If Iran succeeds in hacking either the US or Israel’s water sector, then the writing was on the wall, an ex-IDF intelligence official warned in an interview.
Ariel Stern, a former Israeli Air Force captain and the CEO and co-founder of Ayyeka, a global IoT solutions provider for critical infrastructure, issued his warning following a hack of England’s water sector exposing around 1.6 million people to danger in August, and as Russia continues to hack Ukraine’s infrastructure.
Stern noted that with news of the ransomware attack on South Staffordshire Water in the UK in August, searches for “cybersecurity water” were already up 82%, according to a Google Trends analysis.
He said that integrating new cyber defense solutions often “takes longer than anticipated. It is an unbalanced situation. The offensive side is very sophisticated when it comes to nations like Russia, Iran, North Korea and China maybe” as adversaries for the US.
He flagged that the main adversary in this sphere for Israel is Iran, but cautioned that even after past cyber attacks on Israel’s and America’s water sector in recent years, “we don’t have top minds in the water industry.”
Why is the water sector not secure?
In a complex twist, it is not that water sector employees are untrained; rather, they simply are not trained for cyber defense.
“Most water sector workers are civil engineers. How can they ignore it [cyber dangers]? They are very sophisticated within their domain relating to pipes, water flows, ground stabilization and chemistry,” but not with regard to blocking hackers.
Stern said that he founded Ayyeka with Yair Poleg following their experience with Unit 8200 cyber assault teams, to help companies digitize and protect their data.
“We noticed that there is very unique infrastructure, including water. It is a very unique scenario because the infrastructure is physically large and spread over many cities, states and continents, unlike a smaller and more contained physical factory which you can protect with a simple fence,” he said, with special emphasis on vulnerabilities in the US.
MOREOVER, he said, “we have very sophisticated assets in the field and cybersecurity is a thousand times more challenging” because there are so many dispersed assets.
There are 55,000 distinct water operators in the US, but he said “the majority of the population is served by a small number of those operators – and it is those who are in the most danger and must adapt even sooner.”
“The cyber threat is remote for a small community in Nevada.” In the worst case, the number of residents is so small that “the federal government could probably just ship bottled water” to ride out a crisis. In contrast, he said that cities like New York, Los Angeles and Washington need to view the potential hacking threat as imminent and already need to take it very seriously.
According to the former intelligence official, “We make sure our solutions are very secure, authentic, encrypted and have a methodology. These factors are hardly a norm in the industry. There is major data collection. Just 25 years ago, the given password for most institutions was the numbers 1-6 consecutively. Most people didn’t know how to encrypt.
“Multiply [that] by a thousand in the government space which is a much more sensitive role. As a critic, we all know Israel does cyber well and Israeli solutions work in the US very well,” but he warned that, “There is a very big gap in how long different industries take to adapt.” Sometimes the speed to adapt to cyber defense requirements could be even slower than it takes the government to solve long-term complex space exploration problems – problems which are usually thought of as taking longer than any other issue.
“But there is a new trend of relying more on data for running water networks,” Stern said. “For new regulatory compliance standards and handling operational stress, the water sector is being encouraged to rely on computers. This increasing usage, in turn, increases vulnerability” to being hacked.
Part of the problem, he said, was that the US government “is not taking a stand. If the White House would just put out an order or a rule that everyone must comply with” a given standard, the private sector “would start moving themselves.”
“Until the government adjusts the regulations, water sector cyber defense will move slowly,” whereas, in contrast, “if there is new regulation,” the cyber defenders could “move at the speed of light.”
ANOTHER PROBLEM, he said, is a disparity between the low-quality systems that many in the industrial water sector purchase versus wealthier and more sophisticated technological businesses, or even individuals.
When a technology business or many individuals buy a new computer, “they like to get the latest operating system. They do not want to use a retro system like Windows 95,” he said.
“But the industrial side of computers is not as good. There is less incentive to work hard for industrial consumers, whose main interest is getting the lowest cost possible” through economies of scale. “Industrial clients may buy the oldest computer that is five years old for a water treatment plant,” he said.
If someone tries to get the engineering company to put out a competitive bidding process with standards, he cautioned that “the customer doesn’t want it because they just want the lowest price.” But he said that this calculation is short-sighted because “they will lose the money later,” when they get hacked.
Despite Stern’s warnings, Biden administration cyber chief Anne Neuberger recently told The Jerusalem Post that it could take years to improve the water sector’s cyber defense.
She said that improving the situation would be delayed, both because Congress has so far failed to pass sufficiently broad authorities for the federal government to fully regulate the issue, necessitating creative readings of older laws for weaker authorities, and because of the sheer number of authorities which need to be contacted and monitored regarding cyber defense progress.
Neither the US nor Israel has passed major cyber regulation laws due to various policy and political disagreements, at times leaving gaps in both governments’ authority to enforce cyber standards on the private sector.
The most notable cyber attack on Israel’s water sector came from Iran in April 2020, and it almost caused a major disaster.