1
00:00:03,160 --> 00:00:09,119
Face to face meetings. That's critical
to build trust, and we got them.

2
00:00:09,599 --> 00:00:16,480
We were like the most critical value
of an ISAC, that is trust.

3
00:00:23,800 --> 00:00:28,519
Welcome everyone to the Industrial Security Podcast. My name is Nate Nelson. I'm

4
00:00:28,519 --> 00:00:33,439
here with Andrew Ginter, the vice
president of Industrial Security at Waterfall Security Solutions,

5
00:00:33,640 --> 00:00:37,520
who's going to introduce the subjects and
guest of our show today. Andrew,

6
00:00:37,640 --> 00:00:40,159
how are you? I'm very well, thank you, Nate. Our

7
00:00:40,200 --> 00:00:45,960
guest today is Aurelio Blanchier. He
is the Secretary General of the EE-ISAC,

8
00:00:46,079 --> 00:00:50,840
which is the European Energy Information Sharing
and Analysis Center, and he's going

9
00:00:50,880 --> 00:00:53,719
to be talking about the good work
that they're doing at the ISAC at the

10
00:00:53,759 --> 00:00:57,640
center and about more generally what is
an ISAC and how does it work.

11
00:00:58,399 --> 00:01:04,799
Then here is your conversation with Aurelio. Hello, Aurelio, and welcome to

12
00:01:04,840 --> 00:01:08,920
the podcast. Before we get started, can you give us a few words

13
00:01:08,959 --> 00:01:14,200
of introduction. Please tell us a
bit about yourself and about the good work

14
00:01:14,200 --> 00:01:19,519
that you're doing at the European Energy
ISAC. Hi, Andrew, thank you

15
00:01:19,560 --> 00:01:25,640
for the invitation. Then it's a
pleasure to share with you the ISAC.

16
00:01:25,760 --> 00:01:33,560
So I'm the secretary General of the
Energy the European Energy ISAC which calls for

17
00:01:33,840 --> 00:01:44,599
Information Sharing and Analysis Center, and
previously I was the first president selected from

18
00:01:44,640 --> 00:01:52,319
the members community in twenty fifteen when
the association was launched, and I chaired

19
00:01:52,400 --> 00:01:59,959
the association between fifteen and eighteen.
And previously I was director and board advisor

20
00:02:00,640 --> 00:02:07,240
an European energy utility. In this
case and particularly in Portugal DP, where

21
00:02:07,240 --> 00:02:19,639
I was responsible for the ICS and
cybersecurity strategy and implementation. So I work

22
00:02:19,719 --> 00:02:24,639
with the topic of the ICS for
almost forty years, and cybersecurity since the

23
00:02:24,759 --> 00:02:30,000
very beginning, where the cybersecurity was
not a known word around the community.

24
00:02:30,919 --> 00:02:42,639
So about the role that I'm performing. What I do is of course assure

25
00:02:42,680 --> 00:02:50,360
the presentation of the ISAC to the
community, namely to aspiring members. Of

26
00:02:50,439 --> 00:02:58,199
course, we have lots of work
with the meetings and contacts with the C

27
00:02:58,360 --> 00:03:07,800
levels, partners and stakeholders, namely
European associations including the European Commission. And

28
00:03:07,840 --> 00:03:16,319
of course I also attend and I'm
speaker at the events and conferences on namely

29
00:03:16,360 --> 00:03:30,360
on energy, digitalization and on cybersecurity. In one sentence, everywhere where information

30
00:03:30,599 --> 00:03:39,400
sharing can play or plays a relevant
role in Europe, and I would say

31
00:03:39,439 --> 00:03:46,039
even worldwide. So in broad in
broad terms, if you want to know

32
00:03:46,199 --> 00:03:54,800
more about information sharing and how we
can how it can work on be a

33
00:03:54,879 --> 00:04:00,879
more cybersecurity world, namely on the
energy sector, we are ready to step

34
00:04:00,919 --> 00:04:08,120
forward. We're talking about the European
Energy ISAC, Information Sharing and Analysis Center.

35
00:04:09,039 --> 00:04:14,560
You know, I've been part of
other ISACs and the model that I

36
00:04:14,599 --> 00:04:18,199
have in mind for an ISAC is
sort of a weekly phone call where managers

37
00:04:18,319 --> 00:04:23,120
of security operation centers are on the
call or you know, senior people from

38
00:04:23,800 --> 00:04:30,399
security operation centers. They exchange actionable
intelligence. They exchange IP addresses that they've

39
00:04:30,399 --> 00:04:34,720
noticed are attacking them. They exchange
file checksums from you know, suspicious attachments

40
00:04:34,720 --> 00:04:40,399
that they've received. They gather all
this information, they feed it back into

41
00:04:40,480 --> 00:04:46,360
their intrusion detection systems and their security
information and event management systems. You know,

42
00:04:46,519 --> 00:04:50,439
this is the you know, is
this what the the the European Energy

43
00:04:50,519 --> 00:04:56,959
ISAC does or are you doing
something else? We do something else,

44
00:04:57,920 --> 00:05:02,759
starting by the field of information.
So what we intend to do and what

45
00:05:02,920 --> 00:05:13,439
we are doing and promoting inside our
community is to feed an information sharing portal.

46
00:05:14,360 --> 00:05:21,439
And the idea is to ensure that
each member can in a real time

47
00:05:21,519 --> 00:05:29,800
basis share their own incidents, namely
the ones related with malware. So we

48
00:05:29,879 --> 00:05:39,120
have an European platform for malware information
sharing, and the idea is to have

49
00:05:39,920 --> 00:05:49,399
the feed that this platform embedded in
our members internal processes, including a synchronization

50
00:05:49,759 --> 00:06:03,680
between the member's platform if they have
a private sharing platform and this European platform.

