back to article Water treatment plant hacked, chemical mix changed for tap supplies

Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, we're told. The cyber-attack is documented in this month’s IT security breach report (available here, registration required) from Verizon Security Solutions. The utility in question is referred to using a …

  1. Bronek Kozicki Silver badge
    Unhappy

    no prizes for good guess

    which will happen first:

    1) government wanting even more surveillance on everybody

    2) stiff penalties for companies leaving their systems insecure

    1. Craig 2

      Re: no prizes for good guess

      "stiff penalties for companies leaving their systems insecure"

      Even connecting critical infrastructure to a publicly accessible network should be a criminal offense in my book. The question of whether it's secure or insecure is easy to answer: it's not.

      1. Peter2 Silver badge

        Re: no prizes for good guess

        Frankly, I think it would be nice to have a grown up debate as to what should, and should not be able to be accessed remotely at all.

        My view is that the answer to that is something similar to Asimov's first law. "A <system> may not injure a human being or, through inaction, allow a human being to come to harm."

        The ability to remotely access a car's control systems via a sodding radio's bluetooth/wifi and disable control inputs from the driver (like steering or brakes) should be burned with fire along with the people who allowed the basic system design. Industrial processes and in general anything that can cause harm should be air gapped in the same way the control systems in nuclear power plans are.

        Yes, it's going to raise costs. But doing otherwise is critically dangerous with things like flouride going in drinking water:-

        http://www.nejm.org/doi/full/10.1056/NEJM199401133300203

        From that it seems quite clear that if a hacker had of dumped the entire flouride store into the water supply then nobody would have noticed until either they had to refill it or people started turning up in hospital. Utterly ludicrious.

        1. MyffyW Silver badge

          Re: no prizes for good guess

          The wild libertarian in me answers:

          "doing otherwise is critically dangerous with things like flouride going in drinking water"

          with

          "Stop adding flouride to tap water, I've got an inalienable right to rotten teeth"

          (and in case you think I'm a dirty cow, I am a bit OCD when it comes to brushing, so my gnashers are a pearly white.)

          1. Anonymous Coward
            Anonymous Coward

            Re: no prizes for good guess

            "Stop adding flouride to tap water, I've got an inalienable right to rotten teeth"

            Then don't drink the tap water, buy your own drinking water, problem solved.

            Or , stated using the same line of thtinking: "Get your nanny-state coddling out of my tap water, it's my God-given right to drink fluoride-laden water if I so choose".

            1. Pompous Git Silver badge

              Re: no prizes for good guess

              Then don't drink the tap water, buy your own drinking water, problem solved.

              How do you do that when the municipality you happen to be in has banned sales of bottled water. Apparently the do-gooderesses don't mind Coke, Fanta, Leed etc, but water is a definite no-no.

              1. Anonymous Coward
                Anonymous Coward

                Re: no prizes for good guess

                "How do you do that when the municipality you happen to be in has banned sales of bottled water. "

                Citation needed.

                It seems improbable that any government agency can ban the sale of water.

        2. Captain Badmouth
          Holmes

          Re: no prizes for good guess

          "From that it seems quite clear that if a hacker had dumped the entire flouride store into the water supply then nobody would have noticed until either they had to refill it or people started turning up in hospital. Utterly ludicrious."

          See my Camelford link later in this thread.

        3. I. Aproveofitspendingonspecificprojects

          Your View?

          > My view is that the answer to that is something similar to Asimov's first law. "A <system> may not injure a human being or, through inaction, allow a human being to come to harm."

          You are obviously an idiot or too young to voice an opinion.

          A public utility still using internet access after Stuxnet is liable for manslaughter charges and in any case the management need removing urgently, especially their security bods. If this had happened without such mitigation it would be an act of war. It probably still is.

          I hope that Trump is as bomb proof as his predecessor because he really sounds like the sort of arse that America's enemies (or Israel's friends) want in.

          1. Anonymous Coward
            Anonymous Coward

            Re: Your View?

            "I hope that Trump is as bomb proof as his predecessor because he really sounds like the sort of arse that America's enemies (or Israel's friends) want in."

            For the life of me, I cannot see why this statement is in any way relevant to the discussion.

