Dear Members and Affiliates,

 

Welcome once again to our quarterly Newsletter!

Beyond the various events and launches you can read about in "A word from the CEO" down below, I am pleased to announce the CyberSpark's TEDxBGU, which is scheduled to take place on January 25, 2018, at Ben-Gurion University of the Negev. The event will include lectures by the best ecosystem experts and will touch upon various topics in CyberSpark'srealm: Innovation, ethics, medicine, academic collaborations and more. All lectures will be uploaded to web platforms and will be available for you online.
You will soon receive updates regarding the event's agenda and speakers.

I encourage you to keep in touch with us via our website and our Facebook page.

 

Please feel free to contact me with any issue that youmay have.

 

 

Kind Regards,

 

 

Dear readers,

It is my pleasure to open this 4th edition of CyberSpark Newsletter with the announcement of the foundation of SMART Range, the first International Cyber Security Smart Mobility Analysis and Research Test Range.

SMART Range is an initiative co-founded by Ben-Gurion University of the Negev, CyberSpark, CYMOTIVE Technologies, HARMAN - a wholly-owned subsidiary of Samsung, Deutsche-Telekom Laboratories, and several Tier 1 leaders in the industry. Together with the Healthcare Initiative (Soroka Medical Center for Cyber Research and Innovation), SMART Range fulfills the vision of establishing a diversity of Living Labs centers in Be’er-Sheva. As such, it will fulfill a vision for an automotive development ‘playground’ in a smart-city environment, hosting academic research, an innovation hub, an institute for testing and certification in the cyber arena, and a Standards development body for smart mobility.

Together with Global-EPIC (https://globalepic.org/ece/index.php), the initiative will be presented at the coming CyberTech event in Tel-Aviv, where the combined concepts of living labs for cyber resilience validation and global partnership of ecosystems is to be demonstrated and thoroughly discussed.

Entering a new era in comprehensive Cyber awareness, CyberSpark is extending its global multi-dimensional network of leading players, covering Academic institutions, industries, innovation HUBs, governments and municipalities. Only through exercising the synergic amplification advantages of global collaborations, will we be able to face the daily increased challenges associated with Cyber security across disciplines.  

 

More in the next Newsletter, in March 2018.

 

Roni Zehavi,
CEO, CyberSpark

 

Joseph Krull

 

Autonomous vehicles are coming and Israel is playing a key role developing the supporting technologies.  We see enormous effort placed on sensors, algorithms, machine learning and artificial intelligence related to self-driving vehicles.  A handful of Israeli companies focus on innovative ways to protect these vehicles and the related infrastructure from cyber security threats.  But we can and must do more to address the plethora of security vulnerabilities associated with the complex systems that comprise an autonomous vehicle infrastructure.  Comprehensive software and application security testing is a must to reduce risk.

 

The Threats to Smart Mobility

 

We can expect system errors in the first generation of wide deployed autonomous vehicles.  We can also anticipate that various attackers will attempt to identify ways to penetrate autonomous vehicle systems for nefarious purposes.  Sophisticated nation-state hackers and “hacktivists” will look for ways to disrupt critical transportation networks on a wide scale.  Cyber criminals will attempt to use ransomware-style attacks to extort money from operators of vehicles that cannot operate.  Even unsophisticated hackers (so-called “script kiddies”) will try to penetrate autonomous vehicle systems for the thrill of it or to have bragging rights.  Each of these attacks will lower the credibility of smart mobility and ostensibly place lives at risk.  

 

 

Autonomous vehicle infrastructure will rely on millions of lines of complex software code.  This code will include multiple languages and frameworks, embedded and real-time operating systems and sophisticated proprietary protocols.  Thousands of individual software developers will produce the code, and based on well-known data, very few of these developers will have ever completed any advanced security training related to their art.  Attackers look for flaws in systems and software to launch their attacks.  They only need to identify one exploitable vulnerability to shut down key systems or even make the systems do things that were never intended.  As an example, in 2013 and 2015, two security researchers isolated vulnerabilities in the Jeep Cherokee which allowed them to remotely control speed, braking and steering.  This resulted in Fiat Chrysler’s voluntary recall of 1.4 million vehicles in the United States.