51
00:06:04,240 --> 00:06:13,000
This way we are able to have
in an almost real time basis,

52
00:06:13,319 --> 00:06:23,680
a full information data set that allows
us to have a broad vision about incidents

53
00:06:24,079 --> 00:06:32,519
within our members community and broadly in
the European level. So the first thing

54
00:06:32,720 --> 00:06:41,759
that we do is to collect this
information. To make this information actionable,

55
00:06:42,360 --> 00:06:47,519
we perform a second task. What
we do is to vote this information to

56
00:06:47,560 --> 00:06:57,399
assure that it's trusted all information and
it's not a false positive information. And

57
00:06:57,480 --> 00:07:00,600
this is the first challenge. On
second challenge we have. The first one

58
00:07:00,720 --> 00:07:06,040
is to feed the information. Second
is to have a right balance between the

59
00:07:06,160 --> 00:07:16,199
voting process and the timely information that
is made available in platforms. If we

60
00:07:16,240 --> 00:07:24,120
take if we take too much time
to vote, the information lacks timeliness and

61
00:07:24,720 --> 00:07:32,120
if we want it to be very
timely, maybe it can be not voted

62
00:07:32,199 --> 00:07:38,120
information. So this is the second
task that we perform and last but not

63
00:07:38,360 --> 00:07:45,199
least, what we do is to
use this information in order to produce threat

64
00:07:45,199 --> 00:07:53,600
intelligence report that the reports that are
made available inside the community, and that

65
00:07:53,759 --> 00:08:05,519
corresponds to an analysis that helped the
members to take more supported the actionable information,

66
00:08:05,839 --> 00:08:11,319
which means that each member can use
the information that is fitting in the

67
00:08:11,360 --> 00:08:18,399
platform on his behalf and the information
is updated. And also the reports that

68
00:08:18,560 --> 00:08:31,600
came from the treatment of the raw
information that is stored in the in the

69
00:08:31,639 --> 00:08:35,240
in the platform. So I think
it's from my perspective, the three main

70
00:08:37,480 --> 00:08:43,759
levels that the ISAC and the community
works. So Nate real quick. What

71
00:08:43,799 --> 00:08:50,120
I heard there was that the ISAC
does have a function that is focused on

72
00:08:50,200 --> 00:08:54,559
actionable intelligence. It's different from the
ISAC that I described, you know,

73
00:08:54,639 --> 00:08:58,960
my previous experience in a different ISAC
in that it's more it sounds like automatic.

74
00:09:00,360 --> 00:09:03,639
Instead of a call once a week
where the information's exchanged verbally or you

75
00:09:03,679 --> 00:09:09,360
know, pasted into teams, the
uh, the information is made available in

76
00:09:09,399 --> 00:09:13,279
a real time portal. There's a
validation step that goes on. People have

77
00:09:13,360 --> 00:09:18,320
access to the the the intel as
soon as somebody enters it and it's validated

78
00:09:18,559 --> 00:09:24,399
and there's there's reporting that goes on
so that you know that that sounds useful,

79
00:09:26,840 --> 00:09:28,879
So that makes sense. I mean, I've I've had a look at

80
00:09:28,879 --> 00:09:33,960
your website. You have a risk
management white paper there that that anyone can

81
00:09:33,000 --> 00:09:41,799
download. You know it you're focused
on events that shut down operations in Europe,

82
00:09:43,320 --> 00:09:46,039
and you know, I'm reminded that
at the time we're recording this,

83
00:09:46,240 --> 00:09:50,799
just just a week ago, there
was an announcement of an event in Denmark

84
00:09:52,399 --> 00:10:00,960
where you know, firewalls on critical
infrastructures, including I understand electric utilities were

85
00:10:01,000 --> 00:10:07,120
breached by an accused nation state adversary. Where does can you can you talk

86
00:10:07,120 --> 00:10:11,960
about the Denmark event? Where does
that fit in sort of your scale of

87
00:10:13,039 --> 00:10:16,960
attacks on the power grid? Well, that's a very very good question.

88
00:10:18,200 --> 00:10:26,320
I think both types of incidents are, by different reasons, very very relevant.

89
00:10:28,799 --> 00:10:35,080
Of course, when you have a
huge impact on people or in the

90
00:10:35,759 --> 00:10:48,000
or on the economy, this is
an incident well immediately vidical and consequences and

91
00:10:48,159 --> 00:10:56,360
it can be a power outage,
but it can be it can you can

92
00:10:56,440 --> 00:11:03,000
have an acting situation like you about
in Denmark, and we had also when

93
00:11:03,879 --> 00:11:13,000
in Portugal in twenty twenty two that
didn't have any impact on the on power.

94
00:11:13,000 --> 00:11:22,120
Nevertheless, it means that the companies
faced vulnerability and this vulnerability was exploited.

