TEL AVIV — Ilan Barda knows how to protect the electric grid from cyberattacks, but he doesn’t understand the rules of baseball.
America’s favorite pastime may not seem to matter for Barda, whose office in Israel’s high-tech capital is strewn with cords and hardware rather than sports paraphernalia.
But the CEO of cybersecurity startup RadiFlow says he could use a baseball lesson or two as he pursues the U.S. market for industrial cybersecurity.
"English is only the starting issue — that’s the easier part. The problem is the culture," Barda said. "When I go to a meeting, the first thing that happens is they speak for 20 minutes about their [U.S.] college, what they’ve done over the weekend. … How can I say anything?"
That’s if he gets into the meeting at all. In the hush-hush world of grid security, where officers at many bulk electric power companies carry top secret security clearances with the U.S. government, an Israeli outsider can be seen as a liability.
Barda recounted one time when he flew out to a meeting with an American utility — he won’t say which one — only to be turned away at the gate when a guard found out he wasn’t a U.S. citizen. He had to drive back to a nearby consultancy and teleconference in.
Barda wasn’t bitter about that episode, saying it was a fair precaution for a critical infrastructure operator to take. He also acknowledged that Israel, where military service is compulsory for most of the population, has its own cultural quirks: "You start with discussing what you’ve done in the army together, then you start doing business."
But his experiences are reflective of the challenges that face Israeli firms old and young as they seek to make inroads in the fast-growing field of industrial cybersecurity.
It’s easy to see why Israeli entrepreneurs have their sights set on the United States. Though Tel Aviv’s tech firms often bring in their first foreign customers from nearby Europe, the real prize for growing Israel’s $3 billion cybersecurity export market lies across the Atlantic.
That’s especially true for vendors catering to the oil, gas and electricity businesses — systems that use so-called Supervisory Control and Data Acquisition (SCADA) networks. The U.S. bulk power grid is among the biggest in the world by any measure, and includes about 80 times as many substations as Israel’s. The United States has nearly 400,000 miles of transmission lines greater than 100 kilovolts, while the government-owned Israel Electric Corp. oversees 3,400 miles.
Barda’s company sets out to safeguard that infrastructure from hackers. RadiFlow’s software monitors the equipment in industrial environments, learns what each controller is supposed to be doing and alerts operators whenever there are suspicious changes.
RadiFlow is hardly the only cybersecurity company to make use of behavioral analytics, where competitors win or lose based on the strength of their algorithms. But Barda’s is one of a bare handful of companies to apply that technology to the industrial space.
Another Israeli startup in the area, dubbed ICS², goes straight to the heart of the industrial control systems (ICS) from which it takes its name.
Unlike RadiFlow, which monitors each far-flung piece of a SCADA network, ICS²’s technology trains most of its focus on the "data historian" that pulls operational information from across the industrial space, be it a wastewater facility or a manufacturing plant.
"We look on the operational data, on the historian data; we analyze it, create signatures and look for the physical connection between the dots," said ICS²’s co-founder and vice president of sales, Omri Green.
Green’s two-year-old company launched as a spinoff from solar power producer BrightSource Energy’s software and industrial process departments. ICS² now has nine employees and has courted business from major electric utilities in the United States.
"You must be small in the beginning because this is a slow market. If you will have a lot of people, you will sink," said Green. "We’re in a good position — we have customers, we’ve started to get revenues … but we are still fighting."
Israeli officials like to boast that Tel Aviv has the second-highest concentration of new tech companies behind Silicon Valley. A 2009 book titled "Start-up Nation" chronicled Israel’s rise as a hub for innovation. The reputation has stuck, and not without reason — during the first half of 2015, nearly 350 Israeli high-tech firms attracted $2.1 billion in investment, according to the IVC Research Center in Tel Aviv, which tracks venture capital in the country.
But not every tech sector is susceptible to being transformed by startups, and experts say industrial cybersecurity can be a tough sell. Companies running long-distance oil pipelines or high-voltage transmission lines are cautious around young products, particularly anything that gets close to the operational technology.
"It’s a terrible space for startups," said Yoav Tzruya, partner in Jerusalem Venture Partners’ Cyber Labs. "In 12 to 18 months, you cannot really provide a solution to a tier 1 energy company — show me you’ll be around in two years’ time."
Tzruya said his venture capital firm looks for "paradigm shift companies" that offer a "fundamental kind of change" to the market. As an example, he cited CyActive, an Israeli startup that used genetic algorithms to predict the evolution of future malware variants. CyActive, which had early backing from JVP, was bought by PayPal in March for a reported $60 million. The startup was just over a year old at the time.
