The hacks may provide useful examples of what needs to be done in Israel to protect its own vital resources, including its water supply. The risk has also spiked that a hack of a private company could lead to the infiltration of a large number of government and security agencies.
On December 13, it was announced that Texas-based software firm SolarWinds Corp. was the victim of a Russian hacking campaign. Top US cyber officials said earlier this month that nine federal agencies and 100 private-sector companies had been affected by the hack. The repercussions of the hack were severe: the vast majority of US government institutions, including many in the defense and cyber establishment, had been hacked by Russia and their data had been harvested for months.
Then on February 5 it was announced that the water supply of the small 15,000-person town of Oldsmar, Florida (near Tampa Bay) had been hacked and that absent the intervention of one human monitor, the water could have been poisoned – leading to a mass death incident.
Israel is no stranger to these dangers.
In the spring of 2020, a series of Israeli officials indicated, off-the-record and with clear public hints, that Iran had hacked part of the country’s water supply.
While Israel was able to block the attack from spiraling past some initial success to avoid the loss of life, Israel National Cyber Directorate Chief Yigal Unna said it was a major turning point in cyber history and that “cyber winter is coming, and it is faster and stronger than the worst estimates.”
Since then, there have been three other less high-profile attempts to hack Israel’s water supply, including as recently as December.
In addition, insurance giant Shirbit was hacked, Israel Aerospace Industries was hacked and hundreds of other Israeli companies were hacked either in December or within recent months.
The INCD has confirmed that it has been in contact with US counterparts to compare notes on the water supply cyber hacks.
FORMER IDF cyber intelligence official Yaron Rosen recently told The Jerusalem Post that the hack in Florida was “very different, but had a resemblance” to the April 2020 hack of Israel’s water supply.
He noted that “the attack on the Israeli water supply was probably conducted by Iran,” while the one in “Florida was probably [carried out] by a [non-state] hacker, and we are not sure what the incentive was.”
Brig.-Gen. (ret.) Rosen, the president of TOKA, an IDC-ICT senior fellow and former chief of the IDF cyber staff, emphasized that one lesson learned was that whether in the US or Israel, “critical infrastructure companies carry public health [obligations] whether in energy, transportation or another area.” Further, he said, “the nation has a responsibility to lead efforts in order to protect” its companies and citizens.
Asked why neither the US nor Israel has succeeded at blocking major hacks despite past experience with incidents such as the 2017 WannaCry worldwide cyber attack, he said that the challenge was in some ways more complex than any prior threat.
He said that even the smartest policymakers had not fully made the necessary conceptual jump because “the involvement you need from the private sector in defending the physical border is practically zero.”
But, he said, the private sector must help defend a country’s cyber warfare “border” in a way that neither it nor the government is used to.
“Everyone has to be involved. Banks have to be involved. What do banks have to do with defending against Israel’s enemies? Guess what: they have to be, or Iran or North Korea will steal” countries’ national security and business secrets, he stated.
“Russia is not invading the US in any physical way, but Russia in cyber space is actively invading the US, period, exclamation mark!”
Regarding the water supply company in Florida, Rosen asked “who took care to grade that company for its cyber safety standards? Who did risk assessment and compliance management? That’s the role of the government.”
“How did the state not disbar this water treatment plant from providing water treatment... You were not compliant? You are not allowed to supply water – the day after they will comply!” he exclaimed.
One idea Rosen is highlighting is the equivalent of a “cyber WHO,” meaning a global agency responsible for setting general norms and building the cyber defense capacity of weaker countries.
Rosen said the US and like-minded allies should be ready to tell countries with inadequate cyber defenses, “if you don’t decide to defend your landscape, your S&P loans you are asking for from the World Bank - you will get at a higher price because” you are acting irresponsibly.
Likewise, Monstercloud CEO Zohar Pinhasi said to the Post, “If you were able to hack a water plant, you need to know what you are doing. The software is very specialized software. They need to know the platform... to change things to a point where it will cause” harm.
