Late last year, the Israel Electric Corporation (IEC) launched a new entrepreneurship and business development unit for the cyber market, headed by Yosi Shneck. The establishment of the new unit indicates that IEC follows in the footsteps of other government-owned companies such as Rafael Advanced Defense Systems for the purpose of converting the corporation’s cyber assets into performing (cash-generating) assets. The new unit operates in Western Europe, the US, South America, and Japan, and has a staff of 12 employees, most of them IEC employees.
One of the best-known examples in this field of activity is the CyberGym Company, established in 2013 as a joint venture of IEC and private entrepreneurs. “Unlike CyberGym, my unit was established within IEC and focuses on Operational Technology (OT), mainly in critical infrastructure (utility) organizations that operate industrial control systems. Some of the utilities involved include electrical power, water, and similar utilities,” explains Shneck in an interview with IsraelDefense.
“We provide solutions in areas where we had identified gaps in the market. Along with products, the unit also provides professional consulting services to relevant organizations on improving their cybersecurity and their ability to recover from cyberattacks, as well as on effectively managing their cybersecurity setup. Our activity includes workshops and consulting programs for various management echelons within the organization, from line managers to the top management,” says Shneck.
One of the products the unit developed and sold to overseas clients is a dedicated command and control system for the OT world. The system enables company executives to view a cybersecurity status picture. “This is a unique product that enables executives to make decisions regarding processes taking place in their network. The decision-makers in critical infrastructure organizations currently rely more on intuition and sentiment than on facts, and that is a problem. Executives view a very partial status picture and make decisions according to it,” explains Shneck.
A New Cyberattack Dimension: Psychological Impact
One of the primary challenges associated with cybersecurity management in critical infrastructure organizations is separating the IT and OT environments. “The attacker is not interested in this organizational separation,” says Shneck, “As far as we are concerned, he will enter through whatever loophole he can find with a clear objective of damaging the organization’s ability to operate its infrastructures. We face highly capable attackers, be they states, criminal organizations, or any other stakeholder possessing these capabilities.”
Along with the OT and IT, Shneck refers to yet another environment – Virtual Technologies (VT). These attacks are intended to create a psychological impact on an audience or public. While these methods are well-known from elections or advertising campaigns, they have recently entered the cyber world with the intention of affecting the decision-makers. “They take these methods and apply them to key functionaries in organizations,” explains Shneck, “Imagine the attacker succeeds in affecting the decision-making of a manager in a production process using social engineering. This attack is not different from other attacks whose objective is to damage the manufacturing process.
“However, this attack involves an indirect channel into the organization that does not require hacking into its networks. Another example involves user impact. For example, an attacker may dominate a critical mass of remotely-controlled air conditioning units for the purpose of initiating a serious power outage that can lead to complete darkness. The implication is that you can attack critical infrastructures from the outside, by impacting numerous users. As an attacker, why attempt to crack an infrastructure company that has a budget and knowhow, if you can find an easier way to accomplish the same objective? He wants to stop the supply of electrical power, regardless of the way to do it.”
Challenges in the OT World
As stated, one of the challenges faced by critical infrastructure organizations involves the separate management of the IT and OT environments. “The challenge is getting the organization to a state of synchronized information between these environments in the virtual world. In some organizations, the separation is so deeply embedded in their character, that the environments have radically different cultures. The attackers do not differentiate between the environments,” explains Shneck.
“Another challenge is decision-making. The tools available notwithstanding, the decision-makers in such organizations face difficulties along two axes: they do not have a complete status picture and the picture they have is made accessible in a language they do not understand. The CEO does not care about firewall rules – he only wants to know the implications of the risk. On the other hand, line managers are interested in other things.”
Shneck will lead a simulation game titled ‘Michelangelo’ during the Cybertech Europe 2019 event, scheduled to be held next week in Rome. “Cybertech Europe will include a dedicated IEC event intended to simulate the decision-making process during a cyberattack. Ten guests will be seated around the table and playing the role of the senior management team of an imaginary organization, with me playing the role of CEO. The objective is to simulate and present to the audience how decisions are made in reality. At the conclusion of this event, IEC’s concept regarding this activity will be presented to the audience,” concludes Shneck.
Cybertech Europe 2019 will be held in Rome for the fourth year running. The event provides a meeting place for thousands of participants from around the world, from the public and private sectors. Hundreds of leading companies and promising startups will take part in the exhibition that will coincide with the conference, showcasing the latest developments in the field of cyber.