Verizon Investigation: Water Treatment Plant Hacked

By John Atienza on March 29, 2016

Resources:

More details arise from Verizon’s data breach digest where their RISK team was asked to come investigate a breach. Hacktivists were responsible for the hacking of a water treatment plan that I mentioned in an older post. Portions of the facility were actually directly exposed to the internet. The company used an AS/400 that was hacked using a combination of SQL Injection (SQLi) and spear phishing. The attackers were able to access the flow control and chemical treatment of water, but it did not seem like they had the required knowledge or intent to do any major harm. Luckily secondary security controls were in place to detect the changes made to flow and chemical treatment. Verizon’s RISK team still concluded that the security of the systems needed to be redesigned in a defense in depth (DID) layered approach to detect and stop future security breaches.