Instant, comprehensive and trustworthy collaboration between security teams in energy sector companies is a must in a modern world where industrial control systems are Internet-connected and cyber threats to power grids are imminent.
This is where the European Energy Information Analysis and Sharing Centre (EE-ISAC) comes into its own, with support from the European Union Agency for Network and Information Security (ENISA) and the cooperation of the Directorate-General for Energy (DG ENER).
The EE-ISAC is a non-profit, centralised organisation established to support energy sector entities with information about cyber threats and assistance in security incident handling. It addresses the NIS Directive suggestion to create sectorial ISACs within the European Union.
Level of trust
Trust is built not within seconds, but over years. The EE-ISAC is an experienced, recognised organisation which gathers major European energy sector companies together. Non-disclosure agreements are in place between parties, which ensures a certain level of comfort during the talks.
The presence of representatives from a wide range of countries ensures each member can profit from finding new threats aimed at certain devices, networks and countries. They can enrich their security defence systems to prepare for possible, upcoming attacks.
Clear rules and independence
The EE-ISAC’s board is elected from among the members. There’s no governmental or commercial supervisor. Each party signs the same agreement.
Influence on law-making
The EE-ISAC, as a Europe-wide organisation cooperating closely with European Union institutions and European governments, plays a significant role in the creation of law and regulation for cybersecurity in the energy sector.
Additionally, it can represent all members in front of governmental agencies to analyse international threats and incidents.
All members are encouraged to cooperate mutually – both receiving information from other members and sharing their findings with others.
Face-to-face meetings give an opportunity to exchange experience with peers.
Members share knowledge about:
- Security incidents – attack vectors, threat actors, indicators of compromise
- Best practices – security solutions implementations, standards introduction, CSIRT tools and practices
- Emerging threats – observed attack trends, activity of advanced persistent threat (APT) groups
- Vulnerabilities – both of IT and OT systems, technical bugs and gaps in standardisation
- Mitigations – how to recover from attacks: case studies
- Strategic analysis – what to secure, what to expect from a strategic (not operational) point of view
Regular plenary meetings
Face-to-face meetings are crucial to building a relationship of trust. Held on a regular basis, plenary sessions are usually divided into open and closed parts.
Security experts and candidate members are invited to take part in open plenaries, enriching the common knowledge about emerging threats, security solutions, good practices and current topics as well as bringing an opportunity for the new members to join the community.
If there is no need for the whole community to work intensively on a topic (e.g. an information sharing tool, standards, etc.), a workgroup can be established to solve the problem. This ensures better and quicker communication. Each workgroup shares its findings among all the members.
The massive amount of data requires aggregation, storage and analysis tools.
Information sharing platforms, such as MISP, ensure secure storage with granular access.
Such platforms also allow automation, which makes information sharing quick and painless.
E-mails and video conferencing
One of the tools for information sharing among the EE-ISAC community is secure, encrypted e-mail. Members receive regular bulletins that summarise current threats and product vulnerabilities.
- Public energy sector companies, such as energy and gas distribution operators and TSOs
- Universities and research institutes
- Government institutions, i.e. European Union agencies
- Private companies and vendors

From the perspective of the computer emergency response team (CERT) at the Polish Electricity Company (PSE), a pioneer team in the Polish energy industry, membership in the EE-ISAC has an impact on strategic decisions about the team’s development and its choice of security solutions. It is also an excellent opportunity to get the latest news from ICS cybersecurity.
Members of the CERT team have access to a broad array of exclusive resources, educational tools and peer-to-peer networking opportunities, conferences and events. In practice this allows CERT/PSE members to deepen existing relationships with other experienced professionals and make new contacts on a regular and ongoing basis.
As EE-ISAC members attend meetings, being active in plenary meetings allows them to forge lasting ties with others who share their professional interests. Contacts developed through these networking opportunities are incredibly beneficial for security practices. These relationships are productive, ongoing sources of inspiration and ideas.
CERT/PSE translates these ideas into practice, which helps improve the level of cybersecurity in the organisation and the Polish energy sector.
About the author
Jaroslaw Sordyl is the deputy director for Cybersecurity, the IT Department and head of the Computer Emergency Response Team at PSE S.A. – the transmission system operator in Poland. He is a former law enforcement officer, until 2014 a member of the management board of Europol, the Polish representative to the Heads of Europol National Unit forum, and a member of a working group of IT and corporate systems. Sordyl is the former head of the Europol National Unit in Poland, responsible for fighting cybercrime and IP crime. He is also a board member of the EE-ISAC.