Hackers have discovered that the sewer system in the Israeli coastal town of Or Akiva is completely exposed on the web, without any basic protection. Israeli cyber researchers say that many industrial systems in Israel and abroad are exposed to similar hacks – which allow hackers to gain access, take over systems and cause physical damage.
On Thursday, hackers published a photo showing the graphic interface of the sewage pump control system in Or Akiva. An examination revealed the interface was completely undefended: it did not even require a password, and the website did not use HTTPS (Hypertext Transfer Protocol Secure).
Nonetheless, the hackers may not have known exactly what the interface is used for, because the photo, posted on a Telegram channel, was captioned: “Wow, fuel pumps in Israel. Wonder what happens when the pumps are off-line?” The interface showed, in real time, Or Akiva’s sewage pumps, the level and flow of the sewage and pressure, as well as other live parameters.
After being approached by Haaretz, the National Cyber Directorate contacted the Or Akiva municipality on Thursday morning, but the interface remained exposed for many hours thereafter. The municipality blocked access to the interface only on Thursday evening following a query from Haaretz.
According to the municipality, this interface is used only to monitor the sewage system and does not allow actions that would harm the system. However, cyber experts who asked to comment anonymously confirmed that hackers could in theory use this interface to take remote actions that could cause critical damage to the system. “The remote control units can carry out autonomic operations such as closing and opening the pumps and valves, according to specific parameters that the system monitors at this time, for example, the height of water in a tank,” an expert said.
“The weak spot that we continually see in many recent events is that these remote terminal units, which do not include modern security systems, could allow a hacker who accesses them from the internet to control them and change the way they operate,” explained Tom Alexandrovich, head of the active cyber protection team in the National Cyber Directorate. This usually happens because of a “combination of lack of awareness and lack of specific human resources,” he added.
This hacking risk comes against the backdrop of the growing cyberwar between Iran and Israel, in which, during the last two years, the Iranians attempted and succeeded in hacking water installations in Israel, including, according to the National Cyber Directorate, “control and monitoring systems of sewage purification plants, pumping stations and sewage.” The most publicized case of the hacking of an industrial system was the American-Israeli computer worm Stuxnet, which targeted the uranium enrichment facilities in Iran. The worm damaged the control mechanisms of the Iranian uranium enrichment centrifuges and shut down one fifth of them.
The exploit: Not updated
The exposed interface of the Or Akiva municipality was manufactured by Ovarro, a company that makes monitors and remote terminal units for controlling industrial systems. Its software, TWinSoft, is used to manage the company’s TBox remote terminal units.
In March 2021, Uri Katz and Sharon Brizinov, Israeli cybersecurity researchers at the Claroty company, conducted a study that revealed a number of key weaknesses in these systems. These weaknesses allow hackers to plant malicious code in the program’s updates and disrupt or shut down the system.
Following the study, Ovarro issued updates for all its problematic programs and controllers. According to the Claroty researchers, all versions of TWinSoft prior to version 12.4 are still vulnerable and at risk. Haaretz checked and found that the version the Or Akiva pump interface currently uses is 12.1.
Brizinov told Haaretz that they also reported the exposed interface, but no action was taken even then. In fact, a screenshot of the exact same interface, with the details blurred, can be seen in a blog post published by Brizinov and Katz warning people of the exploit. Brizinov said that he cannot dispute the municipality’s claim that this is a monitoring system only and that no actual actions can be taken with it. However, Haaretz has learned that the National Cyber Directorate had already approached the Or Akiva municipality in 2021, in the wake of the exploit's publication, but on Thursday, as noted, the interface was still exposed.
“I see two problems here,” said Brizinov. “The first is that Israeli entities connect [such] products without basic protections. And when these systems allow real operation – shutting off a pump, connecting a pump, changing parameters — then a physically destructive action can be taken.”
The two Claroty researchers discovered that 63 percent of all the TBox interfaces worldwide are in a similar position to the Or Akiva sewage system – completely exposed on the web, without basic password protection. Of these interfaces, 5.3 percent were identified in Israel.
“Another point is the optics,” Brizinov added. “Even if the systems are for monitoring only, without the capability to perform physical actions, hackers can still take pride in the hack: get in, take photos and say ‘we hacked Or Akiva’ – and even if they don’t change even one parameter, it doesn’t matter to them because their goal is that image,” he said.
The Or Akiva municipality responded: “When the information was received on Thursday morning the engineering and security department began working with the Hadera sewage plant and the Water Authority’s cyber department to deal with the matter. It is important to note that the internet page is a data base of the actions of the sewage pumping stations, and there is no possibility of any active steps by a reader of the page, certainly not malicious action, perish the thought. Out of an abundance of caution, the page was removed from the web.”
In addition to making sure these systems are updated, the National Cyber Directorate recommends taking the following basic steps to protect remote terminal units: First, change the default password of the management interface immediately after installation. Second, make sure that the hardware and software in industrial installations and infrastructure are managed from dedicated organizational networks or through a VPN server with suitably strong authentication. Lastly, ensure that these remote controllers are accessible only from equipment that needs direct access to them, such as engineering stations.
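An added example, not code from Ovarro, Claroty or the National Cyber Directorate, that turns these recommendations, together with the 12.4 version threshold cited above, into an audit over an asset inventory. The inventory records, the field names on the Rtu class and the engineering-network addresses are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

VULNERABLE_BEFORE = (12, 4)  # article: TWinSoft versions prior to 12.4 remain vulnerable


@dataclass
class Rtu:
    """One inventory record for a remote terminal unit (assumed field layout)."""
    name: str
    software_version: str          # e.g. "12.1"
    https: bool                    # management interface served over TLS
    password_set: bool             # any password at all on the management interface
    default_password: bool         # still the vendor default
    allowed_sources: list = field(default_factory=list)  # CIDRs that may reach it; empty = anyone


def parse_version(v: str) -> tuple:
    """'12.1' -> (12, 1). Tuple comparison avoids the string-compare trap '12.10' < '12.4'."""
    return tuple(int(part) for part in v.split("."))


def audit(rtu: Rtu, engineering_nets: list) -> list:
    """Return the list of hardening gaps for one RTU; an empty list means it passes every check."""
    gaps = []
    if parse_version(rtu.software_version) < VULNERABLE_BEFORE:
        gaps.append(f"software {rtu.software_version} predates 12.4: apply vendor update")
    if not rtu.password_set:
        gaps.append("management interface has no password")
    elif rtu.default_password:
        gaps.append("default password still in use: change it after installation")
    if not rtu.https:
        gaps.append("interface served over plain HTTP")
    if not rtu.allowed_sources:
        gaps.append("reachable from any source: restrict to engineering stations")
    else:
        nets = [ipaddress.ip_network(n) for n in engineering_nets]
        for src in rtu.allowed_sources:
            if not any(ipaddress.ip_network(src).subnet_of(n) for n in nets):
                gaps.append(f"allowed source {src} is outside the engineering networks")
    return gaps


# Constructed sample inventory (not real sites or addresses).
ENGINEERING_NETS = ["10.20.0.0/16"]
EXPOSED = Rtu("pump-station-a", "12.1", https=False, password_set=False, default_password=False)
HARDENED = Rtu("pump-station-b", "12.4", https=True, password_set=True, default_password=False,
               allowed_sources=["10.20.30.0/24"])

if __name__ == "__main__":
    for rtu in (EXPOSED, HARDENED):
        print(rtu.name, audit(rtu, ENGINEERING_NETS) or ["ok"])
```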