Impressions, surprises and renewing collaborative efforts while co-moderating a tabletop exercise

This past week was quite challenging as I was just coming from a visit to a pipeline asset owner in Germany[1] and needed to switch gears and support our Centers Tabletop Exercise Coherent Resilience 2019[2].  Each experience seemed to complement the other as in the former I was immersed in the real world of an industrial operation and then had to adapt to a “make believe” world dominated by a scenario playing on a natural gas pipeline.  There were 4 syndicate groups and I was appointed co-moderator of Syndicate 4 which focused on the scenario’s cybersecurity aspects played out over 3 days.  Will share some impressions and some surprises as I collaborated with a diverse group of experts from government, research institutes and natural gas transmission operators from 10 countries.

The most difficult part of moderating such a diverse group was in finding a common understanding of the peculiar security aspects of OT as compared to IT.  In the end we all seemed to agree that IT and OT are different and that a better understanding of OT is badly needed in order to adequately inform policy making.  We thought policy makers should avoid causing more headaches for the OT side in trying to fit in a poorly thought out policy into their critical operations. Someone said we “we need to trust the professionals”.   Strong participation by OT representatives (engineers) needs to be brought into the room, especially to achieve balance where IT biases may be too strong.

One of the biggest surprises for me took place when we discussed the importance of regional cooperation and information sharing.  This became evident as we realized how interconnected Lithuania, Latvia, Estonia, Poland and Finland were in terms of the energy networks.  A failure in any one country could cause serious issues of supply in another or even more countries that are now linked or are about to do so.  We focused on the question of collaboration among the national CERTs in investigating a cyber incident during a crisis in the energy sector.  One colleague from one of Lithuania’s neighbors expressed some disappointment in the lack of contact with his colleagues in Lithuania.  This was quite a surprise for me since in 2015 I worked with colleagues from Latvia and Estonia to have our Governments sign a Memorandum of Understanding (MoU) on Cooperation in Cybersecurity on November 4, 2015[3].  This MoU which included language very applicable to the issues we were discussing about collaboration and threat information sharing about incidents in critical infrastructure was not mentioned by any other participants.  I promised this colleague that I would do something about this and try to find out why the Lithuanian side as he put it “was hiding from us”.

First page of 3 Baltic States (Lithuania, Latvia, Estonia) MoU for Cooperation in Cybersecurity. Many of the concerns (information sharing and critical infrastructure) discussed during the exercise were covered in the MoU but no one referred to it during the exercise. A resource that remained unused. Perhaps the exercise will renew interest among the 3 countries.

It came down to the final closing ceremonies and as we were gathering I ran into my Minister and decided to go for it.  I introduced myself and explained the issue raised by one of our neighboring countries in regard to cooperation in cybersecurity and the MoU.  He listened and I was very happy to see that he later had several conversations with my colleague who raised the issue of our lack of collaboration.  The signs looked good and I hope a spark emerged which will rekindle interest in cybersecurity collaboration as approved in the MoU signed by the cybersecurity authorities from the 3 Baltic Countries (Lithuania, Latvia, Estonia) in 2015.  One that had a special signing event and feature. It was signed “live” via video teleconference with each of the 3 ministers using their own nation’s electronic signature on the same document.  [4].

Probably the biggest surprise for me was realizing that I had more in common with my co-moderator than I thought.  Our views during the exercise did not always jive and was saddened that we could not agree on some contentious points.  However he mentioned something about the digitalization of the energy sector.  It reminded me a report published by the International Energy Agency. I wanted to share this with him as I had been one of the contributors.  I looked up the list of contributors and there we both were on the list back to back [5] ! I showed this to him and we were both quite pleased.  The take away is that many of us are working together on the same task but may not realize sometimes how close the collaboration can be.

In short this kind of international participation in a table top exercise can have very beneficial and unexpected surprises.  We need collaborative contacts in order to pool our collective strengths and meet the increasing challenges in dealing with advanced and persistent threats emanating from cyberspace.


[1] https://enseccoe.org/en/newsroom/nato-energy-security-centre-of-excellence-conducts-central-european-pipeline-system-study-in-germany/425

[2] https://enseccoe.org/en/newsroom/nato-ensec-coe-started-table-top-exercise-coherent-resilience-2019/427

[3] http://kam.lt/en/news_1098/current_issues/baltic_states_step_up_cooperation_in_cyber_security.html

[4] More details on what it took to achieve the final signing of the Cybersecurity Cooperation MoU can be found in this article on page 18 at https://www.marshallcenter.org/mcpublicweb/mcdocs/files/College/F_Publications/perConcordiam/pC_V7N2_en.pdf

[5] See page 6 at  https://www.iea.org/publications/freepublications/publication/DigitalizationandEnergy3.pdf

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.