“The things we do are certainly challenging and innovative,” Michael Arov, cyber-technology product-line manager at Rafael, told JNS. “The Israel Railways project is one of them.”
Arov, who is responsible for all of the company’s cyber activities, said trains are becoming more computerized, which means that the cyber “attack surface” rail networks present to those with hostile intentions is also increasing.
“Israel Railways is considered critical infrastructure because of the damage that can be caused [to the country through it]. Our first goal is to safeguard human lives and create a situation in which it will be hard—in the cyber world, we don’t say ‘impossible’ because nothing is impossible—but to make it very hard to harm lives,” said Arov.
Preventing catastrophic scenarios like collisions and derailments is a top priority, he added.
In order to achieve this, “one has to understand first what the cyber situation is, in all of the subsystems,” said Arov. “A train network is a system of systems. There are lots of subsystems, and they all have to be in tune with one another. If not, the entire system goes out of sync.”
The critical control panels, the power supply, the train doors and most importantly the signaling system all require close monitoring and defense.
“The real-time signal system is what decides which train, with which driver, is where and on what track. This is the holy grail of every attacker. It is the most critical system for train safety,” said Arov.
The train system’s Cyber Security Operations Center (CSOC) provides a constant overview and will sound a real-time alert when something suspicious takes place.
The CSOC draws attention to problems as they are detected. Operators can then manage the risks—like deciding whether or not to halt train traffic or avoid using a certain part of the track.
“In the end, the solution is stable, holistic and does not harm functionality,” said Arov. “We understand we have to support the main process and not disrupt the train’s functions.”
‘Privacy is a central issue’
When it came to setting up a defense program for the Bank of Israel’s National Credit Registry, Rafael faced a different set of demands. Unlike the country’s rail system, cyber attacks on the registry were not potentially life-threatening, according to Arov, but could still cause significant damage to the country.
The registry contains plenty of sensitive data in one location, and Rafael had to devise a way to let non-governmental organizations, such as credit bureaus, access the figures without leaks.
“We built a system that intimately supervises what information is being accessed, grants authorizations, conducts checks and monitors all connections between the computer system and the business-transactions world,” said Arov. “This was a different kind of problem that required a different solution from the train network.”
Yet here, too, Rafael built a CSOC that creates a single picture of all cyber activities and provides real-time alerts.
“Privacy is a very central issue in this kind of project. There is data here that would be very interesting to others. Even registry employees cannot access restricted data without triggering an alert. Privacy is severely enforced here,” he added.
In recent years, after years of uncertainty, Israeli authorities have brought more order to defining their jurisdiction in the sensitive world of cyber defense.
The Israel National Cyber Directorate is responsible for policy on defending core national infrastructure. The Shin Bet domestic-intelligence agency plays a central role in national cyber defenses, too.
Ultimately, Arov said, despite the appearance of so many companies and so much investment into cyber defense, the threat is here to stay.
“Our sense is that products are not the ‘be all and end all’ in this world. Even if you have a really good lock on your door at home, it doesn’t mean that someone can’t breach it. The solution has to be comprehensive. One also has to deal with windows, and intruders can come in through the ceiling and walls. Locks are great, they are part of the solution, but they’re not enough,” he argued. “It is important to understand the big picture. In the end, cyber defense is not a one-off event.”