Hackers Find Many Israeli Facilities at Risk of Attack

Following a suspected Iran attack on a water-treatment facility, a mapping project reveals 188 vulnerabilities in controllers

Amitai Ziv
Send in e-mailSend in e-mail
Barzilai hospital in the southern Israeli city of Ashkelon.
Barzilai hospital in the southern Israeli city of Ashkelon.Credit: Ilan Assayag
Amitai Ziv

At the end of April Israel experienced an exceptionally powerful cyberattack attributed to Iran.

Media reports said Tehran has sought to disrupt computers operating waste-water treatment plants and raise chlorine levels. If it had been successful, it would have done damage to crops.

The attack succeeded in penetrating the system but failed to achieve its goal. Foreign media reports say that on May 9 Israel retaliated with a cyberattack on the Iranian port of Shahid Rajaee, which was successful and disrupted operations for days.

Last week Iran threatened to retaliate against any country that carries out cyberattacks on its nuclear sites after a fire started at its Natanz plant. Some Iranian officials said it may have been caused by cyber sabotage and have pointed a finger at Israel.

The Tnuva factory in Rehovot.
The Tnuva factory in Rehovot.Credit: Nir Shmuel

Is it really that difficult to stage hacking attacks on Israeli infrastructure? The answer is yes, and among the most vulnerable targets were a hospital, pharmaceuticals logistics firm, hotel chain, water-treatment system in the south, as well as, it appears, the Degania Dam, which regulates water levels in the Sea of Galilee and flows into the lower Jordan River.

The vulnerabilities were revealed by Israeli “White Hat” hackers, who employ hacking tools in the service of companies and governments looking to discover vulnerabilities in their networks.

They sought to find where the holes are by mapping the country’s computers used for manufacturing, pumping water and other critical infrastructure that are linked to the internet.

Industrial controllers like these are considered the Holy Grail of Black Hat hackers because they affect physical infrastructure, not just the computer. If a controller is not protected by a password, it can be operated remotely without a problem.

The exercise, which was conducted in May, used tools that are available on the internet for free, first and foremost the search engine Shodan, which is used to map the IP addresses of controllers. At many sites, controllers were entirely exposed to attacks.

“The results don’t surprise us,” said Daniel Baran, CEO of Otorio, an industrial cybersecurity company, who said that the mapping discovered 288 vulnerable controllers throughout the country. “Smart controllers are connected to the internet because the user wants to control them remotely. But you can find these controllers with scan engines [dedicated search engines]. When a smart controller is connected to the internet, and assuming it’s not secured, you can run commands, operate them, disrupt them and affect their operation.”

The results published by TheMarker are only partial and when an institution is named it is only after it was informed of the vulnerability and the problem fixed.

Daniel Baran, CEO of Otorio, an industrial cybersecurity company.
Daniel Baran, CEO of Otorio, an industrial cybersecurity company.Credit: Yair Ivy

The first of the hacks occurred at Barzilai Medical Center in Ashkelon, where a computer that controls the water-osmosis process used in dialysis machines was completely exposed to hackers. The supplier hadn’t installed it properly. The sensitivity of the system is obvious: Dialysis patients suffer from kidney failure and are dependent on the quality of the machine’s water. 

The vulnerability was fixed after TheMarker reported it to the National Cyber Security Authority and the Health Ministry, according to Barzilai. It should be noted that before the problem was identified, the hospital boasted that it “holds the World JCI [Joint Commission International Accreditation Standards for Hospitals] and the Israel Standards Institute for the Protection of Human Medical Information.”

Another breach was discovered at Chemipal, Israel’s biggest distributor of medicines. The company has a logistics center that covers 30,000 square meters of floor space and employs 650 workers. The company has annual turnover of $1 billion.

The hackers found a vulnerability in a controller that ensures that two industrial refrigerators consistently have a temperature of between 8 and 9 degrees Celsius. The hackers couldn’t identify what the refrigerators contain.

Like Barzilai, Chemipal was surprised to learn of the problem and said the controller was operated by an outside contractor.
The company said in a statement that the problem was addressed and that related systems were surveyed for vulnerabilities. It said that the hacked controller was used in a peripheral cooling system used to cool offices. “No one could harm Chemipal’s system through the [hacked] controller,” it added. “The company has an advanced cyberdefense system that works continuously to identify vulnerabilities and to challenge the computer system.”

At the Fattal Hotels chain, the hackers were able to uncover two vulnerable systems –  one that controlled refrigeration at the Leonardo Hotel in Bat Yam and another that controlled the alarm system at the Leonardo in Ashkelon. A malicious hacker could have used the first to harm the health of guests and the second to create a panic with a false alarm.

Fattal said that “as soon as the matter was brought to our attention, we acted to settle the matter.” 

At Tnuva, Israel’s biggest food maker, a controller whose exactly function was unclear was found exposed to a hacking attack. The company acted quickly to address the problem after it was notified and said “there isn’t any way of penetrating our organic network with the information that was taken. In the case, only a small component in the system was exposed.”

Even after the alleged Iranian attack was reported, at least one of Israel’s water-treatment systems remained vulnerable, the hackers discovered. In this case, it was one located near the giant Israel Defense Forces training base in the Negev and serves the Ramat Hanegev Regional Council.

In response, the council said that after April the controllers were fixed so that they could not be adjusted without the use of a password. The controller that was hacked contained only “marginal operating information” and it has since been disconnected from the internet.

Comments