Johan Rambi is Corporate Privacy & Security Advisor for the Dutch network operator Alliander. In his role as (interim) chair of EE-ISAC, to be launched in December 2015, his task is to lay the foundations of this partnership - namely, trust and commitment. Cyber resilience risks force the energy sector to start sharing sensitive information, both across national borders and between the public and the private sector. This will only happen if you create a safe environment of trust, says Rambi.
- Alliander is already participating in the Dutch Energy ISAC. Can you explain why, as a regional network operator, you were also pushing for an Energy ISAC at European level?
Cyber security does not stop at national borders. Focusing on Dutch cases only would be unrealistic since the increased interconnectedness to the internet creates a reality in which our national "grid" is no longer independent from the outside world.
We need to address cyber resilience risks at an international (EU) level. Other international ISACs (e.g. the European FS-ISAC or United States ES-ISAC) have already proven the importance and benefits of international information sharing. In the end, different international ISACs should work together to realise global information and experience sharing. However, scaling up from national to European level is a good and necessary start.
"Cyber resilience risks force the energy sector to start sharing sensitive information,
both across national borders and between the public and the private sector.
This will only happen if you create a safe environment of trust."
- ISACs are based on trust; stakeholders are being asked to share (sometimes confidential) company information. What does an ISAC do to make utilities but also technology providers feel safe about sharing sensitive data?
The trust-based environment in which our members will share data, knowledge and experiences is legally defined by our Terms of Reference (ToR). Every individual member will commit itself to the ToR before participating. We will cooperate with each other under strict participation rules, including those regarding transparency and information sharing, and using the Traffic Light Protocol (TLP) in our meetings.
Topics such as vulnerabilities in ICS/SCADA systems or cyber security incidents in smart meters are classified as RED according to the TLP. These topics will not be shared outside the meeting room.
- But doesn't it take more than just the legal boundaries of a trust-based environment that makes people talk about what is worrying them?
Yes, definitely. It is easier to trust those you know. The role of EE-ISAC is to build a good relationship between its members. This will facilitate information and experience sharing in the already legally defined trust-based environment.
Also, EE-ISAC will monitor the mutual benefit of the information shared. This is a very important factor since it creates a situation in which the interests of the different stakeholders are equal. If this situation is out of balance, the willingness to share will diminish.
I think you can put it like this: EE-ISAC brings together top experts dealing with cyber security issues from different perspectives. It creates an environment in which they start talking to each other without legal or social hesitations. This results in a broader view of the solution to these issues for each individual member. In the end we believe that this will strengthen the cyber resilience of the energy sector as a whole.
"EE-ISAC creates an environment in which cyber security experts
start talking to each other without legal or social hesitations."
EE-ISAC will be officially launched during European Utility Week 2015, on 4 November at the Siemens booth in hall A.