EE-ISAC – The Critical Infrastructure Protection & Resilience Europe (CIPRE) – An interview

September 6, 2024

Ben Lane, CIPRE event manager, met with Aurelio Blanquet, Secretary General of EE-ISAC – the European Energy Information Sharing & Analysis Centre.

The EE-ISAC is an industry-driven, information sharing network of trust. Private utilities, solution providers and (semi) public institutions such as academia, governmental and non-profit organizations share valuable information on cyber security & cyber resilience.

Ben Lane: Briefly explain the ultimate purpose and goal of EE-ISAC.

Aurelio Blanquet: The ultimate purpose of the ISAC is to provide a trusted community for joint analysis of cybersecurity threats, vulnerabilities, and incidents leveraged by a timely vaulted of information sharing that allows its members to take their own effective measures supported by better informed decisions. The final goal is to make information sharing a cornerstone to improve the resilience and cybersecurity of the European energy infrastructure. As the three main pillars we always tend to talk about technology, processes, and people. However, co-operation and information sharing are a founding base for what we do and without that, we would be lacking a critical building block of the knowledge, awareness, preparedness, and response needed to achieve a more cyber-secure European energy infrastructure.

Ben Lane: That’s a good overview. Thank you. Let’s drill a bit deeper then into information sharing. What methods do you use to share information and who gets the information?

Aurelio Blanquet: We have two main approaches: at the member level we aim to contribute to embed information sharing into the cybersecurity processes of our members or use their processes already in place syncing their own MISP (Malware Information Sharing Platform) if they have one, or pushing them to directly feed the EU MISP, a platform developed under the EC project “Empowering EU ISACs”, provided by the EC and hosted by ENISA since September 2022.

At the same time, we incentivize our members to work on Threat Analysis and to develop Threat Intelligence skills. We must note that the work developed at EE-ISAC is mainly done by its members; not only because they are the owners of sensitive cybersecurity information, but also because they are the ones that know what kind of actions they need to take. So, they are the main players in this work and what we do is to help and incentivize them to have these processes in place. The European Commission provided a European MISP platform for all the EU ISACs. Once a member has an incident he should work on it, do a threat analysis, and develop threat intelligence capabilities.

An important part of the methodology is to vault the information that is loaded on the platform. To assist in this task, we have a core IT team made up of volunteers from members to carry out this operation to ensure that all the information that is fed onto the platform is properly vaulted.

The other approach is at the European level, and our goals and objectives are to target operators and stakeholders from all European countries, including the UK. The goal is to have all countries represented in the EE-ISAC because in this way we can cope with different sensibilities, geographical situations, geopolitical exposure, and we also need to be all connected from the information point of view.

Ben Lane: How is information disseminated? And a secondary question is about non-members because it seems there might be some gaps in the information sharing, i.e., your members need to actively find the information. How does that happen? And anyone not within EE-ISAC as a member is not seeing the information, is that correct?

Aurelio Blanquet: This depends on the confidentiality level of the information. We use a TLP protocol and if the information that is fed onto the platform, as well as the threat analysis that we are talking about, is TLP red, the answer is clearly no: This information will not be delivered outside the group defined in the dissemination. Of course, if the TLP is green or white, the information will become public.

For example, if we are working with a member on a report that later will be made publicly available, from the moment we start working on the report to the moment before delivery, the report is accessible for all members because some of them will be contributors to the report, which means that the information is always delivered in a timely fashion to members. The single most important responsibility of each member is to ensure that they are responsible for their own information and the use of anyone else’s information respecting the TLP protocol.

Ben Lane: What advantages does a member of EE-ISAC have over a non-member? Can you describe the advantage? Do members support EE-ISAC financially?

Aurelio Blanquet: This is a not-for-profit organization; the only source of revenue comes from membership fees. We don’t attract sponsorship. From the very beginning in 2012, we realized that one of the critical issues was knowledge. We all need knowledge, and we all need knowledgeable information. In the very early draft design of the DENSEK project (a H2020 project and the founding father of the EE-ISAC), we realized that looking to the energy sector, the knowledge that we had in 2012 and even now around cybersecurity joining all the energy companies was not enough to claim we were a knowledgeable group. So, who could add to and complement our knowledge? The first answer of course is the solution providers; they provide the solutions we need to overcome our challenges. So: we have problems, we have needs as energy operators, and the solution providers develop solutions. But this is not enough because on the ‘top of the edge’ of knowledge is academia and research institutes. Those are the guys mainly responsible for ensuring that knowledge in Europe is on ‘top of the edge’; they are responsible for the research, they are the main actors for learning and teaching. Without academia, we were lacking knowledge, and we were lacking a unique opportunity to learn. And so, we have academia and research institutes as members, and we decided their membership fees would be paid in “kind”, not in money.

We also work closely with EU entities as non-paying members, such as ENISA for example. ENISA delivers knowledge, reports and other services as the EU Agency for Cybersecurity. We also realized that we need another category of stakeholders that were not able to be members because they were not European, or if they were, they were not operators nor service providers. And so, we decided to create partnerships with other ISACs such as the Japanese Energy ISAC (JE-ISAC) as well as the US Energy ISAC (E-ISAC) to widen the knowledge base and viewpoints.

We also launched co-operation with other organizations such as the EUTC (European Utilities Telecom Council) because we realized that if we are talking about the European energy infrastructure as critical, then it goes without saying that they depend on telecommunications. And telecommunications are also a critical infrastructure for energy, so it made sense to partner with EUTC.

The same way with E.DSO (European Distribution System Operators) as representative of the European DSO with the largest electricity infrastructures and the ENCS (European Network for Cybersecurity), also a European association with a permanent team of experts that makes it the point of excellence in designing cybersecurity solutions for its members, who are exclusively European energy utilities.

Ben Lane: It might be useful to understand how you see collaborations developing in the future because there will need to be increasing collaborations across Europe to ensure these standards and these recommendations are fully promoted to the widest possible audience.

Aurelio Blanquet: Yes, I think it will be a never-ending process, and very challenging. The EUTC collaboration is a good example of how other collaborations can develop; by having a single voice for cybersecurity in telecommunications for utilities means we are combining numerous telecoms, cybersecurity, and “energy perspective” skills in one place, which means the “whole” is working together much more effectively. We will always be looking for new co-operations and collaborations for the benefit of a wider community.

Ben Lane: Thank you for your time, and good luck in your important work and we look forward to meeting you all at CIPRE 2024, in Madrid!
