
Overview of the Cybersecurity Conference 2013

14.03.2013

Juhan Parts, Minister of Economic Affairs and Communications

According to Juhan Parts, Minister of Economic Affairs and Communications, cybersecurity extends to more than single issues. The biggest setback would be a decline in the confidence of society concerning the internet, technology, and the opportunities arising therefrom.

The Minister also warned against possible overreaction, excessive centralisation and limitation of freedoms and rights in relation to cyber matters. "We always emphasise at the international level that security cannot be an excuse to limit the benefits offered by the internet," he noted.

The Minister said that security is difficult to ensure in a hierarchical system. "Cooperation is the key, but this word must be furnished with meaning. The focal issue is cooperation between the state and private enterprises, and the civil society should also be engaged in more cooperation. However, it is clear that we are unable to disregard rules to some extent. The security measures regulation approved by the Government of the Republic today with the objective of ensuring the continuous operation of information systems used to provide a vital service in both regular and emergency situations is an indication of this," said Parts.

The Minister made a separate note of investments: "The development of technology is rapid and investments in base infrastructure and services often seem excessive, yet underinvestment in the environment of e-services constitutes a security risk of its own."

In conclusion, Juhan Parts referred to the reputation of Estonia: "Estonia has capital in the field of cybersecurity both in terms of reputation and competence. We must make more efforts to use this reputation and reap the rewards. Estonia also looks good in the European context: the matters that Europe is trying to accomplish jointly look to us like a path we have already well trodden. The main issue is how to remain a forerunner and innovator in this field considering our limited human resources."

As to the question whether Estonia needs a national cyber coordinator, the Minister replied that the risk of excessive coordination is always apparent with coordinators. Cybersecurity matters are regularly discussed by the Security Committee of the Government of the Republic and the Cybersecurity Council that involves various Ministries.

Jaan Priisalu, Director General of the Estonian Information System Authority

Jaan Priisalu, Director General of the Estonian Information System Authority, explained in his presentation the role of the EISA in enlivening cybersecurity cooperation. When analysing vital services, the EISA has determined that 90% of them are dependent on IT, and for 30% of the services the dependency is critical: when IT is disrupted, the service is disrupted as well. The dependency is extremely critical for 10% of the services, as those services have no alternative without the information system. The three pillars for the operation of vital services are communication, energy and data processing.

Priisalu emphasised that the ability to learn from the experience of others is essential and good lessons can be learned by helping each other in case of incidents. Priisalu pointed out the government-level exercise "Cyber Fever" as an example of good cooperation projects. "In this exercise, we learned that failures in information systems have extensive consequences and a cyber crisis will not remain a mere cyber crisis for long but spread rapidly to other fields as well." However, in the opinion of Priisalu, there is no need for a separate institution for cyber crisis management as in the event of an incident, the EISA will commence deterring the threat and five Ministries will also commence operations.

Priisalu also thanked enterprises for their cooperation-oriented attitude: "Regardless of the fact that the legislative basis is not advancing as quickly as we would like, we have never run into cooperation issues with providers of vital services." In the immediate future, the EISA will focus on measurement. As regards the international level, Priisalu, like the Minister, was optimistic, noting that the EU Cybersecurity Directive will prescribe activities that Estonia is already undertaking.

To conclude the presentation, Priisalu noted the business activity in Estonia in the field of cybersecurity: "I am very glad to see that several enterprises such as Cybernetica, Signwise and Clarified Security are doing well. It is a lesser-known fact that Symantec also has numerous developers in Estonia. Estonia has plenty of potential in this field, especially SCADA security; this is a made-to-measure skill that certainly has a pleasant prospect."

