
Cătălin Aramă (CERT-RO): Cyber security is essential in the energy field

20 June 2018
Economics&Markets
energynomics

New technologies based on IT are already changing the needs and behavior of all energy players. At the same time, they require new approaches from the authorities and raise new risks, such as cyber security. We continue to present the conclusions of the 2018 Energy Strategy Summit, with a selection of ideas from the intervention of Mr. Cătălin Aramă, General Director of CERT-RO.

Good afternoon! My participation in this event is an opportunity for the National Center for Cyber Security Incident Response CERT-RO to get closer once again, to take a new step towards the energy sector, one of the priority sectors for us.

I will start by presenting the scenario of a NATO exercise recently held in Bucharest. This involved a cyber-attack on the exploration and exploitation infrastructure of the Romanian Black Sea continental shelf. The scenario had an important component of sabotage against the offshore industrial networks, and the cyber-attack involved the decommissioning of command and control systems on board an oil tanker, resulting in an accident. Subsequently, media techniques, supported by complex cybernetic instruments – as we know, 85% of the online content is generated by robots – led to a specific strategic and political decision. I started with this example, relevant in the context of today’s discussion, because cyber security is omnipresent. The exercise I have evoked has taken place under the aegis of NATO, which shows that the Alliance appreciates that Article 5 can be invoked in the case of a cyber-attack on a Member State; cyber space is considered as a theater of operations just like the classic ones – land, sea and air.

Cyber security is omnipresent especially in the energy field, a priority area for all companies and for all national and international actors at all levels.

The NIS European Directive requires ensuring a high common level of security in all Member States for the economic sectors concerned; energy is at the forefront, alongside sectors such as transport, finance-banking, health, water distribution and digital platforms. The European Directive is the first horizontal legislative framework in the field of cyber security and a step forward in strengthening national capabilities in cyber security. The directive strengthens cooperation at European level and, very importantly, promotes a risk management policy for the key service providers and for the digital service providers. The Directive has a profound economic character, as it considers the impact of a cyber-attack on economic factors, companies, administrations and citizens, as well as the malfunctions that may arise in those operating essential services and can affect many Member States simultaneously.

The Directive imposes obligations both on Member States – to ensure that they have the capability to ensure the security of IT networks and equipment – and on key service providers and operators – to ensure that they comply with a set of cyber security rules.

Romania has taken important steps in this area: the transposition of the NIS Directive has been made by a law that was approved by the Parliament two weeks ago and will be promulgated shortly.

It is a beginning where we see an opportunity to launch a dialogue and I welcome the opportunity to launch this dialogue with all the actors in the energy sector – the Ministry of Energy, NARE, NAMR, professional organizations and companies, as a first step of cooperation between civil society and business environment.

Collaboration for cyber security

Since 2017 we have signed collaboration protocols with Enel, Teletrans, Transelectrica, E.ON and soon we will sign such documents with Electrica, CONPET and OMV Petrom. What are these protocols? They represent a rapprochement between the National Cyber Security Incident Response Center and the actors operating systems.

Currently, industrial networks operating in the energy sector are networks that were designed for long lifespans of 20 or even 30 years. These networks are not connected at the moment and thus they are not exposed to significant risks as long as they are not online. As investments are made in modernization, once they are connected to the Internet, vulnerabilities do occur. I have to insist on an important difference. While, in the enterprise environment, the integrity and confidentiality of data are important, in the industrial area, the sustainability and continuity of services are those that matter most. Therefore, collaboration between cyber security specialists and the engineers designing the grids is necessary for developing viable systems and secure IT structures in the energy industry. We wish, together with you, to reach the concept of security by design.

We are working on these projects aimed at increasing the operational capacity of CERT-RO, projects that provide an interconnection platform and an early warning system. At the same time, we also launched the project of a test platform for industrial control systems. We are glad to have not only national support for this, but also regional support, because several Balkan states have announced that they agree to use this platform. Of course, such a project becomes viable only if we manage to also involve the equipment manufacturers; the first step is that we already obtained acceptance from one of the manufacturers that probably covers most of the industrial control systems used in the national energy system.

This collaboration with key service providers will materialize in a pragmatic way through the National Cyber Security Services Platform developed through the eCSI – Enhance National Capabilities for Interoperability project. In this platform, operators will be able to exchange real-time information with CERT-RO, and the Center will connect on the same platform with our counterparts across the European Union.
