Building Trust to Cooperate at the EE-ISAC | Episode 117

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome Everyone to the industrial security podcast. My name is Nate Nelson I’m here with Andrew Ginter the vice president of industrial security at waterfall security solutions who’s going to introduce the subjects and guest of our show today Andrew how are you.

Andrew Ginter
I’m very well. Thank you Nate our guest today is Aurelio Blanquet he is the secretary general of the EE-ISAC which is the European Energy Information Sharing And Analysis Center and he’s going to be talking about the good work that they’re doing at the ISAC at the center. And about more generally what is an ISAC and how does it work.

Nathaniel Nelson
Then here is your conversation with Aurelio

Andrew Ginter
Hello Aurelio and welcome to the podcast. Um, before we get started. Can you give us a few words of introduction? Please. So you know tell us a bit about yourself and about the good work that you’re doing at the European Energy ISAC.

Aurelio Blanquet
Hi Andrew thank you for the invitation then it’s a pleasure to to share with you. the the isaac. So I’m the secretary general of the energy. The european energy. isaac which calls for information sharing and Analysis Center and previously I was the first president elected from the from the members community in the 2015 when the association was launched. And I shared the association between 15 and 18 and previously I was director and board advisor of and european energy utility in this case in particular in in Portugal edp where I was responsible for. The ics and cyber security strategy and implementation. So I work I work with the topic of Dcs for almost forty years and cybersecurity since the very beginning where the cybersec security was not a known word. Around the community. So about the the the role that I’m performing you what the I do is of course assure the presentation. The of the eyes zak to the community and namely to aspiring me members.

Aurelio Blanquet
Um, of course we have lots of work with the meetings and contacts with the sea levels partners and the stakeholders namely European associations including the European commission and of course I also attend and and I’m speaker at the events and conferences on namely on energy digitalization and on cybersecurirty. Ah. You know one sentence is everywhere where information sharing can play or plays a relevant role in Europe and I would say even worldwide
-2:55 <cut here>

Andrew Ginter
Thanks for that. Um, and we’re talking about the European Energy ISAC Information Sharing And Analysis Center. You know I’ve been part of other ISACs and the the model that I have in mind for an ISAC is sort of ah, a weekly phone call. Where managers of security operation centers are are on the call or you know senior people from from so security operation centers. They exchange actionable intelligence. They exchange ip addresses that they’ve noticed are attacking them. They exchange file checksums from um, you know, suspicious attachments that they’ve received they gather. All this information they feed it back into their intrusion detection systems and their security information and event management systems. You know, is this what the the European Energy ISAC does or are you doing something else?

Aurelio Blanquet
We do something else. starting by the feed of information. So what? So we intend to do and what we are doing and promoting inside our community is to feed.

Aurelio Blanquet
And an information sharing portal and the idea is to assure that each member can in the real-time bases share their own incidents Namely the ones related will malware. So We have a European platform for malwa information sharing and the the idea is to have these the feed that this platform emeded in our members internal processes including.

Aurelio Blanquet
And a synchronization between the members platform if they have a private and sharing platform. and this european platform this way we are able to have. in almost real-time basis a full information. dataset that allow us to have a broad vision about incidents within our members community. And broadly in at the european level.

So the first thing that we do is to collect. this information to make this information actionable we do as we we perform a second task. What we do is to vault this information to assure that. it’s trustable information and is not a false positive information and this is the first challenge or second challenge. We have the first one is to feed the information second. Is to have a right balance between the vaulting process and the the the timely information that is made available in platforms if we take if we take too much time to vault.

Aurelio Blanquet
The information lacks timeliness and if we want it to be very timely. Maybe it can be not avoted information. So this is second task that we we perform and last but not the least. What we do is to use this information in order to produce threat intelligence report that reports that made available inside the community and that corresponds to an analyses. And that helped the members to to take more supportive. actionable information which means that. each member can use the information that is feeding in platform on Isb off and the the information is updated and also the reports that came from the treatment of these row information that is. stored in the in the in the platform. So I think it’s from my perspective. The the 3 main levels that to do isaac and the community works.