   

 

We must secure the entire software supply chain related to autonomous vehicles.  Code, regardless of its origin, should be tested for security vulnerabilities and remediated before moving to a subsystem or component.  There are numerous security testing tools available to perform basic vulnerability checks. These tools can be compared to basic spell checkers for documents.  As software moves through the supply chain, it should also be subjected to more complex security testing that includes identification of logic flaws, i.e. can you make the software or system do something it should not.  This type of testing can only be done manually by talented and experienced testers who understand the threats and the principles of secure code development.  Finally, communications between the infrastructure and the vehicles must also be tested to validate that control systems cannot be manipulated.  End to end security testing won’t be easy or inexpensive, but without it the safety, credibility and even viability of smart mobility cannot be assured.  

 

 

Tom Ahidror

 

Cyber Workforce vs. Cyber R&D Human Capital 

 

When the media and various pundits mention a growing need for cyber security experts, they rarely mention what types of experts are actually missing. There is a widely varying range of specialties in this field, from analysis, research, and engineering, to incident response and investigation, as well as other areas that require different backgrounds and training. Most of these occupations can be roughly categorized under the rubric "cyber security workforce", that is, the workforce responsible for the security of organizations. They may be working either from within the organization (usually under a CISO), or delivering a service from the outside.

There is another category, which is just as important, known as the “cyber security R&D human capital”. These are the women and men who research, design, develop and build cyber security products and services. They are the backbone of a market that has been growing exponentially, with Israel as one of its leaders. In my previous role as Head of Human Capital Development at the Israeli National Cyber Bureau, I led the effort to enhance this group both in numbers and quality on a national level.

Software Engineers vs. Cyber Experts

Even though cyber security is a distinct field within Information and Communication Technologies (ICT), most cyber security companies that provide products or advanced services, rely on human capital similar to that of other software companies. Some find it surprising that most developers in these companies are not cyber security experts, but rather software engineers that could have worked in any other ICT company. However, cyber security companies usually have a small core of ״cyber experts״. While their software engineering colleagues build effective products with minimum errors, cyber experts focus on errors in programs that might be exploited. Such experts are an essential part of product design, data science and analysis, research and other fields in a cyber security company that demand expertise in the intricacies of cyber threats. A cyber security company can manage with a relatively small number of these experts, but it cannot exist without them.

The Israeli "Military Path" to Cyber

One of the main reasons for Israel's prominent role in the cyber security market stems from its mandatory military service and its unique security challenges. Each year, the military gets to "cherry pick" some of the best and brightest to deal with cyber intelligence and warfare. In order to ensure that these recruits make the best of their time in the service of their country, the military has devised and perfected highly intensive courses, which allow high school graduates to handle complex technological challenges after only a few months.

Many of such trained recruits go on to become cyber experts in the industry. Moreover, most Israeli cyber security companies would have a hard time functioning without them. However, this path is very limited in numbers. Ultimately, for the cyber security industry in Israel to grow, it needs more experts than this route can provide.

An Alternative Path

The military cyber training courses are hard to emulate. They are extremely intensive compared to what is customary for civilian training. Their staff is usually made up of some of the best developers, while once outside the military, they rarely do anything other than development or engineering work.
Even so, the dire need for more cyber experts has created an opportunity. For the past few years, ITC has succeeded in training promising young professionals in cyber security, and placing them in R&D roles. It has done so by creating a highly intensive course tailored to the needs of the industry and taught by industry experts. Our industry partners, recognizing the potential for hiring more talent, have joined us by delivering some of the training themselves. In the coming years, we are expecting to train even more cyber security experts, and hopefully support the growth of this important industry.

 

Tom Ahi Dror is the VP of Business Development of Israel Tech Challenge (ITC). Before taking on this role, he was the commander of the IDF's Talpiot Program and the Head of Human Capital Development in the Israeli National Cyber Bureau.
 

