Aurélio Blanquet, Chairman of the European Energy Information Sharing & Analysis Centre (EE-ISAC) and Director of the Grids’ Digital Platform at EDP Distribuição in Portugal, talks with Siemens about the EE-ISAC.
Aurélio Blanquet, what is your background? How did you become involved with EE-ISAC?
I have more than 30 years of experience in the energy sector, mainly focusing on network automation, complex machine-to-machine communication issues, remote control of substations, and so on – primarily information technology within energy networks.
With the increasing digitalization of the grid, cybersecurity is becoming a topic of utmost importance in our activities, and as EDP Distribuição – where I work – is a founding member of EE-ISAC, I am happy to use some of my time to develop and promote such an important initiative.
What is the long-term mission of EE-ISAC?
Our task is to improve the resilience and security of the European energy infrastructure through trust-based information-sharing and analysis on threats, vulnerabilities, incidents, solutions, and opportunities. EE-ISAC offers a community of communities to facilitate a proactive exchange of information and ongoing analysis, allowing its members to take more effective measures.
How did cybersecurity become important for the energy industry?
Cybersecurity became an important topic as a natural result of the changes in the energy network management landscape. Interest in remote control and coordinated automation led to the increased use of telecommunications. That led to smart digital networks, which are naturally susceptible to cyber-threats. This susceptibility means that we have to focus on cybersecurity to keep our energy networks safe.
In this way, our need for smarter and more ubiquitous digital control networks for our energy distribution infrastructure has led directly to our need for cybersecurity. As the services we provide are critical – energy is a vital part of our society – the need for effective cybersecurity is all the more crucial.
What were the initial conclusions drawn from this new requirement?
The key realization from this new era of intelligent energy networks has been that cybersecurity is a core aspect of our business, and it is here to stay. It needs to be a board-level issue, not just something that happens in IT. It has to be a part of our organizational culture, at every level.
A further conclusion – one that challenges all of us greatly – has been that we are usually, as individual organizations, insufficiently knowledgeable and often poorly equipped to deal with these threats. There is an untold number of attackers out there, and the number of defenders in a single organization is few.
Cybersecurity has to be a part of our organizational culture, at every level.
Aurélio Blanquet, Chairman of EE-ISAC
How did EE-ISAC come about, based on these conclusions?
I think it is clear that the weakest link compromises any chain, and there is a clear value chain at play in the energy industry. This means that cooperation among partners is critical to ensuring that every link is strong enough to withstand the modern cybersecurity threats the industry faces.
This includes manufacturers, utilities, and academia; on the one hand, the producers of much of the equipment that the sector uses, and on the other, those who actually use it. And last but not least, a huge amount of research is needed in order to assure effective and cutting-edge expertise. Since they have so much in common, a new level of cooperation makes a lot of sense.
Manufacturers need implementational experience, and utilities need better and safer products. This can bring about a win-win situation through trust and the sharing of cybersecurity-related information – both weaknesses and solutions – on a suitable platform. EE-ISAC is that platform.
Can EE-ISAC provide a productive environment for this type of co-operation?
Through sufficient commitment, we can create a multipoint, multi-tier information-sharing network, which can be more efficient and more effective at solving problems. EE-ISAC is the DNA of such a network.
A highly cooperative and coordinated community can be sufficiently sophisticated to stand together against a growing set of increasingly well-coordinated communities on the attacking side. Other ISACs in other industries have shown that this concept works well when implemented correctly.
We have to become a well-coordinated community to combat cyber-attackers.
Aurélio Blanquet, Chairman of EE-ISAC
The idea is to be one step ahead. If the attackers are communities, and generally well-coordinated, then we have to become a well-coordinated community to defend against those attackers.
We represent a community of communities – the utility community, the manufacturing community, the IT community, the academic community, and so on – all bringing a valuable skillset to the table within this clearly-targeted meta-community.
Formalized communities are also useful for embodying trust, which is crucial in this type of undertaking. When the members know each other well, trust exists, and a new willingness to share sensitive data can be ignited.
How does this information-sharing and trust-based platform help deal with issues in the real world?
The formalized platform is especially useful for solving a fundamental dilemma in dealing with cybersecurity issues. If a weakness becomes known, and one needs help to fix it, you need to let other people know about it. But you cannot just generally disseminate the weakness, as that helps the bad guys in finding exploits.
