The Radiflow Security Blog
Cyber Attack Targets Israel’s Water Supply – Analysis and Mitigation Recommendations
On April 26 the leading Israeli news site YNET reported that water and wastewater facilities in Israel were subject to cyber-attacks during the previous week. According to the article, officials at the National Water Authority stated that they had received several reports regarding cyber-attacks on OT systems that caused no damage. In addition, all water providers were required to change passwords to operational systems and to harden Internet-facing connections to operational environments.
Emerging incident details
Based on communication with our industry contacts within the region, we believe that a malicious actor had gained initial access remotely to some elements within an OT environment and had established its presence by using weak or default passwords to access various network elements (SCADA server, Historian or others).
There are a number of potential options for this initial access breach. Most local water supply and waste-water facilities are small sites, and most of them are connected to the Internet via cellular-based communication for maintenance and other purposes. These cellular routers are rarely hardened: password control is weak, insecure management interfaces are left enabled, and the device faces the Internet on a public IP address. It is therefore believed that the cyber-criminal activity was conducted remotely by scanning for known vulnerabilities and open ports and exploiting weak or default passwords.
Another likely avenue of access to this type of utility (water, electricity, transportation) is supply chain compromise. A number of contractors hold sensitive data such as network diagrams and credentials in order to deliver the services they provide, such as engineering site design, HMI and SCADA software and hardware provisioning, and daily maintenance. Some of these firms don’t have an appropriate cyber security posture to deal with more sophisticated attacks such as targeted spear phishing. Therefore, in some cases APT and cybercriminal groups prefer to gain access to supply chain companies and leverage that access against the target itself.
It is believed that physical on-site evidence helped detect this attack. However, there is no evidence as to the intention of the attacker at this point. There was no reason to exploit this kind of utility for confidential data exfiltration, so it is assumed that the purpose was to disrupt critical operations at a time of the attack group’s choosing. This modus operandi is similar to that of the infamous Triton malware, which was discovered before it was able to cause substantial damage.
These incidents further stress the importance of securing critical national infrastructures and in particular national water supply systems. Many international and local supervisory authorities have already taken steps in this direction, for example:
- The European NIS Directive specifically views water supply and distribution companies as operators of essential services (OES) which, as such, need to take appropriate security measures and notify the relevant national authorities upon serious cyber incidents.
- In the United Kingdom the NCSC has developed the Cyber Assessment Framework which provides cyber security guidance for vital service organizations.
- In the US in October 2018, America’s Water Infrastructure Act was signed into law. This act requires community (drinking) water systems serving more than 3,300 people to develop or update risk assessments and emergency response plans including cyber security issues.
Precedents – attacks on water facilities
This is not the first time that water utilities have come under cyber-attack.
- In 2013, an Iranian-based hacker team was behind a malicious breach into the systems of the New York Bowman Dam SCADA system.
- In 2016 Verizon said it was investigating an OT network breach at an unnamed water utility referred to by Verizon as the Kemuri Water Company (KWC). In that breach, multiple PLCs’ logics were manipulated, and water supply was disrupted.
- In 2018, our own Radiflow intrusion detection system discovered crypto-mining malware in the OT network of one of our water infrastructure customers.
- Other water facilities were subject to ransomware attacks, including Jacksonville, NC-based ONWASA and the Fort Collins-Loveland, CO Water District.
Mitigation & prevention tools are readily available
Best practices for preventing cyber-attacks should include, but are not limited to:
- OT network segmentation
- End-to-end secure remote access connectivity, if applicable
- Proper hardening of network and IT equipment such as routers, servers and endpoints
- Strong authentication mechanisms and authorization methods
- Continuous monitoring and threat detection on the OT network
The cyber security posture of every OT network should be assessed periodically and detected gaps should be rectified by establishing a detailed mitigation work plan.
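The periodic assessment described above can be partly automated. The following script is an added example (not Radiflow’s code) that checks a constructed device inventory for the three weaknesses this post attributes to cellular routers and SCADA hosts: default or weak passwords, insecure management services exposed on the WAN side, and a directly routable management address. The inventory format, the default-credential list and the 12-character password threshold are assumptions for illustration.

```python
"""Remote-access hardening audit for small water/wastewater sites (added example,
not Radiflow's code). Flags the weaknesses the post names for cellular routers
and SCADA hosts: default/weak passwords, insecure management services exposed
on the WAN side, and a directly routable (public) management address."""
import ipaddress

# Constructed vendor-default pairs; a real audit would load the site's own list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("admin", "")}
INSECURE_SERVICES = {"telnet", "http", "ftp", "snmp-v1"}
MIN_PASSWORD_LEN = 12  # assumed site policy
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8")]

# Constructed inventory; 203.0.113.10 is a documentation address standing in for a public IP.
INVENTORY = [
    {"name": "site7-cell-router", "ip": "203.0.113.10", "user": "admin", "password": "admin",
     "wan_services": ["http", "telnet"]},
    {"name": "site7-scada", "ip": "192.168.7.20", "user": "operator", "password": "Summer2020",
     "wan_services": []},
    {"name": "site9-cell-router", "ip": "10.8.0.4", "user": "svc-maint", "password": "xK9#mQv2!tLp",
     "wan_services": ["https"]},
]

def is_routable(ip):
    """True if the address is outside RFC 1918 / CGNAT / loopback space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)

def audit_device(dev):
    """Return the list of hardening findings for one device (empty list = clean)."""
    findings = []
    if (dev["user"], dev["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    elif len(dev["password"]) < MIN_PASSWORD_LEN:
        findings.append("weak-password")
    for svc in dev["wan_services"]:
        if svc in INSECURE_SERVICES:
            findings.append(f"insecure-wan-service:{svc}")
    if is_routable(dev["ip"]):
        findings.append("public-management-ip")
    return findings

def audit_inventory(inventory):
    """Map device name -> findings, keeping only devices that need remediation."""
    return {d["name"]: f for d in inventory if (f := audit_device(d))}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

The findings map directly onto the mitigation work plan: each flagged device gets a credential change, WAN-side service removal, or a move behind a secure remote-access gateway.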
What if a water facility is unable to set up an in-house OT security department?
Obviously, some water facilities don’t possess the skilled human resources and/or CAPEX to establish an OT security management system.
In such cases, we recommend hiring a trusted Managed Security Service Provider (MSSP), which can help both with the adoption of security technology and with establishing a continuous OT monitoring service and security assessment program. The cost in such a case is treated as an operational expense, making it easier for the water utility to budget for.
A water purification site in Sderot, Israel. A memo sent by Water Authority officials ordered all personnel to immediately change passwords, ‘with emphasis on operational system and chlorine control in particular’.