 

Robin Campbell

 

On November 15, 2017, the White House released the Vulnerabilities Equities Process (VEP) charter in an effort to promote greater transparency around the U.S. government’s decision-making process for publicly releasing information about known cybersecurity vulnerabilities. The VEP dates back to a working group established in 2008 to develop a joint action plan to protect both government and public information systems from adversaries.

 

Government agencies are often the first to discover vulnerabilities in information systems or technologies. The focus of the new charter is provide a clear process for determining when to make vulnerabilities public. It prioritizes the public’s interest in cybersecurity, including the availability and reliability of the internet, information systems, critical infrastructure and the US economy generally. It notes that there must be a sound overriding interest for not disclosing the vulnerability, such as law enforcement or national security agencies requiring the vulnerability to remain secret in order to undertake lawful intelligence gathering without tipping off adversaries.

 

The process requires a delicate balancing act between public interest and public safety.  It is not unlike non-technical investigations, for example, whether to disclose the identity of a suspected terrorist (through a “Wanted” campaign or an all-points bulletin) or to keep the information confidential until further investigation reveals the whereabouts of the suspect.

 

The charter helps to shed some light on the issues being discussed and deliberated, the participants in the discussion and the process for disclosure. The new charter establishes a governing body, the Equities Review Board (ERB), which includes representatives from the Departments of Homeland Security, Energy, State, Treasury, Justice, Defense, and Commerce, as well as the Central Intelligence Agency and Federal Bureau of Investigation. The ERB must consider the scope of the threat, ability/likelihood that a vulnerability will be exploited, potential impact, and ability to mitigate against the operational value and the potential operational impact. The ERB is not limited to disclosure or non-disclosure of a vulnerability. It also has the option to disseminate mitigation information without disclosing the vulnerability, limiting use of the vulnerability in some way, informing the US and other allied governments of the vulnerability at a classified level and using indirect means to inform the vendor of the vulnerability.

 

Robin Campbell is a Co-Chair, Data Privacy and Cybersecurity Group at 

Squire Patton Boggs 

 

Asaf Atzmon

 

"Almost three of out every four cars sold today are equipped with a telematics system," says Colin Bird, Senior Analyst of Automotive Technology at IHS Markit. Connectivity is now standard in modern cars. And where there's connectivity, hackers aren’t far away. This applies to every laptop, to IoT – where the effects of attacks can often be much more problematic – and also to the connected car. After all, cars are now computers on wheels – just one more “thing” in the Internet of Things. The more we head toward autonomous driving, the more indispensable comprehensive cyber security protection will be. In fact, autonomous driving isn’t possible at all without comprehensive protection.

 

Possible attacks on the telematics unit can take place by capping the mobile radio signal, manipulating texts, or interrupting communication as with DOS attacks. One result of these attacks is often ransomware. WannaCry and Petya ransomware is a frightening prospect for many. Such an attack on drivers could mean no longer being able to start or move your car, or even having the engine turned off remotely – a terrible scenario on the road.

To prevent these new risks, connected cars, and especially autonomous driving, must always be connected with cyber security. In today’s era of increasing hacker-scale attacks, car manufacturers, suppliers and legislators must work together to ensure the best possible protection.

 

The HARMAN SHIELD Platform includes our award-winning Intrusion Detection and Prevention in-vehicle agents. This is coupled with a robust backend solution with seamless integration to the leading SOC/SIEM solution on the market - IBM QRadar Security Information Platform. Our proven suite of on-board vehicle security agents includes ECUSHIELD for in-vehicle protection and TCUSHIELD for telematics and IVI protection. We combine HARMAN’s ability to minimize potential attacks on a vehicle, with a scalable method of providing broad visibility to the OEM across its entire fleet of vehicles. OEMs will then benefit from a true end-to-end cyber security solution, which can also include secure Over-The-Air software updates.

 

Autonomous driving will not succeed without a strong cyber security infrastructure that protects our cars, devices and roadways from dangerous intrusions. No one organization can meet the ever-changing technology requirements that connectivity will demand. The current collaboration brings together leading players in cyber security to test and develop valuable standards that will benefit multiple industries and ultimately society.

 

Asaf Atzmon is the Director of Business, Development and Marketing, Automotive Cyber Security, at HARMAN