Cybersecurity Leaders – Motti Cohen, CTO and Chief Cybersecurity Architect @ IECyber – Israel Electric Corporation
Motti Cohen serves as the Cyber Chief Technology Officer (CTO) in the cyber entrepreneurship and business development arm of the IEC’s cyber unit, where he is responsible for leading IECyber’s information security and IT/OT product architecture design and project management. In this role, Motti sets the corporate information security and technology vision and strategy in key areas, including governance, policy, awareness, project management, audit, assessment, incident response, operations, technical investigations, business continuity and more.
In his previous functions at the IEC, Motti served as the Head of the Israel Electric Corporation (IEC) Cyber Fusion Center, with responsibility for administering the IEC’s multi-tenant SIEM, SOC and SOAR (e.g. rule authorization, system configuration, operations and maintenance), creating and maintaining an incident response (IR) team, and investigating and analyzing cyber incidents.
Motti is a cybersecurity veteran with more than 23 years’ expertise in cyber architecture design, penetration testing and ethical hacking, security and crisis management, cyber risk assessment, cloud security, ICS/Cybersecurity and more.
Motti served in the 8200 Unit of the Israeli Intelligence Corps and holds a Bachelor of Science degree in Information Systems, specializing in cyber security methodology.
What unique security challenges does your industry face?
Industries across the globe rely on operational technology (OT) and industrial control systems (ICS) to support their mission-critical infrastructures. From the moment we wake up until the moment we go to sleep, we breathe and use ICS systems.
The electric power grid is evolving quickly with the introduction of new “intelligent” technologies, which will improve its efficiency and performance. However, these technologies have the potential to make the grid more vulnerable to cyberattacks, which has motivated a new set of standards. When we look at OT cybersecurity, we often think only of malicious attack, but we also need to see it as a potential for accidental flaws in the system.
The lack of an OT staging environment is critical: there is no ability to emulate, simulate and test cyber sturdiness, unlike an IT staging system, where you can build a nearly exact replica of a production environment for software and cyber security testing and updates.
OT cyber staging environments are very complex and very expensive to set up, not widely available and often unattainable. Usually only rich countries can afford such environments. Therefore, there is no available budget and no resources for robustness and security testing on real-time manufacturing systems. There is no ability to perform a periodic validation of the deficiencies found in the testing process, and this prevents organizations from analyzing and understanding the impact of cyber threats and risks on their operational environment.
What advice do you have for security leaders?
The idea of “selling” cybersecurity is the area where security leaders struggle the most. To truly “tackle” security in organizations, they must sell it to the employees. 95% of all successful cyber-attacks are caused by human error. The employees’ daily behavior and activities are the root of what makes us more secure.
Selling cybersecurity to employees must start by convincing them to change their cyber behavior at home. Achieving a change in the employees’ cyber routine at home will make an impact on how they continue their cyber behavior and daily routine at work.
Ransomware and phishing are among the risks that have threatened all industries recently. From your perspective, how should companies mitigate these risks and what has worked for you?
The COVID-19 pandemic has shown a sharp increase in ransomware attacks. Hackers have managed to cripple government networks, businesses have been crippled, and hospitals have been forced to turn away patients. If you are going to take a hit on your data and files, at least learn from the mistakes others made. These are my recommendations for the key success elements to prevent and mitigate ransomware attacks:
- Identify ransomware behavior: Organizations can identify ransomware behavior by installing ransomware protection software. Ransomware can be traced because it has observable patterns. Once these are detected, they can be blocked.
- Configure military-grade backup and restore software and test the restore function regularly. Ransomware/malware destroys data and holds it hostage.
- Implement effective security awareness training combined with simulated phishing attacks to dramatically decrease the phish-prone percentage of your employees. It is important to be able to recognize a threat before it causes downtime.
- Install and maintain high-quality EDR / antivirus software as a layer you want to have in place, but do not rely on it; it always runs behind.
- File extensions: All documents should include relevant viewable file extensions from trusted sources. It is necessary to protect the system from downloading inconsequential documents that may be coming in from suspicious sources. Be vigilant and aggressive in blocking file extensions via email. If you are not blocking .scr, .js, .wsf, .vbs, or scanning the contents of .zip files, you’re not done.
- And last is preparation, practice and collaboration. If your organization is under ransomware attack, top management needs to understand that ransomware events are managerial; they need to make sure that those alongside them are experts who have gone through such events and who have high technical capabilities in IR and information retrieval. They need to have an experienced negotiator to help them in the process.
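The extension-blocking point above, as an added example that is not part of the interview or of any IEC tooling: a mail-gateway attachment check in Python that applies the listed block list, judges a file by its final suffix (so a double extension such as `Invoice.PDF.js` is caught), and opens `.zip` attachments in memory to inspect their members recursively, failing closed on corrupt or password-protected archives. The extension sets, nesting limit and `build_zip` helper are assumptions made for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment extensions the interview says to block outright at the mail gateway.
BLOCKED_EXTENSIONS = {".scr", ".js", ".wsf", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip"}   # archives are opened and every member is checked
MAX_ARCHIVE_DEPTH = 3           # constructed limit: deeper nesting is rejected, not unpacked


def extension_of(name: str) -> str:
    """Lower-cased final suffix, so 'Invoice.PDF.js' is judged by '.js'."""
    return PurePosixPath(name).suffix.lower()


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return policy violations for one attachment; an empty list means it passes.

    Zip archives are opened in memory and each member is checked recursively,
    so a blocked script hidden inside a zip is still reported with its path.
    """
    violations = []
    ext = extension_of(name)
    if ext in BLOCKED_EXTENSIONS:
        violations.append(f"blocked extension {ext}: {name}")
    if ext in ARCHIVE_EXTENSIONS:
        if depth >= MAX_ARCHIVE_DEPTH:
            return violations + [f"archive nested too deep: {name}"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    inner_name = f"{name}/{member.filename}"
                    violations.extend(inspect_attachment(inner_name, zf.read(member), depth + 1))
        except (zipfile.BadZipFile, RuntimeError) as exc:
            # Corrupt or password-protected archives cannot be scanned, so they fail closed.
            violations.append(f"unscannable archive ({type(exc).__name__}): {name}")
    return violations


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory zip to exercise the policy offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()
```

Any non-empty result is a reason to quarantine the message; an empty list only means the attachment passed this extension policy, not that it is safe.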
What should corporate boards know about conducting information and cyber security?
Robert Mueller, who was the FBI director until 2013, once said that there are only two types of companies in the world: those that have already been hacked, and those that will be hacked in the future. He then jokingly added that “the two groups can be merged into one category: companies that have been hacked and hacked again”. Anyone who takes Mueller’s idea seriously (and we should all do so) will come to the conclusion that he should start researching and finding out which of his two categories his company belongs to: “those who have already been hacked” or “those who will be hacked in the future”.
Where do you see the difference between IT security and OT security?
Unlike cyber events against computer networks, ICS cyber security breach events are very likely to directly affect the quality of life and physical safety of citizens (from water contamination up to disabling essential services such as electricity, gas, water, transportation, etc.).
There is a difference between the cyber security defense methodology for IT and for OT, due to the nature of the systems’ criticality, general availability and safety.
ICS systems are subject to common environmental traits, which any potential defense strategy must take into consideration: elements like the production environment, the configuration layer and the network layer.
Here are some key challenges:
Production environment common challenges
- Unsecured connectivity: modems, remote maintenance approaches and wireless connections, as well as air gaps, are fertile breach ground
- Using IoT devices and capabilities together with obsolete apps, written in an unsecured way
- Information security and architecture: an abundance of verified exploitable information regarding architecture installation and maintenance, interconnection structure and controllers’ configuration
- Standard / common operating systems are more likely to be explored for vulnerabilities
Configuration layer common challenges
- Updates are difficult to implement on systems which have been running for years without rebooting
- User authentication and identification is difficult because it is an operating environment
- Sometimes default passwords were burned in at the factory; at other times they are very difficult to change
- Antivirus cannot always be installed on the equipment (for operational and contractual reasons); at other times systems prevent execution of unknown code
Network layer common challenges
- Limitations on intrusion testing due to the possibility of causing system downtime
- Difficulty performing network scanning, due to fear of delaying production processes (e.g. ping sweeps have caused failures in the past)
- Hard to introduce network information security components, due to the focus on real-time performance, since they cause latency
- Difficulty in encryption and network segmentation
For security executives who don’t have a strong relationship with their board, how can they improve it?
Today, C-Level executives are getting an unclear, fuzzy, not updated, and not relevant cyber situational picture in their areas of responsibility that creates an unsubstantiated decision process at all organizational levels and leads to weak cyber defense and resilience.
When leaders need to make cyber decisions, they are usually faced with:
- Lack of clarity
- Lack of structure
- Lack of consistent updated (real-time) data & information
The information presented to the decision-makers is usually technical and not meaningful at their level. Cyber protection does not have a clear ROI. Therefore, most of the investments are based on “fear” and are very subjective to the CISO’s approach.
The ability to present a clear, updated, relevant and understandable cyber picture to the different managerial levels of the organization gives executives better visibility of what could happen, and their security teams can make pinpoint decisions to reduce business impact. This will help to improve the relationship between C-level executives and security executives.
To Summarize
As digital transformation is spreading within the industrial environment, cybersecurity is a priority that has already become strategic to the business and may become even more so in the future.
To deal with this problem, we must do more! Industrial cyber threats are a harsh reality of today’s world, which we can’t keep ignoring.
It is dejecting to see that for the most part we still lack significant progress across the board when it comes to dedicating resources to these challenges. As we increase the level of automation in our critical infrastructures, “we must take security issues seriously.”
From my experience, collaborating across business units and sectors can help us address more use cases. Sharing experiences can enhance the safety and security of the broader community.
Aligning with Security Frameworks and Standards will help us focus on the resources and actions required for protection. We need to balance between cyber sturdiness and the ability of the business to fulfill its destiny.