HAIFA, Israel – The electrical grid is arguably the most critical infrastructure in a country – without power there’s no water generation, offices and plants close, telecom networks shut down… and the list goes on.
But electric utilities can’t protect everything on their operational and IT networks from cyber attacks, a senior security official at the Israel Electricity Company (IEC) told reporters here Sunday. As in any organization, he said, security is a matter of managing risk based on business priorities.
“If you collect everything [in network activity] you will be lost,” said Boaz Landsberger, deputy manager of IEC’s cyber security department. Cyber security “is not about collecting events and adding them up.”
So, for example, he’s more worried about spear phishing attacks than the number of viruses on the company’s desktops.
The business side has to tell the CSO what its priorities are, he said. “Business first, and then you have security. You have to give security to enable the business. If somebody says you must allow customers to pay their electric bill through the Internet, of course it is a little risky — if you put your credit card number on the Internet it might leak. If you allow people to email an attachment you cannot be 100 per cent sure it is clean … But we are a business company and we have to allow the business to continue.”
So infosec pros have to be flexible, he said.
In an interview with ITWorldCanada.com he expanded on his comments. “Define what critical business processes are important to the company, and see how to defend the processes best. You cannot do everything. Define what’s most important. You have the infrastructure that’s important to electricity generation, you have the IT network and you have the Internet. Isolate them as best as possible.”
But he also said having a solid security infrastructure is crucial. IEC set its infrastructure about a decade ago, he said, and despite the addition of cloud computing and other innovations it hasn’t changed much.
“You have to have a solid architecture. You do not change your architecture every year. It’s not possible,” he says. “We have the IT network, we have the Internet, we have the critical infrastructure. And inside the IT network we have small islands which are the critical data and we secure it. This is our methodology. We have a big shield between the Internet and the IT network, and a big shield between the IT network and the critical infrastructure, and inside the IT network we have smaller shields that defend critical data in the IT network. We thought about it 10 years ago and more or less the idea has not changed.”
Landsberger spoke to an international group of about two dozen reporters at the start of a five-day government-organized tour here to meet Israeli security companies selling cyber expertise or products, in conjunction with this week’s annual Cyber Tech conference in Tel Aviv.
The company, which generates and distributes about 70 per cent of the country’s power, wouldn’t quantify how many cyber threats it faces a year, nor its security budget, other than to say the government-owned IEC is the most attacked organization in the nation.
And IEC is proud of its cyber security expertise – one vice-president told reporters that “We have one of the best systems to deal with cyber threats … many companies are consulting with us.”
The IEC is even about to start selling advisory services to utility companies around the world. It also has a joint venture with an Israeli company called CyberGym for training IT staff in critical infrastructure organizations on how to respond to cyber threats.
Israel’s cyber security knowledge is respected in the Canadian energy sector, and Canadian and Israeli energy companies have been trying to learn from each other on the issue for some time. The Canadian Electricity Association sent a fact-finding delegation to Israel in 2015.
Robert Wong, vice-president and chief information and risk officer at Toronto Hydro, recalled in an email interview last week meeting a number of government officials and business people from Israel to discuss and share what they are doing and concluding that “it is definitely quite impressive how far ahead they are compared to most of us in North America.
“I was in attendance at a cyber security event last fall [in Toronto] organized by the IESO (Ontario’s Independent Electricity System Operator, which manages the provincial power network), and the senior vice-president and CIO of Israel Electric Corp. gave a presentation of their approach to cyber security in protecting their electricity system. I can’t go into specific details (because he did not provide them in his presentation) but my takeaway was that they live and operate in a much more challenging (and dangerous) environment than we do and therefore are forced to become much more advanced and sophisticated in their cyber security practices. They are under constant physical and cyber threat and must be at maximum diligence at all times. Consequently, they have to invest a lot more than we do on their cyber security practice (which is much easier to justify).
“It also helps that Israel as a whole has made cyber security development an area and focus for economic growth, so the state agencies there have easy access to these leading technology solutions.”
Energy is one of the critical infrastructure sectors that governments want to ensure are able to resist cyber attacks. Those that aren’t prepared can suffer. For example, in 2015 parts of Ukraine were plunged into darkness in an attack suspected to have originated in Russia.
Canada participates in a number of international forums to exchange energy sector knowledge. In addition to working with the U.S. and Mexico on strengthening the North American electrical grid, Ottawa sends representatives to the annual international Meridian Conference on critical infrastructure information protection.
Meridian also works with the Global Forum on Cyber Expertise. Following the November 2016 meeting, they issued a good practice guide for policy makers for protecting IT assets of critical infrastructure.
Ottawa has a strategy for helping organizations protect critical infrastructure that dates back to 2010. Last fall the new Liberal government began a consultation on refreshing it.
The reporters’ tour of IEC included a visit to its ‘war room’, which has 16 large monitors on a wall, each displaying a wide range of data points including a map of the world that graphically shows moving arrows representing data streams of incoming threats to the company. On Sunday morning, the top source was the Netherlands (about 4,000 an hour), followed by the U.S., Brazil, Vietnam, and, a little way down, Canada (about 200 events). But a company official noted the map only shows flows from the last hop. Because attacks are steered through several countries the map isn’t a true depiction of reality – in fact, he suggested that particular display is more for show.