by Josh Mitnick

How Israel secures critical infrastructure: Its water supply

Interview
Apr 06, 2021
Security

To harden Israel’s water network against an estimated 500,000 hacking attempts a year, Mekorot, the nation's water supplier, has invested heavily in securing critical infrastructure.


In the arid Middle East, countries have long worried about water security and even considered it a casus belli. 

The growing impact of climate change has further ratcheted up the potential for destabilization due to disruption of water reserves — even well beyond traditionally parched regions. And with increased exposure of critical infrastructure to sophisticated cyberattackers, water networks are more vulnerable than ever. 

In February alone, two of the largest U.S. states have had to grapple with threats to their water supply. As a result of record frigid winter weather, some 12 million Texans have had water interruptions due to low supply at hundreds of water systems across the state. Earlier in the month, hackers tried to increase the level of sodium hydroxide at a treatment centre in the central Florida town of Oldsmar.

Last year, it was Israel’s water network that was targeted: in April 2020, hackers reportedly linked to Iran targeted controllers at an Israeli wastewater treatment plant in an effort to release chlorine into the network. The head of Israel’s National Cyber Directorate said that if the attack had succeeded, it would have interrupted the country’s water supply and caused “big damage” to civilians.

For decades, Israelis have followed the rise and fall of Israel’s one freshwater lake, the Sea of Galilee, on a daily basis – a reflection of the country’s chronic sense of water insecurity. But in the last five years, thanks in part to lessons learned from its own droughts and a dramatic build-up in desalination plants on the Mediterranean Sea, Israel no longer relies on rainfall to fill the Sea of Galilee. Desalinated seawater now accounts for 85 percent of the country’s drinking water. Water security is further bolstered by a system of water treatment plants that enable it to recycle 90 percent of its wastewater for agriculture.

Those developments prompted Global Water Intelligence to rank Israel’s water sector No. 4 in the world and the World Bank to publish a 55-page report detailing the innovations in Israel’s national water management system. 

At the core of Israel’s water system is Mekorot, the 83-year-old government-owned monopoly responsible for taking 1.5 billion cubic meters of water annually from desalination plants and reservoirs, pumping it in bulk across the country to households and industry, and then treating wastewater to be reused for agriculture. That makes it an obvious target for hackers. 

To harden Israel’s water network against an estimated 500,000 hacking attempts a year, Mekorot has invested heavily in security technology. 

David Balsar, general manager for innovation and ventures, spoke with CIO about how Mekorot uses IT to secure its network and how the utility is seeking to leverage a digital transformation to optimize management and electricity usage.  

Balsar, who has overseen investment in four local start-ups, also discussed how Mekorot has been offering its know-how and best practices to water utilities in the U.S. and Europe — including the most recent breach at the water treatment centre in Oldsmar, Florida. 

Balsar said that one common theme of the recent hacking attempts in Florida and Israel is the vulnerability of smaller water companies because of a lack of resources to devote to security technology.  

What is your role at Mekorot?

We both source the technologies that are used at Mekorot, and we invest in actual start-ups.

How much does Mekorot invest in cyber security?

As the national water company, Mekorot is considered critical infrastructure. We are subject to the standards and protocols of the Israel Cyber Authority, which is a statutory entity that is responsible for all of the critical infrastructure and government agencies in Israel. We are ranked at the highest standard of cyber qualification. So we’ve been investing a lot of resources and we’ve been leveraging brain power to source the best cyber defence tools and build a very robust cyber architecture around it. 

You mentioned that Mekorot provided consultation on the Oldsmar treatment centre breach. What can Mekorot offer utilities in other countries?

Because we are in a tough neighbourhood, we see like half a million [hacking] attempts per year of all kinds across our ecosystem. And this requires us to be very alert and flexible. So we invest a lot of money into creating this advanced and sterile ecosystem in which it’s much harder for hackers to tap in. But it’s like cat and mouse, so we need to innovate all the time, and use technologies all the time to stay on top of the game.