95
00:11:22,240 --> 00:11:30,960
If it didn't have any consequence,
it could have too many reasons because

96
00:11:31,159 --> 00:11:39,240
the company were able to defend itself
and control the incident and have an effective

97
00:11:39,879 --> 00:11:48,159
response. Or maybe even the attacker
was not intending to make harmful but was

98
00:11:48,360 --> 00:11:58,480
just testing. And it also happens
quite often it in any of those situations,

99
00:11:58,600 --> 00:12:05,480
an association like the ISAC plays a
critical role if you are if you

100
00:12:05,559 --> 00:12:11,279
have not an attack like we had
in Ukraine a couple of years ago,

101
00:12:13,440 --> 00:12:20,879
it will be more than useful to
have a community that is able to support

102
00:12:20,960 --> 00:12:30,480
you and help you in the incident's
response and the sharing with you what the

103
00:12:31,559 --> 00:12:37,919
different kinds of best practice that you
can perform to overcome the incident. The

104
00:12:39,000 --> 00:12:43,559
latest numbers and the twenty twenty three
Threat Report on OT cyber incidents show that

105
00:12:43,600 --> 00:12:48,720
the threat environment has changed fundamentally.
At the beginning of this decade, OT

106
00:12:48,919 --> 00:12:54,639
cyber attacks with physical consequences have changed
from a theoretical problem to a very real

107
00:12:54,720 --> 00:12:58,559
problem. More than doubling every year. The new report is focused on deliberate

108
00:12:58,600 --> 00:13:03,720
cyber attacks in the public record.
These are attacks that cause physical consequences in

109
00:13:03,799 --> 00:13:09,799
process industries and discrete manufacturing. Most
of these attacks are ransomware, though the

110
00:13:09,840 --> 00:13:15,159
fraction of activist attacks is growing,
and the report's appendix includes a complete list

111
00:13:15,279 --> 00:13:20,159
of all cyber attacks since Stuxnet that
meet these criteria. To see how today's

112
00:13:20,200 --> 00:13:24,200
OT cyber threat environment has changed,
I invite you to download the report,

113
00:13:24,480 --> 00:13:30,440
a joint effort between Waterfall Security and
the ICSSTRIVE OT Incident Repository. You

114
00:13:30,480 --> 00:13:35,120
can download the report at Waterfall dash
security dot com, Slash twenty twenty three

115
00:13:35,600 --> 00:13:41,200
dash Threat dash Report, or just
go to the resources menu at the Waterfall

116
00:13:41,240 --> 00:13:48,919
Security site and click on white papers
and ebooks. So this Danish incident that

117
00:13:48,960 --> 00:13:54,120
you guys are referring to for listeners
who aren't fully caught up it began.

118
00:13:54,480 --> 00:14:03,480
It occurred in the spring of last
year, starting with firewall vendor called Zyxel

119
00:14:03,519 --> 00:14:09,879
I don't know if it's Zekesler Zigxel
zyx e L, which in late April

120
00:14:09,960 --> 00:14:16,639
of twenty twenty two revealed a pretty
serious command injection vulnerability. It was given

121
00:14:16,840 --> 00:14:20,000
a nine point eight out of ten
CVSS score for those of you who follow

122
00:14:20,000 --> 00:14:28,279
along with that, and shortly thereafter, attackers utilized this vulnerability in their firewalls

123
00:14:28,799 --> 00:14:39,240
to attack the Danish energy sector pretty
broadly. Because the firewalls were the thing

124
00:14:39,919 --> 00:14:46,200
separating the Internet from control systems protecting
safety critical equipment. It became a very

125
00:14:46,279 --> 00:14:52,720
serious incident. I believe, according
to what I'm looking at now, eleven

126
00:14:52,879 --> 00:14:58,759
energy companies were compromised pretty much immediately. Five more were attacked but managed to

127
00:14:58,799 --> 00:15:05,559
stop the attackers. It took the
as the sector described it, entire night

128
00:15:05,759 --> 00:15:13,039
to remedy the issue, but they
did successfully protect all of the systems until

129
00:15:13,559 --> 00:15:20,480
eleven days later when more attackers came
back. This time, instead of the

130
00:15:20,519 --> 00:15:26,440
publicly revealed vulnerability, there were two
zero day vulnerabilities of the same severity affecting

131
00:15:26,480 --> 00:15:31,519
the same devices. The attackers seemed
to have thrown the book at the energy

132
00:15:31,559 --> 00:15:37,559
companies this time, and a couple
of pings back to attacker controlled servers revealed

133
00:15:37,600 --> 00:15:43,120
that they might have had to do
with the Russian group Sandworm. So I

134
00:15:43,200 --> 00:15:48,720
believe at the end of the day
all of the utilities and related companies were

135
00:15:48,000 --> 00:15:54,559
safe, but it did sort of
very obviously demonstrate the threat here. That's

136
00:15:54,639 --> 00:16:00,200
right. I mean I was in
Denmark when the story broke, at an

137
00:16:00,240 --> 00:16:07,279
event doing a book signing and had
opportunity, you know, at the event,

138
00:16:07,960 --> 00:16:17,279
the organization sector, the sector CERT that
reported the incident, you know,

139
00:16:17,320 --> 00:16:19,519
gave a presentation. I had a
chance to sit down with the technical lead

140
00:16:19,559 --> 00:16:25,279
from the CERT afterwards, and so
yeah, you know, all of that's

141
00:16:25,320 --> 00:16:33,360
true. A fine detail in my
understanding. The firewalls were not between the

142
00:16:33,360 --> 00:16:37,480
Internet and the OT systems. The
firewalls were the Internet facing firewalls for the

143
00:16:37,519 --> 00:16:42,919
business. They were the you know, the firewall that protected the IT network.

144
00:16:44,159 --> 00:16:48,519
And so the sector CERT is a
little bit unusual. They have technology

145
00:16:48,559 --> 00:16:52,799
that is getting a copy of all
the packets that are being exchanged and inspecting

146
00:16:52,840 --> 00:17:02,080
them for attack signatures at the
Internet interface of these critical infrastructure utilities.