            A down vote for bad cut & paste, or stupidity, or both ...

            ps: Same applies if you substitute Clinton for Trump

        4. Anonymous Coward
          Anonymous Coward

          It's "fluoride", not "flouride"

          see title

        5. LDS Silver badge

          Re: no prizes for good guess

          Yes, and then Asimov made out a good living by writing about what the three laws of robotics happened to work in some extreme corner cases (and requiring Susan Calvin to understand what really happened). Moreover it postulated the very way the positronic brain was built had them truly "hardwired" and thereby could not bypassed - without damaging the brain irreparably and inoperative. Unluckily software can be modified, and some systems can't really become wholly inoperative, unless some safety mechanism detect it and put the system is a safe state.

          Truly airgapped system would require all the air to be removed, so no humans could touch those system and plug in their USB drive to watch some porn while monitoring the systems...

        6. Anonymous Coward
          Anonymous Coward

          Re: no prizes for good guess

          Well-designed, critical systems usually have hard limits built into them so that such a thing can't happen - not without someone going out there manually (with appropriate tools) and taking the situation in hand, anyway. For fluorine/chlorine and such, I would generally expect such a system to either just reject a "dump everything" command, or to merely increase things to a higher but still relatively safe level - whatever the hard limit restricts it to.

        7. Rick Manner

          Re: no prizes for good guess

          Regarding the concern about dumping an entire storage tank of fluoride into the water system, I have two bits of information that may make you more comfortable.

          First, fluoride has a bitter taste. So if there is a severe overdose, people will not drink the water. Trying to cover up this bitterness is a large part of why toothpaste has a strong flavor added, as well as the fluoride treatments at your dentist's office.

          Second, most regulators require that for chemicals added to the water that the system run off of what is termed a "day tank". The day tank only stores a limited amount (usually about one day's worth), exactly to prevent the type of overdose that you are referring to. . There are other benefits. Because it is a smaller tank, minor changes in feed rates are noticed sooner.

          By the way, this second idea was started long before hackers were born. It is a practical solution that prevents excessive dosing for whatever reason.

      2. PNGuinn
        Megaphone

        Re: no prizes for good guess @ Craig 2

        It probably IS illegal in just about any jurisdiction you'd like to think of, with probably very large penalties.

        Problem 1 - the kind of scum who do this sort of thing tend to be criminals with every intent of causing mayhem - either for blackmail or political reasons. They know full well what they’re trying to do, know the penalties and know the risks.

        Problem 2 - the authorities in many of those jurisdictions will either (a) not understand their own laws and prosecute on a minor technicality, (b) seek to minimise the crime to cover either their own ineptitude or that of those who run the vulnerable systems or (c) don't want to upset the nice terrists in case they get really mad - hearts and minds and all that carp.

        Solutions 1 - Hit the perps hard - a lot of this stuff endangers life and health apart from being costly. Be aware that this will likely lead to war in some cases. Be aware that it's pointless going to war unless you're prepared to win - and clear up afterwards.

        Solution 2 - Make it very clear in law that there's a clear audit trail of criminal responsibility for all those responsible for critical systems and their security, including their design and maintenance INCLUDING THOSE IN GOVERNMENT. With appropriate penalties. Not chosen by lazy incompetent greedy fat ....

        One can dream.

    2. VinceH Silver badge
      Facepalm

      Re: no prizes for good guess

      "which will happen first:"

      Well, you could at least have made it a little difficult by not listing the most likely thing as number 1!

    3. asdf Silver badge

      Re: no prizes for good guess

      Well considering the SCOTUS pitched a fit and overturned the one time the government actually convicted a large corporation (Arthur Anderson) of outright fraud #2 is a pipe dream. At least they can still go after executives for bad behavior you know like they did after the mortgage meltdown. Funny how that works when your whole culture is based around corporatism.

    4. Captain DaFt

      Re: no prizes for good guess

      "which will happen first:

      1) government wanting even more surveillance on everybody

      2) stiff penalties for companies leaving their systems insecure"

      #) Nothing. It's not like They urinated in a reservoir or anything serious like that.

      1. Mark 85 Silver badge

        Re: no prizes for good guess

        #) Nothing. It's not like They urinated in a reservoir or anything serious like that.

        I guess no one pointed out to them that fish, birds, and animals all pee and poop in the reservoir and it doesn't get drained and scrubbed.

        1. allthecoolshortnamesweretaken

          Re: no prizes for good guess

          “I don't drink water. Fish fuck in it.”

          ― W.C. Fields

        2. Goopy

          Re: no prizes for good guess

          Daddy, what are stated towers for?

