The convergence of information systems with operating systems in industry, including the energy sector, is increasingly evident. The future will reinforce this trend, and at the same time the related risks grow higher. Recent cyber-attacks have raised awareness not only among the companies administrating critical infrastructures, but also at the state and supra-state level. Evidence of this is given by the European Directives requiring preventive actions and the setup of institutional tools such as the National Computer Security Incident Response Center – CERT-RO. We found out from Mircea Grigoraș, Deputy General Manager at CERT-RO, about the obligations that will fall upon companies operating in the energy field in the near future.
Dear Mircea Grigoraș, in the current context, the role of the National Computer Security Incident Response Center is becoming increasingly visible, including for energy companies. What are the competencies and tools CERT-RO relies on to coordinate cyber-security measures and good practices?
It is worth underlining that, for now, we refer to the competences that CERT-RO was granted under Government Decision no. 494 of 2011, namely prevention, identification, analysis and response. First, CERT-RO gathers information on the IPs and URLs signaled by our partners as being involved in cyber-security incidents. Then, we maintain and administrate a database of alerts and incidents in the national cyberspace. Data collection is based on the cooperation protocols concluded by CERT-RO and on the voluntary nature of the notifications regarding such threats.
Secondly, the institution can provide advice to companies and users in case of significant incidents. Upon request from the affected companies or public institutions, CERT-RO may offer support and, in certain situations, it may intervene with teams on the spot if necessary, but only for public institutions.
Last but not least, CERT-RO carries on supporting activities with partners in the private and institutional environments, and plays an active role in the development of strategies, policies and regulations, as well as in the development of awareness campaigns. Thus, we organize more than 10 technical workshops per year for cyber-security specialists from the public and private sectors, where new technologies are showcased to them through hands-on training; along with our partners in the private sector, we are involved in the European Cyber Security Month, in the organization of the European Cyber Security Challenge, and in other activities and sector-related working groups for the development of the cyber-security culture and of prevention and response capacities.
To underline the urgency of the topic, it is worth specifying that the Directive on the security of networks and information systems (NIS), adopted at the European level back in 2016, should be transposed into national legislation by May 9. What is the current stage of the transposition process and what new obligations arise for the companies administrating critical infrastructures in the energy field?
Currently, the public consultation process on this draft law has been completed, and it is now on the inter-ministerial endorsement circuit. We have a deadline for the law's entry into force and we do our best to support the Ministry of Communications so that at that moment we have a regulatory framework as good as possible. The law will affect two categories of companies, namely those falling into the category of essential services operators and those in the category of digital service providers, as per the Directive. The secondary legislation will include criteria and thresholds based on which a company can determine whether it falls into one of these categories, and a 2-year term will be set for them to identify themselves voluntarily, without undergoing any audit.
According to the regulatory provisions, these organizations will have to ensure a minimum set of technological and governance measures in order to increase the degree of network security. Practically, any organization providing services essential to the population will have to maintain a certain rigor in its information systems infrastructure, to rely on dedicated personnel for ensuring cyber-security, to develop security training and policies within the organization, and to report to CERT-RO the incidents exceeding a certain threshold or possibly affecting the users/clients of at least two EU member states. All of these are to be proved by an audit carried out by a third party.
The NIS Directive invokes the so-called “culture of security”, considered to be vital to the information technology-based economies and societies. What exactly does this concept refer to?
Considering the constant evolution of the threats, as well as the increased financial and social impact an attack could have on operators and society in general, a decision has been adopted to legally ensure a minimum technological level for organizations' information infrastructure. Besides the technical regulations, companies will have to maintain an increased degree of awareness among employees of the threats and of the social engineering methods used by hackers.
Often, the European Directives are built on the information, analyses and good practices of the companies in the vanguard of the field envisaged by the directive. To what extent are the major energy companies of Romania, and CERT-RO as well, prepared to prevent and adequately respond to cyber threats?
That’s a very good question. It is worth saying that until now companies have not been under any obligation to notify an authority or the public about incidents and attacks, or to make public information on the technological condition of their internal infrastructure, so it is very difficult for me to answer your question, since we do not have enough data. However, once the NIS Directive has been transposed, we will have such visibility, which will give us a much more accurate picture of the vulnerabilities and threats in the national cyberspace, and therefore a much better institutional response capacity, both in terms of awareness raising and education, and in terms of response to incidents.
It is important to highlight that the very draft law for the transposition of the NIS Directive specifies that CERT-RO will co-operate and consult with the authorities appointed for each business sector, as well as with their representatives to generate a regulatory framework in consideration of each sector’s specificity.
May 25 is also the deadline set for the enforcement of another European Directive, this one on personal data protection, the so-called General Data Protection Regulation. Where does Romania stand from this perspective?
This regulation is the responsibility of another public institution, ANSPDCP, the National Supervisory Authority for Personal Data Processing, so I cannot comment on that. What I can say is that GDPR and NIS are complementary regulations and many companies will have to comply with both of them. So far, the GDPR regulation has been much more visible publicly, since it does not require transposition, being directly applicable in the member states. However, we are sure that with the enforcement of the law transposing the NIS Directive and of the subsequent legislation, the business environment will focus on this issue as well.
What impact do you anticipate for companies with hundreds of thousands or millions of clients, especially considering that the deployment of smart metering devices will exponentially increase the volume of data collected, stored and administrated by such companies?
This depends on the level of investment in technology that companies allocate. At first sight, this approach may seem to generate costs, since the security investment budget increases. However, investments in security exponentially increase the cost hackers bear in carrying out a successful cyber-attack. If we look at the example of Ukraine’s incident with Black Energy, when a power outage hit most of the country for about 8 hours, we can notice that this was possible because the hackers succeeded in gaining access to the information systems administrated by the distribution companies.
Certainly, a higher degree of security could increase the investment budget, depending on the current security level of the IT infrastructure. Even if we talk about investments, the amounts are often low compared to the financial risk of a security incident, especially for utility companies, and at the same time this represents an investment in the confidence granted to clients. For these reasons, some companies have already made the first steps in this regard, as we already provide consultancy for the development of specialized teams or internal security centers. We want the main impact of the law to be the security of consumers and of the companies’ employees.