British utility biz Southern Water was the victim of a phishing attack on Wednesday, resulting in a hurried shutdown of some of the company's systems.
An industry insider told The Register that Southern Water's networks, including the system responsible for Supervisory Control and Data Acquisition (SCADA), were hit. The source, who asked to remain anonymous, added that the cause was an employee inadvertently opening an attachment in an email purporting to be from the company's CEO with a subject of "Coronavirus".
Customers may have noted a slight wobble in services on 26 February as the company's social media orifice noted that things had dropped offline due to "essential maintenance".
We’re really sorry but our services are temporarily unavailable while we carry out essential maintenance. We’ll be back online as soon as we can and we apologise for any inconvenience caused. — Southern Water (@SouthernWater) February 26, 2020
A little later, things were back up and running. No harm done. Nothing to see here.
We're pleased to say our maintenance is now complete and our services are available again. Thanks for your patience and we're sorry for any inconvenience caused. — Southern Water (@SouthernWater) February 26, 2020
Behind the scenes, however, the tech team were a tad busier as a spokesperson confirmed in response to a question from The Register sent on 27 February:
Yesterday, a phishing attack tried to gain access to our services. It was not successful, our information security team responded very swiftly and no customer or confidential data was accessed.
The attack did not directly cause any outages, however we did suspend a number of our internet services while we investigated. All services are now back up and running.
The Register understands that Southern Water is actually rather chuffed with the way its teams handled the incident. It's just a shame that it happened in the first place.
Phishing, as all Register readers are all too aware, is an attack where users are tricked into doing what the UK's National Cyber Security Centre (NCSC) delicately calls "the wrong thing".
In this case, the phishing was via email and the use of the CEO as the sender will have made it look genuine to the recipient. Stir in some COVID-19 hysteria and we can see how an ordinary user could be persuaded to open something they might regret that slithered past the usual filters.
Southern Water has outsourced chunks of its processes over the years. It renewed a managed service contract with outsourcing giant Capita back in 2018 for a cool £30m. The agreement saw Capita taking care of front and back-office duties for an initial five-year term with an option to extend for a further three years.
Perhaps fortunately for Southern Water, The Register understands Capita's involvement with the utility is more to do with printing than external email. That said, Capita does have form with email snafus (as its Education Services tentacle will attest), so things might have turned out differently. ®