    5. Gigabob

      Re: no prizes for good guess

      It will be a furious race - but I predict a tie at the finish line.

  2. Jon Massey
    FAIL

    The.. just.. I don't even

    " login credentials for the AS/400 were stored on the front-end web server."

    pardon?!

    1. P. Lee Silver badge

      Re: The.. just.. I don't even

      ... and what's with the pejorative "ageing as/400" smack-talk?

      If you store credentials on the frontend web server, no amount of "modern" systems or updates are going to save you.

      1. Voland's right hand Silver badge

        Re: The.. just.. I don't even

        If you store credentials

        Question is what credentials. Some credentials - such as what you need to access CRM have to be stored.

        Now the fact that the credentials were such that they allowed to manipulate the actual live industrial control systems is the "criminal negligence" bit. As these control chlorine, cloramine and access to drinking water supply there are quite a few criminal charges applicable for the execs of the water company in question in most legislation. Criminal negligence is just the start. I would slap onto them "being accessory to terrorism" without having a second thought.

      2. Michael Wojcik Silver badge

        Re: The.. just.. I don't even

        ... and what's with the pejorative "ageing as/400" smack-talk?

        Yes. A swing and a miss there for Leyden. I'd much rather have the back end be an AS/400 running, oh, some release of OS/400 V3 than, say, an almost-certainly-misconfigured Win2K system, or never-patched Linux of similar vintage.

    2. Roger Varley

      Re: The.. just.. I don't even

      Any takers for a bet on whether they were for QSECOFR or not?

    3. Anonymous Coward
      Anonymous Coward

      Re: The.. just.. I don't even

      More to the point what the hell is a web server doing connected to the control systems and being accessible from the internet? Taking it further why were the control systems even anywhere near being connected to the internet?

      1. I ain't Spartacus Gold badge

        Re: The.. just.. I don't even

        I would imagine the billing system is probably polling information from the control system. And presumably the treatment controls are on the same system as the network/metering ones. Obviously this should be via a locked down account with no permissions - but I guess it isn't. Well, even more obviously, it shouldn't even be connected - that info should be going to an offline database first.

        I can understand wanting to have central control of the system. Rather than having to control things individually at each pumping station and works. But that should be via a private network, not the internet. And there certainly shouldn't be a bloody web server.

        Admittedly they do regular testing of the water. But although some of that will be manual, so not vulnerable to computer intrusion, I'd expect that this will also be moving towards automation though.

        You can do an amazing amount of damage though. If you control valves, pumps, or worse pumps and valves - then you can easily cause pipes to burst. With chemical dosing you can either overdose or underdose the water and cause problems. Sewage plants are also delicately balanced, in that they have beds which use bacteria to break down some of the waste products - and if too much of certain chemicals gets in there, it kills off the colonies, and stops the treatment plant working.

    4. PNGuinn
      Flame

      "login credentials were stored on the front-end web server."

      Simple solution - someone's b***ocks need to be stored equally publicly on a barbed wire fence. Probably several peoples' .... No need to detach them first,

  3. Alister Silver badge

    A couple of weeks ago South Derbyshire and North Leicestershire residents were warned not to use their tap water for any reason because the chlorine concentration was at dangerous levels.

    Curious coincidence.

    1. HollyHopDrive

      Well, I was one of those customers and given just how little Severn Trent seemed to know about the incident and how it happened it made me wonder too.

      After 8 hours there was still much confusion. I saw them doing what looked to me as pumping out a water tower into a long like of waiting tankers the next day.

      When I was down getting my 4 litres of free water (generous or what!) We asked the ST woman there why we couldn't shower in it and she said it's chlorine and it's way stronger in concentration that you'd get at the swimming baths. (She really couldn't stress just how much we really shouldn't use it to even wash hands). So if something looked like a computer error or hack this is a likely candidate.

      Then again, could just be coincidence. Guess we will never know!

      1. Roger Greenwood

        Many water companies who abstract ground water (like ST) use superchlorination - they add a lot of chlorine to guarantee to kill any bugs then reduce the chlorine levels before it hits supply, without needing an intermediate tank/reservoir - it goes straight down the pipe. A mechanical/electrical failure at any point in the dosing system could allow high chlorine levels to get through to supply without the system getting hacked.

        1. wardster

          Yep - super chlorination, or shock dosing.