Andrew Ginter
So nate real quick. What I heard there was that the isac does have a function that is focused on actionable intelligence. It’s different from the the eyes act that I described they know my previous experience in in a different ISAC in that. it’s more. It sounds like automatic instead of. A call once a week where the information is exchanged verbally or you know pasted into teams the yeah the information is made available in a real-time portal. There’s a a validation step that goes on people have access to the the intel as soon as somebody enters it and it’s validated. And there’s there’s reporting that goes on so that you know that that sounds useful

Andrew Ginter
So that makes sense I mean I’ve I’ve had a look at your website. You have a risk management white paper there that that anyone can download. you know it it. You’re focused on events that shut down operations in Europe. And you know I am reminded that at at the time we’re recording this just just a week ago. There was an announcement of an event in Denmark where you know firewalls on critical infrastructures including I understand electric utilities were breached by.. And accused nation state adversary where does can you can you talk about the denmark event where does that fit in sort of your scale of of attacks on the power grid.

Aurelio Blanquet
Well, that’s a very very good question. I think both types of incidents are by different reasons very relevant. of course. When you have a huge impact on on people or in the or on the economy and this is an incident with immediately critical consequences. And it can be a power outage. but it can be. You can you can have a necking situation like you talked about in Denmark and we we had the also 1 in in portwell in 2022 that didn’t have any impact on on the on power. Nevertheless it means that the companies face a vulnerability and this vulnerability was exploited if the it. Didn’t have any consequence. It could have 2 main reasons because the company were able to defend itself and control the the incidents and have an effective response.

Aurelio Blanquet
Ah, or maybe even the attacker was not intending to make armful but was just testing and it also happens quite often and in it in any of those situations and association like the isaac. Plays a critical role. if you are if you have not a network like we had in Ukraine a couple of years ago it will be more than useful to have community that is able to. To support you and help you in the incident response and sharing with you. what can the the the different kinds of best practice that you can perform to to overcome the incident.

Nathaniel Nelson
So this danish incident that you guys are referring to for listeners who aren’t fully caught up. it began it occurred in the spring of last year starting with a firewall vendor. Called Zyxel I don’t know if it’s zesler Zixe which in late April of 2022 revealed a pretty serious command injection vulnerability. It was given a nine point eight out of 10 cbss score for for those of you who follow along with that. and shortly thereafter attackers utilize this vulnerability in their firewalls to attack the the danish energy sector pretty broadly because the firewalls were the thing separating. The internet from control systems protecting safety critical equipment. It became a very serious incident I believe according to what I’m looking at now eleven energy companies were compromised pretty much immediately. five more were attacked but managed to stop the attackers. It. Took the as the sector cert described it entire night to remedy the issue but they did successfully protect all of the systems until eleven days later when more attackers came back.

Nathaniel Nelson
This time instead of the publicly revealed vulnerability. There were two zero day vulnerabilities of the same severity affecting the same devices. the attackers seem to have thrown the book at the energy companies this time and a couple of pings back to attacker controlled servers. Revealed that they might have had to do with the russian group sandworm. So I believe at the end of the day all of the utilities and related companies were safe but it did sort of very obviously demonstrate the threat here.

Andrew Ginter
That’s right I mean I was in Denmark when the story broke. at at an event doing a book signing and had opportunity you know at at the event. the. The organization sectur the sectur cert that reported the incident. you know gave a presentation I had a chance to sit down with the the technical lead from the cert afterwards. and so yeah, you know all of that’s true. a. fine detail in my understanding. the firewalls were not between the internet and the ot systems the firewalls were the internet-facing firewalls for the business they were the you know the the firewallet protected the it t network and so the sector cert is a little bit unusual. they have technology that is you know getting a copy of all the packets that are being exchanged and inspecting them for tax signatures at the internet interface of these critical infrastructure utilities their members. Not. At the itot firewall where most people think that you would be you know monitoring for attacks. They’re monitoring for attacks on the entire organization. and they found these. You know these attacks it was 1 of 1 of their people that identified the the initial intrusion.

Andrew Ginter
And they said you know, really their role is to detect and alarm detect and inform so they called the affected organizations said you’re under attack here’s the details and a great many of them were small and. You know didn’t really know how to deal with the intrusion and so in spite of the Sektor CERT not primarily you know, being an incident response organization. Not really having a flyaway team. They said look this is denmark they got into a car. They drove out to these facilities and you know walked them through the process of of turning off the the firewall and updating the firmware and you know activating the internal incident response to to see if if anything had been stolen or. Sabotaged or anything so they were involved in the in the the incident response as well. Even though that officially isn’t what they do So So good on them.

Nathaniel Nelson
Yeah, that is a pretty crucial correction that you made to me Also the report. the language in the report is a little bit broad. They say we have experienced that zeicil is used to a large extent to protect the critical infrastructure and we know that many Ot environments. wait here. We go. The attack groups had a publicly known vulnerability that they used to penetrate the industrial control systems and the primary defense against that happening was precisely the equipment that was vulnerable. So Maybe they use the the firewalls to get into the id networks and then the IT/OT. Defenses are sort of taken as a given. do you have any detail about exactly like how their network was mapped out or not so much.