Tiit Tammiste, Head of Technology Division of EMT AS and Representative of the Estonian Association of Information Technology and Telecommunications

In his presentation, Tiit Tammiste, Head of Technology Division of EMT AS and Representative of the Estonian Association of Information Technology and Telecommunications, pointed out that IT services are increasingly consumed on smart devices; therefore, mobile services are becoming more and more important. However, in a crisis, service providers, being private enterprises, act above all in the interests of their clients and owners. Yet expectations for the functioning of communications are higher in a crisis than in a normal situation, as people are more dependent on communications.

Tammiste criticised the crisis planning of the state, noting that the crisis scenarios seem as if they are the best kept secrets from the providers of vital services: "So we proceed from the necessities of our clients and business in our risk analysis rather than wider national scenarios. A heavy storm in Järva County is certainly a more realistic threat to us than cyber warfare."

"For example, 40-50 EMT base stations were out of commission due to a storm last November. It was chaos. People could not call the Rescue Board or ambulance. However, when we show the statistics of such a situation to the owners of the enterprise, less than 1% of the network is down and it looks as if there are no problems," Tammiste said.

Tammiste is of the opinion that a liberal approach is positive, but the state's intentions regarding the location of the servers of vital services must be expressed more distinctly, and the solutions must be prepared with a view to crisis scenarios: "From the economic point of view, consolidation is necessary, but it is easier to consolidate in a location with more clients, such as Finland." Only clear and specific legislation helps prevent such developments, said Tammiste. On the other hand, it is important to understand that the Nordic countries are also engaged in amending their legislation. "The one to first implement the legislation will be the one able to centralise the servers," Tammiste emphasised. The security of cloud computing services must be given even more attention: "Such an approach would also help 'sell' us as a server country."

Yet Tammiste commended the cooperation of the state and enterprises: "The best example of cooperation is AS Sertifitseerimiskeskus. It is an institution that provides certification and timestamp services and was jointly established by banks and telecommunications enterprises." The Estonian digital identity infrastructure always astonishes people abroad: "We just talked about it to Microsoft executives and endlessly answered questions as to how it is possible that we can sign a document simultaneously with the entire ocean stretching between us."

Software concerns accompany the use of mobile devices: "In a PC-based world, we were able to direct which software people would use. That is no longer possible in the world of mobile applications. Anyone can create their own Digidoc application and upload it to the App Store. Nobody cares about the security level of the application. We must therefore seriously consider how to promote the topic of security and get through to the users what is secure and what is not," Tammiste noted.

Mait Peekmaa from Clarified Security OÜ and Ragnar Rattas from the EISA

Mait Peekmaa from Clarified Security OÜ and Ragnar Rattas from the EISA showed how a hacker could, on the basis of knowledge gained from YouTube, command the operation of traffic lights. Moral of the story: it is no longer possible to keep automatic control systems separate from the Internet. It must be accepted that the systems are open and there are good reasons to open them. The systems must therefore be protected by means of compensating measures.

Tarmo Mere, Chairman of the Board of Elektrilevi OÜ

Tarmo Mere, Chairman of the Board of Elektrilevi OÜ, emphasised that in addition to cyber threats, there are several other risks that the state should take note of. When explaining the context, Mere noted that the energy system is an integral whole that has been developed and used for 100 years. Rapid progress in the development of the power system has been taking place since the 1960s-1970s, when the current systems were built, which are essentially not very dependent on IT. There are numerous producers in the network, while Estonia has one transmission network (Elering). There are 35 distribution networks, and a lot of micro-production has sprung up; the development in this field has been explosive in Europe.

"Our whole society is linked via the energy system. Excellent routines have been elaborated for incidents, but reacting to cyber threats is in the initial stages," Mere said. "A peculiar protection against cyber threats has been the fact that the system is dispersed. There has been no force to shut down the system in the entire country. No more than 40% of the system has been down at any time."

According to Mere, it is essential to understand the size of the network in order to ensure cybersecurity. Elektrilevi alone has over 61,000 km of power lines – enough to circle the world one and a half times. It has almost 1,200 remotely controlled substations. 160,000 information points are connected to the control centre. "Taking into consideration the speed of IT development and the life cycle of automatic control systems, in 20 years we will probably have control units in the network whose security is absolutely below par," said Mere.

