Hackers may try to exploit holes in cyber oversight of the Israel Electric Company (IEC) to take down the country’s electricity network, State Comptroller Matanyahu Englman warned on Wednesday.
“Cyber threats are increasing with the growth of the cyber arena and could lead to harm both in the digital and physical worlds, including power stations and assembly lines,” Englman wrote.
He cautioned that a cyberattack on Israel’s electrical network could lead to major economic damage and endanger human lives.
The report said that the IEC’s facilities are among the most critical to the state and that harming their ability to provide electricity could throw the state into a tailspin in a time of crisis. Moreover, such a paralyzing attack could also impact other fundamental infrastructure, such as communications, logistics and a variety of mechanized activities underlying the country’s economy and defense.
The comptroller said that the Israel National Cyber Directorate (INCD) has not formally settled with the IEC on how and when the IEC must report cyberattacks against it.
Once the INCD gives these directives to the IEC, the report said there must be a distinction between immediate crisis reports and rolling periodic reports. The INCD has not specified what the IEC's reports to it about hacks must include, the report said.
Moreover, the INCD has not fully followed up with the IEC to determine to what extent the IEC has followed instructions that were issued about improving its cyberdefenses.
Similar issues came up on Tuesday when the US’s top intelligence and cyber officials testified before the US House Intelligence Committee.
The relevant US officials still have major disagreements about what reporting requirements should entail, what immunity to give to those who report being hacked, and who those being hacked should report to within the US government.
Englman gave the IEC mixed scores on how up to date and comprehensive its strategic cyberdefense plans are.
While the report complimented the IEC for establishing a cyber threat command center, it criticized the IEC for failing, as of a July deadline, to sufficiently empower its cyber unit as a separate and organizationally independent division.
The INCD said that it is “reviewing the findings of the comptroller’s report and treats them very seriously.” The INCD added, however, that since the report was drafted, it has “increased the oversight regarding carrying out cyber directives given to the IEC, and also recently completed the strengthening of procedures for oversight.”
The IEC said that it regards the comptroller’s report as having “supreme importance... and accordingly is investing huge resources in partnership and coordination with the INCD. The criticism of the comptroller will be reviewed and is already at an advanced stage of being addressed.”
According to the comptroller, the IEC is investing NIS 527 million per year in cyberdefense efforts and carries NIS 100m. in cyber insurance.