Israel’s Electric Corporation – Global Target for Hackers


Inside the national cyber command room of Israel’s Electric Corporation: 4,680 cyber events every second * 600 million blocks of information each day * 10,000 suspicious events daily * Between 8 and 10 cyber attacks daily.

The moment we set foot inside the national cyber command room of Israel’s Electric Corporation, the board shows 4,680 cyber events. No need to be alarmed: not all of them are cyber attacks. The command room crew nevertheless treat every alert with the same level of seriousness. Every incident is fed into information systems, to be analyzed by the experts and IT personnel who are present 24/7.

It’s no secret that the Electric Corporation, being a strategic infrastructure provider and the largest single energy provider in Israel, is a target for cyber attacks. According to Yosi Schenk, VP of Computing: “We handle 600 million blocks of information that reach our systems every day. We monitor them all, discover about 10,000 incidents per hour that require deeper investigation, with 8-10 identified as cyber attacks each day.”

On the giant screens covering the walls of the room things look clearer: Some feature tri-colored half-circles – green, yellow and red. When the needle shows red it means a cyber attack has been detected. Once a virus is discovered (trojan, malware, etc.) in the Electric Corporation systems – whether command or power production – an alarm is sounded. The viruses are categorized as “not severe”, “low severity”, “severe” and “very severe.”

The central board displays a moving map of planet Earth marked with flames of different sizes – each flame in a specific country shows the origin of a cyber attack, with the size of the flame matching the intensity of the attack. Another graphical element displays internet traffic intensity all over the world. When anomalies are detected, ready room analysts begin their work.

So who are the main culprits, the perpetrators of cyber attacks? Yosi Schenk: “First we have to remember that we’re constantly under attack and despite that take almost no damage. The issue has been on the rise over the last few years – cyber attacks are no longer carried out just by criminals, now culprits are trying to bring down tactical or strategic targets, disrupting national routine.”

“As for the origin of the attackers: The U.S., Iran, Saudi Arabia, Poland and yes, Israel too. There’s no doubt that the attackers, whether in the name of a nation or for private citizens and organizations, have no intention of stealing anything from us – they want to damage infrastructure, disrupt normal, daily routine, damage the company’s reputation, deny service. Damaging reputation, in the cyber world, means damaging an organization that is trusted by a large number of citizens. We in the Electric Corporation are one such organization, because the public expects us to constantly provide them with power. More from the world of cyber attacks: If you’re attacked, if the attackers damage you somehow – it means you’re weak, vulnerable, and everybody will know it. That’s why we have to prepare, block threats and reduce the probability of success for attackers.”

Photo: Israel Electric Corporation

Over the last few years the Electric Company took many steps aimed at monitoring, detecting, identifying, analyzing and preventing cyber attacks, using human resources and advanced, costly systems. The cyber command room is at the heart of these activities, storing massive amounts of information which is then analyzed in order to alert other company branches when necessary. Analysts try to predict potential future attacks and discover anomalies in every block of information received.

The darknet is mentioned a lot these days, a source of many threats ranging from terrorists to criminal organizations.

Ronen Dekel, VP of Information Technology and Director of Cyber Command Technologies: “According to our model of cyber security the more motivation and resources an attacker has, the more successful he will be. That’s why defenders have to remain one step ahead of attackers. We collect information, store intelligence from hundreds of internal and external sources, manage R&D activities, cooperate with other, similar organizations in Israel and abroad, employ experts specializing in information security, information systems, computers and analysis – all aimed at providing us with situational awareness as far as cyber threats are concerned. Not every cyber weapon is aimed at creating immediate damage, some are “sleepers” set to go active six months from now. They have to be neutralized and identified before they activate.”

When considering cyber threats, Saudi Arabia is often brought up as an example: In just one minute, 30,000 computers in the Aramco oil giant stopped working. Israel’s Electric Corporation has not suffered any major damage from cyber attacks so far, except, according to company management, “suspending a few workers for a while.”

Since cyber experts at the company are not involved with active defenses (“we leave that to others”), passive defenses have been the priority over the last few years. They include a large variety of rules of conduct, in addition to physical and digital measures that connect cyberspace and the physical work environment. A few examples:

  • Company employees are banned from using small flash drives. If one is accidentally plugged in an alert is sent to the command room.
  • Mail: When employees receive mail from unknown or suspicious sources, that mail item is transferred to cyber security analysts.
  • When someone opens a circuit board without the proper authority an alert is sent to the command room.
  • HLS and physical defenses: Closed-circuit cameras, biometric access control in sensitive areas.
  • Education, training, drills and cyber security awareness. The level of awareness is high, with top company officials in charge of the issue. Management keeps stressing that even if only one attack in a million attacks got through, that might be the one to cause a disaster. Employees should always be prepared, and no incident is ignored.