Cyberattack on Israeli Water Systems Uncovers Regulatory Chaos
Even if the damage caused by Iran's cyberattack on the water systems was indeed trivial, its existence nevertheless revealed their fragility to foreign threats
"Damage to a few farmers," that is how representatives of Israel's Water Authority summed up the impact of an Iranian cyberattack against Israel's water systems in an emergency meeting held by Minister of Energy Yuval Steinitz several days after the event occured at the end of April. In the meeting, that was meant to analyze the immediate implications of the attack on the water supply and on maintaining Israel's vital interests, those in attendance were surprised to hear some of the representatives of the Water Authority, which oversees the supply of water in Israel, characterize the event as "trivial.” So trivial that according to foreign reports, Israel retaliated with a cyberattack earlier this month on computers at Iran's Shahid Rajaee port that caused massive backups on waterways and roads leading to the facility.
Even if the damage caused by Iran's cyberattack on Israel's water systems was indeed trivial, its existence nevertheless revealed the fragility of the country’s water systems to foreign threats. The care for Israel's water resources was transferred to a new government ministry last week as part of coalition negotiations, with the new minister Ze'ev Elkin receiving the responsibility after it had previously rested in the hands of the Ministry of Energy and its minister Yuval Steinitz for the past five years.
In meetings held at the energy ministry at the start of May under the guidance of ministry Director-General Ehud Adiri in order to assess the vulnerability of Israel's infrastructure to cyberattacks, it became clear to officials that even though the energy minister has the responsibility to operate the electricity, gas and petrol systems during a time of crisis (war, natural disaster or cyberattack), he doesn't have control over the water systems. That responsibility lies with the Water Authority, which regulates the sector, and which alerted over the past year that it shouldn't have these tools in case of a national emergency.
These findings match the Israel State Comptroller's report from last May which dealt with the office for cyberattacks’s preparedness. Most of the report is classified for reasons of national security, but according to the comptroller at the time, Yosef Shapira, "despite the efforts being made over recent years there are still gaps in the cyber defence of vital organizations, government ministries and the civil service."
In addition, the report also found that some of the bodies that were checked had only partially mapped their systems and that there was a lack of regulations and updated security orders. It also showed that previous deficiencies that were detected had not been remedied. The report found that some of the government ministries don't meet the guidelines of the Israel National Cyber Bureau and also discovered gaps between the authority of the government ministries and the civil service.
Authority over Israel's water systems is currently decentralized between a long list of agencies and companies that make it difficult to centrally manage and prepare for an outside attack. Israel's state-owned national water company Mekorot is currently the main body responsible for delivering and connecting cities and communities to the water supply, as well as some of the actual water supply itself through its drilling activities. Some 56 regional companies are responsible for the water supply within the cities, with the Water Authority aiming to reduce that number to 30 by this August. Residential water supply largely relies on Israel's five desalination facilities, which provide around 80% of Israel's drinking water. Four of these facilities are privately owned, with the remaining government facility in Ashdod currently in the process of being sold.
The decentralization of the water sector created a situation in which Mekorot doesn't have any access or oversight over the readiness of the desalination facilities for a cyberattack. This is unlike the electricity sector where despite a growing number of private power plants, the Israel Electric Corporation is still responsible for 70% of the electricity supply and operates a cybersecurity department to protect its facilities. As a result, in the water sector, it is the desalination facilities themselves or the water authority that is responsible for protecting and overseeing the security of the means of production.
In surprising timing, several days before the first cyberattack on Israel's water systems at the end of April, Mekorot turned to the Water Authority requesting to receive an additional budget to invest in the protection of water systems from foreign threats. Mekorot already operates a cyber department that is active in preventing attacks, but the company requested to upgrade it, explaining that it needs to do so in light of the growing fear of cyberattacks.
In the correspondence between Mekorot and the Water Authority seen by Calcalist, the state-owned company requested an additional budget to upgrade its cyber systems. The Water Authority turned down the request, explaining that Mekorot already has the sources for funding and that an additional budget could result in an increase of prices for the consumer.
In the answer sent by the Water Authority to Mekorot, it says its workers met with a computing team from the state-owned company and that the Authority "doesn't oppose promoting the projects and even supports Mekorot's obligation to constantly improve its information systems." The Authority also noted that "once every five years Mekorot's expenses are updated. In the aforementioned meeting, it was also stressed that Mekorot has flexibility with its budget and doesn't need to turn to the Water Authority whenever a change is required, including the one described in your letter."
This answer by the Water Authority prompted a response from the energy ministry, which was also included in the correspondence. "In five years the cyber threat has increased by hundreds of percent. Technologies change and the threats expand and evolve and our enemies are becoming more sophisticated," an energy ministry representative wrote. "The budget for cybersecurity in all of the bodies in the ministry, state-owned companies and private companies is growing significantly every year. As a ministry, we see the cyber threat as a primary threat, so therefore I would exclude the issue of cyber from the five-year budget plan and discuss it at least every two years."
But despite the intervention of the representative from the energy ministry, so far there has been no change in the position of the Water Authority and Mekorot hasn't received a dedicated budget to deal with cyber threats. As stated, several days after this back and forth, a cyberattack was carried out against Israel's water systems and shed a different light on the correspondence.
Despite the Water Authority's stance in the correspondence with Mekorot, it seems that they are aware that their hands are tied when it comes to a national event with implications not just for the citizens of the country but for the emergency authorities.
The energy ministry may have lost its responsibility for the water sector last week following the reallocation of responsibilities between government offices. However, it still holds the ministerial responsibility for everything that happened in the sector to date. The ministry told Calcalist that the "care and responsibility for the protection of the water sector from cyber events lies with the Water Authority." They also noted that the "Ministry of Energy set up and operates a cyber center that monitors the entire activity of the energy sector based on advanced systems operated by professionals. Following the recent events and in general, the energy ministry suggested that the Water Authority connects all the facilities under its responsibility to a sector-dedicated cyber center to provide a reliable, relatively quick and efficient solution to the protection of the water systems. And all of this without harming the responsibility and the authority of the Water Authority in addressing the issue of cyber."
Calcalist also approached the Water Authority and asked whether its officials believe that Israel's water sector, including desalination facilities, regional companies and the Water Authority are protected from cyberattacks and what came out of Mekorot's request for an additional budget to protect its systems. The Water Authority refused to respond, with the Israel National Cyber Bureau requesting to respond for both agencies. "Professionals at the Water Authority and the head of the Water Authority himself are in continuous communication with all the suitable authorities in the government in order to provide a full response to any water security event (including cyber events). The recent attempts were addressed and blocked by the Water Authority and the National Cyber Bureau.
"In all, the water systems in Israel are protected. There are some 1,400 water suppliers so there is some variance and plenty of redundancy. The desalination facilities, regional water companies and wastewater treatment plants are all well protected and are attended to by the Water Authority with the guidance of the National Cyber Bureau. The Water Authority and National Cyber Bureau are currently promoting the setting up of a national center to monitor cyber threats in the water sector." Regarding government meetings on the matter and the budget available for protection, they responded that "recently there were meetings held between the Water Authority and the relevant government ministries. The protection of the water facilities is always under examination and the budget is updated accordingly."