Every year, cyber threats rise in the “ranking” of importance for the global economy. This, the most important topic for Ukraine, was discussed during the forum “Fuel and Energy Complex of Ukraine: Present and Future”.
Looking ahead – there are questions for both market participants and bodies that are called upon to ensure cybersecurity at the state level. But there is nothing that could not be changed.
Imperfections of Ukrainian legislation
IFES project manager in Ukraine Yuliia Shypilova, said that in the field of cybersecurity there is no a single global document that would determine how states should act. In 2011 and 2015, Russia and China tried to lobby for certain documents at the UN level, but they were not adopted as the United States has a different view on these issues.
There is the Budapest Convention on Cybercrimes – Ukraine ratified it in 2015, and now these provisions are binding. But, in order for this document to work, it must be implemented in national legislation.
The Budapest Convention consists of three components: substantive law, procedural and cooperation. Ukraine has implemented the material standards: most cybercrimes are reflected in the criminal code. We have problems regarding procedural law: we can establish the fact of a cybercrime, but no one knows what to do next.
“When cooperation with other states in the field of cybercrime, the collection of information and the transfer of evidence begins, Ukraine has not yet determined what electronic evidence is, how to collect, store, and ensure that there is no interference. Therefore, such cooperation is problematic”, Shypilova explained.
There is also a European Union directive on information and network security NIS. It is not mandatory for Ukraine, as we are not a member of the EU.
The directive provides for the adoption of a cybersecurity strategy, in Ukraine a similar document was adopted in 2016. Collaboration and information sharing groups have already been created.
On the other hand, according to this document, Ukraine is obliged to report, in compliance with all protocols, about cyber incidents to the relevant structures. Now our enterprises do this from time to time and in any form. According to the expert, the attack of the Petya virus occurred precisely because there were no information systems and recommendations on how to proceed.
“This is important because it will allow us to analyze who attacked and how, and understand how to act in a particular case”, Shypilova explained.
Based on the Cybersecurity Strategy of Ukraine, a law on the basics of cybersecurity was adopted in 2017. But it is a framework. “Many of its provisions should be spelled out at the by-law level. But they are not accepted by the Cabinet of Ministers”, the expert noted.
It is good that there is the cybersecurity strategy and its goals. But it is not spelled out who should reach and fulfill them.
“Creating a national cybersecurity system is a very ambitious goal. But it is not said who is responsible for it, when it should be achieved and how. And nobody monitors how activities are carried out in order to build this system”, said the expert.
Other legislative gaps include the inconsistency of certain standards with Ukraine’s international obligations and inconsistent terminology. Legislation was adopted at different times, so the terminology was used differently. Now, the competent authorities are faced with the fact that they cannot render certain actions, the court does not recognize their actions as legal.
Regarding legislation on critical infrastructure, the Ministry of Economy has developed a draft law, which has been under discussion for a long time, and submitted to the Verkhovna Rada at the end of the 8th convocation cadet. But it is considered rejected. And now this work has begun again. Although it could become a good base, says Shypilova.
One of the main problems of ensuring cybersecurity is subject-matter jurisdiction. Many institutions have similar functions. As a result, either no one is responsible for certain issues, or, conversely, the authorities begin to compete with each other.
Among other problems is the lack of a strategic plan. The strategy itself is good. But a plan is not only what we want to achieve, but also means of achievement.
The biggest problem for cybersecurity agencies is budgetary constraints...” Agencies hire young people, train them, and then they go to the private sector because they need to feed their families, because it’s impossible to survive for the money the state offers. To create a cybersecurity system we need, among other things, normal salaries”, Shypilova said.
Summing up the discussion at the forum, urgent tasks include:
- agreeing on terminology;
- adopting a comprehensive law on cybersecurity;
- adopting a law on critical infrastructure;
- harmonization of legislation with the European one;
- creation of an internal system for reporting cyber incidents (with a single structure that saw the whole picture, even if it is not a new structure);
- updating the law on law enforcement agencies, removing duplication of functions;
- adopting a law on state-private partnership in the field of cybersecurity.
What did energy companies tell?
Oleksandr Lisnyi, Director for Information Technologies of the State Enterprise NNEGC Energoatom, said that in Energoatom information and control systems are critical.
“Fortunately, they were designed in the 60-80s. Such prerequisites allow us to protect especially critical assets, internal perimeters, external public information systems – as a barrier to penetration”, said Lisnyi.
The biggest threat, he said, is internal. “We had several incidents that were not widely publicized. All of them are 100% connected with the actions of an internal employee. But there was no deliberate action to achieve some goal in order to create a “hole” in cybersecurity. Therefore, for us it is work to increase the level of knowledge of our staff. Increasing cybersecurity is a process that should not end”, the representative of Energoatom emphasized.
Director of Ukrhydroenergo IT department, Bohdan Karban, assured that his company is constantly analyzing the current situation and introducing the latest security technologies.
“We see a problem – until now, there are no definitions of critical infrastructure facilities. There are problems with regulating the technical aspects of cybersecurity. We note a not very good prospect in terms of improving cybersecurity after the introduction of the electricity market. The precedents were insignificant; we did not experience any attacks. What happened were the unintentional actions of workers. There were no serious threats”, Karban said.
Valerii Yermoshyn, Head of the IT Security Department at NNEGC Ukrenergo, said that interest in their information portals is constant. According to him, in particular, one of the services inaccessible to the general public was interested 69 times.
“Our users received 54 phishing emails containing malware. We recorded 7 cases of its appearance on various media, resources. We were lucky – we continued to work. Now we feel constant interest. In some cases, it is successful, in some – not”, Yermoshyn said.