147
00:17:02,080 --> 00:17:07,119
Their members, not at the IT
OT firewall where most people think that you

148
00:17:07,200 --> 00:17:11,440
would be you know, monitoring for
attacks. They're monitoring for attacks on the

149
00:17:11,519 --> 00:17:17,119
entire organization and they found these,
you know, these attacks. It was

150
00:17:17,119 --> 00:17:22,200
one of one of their people that
identified the the initial intrusion and they said,

151
00:17:22,279 --> 00:17:29,759
you know, really their role is
to uh detect and alarm, detect

152
00:17:29,759 --> 00:17:34,960
and inform. So they called the
affected uh organizations, said you're under attack.

153
00:17:36,000 --> 00:17:40,960
Here's the details. And a great
many of them were small, and

154
00:17:41,759 --> 00:17:45,000
you know, I didn't really know
how to deal with the intrusion. And

155
00:17:45,039 --> 00:17:49,759
so in spite of the sector
CERT not primarily, you know, being an

156
00:17:49,839 --> 00:17:55,519
incident response organization, not really having
a flyaway team, they said, look,

157
00:17:55,519 --> 00:17:57,200
this is Denmark. They got into
a car, they drove out to

158
00:17:57,279 --> 00:18:00,839
these facilities and you know, help, you know, walk them through the

159
00:18:00,880 --> 00:18:10,200
process of turning off the firewall and
updating the firmware and activating internal incident response

160
00:18:10,240 --> 00:18:15,640
to see if anything had been stolen
or sabotaged or anything. So they were

161
00:18:15,680 --> 00:18:19,359
involved in the in the incident response
as well, even though that officially isn't

162
00:18:19,400 --> 00:18:23,880
what they do. So good on
them. Yeah, that is a pretty

163
00:18:23,920 --> 00:18:29,319
crucial correction that you made to me. Although the report, the language of

164
00:18:29,359 --> 00:18:33,839
the report is a little bit broad. They say, we've experienced that Zyxel

165
00:18:33,880 --> 00:18:37,279
has used to a large extent to
protect the critical infrastructure, and we know

166
00:18:37,359 --> 00:18:41,960
that many OT environments that wait here
we go. The attack groups had a

167
00:18:41,000 --> 00:18:47,119
publicly known vulnerability that they could use
to penetrate the industrial control systems, and

168
00:18:47,160 --> 00:18:52,000
the primary defense against that happening was
precisely the equipment that was vulnerable. So

169
00:18:52,039 --> 00:18:57,640
maybe they use the firewalls to get
into the IT networks and then the IT OT

170
00:18:59,359 --> 00:19:03,400
defenses are sort of taken as a
given. Do you have any detail about

171
00:19:03,440 --> 00:19:08,400
exactly like how their network was mapped
out or not so much? No,

172
00:19:08,480 --> 00:19:11,960
I don't. I missed that in
the report. You know, I'm going

173
00:19:11,960 --> 00:19:18,240
off my memory of the conversation with
the folks at Sector. They've promised to

174
00:19:18,240 --> 00:19:21,559
come on a future episode, so
let's let's get them on and we can

175
00:19:21,599 --> 00:19:25,440
dig into the details with them instead
of relying on my fallible memory here.

176
00:19:25,960 --> 00:19:30,119
It also occurs to me as we're
talking about this, you know, this

177
00:19:30,319 --> 00:19:37,720
was a critical vulnerability in what appears
to be a relatively popular firewall product that

178
00:19:38,319 --> 00:19:44,279
might be found anywhere else in the
world. I know that there was a

179
00:19:44,319 --> 00:19:49,319
gap between the twenty fifth when the
vulnerability was revealed. We're not talking about

180
00:19:49,319 --> 00:19:52,599
the zero days here, that's another
matter, and then May eleventh, when

181
00:19:52,640 --> 00:19:57,960
the attack occurred. Is it just
that everybody would have patched in that time

182
00:19:59,000 --> 00:20:03,480
that I haven't heard some stories from
other countries, Andrew, do you know

183
00:20:03,079 --> 00:20:08,400
if this initial vulnerability was exploited elsewhere. I don't know that, you know.

184
00:20:08,440 --> 00:20:14,400
I asked Aurelio that and he basically
said, you know, he if

185
00:20:14,400 --> 00:20:17,359
he had information, he couldn't share
it with me. They have strict rules

186
00:20:17,359 --> 00:20:22,640
about non disclosure. And but you
know, to me, it's it's a

187
00:20:22,720 --> 00:20:26,279
it's an interesting question. I would
like if someone you know, digs up

188
00:20:26,279 --> 00:20:30,440
an answer. I'd very much like
to know, because what we have here

189
00:20:30,720 --> 00:20:36,359
is, excuse me, a Danish organization, the sector CERT, reporting an attack

190
00:20:36,400 --> 00:20:42,359
on Danish critical infrastructure using this firewall
as an attack vector. As you point

191
00:20:42,400 --> 00:20:48,559
out, the firewall's used very widely. Did anyone else get hit and they're

192
00:20:48,599 --> 00:20:52,640
just shut up about it? That
would be useful to know. If nobody

193
00:20:52,640 --> 00:21:00,000
else got hit and the bad guys
used this firewalls as a vector to attack

194
00:21:00,160 --> 00:21:06,440
Danish critical infrastructure, what does that
mean? I don't know. I'd very

195
00:21:06,480 --> 00:21:12,000
much like to know. Or alternatively, others were hit, and as we