As Mere pointed out, the current requirements for the continued operation of the service are not related to cybersecurity in the slightest: "All we have done has been for business purposes at our own initiative." There are priorities for recovering the service. Energy supply is first ensured for vital systems (e.g. hospitals, the Rescue Board); secondly, for systems of social importance (e.g. the police, military objects, airports); thirdly, for objects of economic importance; and lastly, for institutions of great public impact (e.g. schools).

"However, we are not sitting idle in the field of cybersecurity. The transmission test conducted in cooperation with the EISA indicated that Elektrilevi will have to develop totally new competences that are not currently taught in Estonia. Persons can study to be IT, automation or cybersecurity specialists, but the symbiosis of these fields is nowhere to be found," Mere complained.

The evolution of technology will bring higher supply reliability and convenience. In the same week as the conference, Elektrilevi commenced mass installation of electricity meters that provide automatic readings. A smart meter connected to the central system will be in everyone's home by the end of 2016. However, this is where the distributed risk becomes a concentrated risk in terms of cybersecurity. "At the same time, we are taking steps to further automate the substations, meaning that we will need to deal with cybersecurity quite a lot. The power network has not been designed to withstand the failure of more than 1-2 major links. When connecting to the network, one must be prepared for a cascade of failures," Mere emphasised.

Elektrilevi expects a clearer expression of intention in legislation and constant cooperation from the state, although the cooperation thus far has been at a high level. It must be considered that public security interests may not coincide with business interests. "We need a coordinated smart plan on the national level. We live in a small country and cannot pay for dealing with all the risks. We have to come to terms with the fact that our smart plan also includes only our hospitals and public assembly points – the things that ensure our survival – remaining operational in case of a terrible crisis," said Mere in closing.

Kalev Reiljan, Technology Director of Elion

Kalev Reiljan, Technology Director of Elion, spoke of confidence to begin with. In a crisis, the importance of communications is smaller than that of energy, yet communications are important for saving lives.

Reiljan pointed out the following phenomena as important trends:

  1. Increase in the complexity of network technologies in the last few decades. Compared to the former ordinary telephone service, the services are greater in number and more complex. There are concerns about competence: how to find experts who can handle the complexity. The connection is more critical for the client, as the client wants to watch their favourite show and the football goal and is angry when that is not possible.
  2. Cloud data processing. The incident in January showed that if something happens to a part of the cloud, different preparation for incidents must be ensured.
  3. BYOD, i.e. using one's personal devices for work.
  4. Social networks and changing of communications. The awareness of people has not increased as fast as the new channels of communication allow: this consequently results in dealing with privacy issues and identity theft.

Elion:

  • expects clearer direction from the state, so that enterprises do not address risks solely on the basis of business considerations.
  • is engaged in ensuring the administration of services (January was an indication that the situation could be better).
  • pays attention to data protection. Elion does not manage as much data as banks, but there is still a significant amount of data that must be correctly classified and employees must be educated in the field of data processing.
  • deals with the consequences of fraud and theft of services. For example the case where calls to Sierra Leone were made from a school in Narva.
  • is engaged in physical security of essential objects.
  • increases the awareness of users. A good example of cooperation with the EISA is greenwalling: we prevent infected computers from accessing the network and show them warnings.

Reiljan emphasised that information security is not a matter for well-paid IT specialists alone; it should be seen as inherent in the organisation. It should first be understood which services are essential, how exposed they are to information security risks and which control mechanisms can be applied.

The awareness of employees in enterprises is rather low and should be addressed more. In conclusion, Reiljan stated that information security risks are becoming more frequent, the responsibility of telecommunications enterprises for ensuring the operation of the information society is increasing, and cooperation is more important than ever before.

