Israel’s water facilities attack (2020)

From International cyber law: interactive toolkit
Date: The attack took place between 24 and 25 April 2020.[1]
Suspected actor: The press linked the attack to the Islamic Republic of Iran, citing alleged claims by unnamed foreign intelligence officials.[2] As of May 2022, neither Israel[3] nor any other State has attributed the attack directly to Iran. Iranian officials denied involvement in the attack.[4]
Victims: The attack targeted six water supply and treatment facilities in two rural districts in Israel,[5] which provide drinking water and wastewater removal and treatment services to residential areas and to medical and commercial recipients.[6] It was reported that if the attack had succeeded, it would have caused substantial damage to the civilian population of those areas, including a shortage and contamination of drinking water.[7]
Target systems: The attack simultaneously targeted the supervisory control and data acquisition (SCADA) systems of six Israeli water supply and treatment facilities.[8] It was reported that it specifically targeted the systems that control water flow,[9] the regulation of chlorine and other chemicals added to the water,[10] and wastewater treatment.[11] The attack allegedly targeted specific programmable logic controllers used to manage valves in the affected facilities.[12]
Method: The attackers allegedly accessed the SCADA systems of the facilities through computer servers in the United States and various European countries.[13] Some sources claim that the human-machine interface was directly exposed to the internet without further protection, allowing the attackers to access the control system and change the values therein.[14]
Purpose: Israel’s cyber authorities referred to the incident as a “synchronized and organized attack aimed at disrupting key national infrastructure”,[15] in particular, water supply in the relevant areas, during the Covid-19 crisis.[16] It was reported that the attack – if successful – could have triggered the shutting down of pumps, creating a water shortage in the affected areas in Israel.[17] In addition, according to Israel’s Water Authority[18] and National Cyber Directorate,[19] the attack was aimed at altering the levels of chlorine or other chemicals in the water source of residential areas to proportions dangerous and harmful to the population.[20]
Result: The attack was detected in time by Israel’s Water Authority[21] and the National Cyber Directorate,[22] and was countered and thwarted without causing any substantial disruption or damage to the water supply and treatment services, which continued to operate without interruption.[23]

Nevertheless, the attack managed to reach and affect the systems of certain targeted facilities, for example by introducing changes or deleting data, taking over the operating system, and forcing a disconnection and reset of all parameters. In one of the targets, it caused the pump to go into continuous operation, circumventing its automatic mode.[24] The operators therefore had to respond by taking defensive measures.[25] The operation highlighted the risk of attacks against internet-exposed industrial control systems.[26]

Aftermath: In response to the attack, Israel’s National Cyber Directorate issued a security alert and ordered all water and energy entities to immediately change the access passwords in all internet-connected control and operation systems, to reduce their internet connectivity, and to ensure that the most up-to-date version of software was installed.[27] Similar alerts were issued by the Water Authority, with a particular focus on the systems related to chlorine control devices.[28]

On 9 May 2020, the computer system of Iran’s Shahid Rajaee port was subject to a major cyber-attack targeting the systems that regulate shipping traffic,[29] disrupting transport for several days.[30] Although not officially acknowledged, foreign government officials have linked the attack to Israel, as alleged retaliation in kind for the attacks against its water facilities.[31]

In 2021, Israel’s Water Authority continued its efforts to enhance the protection of its critical infrastructure and defend it from hostile cyber operations, including ransomware attacks.[32]

Analysed in: Although no scenario addresses this exact set of circumstances, relevant scenarios include:

