Traditional cybersecurity is no longer an adequate protection against cyber threats. The formation of the EE-ISAC in December will enable secure sharing of cyber information among utilities, vendors and software developers in an effort to combat one of the biggest challenges facing the power sector today.
Johan Rambi, corporate privacy and security advisor for Dutch utility Alliander is passionate about cyber resilience and believes there is a need to create an environment of trust which will enable utilities to feel secure about sharing sensitive information across national borders, and between the public and private sectors. As interim chair of EE-ISAC, a European body created to facilitate the sharing of sensitive cybersecurity information, Rambi’s task is to create a framework to support the trust and commitment needed to enable this.
Speaking recently, Rambi comments that “cybersecurity does not stop at national borders. Focusing on Dutch cases only would be unrealistic since the increased interconnectedness to the internet creates a reality in which our national ‘grid’ is no longer independent from the outside world.”
Rambi believes that cyber resilience risks need to be addressed at a European level and that organisations such as ISACs (Information Sharing and Analysis Centre) are a vital part of addressing the challenge. International ISACs should work together in order to realise the benefits of information and experience sharing.
The first ISAC was formed from a Presidential decision directive (PDD-63 in 1998) which requested the public and private sector to create a partnership to share information about physical and cyber threats, vulnerabilities and events, to help protect the critical infrastructure. While this was initially focussed on the financial services market, ISACs have grown to cover a number of sectors affected by cyber threats.
An ISAC is a non-profit organization “that provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information” [Wikipedia]. Traditionally, ISACs help create a partnership to share information about both physical and cyber threats and vulnerabilities.
For this to work, ISACs must be based on trust; sharing information which is confidential and sensitive can seem contrary to protecting company information and intellectual property and a key imperative for the ISAC is to make utilities and technology providers feel safe about sharing sensitive data.
Rambi explains that “the trust-based environment in which our members will share data, knowledge and experiences is legally defined by our terms of reference (ToR). Every individual member will commit itself to the ToR before participating. We will cooperate with each other under strict participation rules, including those regarding transparency and information sharing, and using the traffic light protocol (TLP)* in our meetings.”
“Topics such as vulnerabilities in ICS/SCADA systems or cybersecurity incidents in smart meters are classified as RED according to the TLP protocol. These topics will not be shared outside the meeting room.”
However, Rambi is adamant that it takes more than legal boundaries to build a trust-based environment. He says that it is easier to trust those you know, and that the role of EE-ISAC is to enable good relationships between members as a way of facilitating information and experience sharing in the already legally defined trustbased environment.
In order to determine the effectiveness of the programme, the mutual benefit of the information shared must be monitored. This is to ensure that the benefits are equally balanced between all stakeholders, in order to encourage continued sharing of information.
“I think you can put it like this: EE-ISAC brings together top experts dealing with cybersecurity issues from different perspectives,” Rambi says. “It creates an environment in which they start talking to each other without legal or social hesitations. This results in a broader view of the solution to these issues for each individual member. In the end we believe that this will strengthen the cyber resilience of the energy sector as a whole.”
*The Traffic Light Protocol (TLP) is a way of sharing sensitive information by which the originator indicates how widely the information can be circulated beyond the original recipient.
This is done by using colours to indicate how widely information can be distributed. By labelling the information with one of four colours, dissemination can take place within certain defined parameters. MI
TRADITIONALLY, THE FOUR COLOURS ARE:
RED - personal for named recipients only
In the context of a meeting, for example, RED information is limited to those present at the meeting. In most circumstances, RED information will be passed verbally or in person.
AMBER - limited distribution
The recipient may share AMBER information with others within their organization, but only on a ‘need-to-know’ basis. The originator may be expected to specify the intended limits of that sharing.
GREEN - community wide
Information in this category can be circulated widely within a particular community. However, the information may not be published or posted publicly on the Internet, nor released outside of the community.
WHITE - unlimited
Subject to standard copyright rules, WHITE information may be distributed freely, without restriction.