Cyberattack Against Israeli Highway System? Maybe Not
The eastern end of the Carmel Tunnels road system near Haifa, Israel.
Did a cyberattack shut down a major road system in Israel last month? The Associated Press says it did, but security experts who spoke to Tom's Guide weren't so sure.
The AP, citing an anonymous source, published an exclusive story yesterday (Oct. 27) that said "a Trojan horse attack targeted the security-camera system in the Carmel Tunnels toll road," causing the underground highway, near the northern city of Haifa, to be shut down for 20 minutes on Sept. 8.
On the following day, the AP said, the attack struck again, "causing massive congestion" that lasted "for eight hours" and resulted in "hundreds of thousands of dollars in damage."
The AP's source said the Carmel Tunnels camera system was hit by "unknown, sophisticated hackers, similar to the Anonymous hacking group that led attacks on Israeli websites in April."
But was this really a cyberattack? Maybe not. All of what's described in the story can be chalked up to routine malware infection — or even to routine system glitches.
The company that operates the Carmel Tunnels, which opened to traffic in 2010, took to Israeli radio today (Oct. 28) to deny the AP report and reaffirm the company's original statement that the shutdown was due to control-system flaws.
"There are virtually no verifiable details, but it doesn't feel like a 'cyberattack' based on the tiny insight we have so far," said Steve Santorelli, a digital-forensics investigator formerly with Scotland Yard and Microsoft who now works for Lake Mary, Fla.-based consulting firm Team Cymru.
"It feels more like another simple screw-up, the kind that happens every day with complex, interconnected networks, only this time, the impact was felt and seen more widely," Santorelli said in an email to Tom's Guide.
The AP story didn't explain exactly how the security-camera problems led to the closing of the tunnels, but industrial-control-systems security expert Joe Weiss of Applied Control Solutions told Tom's Guide that simply losing the video feed from inside the tunnels might be enough reason to close the road.
"If you are in Israel, and you're really paranoid about security, and you lost view in a tunnel, you might want to shut it down," Weiss said.
"A year ago," Weiss said, "BART [San Francisco's Bay Area Rapid Transit] had a computer problem where they lost view, so they had to stop every single train in its tracks. It's possible that they [the Israelis] had to close the tunnels for the same reason."
Robert David Graham, chief executive officer and co-founder of Errata Security in Atlanta, stressed that even if a traffic-control computer system were hit by malware, that wouldn't mean it had been singled out for attack.
"It's quite likely the problems stemmed from hacks/viruses, but that's not evidence of a cyberattack," Graham said in an email to Tom's Guide. "Saying somebody was 'targeted by a cyberattack' is like saying 'Hurricane Katrina targeted New Orleans.'"
"That's normally the case with matters like this," Santorelli said. "Automated malware seeps into a system and does what it's supposed to do — not because the system is sensitive, but because it's just yet another system to infect."
Santorelli added that the shutdown could have been entirely unrelated to malware.
"It could have been caused by about a million other issues, all relatively benign and simply unfortunate, as opposed to deliberate," he said. "Remember, these are complex systems, and, now that we've moved so many control systems away from closed, dedicated communications channels, onto the (far cheaper) Internet, the risks are magnified."
So why would a presumably authoritative, if anonymous, source tell a reporter that the tunnel closings were due to a cyberattack?
"It makes good headlines," Santorelli said. "The real cause might be a little embarrassing, and the folks that know the real truth might not be in a position to comment."
Only one source was cited in the story itself, but via Twitter, the AP reporter said that more than one source had confirmed the allegations.
It's possible that the report is indeed accurate. There just isn't enough information disclosed to know for sure.
"It did not strike me as something that wasn't plausible," Weiss said. "But there's no way to read anything further into it from what's in the story."