          Anything above 0.5 ppm HClO will kill most bacteria, and your average swimming pool will be 1 to 3 ppm to ensure all those scutty people who don't shower before going for a swim doesn't bring in any nasties, and also to make sure if little Johnny curls off a floater, then it won't need the pool to be evacuated and drained!

          Obviously you don't want to be drinking the contents of your local pool, but it won't kill you.

          Hot spas and things like that can be maintained between 3 and 6 ppm, but as you aren't in for too long, it won't cause any problems.

          Anything above 6ppm however is really not advised, as at this concentration, you will start to get bleaching, and sensitive skin can start getting rashes and irritation.

          If you hit anywhere above 10 - 12 ppm, and you really really do have a problem. I can only assume that the STW recent problem had HClO levels way above 3 - 6 ppm.

          (I recently did the STA water treatment course.....)

          Anyone remember Milton Sterilising Tablets? Maybe someone bunged a few of these into the reservoir.......

      2. John Lilburne

        Hey shit happens. Back in the 1990s, when I worked in a chemical factory, we had a water treatment guy in to dose the cooling tower water with biocide (legionnaires). Unfortunately they didn't tell anyone that they'd done it. So some maintenance fellows comes on shift and opens up a valve to let water into the local canal. A few hours later the surface of the canal was covered in dead and dying fish.

      3. Anonymous Coward
        Anonymous Coward

        AS400?

        Could this be STW? A couple of decades ago (and before Sir Tim invented WWW) I worked on a SCADA system for Severn Trent that could, in theory, be used to control a water treatment plant. Being pre-WWW it didn't have a front end server, and it ran on hardware that was somewhat more mature than the AS/400, (not that I'm prepared to say what it ran on). I did hear from a reliable source that the old software had been ported to new hardware (AS400?) and it is entirely possible that a ropey old web front end was bolted on to the port. I also wonder if this is a coincidence.

  4. Anonymous Coward
    Facepalm

    Bullshit bingo

    Monzy Merza, Splunk’s director of cyber research and chief security evangelist, commented: “Dedicated and opportunistic attackers will continue to exploit low-hanging fruit present in outdated or unpatched systems. We continue to see infrastructure systems being targeted because they are generally under-resourced or believed to be out of band or not connected to the internet.”

    “Beyond the clear need to invest in intrusion detection, prevention, patch management and analytics-driven security measures, this breach underscores the importance of actionable intelligence. Reports like Verizon’s are important sources of insight. Organisations must leverage this information to collectively raise the bar in security to better detect, prevent and respond to advanced attacks. Working collectively is our best route to getting ahead of attackers,” he added.

    Every card a winner!

    Seriously, who writes this stuff?

    1. JoeF

      Re: Bullshit bingo

      And Verizon Enterprise, the guys who do write these intrusion reports, got hacked themselves, according to krebsonsecurity...

      http://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-customer-data/

      1. Michael Wojcik Silver badge

        Re: Bullshit bingo

        And Verizon Enterprise, the guys who do write these intrusion reports, got hacked themselves

        Well, sure. The question is, how good was their report about it?

  5. Ralph B

    Meanwhile ...

    I heard that another US-based hacktivist group had got away with doing similar tricks for some years before they were stopped.

  6. Dan Wilkie

    I don't understand why the control system is linked to the customer payment portal, and why the payment portal would need credentials for the control system.

    Or did both systems just happen to run on the same AS/400? (REALLY?)

    1. LDS Silver badge

      Because there was a time when "consolidation" was the buzzword like cloud is today (cloud is still a form of consolidation...). The mantra was to run everything on fewer, more powerful systems to save money. Done in the right way it could be OK, done in the wrong way by clueless people "hey, we have this AS/400 let's run both the water control system and accounting from it! See how much we saved?" leads to these situations. Of course IBM told (and sold) you you could run different workloads on it, so why not? The AS supported hardware partitioning - but if used by clueless syadmin, little changes...

      1. PNGuinn
        Joke

        "consolidation" was the buzzword like cloud is today ...

        Ah - there's the solution stairing everyone in the face.

        Clouds bring rain. End of water shortages.

        Someone with good ideas just needs a legup.

    2. I ain't Spartacus Gold badge

      It could be there's some bigger commercial/industrial customers whose meters are reported directly on the network's controls systems. So the billing system uses that info to charge them. Not sensible, but doesn't mean someone hasn't done it.