Andrew Ginter
No I don’t I I missed that in the report. you know I’m going off my memory of the the conversation with the the folks at Sektor. They’ve promised to come on a future episode. So let’s let’s get them on and and we can dig into the details with them instead of relying on my my fallible memory here.

Nathaniel Nelson
It also occurs to me as we’re talking about this. You know this was a critical vulnerability in what appears to be a relatively popular firewall product. that might be found anywhere else in the world. I know that there was a gap between the twenty fifth when the vulnerability was revealed. We’re not talking about the zero days here that’s another matter and then may eleventh when the attack occurred. Is it just that everybody would have patched in that time that I haven’t heard similar stories from other countries. Andrew do you know if this initial vulnerability was exploited elsewhere.

Andrew Ginter
I Don’t know that you know I asked Aurelio that and he basically said you know he if he had information he couldn’t share it with me. They have strict rules about nondisclosure. and but you know to me it’s It’s a. It’s an interesting question I I would like if someone you know, digs up an answer I’d very much like to know because what we have here is excuse me a danish organization the sector cert reporting an attack on Danish critical infrastructure using this firewall as an attack vector. as you point out. The firewalls used very widely did anyone else get hit and they’re just shut up about it that would be useful to know if nobody else got hit and. The bad guys used this firewall as and as a vector specifically to attack Danish Critical Infrastructure. What does that mean I I don’t know I’d very much like to know.

Nathaniel Nelson
Ah, or alternatively others were hit and as we know that there is some evidence here that there’s a state sponsorored actor involved. Maybe they just didn’t know.

Andrew Ginter
Yeah, so like I said I would I would like to know I I hope that you know more information comes to light over time.

Andrew Ginter
I’m going to change topics in a moment but before I leave your your information sharing system. You know I know that the information in there is confidential but is there anything that you can tell us sort of. In terms of the the volume or the the quality of information that you have in there that you’re tracking

Aurelio Blanquet
Just to have a small idea when I look at to the information gathering in our sharing platform. January to July and I I didn’t updatedate it with the figures from October but we have them something like 60000 events responding to five millions of attributes. And two point five millions co of correlations among those and the cyber security events and the attributes if we look to our the organizations that fitted the platform and we make an average. Each organization in average feeded something around one hundred than fifty and events in the platform. This means that that if an organization is not part of a community. With an active and very proactive and information sharinging attitude. The organization is able to deal with 150 incidents but is only able to take decisions and to make action based on the information deliver by One hundred and and in 50 in security incidents if you broad your your interests you are able to take the same action based on 60000 on the information of 60000 and events which means that the scale is much much higher and if you go up your in in your information scale. for sure then. Ability to take a better decision will be much much higher.

Andrew Ginter
And changing gears a bit. I understand that yes you folks are focused a lot on incidents and information sharing. That’s what you know isac means but you’re also talking to governments you’re talking to the commission. you know NIS2 is the big news from the commission that all of the governments are acting on can you talk about NIS2 what what does it mean to your members and you know is there I don’t know advice that your members are giving the the member states. What’s what’s happening with nis two in in the organization.

Aurelio Blanquet
Well then the needs to as well as the the very very new network code for cyber security that was the close for comments last Friday midnight last Friday means for the the association 2 things as old regulation that comes from the commission is always a concern and an opportunity to have a voice on the on the content of the the less legislation. whatever it is focus on the the NIS2. what this means is that looking to the energy sector in Europe and looking for to the and NIS the and yeah, the NIS2 broadens the accountability of the companies that who were already covered by the and NIS and then brings to the compliancy.

Aurelio Blanquet
Requirements A new group of companies that were outside the and nis and when we look to those companies we see small companies and this is a very very big challenge. Not for the members of the association. But namely for the no members of the association because those companies and because they are small and energy companies. They are not so well prepared as as the big players are in these cyber Security Challenge.

