The government has introduced guidelines to increase cyber resilience of the hazardous materials industry. The methodology incorporating best practices and latest standards has drawn attention in the international community, including from the OECD
Israel has introduced a groundbreaking methodology for increasing the cyber resiliency of the hazardous materials (HazMat) industry, marking the first time for any country to set such guidelines.
The methodology in line with the latest standards and best practices is aimed at addressing the dynamic threat environment as well as mitigating the possibility of accidents and operating errors, among others.
Speaking at the Cybertech Global Conference 2020, Yosi Shavit, head of the Environmental Protection Ministry's Industrial Control System (ICS) security department, said the guidelines are expected to bring about major change in the sector.
"Our main goal is to increase cyber resilience of the hazardous materials industry in Israel. In Israel and all over the world the industry is the soft belly of cyber, or the weak link of the chain because when those plants were set up 30, 40 or 50 years ago, nobody was thinking about cyber security. Now we think we have the commitment to help these plants."
"Israel is first country in the world to introduce cyber regulation for the hazardous material industry," he said. The methodology was developed by Shavit's department after three years of preparations including significant field work at industrial facilities, according to the ministry official.
The ministry recently issued a guide detailing the new methodology.
For example, it explains how to conduct cyber risk assessment in the industry; the stages that every plant needs to carry out in order to protect itself; a list of 92 recommended controls to protect factories; and appendices such as plant statements on risk assessment execution, plant declarations on implementation of controls, and a template for cyber event reports.
The work plan is divided into seven stages. The first three stages, scheduled to last 12 months, are the mapping of dangerous processes and risks, assessment of cyber risks using the new methodology, and classification of industrial control systems. The following four stages, scheduled to last 24 months, are analysis of the gaps, building of a work plan, execution of the plan, and maintenance and monitoring.
The guide has already drawn interest in the international community. It will be translated into English at the request of the OECD.
Shavit said the new methodology is expected to raise the cyber resilience of industrial facilities to a high level within three years.
The companies in Israel's hazardous materials industry are required to receive from the ministry a toxin permit, which dictates how companies handle, store, and transport their hazardous materials. The ministry divides businesses into three groups, according to whether their permit must be renewed every one, two or three years. It is determined by two criteria: the amount of hazardous materials at their disposal, and proximity to public areas.
The ministry is regulator of over 4,200 industrial facilities in Israel, including the hazardous materials industry; the pharmaceutical industry; water corporations; and airports. It also regulates such fields as the Israel electric company's use of flammable materials; the transportation of hazardous materials at the country's sea ports; the pesticides industry's use of fertilizers; and the use by hospitals of Ethylene Oxide to sterilize medical equipment.