Pinhasi, who worked in information security during his IDF service, said, “this has been going on for years... I was able to hack a computer with no Internet... if it’s a computer, it can be hacked. It’s a game of cat and mouse.”
If hackers can “figure out what equipment a facility uses, then they can purchase one. They’ll try to find vulnerabilities using so many methods and then apply that vulnerability against that method. Don’t disclose what equipment you are using,” so as not to allow hackers that planning advantage, he said.
He described a common situation in which “a small town got hacked, but the problem is that the small town is actually connected” with broader parts of the country, which can lead to “a domino effect. Law enforcement agencies are connected to other agencies using various connections - those agencies are also at risk.”
Moving on to the SolarWinds hackers, the Monstercloud CEO explained that they “gained access to a trusted supplier, which is huge. If you download an update from Microsoft, you’re not going to check if it’s legitimate... We will see the echo of this event for the next couple of years. No one really knows how deep they went.
“I would say shame on the government that they have not even thought about an event such as this... the name of the game is social engineering... Hackers don’t sit in a basement with a hoodie. These are extremely smart individuals” who draft long-term plans to use human nature as a vulnerability, he cautioned.
FORMER US Air Force cyber intelligence official Jeff Bardin called the Florida water sector hack “one of those soft targets. It was running [outdated] Windows 7, and did not have strong infrastructure. If you look at the county location, it looks more like a target of opportunity as opposed to a major effort.”
Describing the hack, he said, “they were not really hiding their activities. It was right on the screen.”
Bardin, currently chief intelligence officer of Treadstone 71, a cyber intelligence company that advises Middle East organizations and multinational corporations, said this kind of brazen activity without covering cyber “footprints” was much more likely the work of a young group, or at most a proxy for a nation state, than of a sophisticated nation state that would know better.
But he had another theory. “We always automatically think the worst... Iran has to be behind it. It could be,” yet he suggested “looking locally at disgruntled people in the Oldsmar area.”
“We just had the 2020 [US presidential] election. That whole area voted Democrat, which could upset a lot of people... Voting blue in a red state: could that attract the hacking of infrastructure? A lot of people are not even considering things like that,” he conjectured.
He raised the possibility that the hackers may never be identified because the “attack was on an old system... they probably did not log anything either. The whole infrastructure was so outmoded, that they probably did not track anything.”
Bardin was skeptical the hack would be a turning point, saying there have been warnings for decades. “We haven’t made the changes until now, I don’t see this as being a major awareness shift. I imagine there are communities throughout the US that don’t even know this happened.”
Regarding those calling the SolarWinds hack the most sophisticated ever, he said, “I do disagree about the sophistication claim... The password was embedded in the SolarWinds software,” along with the ability to see root access commands, saying, “that is how it’s built... Is that really sophisticated or just poor architecture?”
Further, he slammed US companies like SolarWinds for selling their platforms in Russia, “just like Oracle, FireEye, Cisco, CrowdStrike. If it is sold there and the Russians have it, then they can reverse engineer it.”
He said this gives Russia and others the ability to understand “how the [American] supply chain works, review the code, what are the patches and pushes - they can analyze all of it.”
US and Israeli companies need to “stop selling to the adversary,” he urged.
“Would Israel sell to Hezbollah or Iran? We sell everything to China. They just take and rebuild it eventually, they want economic hegemony across everything.”
He said even trusted services like Microsoft should be scrutinized, including demands not to “treat security as an afterthought” in writing code, since until now the primary concern was “functionality first.”
Bardin criticized the large companies who were hacked for trying to convince the public of the sophistication of the cyber attack, saying, “they are doing that because they have a platform to do it, but they take no responsibility themselves.
“They are not pointing the finger at SolarWinds because they would also have to change their business practices, it is the arsonist calling in the fire department,” he warned.
The good news seems to be that the US, Israel and other allies are cooperating closely to learn from escalating cyber hacks with real-world consequences. The bad news is that the good guys still seem nowhere near a strategy that can or will stop the next mega cyber strike.