As to how much a cross-border enterprise is able to maintain data and applications in Estonia, Reiljan responded that it is a critical topic indeed. Finland and Sweden are currently actively working in order to obtain more investments related to cloud computing technologies and data centres.

Panel discussion on the role of the state and the private sector in ensuring the cybersecurity of vital services

In the panel discussion, Taavi Kotka, Deputy Secretary-General of the Ministry of Economic Affairs and Communications, Hannes Kont, Deputy Secretary-General for Rescue Policy of the Ministry of the Interior, Jaan Priisalu, Director General of the EISA, Tiit Tammiste, Head of Technology Division of EMT AS, and Raul Rikk from Trustcorp discussed the role of the state and the private sector in ensuring the cybersecurity of vital services.


Raul Rikk was of the opinion that the role of the state is to deal with the common elements that affect everyone, to analyse trends and the development of threats, and to shape the complete picture and skilfully prepare a smart plan. The state could require baseline security in a very inclusive manner.

Hannes Kont took up the enterprises' point that more legislation is required. Kont emphasised that the Estonian model is decentralised: we do not have one leading crisis ministry, and every ministry is responsible for its own fields. If we wish for more roles and clarity, we should look at the respective competent authority.

Taavi Kotka was of the opinion that the subject matter needs more vigorous coordination. We must create a functional chamber, an institution to firmly and quickly bind the public and private sectors.

Jaan Priisalu emphasised that the cooperation is working well at the level of specialists, yet it still needs to be implemented at the level of executives. "I am glad to see that we are talking about completely different matters than a year ago," said Priisalu. The state can measure the situation better than the others are able to. The duties must then be shared with enterprises, as the greatest competence lies there. This also leads to better management decisions, as management is pointless when the situation is incomprehensible.

Tiit Tammiste noted that good cooperation should lead to more specific details and the field should be regulated such that it would be clear who performs what and to what extent. Compliance with the Emergency Act may be dispersed, but it presumes active management.

When discussing competence, Raul Rikk noted that it is not possible to centralise smart persons. After 2007, various fields have dealt with cybersecurity in a rather independent manner.

Taavi Kotka stated that more attention should be paid to developing business activities. The cybersecurity curriculum is one of the most thorough courses of the IT Academy, but a new leap in competence can only be achieved in business.

Raul Rikk raised the question that perhaps we should define export as one of the priorities in the cybersecurity strategy on the example of Finland.

Tiit Tammiste pointed out that in the strategy of the Estonian Association of Information Technology and Telecommunications, cybersecurity has been marked as a first-priority field for development, and an information security chamber of the Association is being established.

Kalev Reiljan raised the question as to how to improve the credibility of Estonia with a view to legislation. We are planning for crises that have not occurred and, on the basis of the principle of probability, if something has not happened, it is unlikely to happen in the next 10 years. Perhaps we are too focused on prevention and should pay more attention to the possible consequences.

Hannes Kont replied that the Ministry of the Interior is currently arranging the organisation of training exercises – there should rather be fewer of them, held with consideration for the actual gain. Prevention does not actually receive enough investment, but it should be done on a more measured basis and with better aims. The response models are never set in stone, but compared to the neighbouring countries, Estonia is certainly the forerunner.

Raul Rikk emphasised that the most important keyword is analysis capacity as without analyses it is impossible to evaluate whether the resources have been divided reasonably.

Jaan Priisalu stated that it must be understood that our adversaries are people who are capable of thought, and in the end it boils down to who is better able to exploit the situation. Plans that have been prepared in advance cannot therefore always be relied on, as cyber crises quickly become crises in other fields.

Hannes Kont said that responsibility should be directed at the people and the awareness of the citizens of risks should be improved in order for people to have actual readiness and capacity to react. People must understand how fast the ambulance is able to arrive or how fast Eesti Energia is able to assist – that is the best way they can protect themselves.

Topic: Cyber Security

Added 01.08.2013
