Talking non-nuclear critical energy infrastructure security
Tim Compston, Features Editor at SecurityNewsDesk, interviews Thomas Wuchte, Head on Anti-Terrorism Issues – Transnational Threat Department – at the OSCE on the hot topic of protecting critical energy infrastructure which keeps the wheels of the global economy turning.
It is all too easy to sit back and take the energy that powers our day-to-day lives for granted, especially as we are in an era which is far removed from the days of ‘blackouts’ and ‘brownouts’. However, while things may seem smooth on the surface the reality is more turbulent behind-the-scenes. This type of national infrastructure is under threat like never before, and not just from physical attack. Today the cybersecurity of these facilities is also high on the agenda. This is a situation which Thomas Wuchte says the OSCE (Organisation for Security & Cooperation on Europe) and its partners have been accelerating their efforts on over the last couple of years.
This has led, ultimately, to the development of a ‘good practice guide on Non-Nuclear Critical Energy Infrastructure Protection (NNCEIP) from terrorist attacks’ which, Wuchte confirms, has a very strong focus on the new ‘threats emanating from cyberspace’ and, crucially, how to manage these risks and achieve incident response preparedness, infrastructure resilience and energy reliability.
A transnational perspective
When we start our discussion, Wuchte, who recently gave a keynote presentation on the subject of critical energy infrastructure security at Counter Terror Expo, is keen to tell me more about the pivotal role the OSCE plays in an increasingly uncertain world. By any measure the geographic reach of the OSCE, which is headquartered in Vienna, Austria, is impressive, Wuchte points out that it is, in his words: “The biggest regional security arrangement after the United Nations, with 57 participating states and 11 partners. We like to say that our OSCE family stretches all the way from Vancouver to Vladivostok.”
Drilling down into the work of the OSCE, Wuchte explains that the organisation’s efforts are focused on a number of key security issues. For his part, Wuchte has a cross-border remit which has counter terrorism at its heart: “Our Transnational Department also deals with border security and management and strategic police matters.” With cybersecurity, by its very nature, having a strong transnational dimension it is perhaps not too surprising that this virtual threat is a growing element of the Department’s efforts.
Wuchte moves on to outline the genesis of the ‘good practice guide’ on NNCEIP which he referenced at the recent Counter Terror Expo with regards to cybersecurity, in particular: “Back in 2010/11 period we held a large meeting amongst our organisations that looked at all the issues involving non-nuclear critical energy infrastructure protection. The reason why we have this word ‘non-nuclear’ is that we recognise that the International Atomic Energy Agency [IAEA] quite capably handles issues around nuclear security.” He reports that there was strong interest from OSCE’s participating states to look at the sort of infrastructure that could potentially be used by adversaries as targets to attack and disrupt: “From this we narrowed our focus to the protection of critical energy infrastructure from terrorist attacks and the threats emanating from cyberspace. This was a large piece of my presentation at the Counter Terror Expo,” explains Wuchte.
Public and private co-operation
During the exercise to develop the ‘guide’ itself, Wuchte points out that it was important that both the public and private sectors were well represented: “We gathered the stakeholders to draft the guidebook in 2013/14 and got not just government policymakers that are usually concerned about this, but also the business community on-board. Partnerships between the public and private sector really are essential to maintaining critical infrastructure security and the resilience of that infrastructure. It was quite a good collaborative process and we also had NATO and the EU involved.”
Connectivity – opportunity and threat
Wuchte says that the threats relevant to non-nuclear critical energy infrastructure operators can be classified in many ways and that the pressing concern, with the sort of industrial computerised control systems found on these sites is their ever-greater degree of interconnection and integration: “On the one hand it makes this infrastructure easier to operate but they are also, increasingly, at risk from manipulation and targeted cyberattacks,” reflects Wuchte.
“We felt within our organisation [OSCE] that, given this, such cyber-related threats were particularly important for non-nuclear critical energy infrastructure operators.” Of real concern here, reckons Wuchte, are the so-called ‘cascade effects’ which can flow from any initial incident: “This means that a well co-ordinated cyberattack could, potentially, be even more damaging than a physical attack.”
He goes on to explain that, ultimately, the 100 page guide is designed to provide a working framework for governments and operators to consider in the context of their own country’s ongoing approach to these issues: “It is a publically available document. Again going back to the term ‘stakeholders’, it has to be seen as everybody’s concern not just the policymakers themselves. Businesses play an ever more important role fighting terror, especially in cases where their infrastructure could be targeted. It was apparent from the process of developing our guidebook that most of the Internet infrastructure, including communication platforms, is privately owned. We have this term: ‘developing effective public-private partnerships’, and we are very proud of the approach we take to this issue at the OSCE.”
Asked how things have progressed since the guide was first published, Wuchte is quick to respond by emphasising that the document was never intended to just be issued and then the job was essentially over. In fact he sees it very much as just the start not the end of efforts here: “We are now in the process of developing national table-top risk assessment and crisis situation management exercises. We have taken some lessons learned from the guidebook and applied them most recently, at our first event in Spain, by going through scenario-based discussions with public-private partnerships. Here is a situation and here are ways you could think through what you could have done in advance or what you would do in reaction to an attack.”
Moving ahead, Wuchte reflects that the OSCE guidebook on ‘Non-Nuclear Critical Energy Infrastructure Protection (NNCEIP) from terrorist attacks’ is an extremely useful tool to help people think things through if, unfortunately, something does happen which interferes with the working of their critical energy infrastructure: “You have a good knowledge base – and plan – about how to work through the process,” he says.
Generating best practice
So, to conclude, with the cyber threat to critical infrastructure recognising no boundaries, powering ahead with transnational initiatives to develop and disseminate best practice, like Thomas Wuchte and his team at the OSCE, is certainly a step in the right direction.