Israel appears to have thwarted a large-scale attempt at a critical-infrastructure cyber attack against its national water supply. An internal report from Israel's Water Authority indicates that the incident occurred between Friday, April 24 and Saturday, April 25.
According to a statement from Israel's National Cyber Directorate, the attempted attack targeted the command and control systems of Water Authority's wastewater treatment plants, pumping stations, and sewage infrastructure. A follow-up statement from the Water Authority and National Cyber Directorate reported the incident appeared to be coordinated, but no damage had occurred.
Organizations affected by the attempted attack were ordered to immediately reset the passwords for all of the facility's operational technology (OT) systems—especially those related to chlorine control—and ensure all control software was updated. If it's not possible to change the passwords for certain systems, personnel were advised to disconnect these systems from the internet entirely.
This attempted attack highlights that while water infrastructure often eludes the public's attention as a major source of cyber risk, it remains susceptible to both targeted and non-targeted threats. A combination of legacy systems, growing connectivity, and federated management—most water utilities are owned and operated at a local level—warrants a high prioritization of cybersecurity for the water and wastewater sectors on a global level.
As with most OT systems, our water infrastructure demands a granular level of visibility to detect not only latent threats on the network, but also anomalies that might be indicative of a threat or could subject the network to even novice hackers. Misconfigurations and known vulnerabilities effectively lower the barriers to entry for threat actors and increase the risk of exploitation. Furthermore, as information technology (IT) networks converge with OT networks, owners and operators of water infrastructure should be ever-vigilant against account compromises that might grant an attack direct access to industrial control systems. This includes employees and third-party vendors that are accessing the infrastructure remotely.
The security and reliability of critical infrastructure—such as water, power, and telecommunications—is more essential than ever amid the current global pandemic. For more insight into securing critical infrastructure in our current global environment, check out our recent, three-part blog series from Admiral (Ret.) Michael S. Rogers, Chairman of Claroty's Customer Advisory Board: (part 1), (part 2), (part 3).
CWE-22 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL'):
The affected products could allow an unauthenticated attacker to overwrite files and execute arbitrary code.
MICROSENS recommends users to update to NMP Web+ Version 3.3.0 for Windows and Linux
CVSS v3: 9.8
CWE-613 INSUFFICIENT SESSION EXPIRATION:
The affected products contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system.
MICROSENS recommends users to update to NMP Web+ Version 3.3.0 for Windows and Linux.
CVSS v3: 7.5
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
The affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.
MICROSENS recommends users to update to NMP Web+ Version 3.3.0 for Windows and Linux
CVSS v3: 9.1
CWE-89 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION'):
ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.
ControlID has released the following versions for users to update to iDSecure On-premises: Version 4.7.50.0
CVSS v3: 9.1
CWE-918 SERVER-SIDE REQUEST FORGERY (SSRF):
ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a Server-Side Request Forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.
ControlID has released the following versions for users to update to iDSecure On-premises: Version 4.7.50.0.
CVSS v3: 7.5