Tell us a about your current role at Nuclearelectrica SA?
After three years as CIO of the central government I joined Nuclearelectrica, the only nuclear power generation company in Romania and one of the most prestigious Romanian organizations. Nuclearelectrica is highly respected among international peers, having one of the highest nuclear safety standards at international level. As CIO, I am responsible to lead the ICT digital transformation which translates into coordinating and prioritizing initiatives and projects, develop an integrated and updated technology and cybersecurity architecture to digitize processes, monitor and protect against IT, OT, IoT and hybrid threats. This industry is for good reason highly inertial and I confess it is a challenge to apply a sustained adaptation and digitization approach in a sector where safety is and will always be the main objective. This leads to longer implementation periods that is in contradiction with the acceleration shown by current technologies.
As CIO of one of Romania’s top critical infrastructures – what are your main security concerns and what are you prioritising at the moment?
We are reconsidering the cybersecurity architecture in order to address the current evolving threat landscape. The way technologies interact with one another has changed dramatically in the past five years and we need to take advantage of the latest capabilities in order to be able to provide adequate protection to our infrastructure. Without touching on specific details I can mention that our priorities are to re-engineer our current SOC and allow it to monitor individual sets of assets as well as the infrastructure as a whole in order to prevent against hybrid threats as well as APTs – advanced persistent threats that can take advantage of any vulnerability to reach a DCA – digital critical asset.
Have you seen any recent shifts in the cyber threat landscape? And, how is this affecting critical infrastructures?
The landscape is always dynamic with specific vectors that are behind the majority of attacks – I mean emails, web applications as prevalent malware entry points. In addition to these classic remote vectors, hacking techniques take increasing advantage of errors and misconfiguration and credential theft and on top we have crisis like Covid that offer more opportunities for attackers. We notice more credential sets come up in the dark web while driving a more complex infrastructure challenges the level of knowledge allowing for poor configuration and monitoring to become a real vulnerability. Financial gain remains the largest threat because it targets all vulnerable systems and is delivered mostly through ransomware attacks but organized groups as well as state actors have become increasingly active in critical infrastructures. Basically, a critical infrastructure is targeted by both general attacks as well as organized and well-funded dedicated attacks.
What are the 3 main challenges that cyber leaders in Europe are facing at the moment? And, do you think enough is being done at the EU level to properly address these issues?
Policy is always behind the trend and defined by the trend. Addressing the second question we would need supporting policy for sharing-driven organizations like ISACs and CSIRTs in addition to regularly updating existing policy and make it as specific as possible so all organizations understand how to apply it in a uniform manner.
Regarding the challenges, there is a limited but growing European role in both available funding and common protection infrastructure:
Complex programs/calls, lengthy projects with a big unknown if the submitted will receive financing. Cybersecurity is expensive and support is needed faster. There is also little standardization among member states but this will change for the better with new initiatives like the NIS Directive and eIDAS. Resilience is a team-role; no individual organization can be successful on its own.
Second, regarding day to day operations, there is an evolving landscape, hybrid threats, increased footprint (BYOD, mobile, cloud, social etc), lack of resources including specialized employees and more complex IT platforms to manage – all leading to errors and poor monitoring – now among top vulnerabilities.
Third, the Covid crisis has redefined the way we access the IT resources from remote, bringing complex challenges from the VPN infrastructure to BYOD and properly implemented identity management.
Looking at the protection of critical infrastructures in Europe, in which area do you think collaboration between states at the European level is the most mature? And where is it needed the most?
Probably the most mature collaboration outside GDPR and eIDAS is related to the NIS Directive that has been explicit in standardizing the protection of essential service providers across Europe. A practical implementation part of the NIS Directive is the chain of European CERT organizations where cooperation is active, even though mostly is still done on a one-to-one basis. This cooperation would be best to be widened so information sharing becomes standardized and done in real-time.
What have been the biggest challenges around COVID-19 for your organisation? And, how did you approach to them?
The biggest challenge was to quickly enable remote access within an organization that has forever prevented it. I would say it is a common critical infrastructure consideration to prevent external access to resources so we had to quickly implement a solution that will allow us to function under new social distancing rules. VPN, remote communication, digital signatures, digital document registration and archiving and other solutions have been implemented.
What impact do these challenges have on your cybersecurity strategy?
Fortunately enough, the majority of the implemented solutions were already a part of the cybersecurity strategy. Only the implementation schedule has been aggressively brought forward and so did the budgets we had to allocate. Another challenge has been to quickly enable our employees to use the new products, draft new procedures, manuals etc.
What does the next 5 years hold for your industry?
The energy sector is facing an upcoming digital transformation of core aspects such as the adoption of digital work packages, virtual, augmented and mixed reality for training, testing, technical documentation access and simulation, knowledge transfer through digital means, building of excellence centres to cooperate with peers, universities and other organizations.
Connect with Christian and learn more about how Nuclearelectrica ensured business continuity during the Covid-19 pandemic as part of a in-depth case study at the upcoming CS4CA Europe Online Summit. This includes how the company maintained cyber hygiene whilst working from home, how they deployed a global ByoD security policy in just 10 days and how they managed supply chain security.
Find out more and secure your place at CS4CA on 6th – 7th October, for FREE here.
Use complimentary discount code: EUVIP
