IT security

Austrian Energy CERT for cybersecurity resilience

Austria’s energy sector players have teamed up to implement an independent computer emergency response team for IT security support.
Published: Tue 16 Apr 2019

Cybersecurity is a top of mind subject for many in the energy sector as the threats increase and the chance of attack grows. The question is how it should be addressed and one example comes from Austria, which has launched a national ‘computer emergency response team’ (CERT) for the energy sector.

While companies clearly have a responsibility to their business and customers to take individual measures, there are additional benefits to be gained by collaborating with peers.

“The whole process started with a risk analysis on security of supply back in 2013,” explained Walter Fraissler, Head of Information Security at the Austrian energy company VERBUND, to Engerati in an exclusive interview on the energy CERT, which came into operation in 2017. “It was triggered by the risk analysis initiated by the national regulator, but it is the many member companies that have developed the CERT.”

The concept behind the CERT, which first emerged in the United States in the late 1980s and is attracting interest in a growing number of countries around the world from the Nordics to Australia, is to serve as an expert group to address IT security threats be it on a national or a sectoral basis according to how it is constituted.

“Our goal was that it should be an independent body with a high degree of trust held from government as well as members,” says Fraissler, adding that building this trust also has proved one of the most challenging and time consuming aspects of its development.

CERT tasks

The energy CERT is intended as a single point of contact between national authorities and members for any issues pertaining to IT security in the sector.

A key task is to collate and share information on security threats among the members, which includes the delivery of regular situational reports. Another key task, which Fraissler says is only possible for a “trusted partner”, is in the event of a security incident within a member, to investigate and report if also it is impacting other members.

“Very quickly the CERT can indicate if an incident is an isolated event or one affecting the broader industry,” he says.

Another task which the CERT has taken on as it has become more established, and which Fraissler says is also important for establishing a trusted community in the sector, is security training such as red team/blue team events to simulate the occurrence and response to a cyber attack.

“For companies to share information the trust is needed not only with the CERT but between the companies themselves.”

Lessons learned

Fraissler says that an energy CERT as a sectoral body is likely to be most beneficial and is recommended in a country such as Austria, where there are a large number of players but would be less so in a country with large monopoly companies.

“We have many companies with limited resources and having a dedicated team with specific knowledge is highly valued,” he says, noting that it operates with 24/7 duty availability.

However, he notes that finding the right skillsets to staff the CERT also proved to be a challenge. Currently it has just a handful of staff on a fulltime equivalent basis but through synergies with other organisations is able to collaborate and share some resources.

Fraissler says the energy CERT was brought into operation in a three-phased approach, each of them with six months duration. The first phase was a trial operation, phase two provided basic services and in phase three it ramped up to full operation.

“We have now had almost two years of operation and we are looking at how we can develop over the next couple of years, perhaps by giving the CERT additional tasks and responsibilities,” he comments.

“There is no 100% security and while we can think we are well prepared, we still need to be up to date with new developments, programmes and projects constantly.”

Pic Copyright VERBUND