According to him, it is the company's personnel, who overcome all the threats. And in terms of information security and the personnel of Ukrenergo in 2015 and 2019, these are different organizations.
“We were helped by the remedies that we use constantly. There is nothing in the world that we would not know about”, he said.
Yermoshyn noted that it is necessary to correct the procedures for the purchase of protective equipment. Today, physical protection of energy facilities refers to information containing state secrets. More critical and affordable information protection is the maximum for official use. Someone must take the initiative so that the Security Service makes adjustments to the information report. Otherwise, those who are constantly interested in us will perfectly know our infrastructure, starting with the model and versions of security features etc.
DTEK representative Serhiy Dzyuba assured that his company is making every effort to ensure the smooth functioning of our enterprises and the provision of services to consumers.
“Prior to Petya, not a single audit looked at real protection against real cyber threats. Practical work should come first”, said Dziuba.
According to him, the legislative settlement of the issue of cybersecurity will provide an opportunity for an adequate conversation with government bodies and with the Regulator. Decree No.518 (the CMU, on the approval of General Requirements for Cyber Protection of Critical Infrastructure Facilities – ed.) posed a number of questions on how to implement these requirements on facilities that the company considers to be critical infrastructure links.
“For example, the use of anti-virus protection at such facilities. And if the automated process control system does not involve the use of an anti-virus protection system, if it is extraneous in this system? This is an element of discussion with the people who developed this regulation. We have the opportunity to invite experienced professionals. But we understand that specialists working in state and legislative bodies are developing decisions – they are apparently not very motivated for the results of their work. Therefore, such documents should be submitted as a whole, finalized, discussed in the community of specialists”, he explained.
What does the state thinks and do?
Head of the State Center for Cyber Defense Roman Boiarchuk agreed that legislation in the field of protecting critical infrastructure has not yet been formed.
“Each ministry annually creates a cyber security plan for Ukraine. This plan is approved by the Cabinet of Ministers, reports are being generated. But they are not available to the public. Apart from the government, no one sees what and how was implemented”, Boiarchuk noted.
The only document that can be considered a standard for the protection of critical infrastructure, and which can be relied on, is a resolution of the Cabinet of Ministers, he noted. It is hoped that the current parliament will be able to adopt the necessary law.
Budget constraints on funding experts involved in cybersecurity are indeed an important issue, Boiarchuk said.
“Experts in the field of cybersecurity in the private sector have even higher salaries than “ordinary” IT specialists. Therefore, public-private partnership in attracting specialists to the system of development of national cybersecurity is essential”, he said.
But there is only one law on public-private partnership, which relates to the sharing of public resources by private and public organizations. And the main problem of public-private partnerships is trust. It takes time to build it.
Representative of the SSU Cyber-Security Situation Centre Andriy Haidar said that the Service has already launched several projects in the field of public-private partnership.
“One of them is a platform for the exchange of indicators of discredit, cyber threats about cyber-attacks – MISP HYPERLINK. It was previously opened, we finalized it to our standards. We constantly update, add indicators of discredit, technical information that can be used by systems to respond to some kind of cyber-attack. Today, about 50 critical infrastructure facilities are connected to it, and about 10 are energy facilities. It is good in that you can get up-to-date technical information about cyber threats for cybersecurity administrators. This service is free and voluntary”, said Haidar.
Another project is coordinated disclosure of vulnerability. The SSU website has a memorandum that should help cyber society and the state protect their facilities. There is a mailbox to which you can anonymously report information. It will be checked by the SSU and a corresponding response will be provided.
“So we urge the “white” hackers not to write something on Facebook, but to contact the Security Service. Together with the facility we will respond to threats”, said Haidar.
The SSU is also waiting for a draft law on critical infrastructure. Now the government has already set up a working group on this issue, because the general criteria for determining such objects is only the beginning of collaboration.
What we are missing: a look from abroad
Cisco Information Security Expert Volodymyr Ilibman noted that the topics that other speakers voiced are standard: legislative restrictions and transfer. These problems exist in all countries. But Ukraine still has its limitations.
The first is the problem of trust, the second is digital communications, the third is resource limitations for staff training. According to Ilibman, Cisco already faced the problem of trust when it organized an industry business community: no one wanted to share information, especially if there is a regulator or electronic government agencies on this platform.
The United States solved this problem in its own way: there is a public cybersecurity center that collects information “from below”, anonymizes it and transfers “above” already anonymized data on threats. And “above” is already information with recommendations. In Ukraine, communication is one-way – a decree from the ministry to the “bottom” and that’s all, even without feedback.
“But even that is written in resolution 518, although it is not ideal, must be used. There are many useful points to improve the security situation in Ukraine”, said a Cisco expert.
Staff training – there are many free resources that must be used, Ilibman noted. In particular, Cisco is launching courses in which infrastructure administrators can upgrade their skills.
“This is actually the difference between the Ukrainian and American experience – they constantly study there”, the expert summed up.
Tags: The Cabinet of Ministers, gas, DTEK, contracts, oil, renewable energy, NPP, NNEGC "Energoatom", legislation, electricity, NEURC, EU, The Minystry of Energy and Coal Mining, USA, energy market, foreign affairs
Andrew Favorov: Now is not the time to catch the falling knife
Chairman of Ukrainian Association of Renewable Energy Oleksandr Kozakevych: If we destroy the investment climate now, no one will come to Ukraine
Energy and quarantine: who is affected and what to expect