At the end of April, a cyberattack that has been attributed to Iran was directed at six wastewater treatment plants around Israel. The incident was exceptional in two respects.
First of all, it targeted physical infrastructure that potentially could have inflicted damage in the real world – as opposed to more common attacks on computer networks. Secondly, the attack was successful to some extent. According to a report on Israel’s Ynet news website, the sewage treatment plants recorded faulty data, pumps went out of control and the attackers took over the operation system at one station. Late Monday, The Financial Times of London reported that, according to a Western intelligence source, the Iranian attackers had attempted to boost the levels of chlorine in the water supplied to Israeli consumers.
Israel’s response came on May 9. According to the reports, Israel disrupted operations at the southern Iranian port of Shahid Rajaee at the Strait of Hormuz. Contrary to official Iranian claims, the damage at the port appears to have been extensive. Satellite images show traffic jams stretching for kilometers on roads leading to the port and cargo ships waiting to be unloaded for three days. That’s a harsh blow for a country that is already suffering from international sanctions and limits on its international trade.
There was another cyberattack on Israel on May 21. This time, thousands of Israeli websites were altered. We have seen many such acts of defacement in the past, but this one was exceptional in its scope and duration. Some of the websites were down for an entire day.
The websites affected included small businesses, some of which are entirely dependent on e-commerce at a time when they were trying to recover from the economic impact of the coronavirus pandemic. This attack could not be attributed to Iran and was probably perpetrated by amateur anti-Israeli hackers from several countries.
We will remember the events of recent weeks, as well probably all of 2020, as a turning point in the history of modern cyberwarfare, Yigal Unna, the director general of the Israel National Cyber Directorate, told CybertechLive Asia, an online cybertechnology conference on Thursday.
Unna called the targeting of Israel’s water infrastructure an organized and synchronized attack, but added that no damage was caused. “If the bad guys had succeeded in their plot, we would now be facing, in the middle of the corona crisis, very big damage to the civilian population and a lack of water and even worse than that.”
- Israeli cyber chief says major attack on country's water systems foiled
- Iranian cyberattack aimed to raise chlorine level in Israeli water, report says
- Iran struck first. 'Israel' retaliated massively. Behind the cyber war rattling the Middle East
‘Today it’s water – tomorrow, oil’
In fact, such incidents provide a glimpse of the wars of the future. Cyberspace will assume an increasing part in geopolitical confrontations and conflicts.
“The attack happened but the damage was prevented and that is our goal and our mission,” Unna said of the attack on the water infrastructure, but the Cyber Directorate didn’t exactly manage to prevent the attack, which in fact occurred. And we probably won’t be prepared for the next attack either.
“I reported to the Cyber Directorate in September about fuel containers that are open to the web. I checked at the end of last week, and they are still accessible to anyone with a keyboard,” said Noam Rotem, who is an ethical hacker, someone who looks for flaws in a computer system but does so within the law.
“This involves the fuel stations’ primary tanks, which I can simply lock remotely and damage supply. And this is not the only case. I reported to the Cyber Directorate about industrial refrigerators that are open to the web, about hotel climate control systems, central heating systems and others.”
Sources familiar with the subject said that was what happened in the attack on the water infrastructure. The Iranians didn’t need to employ special capabilities to access it. “They are the same controls,” Rotem asserted. “Today it’s water. Tomorrow it [could be] oil.” These systems are old, exposed to the internet and lack security. No one, including the Cyber Directorate, has bothered to conduct a survey and try to close them. As of today, there is nothing preventing another attack on them.”
No gatekeepers, no punishment mechanisms
The first problem is that the Cyber Directorate is not authorized to order civilian companies to do anything. It can only make recommendations, and there are very few sanctions that it can impose on companies lacking proper security. The Israel Securities Authority did once levy a 300,000-shekel ($85,500) fine on an app that was not properly secured, and the Justice Ministry’s Privacy Protection Authority acted against Ituran, a location technology firm, regarding the security of its databases, but these cases represent the exception, not the rule. In most instances, there are no gatekeepers and no punishment mechanisms.
“I once discovered a system at an emergency entity that included individuals’ biometric data. I entered, saw the information and immediately reported it to the Cyber Directorate,” Rotem said. “I get an email a few days later from the directorate. The company says [the breach] is closed. We can’t check. Can you confirm this? They have no legal authority,” he recounted.
The Cyber Directorate is responsible for critical infrastructure. Last year, the State Comptroller’s Office published a report on the Cyber Directorate and on insufficient preparedness when it comes to critical infrastructure. But – and this is another problem – desalination plants are not deemed critical infrastructure.
“If I shut down a purification plant, and redirect wastewater into irrigated fields, and E. coli gets into food, is that not critical?” a senior cybersecurity official wondered. “What’s aggravating about the story is that if you do a scan with Shodan,” a reference to a search engine for Internet-Of-Things devices, “you will find all kinds of open devices in Israel. You think that the solar panels on the roof, which send electricity back into the grid, aren’t exposed? You don’t have to be a genius. It’s as easy as pie. The business-economic [sector], which is based on computer networks, is exposed – and Israel isn’t doing enough to protect it. Regulation is much stricter in Germany, for example.”
Who’s in charge?
A third problem is the classic Israeli confusion over who has responsibility. The waste purification plants are the responsibility of local governments. (The state comptroller recently published a report on the local authorities’ inadequate preparation for cyberattacks). But the local authorities are, in turn, under the jurisdiction of the Interior Ministry.
Now Israel has a Water Resources Ministry and a new cybersecurity office is also being established. So who is being given the responsibility for the waste treatment plants? Everyone wants a piece of cybersecurity. Sounds good, until the next cyberattack takes place, when no one will be at fault.
Hacking is the ability to find systems’ weaknesses, not only the kinds based on digital technology. The Iranians found a perfect spot to hit, from their standpoint – vulnerable operational infrastructure that is not deemed of critical importance, and where areas of responsibility are hazy. From that standpoint, the Iranians not only hacked into water treatment plants, but also into Israel's operating system.