
Water treatment plant hacked, chemical mix changed for tap supplies - bifrost
http://www.theregister.co.uk/2016/03/24/water_utility_hacked/
======
medymed
The article deems as 'hacktivist' a group that 'changed the levels of
chemicals being used to treat tap water.' This doesn't sound much like
activism, defined by google as 'the policy or action of using vigorous
campaigning to bring about political or social change' or 'hacktivism' as
described on wikipedia which focuses on distribution of information, defacing
websites, etc.

There is no mention of what chemical changes were made, but if malicious it
sounds more like warfare or terrorism potentially targeting civilians. The
subtitle is "Well, that's just a little scary", also quite an understatement.

~~~
pdkl95
> This doesn't sound much like activism

Yes it does; it's a perfect example of how "activist" (and by extension
"hacktivist") is being used in modern propaganda. Jacob Appelbaum very recently
gave a rather... _intense_ talk[1] that is about[2] this type of propaganda.
As he explains:

    Let us address this concept of "activism", and it works like this.
    "Activism" is used as a pejorative term in order to suggest that
    participation in a democratic society is somehow outside of
    normal behavior.

> There is no mention

Stenographers publishing propaganda are not in the business of revealing
facts.

[1] https://www.youtube.com/watch?v=KJValv4YQcY#t=78
(note: Jacob doesn't pull his punches, so this contains some strong language)

[2] It also has some _disturbing_ new information about how The Guardian
treated him, Poitras, Greenwald, and others.

~~~
kbenson
Wow, now that's what I call Scorched Earth.

Personally, I'm one for trying to keep the personal attacks out of a rational
discussion, but I recognize that sometimes going with emotion can work as well
or better, depending on the audience. I'm also sure he views quite a bit of
what he's talking about as personal attacks on himself as well.

I'm sad now that I didn't see it when you posted it a few days ago, and
couldn't do my small bit to nudge it to the front page.

------
matt_wulfeck
It really boggles my mind that we don't air-gap every single one of these
types of critical systems.

Can someone help me understand why this isn't more popular? Is it because they
require controls from outside resources? Or maybe there's central places
that rely on telemetry?

Another option: outgoing UDP packets only. Outgoing telemetry but nothing
comes back in.

~~~
nickpsecurity
Management wants it done, done cheaply, with cheap support, and sometimes
plugging into their dashboards. Clive Robinson, who did SCADA, said those
things combine to make security nonexistent to afterthought in most
installations.

I'll add a lesson from software world that it also pays to contract steady
fixes over time instead of near-perfect the first time. That might partly be
because people in such industries only make sacrifices after shit hits the fan
publicly. See Target for example. ;)

~~~
akira2501
Of course.. you /expect/ that to happen, which is why you establish an
internal auditing process.

------
Pitarou
For what it's worth, the pseudonym Kemuri is Japanese for smoke.

There was a recent incident in the UK where too much chlorine was added to the
water supply, leaving it unsafe even for washing. I wonder if it's connected?

http://www.bbc.co.uk/news/uk-england-derbyshire-35786378

~~~
mike_hearn
I don't think so. That does look like a rather good fit, especially as the BBC
article states quite clearly that the chlorine overdose was spotted due to
monitoring alarms, just like the Verizon article states.

But Verizon claims the valves were manipulated to "no particular effect" which
doesn't seem credible if it required a full system flush and a do-not-use to
be posted.

Also Severn Trent has 4.6 million customers, not 2.5 million.

~~~
Pitarou
Not the same incident, no, but could it be connected?

------
AdmiralAsshat
_Fortunately, based on alert functionality, KWC was able to quickly identify
and reverse the chemical and flow changes, largely minimising the impact on
customers._

The affected only lost _most_ of their hair.

------
rubyfan
I call BS. There are no facts revealed here other than some boogie man story
telling about, none other than a Syrian hacking group (during the Cold War,
this would have been the USSR instead of implying ISIL).

The whole thing reads like an advertisement for Verizon Security and Splunk.

------
willvarfar
So possibly a state actor doing reconnaissance? They get in, they verify they
have control by making a change they think won't be noticed, and they add it
to their list of nasty things to do when the war starts...

Remember the recent Ukrainian power outage hack?
http://arstechnica.com/security/2016/02/hackers-did-indeed-cause-ukrainian-power-outage-us-report-concludes/

------
mchahn
> It seems the activists lacked either the knowledge of SCADA systems or the
> intent to do any harm.

So it's a kid, not a state.

~~~
ChuckMcM
Not necessarily, if you were probing you would do so in a way that didn't
indicate your true intentions.

~~~
ams6110
Sounds like it started with a pretty simple SQL injection attack, any script
kiddie could have done that. Then poking around they found something like
control_system_passwords.txt somewhere on the web server and went from there.
Not exactly state-actor skilz required.

------
homero
Guys this is why we need backdoors, so it happens more often, oh wait

------
bencollier49
I genuinely believe that where software has the direct ability to cause
physical harm, there ought to be revocable professional accreditation for at
least one programmer on the development team. Likewise for systems security
on-site.

Actually, I'd be interested to know if things like ISO27001 are mandatory for
these sorts of facilities. And who gets in trouble if the system fails.

~~~
jakubp
I'm afraid ISO27001 guarantees very little. Specifically, in my (limited)
experience these kinds of programs/accreditations only look at a few data
points in the company where reality covers hundreds of data points, and only
in a brief period. Nothing stops people inside the organization from not
complying with the rules, and nobody actually verifies that the right people
in the organization actually know the rules.

------
sjclemmy
Every time I hear a story like this I am amazed. The cause of this is not
complex or difficult. It's basic stuff.

------
mariodiana
Any idea where this happened, even what country it happened in? I can't make
sense of that from the article. I'm guessing we're talking the U.S.

------
hackuser
As long as it only affects people who didn't vote for the governor, it's not
the government's problem.

------
USANEEDSHELP
Take all utility like infrastructure control systems off the internet (Gas,
Water, etc...)

~~~
swiley
The developer machines are still (by necessity) connected to the Internet.

~~~
nickpsecurity
It's not necessary: it's just convenient or more profitable. There's guards,
link encryptors, authenticated networking, and OSS knockoffs of above to
either reduce risk of or probably prevent malice from hitting on-site
computers.

They're just not applied by most because people paying don't give a shit. Any
high-security engineer doing SCADA or site-to-site for big companies will
probably tell you so.

------
awinter-py
the best part is that this is somehow verizon's fault.

------
tpallarino
Hope they stopped the flow of fluoride. Forced medication isn't ethical and
it's been shown to have no effect on dental health.

~~~
erkkie
And naturally you've based your understanding of such things on studies and
have references to share?

