US issues warning after cyberattacks on water supply in Israel

The U.S. government warned people running critical infrastructure to prepare immediately for cyberattacks, saying they face a “serious threat.”

The alert on Thursday cited an attack on Israel’s water supply in April as attackers’ readiness to hit critical systems through their sensitive operational technology — the computers and machines that operate water, power and other industrial systems.

Watch here:

Water Attack

In Israel, as in many places, parts of the water supply run on remote control. But the same connection that lets you in can let attackers in, too, if it’s not secured.

Attackers took advantage in April, breaking in to the cellular router — the remote connection device — for a water facility in Israel, reported Security Week.

They changed the commands on a device known as a PLC, or programmable logic controller, a crucial part of the water equipment and industrial control systems.

“If the bad guys had succeeded in their plot we would now be facing, in the middle of the Corona crisis, very big damage to the civilian population and a lack of water and even worse than that,” Israel’s country’s National Cyber Directorate leader, Yigal Unna, said at the CyberTechLive Asia conference.

“…(I)t wasn’t one or two controllers,” he added, according to The Jerusalem Post. “It was a… wide spectrum of attacks aiming specifically at energy and watering, and the only reason it failed was… our efforts, the INCD [Israel National Cyber Directorate] preparedness, the risk management.”


 Tel Aviv, Israel. Image: Fabrice Peresse/iStock

New Attacks

Israel’s Water Authority told employees to change passwords “with emphasis on the operational system and the chlorine control in particular,” and to disconnect systems from the Internet if the password could not be changed, ynetnews reported.

But this month, the Israeli Water Authority confirmed two new water attacks in June.

The attackers hacked agricultural water pumps in two new locations in Israel. Once again, they used the remote connection to take over water equipment controllers, Security Week said.

Water facilities should be concerned about the attacks, said Ilan Barda, CEO of security company Radiflow.

“The cybersecurity of water management facilities should be under high priority in most countries,” he told Archer News.

High-Level Attacks

The attackers took time to educate themselves on the machines, a sign that this was a high-level attack, Barda said.

“They did very, very accurate changes,” he said. “Somebody was doing very good homework. So, it was not just somebody getting sporadic access and then trying some changes,” he explained.

Foreign intelligence officials are connecting the first water attack to Iran, The Washington Post reported.


Large water pipe line in the Negev desert, Israel. Image: Flik47/iStock


Water facilities often have little money to prepare for attacks and are vulnerable, according to researchers.

“I think they are aware of the problem, but it’s not just not a priority and doesn’t have the right budget,” Barda said.

Cyber crooks have already infected US water companies with ransomware, affecting office computers and causing chaos, including attacks in Colorado in 2019 and North Carolina in 2018.

So far, there have been no reports that the attacks affected the water supply itself.

Still, that’s no reason to let down your guard, said Kwadwo Burgee, formerly of CISA and now with security company Rapid7.

“If you leave your door open and no one has come and taken anything from you, does that mean that you’re supposed to leave your door open all the time?” Burgee said.

“Immediate Steps”

The government alert lays out a plan for critical infrastructure cybersecurity.

The recommendations include steps such as:

—Immediately disconnect systems from the Internet that do not need Internet connectivity for safe and reliable operations. Ensure that compensating controls are in place where connectivity cannot be removed.

—-Plan for continued manual process operations should the ICS become unavailable or need to be deactivated due to hostile takeover.

It also urges that organizations protect their remote connectivity to operational technology, or OT, networks, including:

—Segment networks to protect PLCs and workstations from direct exposure to the Internet.

—-Ensure all communications to remote devices use a virtual private network (VPN) with strong encryption further secured with multifactor authentication

—Connect remote PLCs and workstations to network intrusion detection systems where feasible.

—Prohibit the use of default passwords on all devices, including controllers and OT equipment. 

There are many more steps with more detailed information in the alert.


Main image: Water treatment plant. Image: tuachanwatthana/iStock

Leave a Reply