Over the years, cybersecurity professionals have warned organizations in the energy and water sectors of the dangers of exposed human-machine interface (HMI) systems, which are easy targets for malicious actors.
The need to secure HMIs in the water sector came to light recently when a group of Iranian hackers accessed an unprotected Industrial Control System (ICS) at an Israeli water facility and published a video as proof, according to reports by researchers from OTORIO, an industrial cybersecurity firm.
The threat actors gained access through a human-machine interface (HMI) system that was left unsecured online.
In a blog post, OTORIO revealed that “The reservoir’s HMI system was connected directly to the internet, without any security appliance defending it or limiting access to it. Furthermore, at the time of the publication, the system did not use any authentication method upon access.”
“This gave the attackers easy access to the system and the ability to modify any value in the system, allowing them, for example, to tamper with the water pressure, change the temperature and more. All the adversaries needed was a connection to the world-wide-web and a web browser.”
In other words, the access could have enabled the attackers to manipulate processes at the water facility and alter the value of parameters such as water pressure and temperature.
The Iranian group, known as the “Unidentified Team,” claimed responsibility for the breach and disclosed how it carried out the hack in a video published on its Telegram channel on December 1st, 2020.
A day after the video was posted, the facility’s administrators implemented some changes to prevent access to the HMI without authentication. However, OTORIO experts observed that the compromised system was still vulnerable to attacks.
They noticed that even after the upgrades, the system still allowed communications on port 502, which is used for the Modbus protocol. Modbus doesn’t require any authentication or encryption, giving even unskilled attackers easy access to the system.
OTORIO also revealed that the target is a relatively small site with an estimated capacity of 4-6 million cubic meters.
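The following is an added illustration, not code from OTORIO's report or the original article, of why an open port 502 matters to a defender: a Modbus/TCP request has no field for credentials, so a monitor can only judge a request by its source address and function code. The allowlisted subnet, the source addresses and the sample frames are constructed assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change process values (Modbus application protocol).
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
                   0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}

# Assumption: the only subnet expected to speak Modbus to this controller.
ALLOWED_SOURCES = [ip_network("10.20.0.0/28")]

def parse_modbus_tcp(payload: bytes):
    """Parse a Modbus/TCP request; return None if it is not well-formed."""
    if len(payload) < 8:
        return None
    # MBAP header: transaction id, protocol id, length, unit id. No credential
    # or session field exists anywhere in the frame.
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": payload[7]}

def review(src_ip: str, payload: bytes):
    """Return a finding for one request seen on TCP/502, or None if expected."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return None
    if any(ip_address(src_ip) in net for net in ALLOWED_SOURCES):
        return None
    name = WRITE_FUNCTIONS.get(frame["function"])
    if name:
        return f"ALERT {src_ip}: {name} from a source outside the allowlist"
    return (f"WARN {src_ip}: function 0x{frame['function']:02X} "
            "from a source outside the allowlist")

# Constructed sample requests (not captured traffic).
WRITE_REG = bytes.fromhex("0001 0000 0006 01 06 0010 00FF")  # Write Single Register
READ_REGS = bytes.fromhex("0002 0000 0006 01 03 0000 0002")  # Read Holding Registers

if __name__ == "__main__":
    for src, frame in [("203.0.113.7", WRITE_REG), ("203.0.113.7", READ_REGS),
                       ("10.20.0.5", WRITE_REG)]:
        print(review(src, frame))
```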
Currently, the company’s researchers have not been able to ascertain the type of damage caused but said the “damage potential is very high.”
Commenting on the incident, Noam Even, a threat intelligence researcher at OTORIO, said: “Often there are other safety mechanisms (some mechanical) that can reduce the damage, but if such a system is not in place, the consequences can be catastrophic.”
Prior to this attack, the same group targeted an American governmental education website in Texas, which it claimed was in response to the killing of Mohsen Fakhrizadeh, a top Iranian nuclear scientist. Official Iranian and US reports state that Israel was behind the assassination.
Earlier in 2020, at least two Iranian cyberattacks on the Israeli water sector were identified, primarily targeting smaller, local facilities. In one instance, the hackers attempted to modify the water chlorine levels of the reservoir. While these attacks didn’t cause any significant damage, they revealed that the attackers knew how to target industrial systems.
According to OTORIO, Israel’s water and water treatment facilities are, generally speaking, secure, but the company noted that private facilities such as the one targeted by the Unidentified Team are very loosely regulated and can be an easy target for attackers.