When Iran cyberattacked Israel’s water supply system on April 24 and 25, it did more than just shut down computers and disrupt water system operations. The water facility attack was intended to release large amounts of poisonous chlorine into Israel’s water delivery infrastructure, potentially poisoning tens of thousands of Israelis.
Attempts to poison wells, ponds, lakes and reservoirs are nothing new and go back to antiquity. But the attempt to release harmful amounts of chlorine from within a water supply system using a cyberattack is altogether new. Iran hit six water facilities in Israel, damaging the operating systems and disabling safety instrumentation systems.
FireEye, a publicly-traded cybersecurity company headquartered in Milpitas, California, determined after extensive research that the malware developed for this kind of attack came out of Russia and specifically from the Central Scientific Research Institute of Chemistry and Mechanics, a Russian government-owned technical research institution located in Moscow.
The first use of the malware was against a petrochemical facility in Saudi Arabia in 2017. It would appear the Russia-developed cyber-weapon was shared with Iranian government hackers. The attack was routed through servers in Europe and the United States to try to hide its origin.
Israel regards the water supply attack as unprecedented because, unlike disruptive attacks that are non-lethal, this attack targeted millions of people and could have resulted in their poisoning. Israel’s National Water Company (Mekorot) has been criticized for not being sufficiently alert to cyber-threats or having proper safeguards in place.
Attacks on critical infrastructure continue to menace developed countries. Among the targets are power plants, including nuclear energy, transportation hubs, banking and financial systems, communications systems, railroads and metros, electrical grids, dams and reservoirs, water and sewage systems, food and agriculture systems and healthcare and medicine.
Aside from the recent attacks on Israel’s water system – and Israel’s retaliation that temporarily disabled the Iranian Shahid Rajaee port (Bandar Abbas) in the Straits of Hormuz – laboratories and institutions working on Covid-19 vaccines and related medicines have been targeted in the US, UK and elsewhere.
These rising attacks are attributed by US officials to China, Russia and Iran. Covid-19-linked cyberattacks reflect the huge competition among global pharmaceutical companies for windfalls and market share if a successful vaccine is developed.
A growing concern in the US is that foreign equipment, mainly coming from China, can have built-in back doors or include malware buried in the code of the firmware or software that comes with the hardware.
Chinese products sold to the general public have been found to be infected with malware or discovered to have so-called back doors. Some of that equipment has made it into critical infrastructure.
The Pentagon is in the process of removing some Chinese-made surveillance cameras used at military bases and Defense Department installations. Flash memory devices coming from China and elsewhere were blocked by the Pentagon either because they carried hidden malware or because the devices themselves were insecure.
Concerns have also been raised about network routers and other hardware routinely purchased by government agencies, defense contractors and critical infrastructure organizations.
In Israel, after the attack on the National Water Company, steps were implemented immediately to change all passwords and make other hardware and software changes to help prevent another incident.
Chinese power transformers
At the end of May, the US government seized a large 500,000 pound (226,796 kilogram) power transformer manufactured by Chinese company Jiangsu Huapeng Transformer Company.
Since 2009, Jiangsu Huapeng has delivered more than 100 large power transformers to US power companies in New York, New Jersey, Florida and Nevada. The seized transformer that arrived at the Port of Houston was already purchased and paid for by the Western Area Power Administration.
There is no indication that any power transformer from Jiangsu Huapeng has been compromised. But when US President Donald Trump signed Executive Order 13920 “Securing the United States Bulk-Power System” it spoke to perceived rising risks from Chinese-made and procured infrastructure components.
The Executive Order says that “foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system, which provides the electricity that supports our national defense, vital emergency services, critical infrastructure, economy, and way of life.”
The order specifically prohibits a wide range of transactions that “involves bulk-power system electric equipment designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”
The president’s order designates the US Department of Energy “to mitigate, prohibit or unwind” such transactions or purchases. On May 4, the US Department of Commerce announced a national security investigation into imports of parts used in electrical transformer equipment, specifically the transformers themselves, transformer cores and laminates and transformer regulators.
The Jiangsu power transformers shipped to the US include electronic equipment and digital controls that are made by US and UK firms. As is normal, a power transformer is shipped from the manufacturer with the electronic equipment included in the delivery.
US authorities are concerned that the equipment could have been modified or had malware installed into it. The Wall Street Journal reported that the US government’s main focus was on a monitor that detects deterioration in the transformer’s insulating oil.
All large transformers need to be cooled and the usual method is to surround the transformer core with a jacket containing oil or other liquids to transfer away heat. A sign of an impending failure is when the oil temperature rises above normal levels.
Sensors in the transformer can trigger the safety instrumentation system that then can disable power to the transformer until it is repaired or replaced. If transformers in a large power grid overheat and go out of control, they can burn up or explode. Last July, Midtown Manhattan experienced a major power failure because a transformer caught fire.
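The two paragraphs above describe the chain the article is worried about: an oil-temperature monitor feeds a safety instrumentation system, which trips the transformer when the oil runs hot, and the concern is that the monitor itself could have been modified. The following is an added example, not code from the article or from any transformer vendor, showing why a trip decision should not rest on a single monitor: it cross-checks the primary monitor against an independent backup sensor and against the rate at which oil temperature can physically change, and trips on the hotter of the two values so an under-reporting monitor cannot mask an overheat. The `Reading` type, the thresholds and all sample series are constructed for illustration and are not real operating limits.

```python
"""Independent plausibility check for a transformer oil-temperature monitor.

Added example (not from the article). Thresholds and readings are constructed
for illustration only; real trip settings come from the equipment's ratings.
"""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Reading:
    t_s: int          # seconds since start (constructed timestamp)
    primary_c: float  # oil temperature reported by the primary monitor
    backup_c: float   # independent backup sensor on the same tank

# Constructed thresholds for this example only.
TRIP_C = 105.0            # trip when the hotter trusted reading reaches this
DISAGREE_C = 8.0          # flag when the two sensors differ by more than this
MAX_RATE_C_PER_S = 0.05   # oil cannot plausibly change faster than this

def evaluate(readings: List[Reading]) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    decision is one of:
      "run"   - readings plausible and below the trip point
      "alarm" - sensors disagree or a value jumped implausibly fast, but no
                overheat: keep running and have an operator inspect the monitor
      "trip"  - the hotter of the two sensors reached the trip point
    """
    reasons: List[str] = []
    overheat = False
    prev = None
    for r in readings:
        # 1. Cross-check: a monitor that under-reports will disagree with an
        #    independent sensor on the same tank.
        if abs(r.primary_c - r.backup_c) > DISAGREE_C:
            reasons.append(f"t={r.t_s}s sensors disagree: primary={r.primary_c} backup={r.backup_c}")
        # 2. Rate-of-change check: a sudden step is a sensor or monitor fault,
        #    not thermal physics.
        if prev is not None:
            dt = r.t_s - prev.t_s
            for name, cur, old in (("primary", r.primary_c, prev.primary_c),
                                   ("backup", r.backup_c, prev.backup_c)):
                if dt > 0 and abs(cur - old) / dt > MAX_RATE_C_PER_S:
                    reasons.append(f"t={r.t_s}s {name} implausible jump {old}->{cur} in {dt}s")
        # 3. Trip on the hotter value so an under-reporting monitor cannot
        #    mask an overheat.
        hottest = max(r.primary_c, r.backup_c)
        if hottest >= TRIP_C:
            reasons.append(f"t={r.t_s}s overheat: {hottest}C >= {TRIP_C}C")
            overheat = True
            break
        prev = r
    if overheat:
        return "trip", reasons
    if reasons:
        return "alarm", reasons
    return "run", reasons

def series(primary: List[float], backup: List[float], step_s: int = 60) -> List[Reading]:
    """Build a constructed reading series sampled every step_s seconds."""
    return [Reading(i * step_s, p, b) for i, (p, b) in enumerate(zip(primary, backup))]

# Constructed sample series.
NORMAL = series([70, 71, 72, 73, 74], [70, 71, 72, 73, 74])
OVERHEAT = series([95, 97.5, 100, 102.5, 105], [95, 97.5, 100, 102.5, 105])
# Primary monitor stuck at 80 C while the backup sensor climbs to the trip point.
TAMPERED = series([80] * 11, [80 + 2.5 * i for i in range(11)])
# Primary monitor jumps 20 C in one minute while the backup stays flat.
SPIKE = series([75, 95, 95], [75, 75, 75])

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("overheat", OVERHEAT),
                    ("tampered", TAMPERED), ("spike", SPIKE)):
        decision, why = evaluate(s)
        print(f"{name}: {decision}")
        for line in why:
            print("  ", line)
```

The design point is that the safety decision uses the maximum of two independently wired sensors, and any disagreement or implausible rate of change is surfaced as an alarm for inspection rather than silently trusted; a modified monitor can then delay a trip only if it also controls the backup sensor.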
It is not entirely clear why the Trump administration acted on Chinese power transformers. Power transformers are a growing market, estimated to reach US$34 billion in 2024.
Much of the industry is outside the US. But the US Energy Department says the United States is one of the “world’s largest markets for power transformers and holds the largest installed base of LPTs [large power transformers], and this installed base is aging.”
The Energy Department report also says the US only manufactures about 15% of the power transformers it requires. The Trump administration would like to see more domestic manufacturing and some companies from Japan and South Korea are now building plants to make transformers in the US.
While it is possible the Trump administration acted solely for economic reasons, it has cast its action as a national security issue, and the president directed the departments of energy and commerce to carry out investigations with that particular focus.
That suggests there may already be evidence of threats to the power grid involving hardware from outside the US. Among the national security concerns in play are cyberattacks that could collapse the national power grid and the risk of electromagnetic pulse (EMP) attacks that could disable the grid.
Recent administrations have pushed for hardening power transformers against EMP, but the heavy dependence on imports and the lack of interest by private and semi-public power companies has led to little real progress.
As tensions mount between the US and China as well as Russia, more dangerous attacks on critical infrastructure can be expected, even if these attacks use cutouts to hide responsibility.
Every nation, including the US, has launched cyberattacks on rivals’ infrastructure – in 2010 the US and Israel used the Stuxnet “worm” against Iranian centrifuges, targeting the centrifuges’ supervisory control and data acquisition (SCADA) system.
More recently, the US hit Iran with critical infrastructure disruptions after the 2019 Abqaiq-Khurais cruise missile and drone attack on Saudi oil installations. While Stuxnet was a serious attempt to slow Iran’s nuclear weapons program, it was only partly successful.
Neither the targets nor the results of recent US infrastructure attacks on Iran have been revealed.
While Stuxnet was a serious attack, the US has for the most part been passive and has not reacted against critical infrastructure cyberattacks, even while the US critical infrastructure sector was pummeled by state actors and allegedly independent hackers. So far that continues to be the US posture, but that passivity could change.
The most recent attacks are using more sophisticated tools aimed at defeating safety systems and, if the Iranian attack on Israel is indicative of the future, are aimed at harming civilians.
This means that cyberattacks are looking more and more like warfare, and could be interpreted as presaging a physical attack by a foreign adversary. The dividing line between cyber and hard military warfare is already blurry; the balance could tip, leading to US military countermeasures.
In fact, a cyber-event that resulted in US civilian casualties almost surely would be seen as a casus belli.
According to Israel’s Institute for National Security Studies (INSS), the Iranian attack was taken up by Israel’s political-security cabinet on May 7, 2020.
As INSS reported: “The Iranian cyber attacks are part of the multi-front struggle with Israel, which is also reflected in calls to destroy Israel, military entrenchment in Syria, support for Hezbollah and Palestinian Islamic organizations, and the drive for a nuclear weapon.”
The Israeli security cabinet decided on the subsequent port attack instead of stronger military action. Israel’s response would have been far harsher had the Iranian attack accomplished its poisonous objective.
The US probably would likewise react harshly if a critical infrastructure attack did any real and lasting damage and resulted in civilian casualties. No one can say for sure when, or if, that will happen but the potential for a cyber-driven military confrontation is rising.