Israeli authorities have warned of possible attacks on SCADA systems of wastewater treatment, water pumping and sewerage facilities
# Incident Report: Targeted Attacks on Israeli Water Infrastructure
## Executive Summary
In late April 2020, Israeli national authorities identified a series of coordinated cyberattacks targeting the Supervisory Control and Data Acquisition (SCADA) systems of water and wastewater facilities. The attackers attempted to manipulate chemical levels (such as chlorine) in the water supply by exploiting internet-facing industrial control systems. While the attempt was detected and neutralized before significant physical harm occurred, it represents a significant escalation in targeting critical national infrastructure.
## Incident Details
- **Discovery Date:** April 24-25, 2020
- **Incident Date:** April 2020
- **Affected Organization:** Multiple local water committees and utility providers
- **Sector:** Water and Wastewater Systems (Critical Infrastructure)
- **Geography:** Israel
## Timeline of Events
### Initial Access
- **Date/Time:** April 2020
- **Vector:** Exploitation of internet-accessible Human-Machine Interfaces (HMIs) and Programmable Logic Controllers (PLCs).
- **Details:** Attackers targeted systems directly connected to the public internet, likely using brute-force attacks or exploiting weak authentication on management interfaces.
### Lateral Movement
- **Details:** Minimal lateral movement was required; attackers focused on direct interaction with the SCADA interfaces and PLCs controlling chemical dosing and pump operations.
### Data Exfiltration/Impact
- **Details:** The primary objective was not data theft but operational disruption. Attackers attempted to alter water parameters, specifically aiming to increase chlorine levels or disable pumps to disrupt supply.
### Detection & Response
- **How it was discovered:** Anomalies in the SCADA system behavior were detected by facility operators and national monitoring centers.
- **Response actions taken:** The Israel National Cyber Directorate (INCD) issued an emergency directive to all water facilities to immediately change passwords for internet-connected systems, update software, and, where possible, disconnect control systems from the public internet.
## Attack Methodology
- **Initial Access:** Exploitation of exposed industrial control services reachable from the internet (e.g., Modbus/TCP, Siemens S7, or web-based HMIs).
- **Persistence:** Likely achieved through hijacked administrative credentials.
- **Privilege Escalation:** Direct access to admin-level HMI panels provided necessary privileges.
- **Defense Evasion:** Minimal; the attack relied on the obscurity of the targeted facilities.
- **Credential Access:** Brute-forcing or use of default factory credentials.
- **Discovery:** Locating exposed ICS services via internet scan search engines such as Shodan or Censys.
- **Lateral Movement:** N/A (Direct Infrastructure Attack).
- **Collection:** Monitoring of real-time sensor data within the SCADA environment.
- **Exfiltration:** N/A.
- **Impact:** Attempted manipulation of chemical dosing and physical equipment malfunction.
## Impact Assessment
- **Financial:** Low (costs limited to incident response and remediation).
- **Data Breach:** None reported.
- **Operational:** Minor localized service disruptions; potential for significant equipment damage.
- **Reputational:** High; highlighted vulnerabilities in critical infrastructure security posture.
## Indicators of Compromise
- **Network indicators:** Traffic from unauthorized IP addresses to TCP port 502 (Modbus) or 102 (Siemens S7).
- **Behavioral indicators:**
  - Unauthorized login attempts to PLC/HMI interfaces.
  - Unexplained changes in chemical dosing setpoints.
  - Sudden changes in pump logic or automated sequences.
## Response Actions
- **Containment:** Water facilities were instructed to disconnect industrial control systems from the public internet.
- **Eradication:** Universal reset of administrative passwords across the sector.
- **Recovery:** Verification of PLC logic and water quality testing to ensure safety parameters were restored.
## Lessons Learned
- **Key takeaways:** Critical infrastructure components (PLCs/HMIs) should never be directly accessible via the public internet.
- **Failure:** Many facilities relied on "security by obscurity" or reused simple passwords across critical systems.
## Recommendations
- **Network Segmentation:** Implement a strict DMZ between IT and OT (Operational Technology) networks.
- **Authentication:** Enforce Multi-Factor Authentication (MFA) for all remote access to industrial networks.
- **Vulnerability Management:** Regularly audit internet-facing assets to ensure no industrial protocols are exposed.
- **Monitoring:** Deploy ICS-specific network monitoring solutions to detect anomalous commands sent to PLCs.
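As an added example that is not part of the original report, the following Python script turns the network and behavioral indicators from the Indicators of Compromise section, together with the ICS-monitoring recommendation above, into detection logic run over constructed log lines. It models two feeds: perimeter flow records (sessions to Modbus/TCP 502 or S7 102 from addresses that are not engineering workstations) and a PLC/HMI change log (repeated failed logins, dosing setpoint writes outside a safe band, and PLC program downloads). The allowlisted subnet, the chlorine band, the failed-login threshold, the tag and event names, and every log line are assumptions constructed for this example; a real deployment would take them from the site's asset inventory and its process engineers.

```python
"""Detection logic for the report's IoCs, run over constructed log lines.

Two feeds are modelled: perimeter flow records (network indicator) and a
PLC/HMI change log (behavioral indicators). All IPs, tag names, safe bands,
thresholds and log lines below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

ICS_PORTS = {502: "modbus", 102: "s7comm"}
# Assumption: only this engineering-workstation subnet may reach the PLCs.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]
# Assumption: safe operating band per dosing tag (here mg/L free chlorine).
SAFE_BANDS = {"chlorine_setpoint_mg_l": (0.2, 2.0)}
FAILED_LOGIN_THRESHOLD = 5

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    kind: str
    ts: str
    detail: str


def parse(line):
    """'<timestamp> k=v k=v ...' -> dict, with the timestamp stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def source_allowed(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def check_flows(lines):
    """Network indicator: any session to an ICS port from a non-allowlisted IP."""
    alerts = []
    for rec in map(parse, lines):
        port = int(rec.get("dport", 0))
        if port in ICS_PORTS and not source_allowed(rec["src"]):
            alerts.append(Alert("ics_port_from_unauthorized_ip", rec["ts"],
                                f"{rec['src']} -> {rec['dst']}:{port} ({ICS_PORTS[port]})"))
    return alerts


def check_control_log(lines):
    """Behavioral indicators: brute-forced logins, out-of-band setpoints, logic changes."""
    alerts = []
    failures = Counter()
    for rec in map(parse, lines):
        event = rec.get("event")
        if event == "login_failed":
            failures[rec["src"]] += 1
            if failures[rec["src"]] == FAILED_LOGIN_THRESHOLD:  # alert once per source
                alerts.append(Alert("hmi_login_bruteforce", rec["ts"],
                                    f"{FAILED_LOGIN_THRESHOLD} failed logins from {rec['src']} on {rec['plc']}"))
        elif event == "write" and rec.get("tag") in SAFE_BANDS:
            lo, hi = SAFE_BANDS[rec["tag"]]
            if not lo <= float(rec["new"]) <= hi:
                alerts.append(Alert("setpoint_out_of_band", rec["ts"],
                                    f"{rec['tag']} {rec['old']} -> {rec['new']} by {rec['user']} on {rec['plc']}"))
        elif event == "program_download":
            # Logic downloads are rare and scheduled; every one deserves a ticket.
            alerts.append(Alert("plc_logic_changed", rec["ts"],
                                f"program downloaded to {rec['plc']} by {rec['user']} from {rec['src']}"))
    return alerts


# Constructed sample feeds; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
FLOW_LOG = [
    "2020-04-24T02:13:07Z src=10.20.1.7 dst=10.20.0.15 dport=502 proto=tcp",
    "2020-04-24T02:13:09Z src=203.0.113.45 dst=10.20.0.15 dport=502 proto=tcp",
    "2020-04-24T02:14:02Z src=198.51.100.9 dst=10.20.0.16 dport=102 proto=tcp",
    "2020-04-24T02:14:30Z src=203.0.113.45 dst=10.20.0.20 dport=443 proto=tcp",
]
CONTROL_LOG = [
    *(f"2020-04-24T02:15:{s:02d}Z plc=10.20.0.15 event=login_failed user=admin src=203.0.113.45"
      for s in range(5)),
    "2020-04-24T02:15:30Z plc=10.20.0.15 event=login_ok user=admin src=203.0.113.45",
    "2020-04-24T02:16:01Z plc=10.20.0.15 event=write user=admin tag=chlorine_setpoint_mg_l old=1.2 new=1.3",
    "2020-04-24T02:16:40Z plc=10.20.0.15 event=write user=admin tag=chlorine_setpoint_mg_l old=1.3 new=4.8",
    "2020-04-24T02:18:12Z plc=10.20.0.16 event=program_download user=admin src=198.51.100.9",
]


def run(flow_lines=FLOW_LOG, control_lines=CONTROL_LOG):
    """Return every alert raised by both feeds, flow alerts first."""
    return check_flows(flow_lines) + check_control_log(control_lines)


if __name__ == "__main__":
    for a in run():
        print(f"{a.ts} {a.kind}: {a.detail}")
```

Against the constructed feeds this raises five alerts: two sessions to ICS ports from outside the allowlisted subnet, one brute-force alert on the fifth failed login from a single source, one chlorine setpoint written far above the safe band, and one program download. The band check is deliberately absolute rather than a delta so that a series of small steps out of range is still caught; a per-tag rate-of-change check is the natural next addition.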