SANS Industrial Control Systems Security Blog

Context for the Claim of a Cyber Attack on the Israeli Electric Grid

SANS ICS

*Update* A cyber analyst in Israel (Eyal Sela) messaged me to add that the media reporting so far is misleading with regards to the context around the incident. The "Israel Electric Authority" the Minister mentioned is in no way related to the networks of the Israeli electric companies, transmission, or distribution sites. The Israeli Electric Authority is a regulatory body of roughly 30 individuals and this "cyber attack" is only referencing their networks. The original purpose of this blog was to stress caution to the reports but did not try to dispel what the Minister of National Infrastructure, Energy, and Water resources had stated as reporting was too early with no evidence presented. However, new reporting shows that the "cyber attack" was simply ransomware delivered via phishing emails to the regulatory body's office network and it appears in no way endangered any infrastructure. This once again stresses the importance around individuals and media carefully evaluating statements regarding cyber attacks and infrastructure as they can carry significant weight.

*Original Post*

Dr. Yuval Steinitz, the Minister of National Infrastructure, Energy, and Water resources, announced today at the CyberTech Conference in Tel Aviv that a "severe cyber attack" was ongoing on the Israel National Electric Authority. His statements were delivered as a closing session at the conference and noted that a number of computers at the Israeli electricity authorities had been taken offline to counter the incident the previous day.

There are few details that have been offered and thus it is far too early for any detailed analysis. However, this blog post attempts to add some clarity to the situation with context in how this type of behavior has been observed in the past.

First, Dr. Steinitz mentioned that computers had been taken offline. This discussion around the choice by the defenders to take systems offline indicates a normal procedure in terms of incident response and malware containment. The intention of the incident responders cannot be known at this time but this activity is consistent with standard procedures for cleaning malware off of infected systems and attempting to contain an infection so that it cannot spread to other systems. Additionally, Dr. Steinitz stated that a "virus" had been detected which adds to the context around the system removal. Taking systems offline is not preferable but the fact that systems were removed from the network does not necessarily make the incident more severe. On the contrary, this indicates that incident responders were able to respond early enough with planned procedures to counter the incident prior to an impact.

Second, there have so far been no outages reported or any such impact of the "attack" quantified. It appears, only from what has been reported so far, that the use of the term "cyber attack" here is very liberal. Malware infections in industrial control system (ICS) networks are not uncommon. Many of these environments use traditional information technology systems such as Windows operating systems to host applications such as human machine interfaces (HMI) and data historians. These types of systems are as vulnerable, if not more so, than traditional information technology systems and malware infections are not novel. With regards to historical case studies it is far more common for incidental malware to lead to system failures than targeted attacks. For example, the Slammer malware reportedly caused slow downs in the Davis-Besse nuclear power plant's networks and crashed a utility's supervisory control and data acquisition (SCADA) network in 2003. However, in terms of targeted/intentional intrusions leading to outages we only have three validated public case studies: Stuxnet, the German Steelworks facility, and the Ukrainian power grid. It is these targeted intrusions where an outage occurred that could be considered an attack. Often times people unintentionally abuse the phrase "cyber attack" when it is more appropriate to classify the activity as adversary intrusions, compromises, or espionage activity. To understand what constitutes an actual attack it is helpful to read the ICS Cyber Kill Chain.

Third, there has been an increased focus on cyber security in Israel both as it relates to the cyber security of national infrastructure and in the technology companies that are making Israel an enticing location for venture capital funding. In January, Israeli Prime Minister Benjamin Netanyahu gave a presentation to the World Economic Forum where the center of his discussion was cyber security. This was followed by a February announcement that the Cabinet in Israel approved a plan for a comprehensive national cyber defense authority. With the increased focus on cyber security it is entirely possible that Israel had taken a proactive approach to looking through their infrastructure networks to identify threats. In the course of this action it may have found malware that may be targeted or incidental in nature. In either case, from what is being reported right now it appears unlikely that this is an actual attack and more likely it is the discovery of malware. However, it is important to watch for any developments in what is being reported.

Israel has threats that it must consider on a day-to-day basis. Critical infrastructure is constantly the focus of threats as well although there are a lack of validated case-studies to uncover the type of activity much of the community feels is going on in large quantities. However, reports of cyber attacks must be met with caution and demands for proof due to the technical and cultural challenges that face the ICS security community. Simply put, there is a lack of expertise in the quantity required alongside the type of data needed to validate and assess all of the true attacks on infrastructure while appropriately classifying lesser events. Given the current barriers present in the ICS community the claims of attacks should be watched diligently, taken seriously, but approached with caution and investigated fully.

Robert M LeeBio: Robert M. Lee is the course author of ICS515 - Active Defense and Incident Response and the co-author of FOR578 - Cyber Threat Intelligence. He is also the Founder, CEO of Dragos Security and gained his start in cyber security in the U.S. Intelligence Community as a Cyber Warfare Operations officer. He may be found on Twitter @RobertMLee

3 Comments

Posted January 27, 2016 at 4:15 AM | Permalink | Reply

Steven

Thanks for your continued contributions and perspectives. It's certainly been an interesting year for ICS, and it's barely started. Exciting times.

Posted January 27, 2016 at 7:50 AM | Permalink | Reply

wasd

Rumor has it the Israeli thing is pure hype

Posted January 28, 2016 at 7:45 AM | Permalink | Reply

zfk

Nice recap, thank you.
I'll send the link at some people.