So until now they were outside the regulation now they are inside and they must be as compliant as as the big ones of course with some nuances. and with different. impacts in terms of a ah fault. But Nevertheless this means that there is an opportunity to to join forces instead. fight along in this world and Then. We recognize that the that the NIS2 from this perspective makes sense because as we talked before the the European energy system and is an into is an interconnected system which means is as strong. As it’s a weakness link and it’s easier to attack a couple of 10 or 20 small energy companies and bring problems to a full energy systems than to try to attack. big company that is that is well prepared and train into better response maybe is not going to be as effective as she would like but is for sure better prepared and so NIS2 brings a new level level of responsibility for the energy companies and a new challenging challenge. namely for the small companies that are not not so prepared. So for sure. It will be time to start thinking collectively and not individually. Other other way they will be noncompliant with and ni to looking to the big companies and to do all companies covered by the NIS2 and for the first time and NIS2 recommends cooperation and as a pillar for cybersec security. So NNisTwo incentivizes and european companies to cooperate on cybersecurity and this goes straight to The Dna of an association like the isaac we are sharing information in order to be able to cooperate on actions and to be more effective on the decisions. Each member can individually take.

Another point that and NIS brings and it’s an a challenge as well as an opportunity is to make them responsible managing the the managing of the companies for. Assuring the training to and to assuring the the resources for implementation the to implement mitigation measures which means. That once once again, it’s an opportunity to share plans and strategies. among companies in in order to have. and then lying in the approach on those on those challenges so I would say that those 2 points are the the the the main news that the and NIS is bringing to the table and will be compulsory from next October 2024.

Andrew Ginter
So Nate just a word of background here for people who aren’t necessarily tracking what’s happening in the european union. this too is the the new I don’t know I’m even sure what it is directive from the the union from the commission. to to everyone about cyber security of critical infrastructure. It. It is not in and of itself a regulation. Okay, NIS2 does not say these power companies have to do those things. nistu is a requirement it. It orders the member states to pass regulations and it says you have to take these factors into account when you decide which. Of your you know power providers and other critical infrastructures are critical. you have to pass laws that have these kinds of characteristics and you know it’s called nistu because niss happened a few years ago was the same thing ordered the member states to to pass laws.

Andrew Ginter
And so things are a little bit different in every member state. and the the new regulations the new NIS2 is has got broader strokes you know as Areio said more smaller utilities are coming into scope in the the very broad brush of nis I and of course in the. The individual national regulations that will will come about because of it. you know the other one the the network code for cybersecurity. This is something that’s newer than than this to it’s still being being created but in my understanding, it’s analogous to north american NERC CIP 012. you know the NERC CIP family of standards has I don’t know 14 standards in it 12 yeah is one of the things 12 talks about it. They use very technical terminology in 12 but it’s loosely interpreted as requiring encryption between control centers. You know the control centers are the the places the systems that control large chunks of the power grid and when they talk to each other about how much extra capacity they have how much. Power is flowing through them. You know all this real-time communication. sip 12 roughly requires encryption I’m guessing the the same thing is coming in the new law in in Europe because increasingly the european power grid is integrated. There are you know there’s electricity being sold from 1 nation to the other.

Every nation tends to have its own control center and of course now they’re all increasingly talking to each other to facilitate these international flows and exchanges and you know purchasing and and selling of of power. So it’s it’s a complicated space. Every nation tends to have its own control center and of course now they’re all increasingly talking to each other to facilitate these international flows and exchanges and you know purchasing and and selling of of power. So it’s it’s a complicated space.

Andrew Ginter
So NIS2 is going to change a lot I mean member states are are passing their regulations right now to comply with the with the directive is the eisac involved in you know, creating or or I don’t know influencing this regulation.

Aurelia Blanquet
you talked about the n ni s 2 but as I said previously. last week the the public discussion on the the network code for cybersec security was open for for discussion. and the. When we look and it’s also a very important piece. for the the cybersec security wall and in Europe and the the association also was able to comment and to deliver a positioned paper to the commission. And as well as it vi do with the and NIS2 the association is usually 3 main concerns if I may might say when we look to the legislation and usually we start working. within the working groups that are responsible to to to write to the the legislation but when we look to the final documents what we look for is to check the consistency of of the the legislation and the consistency.

Aurelio Blanquet
At the document level. for instance, when we we look at the to the and nccs we saw some inconsistency some potentially inconsistency on the way the document described a cyber incident or a cyber attack. And this is something that can not be misconfused and so what we do in this case is to comment and ask the commission to make clear the concepts. And the terms that they are using on the less. The legislation that usually is already complex enough that risk to me to to to be misconfused the the second one is about efficiency and about the efficiency means. No avoid redund disease and leverage on existing work or an existing technology so the same way that NIS2 was the buildup from the and Nis the nccs when the. one was published for public comments was written in the moment where other pieces of legend legislation was already in place and we must assure that is not going to invent or reinvent the will and.