    3. Adam 52 Silver badge

      I agree on why they had to be linked and why the credentials were so wide, but I don't see anything wrong with running it all on the same box, especially not an AS/400 which supports LPARS. No real difference to running on Xen today.

      1. LDS Silver badge

        Did they use partitions or not? The fact the AS/400 supports LPARS doesn't mean it was in use.

        Also, even today running software at different security level on the same hypervisor *can* be a security issue. There are bugs in hypervisors (and even in CPUs...) that let an attacker compromise other VMs. Thus, even if it costs more, may be sensible to run software on truly separated hardware.

        But everything becomes useless if there are easy channels between systems and powerful credentials are stored everywhere.

    4. Anonymous Coward
      Anonymous Coward

      Because organizations which run generally safe, sane, and relatively secure systems like the AS/400 (and its successors) don't usually see the need to carve things up unnecessarily, although some separation of duties may have been a wise decision in this particular case. But I have worked with/for several companies now who have gone down the path of "modernizing" their systems, by moving things over to some number of different (mostly) dedicated servers, only to often quickly run into the problem of not knowing why/when/where things are going wrong, nor of course how to fix it.

      I'm dealing with that very issue right now, in fact, where instead of things staying on the AS/400 where they really belonged, they've been spread out across several different servers of various types. But critical things are occasionally failing now where they didn't fail before, and the situation is getting progressively worse, and nobody really understands enough about the whole set-up (nor do they generally have the time or the patience) to really be able to go in and find the problem and fix it. Which is where I come in, because I've had to run such rabbits down in the past, at other organizations.

  7. Anonymous Coward
    Anonymous Coward

    The law needs changing, and soon

    All critical national infrastructure (water, power, etc) should be air gapped from the internet immediately, and anyone who attempts to implement internet connectivity as a cost cutting measure should be imprisoned. Cost cutting will bite us all on the ass eventually.........

    1. Mark 85 Silver badge

      Re: The law needs changing, and soon

      Eventually???? I daresay it already has bit us and bit us hard. The problem is, it hasn't changed the C-suite types thinking since all they focus on is profit.

  8. 2460 Something

    Demarcation?!?

    Why the hell is a control system on a publicly accessible network in the first place? Something like that should be on a self-contained network to prevent anything like this being possible. It beggars belief that all these utility companies don't have better network designs.

    1. Doctor Syntax Silver badge

      Re: Demarcation?!?

      " It beggars belief that all these utility companies don't have better network designs."

      In the circumstances "design" seems too strong a word.

    2. Fatman Silver badge
      Joke

      Re: Demarcation?!?

      <quote>Why the hell is a control system on a publicly accessible network in the first place? </quote>

      So Joe PHB can get his reports ANYTIME he wants. Mr PHB can't do shit without his reports.

      </snark>

  9. Doctor_Wibble
    WTF?

    Poisoning people is not hacktivism

    Maybe I'm being too pedantic but 'hacktivist' is not a term I ever associated with causing actual harm to people - messing about with the chemical balance of a water supply is a long way off that. It doesn't matter that they didn't succeed in the end.

    That said, I see the main concern is that the customer information wasn't used for fraud, so maybe I just have my values all wrong.

    1. Doctor Syntax Silver badge

      Re: Poisoning people is not hacktivism

      "maybe I just have my values all wrong"

      You have. Google Camelford incident. That was an operational cock-up but it seems likely that something similar or worse could be achieved deliberately through illegal access to SCADA networks.

      Having said that, if details of 2.5 million customers were exposed then they should be notified irrespective of whether there's any evidence of fraud. In fact, if they weren't notified it would be difficult to know whether there had been fraud or not. Hiding the whole incident behind a pseudonym is just irresponsible.

  10. Mahhn

    Find the punks and poor bleach down their throats. if they live, cut their hands off.

    Messing with water supply is NOT hacktivist activity, it's terrorist or murderer activity. Zero tolerance

    1. Anonymous Coward
      Anonymous Coward

      "...poor bleach down their throats. if they live, cut their hands off."

      You mean 'pour'.

      Your vengeance-filled angry reaction originates from somewhere very close to your reptilian brain stem. It's thus about as interesting or thoughtful as the firing of a single neuron in a Petri dish.

      I've noticed this sort of ugly reaction style post over the years, it's a very consistent style, and it's become something of a pet peeve for me. (Sorry.)

