ICS Cyber Security - The Risk of Exposed ICS to Industrial Companies

10 May 2020

COVID-19 did not create Industrial Control Systems (ICS) cyber security exposure to the internet - but it may have intensified the process. As employees began working from home, operational networks had to be opened for remote connection. Providing employees, suppliers, and partners access to OT environments was crucial in order to maintain productivity - but it also increased the risk of cyber incidents. 

On Sunday, April 26th, 2020, the Israeli Water Authority (IWA) reported a cyber attack attempt targeting the water sector’s Operational Technology (OT) systems in multiple locations across the country. The authority, which is responsible for the production and distribution of water, as well as seawater desalination and sewage treatment, advised the local water corporations to change the access credentials of all ICS connected to the internet. Where that was not possible, the IWA advised them to disconnect the ICS from the internet completely. 

At the time, some researchers suggested that the attack originated from the Gaza Strip. According to these reports, the hackers managed to gain access to several controllers after searching for exposed assets on Shodan, a search engine dedicated to finding computers, servers, machines, and devices connected to the internet.

ICS have been opening up to the internet as part of the Industry 4.0 revolution. Internet connectivity allows operators and manufacturers to improve efficiency, decentralize their organizations, and improve profitability. This trend had an unpleasant flip-side, as the exposure of ICS to the internet also meant that hackers and cybercriminals could now gain access to them if they were not properly protected. 

ICS Security Exposure Spikes in the Wake of COVID-19

ICS exposure has been a security concern for nearly a decade. Until recently, it appeared that growing awareness of OT security was leading to a slow, yet steady, decrease in ICS exposure. Then COVID-19 came on the scene and changed everything. 

In a blog post from March 2020, Shodan pointed to a steep increase in internet exposures in the ICS segment over the first three months of the year. Over 120,000 controllers were discovered showing open communication ports, reaching an unprecedented peak. 

So what brought about this alarming spike in ICS exposure after a long period of steady decrease? One explanation is the major consequences of the COVID-19 pandemic, which are pushing industries to ease remote access to their production assets.

From an attacker’s point of view, the exposure of such assets is an effective shortcut on the road to gaining control over the productive core of an industrial organization - be it water utilities, oil refineries, the food and beverage industry, or pharmaceutical manufacturing plants. Without this exposure, the common path to reach the control systems would require a sophisticated network attack, which typically has a low success rate. 

For Advanced Persistent Threats (APTs) that seek “quality targets”, such assets are more than low-hanging fruit. For example, in 2013, an Iranian state-backed attack group managed to take over the controllers of the Bowman Dam (NY). The physical damage in this case was minor, but it made the United States Department of Homeland Security authorities feel uncomfortable in their own backyard. The attack conveyed a “symbolic message”.

The plot thickens...

Back to Israel. On May 7th, 2020, Fox News reported that Iran was responsible for the April 26 attack, also noting that Iran used American servers to break into the Israeli water and sewage OT.

Although no official authority, in either Israel or the US, confirmed the report, some important questions must be raised regarding the depth and sophistication of this ICS OT cyber attack. Was it accomplished using only internet-exposed ICS? Or was it the result of a longer, sustained attack on Israeli water companies and authorities?

Both options are highly probable. As in many other countries around the world, some of Israel’s infrastructure assets are exposed to the World Wide Web. On the other hand, given Iran’s track record of cyber attacks, taking over the OT in an attempt to disrupt the control of chlorine additives in water wells (as some reports claimed) can be considered yet another milestone in their long odyssey.

Whatever the true nature of the attack was, governments usually do not share the full story behind such cyber attacks, and we don’t expect this incident to be any different. Yet, in the unique context of ICS-related cyber attacks, this is a case that warrants study and analysis when we design our security solutions and expect them to meet real-life scenarios.

Risk-Management by Design

Incidents like the one described above are typically caused by a lack of awareness, insufficient monitoring, and unsafe design. They can be prevented by conducting periodic security assessments and penetration tests, along with threat intelligence collection and analysis. 

Here are some risk-management steps and ICS OT security solutions:

  • Monitor your digital footprint and map your exposure: Perform periodic scans to discover what information about your digital assets is exposed, or has leaked to an external location, and understand what an attacker can do with it. You can then create and implement a mitigation plan to manage your risks and improve your security posture.
  • Apply Threat Intelligence: Learn which adversarial groups threaten your organization, collect information about their tactics, techniques, and procedures (TTPs), and monitor their activity.
  • Preparedness: Design your OT networks so that critical assets will be highly protected, minimizing both the probability and the potential severity of a cyber-attack.
  • Proactive Intervention: Be ready to handle an incident by training your security teams, developing clear security protocols, and having a professional Incident Response Team (IRT) on-call.
  • Adopt a Holistic View of IT and OT: As a productive organization, your cybersecurity policy cannot be complete without giving special attention to your OT. If you suffered an attack on your IT infrastructure, never assume that your OT wasn’t damaged as well.
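The first step above, mapping your own exposure, is the one the Israeli incident turns on: controllers reachable from the internet on well-known ICS protocol ports. The following script is an added example (not from this post or any vendor tool) that takes an organization's own netblocks and a set of scan records shaped like Shodan's host export (`ip_str`, `port`, `product` are assumed field names), keeps only the records inside those netblocks, and rates each finding so that exposed ICS ports surface first with the same remediation the IWA advised: isolate and rotate credentials. The netblocks and records are constructed sample data.

```python
import ipaddress

# Well-known ICS/OT protocol ports (public knowledge) used to rate findings.
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed sample data: our own address space (TEST-NET ranges) and a few
# scan records in the shape of a Shodan-style host export (assumed field names).
OWN_NETBLOCKS = ["203.0.113.0/24", "198.51.100.0/25"]
SCAN_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 502, "product": "Modbus"},      # our PLC
    {"ip_str": "203.0.113.10", "port": 443, "product": "nginx"},       # our web UI
    {"ip_str": "198.51.100.200", "port": 102, "product": ""},          # outside /25
    {"ip_str": "198.51.100.7", "port": 44818, "product": "Rockwell"},  # our drive
    {"ip_str": "192.0.2.5", "port": 502, "product": "Modbus"},         # not ours
]

def is_owned(ip: str, nets) -> bool:
    """True if ip falls inside one of our netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def map_exposure(records, cidrs):
    """Return rated findings for records that belong to our netblocks,
    ICS protocol ports first, then by address and port."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    findings = []
    for rec in records:
        ip, port = rec["ip_str"], int(rec["port"])
        if not is_owned(ip, nets):
            continue  # someone else's asset: not our exposure to manage
        if port in ICS_PORTS:
            service, severity = ICS_PORTS[port], "critical"
            action = "disconnect from internet (VPN/jump host only); rotate credentials"
        else:
            service, severity = rec.get("product") or f"tcp/{port}", "review"
            action = "confirm business need; restrict by source address"
        findings.append({"ip": ip, "port": port, "service": service,
                         "severity": severity, "action": action})
    rank = {"critical": 0, "review": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], ipaddress.ip_address(f["ip"]), f["port"]))
    return findings

if __name__ == "__main__":
    for f in map_exposure(SCAN_RECORDS, OWN_NETBLOCKS):
        print(f"{f['severity']:8} {f['ip']}:{f['port']:<5} {f['service']:15} -> {f['action']}")
```

Run periodically against a fresh export and diff the output against the previous run; a new "critical" line is a controller that was not internet-facing last time.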