Rather, you need an enclosed, trusted environment in which the information on the vulnerability can be shared, and can be evaluated by all sectors involved – possibly hardware, maybe software, maybe networking – and a joint solution created and distributed within the community.
The involvement of academia is important in this process to ensure we stay one step ahead, while the participation of manufacturers makes certain that we can be timely in delivering solutions – and both are part of EE-ISAC.
How do you deal with the speed requirement when the need for cooperation is often seen as slowing things down?
Here, cooperation means that we can apply more experts – and a more diverse set of experts – to a problem at one time, which typically makes finding a solution significantly faster. One hundred or two hundred experts are far more likely to find a solution to a given problem in a short period than one or two experts in-house.
What are the main cybersecurity challenges over the next five years that EE-ISAC will be helping its members face?
The first challenge is people. Cybersecurity is a human activity that is technology-based. Human skills are needed to combat the technical threat; we also must build human awareness about the need for and nature of cybersecurity – essentially creating a security culture.
Challenge number two is the importance of trust and cooperation. Creating a culture of trust within the platform among the various partners is critical for an open exchange of information. Once achieved, the organizational mechanisms have to be put in place to make sharing discovered weaknesses and solutions an essential part of organization-internal workflows.
The third challenge relates to processes. We need to disseminate best practices to inform the processes in place in utilities and manufacturers, to make sure they are as safe and secure as possible. Challenge number four is technology – specifically, putting in place new technologies that are resilient to attack vectors and can respond actively to incursions.
What do you see as the key achievement of EE-ISAC so far?
The creation of EE-ISAC itself, with a small but growing group of key players, like Siemens. It is a milestone in how we deal with cybersecurity issues in the energy sector in Europe.
What are your next steps likely to be?
We will continue to grow and develop more momentum in the industry. While EE-ISAC is only a year old, it builds on a four-year FP7 European Commission project, so it has gained significant momentum already. We need to keep adding partners, formalizing processes, and ensuring both trust and communication. The next focus is now content: creating structures in which we can extend the information-sharing function of EE-ISAC and the lessons learned so far and turn those into real deliverables, primarily in the form of technical and political policy guidance.
Rian van Staden is an energy author based in Bonn.
EE-ISAC has signed a Partnership Agreement with Smart Sec Europe and is proud to be involved in this event on 29-30 November 2016 taking place in Amsterdam, the Netherlands. Besides pre-event cooperation, EE-ISAC will be contributing to the conference programme. The programme will kick off with EE-ISAC chairman Aurélio Blanquet discussing Strategic Drivers and Standards Development, and board member Johan Rambi will be presenting on Ecosystem Collaboration.
29 Nov, 09.15 hrs - Strategic Drivers Panel
Assessing the emerging IoT landscape, its implications for smart utilities, and how cyber-resilience can be achieved
Aurélio Blanquet, Director, Division of Automation and Telecommunications & Chair EE-ISAC - EDP Distribuição, Walter van Boven, Digital Grid Department Manager & Acting CIO - Alliander, Kimmo Juntunen, ICT Infrastructure Manager and CISO - Caruna
- Defining IoT in the context of the smart utility and determining how it will impact future cyber-security policies and procedures
- Creating a vision of resilience in terms of preparedness, risk management, security, protection, and crisis management
- Identifying the factors driving large-scale investment in end-to-end cyber-security among the leading European smart utilities
- Bridging the gap between IT and OT skill sets in an increasingly connected smart utility environment
29 Nov, 10.00 hrs - Ecosystem Collaboration
Establishing a framework for the seamless interworking of all stakeholders of the power market to speed up the implementation of next generation cyber-security within the smart utility
Johan Rambi, Corporate Privacy & Security Advisor - Alliander
- Determining the drivers for setting up more formal collaboration of utilities with suppliers, system integrators, and other parties in the supply chain
- Evaluating the benefits of sharing information in terms of incident data, technology requirements, standards developments, and regulatory guidance
- Working effectively with the supplier community to translate evolving utility requirements into robust and cost-effective cyber-security solutions
- Driving the end-to-end deployment of multi-vendor cyber-security solutions
About Smart Sec Europe
The third annual SmartSec Europe 2016 takes place 29-30 November 2016, in Amsterdam. Drawing together more than 120 IT and OT cyber-security leads from European TSO and DSO organisations, this techno-commercial event will provide a comprehensive review of the latest utility cyber-security investment strategies, regulatory and standards activity, technical implementation experiences, and future technology innovation and partnership requirements. The case-study focused agenda is complemented by a series of intimate round table discussions, a technology innovation panel session, a live demo lab of the latest tools, a solution zone displaying state-of-the-art utility specific cyber-security solutions, and an evening networking reception facilitating interaction and connection in a relaxed and informal environment.