      Typically the thread degenerates into a contest with subsequent entries like "No! Pour FLAMING PETROL down their throats. Cut their d#$&s off." "No! Use flaming Bunker fuels and pump it into their ears..." Etc. Etc. Etc.

      It would be useful to come up with a catchy name for the style of post, to make it easier to denigrate. Any ideas?

      1. Anonymous Coward
        Anonymous Coward

        Re: "...poor bleach down their throats. if they live, cut their hands off."

        "It would be useful to come up with a catchy name for the style of post, to make it easier to denigrate. Any ideas?"

        A 'post-tard', as in retard at posting, and rhymes with postcard which are used for brief inane messages.

        Similarly 'mutard' for those who don't know how to use the mute button on a conference call and end up talking to themselves.

      2. Mahhn

        Re: "...poor bleach down their throats. if they live, cut their hands off."

        Yes, pour.

        I see you are from the cupcake generation, where nobody gets punished, and everyone gets a trophy.

        I am from the worked for it generation, where if you hurt someone you get hurt, if get a trophy you worked hard for it.

        I have no sympathy for those that would inflict suffering on others for amusement, and see punishment for such actions as just. But maybe you want to give them a lollypop? and if your children are hurt or killed by these people you might see the world as it is and not though rose tinted glasses.

        Call my reaction Vigilant, and I will call yours Cupcake.

        1. Anonymous Coward
          Anonymous Coward

          Re: "...poor bleach down their throats. if they live, cut their hands off."

          'Vigilant'? Hardly. If your plan was Vigilant it would have involved actually looking at something rather than giving them and their kids injections in the eyes of radioactive napalm-spiders.

          The people responsible for this are the ones who shared credentials for critical systems on front-end web services. Those who made it so that the control systems were connected to the public Internet.

          The hackers were, according to the report, basically as clueless as the security bods and management who enabled them. The hacker was probably just a script kiddie arsing about and found this system, or a student looking to drop his water rate. He/she may not even have known it was a control system. So save the "crush their testicles with Osmium-booted rhinoceroses" talk for the people who caused the problem rather than those who bumbled into exploiting it.

          1. Mahhn

            Re: "...poor bleach down their throats. if they live, cut their hands off."

            You sound very defensive. Were you the "script kiddie"?

          2. Just Another SteveO

            Re: "...poor bleach down their throats. if they live, cut their hands off."

            "The people responsible for this are the ones who shared credentials for critical systems on front-end web services. Those who made it so that the control systems were connected to the public Internet."

            Hmmm, I can't disagree that it's completely stupid to do what you've outlined above and that they have a level of responsibility but your argument is a bit like "it's your fault for being burgled as you have nice stuff!". Regardless of the cluelessness of the individuals who perpetrated this, they are ultimately responsible for what they do and "bumbling into exploiting it" does not absolve them from that responsibility....

            My view - YMMV.

          3. Anonymous Coward
            Anonymous Coward

            Re: "...poor bleach down their throats. if they live, cut their hands off."

            "The people responsible for this are the ones who shared credentials for critical systems on front-end web services. Those who made it so that the control systems were connected to the public Internet."

            A characteristic of the "cupcake" generation, is their willingness to blame others for their own (and others') ill deeds. While the sysadmins in this case were clearly misguided, clueless and/or negligent, they are not responsible for the breach.

            Responsibility lies clearly with the perp. End of story.

  11. Slx

    I think the term Hactivists is wrong ...

    Tampering with your a towns water supply is dangerous vandalism and also leaving SCADA systems on the open web is insane. That's like leaving the keys to the water treatment plant under a rock with a note saying "please do not steal".

  12. Florida1920 Silver badge
    Pirate

    A warning or a warm-up exercise

    A "hacktivist" group with ties to Syria....

    Verizon's RISK Team uncovered evidence that the hacktivists had manipulated the valves controlling the flow of chemicals twice – though fortunately to no particular effect.

    To be sure, if they weren't caught they would have been back.

  13. Matt Bryant Silver badge
    Facepalm

    How to stop spearfishing - if your CIO has the balls.

    Simply remove email and Internet access from the majority of your employees. Far too many seem to assume it is a right to have a company email address and Internet access when the reality is very few employees actually need it for their jobs. Other messaging systems (such as Lync) can be limited to internal only conversations, removing the spearfishing threat and yet providing the same or better internal service than email. Then air-gap those few systems used for external email for those users whose role does require email from access to core networks.