196
00:21:12,079 --> 00:21:17,079
know that there is some evidence here
that there's a state sponsored actor involved,

197
00:21:17,440 --> 00:21:22,640
maybe they just didn't know. Yeah, So, like I said, I

198
00:21:22,119 --> 00:21:25,880
would like to know. I hope
that, you know, more information comes

199
00:21:25,880 --> 00:21:30,000
to light over time. I'm going
to change topics in a moment. But

200
00:21:30,240 --> 00:21:34,559
before I leave your information sharing system, you know, I know that the

201
00:21:34,599 --> 00:21:38,279
information in there is confidential, but
is there anything that you can tell us

202
00:21:38,279 --> 00:21:44,079
sort of in terms of the volume
or the quality of information that you have

203
00:21:44,160 --> 00:21:48,599
in there that you're tracking, Just
to have a small idea. When I

204
00:21:48,759 --> 00:21:56,319
look to the information gathered in our
sharing platform from January to July, and

205
00:21:56,680 --> 00:22:03,720
I didn't update it with the figures
from October, but we have something like

206
00:22:04,200 --> 00:22:14,960
sixty thousand events corresponding to five millions
of attributes and two point five millions of

207
00:22:15,079 --> 00:22:23,759
correlations among those the cybersecurity events and
the attributes. If we look to our

208
00:22:25,039 --> 00:22:30,839
the organizations that feeded the platform and
we make an average, each organization in

209
00:22:30,920 --> 00:22:41,960
average feeded something around one hundred and
fifty events in the platform. This means

210
00:22:41,039 --> 00:22:49,480
that if an organization is not part
of a community with an active and very

211
00:22:49,559 --> 00:22:59,119
proactive information sharing attitudes, the organization
is able to deal with one hundred

212
00:22:59,559 --> 00:23:06,839
fifty incidents, but it's only able
to take decisions and to make action based

213
00:23:06,920 --> 00:23:18,240
on the information delivered by one hundred and
fifty security incidents. If you broaden your

214
00:23:18,279 --> 00:23:26,519
interest, you are able to take
the same action based on sixty thousand on

215
00:23:26,559 --> 00:23:33,359
the information of sixty thousand events,
which means that the scale is much much

216
00:23:33,440 --> 00:23:45,400
higher. And if you go up
in your information scale, for sure the

217
00:23:45,440 --> 00:23:56,319
ability to take a better decision will
be much much higher. And changing gears

218
00:23:56,319 --> 00:24:00,519
a bit. I understand that,
yes, you folks are focused a

219
00:24:00,559 --> 00:24:04,640
lot on incidents and information sharing.
That's what, you know, ISAC means.

220
00:24:06,720 --> 00:24:11,440
But you're also talking to governments,
You're talking to the Commission. You know

221
00:24:11,519 --> 00:24:15,160
NIS two is the big news from
the Commission that all of the governments are

222
00:24:15,160 --> 00:24:18,920
acting on. Can you talk about
NIS two? What, what does it mean

223
00:24:18,960 --> 00:24:22,559
to your members? And you know
is there I don't know advice that your

224
00:24:22,559 --> 00:24:26,920
members are giving the member states.
What's happening with NIS two in the organization?

225
00:24:29,079 --> 00:24:34,960
Well, the NIS two as well as
the very very new Network Code for

226
00:24:36,039 --> 00:24:45,720
cybersecurity that was the closed for comments
last Friday, midnight last Friday, means for the association

227
00:24:45,799 --> 00:24:52,880
two things. All the regulation that
comes from the Commission is always concerned and

228
00:24:52,359 --> 00:25:03,000
an opportunity to have a voice on
the on the of the less legislation whatever

229
00:25:03,079 --> 00:25:14,039
it is focused on the NIS two. What this means is that looking to

230
00:25:14,160 --> 00:25:22,400
the energy sector in Europe and looking
for to the NIS. The NIS two

231
00:25:22,039 --> 00:25:34,880
broadens the accountability of the companies that
were already covered by the NIS and brings

232
00:25:34,960 --> 00:25:45,039
to the compliancy requirements a new group
of companies that were outside the NIS.

233
00:25:45,359 --> 00:25:52,359
And when we look at those companies, we see small companies. And this

234
00:25:52,599 --> 00:25:57,359
is a very very big challenge not
for the members of the association, but

235
00:25:57,759 --> 00:26:04,839
namely for the non members of the
association, because those companies and because they

236
00:26:04,880 --> 00:26:12,400
are small energy companies, they are
not so well prepared as the big players

237
00:26:12,559 --> 00:26:25,119
are in this cybersecurity challenge. So
until now they were outside the regulation.

238
00:26:25,559 --> 00:26:30,279
Now they are inside, and they
must be as compliants as the big ones,

239
00:26:30,400 --> 00:26:40,839
of course with some nuances and with
different impacts in terms of fault.

240
00:26:41,559 --> 00:26:48,920
But nevertheless, this means that there
is an opportunity to join forces instead of

241
00:26:48,079 --> 00:26:56,400
fight alone in this world. And
we recognize that that the NIS two from

242
00:26:56,480 --> 00:27:03,960
this perspective makes sense because as we
talked before, the European energy system is

243
00:27:04,039 --> 00:27:12,599
an is an interconnected system, which
means is as strong as its weakest

244
00:27:12,799 --> 00:27:21,160
link, and it's easier to attack
a couple of ten or twenty small energy

245
00:27:21,240 --> 00:27:27,480
companies and bring problems to full energy
systems than to try to attack a

246
00:27:27,559 --> 00:27:34,240
big company that is well prepared and
trained to better response, maybe is not

247
00:27:34,680 --> 00:27:40,599
going to be as effective as she
would like, but is for sure better

248
00:27:40,759 --> 00:27:48,519
prepared. And so NIS two brings
a new level level of responsibility for the

249
00:27:48,640 --> 00:27:56,839
energy companies and a new challenge in
challenge namely for the small companies that are

250
00:27:56,960 --> 00:28:02,920
not so prepared. So for sure
it will big time to start thinking collectively

251
00:28:03,240 --> 00:28:11,960
and not individually. Other way they
will be non compliant with NIS two looking

252
00:28:11,039 --> 00:28:17,359
to the big companies and to do
all companies covered by the NIS two.

