Iran Did Its Cyber Homework and Managed to Embarrass ‘Israel’ - Haaretz

By Staff, Haaretz

Commenting on the latest cyber-attack at the end of April that has been attributed to Iran and was directed at six wastewater treatment plants around ‘Israel’, Amitai Ziv wrote for ‘Israeli’ Haaretz newspaper that the incident was exceptional in two respects.

First of all, it targeted physical infrastructure that potentially could have inflicted damage in the real world – as opposed to more common attacks on computer networks. Secondly, the attack was successful to some extent.

According to a report on ‘Israeli’ Ynet news website, the sewage treatment plants recorded faulty data, pumps went out of control and the attackers took over the operation system at one station. Late Monday, The Financial Times of London reported that, according to a Western intelligence source, the Iranian attackers had attempted to boost the levels of chlorine in the water supplied to ‘Israeli’ consumers.

There was another cyber-attack on ‘Israel’ on May 21. This time, thousands of ‘Israeli’ websites were altered. “We have seen many such acts of defacement in the past, but this one was exceptional in its scope and duration. Some of the websites were down for an entire day,” the author said.

The websites affected included small businesses, some of which are entirely dependent on e-commerce at a time when they were trying to recover from the economic impact of the coronavirus pandemic. This attack could not be attributed to Iran and was probably perpetrated by amateur anti-‘Israeli’ hackers from several countries.

We will remember the events of recent weeks, as well probably all of 2020, as a turning point in the history of modern cyber warfare, Yigal Unna, the director general of the ‘Israel’ National Cyber Directorate, told CybertechLive Asia, an online cybertechnology conference on Thursday.

Unna called the targeting of the ‘Israeli’ entity’s water infrastructure an organized and synchronized attack. “If the bad guys had succeeded in their plot, we would now be facing, in the middle of the corona crisis, very big damage to the civilian population and a lack of water and even worse than that.”

In fact, such incidents provide a glimpse of the wars of the future. Cyberspace will assume an increasing part in geopolitical confrontations and conflicts.

Unna said that the Cyber Directorate didn’t exactly manage to prevent the attack, which in fact occurred. “And we probably won’t be prepared for the next attack either.”

“I reported to the Cyber Directorate in September about fuel containers that are open to the web. I checked at the end of last week, and they are still accessible to anyone with a keyboard,” said Noam Rotem, who is an ethical hacker, someone who looks for flaws in a computer system but does so within the law.

“This involves the fuel stations’ primary tanks, which I can simply lock remotely and damage supply. And this is not the only case. I reported to the Cyber Directorate about industrial refrigerators that are open to the web, about hotel climate control systems, central heating systems and others.”

Sources familiar with the subject said that the Iranians didn’t need to employ special capabilities to access it. “They are the same controls,” Rotem asserted. “Today it’s water. Tomorrow it [could be] oil.”

The first problem is that the Cyber Directorate is not authorized to order civilian companies to do anything. It can only make recommendations, and there are a very few sanctions that it can impose on companies lacking proper security.

“I once discovered a system at an emergency entity that included individuals’ biometric data. I entered, saw the information and immediately reported it to the Cyber Directorate,” Rotem said. “I get an email a few days later from the directorate. The company says [the breach] is closed. We can’t check. Can you confirm this? They have no legal authority,” he recounted.

The Cyber Directorate is responsible for critical infrastructure. Last year, the Comptroller’s Office published a report on the Cyber Directorate and on insufficient preparedness when it comes to critical infrastructure. But – and this is another problem – desalination plants are not deemed critical infrastructure.

“If I shut down a purification plant, and redirect wastewater into irrigated fields, and E. coli gets into food, is that not critical?” a senior cyber security official wondered. “What’s aggravating about the story is that if you do a scan with Shodan,” a reference to a search engine for Internet-Of-Things devices, “you will find all kinds of open devices in ‘Israel.’ You think that the solar panels on the roof, which send electricity back into the grid, aren’t exposed? You don’t have to be a genius. It’s as easy as pie. The business-economic [sector], which is based on computer networks, is exposed – and ‘Israel’ isn’t doing enough to protect it. Regulation is much stricter in Germany, for example.”

A third problem is the classic ‘Israeli’ confusion over who has responsibility.

Now ‘Israel’ has a Water Resources Ministry and a new cyber security office is also being established. So who is being given the responsibility for the waste treatment plants? Everyone wants a piece of cyber security. Sounds good, until the next cyber-attack takes place, when no one will be at fault.

Hacking is the ability to find systems’ weaknesses, not only the kinds based on digital technology. The Iranians found a perfect spot to hit, from their standpoint – vulnerable operational infrastructure that is not deemed of critical importance, and where areas of responsibility are hazy. From that standpoint, the Iranians not only hacked into water treatment plants, but also into ‘Israel’s’ very operation system.