Aurélio Blanquet, what is your background? How did you become involved with EE-ISAC?
I have more than 30 years of experience in the energy sector, mainly focusing on network automation, complex machine-to-machine communication issues, remote control of substations, and so on – primarily information technology within energy networks.
With the increasing digitalization of the grid, cybersecurity is becoming a topic of utmost importance in our activities, and as EDP Distribuição – where I work – is a founding member of EE-ISAC, I am happy to use some of my time to develop and promote such an important initiative.
What is the long-term mission of EE-ISAC?
Our task is to improve the resilience and security of the European energy infrastructure through trust-based information-sharing and analysis on threats, vulnerabilities, incidents, solutions, and opportunities. EE-ISAC offers a community of communities to facilitate a proactive exchange of information and ongoing analysis, allowing its members to take more effective measures.
How did cybersecurity become important for the energy industry?
Cybersecurity became an important topic as a natural result of the changes in the energy network management landscape. Interest in remote control and coordinated automation led to the increased use of telecommunications. That led to smart digital networks, which are naturally susceptible to cyber-threats. This susceptibility means that we have to focus on cybersecurity to keep our energy networks safe.
In this way, our need for smarter and more ubiquitous digital control networks for our energy distribution infrastructure has led directly to our need for cybersecurity. As the services we provide are critical – energy is a vital part of our society – the need for effective cybersecurity is all the more crucial.
What were the initial conclusions drawn from this new requirement?
The key realization from this new era of intelligent energy networks has been that cybersecurity is a core aspect of our business, and it is here to stay. It needs to be a board-level issue, not just something that happens in IT. It has to be a part of our organizational culture, at every level.
A further conclusion – one that challenges all of us greatly – has been that we are usually, as individual organizations, insufficiently knowledgeable and often poorly equipped to deal with these threats. There is an untold number of attackers out there, and the number of defenders in a single organization is few.
Cybersecurity for European infrastructure
Aurélio Blanquet, Director of Automation and Telecommunications at EDP Distribuição in Portugal and Chairman of the European Energy Information Sharing & Analysis Centre (EE-ISAC), talks about this European PPP platform for information-sharing about cyber-threats in the European energy sector.
Aurélio Blanquet, what is your background? How did you become involved with EE-ISAC?
How did EE-ISAC come about, based on these conclusions?
I think it is clear that the weakest link compromises any chain, and there is a clear value chain at play in the energy industry. This means that cooperation among partners is critical to ensuring that every link is strong enough to withstand the modern cybersecurity threats the industry faces.
This includes manufacturers, utilities, and academia; on the one hand, the producers of much of the equipment that the sector uses, and on the other, those who actually use it. And last but not least, a huge amount of research is need in order to assure effective and cutting-edge expertise. Since they have so much in common, a new level of cooperation makes a lot of sense.
Manufacturers need implementational experience, and utilities need better and safer products. This can bring about a win-win situation through trust and the sharing of cybersecurity-related information – both weaknesses and solutions – on a suitable platform. EE-ISAC is that platform.
Can EE-ISAC provide a productive environment for this type of co-operation?
Through sufficient commitment, we can create a multipoint, multi-tier information-sharing network, which can be more efficient and more effective at solving problems. EE-ISAC is the DNA of such a network.
A highly cooperative and coordinated community can be sufficiently sophisticated to stand together against a growing set of increasingly well-coordinated communities on the attacking side. Other ISACs in other industries have shown that this concept works well when implemented correctly.
The idea is to be one step ahead. If the attackers are communities, and generally well-coordinated, then we have to become a well-coordinated community to defend against those attackers.
We represent a community of communities – the utility community, the manufacturing community, the IT community, the academic community, and so on – all bringing a valuable skillset to the table within this clearly-targeted meta-community.
Formalized communities are also useful for embodying trust, which is crucial in this type of undertaking. When the members know each other well, trust exists, and a new willingness to share sensitive data can be ignited.
How does this information-sharing and trust-based platform help deal with issues in the real world?
The formalized platform is especially useful for solving a fundamental dilemma in dealing with cybersecurity issues. If a weakness becomes known, and one needs help to fix it, you need to let other people know about it. But you cannot just generally disseminate the weakness, as that helps the bad guys in finding exploits.
Rather, you need an enclosed, trusted environment in which the information on the vulnerability can be shared, and can be evaluated by all sectors involved – possibly hardware, maybe software, maybe networking – and a joint solution created and distributed within the community.
The involvement of academia is important in this process to ensure we stay one step ahead, while the participation of manufacturers makes certain that we can be timely in delivering solutions – and both are part of EE-ISAC.
How do you deal with the speed requirement when the need for cooperation is often seen as slowing things down?
Here, cooperation means that we can apply more experts – and a more diverse set of experts – to a problem at one time, which typically makes finding a solution significantly faster. One hundred or two hundred experts are far more likely to find a solution to a given problem in a short period than one or two experts in-house.
What are the main cybersecurity challenges over the next five years that EE-ISAC will be helping its members face?
The first challenge is people. Cybersecurity is a human activity that is technology-based. Human skills are needed to combat the technical threat; we also must build human awareness about the need for and nature of cybersecurity – essentially creating a security culture.
Challenge number two is the importance of trust and cooperation. Creating a culture of trust within the platform among the various partners is critical for an open exchange of information. Once achieved, the organizational mechanisms have to be put in place to make sharing discovered weaknesses and solutions an essential part of organization-internal workflows.
The third challenge relates to processes. We need to disseminate best practices to inform the processes in place in utilities and manufacturers, to make sure they are as safe and secure as possible.
Challenge number four is technology – specifically, putting in place new technologies that are resilient to attack vectors and can respond actively to incursions.
What do you see as the key achievement of EE-ISAC so far?
The creation of EE-ISAC itself, with a small but growing group of key players, like Siemens. It is a milestone in how we deal with cybersecurity issues in the energy sector in Europe.
What are your next steps likely to be?
We will continue to grow and develop more momentum in the industry. While EE-ISAC is only a year old, it builds on a four-year FP7 European Commission project, so it has gained significant momentum already. We need to keep adding partners, formalizing processes, and ensuring both trust and communication.
The next focus is now content: creating structures in which we can extend the information-sharing function of EE-ISAC and the lessons learned so far and turn those into real deliverables, primarily in the form of technical and political policy guidance.