  14. captain_solo

    Offshoring

    But how could the service providers all these companies and utilities hired to replace their onshore workers access the systems to manage them if the control systems aren't attached to the interwebs?

  15. Captain Badmouth
    Paris Hilton

    Nothing new to see here, move along please...

    Occam's razor folks,

    Never attribute to malice that which be adequately explained by stupidity :

    http://www.bbc.co.uk/news/uk-england-cornwall-17367243

    Alright it may have been hacktivists, but it may have been water authority fuckwits.

    paris, to fuck yur wits in the meantime....

    This may be news to many of our younger adherents, of course.

    Read and learn, gentlemen.

    1. Captain Badmouth
      Terminator

      Re: Nothing new to see here, move along please...

      This does not mean to say that we do not have a, potentially large, security hole in the nation's health. How many water treatment plants have adequate security in place? Ricin, anyone?

      1. wardster

        Re: Nothing new to see here, move along please...

        Good point, but it appears good old bleach will kill most things.

        >>> http://www.acs.org/content/acs/en/pressroom/newsreleases/2011/march/household-bleach-can-decontaminate-food-prep-surfaces-in-ricin-bioterrorist-attack.html

  16. Anonymous Coward
    Anonymous Coward

    And Nuclear

    Some years back, Spectrum, the IEEE magazine wrote of the hacking of a US nuclear power plant. IIRC, they issued commands to remove the fuels rods form the coolant, but the plant was offline for maintenance at the time.

    What kind of idiots are in charge?

    1. John Brown (no body) Silver badge

      Re: And Nuclear

      "What kind of idiots are in charge?"

      This man is in charge

  17. Kev99 Bronze badge

    Another example of what happens when the bean counters decide free is better and the coders think using the internet for everything is way cool. Only fools and idiots will put sensitive, proprietary, or mission critical software onto the internet. They keep forgetting that a net is a bunch of string held together by holes and that a cloud is a bunch of holes held together by vapor.

  18. a_yank_lurker Silver badge

    Buffoons Incharge

    The crux of the problem is why were the two systems ever linked to begin with. Treatment plant control systems have no need to be linked to the customer payment system or even on the Internet. Scada systems 30 years ago were not linked to anywhere but the control room which is one site so the connections were hardwired. This worked and still works.

  19. Anonymous Coward
    Anonymous Coward

    The coroner Mr Rose got ir completely wrong in the inquest on Carole Cross. The presence of aluminium in the brain of an Alzheimer's sufferer is a consequence of, and not a cause of, the illness. Alzheimer's is caused by the development of amyloid plaques in the brain which then adsorb any aluminium whihc may be present in the bloodstream. Aluminium is present in the diet from other sources and not necessarilt the water supply. For example, the average cup of tea contains aluminum which comes from the tea leaves.

  20. NeilPost

    Sounds like lazy, complacent secuurity practices on aging infrastructure. Comparable to leaving your car unlocked.

    Perhaps some jailtime is needed and some statuatory guidelines/practices on protecting public infrastructure like gas, water, electricity etc.

  21. Anonymous Coward
    Anonymous Coward

    "... (...registration required) from Verizon Security Solutions."

    At least twice I've registered with Verizon Security Solutions in order to gain some offered benefit. "Fill in this form and we'll send you this or that info." Batting ZERO-for-two in them following through. The name 'Verizon Security Solutions' has thus acquired an aroma of incompetence. Negative brand equity.

    What is it with people in the 'IT Security' field?

  22. Kev99 Bronze badge

    One more example of the IDIOTS being lazy and more concerned about saving a few bucks than securing their systems and protecting their customers.

  23. normal1

    Brilliant!

    And just who decides that these valves needed remote or even computer controls anyway?

  24. Stoneshop Silver badge
    Pint

    Contaminating

    our precious bodily fluids.

    1. Philip Lewis

      Re: Contaminating

      "Purity of Essence, Mandrake. Purity of Essence"

  25. allthecoolshortnamesweretaken

    Did someone say "fluoridation"?

  26. sml156

    I would be willing to bet that the reason they are accessible from the web is due to lazy engineers who use VNC to remote in. In fact some engineers are so lazy they do not want to use a password to log on.

    If you have never heard of this site http://vncroulette.com and the absolute insane things they find, What they find is open VNC servers open to the world

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019