The European Energy - Information Sharing & Analysis Centre (EE-ISAC) is an industry-driven answer to the need for a collaborative approach at an international level.

It forms an information sharing network of trust in which both private - utilities and solution providers - and (semi)public institutions - academia, governmental and non-profit organizations - share valuable information on cyber security & cyber resilience. This includes case studies, lessons learned from past security issues and future challenges.

Johan Rambi, EE-ISAC interim chair and corporate privacy and security advisor for Alliander discusses the need to create an 'environment of trust' conducive to information sharing, while keeping in mind the impact of potential cyber-attacks.

Organisations globally are facing a new challenge. Traditional cybersecurity is no longer an adequate protection against cyber threats.

“It’s no longer sufficient to suppose that you can defend against any potential attack; you must accept that an attack will inevitably succeed. An organisation’s resilience to these attacks – identifying and responding to security breaches – will become a critical survival trait in the future.” www.itgovernance.co.uk

Johan Rambi, corporate privacy and security advisor for Dutch utility, Alliander, is passionate about cyber resilience and believes there is a need to create an environment of trust which will enable utilities to feel secure about sharing sensitive information across national borders, and between the public and private sectors. As interim chair of EE-ISAC, a European body created to facilitate the sharing of sensitive cyber security information, Rambi’s task is to create a framework to support the trust and commitment needed to enable this.

Security beyond borders

Speaking recently, Rambi comments that “cybersecurity does not stop at national borders. Focusing on Dutch cases only would be unrealistic since the increased interconnectedness to the internet creates a reality in which our national ‘grid’ is no longer independent from the outside world.”

Rambi believes that cyber resilience risks need to be addressed at a European level and that organisations such as ISACs (Information Sharing and Analysis Centre) are a vital part of addressing the challenge. International ISACs should work together in order to realise the benefits of information and experience sharing.

The first ISAC was formed from a Presidential decision directive (PDD-63 in 1998) which requested the public and private sector create a partnership to share information about physical and cyber threats, vulnerabilities, and events to help protect the critical infrastructure. While this was initially focussed on the financial services market, ISACs have grown to cover a number of sectors affected by cyber threats.

An ISAC is a non-profit organization “that provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information [Wikipedia]. Traditionally, ISACs help create a partnership to share information about both physical and cyber threats and vulnerabilities.

Creating a trustworthy environment

For this to work, ISACs must be based on trust; sharing information which is confidential and sensitive can seem contrary to protecting company information and intellectual property and a key imperative for the ISAC is to make utilities and technology providers feel safe about sharing sensitive data.

Rambi explains that “the trust-based environment in which our members will share data, knowledge and experiences is legally defined by our terms of reference (ToR). Every individual member will commit itself to the ToR before participating. We will cooperate with each other under strict participation rules, including those regarding transparency and information sharing, and using the traffic light protocol (TLP)* in our meetings.”

“Topics such as vulnerabilities in ICS/SCADA systems or cybersecurity incidents in smart meters are classified as RED according to the TLP protocol. These topics will not be shared outside the meeting room.”

However, Rambi is adamant that it takes more than legal boundaries to build a trust-based environment. He says that it is easier to trust those you know, and that the role of EE-ISAC is to enable good relationships between members as a way of facilitating information and experience sharing in the already legally defined trust-based environment.

In order to determine the effectiveness of the programme, the mutual benefit of the information shared must be monitored. This is to ensure that the benefits are equally balanced between all stakeholders, in order to encourage continued sharing of information.

“I think you can put it like this – EE-ISAC brings together top experts dealing with cybersecurity issues from different perspectives,” Rambi says. “It creates an environment in which they start talking to each other without legal or social hesitations. This results in a broader view upon the solution to these issues for each individual member. In the end we believe that this will strengthen the cyber resilience of energy sector as a whole.”

Traffic Light Protocol

*The Traffic Light Protocol (TLP) was a way of sharing sensitive information by which the originator indicates how widely the information can be circulated beyond the original recipient.

This is done by using colours to indicate how widely information can be distributed. By labelling the information with one of four colours, dissemination can take place within certain defined parameters.

Traditionally, the four colours are:

• RED - personal for named recipients only
In the context of a meeting, for example, RED information is limited to those present at the meeting. In most circumstances, RED information will be passed verbally or in person.

• AMBER - limited distribution
The recipient may share AMBER information with others within their organization, but only on a ‘need-to-know’ basis. The originator may be expected to specify the intended limits of that sharing.

• GREEN - community wide
Information in this category can be circulated widely within a particular community. However, the information may not be published or posted publicly on the Internet, nor released outside of the community.

• WHITE - unlimited
Subject to standard copyright rules, WHITE information may be distributed freely, without restriction.

EE-ISAC will be officially launched in December 2015. However, an ‘open house’ meeting will be hosted at European Utility Week. Anyone wishing to participate should contact the EE-ISAC secretariat for more information.