Put other rules. Besides the ones that are already in place or are going to be in place and risk to impose and double lines of action that will be useless and in and the inefficient. and the third last but not least is the time to action what we try to see is ah and comment is if the time to make it possible is suitable or not and for instance looking. Going back to your first question about the and nis two. 1 criticism that most of the sector and sector puts is that it will be very difficult if not impossible to to assure that companies are ready for nnis too. You know October of 2024 if we think that most of those companies now cover as small. They don’t have resources neither financial nor in people don’t have met your teams in terms. cybersec security and even if they have the money they are going to face the shortage of skills that we are facing in Europe and world the wild when we talk about cyber security. Which means that they are not talent enough. in europe to assure the the resources we need to to full fuel the and NIS2 requires. But this is a challenge.

This is an opportunity for cooperation and it’s true that we need to move forward. Otherwise we will be as weak as the weaknessed link and it will not be conceivable in european terms.

Andrew Ginter
Um, okay so so sharing actionable intelligence you know, working with with X government authorities to try and influence legislation So that. It You know doesn’t mess things up too badly with with inconsistencies and whatnot. I understand as well that the ISAC hosts face-to-face meetings. in those meetings I mean what? What do you accomplish?? what. What? What do you do? face-to-face that that doesn’t happen through your portal and through these these you know letters that you sent to governments.

Aurelio Blanquet
Okay, thank you for and for your question. It’s ah, quite relevant one. we can split to the face-to-face meetings in in 2 types. The first one is face-to-face meetings with members. And the face-to-face meetings with the members are mostly to share non-disclosable information. There is no way to share nondisclosure information unless you make a face-to-face meeting because this information usually. Is even not written the second one is with non-members can be prospect members or in the intending members. And in this situation. the face-to-face meetings is critical to build trust this information sharing is only possible if you do it in the trustable community and the trustable community is more than a group of people. That you know by name and by affiliation into an organization is people that you need to know in the eyes and you can identify yourself and at the and level.

Aurelio Blanquet
That allows you to to share and and at back. useful information to to yourself and so I would say that. Face-to-face meetings for members are critical to to to keep the trust and to share non-disclosable information to to non-members. The face-to-face meetings are critical because I the first seed to build to build Trust. and without them we were lack of the most critical value of an ISAC which is. That is trust.

Andrew Ginter
Well, this has been good. Ah thank you Aurelio for joining us before we let you go can you sum up for us. You know what? what? what should we be taking away about working with an organization like the European Energy ISAC?

Aurelio Blanquet
thank you for your question and you well I would say that there are main for forming takeaways that I would like to share with you the the first one is that active information sharing. In the trusted community is a powerful a very powerful pillar if not the most powerful pillar in a successful cybersecurity strategy. The second one is that capabilities are by the end, the outcome of knowledge. And experience and through an association like Isaac when you share knowledge and you share information you are able to improve both both knowledge and experience and get more capable to face. The cyber security challenges the the third one is that almost as a consequence is that through cooperation we will for sure reach farther than we we stay. Alone in these challenging cybersec security world and last but not the least what I can say is that if.

Aurelio Blanquet
Someone that is listening and is working in the energy sector and is not yet member of the European energy isaac or even in energy isaac in his own Country. Don’t wait more. And join us and this because it’s more than ever time to act together so look to to the our website get in touch. And we’ll be more than pleased to get you on board and thank you and you.

Nathaniel Nelson
That was your interview enter with areo bla I forgot is how to pronounce his last name. So I entered that was your interview with Areo blanquie. Do you have anything to take out our episode with.

Andrew Ginter
Yeah, you know Aurelio pointed out sort of 3 priorities for the ISAC. You know, active information sharing sharing, developing capabilities, and knowledge & experience. He pointed out that cooperation makes us all stronger and you know. Ah, NIS2 is requiring cooperation among critical infrastructures and NIS2 is you know is not saying you have to go join the Energy ISAC. But it’s saying you need to cooperate. You know we need to be stronger and here’s an opportunity to do that I mean it’s it’s a truism that our enemies cooperate. You know nation states cooperate against us with their allies. There’s a dark web where criminals cooperate where they share information. They buy services from one another we need to do the same. We are stronger together. They are stronger together. We need to be stronger than they are um so it. It all makes sense to me.

Nathaniel Nelson
Well thanks to Aurelio for speaking with you and Andrew thank you for speaking with me today. This has been the industrial security podcast from waterfall. Thanks to everyone out there listening.

Andrew Ginter
It’s always a pleasure. Thank you Nate.