Scenario 06: Cyber countermeasures against an enabling State

Scenario 20: Cyber operations against medical facilities

Collected by: Dominique Steinbrecher

  1. Warrick, J. & Nakashima, E., Foreign intelligence officials say attempted cyberattack on Israeli water utilities linked to Iran, The Washington Post (8 May 2020).
  2. See, e.g., Warrick, J. & Nakashima, E., Foreign intelligence officials say attempted cyberattack on Israeli water utilities linked to Iran, The Washington Post (8 May 2020); Warrick, J. & Nakashima, E., Officials: Israel linked to a disruptive cyberattack on Iranian port facility, The Washington Post (18 May 2020); Staff, T., 6 facilities said hit in Iran’s cyberattack on Israel’s water system in April, The Times of Israel (19 May 2020); Staff, T., Iran cyberattack on Israel’s water supply could have sickened hundreds – report, The Times of Israel (1 June 2020); Winston, A., Iran used US servers in cyberattack on Israeli water facilities – report, The Jerusalem Post (7 May 2020); Heller, A., Israeli cyber chief: Major attack on water systems thwarted, AP News (28 May 2020); Cimpanu, C., Two more cyber-attacks hit Israel's water system, ZD Net (20 July 2020); Mimran T. & Shany, Y., Israel, Cyberattacks and International Law, Lawfare (20 December 2020); Council on Foreign Relations, Attack on Israeli water utilities (2020).
  3. Staff, T., Iran cyberattack on Israel’s water supply could have sickened hundreds – report, The Times of Israel (1 June 2020); Staff, T., ‘Cyber winter is coming,’ warns Israel cyber chief after attack on water systems, The Times of Israel (28 May 2020); Warrick, J. & Nakashima, E., Officials: Israel linked to a disruptive cyberattack on Iranian port facility, The Washington Post (18 May 2020); DW, Israel thwarted attack on water systems: cyber chief (28 May 2020).
  4. Warrick, J. & Nakashima, E., Officials: Israel linked to a disruptive cyberattack on Iranian port facility, The Washington Post (18 May 2020); Al Jazeera, Israel cyberattack caused ‘total disarray’ at Iran port: Report (19 May 2020).
  5. Council on Foreign Relations, Attack on Israeli water utilities (2020).
  6. Warrick, J. & Nakashima, E., Foreign intelligence officials say attempted cyberattack on Israeli water utilities linked to Iran, The Washington Post (8 May 2020).
  7. Heller, A., Israeli cyber chief: Major attack on water systems thwarted, AP News (28 May 2020).
  8. Staff, T., 6 facilities said hit in Iran’s cyberattack on Israel’s water system in April, The Times of Israel (19 May 2020); Kovacs, E., Israel Says Hackers Targeted SCADA Systems at Water Facilities, Security Week (27 April 2020).
  9. Staff, T., Iran cyberattack on Israel’s water supply could have sickened hundreds – report, The Times of Israel (1 June 2020).
  10. Staff, T., Iran cyberattack on Israel’s water supply could have sickened hundreds – report, The Times of Israel (1 June 2020); Financial Times, Israel-Iran attacks: ‘Cyber winter is coming’ (31 May 2020).
  11. Warrick, J. & Nakashima, E., Officials: Israel linked to a disruptive cyberattack on Iranian port facility, The Washington Post (18 May 2020).
  12. Kovacs, E., Hackers Knew How to Target PLCs in Israel Water Facility Attacks: Sources, Security Week (30 April 2020); Warrick, J. & Nakashima, E., Foreign intelligence officials say attempted cyberattack on Israeli water utilities linked to Iran, The Washington Post (8 May 2020).
  13. Warrick, J. & Nakashima, E., Foreign intelligence officials say attempted cyberattack on Israeli water utilities linked to Iran, The Washington Post (8 May 2020); Warrick, J. & Nakashima, E., Officials: Israel linked to a disruptive cyberattack on Iranian port facility, The Washington Post (18 May 2020); Staff, T., Iran cyberattack on Israel’s water supply could have sickened hundreds – report, The Times of Israel (1 June 2020).
  14. Kovacs, E., Iranian Hackers Access Unprotected ICS at Israeli Water Facility, Security Week (4 December 2020).
  15. Staff, T., Iran cyberattack on Israel’s water supply could have sickened hundreds – report, The Times of Israel (1 June 2020); International Institute for Counter-Terrorism (ICT), Cyber Updates April - June 2020 Report (4 March 2021) 26.
  16. Warrick, J. & Nakashima, E., Foreign intelligence officials say attempted cyberattack on Israeli water utilities linked to Iran, The Washington Post (8 May 2020).
  17. Staff, T., Iran cyberattack on Israel’s water supply could have sickened hundreds – report, The Times of Israel (1 June 2020); Shushan, I. B., Failed cyberattack on Israel was designed to trigger a humanitarian disaster, Israel Hayom (28 May 2020).
  18. Goud, N., Cyber Attack on Israel water system, Cybersecurity Insiders (2020).
  19. Spencer Jones, J., Israel steps up cyber protection of country’s water supply, Smart Energy International (23 July 2021).
  20. Staff, T., Iran cyberattack on Israel’s water supply could have sickened hundreds – report, The Times of Israel (1 June 2020); Goud, N., Cyber Attack on Israel water system, Cybersecurity Insiders (2020).
  21. Warrick, J. & Nakashima, E., Foreign intelligence officials say attempted cyberattack on Israeli water utilities linked to Iran, The Washington Post (8 May 2020).
  22. DW, Israel thwarted attack on water systems: cyber chief (28 May 2020).
  23. Staff, T., 6 facilities said hit in Iran’s cyberattack on Israel’s water system in April, The Times of Israel (19 May 2020); DW, Israel thwarted attack on water systems: cyber chief (28 May 2020).
  24. Staff, T., 6 facilities said hit in Iran’s cyberattack on Israel’s water system in April, The Times of Israel (19 May 2020).
  25. Lyngaas, S., Israeli official confirms attempted cyberattack on water systems, Cyber Scoop (28 May 2020).
  26. Kovacs, E., Israel Says Hackers Targeted SCADA Systems at Water Facilities, Security Week (27 April 2020).
  27. The National Cyber Directorate, Attempts to attack control and monitoring systems in the water sector, SCADA Alert (April 2020) (free translation).
  28. Staff, T., 6 facilities said hit in Iran’s cyberattack on Israel’s water system in April, The Times of Israel (19 May 2020); Goud, N., Cyber Attack on Israel water system, Cybersecurity Insiders (2020); Cimpanu, C., Israel government tells water treatment companies to change passwords, ZD Net (21 April 2020).
  29. Warrick, J. & Nakashima, E., Officials: Israel linked to a disruptive cyberattack on Iranian port facility, The Washington Post (18 May 2020).
  30. Al Jazeera, Israel cyberattack caused ‘total disarray’ at Iran port: Report (19 May 2020).
  31. Al Jazeera, Israel cyberattack caused ‘total disarray’ at Iran port: Report (19 May 2020); Warrick, J. & Nakashima, E., Officials: Israel linked to a disruptive cyberattack on Iranian port facility, The Washington Post (18 May 2020); Cimpanu, C., Two more cyber-attacks hit Israel's water system, ZD Net (20 July 2020); Staff, T., Iran cyberattack on Israel’s water supply could have sickened hundreds – report, The Times of Israel (1 June 2020).
  32. Spencer Jones, J., Israel steps up cyber protection of country’s water supply, Smart Energy International (23 July 2021).