Hospitals, power grids, and financial institutions share a common vulnerability: the systems that keep them running were never built with today's threat landscape in mind. An Israeli cybersecurity company born in a kibbutz defense plant is making the case that detection is no longer enough.
On Yom Kippur 2025, Shamir Medical Center, one of Israel's largest hospitals, was struck by a cyberattack that temporarily shut down several central systems, including Chameleon, the medical records platform used across numerous Israeli hospitals and HMOs. Investigators later confirmed the attack was carried out on behalf of Iranian intelligence, gaining entry through a compromised laptop belonging to a support staff member at a third-party IT company. Yosi Karadi, head of Israel's National Cyber Directorate, was unequivocal: "The very attempt to damage an Israeli hospital means a red line has been crossed, which could have led to an attack on human life." The attackers got in the way they almost always do: through a file.
The Shamir incident was not isolated. Israeli healthcare organizations face an average of nearly 2,400 cyberattacks per week, roughly 37 percent above the global average, according to Check Point Research. Since mid-2025, nearly 450 cyberattacks have targeted Israeli institutions, many traced to Iranian-aligned actors. The pattern extends well beyond Israel. Between January 2023 and January 2024, critical infrastructure worldwide sustained over 420 million cyberattacks, equivalent to 13 attacks every second, a 30 percent increase from the prior year. The healthcare sector accounted for 14.2 percent of all attacks targeting critical infrastructure in 2024, according to the World Economic Forum. In the energy sector, weekly cyberattacks against utilities quadrupled between 2020 and 2023. The organizations least able to absorb a disruption are, by a measurable margin, the ones hit most.
The organizations that can least afford a breach are the most exposed. The gap between their operational dependencies and their security posture has never been wider.
Why detection has failed critical infrastructure
The dominant model in cybersecurity for the past two decades has been detect and respond. An organization deploys antivirus software, a sandbox, a secure email gateway, or a combination of all three, and waits to identify threats as they attempt to enter. The model carries a structural flaw that becomes catastrophic in critical infrastructure environments: it is reactive. Signature-based tools recognize only threats that have been seen before, and a sandbox can judge only the behaviour a sample chooses to show it. Zero-day exploits are, by definition, unknown. Advanced persistent threats are specifically engineered to evade sandbox analysis, by checking for a virtualized environment or simply delaying execution until the analysis window has closed. The increasing use of artificial intelligence by threat actors is producing malware variants that mutate faster than detection signatures can be updated. In an environment where a single undetected file reaching a hospital network can bring down a medical records system, or where a file transferred to an industrial control system can trip a substation's circuit breakers, waiting to detect a threat is not a viable posture.
The problem is compounded in operational technology and industrial control system environments. OT and ICS networks were designed for reliability and uptime, not security. Many run legacy systems that cannot be patched, cannot run endpoint agents, and cannot tolerate the latency that traditional security tools introduce. They were air-gapped for years, physically isolated from external networks, and considered safe by virtue of that separation. The growth of remote monitoring, vendor access requirements, and operational efficiency initiatives has steadily eroded that separation. Files now arrive from USB drives, engineering laptops, vendor-supplied media, and automated system-to-system transfers. Each one is a potential entry point. Each one has, in documented incidents across energy, water, and manufacturing sectors, been used as one.
Born in a kibbutz defense plant, deployed across 450 critical networks
The origins of Sasa Software are rooted in exactly the kind of environment where file-based threats carry the highest stakes. In 2010, Plasan, the kibbutz-based Israeli defense contractor behind armored vehicle systems for the US Army, needed to meet stringent ITAR compliance standards for a military contract. No existing tool on the market could satisfy the requirements. The team built their own. The result was the technology that would become GateScanner, a Content Disarm and Reconstruction platform that does not attempt to detect malicious content but instead eliminates the conditions under which it can survive. In 2013, the technology was spun off as an independent company wholly owned by Kibbutz Sasa, with the majority of profits channeled back into research and development. Frost & Sullivan later named it Critical Infrastructures Security Vendor of the Year.
Content Disarm and Reconstruction operates on a fundamentally different premise than detection-based security. Rather than asking whether a file is safe, it treats every incoming file as potentially compromised and rebuilds it from the ground up. The process deconstructs each file to its atomic components, separating content from format and deep-scanning both. Active content such as macros, embedded scripts, and structural anomalies is stripped. The file is then reconstructed according to its vendor specification, producing a functionally identical copy from which no malicious code can survive, because none is carried forward. The approach is analogous to sterilizing a surgical environment before an operation rather than attempting to identify pathogens after contamination. Independent penetration tests conducted by GateScanner clients have reported prevention rates of up to 99.99 percent against unknown, file-borne threats. Two operational caveats apply to any CDR deployment: a file the engine cannot parse cannot be rebuilt, so the policy for malformed or unrecognized input must be to quarantine rather than pass through; and CDR neutralizes what a file can execute, not what it says, so a clean document that carries a phishing link or fraudulent payment instructions still reaches the reader.
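To make the rebuild step concrete, here is an added example, written for this page and not GateScanner code or any vendor's engine, that disarms a macro-enabled Word package the way a minimal CDR pass would: it opens the OPC zip, resolves every part's content type, drops the VBA project, OLE and ActiveX parts together with the relationships that reference them, rewrites the main part's content type from the .docm to the .docx form, and writes a fresh archive so that nothing from the original container (extra fields, comments, entry ordering) is carried forward. Anything it cannot parse fails closed. The sample document, the content-type list, the size limit and the helper names are constructed for illustration; Python standard library only.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET  # package XML is attacker-controlled; use defusedxml in production

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Content types that carry executable or embedded active content. Assumption: a deliberately
# short list for illustration; a production engine maintains a far longer one.
ACTIVE_CONTENT_TYPES = {
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-word.vbaData+xml",
    "application/vnd.ms-office.activeX",
    "application/vnd.ms-office.activeX+xml",
    "application/vnd.openxmlformats-officedocument.oleObject",
}
ACTIVE_REL_SUFFIXES = ("/vbaProject", "/oleObject", "/control")
MAX_UNCOMPRESSED = 50 * 1024 * 1024  # fail closed on decompression bombs (assumed limit)

def _active_parts(ctypes_xml, names):
    """Resolve every part's content type via [Content_Types].xml and flag the active ones."""
    root = ET.fromstring(ctypes_xml)
    defaults = {d.get("Extension", "").lower(): d.get("ContentType") for d in root.iter(f"{{{CT_NS}}}Default")}
    overrides = {o.get("PartName", "").lstrip("/"): o.get("ContentType") for o in root.iter(f"{{{CT_NS}}}Override")}
    active = set()
    for n in names:
        ctype = overrides.get(n) or defaults.get(n.rsplit(".", 1)[-1].lower())
        # Also match well-known part names in case the content-type map lies.
        if ctype in ACTIVE_CONTENT_TYPES or n.endswith("vbaProject.bin") or "/embeddings/" in n:
            active.add(n)
    return active

def _rewrite_content_types(ctypes_xml, removed):
    """Drop entries for removed parts and downgrade the macro-enabled main part to the plain type."""
    root = ET.fromstring(ctypes_xml)
    for el in list(root):
        if el.get("ContentType") in ACTIVE_CONTENT_TYPES or el.get("PartName", "").lstrip("/") in removed:
            root.remove(el)
        elif el.get("ContentType") == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)
    ET.register_namespace("", CT_NS)  # serialize with a default namespace, as Office writes it
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def _rewrite_rels(rels_xml, rels_name, removed):
    """Drop relationships that point at removed parts or are themselves of an active-content type."""
    source_dir = posixpath.dirname(posixpath.dirname(rels_name))  # word/_rels/document.xml.rels -> word
    root = ET.fromstring(rels_xml)
    for rel in list(root):
        target = rel.get("Target", "")
        resolved = posixpath.normpath(target.lstrip("/") if target.startswith("/") else posixpath.join(source_dir, target))
        internal = rel.get("TargetMode", "Internal") != "External"
        if (internal and resolved in removed) or rel.get("Type", "").endswith(ACTIVE_REL_SUFFIXES):
            root.remove(rel)
    ET.register_namespace("", REL_NS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def disarm_ooxml(data):
    """Rebuild an OOXML package without macro, ActiveX or OLE parts; ValueError on anything unparseable."""
    try:
        src = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a zip container") from exc
    names = src.namelist()
    if "[Content_Types].xml" not in names:
        raise ValueError("not an OPC package")
    if sum(i.file_size for i in src.infolist()) > MAX_UNCOMPRESSED:
        raise ValueError("package too large when decompressed")
    for n in names:
        if n.startswith("/") or "\\" in n or ".." in n.split("/"):
            raise ValueError(f"unsafe entry name: {n}")
    removed = _active_parts(src.read("[Content_Types].xml"), names)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in names:
            if n in removed or n.endswith("/"):
                continue
            payload = src.read(n)
            if n == "[Content_Types].xml":
                payload = _rewrite_content_types(payload, removed)
            elif n.endswith(".rels"):
                payload = _rewrite_rels(payload, n, removed)
            dst.writestr(n, payload)  # fresh entry: original extra fields, comments and timestamps are not carried over
    return out.getvalue()

def list_parts(data):
    return zipfile.ZipFile(io.BytesIO(data)).namelist()

def read_part(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name)

def build_sample_docm():
    """Constructed minimal macro-enabled document: sample input for this example, not a real-world file."""
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="https://example.invalid/" TargetMode="External"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Quarterly invoice</w:t></w:r></w:p></w:body></w:document>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # CFB magic standing in for a VBA project
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Running `disarm_ooxml(build_sample_docm())` yields a package with no `word/vbaProject.bin`, a `[Content_Types].xml` that declares a plain .docx main part, and a relationships file in which only the external hyperlink survives, while the document text is untouched. This is the container-level half of the job only: a full engine also re-serializes `word/document.xml` itself (field codes such as DDEAUTO, external template references, re-encoded images and fonts), covers every OOXML application, and parses with a hardened XML stack.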
CDR does not ask whether a file is safe. It ensures that any file reaching the network is, by construction, incapable of carrying malicious code. That is a different category of protection entirely.
The scenarios where detection fails and CDR stops them
The Shamir breach illustrated a pattern common across Israeli and global healthcare networks: entry through a trusted third party, via a file that no detection tool flagged. In the medical imaging environment, the same dynamic plays out at scale. Hospitals routinely receive DICOM files, the standard format for CT, MRI, and X-ray images, from external sources. These files travel across networks that connect directly to electronic health records, medication dispensing systems, and patient monitoring equipment. A weaponized DICOM file, carrying malicious code in its metadata or its file structure, passes standard antivirus tools, which are not built to parse medical imaging formats at depth. GateScanner's Imaging Gateway applies CDR specifically to DICOM files, sanitizing each one before it reaches the clinical network. The radiologist receives the same image. The threat does not arrive with it.
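For the DICOM case, an added example (again written for this page, not GateScanner's Imaging Gateway) shows what rebuilding a Part-10 file to specification means in practice. The 128-byte preamble is left unconstrained by the standard and is the documented carrier for DICOM/PE polyglots (CVE-2019-11687); odd-numbered groups are private tags whose values are opaque bytes; a UN value representation is unknown by definition. The sanitizer parses explicit VR little-endian data elements, zeroes the preamble, drops private and unknown-VR elements, recomputes the file meta group length and emits a fresh file; anything it cannot parse raises, and the file is held back. The sample object, its tags and the size limit are constructed assumptions; a production engine handles all transfer syntaxes, nested sequences and the full data dictionary.

```python
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
EXPLICIT_VR_LE = b"1.2.840.10008.1.2.1"
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # 2 reserved bytes + 4-byte length
MAX_ELEMENT = 64 * 1024 * 1024  # assumed ceiling on a single element value

def parse_elements(body):
    """Yield (group, element, vr, value) from explicit VR little-endian bytes; fail closed on anything irregular."""
    pos = 0
    while pos < len(body):
        if pos + 8 > len(body):
            raise ValueError("truncated element header")
        group, elem = struct.unpack_from("<HH", body, pos)
        vr = body[pos + 4:pos + 6]
        if not (vr.isalpha() and vr.isupper()):
            raise ValueError(f"bad VR {vr!r} at offset {pos}")
        header = 12 if vr in LONG_LENGTH_VRS else 8
        if pos + header > len(body):
            raise ValueError("truncated element header")
        if header == 12:
            (length,) = struct.unpack_from("<I", body, pos + 8)
        else:
            (length,) = struct.unpack_from("<H", body, pos + 6)
        if length == 0xFFFFFFFF or length > MAX_ELEMENT:
            raise ValueError("undefined or oversized length not accepted")  # no SQ/undefined-length support here
        start, end = pos + header, pos + header + length
        if end > len(body):
            raise ValueError("element runs past end of file")
        yield group, elem, vr, body[start:end]
        pos = end

def encode_element(group, elem, vr, value):
    """Serialize one element in explicit VR little endian."""
    if len(value) % 2:
        raise ValueError("DICOM values must have even length")
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def sanitize_dicom(data):
    """Rebuild a Part-10 file: zeroed preamble, even-group elements with known VRs only, fresh meta group length."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise ValueError("not a DICOM Part-10 file")
    kept = []
    for group, elem, vr, value in parse_elements(data[PREAMBLE_LEN + 4:]):
        if group % 2 == 1 or vr == b"UN" or elem == 0x0000:
            continue  # private tags, unknown-VR blobs and stale group lengths are not carried forward
        if (group, elem) == (0x0002, 0x0010) and value.rstrip(b"\x00") != EXPLICIT_VR_LE:
            raise ValueError("only explicit VR little endian is handled in this example")
        kept.append((group, elem, vr, value))
    meta = b"".join(encode_element(*e) for e in kept if e[0] == 0x0002)
    dataset = b"".join(encode_element(*e) for e in kept if e[0] != 0x0002)
    group_len = encode_element(0x0002, 0x0000, b"UL", struct.pack("<I", len(meta)))
    return b"\x00" * PREAMBLE_LEN + MAGIC + group_len + meta + dataset

def build_sample():
    """Constructed sample: a CT object whose preamble starts with an MZ header, plus a private tag."""
    preamble = b"MZ" + b"\x90" * (PREAMBLE_LEN - 2)
    elems = [
        (0x0002, 0x0000, b"UL", struct.pack("<I", 0)),  # stale group length, recomputed on output
        (0x0002, 0x0010, b"UI", EXPLICIT_VR_LE + b"\x00"),
        (0x0008, 0x0060, b"CS", b"CT"),
        (0x0009, 0x0010, b"LO", b"ACME_PRIVATE"),  # private creator
        (0x0009, 0x1001, b"OB", b"\xde\xad\xbe\xef"),  # private element: arbitrary bytes
        (0x7FE0, 0x0010, b"OW", bytes(range(8))),  # pixel data
    ]
    return preamble + MAGIC + b"".join(encode_element(*e) for e in elems)
```

The output keeps modality and pixel data, starts with 128 zero bytes, and carries a (0002,0000) group length computed from what was actually written. Dropping private tags is a policy decision: some vendors' viewers depend on them, so an engine for clinical use keeps an allowlist of private creators rather than stripping them wholesale.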
In industrial control system environments, the equivalent entry vector is removable media. Engineers working on operational networks routinely bring USB drives from external or partially trusted environments into air-gapped or segmented networks to transfer software updates, configuration files, and vendor tools. NERC CIP-003-7, which governs transient cyber assets and removable media in the energy sector, and the media protection (MP) controls of NIST SP 800-53 both identify this as a primary attack vector. GateScanner Kiosk and GateScanner Desktop intercept every file transferred from removable media, apply CDR processing, and pass only the sanitized reconstruction to the operational network. The USB port becomes a controlled entry point rather than an unmonitored breach surface.
In financial services, the dominant attack surface is email. Weaponized Office documents and PDFs are the primary delivery mechanism for the ransomware strains that have repeatedly targeted wire transfer systems, trading platforms, and core banking infrastructure. Detection-based secure email gateways block known threats. Unknown threats, particularly those engineered to evade sandbox analysis through delayed execution or environmental awareness, pass through. GateScanner Mail intercepts every incoming email and attachment at the gateway, applies full CDR processing regardless of whether malicious code was detected, and delivers a sanitized replica to the recipient. The employee receives the same document and the same readable content. The embedded payload that no sandbox flagged does not arrive, because the CDR process ensures it cannot.
The infrastructure defense posture that critical sectors require
The cost of a successful attack on critical infrastructure is not measured only in data loss or ransom payments. It is measured in operational disruption with direct physical consequences. In October 2021, Hillel Yaffe Medical Center in Hadera was struck by ransomware from Iranian-linked hackers, crippling its systems for weeks and forcing staff to revert to manual processes for non-urgent treatments. The attack preceded a 72 percent surge in cyberattacks against Israeli hospitals in the days that followed, as adversaries interpreted the breach as evidence that the sector was underprotected. The pattern repeated at Mayanei Hayeshua, Kfar Shaul Mental Health Center, and Ziv Medical Center in Safed. In each case, the entry point was a file. In each case, no detection tool caught it. In each case, the file should never have reached the network in its original form.
The 450 critical networks that GateScanner currently protects across financial services, energy, healthcare, transportation, and defense represent the early adopters of a security philosophy that is becoming increasingly difficult to argue against: that the correct response to a file-based threat landscape is not to build better detection, but to architect a system in which undetected threats cannot execute. The company's roots in Israeli defense, its continued ownership by the kibbutz that produced the original technology, and its consistent reinvestment of profits into research and development have produced a platform that has been in continuous development since 2013. In a region where hospitals are targeted on Yom Kippur and critical networks are probed by state-sponsored actors daily, that distinction carries consequences that extend well beyond the balance sheet.
Sasa Software is an Israeli cybersecurity company and developer of GateScanner Content Disarm and Reconstruction technology, protecting over 450 critical networks globally across financial services, energy, healthcare, transportation, and defense. Headquartered in Kibbutz Sasa, Israel, with offices in the United States and Singapore. More information at sasa-software.com
This article was written in cooperation with Tom White