Iran hacked aspects of Israel’s water sector back in April 2020, with second-line defenses kicking in to prevent the water supply from being filled with poisonous levels of chlorine.
You might think that the incident would lead the water sector, which is significantly intertwined with the municipal sector, to improve its cyberdefenses.
Yet as recently as December 5, the state comptroller stated that 64% of municipalities have no cyberdefense plan or official way of handling their cyberdefenses.
The fact that 41% of Israeli municipalities have been attacked by hackers in recent years means that the dangers of cities, and therefore, aspects of water data being hacked, is very real and current.
What are the risks of Israel's water data being hacked?
Speaking to former Israel Police Lahav 433 investigator Rami Tamam, some of the specific risks of a group like Hamas being able to hack a city’s water data became apparent.
As Hamas increases its arsenal of rockets and becomes more sophisticated, hacking and then analyzing water data could help it maximize the lethality of its rocket attacks, explained Tamam, who currently serves as the co-head of the Kiryat Ono College Cyber Security and Forensics Program.
People often leave various electrical items running even when they are not at home. However, water is for the most part only used by people who are present and living in a residence.
It is also easy to trace increasing or decreasing water usage to reflect an increase or decrease of occupants in a given residential unit, neighborhood or even a city.
Hamas could essentially figure out people’s patterns for showering and doing their dishes.
This means, said Tamam, that Hamas could analyze water use data fluctuation to trace when Israelis evacuate portions of the Gaza corridor and where many of those evacuees end up, by virtue of their increasing water usage in another spot.
Hamas could then intentionally fire more missiles at the new spot where more civilians are gathering, thinking that they can avoid the rocket fire by moving away from the Gaza corridor, Tamam warned in a worst-case scenario.
Of course, water is only one part of this municipal cyber vulnerability, which may be the softest underbelly Israel has.
The defense establishment spends huge resources on cyberdefense. Some large private sector companies do so as well.
THERE ARE private-sector companies whose defenses are weaker, which is a problem. On the positive side, these companies can only collect customer data – meaning data the people actively choose to give them.
In contrast, Tamam emphasized that municipalities collect not only water-use data, but a vast amount of highly personal data about people’s education, special needs as well as enormous amounts of video footage of when people come and go from their homes.
“Cameras with analytics can learn everything about you, and with artificial intelligence,” municipalities are creating a vulnerable data-gathering “monster with no oversight,” said Tamam.
Solving the problem can get even more complicated when taking into account that completely unregulated and under-defended third-party suppliers are often handling data for municipalities.
All of these issues are only getting worse as cities install more video cameras (like the camera in Jerusalem hacked by Iran) for security purposes, and make a larger number of their functions run on “smart” digital technology.
Tamam allowed that some wealthier cities like Tel Aviv, Herzliya and Modi’in might have more significant cyberdefenses, but cautioned that there are many poorer cities, like Sderot, that are also moving to smart technologies.
He estimated that Sderot might have 1,000 cameras watching its citizens without the resources and awareness to do proper cyberdefense
Pressed about whether a shortfall in budgets or lack of awareness was the main reason why around two-thirds of municipalities are under-prepared or completely unprepared to defend their digital data, Tamam said it was still primarily an awareness issue.
However, he clarified it was not an awareness problem that people have not heard of hacking, but rather that the average citizen still does not view hacking threats to their data as a key voting item or even a secondary item.
He said municipal leaders know that spending money to build a new preschool is a clear way to rally votes because citizens can see a new physical structure and send their kids there. In contrast, most citizens would not visit a new city cyberdefense desk, and if the desk “succeeded,” it would mean that nothing had happened – again, not something that resonates with voters.
In that sense, Tamam said that education in convincing average citizens to want their local leaders to protect their data and services with serious cyberdefenses is the only way to alter these dynamics.
Tamam noted that the program he runs at Kiryat Ono is making its own contribution to increasing awareness, as well as the number of cyber practitioners who can help municipalities with cyberdefense.
In terms of funding and resources, he suggested that groups of nearby villages and cities work together to form a common cyberdefense desk that will increase each individual locality’s capacity to defend itself as part of the group.