Setting up an OT-SOC: Interview with Mr. Yishai Shafran, SCADA Security Manager at Yanai Engineering

Founded in 1956, Yanai Engineering is the largest Israeli firm in the field of designing complex electrical systems. The company has designed and participated in the construction of hundreds of industrial projects across many sectors in Israel and internationally, including power plants, substations, desalination and water treatment plants, renewable energy plants and oil refineries.

We spoke with Mr. Yishai Shafran, Yanai’s Cyber Defense department manager, about the company’s evolution into become a leading OT-MSSP (Managed Security Services Provider) and its collaboration with Radiflow in helping industrial customers incorporate modern industry 4.0 solutions.

Read the Radiflow case study: “Incorporating Radiflow’s iSID in a managed OT SOC” which details the technical aspects of Yanai’s Radiflow-powered OT-SOC.

[inject id=’code-47fd23f73a9caecab1e206306adae7f9′]

How it all started:
In working with customers on implementing modern automation solutions we found that most customers found it difficult to manage the cyber-protection of their OT networks as it requires a unique skill set combining expertise in both cybersecurity and operational engineering. That’s when we decided to set up a cyber-defense department.

The problem with OT networks (and their owners):
Cyber-protecting SCADA systems is inherently problematic as the control equipment, controllers and communication protocols were not designed with cybersecurity in mind. Many types of cyberattacks that are no longer relevant to IT networks still threaten OT networks. Most currently-used PLCs do not require a password to connect to the network and do not keep log files. And while penetrating an OT network is somewhat more difficult today because of perimeter IT defenses placed on external connections, once the OT network has been breached it is actually easier for the attacker to execute the attack than it would be in an IT network.

Since industrial operators didn’t want to install active security measures in their real-time networks, most used simple, passive methods, such as hardening and implementation of policies.

However, we quickly realized that OT networks require a real-time monitoring system that can provide early detection so that attacks are blocked right after the network has been breached, but before the attack propagates or any damage is done. We needed to find a solution that provided real-time monitoring that didn’t require our customers to implement a full-fledged security department.

Designing the solution:
Our solution was setting up an multi-layered managed SOC service for monitoring customers’ network activity, which combined cybersecurity monitoring products with expert resources and methodologies.

Remote operation centers have been around for years in the IT field. However none were available for OT/SCADA because operators lacked the required network monitoring equipment and know. At the same time, operators were reluctant to connect their critical installations to an external control center, fearing it will expose them to attacks.

One of the main components of our SOC is Radiflow’s iSID Threat Detection System, which has already detected several attacks in real-time, to our full satisfaction and of course or customers’.

On top of the Radiflow tool, we’ve also implemented a product by Aperio that detects counterfeit data received from the thousands of sensors in a typical SCADA facility. This multilayer solution increases the efficiency of our system detecting anomalies in orthogonal views and correlating events to pinpoint the source of the anomaly.

In addition, we came up with a unique method of transferring data traffic from customers’ networks in a secure, physically unidirectional way. Radiflow’s iSAP Smart Probes, installed at customers’ facilities, transfer a mirrored data stream to the SOC, while filtering and compressing the data to minimize bandwidth consumption and prevent network overload.

Initial response from customers:
The success of our SOC took even us by surprise. Soon many customers signed on, realizing that they were finally able to monitor their SCADA systems the same way they monitored their IT networks.

The benefits for the customers were clear: powerful, innovative protection for their OT network, instantly operational, without the need for any investment or implementation of complex products. In many cases, our SOC monitoring service also revealed vulnerabilities in our customers’ OT networks, which provided management the full network visibility they needed to design a comprehensive, step-by-step defense roadmap with the assurance that their network is constantly monitored and secure.

Key success factors:
One of the key success factors was Yanai’s familiarity with the customers’ industrial facilities. Their trust in our professionalism helped us acquire our first strategic customers, which in turn brought in new customers that had nothing to do with our traditional engineering services.

In the end, the success of any project boils down to communication. It is important for our cyber professionals to be able to communicate with the engineers at the customer side and be willing to adapt their outlook accordingly.

Another key factor is choosing the right technology partners integrated into our SOC. It was important to us to find partners such as Radiflow that believed in the project and were willing to go the extra mile to fine-tune the initial design for it to succeed.

Digital roadmap:
We are currently developing methodologies for dealing with a new breed of attacks that are based on extensive knowledge of engineering, where engineers are part of the attacker team. These attacks hardly create any anomalies, so any damage seems to be caused legitimately. We have observed these types of attacks in the power D&T sector.

We are also working with Radiflow to optimize the alerting algorithms by incorporating the business logic priorities into the cybersecurity system.