Need, obligation, scarecrow, but above all a large field to discover and comprehend – this is cybersecurity today for companies in the energy industry. The situation here is similar with that of most organizations in other critical sectors such as transportation, finance-banking, healthcare, water supply and distribution, or digital infrastructure.
and have been the companies that, together with , have launched the dialogue and have stimulated the exchange of ideas with general considerations and technical details as requested by over 55 participants at the second edition of the Energy Breakfast Club this year, dedicated to cybersecurity topics: risk, prevention, recovery.
“I am pleased to find that energy, unlike other sectors of activity, has a much better understanding of the cybersecurity risks, in their real proportion and magnitude,” said , general manager of CERT-RO.
“Regulations are needed for changing the mindset and behaviors in this respect, but moreover, the adoption of the NIS Directive comes with a number of clear obligations,” said the official from CERT-RO. “We are talking about a draft law yet, in Romania and, while we can still talk about criteria or thresholds, there are also non-negociable obligations,” he warned. “Essential service operators will have to introduce, on the one hand, technical measures which would come with some costs, and, on the other hand, specific organizational measures. They will have to be prepared to report any computer incident to CERT-RO and to intervene to eliminate the impact of such an incident.”
Operators will be free to set up sectorial CERTs in order to meet sector-specific needs, but they will also be able to purchase CERT services. It is extremely important, however, that each essential service operator will have to have its own Security Operations Center (SOC), that is a centralized unit dealing with organizational and technical security issues. This SOC will be responsible for implementing cyber security measures and policies. CERT-RO has a coordinating role, but it also to be a licensing authority for sectorial centers, and cybersecurity auditors.
In his intervention, Cristian Pîrvulescu, general manager, Enevo Group, exposed the main elements specific to the energy systems, that introduce an added complexity in the understanding and approach to cyber security.
§ technological inertia and legacy equipment
§ structure changes on the same infrastructure: centralized operation – extended network – decentralized operation
§ isolated and physical secure vs. online objectives
§ IoT introduces new attack vectors and new variables into reliability formulas
“In Romania, we are talking about an energy system put into operation somewhere in the ’80s, built in the’ 70s, with the technology of the ‘60s, according to the philosophy of the ‘50s”, Cristian Pîrvulescu synthesized the idea that in the energetic field the technological level freezes for decades at the time when of the construction was made. That’s why countless equipment currently used in electrical networks has not been designed to respond to cybersecurity needs.
“Industrial control systems (SCIs) are usually not provided with protection solutions against cyber-threats, and that also generates a lack of vital information to understand both exposure (number and type of infected equipment) and new attack techniques used”, explained Enevo Group representative. “Without this basis, the defensive reaction is severely hampered, the incidents are discovered hard and late.”
Among the prevention solutions proposed by Cristian Pîrvulescu are the development of interdisciplinary skills, but especially a change of mindset for understanding and addressing such risks, in order to take into consideration cybersecurity from the design, engineering and auction / bidding phases.
presented several products and solutions for cyber security from the German group Phoenix Contact. Founded in 1923, the group a a leader in the field of electrical component manufacturing and industrial automation technology. Within the group, Phoenix Contact Cyber Security specializes in hardware and software solutions for cybersecurity for industrial equipment.
He briefly outlined the usual measures to protect networks against cyber attacks, including firewall systems, endpoint security equipment, IDS / IPS intrusion detection or prevention systems, SIEM – security information and event management.
Among the elements making Phoenix Contact a solid partner, Adrian Vladuț has listed:
§ development and production (hardware + firmware, ‘Made in Germany’)
§ long-term product management
§ Special Procedures for Product Security Incident Response (PSIRT) and for Common Vulnerabilities and Exposures (CVE)
Special emphasis was put on mGuard Secure Cloud – industrial VPN for remote secure access.
The presentations, and especially the discussions that followed, highlighted the need for ANRE to be involved in recognizing the costs imposed to the major operators of critical energy systems by the cyber security obligations. At the same time, public procurement systems need to be made more flexible for encouraging the adoption of the most secure solutions, from industrial equipment to software platforms and IT hardware.
Over 55 representatives fromattended the presentations and participated in discussions.
Energy Breakfast Club was organised by energynomics.ro with the support of our partners: .