Brabbing had a long career with the ISA, the Israeli Security Agency, at the height of which he served as head of the agency's SigInt and Cyber Division and head of the Jerusalem District. Until his retirement to civilian life his full name could not be disclosed, and he went by his ISA codename "Harris".

The official response to the first report of the cyberattack, published by the YNet website, was a laconic statement issued jointly by the Israel National Cyber Directorate and the Israel Water Authority: "The Water Authority and the National Cyber Directorate have reported that an attempted cyberattack against command and control systems in the water sector has been identified recently. The attempted attack was handled by the Water Authority and the National Cyber Directorate. It should be stressed that no damage was inflicted on the supply of water, which continued to function and still functions normally."
Some five days after the widespread attack, Fox News reported that Iran was the party behind the cyberattack against the Israeli water corporations. According to the report, Iran used US-based servers to facilitate the attack. A senior official at the US Department of Energy responsible for cyber infrastructure said that the administration of President Donald Trump is committed to defending the USA and its allies against attacks of this type. The official declined to elaborate on the details of the attack in Israel, stating only that the investigation was ongoing.
If this report is correct, it is safe to assume that not only the US Department of Energy but also the Department of Defense, the White House and others were deeply troubled by the attack, and that the attack was a constitutive event as far as the Israeli establishment was concerned.
Arik Brabbing and I conducted a brief discussion regarding the attack.
Q: What could be Iran's interest in attacking Israeli water installations, of all things?
"For some time now, Iran has been looking for ways to punish Israel for the attacks it stages against Iranian objectives in Syrian territory. Past reports alleged that Iran had attempted to attack Israel using drones or to stage other 'physical' attacks, which were thwarted by the IDF. A cyberattack can be the alternative to a physical attack, and offers an advantage in that it may be staged through servers in a third country, thereby blurring and obscuring the attacker's tracks and attempting to evade reprisals. Such reprisals are almost inescapable in the case of a physical attack, which is far more difficult to deny or disown. For a country possessing the capabilities, cyber warfare can be easier than kinetic warfare. Geographic distance is of no consequence, operators maintain a minimal footprint and can hide easily. In many cases, proving the identity of the attacker is difficult – and the damage can be substantial.
"For years, the world has been discussing the physical damage that may be inflicted by attacking the operating systems of infrastructure and utility installations, collectively referred to as Operational Technology (OT), as opposed to Information Technology (IT).
"Immeasurable physical damage may be inflicted by attacking the computerized operating systems of infrastructures and utility systems. For example, remotely disrupting the operation of traffic light systems can lead to vehicle or train collisions – not to mention accidents that may be initiated in airports. By attacking operating systems it is possible, in theory, to disrupt production in chemical plants, thereby inflicting an ecological disaster, and to disrupt the operation of vital installations in hospitals, thereby threatening the lives of patients. The Administrator of the Hadassah Ein-Kerem Medical Center in Jerusalem, Professor Yoram Weiss, spoke about this just a few days ago. Last Thursday, a cyberattack was reported against a hospital in the Czech Republic.
"An attack against electrical power utilities can lead to a different kind of chaos. If the report regarding an Iranian attack against the water corporations is correct, that will be the first time we can clearly see the extent of the effort Iran had invested in hacking Israeli operating systems, in this case the systems of the Water Authority. This is a 'red spotlight', not just a blinking warning light, which could indicate the dawning of a new era in the conflict between Iran and Israel – a conflict that could produce implications on a global scale if Iran were to attack objectives in the USA or elsewhere.
"It is important to understand that past cyberattacks have already inflicted substantial damage (the world media even alleged that Israel and the USA had staged an attack that inflicted physical damage on the Iranian centrifuge installation in Natanz using the cyber tool 'Stuxnet'), but the attack against the water systems may turn out to be the dawning of a new era rather than a one-time event."
Q: How can you prevent such attacks?
"Israel is one of the world's best-prepared countries as far as attacks against operating systems are concerned, especially when it comes to defending installations regarded as critical infrastructure. As far back as 2002, the ISA established a critical installation protection network, and in 2015 the National Cyber Directorate assumed responsibility for that task, together with the task of providing lower-intensity protection – which was expanded to cover the entire Israeli economy."
Q: Why are water installations regarded as critical infrastructure, warranting the most substantial defenses?
"Because an attack against a single water corporation may not be dangerous in itself, but a coordinated disruption of the water supply for the entire country can turn out to be a major disaster, especially if the attack were to lead to the contamination of water sources by disrupting the dosage of such substances as chlorine which, at high concentrations, can be dangerous.
"The opponent studies the routine activity and hours of operation of the organization he plans to attack very thoroughly. Generally, a cyberattack, like any other attack, requires intelligence, extensive preparations and in some cases – preliminary activities which countries possessing state-of-the-art systems, like Israel, can identify through network anomalies.
"Israel possesses good defensive capabilities, but naturally – nothing is foolproof. In this case, too, one may conclude – once again, based entirely on the reports in the media – that the offensive operation was thwarted with no substantial damage sustained by the defending side."
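Two of the concerns Brabbing raises in this answer, a corrupted chemical dosing setpoint and attacker preparation that shows up as a network anomaly, can be turned into concrete checks on the write commands reaching a plant's PLCs; the same logic also surfaces the pattern he later describes of one actor hitting many sites at once. The block below is an added example written for this page, not code from the interview, the Water Authority, or any vendor. The chlorine limits, the trusted workstation address, the Sun-Thu working week, the campaign thresholds and the command log are all constructed assumptions.

```python
"""Plausibility and anomaly checks on setpoint writes to water-treatment PLCs.

Added illustration for this page, not code from the interview or from any
real utility. All limits, addresses and the sample command log are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed process limits for the chlorine dosing setpoint (mg/L). A real plant
# would take these from its own process-safety documentation, not from here.
SAFE_RANGE = {"chlorine_dose_mg_l": (0.2, 4.0)}
MAX_STEP = {"chlorine_dose_mg_l": 0.5}      # largest plausible single change
TRUSTED_WRITERS = {"10.20.0.5"}             # assumed engineering workstation
WORK_DAYS = {6, 0, 1, 2, 3}                 # Sun-Thu in weekday() numbering (assumed)
WORK_HOURS = (7, 19)                        # assumed maintenance window, local plant time


@dataclass(frozen=True)
class WriteCommand:
    ts: datetime      # local plant time
    src: str          # host that issued the register write
    site: str         # which water corporation / plant
    tag: str          # process tag being written
    value: float


def evaluate_write(cmd, last_accepted):
    """Return the findings for one write; an empty list means the write is plausible."""
    findings = []
    if cmd.src not in TRUSTED_WRITERS:
        findings.append("untrusted-source")
    in_window = cmd.ts.weekday() in WORK_DAYS and WORK_HOURS[0] <= cmd.ts.hour < WORK_HOURS[1]
    if not in_window:
        findings.append("outside-maintenance-window")
    lo, hi = SAFE_RANGE[cmd.tag]
    if not lo <= cmd.value <= hi:
        findings.append("setpoint-out-of-range")
    if last_accepted is not None and abs(cmd.value - last_accepted) > MAX_STEP[cmd.tag]:
        findings.append("setpoint-step-too-large")
    return findings


def analyse(commands, campaign_window=timedelta(minutes=10), min_sites=3):
    """Evaluate every write and correlate flagged writes into multi-site campaigns.

    Returns (alerts, campaigns): alerts is a list of (WriteCommand, findings);
    campaigns lists (source, first_ts, sorted sites) for each source whose flagged
    writes reached at least min_sites distinct sites within campaign_window.
    """
    last_accepted = {}
    alerts = []
    flagged_by_src = defaultdict(list)
    for cmd in sorted(commands, key=lambda c: c.ts):
        findings = evaluate_write(cmd, last_accepted.get((cmd.site, cmd.tag)))
        if findings:
            alerts.append((cmd, findings))
            flagged_by_src[cmd.src].append(cmd)
        else:
            # Only plausible writes move the baseline, so a flagged jump never
            # becomes the reference value for the next step-size comparison.
            last_accepted[(cmd.site, cmd.tag)] = cmd.value
    campaigns = []
    for src, cmds in flagged_by_src.items():
        for first in cmds:
            sites = {c.site for c in cmds if first.ts <= c.ts <= first.ts + campaign_window}
            if len(sites) >= min_sites:
                campaigns.append((src, first.ts, sorted(sites)))
                break
    return alerts, campaigns


def sample_commands():
    """Constructed command log (not real traffic): routine Tuesday writes from the
    engineering workstation, one implausible value from that same trusted host,
    and a Saturday 03:12 burst from an unknown host hitting four sites in four minutes."""
    ws, intruder = "10.20.0.5", "203.0.113.7"   # assumed addresses (documentation range)
    tag = "chlorine_dose_mg_l"
    log = [WriteCommand(datetime(2020, 4, 21, 10, 0, i), ws, f"site-{s}", tag, 1.2)
           for i, s in enumerate("ABCD")]
    log.append(WriteCommand(datetime(2020, 4, 21, 11, 0), ws, "site-B", tag, 6.0))
    log += [WriteCommand(datetime(2020, 4, 25, 3, 12 + i), intruder, f"site-{s}", tag, 9.0)
            for i, s in enumerate("ABCD")]
    return log


if __name__ == "__main__":
    alerts, campaigns = analyse(sample_commands())
    for cmd, findings in alerts:
        print(f"{cmd.ts} {cmd.src:>13} {cmd.site} {cmd.tag}={cmd.value}: {', '.join(findings)}")
    for src, ts, sites in campaigns:
        print(f"campaign: {src} wrote flagged setpoints to {len(sites)} sites from {ts}: {sites}")
```

The range and step checks are deliberately independent of who sent the write: the 6.0 mg/L value from the trusted workstation is still flagged, which is what matters if that workstation itself has been compromised. The source and time-of-day checks are the cheap "network anomaly" signals the answer refers to, and the per-source correlation is what distinguishes a single odd write from a coordinated attempt against many corporations at once.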
Q: How do you respond militarily?
"As with any other decision-making process regarding a response, a massive array of considerations must be taken into account – most importantly, whether to respond, and the timing of the response. Generally, the cyber world adds further complexities to offensive action: the identity of the attacker, since it is easy to hide in the cyber world and easy to stage intentional deception about who the opponent is; divulging the attack tool's methods of operation; whether the attacking country is effectively protected and prepared for the other side's response; and how to respond – by force, by cyber means, or by conveying messages.
"The attention must focus primarily on cyber deterrence and influence – so as to make the attackers (especially if the attackers are organizations or states) understand the heavy toll they might be required to pay."
Q: In this case, no lives were lost and Israeli day-to-day life was not disrupted. Does that mean there is no cause for concern?
"There is definitely cause for deep concern. Regardless of the question of who stood behind the recent attack, we must be deeply bothered by the fact that access had been gained which enabled an attack against so many objectives simultaneously. The attack may have been timed for the weekend, on the assumption that the security elements would be less vigilant. The bottom line is that the security systems proved their effectiveness and prevented substantial damage, but numerous lessons must be derived, and future damage to operating systems must be prevented by any means."
Q: How do you respond militarily, if you know who stands behind the attack against the operating systems?
"That is the main question. Do you respond by staging a physical bombardment against a country that had staged a cyberattack against infrastructure systems, or do you stage a counter cyberattack against the infrastructure systems of the attacking country? Do you ignore the attack altogether, as no country had assumed responsibility for it? How do you establish deterrence that would prevent the next cyberattack? These are serious questions, which could indicate the dawning of a new security era."