"These are the companies that have the potential to become billion-dollar companies," Tzruya said.
Israel’s government has in some cases stepped in to support promising startups. The government-owned Israel Electric Corp., for example, uses products from several cybersecurity vendors and has invested in a "CyberGym" to better prepare its employees for potential attacks (EnergyWire, July 21).
Other funding for new tech companies comes from Israel’s new civilian cybersecurity authority, which is building a series of national "computer emergency response teams" (CERTs).
"When the Israel National Cyber Bureau launches multiple CERTs, like energy, critical infrastructure … [startups] are actually working under contract to supply that," said Orna Berry, who spent 10 years in Israel’s high-tech venture capital industry and is now a corporate vice president at EMC Corp. "Sometimes when the market is relatively strong in the country, the government plays first customer as well as the incentivizer, and you actually overcome the humps."
Waterfalls and firewalls
Several established firms in Israel have thrown their hat into the ring of industrial control system security.
Check Point Software Technologies Ltd., the $14.7 billion company credited with inventing the firewall, developed a line of ICS-focused products following news of the Stuxnet worm in 2010. That hack first demonstrated how a cyberattack could damage physical systems — in Stuxnet’s case, by changing rotor speeds in Iranian nuclear centrifuges until they spun out of control.
Since then, there have been only a few examples of malware aimed at industrial systems. But even a handful of incidents has been enough to set gears turning in what is now a multibillion-dollar global business.
"There was a misconception in the area of industrial systems that these are very isolated environments, using proprietary protocols, and nobody can harm them," said Noam Green, product manager for Check Point. "Suddenly we got the revelation that everything can be a target."
With information technology systems, it’s easy to reboot a set of Windows computers with the latest updates and bug fixes. But industrial operators don’t always have the luxury of shutting down their systems to install a patch on short notice, leaving them vulnerable for months or sometimes years at a time.
"SCADA technologies and protocols were built with absolutely no security in mind — in fact, it’s almost too easy to attack these environments," Green said. "The most concerning thing about ICS and critical infrastructure is that it’s the basis of modern life; everything you do today, if you turn on the lights, you go to the bathroom and open the tap, you drive down the road, there’s traffic lights … everything has ICS involved in it."
Check Point has built a gateway to "virtually patch" such ICS systems, watching out for vulnerabilities that are reported through vendors, governments or the media and blocking any attempts to exploit those weaknesses.
Another Israeli company, Waterfall Security Solutions, takes the concept of a gateway a step further and stops incoming traffic altogether.
Waterfall’s "unidirectional gateway" features a laser that sends data out from the industrial environment so it can be monitored remotely. But the person viewing that data on a laptop from afar, for example, would have no way to send commands back into the control room through the gateway, which lacks a photocell to receive return laser signals.
The idea is to work like a waterfall — data flows out but does not splash back up.
Lior Frenkel, CEO and co-founder of the 8-year-old company, said the gateway takes aim at one problem: control networks that can be reached from the Internet. By its nature, his flagship product can only be used in places with onsite staff, such as power plants and refineries.
Waterfall has found favor among U.S. energy companies including several major power producers and Houston-based Noble Energy Inc., which deploys the gateways on its offshore oil and gas platforms.
Frenkel emphasized that blocking outside signals isn’t just about preventing advanced, highly targeted attacks like Stuxnet, widely believed to be a product of U.S. and Israeli intelligence agencies. "The troubling thing is that the damage is almost the same if it’s an IT [information technology] virus — a generic one, not designed for operational technology," he said.
As soon as a critical infrastructure organization finds out about a computer infection, he explained, it typically must investigate the network, shut it down, clean it up and bring it back online "just to clean a mundane virus that propagated there."
"The damage isn’t always breaking your stuff or making it stop working," said Frenkel, who helped launch Waterfall in 2007.
From lasers to firewalls, anomaly detection to predictive algorithms, the business of securing industrial networks can be dense and complex to an outsider, a fact not lost on its practitioners.
Barda of RadiFlow said some companies don’t appreciate the technical differences between competing solutions, leaving room for "confusion." They think, "‘I will just wait one year until the market clears up,’" he said, "which is bad because they do not deploy anything."
Barda freely admits critical infrastructure operators aren’t the only ones that could stand to learn more. "This is an early market and we do not think we are the experts at everything that goes into utilities," he said, noting that his organization works with the Electric Power Research Institute in the United States to make sure it’s tailoring its products to what’s actually needed.
"People are already aware of the problem — nowadays it’s about understanding the different solutions," he said.