Someone in Israel's Electricity Authority, a government department charged with providing utility services, fell for a phishing attack, opened an email and thereby was infected with ransomware which reportedly spread to other computers in the network. Yet the department chose to take the computers offline. Details are somewhat sketchy, but it appears that the media heard “electric,” “paralyzed” and “severe cyber attack” before reporting the Israeli power grid was hacked and taken down.
There are over 10,000 cybersecurity professionals attending Cybertech 2016 Conference in Tel Aviv. The audience was supposedly thinning out during the final Cybertech panel, according to Haaretz, but when Yuval Steinitz, the Israeli Minister of National Infrastructure, Energy and Water, started talking about the “severe cyber attack” on Israel’s Electricity Authority, he had everyone’s full attention. “Yesterday we identified one of the largest cyber attacks that we have experienced,” Steinitz stated.
“The virus was already identified and the right software was already prepared to neutralize it,” Steinitz said according to the Times of Israel. “We had to paralyze many of the computers of the Israeli Electricity Authority. We are handling the situation and I hope that soon, this very serious event will be over … but as of now, computer systems are still not working as they should.”
“This is a fresh example of the sensitivity of infrastructure to cyberattacks,” he added, “and the importance of preparing ourselves in order to defend ourselves against such attacks.”
Ransomware?
Ynet reported that the malware was ransomware, presumably sent by e-mail before spreading to other computers on the network. Although neither the exact type of encrypting ransomware, nor the extortion amount were mentioned, Ynet claimed payment was demanded to unlock the computers.
It’s not just the U.S. warning that a crippling cyber attack could take down critical infrastructure and the power grid; such warnings are issued across the world. In July, Israel’s National Cyber Authority issued a warning “that the country would be targeted by a massive cyber attack.” Government agencies were reportedly told be alert for “any possible scenario” and the warning applied to computer systems and cell phones.
Three years ago, when a secret demonstration for senator simulated a cyber attack on the power grid, the scenario was that the attack took down New York City’s power grid during a killer heat wave; Lawrence Ponemon, chairman of the Ponemon Institute, predicted “literally thousands” of people would have died. He added, “A cyber attack on electrical grids that was sustained for three to four weeks would be like returning to the dark ages.”
In the case of the “massive cyber attack” on Israel’s Electricity Authority, the Jerusalem Post reported, “The incident occurred during two consecutive days of record-breaking winter electricity consumption, with the Israel Electric Corporation reporting a demand of 12,610 megawatts on Tuesday evening as temperatures dipped to below-freezing levels.”
Steinitz, according to the Israel National News, added, “We need cybertech to prevent such attacks. Cyber-attacks on infrastructure can paralyze power stations and the whole energy supply chain from natural gas, oil, petrol to water systems and can additionally cause fatalities. Terrorists' organizations such as Daesh [ISIS], Hezbollah, Hamas and Al Qaeda have realized that they can cause enormous damage by using cyber to attack nations. Cyber-attacks are a great threat and I am certain that they will become a major threat in the next decade.”
No, the power grid wasn't hacked and knocked offline
Hold the flipping phone though as Robert Lee, CEO of Dragos Security, pointed out on the SANS Industrial Control Systems security blog. It’s not Israel’s power grid that got hit and taken offline, but the country’s Electric Authority which is regulatory body with about 30 people. The “virus” Steinitz referenced hit only the Israeli Electric Authority network. “The ‘cyber attack’ was simply ransomware delivered via phishing emails to the regulatory body's office network and it appears in no way endangered any infrastructure,” Lee wrote.
But what about Steinitz saying the computers were taken offline? “Taking systems offline is not preferable,” Lee wrote, “but the fact that systems were removed from the network does not necessarily make the incident more severe.”
Lee added:
There have so far been no outages reported or any such impact of the “attack” quantified. It appears, only from what has been reported so far, that the use of the term “cyber attack” here is very liberal. Malware infections in industrial control system (ICS) networks are not uncommon. Many of these environments use traditional information technology systems such as Windows operating systems to host applications such as human machine interfaces (HMI) and data historians. These types of systems are as vulnerable, if not more so, than traditional information technology systems and malware infections are not novel.
Unless different details emerge, this attack was not like the one on Ukraine’s power grid – the first reported case of a “hacker-caused power outage.” SANS ICS Director Michael Assante said the outage was “malware enabled, but not likely malware caused.” However, “the attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact.”