EE-ISAC can offer members and relations wishing to attend the event a discounted rate on delegate places by using the promo code SMARTSEC-16-EEISAC when booking. Join us there and be part of the conversation on Cyber Security!
Picture: former Interim Chair Johan Rambi (left) handing over chairman's gavel to Aurélio Blanquet (right).
Vienna, 3 December 2015 – The members of the European Energy - Information Sharing & Analysis Centre (EE-ISAC) welcome the election of Mr. Aurélio Blanquet (Director - Division of Automation and Telecommunications, EDP Distribuição) as chair and Johan Rambi (Alliander), Robert Redl (EVN Group), Volker Distelrath (Siemens AG) and Chris McIntosh (ViaSat UK) as Members of the Board.
EE-ISAC is the first European ISAC for the smart energy sector. ISACs are networks of trust in which both private and public parties share security information either on a Human-to-Human basis via Member Meetings, digitally via an Information Sharing Platform or on a Machine-to-Machine level via Situational Awareness Networks.
EE-ISAC is answering a need for international collaboration at European level in order to protect the energy sector from cyber-attacks. “If we want to tackle future issues more effectively, we have to start taking an open approach towards cyber security. The only way forward is to share experiences with security incidents, whether they are success stories or not. EE-ISAC offers a platform to share this sensitive information in a secure way,” says Mr. Blanquet.
This non-profit, industry-driven network is a joint initiative of 4 major European utilities together with technical universities, security technology providers and governmental & non-profit organizations.
Alliander, EDP Distribuição, EVN, TU Delft, SecurityMatters, Siemens, ViaSat, ENCS and the NCSC-NL are the founding members of EE-ISAC. Enel, ENISA, KU Leuven and Accenture are finalising their founding membership procedure. New members are Applied Risk, Webster University and T-Systems Austria GesmbH.
Cyber security information sharing on a European level
EE-ISAC enables top utility security experts to learn from their peers' experiences with security incidents, compare and evaluate security solutions (both from a technical and operational viewpoint) and discuss future challenges. Members benefit from an open dialogue with industry partners and suppliers. The trust-based environment in which members share information is legally defined by the Terms of Reference, to be signed by every individual member.
The strength and unique characteristics of EE-ISAC lie within the private/public composition of the partnership - bridging the gaps between the different disciplines, the lasting nature of the relationship between the participants – strengthening the already legally defined relationship of trust, and the low-profile, industry driven organisation of the network.
Requests for membership, interviews, logos and additional pictures can be sent to firstname.lastname@example.org.
We need to embrace a new approach in which cyber security is not seen as a business blocker but as a business enabler. At least, that is what Emil Gurevitch (Project lead on Smart Grid Security, SEAS-NVE), Johan Rambi (Privacy & Security Advisor, Alliander and Interim Chair of EE-ISAC) and Alex Campbell (Director EMEIA Advisory Services - Information Security, EY) argue. Cyber security is an enabling factor and should function as a quality criterion for your grid, say these gentlemen. They discussed this new approach at EUW15 as part of the Engerati Energy Talks series.
To prevent cyber security from being a show stopper, your strategy should be balanced between a protective, detective and responsive approach. Realistically, utilities cannot rely on preventing attacks alone. Whether it's next week or in 3 years, the attacker will eventually hack into your system. In that case, it is key to be able to detect the attack at an early stage and respond with adequate incident management.
Utilities need to apply a holistic approach to security and privacy. With the implementation of smart meters this now also includes data protection issues. In order to build a trust relationship with your customers, next to protecting data you now also need to be transparent about the way in which you are using this data.
Cyber security is part of your grid. It is essential to have a fundamental understanding of your grid in order to be able to protect it. No two grids are the same and there is no 'silver bullet'. So do learn from your peers, but be aware of the unique characteristics of your own grid.