253
00:28:18,640 --> 00:28:27,839
And for the first time, NIS
two recommends cooperation as a pillar for cybersecurity.

254
00:28:29,000 --> 00:28:37,160
So NIS two incentivizes these European companies
to cooperate on cybersecurity and this goes

255
00:28:37,319 --> 00:28:44,200
straight to the DNA of an association like
the ISAC. We are sharing information in

256
00:28:44,440 --> 00:28:51,799
order to be able to cooperate on
actions and to be more effective on the

257
00:28:51,920 --> 00:29:03,279
decisions. Each member can individually take
another point and that NIS brings and it's

258
00:29:03,039 --> 00:29:12,279
a challenge as well as an opportunity, is to make them responsible the managing

259
00:29:14,079 --> 00:29:26,279
the managing of the companies for assuring
the training to and to assuring the resources

260
00:29:26,119 --> 00:29:40,960
for implementation to implement mitigation measures,
which means that once once again, it's

261
00:29:42,160 --> 00:29:53,880
an opportunity to share plans and strategies
among companies in in order to have uh

262
00:29:55,160 --> 00:30:03,000
an align and the approach on those
those challenges. So I would say that

263
00:30:03,160 --> 00:30:12,279
those two points are the main news
that the NIS is bringing to the table

264
00:30:15,079 --> 00:30:27,359
and will be compulsory from next October
twenty twenty four. So it's just a

265
00:30:27,440 --> 00:30:32,640
word of background here for people who
aren't necessarily tracking what's happening in the European

266
00:30:32,759 --> 00:30:38,839
Union. NIS two is the new
I don't know, I'm not even sure.

267
00:30:38,880 --> 00:30:51,039
It's directive from the Union, from
the Commission to everyone about cybersecurity of

268
00:30:51,079 --> 00:30:56,559
critical infrastructure. It is not in
and of itself a regulation, okay,

269
00:30:56,680 --> 00:31:00,119
NIS two does not say these power
companies have to do those things. NIS

270
00:31:00,359 --> 00:31:07,400
two is a requirement. It orders
the member states to pass regulations and it

271
00:31:07,480 --> 00:31:11,240
says you have to take these factors
into account when you decide which of your

272
00:31:12,000 --> 00:31:18,440
uh You know, power providers and
other critical infrastructures are critical. You have

273
00:31:18,680 --> 00:31:22,480
to pass laws that have these kinds
of characteristics. And you know it's called

274
00:31:22,519 --> 00:31:26,039
NIS two because NIS happened a few
years ago, was the same thing,

275
00:31:26,440 --> 00:31:32,200
ordered the member states to pass laws, and so things are a little bit

276
00:31:32,200 --> 00:31:37,640
different in every member state. And
the new regulations, the new NIS two has

277
00:31:37,720 --> 00:31:45,000
got broader strokes, you know,
as Aurelio said, more smaller utilities are

278
00:31:45,119 --> 00:31:48,319
coming into scope in the very broad
brush of NIS two, and of course

279
00:31:48,480 --> 00:31:55,480
in the the individual national regulations that
will come about because of it. You

280
00:31:55,559 --> 00:31:59,640
know. The other one, the
Network Code for Cybersecurity. This is something

281
00:31:59,720 --> 00:32:04,039
that's newer than, than NIS two. It's
still being being created, but in my

282
00:32:04,160 --> 00:32:10,319
understanding, it's analogous to North America
NERC CIP zero one two, twelve. You

283
00:32:10,400 --> 00:32:14,759
know, the NERC CIP family of standards
has I don't know, fourteen standards in

284
00:32:14,839 --> 00:32:21,480
it. Twelve is one of the
things twelve talks about. They use very

285
00:32:21,559 --> 00:32:27,880
technical terminology in twelve, but it's
loosely interpreted as requiring encryption between control centers.

286
00:32:28,400 --> 00:32:32,880
You know, the control centers are
the places the systems that control large

287
00:32:32,960 --> 00:32:37,400
chunks of the power grid, and
when they talk to each other about how

288
00:32:37,480 --> 00:32:40,640
much extra capacity they have, how
much power is flowing through them, you

289
00:32:40,680 --> 00:32:46,880
know, all this real time communication. CIP twelve roughly requires encryption. I'm

290
00:32:46,920 --> 00:32:52,799
guessing the same thing is coming in
the new law in Europe because increasingly the

291
00:32:52,839 --> 00:32:58,359
European power grid is integrated. There
are you know, there's electricity being sold

292
00:32:58,480 --> 00:33:01,960
from one nation to the other.
Every nation tends to have its own control

293
00:33:02,079 --> 00:33:07,039
center, and of course now they're
all increasingly talking to each other to facilitate

294
00:33:07,160 --> 00:33:14,640
these international flows and exchanges and you
know, purchasing and selling of power.

