ENCS – The Critical Infrastructure Protection & Resilience Europe (CIPRE) interview

Ben Lane, CIPRE event manager, met with Anjos Nijk, Managing Director, the European Network for Cyber Security (ENCS), in the Netherlands.

ENCS shares information and knowledge with its network of members, who are all experts on cyber security in the EU. It develops knowledge in three long-term security programs that are run by its consultants, in close collaboration with members’ security experts. It then shares the acquired knowledge through events, security requirements and best practice documents. It also provides testing, training, and consulting services to individual members.

Ben Lane:

Thank you for joining us today for our 15-minute CIPRE interview. We also look forward to welcoming you to the CIPRE 2024 conference in Madrid as one of our speakers in the session: Implementation and Impacts of Network Code on Cybersecurity (NCCS) and NIS2 Directive.

Let us start with something you will be familiar with! Can you provide some background about your career journey to date?

Anjos Nijk:

I have a background in informatics and business administration. I started off in international telecommunications, working with AT&T and Lucent Technologies in the international telecoms markets.

I worked for a joint venture that had a license for biometric technology to build applications for border passage access control. This is how I entered the security domain. This was with Schiphol Group and Johan Enschede; I was introducing biometric access control solutions to the market.

I was then a co-owner of a company that developed technology by combining speech recognition with web technology and building applications around that concept. This business was acquired by a telecoms provider, and I then started to address the issue of cyber security in the grids, electricity grids initially, during the introduction of smart meters.

Grid operators realized they did not fully understand the risks associated with introducing IT technology into the grid. So, they recognized the need for dedicated support and the development of knowledge and skills required to deal with it on a cooperative basis. This is how the idea developed for the European Network for Cyber Security (ENCS), an independent non-profit organization owned by grid operators that helps its members cost-effectively reduce cybersecurity risk.

Ben Lane:

Thank you. Can you please explain the main functions of ENCS?

Anjos Nijk:

ENCS’ members collaborate on cybersecurity research, capacity building, and knowledge sharing. ENCS has a pool of highly skilled grid security experts that collaborate with member experts to increase their resilience level. It develops content, shares knowledge and dedicated programs for security policy, architecture, and operations and is actively involved in European expert groups preparing for new European security regulations. It also provides support to members to implement its good practices, and develops and delivers security testing and training services.

Ben Lane:

ENCS is responsible for supporting members to implement the network security code as well as the NIS2 Directive, which work in parallel. What are the biggest challenges you are finding in this area?

Anjos Nijk:

Both regulations broadly have the same goal, which is to establish risk management and incident reporting, but there are significant differences in both the scope and requirements. Also, both regulations have their own governance structure with specific tasks and responsibilities for each regulation. So, for grid operators, there may be different authorities they have to deal with on the same topic but with different requirements. On top of that, additional regulations come into force at the same time, such as the CER, the Critical Entities Resilience Directive, and the CRA or Cyber Resilience Act.

Ben Lane:

Thank you for that broad overview, which is extremely useful, and we look forward to hearing more on this topic at CIPRE 2024 in Madrid. Can you provide your view and any clarity about the main differences that you see between the Network Code Cybersecurity and the NIS2 Directive?

Anjos Nijk:

The NIS2 is a horizontal regulation, which means that it applies to all sectors, whereas the Network Code Cybersecurity is a vertical regulation focused on cross-border electricity flows and can be considered as complementary to NIS2. In general, Network Code Cybersecurity is much more specific in its methodologies and requirements, while NIS2 is more open for national authorities to decide upon. The scope of Network Code Cybersecurity includes all electricity entities in the scope of the NIS2, but in addition, it includes European associations and government agencies at EU and national level. And if using the Network Code Cybersecurity, not all entities have to apply the measures because of the risk-based approach.

The risk-based approach is one of the principles of the Network Code Cybersecurity, which is a well-defined process. However, it is quite complex. The Network Code Cybersecurity will establish common minimum requirements with mandatory controls, which all critical and high impact entities in Europe must apply. So, only critical and high-impact entities must implement advanced controls for the critical impact perimeter, and minimum controls for the high impact perimeter.

The Network Code Cybersecurity also includes specific requirements for manufacturers regarding secure development, vulnerability handling, and protecting customer access. These aspects are unique to the Network Code and are not directly addressed by NIS2. And besides that, the Network Code Cybersecurity has a dynamic character, with risk assessment cycles of three years. This allows for the incorporation of threat level and technology developments into the risk-management approach. This is crucial, as we saw with the NIS1, which was static and required an update shortly after its introduction, leading to NIS2. In that respect, Network Code Cybersecurity is much more dynamic.

One more difference I would like to highlight is related to information sharing. Both the NIS2 and Network Code Cybersecurity include obligations for sharing of information, but they are quite different in this regard. A crucial distinction is that the Network Code Cybersecurity includes a mechanism for sharing information with entities cross-border. This, I believe, is an important addition to what NIS2 requires. Essentially, Network Code Cybersecurity enhances the sharing of information on cyber-attacks with cross-border effects, utilizing the reporting processes already established by NIS2.

Ben Lane:

That is a great summary. This then leads us to your members. What are the main cyber threats your members are currently experiencing?

Anjos Nijk:

I do not think there has been much change in terms of the main threats; they remain largely the same. However, there has been an increase in the volume of attacks in the IT domain, as well as in the sophistication of those threats. I do not consider these the main threats. For us, we consider nation-state actor threats and ransomware as the biggest threats for grid operators, as they could interfere with grid operation and even cause blackouts and put human life at risk. These are the most significant and complex threats to deal with, particularly when it comes to nation-state actors.

And obviously with the political climate, the threat has increased. So, this is, I think, where it is important to address the level of the expertise required to be able to understand and to get prepared for this type of attack. There are still some activities that we observe but do not fully understand, due to their complexity. Those are the ones that we really should be concerned about.

And besides that, there is the threat that is building up through all the connected infrastructures. These connected infrastructures create interdependencies, and they may have a significant impact on the grid stability. The problem of this domain is that those connected infrastructures are not yet properly regulated.

Ben Lane:

The last point, there are limited experts in this area in cybersecurity. In broad terms, what do you recommend to your members?

Anjos Nijk:

To start with, it is about collaboration. I recommend making use of expert pools, like ENCS, and sharing information and knowledge across the industry. Then grid operators need to ensure that cybersecurity knowledge is represented at board level. This is especially important to implement ISMSs with clear responsibilities and controls, to allocate budget for cybersecurity, and to have dedicated cybersecurity training and exercising programs in place.

Besides that, it is of utmost importance to perform penetration testing, to include cybersecurity requirements in the procurement process, and to ensure that no new equipment enters the grid before security testing has been performed.

Ben Lane:

That is an effective way to wrap up that conversation. It leaves things hanging in the air for further conversations, which is why we are going to be meeting in Madrid. We look forward to hearing more!

Anjos Nijk:

Excellent. Thank you. I am looking forward to seeing everyone in Madrid, in November.