We try to suggest help in terms of remedying, understanding what has been done, and how to protect — in terms of high level strategizing. We also provide a set of best practices. Cyber for water utilities is new. Most water companies either are not anxious about this, or are not aware about the risk at all. But now with Covid-19, and everyone migrating to remote work, you see all kinds of hacking phenomena.  

Can you speak about start-up technologies that Mekorot has invested in and actually uses?

IXDen is a software start-up which is used in the oil and gas industries. We migrated IXDen to water. We adjusted it to our architecture. We added an additional operational layer to their solution. It’s a cyber solution that detects [hacking] attempts. It also has an operational efficiency, predictive maintenance aspect to it. It gives an indication about the health of our equipment and assists with asset management. A cyber [attack] is one of the first suspicions, but it could also be a malfunction, a battery running low, or a technical malfunction. There are lots of reasons for equipment to behave strangely. 

This software gives each component, each piece of equipment a score. It can be a water meter, it can be a sensor, it can be a PLC —  there are tons of components in our architecture. We call it a biometric footprint, or a score. Every time it scans the system and sees a variation in the score, it gives an alert. If the score changes, you can assume something is starting to happen. It’s real-time system health monitoring. 

A majority of water utilities have been challenged during the COVID-19 pandemic by the need to shift to remote work. What vulnerabilities does that create?

Granting unsecured remote access — just simply connected to the internet or your IT or your OT [operational technology] system — increases the probability that hacking attempts will succeed.

It takes a lot of resources to create a proper buffer between the IT and the OT, and the internet. Because what you are doing is duplicating everything. You need separate systems — for the IT, the OT, and the internet, and it’s costly, because you need to maintain those systems as well. You need a lot of resources behind it. Most water companies do not have this philosophy or the resources to do it. And, what we see is that usually it’s the smaller, or less experienced water utilities which are being hacked.

Of all the hundreds of thousands of hacking attacks per year, do you know what the breakdown is between attackers which might be state sponsored, or ones which come from individuals?

We have it all. Sometimes it’s hard to identify each time where it comes from. We have the full range of flavours and origins. [State-sponsored actors] can be a part of it, but it can also be hackers just trying to tamper with your website. When they try to tamper with your chemical processes — like your chlorine levels — which can be more harmful. Last year we saw an attempt like this on one of the local municipal utilities, in which they attempted to tamper with a programmable logic controller in such a way it would release more chlorine into the system than it should. That can be quite inconvenient. [Israel’s] local water utilities don’t have the same level of investment and consciousness and experience as we have as a critical state infrastructure.

Given the risks of a cyber-attack on the water infrastructure, and the need to use cloud computing, how do you integrate cloud technologies while ensuring the water network remains secure? 

There is a tension we deal with between using cloud computing or cloud servers, and an on-premise server. Naturally, an on-premise server is much more secure and manageable. You can control it much better, but the reality is that the cloud is much more advanced and scalable.

From my perspective, it’s a mix of on-premises, and then cloud, and in the cloud, the hybrid cloud, and then the secure cloud. You need to understand which data goes where, and which access you grant to which resource, to which cloud, or to which server. The important things usually go on-premises, with a backup. The game is how do you build it in a strategic way? 

When building the architecture and the overall strategy on your server, you take cyber into consideration, but there are other factors as well. But your network is still an alive and kicking business operation. You need [to create] efficiencies. You need to scale up, and so on. So we need to take into consideration many things in order to decide what is the best solution.

Can you talk about Mekorot’s digital transformation?

We currently have nine command and control centres and are in the process of creating one central control centre for the entire country’s network. Because we are dealing with the entire water cycle —  from production to transmission, to treatment to water reuse —  getting it all into one system that controls supply and demand is quite complex. 

Having one control room that operates with just three to five people requires a big effort in terms of digitalization, artificial intelligence, machine learning, and big data. We are producing more than 30 million data points a day. It can be pressure and temperature, or chloride or whatever. We need to take all of that data and translate them into actionable items. We are turning it into smart water, where you have real-time indicators and early detection. We will be able to monitor the network online for quality, volumes, and energy-usage.