295
00:33:14,759 --> 00:33:21,160
So it's uh, it's a complicated
space. So NIS two is going to

296
00:33:21,279 --> 00:33:24,400
change a lot. I mean,
member states are passing their regulations right now

297
00:33:24,519 --> 00:33:30,880
to comply with the with the directive. Is the EE-ISAC involved in, you

298
00:33:30,960 --> 00:33:36,279
know, creating or or I don't
know, influencing this regulation. You talked

299
00:33:36,319 --> 00:33:43,920
about the NIS two, but as
I said previously last week, the public

300
00:33:44,039 --> 00:33:59,559
discussion on the network code for cybersecurity
was open for discussion and when we look

301
00:33:59,759 --> 00:34:08,599
and it's also a very important piece
for the cybersecurity wall in Europe. And

302
00:34:08,880 --> 00:34:16,039
the Association also was able to comment
and to deliver a position paper to the

303
00:34:16,119 --> 00:34:22,480
Commission, and as well as it
did do with the NIS two, the

304
00:34:22,559 --> 00:34:29,239
association is usually thin. Main concerns, if I may might say, when

305
00:34:29,480 --> 00:34:37,800
we look to the legislation and usually
we start working within the working groups that

306
00:34:37,960 --> 00:34:44,920
are responsible to write the legislation.
But when we look to the final documents,

307
00:34:45,639 --> 00:34:52,880
what we look for is to check
the consistency of the legislation and the

308
00:34:53,000 --> 00:35:00,280
consistency as at the document level.
For instance, when we look at it

309
00:35:00,400 --> 00:35:08,239
to the NCCS, we saw some
inconsistency, some potentially inconsistency on the way

310
00:35:08,840 --> 00:35:15,000
the document described a cyber incident or
a cyber attack. And this is something

311
00:35:15,079 --> 00:35:22,239
that cannot be misconfused. And so
what we do in this city, in

312
00:35:22,400 --> 00:35:30,159
this case is to comment and ask
the Commission to make clear the concepts and

313
00:35:30,360 --> 00:35:37,719
the terms that they are using on
the legislation that usually is already complex enough

314
00:35:39,280 --> 00:35:46,079
that used to me to be misconfused. The second one is about efficiency,

315
00:35:46,599 --> 00:35:54,719
and about the efficiency means know what
the doing is and the leverage on existing

316
00:35:54,920 --> 00:36:04,239
work or existing technology. So the
same way that the NIS two was built

317
00:36:04,320 --> 00:36:12,840
up from the NIS the NCCS and
the one was published for public comments,

318
00:36:13,840 --> 00:36:20,320
was within a moment where other pieces
of legislation was already in place, and

319
00:36:20,800 --> 00:36:29,639
we must assure that is not going
to invent or reinvent the wheel and put

320
00:36:30,360 --> 00:36:35,440
other rules besides the ones that are
already in place or are going to be

321
00:36:35,519 --> 00:36:46,280
in place and risk to impose double
lens of action that will be useless and

322
00:36:50,199 --> 00:36:54,480
inefficient. And the third, last, but not least, is the time

323
00:36:54,599 --> 00:37:00,239
to action or what we try to
see is and comment is if the time

324
00:37:01,000 --> 00:37:07,519
to make it possible is suitable or
not. And for instance, looking going

325
00:37:07,599 --> 00:37:13,920
back to your first question, but
the NIS two, one criticism that most

326
00:37:13,960 --> 00:37:20,519
of the sector puts is that it
will be very difficult, if not impossible,

327
00:37:21,599 --> 00:37:27,800
to assure that companies are ready for
NIS two in October of twenty twenty

328
00:37:27,880 --> 00:37:34,679
four. If we think that most
of those companies now covered as small,

329
00:37:35,639 --> 00:37:44,480
they don't have resources, neither financial
nor in people, don't have Mathew teams

330
00:37:45,079 --> 00:37:52,039
in terms of cybersecurity, and even
if they have the money, they are

331
00:37:52,360 --> 00:37:58,599
going to face the shortage of skills
that we are facing in Europe and the

332
00:37:58,679 --> 00:38:05,679
worldwide when we talk about cybersecurity,
which means that they are not talent enough

333
00:38:07,320 --> 00:38:17,920
in Europe to ensure the resources we
need to fulfill the NIS two requirements.

334
00:38:19,039 --> 00:38:27,639
But this is a challenge, this
is an opportunity for cooperation and it's too

335
00:38:27,800 --> 00:38:34,840
that we need to move forward,
otherwise we will be as weak as the

336
00:38:34,960 --> 00:38:39,880
weakest link and it will not
conceivable in European terms. Okay, so,

337
00:38:40,119 --> 00:38:45,599
so sharing actionable intelligence, you know, working with government authorities to try

338
00:38:45,639 --> 00:38:50,639
and influence legislations so that it,
you know, doesn't mess things up too

339
00:38:50,679 --> 00:38:55,760
badly with with inconsistencies and whatnot.
I understand as well that the ISAC hosts

340
00:38:55,880 --> 00:39:00,440
face to face meetings. In those
meetings, I mean, what do you

341
00:39:00,519 --> 00:39:04,320
accomplish what what what do you do
face to face that that doesn't happen through

342
00:39:04,360 --> 00:39:07,840
your portal and through these uh these you
know, letters of the center governments.

343
00:39:08,960 --> 00:39:15,280
Okay, thank you for your question. It's a quite relevant one. We

344
00:39:15,400 --> 00:39:21,760
can split the face to face meetings
in two types. The first one is

345
00:39:22,480 --> 00:39:29,000
face to face meetings with members,
and face to face meetings with members are

346
00:39:29,119 --> 00:39:37,360
mostly to share non disclosable information.
There is no way to share non disclosive

347
00:39:37,400 --> 00:39:44,880
information unless you make a face to
face meeting because this information usually is even

348
00:39:44,960 --> 00:39:52,599
not written. The second one is
with non members, can be prospect members

349
00:39:53,519 --> 00:40:06,079
or in intending members, and in
this situation, the face to face meetings

350
00:40:06,239 --> 00:40:13,360
is critical to build trust. This information
sharing is only possible if you do it

351
00:40:14,079 --> 00:40:20,679
in the trustable community. And the
trustable community is more than a group of

352
00:40:20,840 --> 00:40:29,199
people that you know by name and
by affiliation, into an organizations people that

353
00:40:29,360 --> 00:40:37,079
you need to know in the eyes
and with you can identify yourself and at

354
00:40:38,320 --> 00:40:54,239
a level that allows you to share
and and at back uh useful information to

355
00:40:54,760 --> 00:41:01,559
yourself. And so I would say
that face to face meetings for members are

356
00:41:01,639 --> 00:41:15,599
critical to two to keep the trust
and to share non disclosable information to non

357
00:41:15,920 --> 00:41:21,960
to non members. The face to
face meetings are critical because are the first

358
00:41:22,079 --> 00:41:30,480
seed to build to build trust,
and without them we were lack the most

359
00:41:30,599 --> 00:41:37,320
critical value of an ISAC which is
that is trusted. Well, this has

360
00:41:37,400 --> 00:41:40,880
been good. Thank you, Aurelio, for
joining us. Before we let you go,

361
00:41:42,079 --> 00:41:45,800
can you sum up for us?
You know what? What what should

362
00:41:45,840 --> 00:41:52,320
we be taking away about working with
an organization like the European Energy ISAC?

363
00:41:52,599 --> 00:41:58,760
Thank you for your question, Andrew, Well, I would say that there

364
00:41:58,840 --> 00:42:05,440
are meant for main takeaways that I
would like to share with you. The

365
00:42:05,519 --> 00:42:12,199
first one is that active information sharing
in the trusted community is a power,

366
00:42:12,840 --> 00:42:20,480
very powerful pillar, if not the
most powerful pillar in a successful cybersecurity strategy.

367
00:42:22,039 --> 00:42:27,880
The second one is that capabilities are, by the end, the outcome

368
00:42:28,360 --> 00:42:34,119
of knowledge and experience, and through
an association like the ISAC, when you

369
00:42:34,280 --> 00:42:40,440
share knowledge and you share information,
you are able to improve both both knowledge

370
00:42:40,800 --> 00:42:52,000
and experience and get more capable to
face the cybersecurity challenges. The third one

371
00:42:52,960 --> 00:43:00,559
is that almost as a consequence,
is that through cooperation we will for sure

372
00:43:01,400 --> 00:43:13,480
reach further than we stay alone in
this challenging cybersecurity world. And last,

373
00:43:14,480 --> 00:43:22,440
but not the least, what I
can say is that if someone that is

374
00:43:22,679 --> 00:43:30,719
listening and is working in the energy
sector and is not yet member of the

375
00:43:30,519 --> 00:43:37,280
European Energy ISAC or even in an
energy ISAC in his own country, don't

376
00:43:37,400 --> 00:43:46,719
wait more and join us. And
this because it's more than ever time to

377
00:43:46,920 --> 00:43:57,639
act together. So look to the
our website, get in touch, and

378
00:43:57,960 --> 00:44:06,679
will be more than pleased to get
you on board. So, Andrew,

379
00:44:06,760 --> 00:44:10,840
that was your interview with Aurelio Blanchie. Do you have anything to take out

380
00:44:12,119 --> 00:44:15,800
our episode with today? Yeah,
you know, Aurelio pointed out sort of

381
00:44:17,119 --> 00:44:22,320
three priorities for the ISAC, you know, active information sharing, sharing and developing

382
00:44:22,719 --> 00:44:30,280
capabilities knowledge experience. He pointed out
that cooperation makes us all stronger. And

383
00:44:30,639 --> 00:44:37,599
you know, NIS two is requiring cooperation
among critical infrastructures. And NIS two is

384
00:44:37,800 --> 00:44:40,519
you know, is not saying you
have to go join the energy ISAC,

385
00:44:40,599 --> 00:44:44,679
but it's saying you need to cooperate. You know, we need to

386
00:44:44,760 --> 00:44:47,519
be stronger, and here's an opportunity
to do that. I mean, it's

387
00:44:47,840 --> 00:44:52,920
it's a truism that our enemies cooperate. You know, nation states cooperate against

388
00:44:53,039 --> 00:44:58,559
us with their allies. There's a
dark web where criminals cooperate, where they

389
00:44:58,599 --> 00:45:01,079
share information, they buy services from one another. We need

390
00:45:01,159 --> 00:45:05,960
to do the same. We are
stronger together. They are stronger together.

391
00:45:06,119 --> 00:45:09,599
We need to be stronger than they
are. So it all makes sense to

392
00:45:09,679 --> 00:45:14,320
me. Well, thanks to Aurelio
for speaking with you, and Andrew,

393
00:45:14,400 --> 00:45:16,679
thank you for speaking with me today. It's always a pleasure. Thank you.

394
00:45:16,800 --> 00:45:22,599
Nate. This has been the Industrial
Security Podcast from Waterfall. Thanks to

395
00:45:22,639 --> 00:45:23,280
everyone out there listening.
