Public-private collaboration is essential in the face of the growing importance of cybersecurity

Public-private cooperation is very important in the field of cybersecurity, and cybersecurity itself is now essential to the protection of critical energy infrastructures.
These are critical infrastructures that offer essential services for everyone and are key to the day-to-day running of society, as is the case of the energy sector, which includes major companies such as Iberdrola.
In this regard, the Centro Superior de Estudios de la Defensa Nacional (CESEDEN) hosted at its headquarters in Madrid, with the participation of the Spanish Institute for Strategic Studies (IEEE) and the Spanish energy company Iberdrola, the seminar "Cybersecurity in critical energy infrastructures", in which important personalities and experts from the Spanish state administration, the Armed Forces and the private sector discussed the important issue of protection against cyberthreats that are growing daily around the world.
The event was opened by Manuel Aragón Reyes, Professor of Constitutional Law at the Autonomous University of Madrid and co-director of the seminar, Francisco de P. Bisbal Pons, Director of CESEDEN, Santiago Martínez Garrido, Secretary General and Secretary of the Board of Directors of Iberdrola, and Francisco J. Dacoba Cerviño, Brigadier General of the Spanish Army, Director of the IEEE and also co-director of the seminar.

Francisco de P. Bisbal Pons indicated that the security of critical facilities should be a priority for any state due to the importance of guaranteeing the security of energy infrastructures.
Santiago Martínez Garrido highlighted Iberdrola's collaboration with the Armed Forces on security matters for almost ten years. The Secretary General and Secretary of the Board of Directors of the Spanish energy company highlighted Iberdrola's "ethics and leadership" in relation to issues of national defence, energy security, Sustainable Development Goals, climate change and security in energy infrastructures. Santiago Martínez Garrido indicated that the Chairman of Iberdrola, Ignacio Galán, promotes all these initiatives, although he was unable to be present at the CESEDEN headquarters due to the presentation of the company's third quarter results, which were "magnificent", highlighting the success of investment in clean energy and networks.
Martínez Garrido stressed that Iberdrola is concerned about cybersecurity in critical energy infrastructures and that the new reality brings challenges, emphasising that the increase in digital services and the growing digitisation of processes requires a balance between human and machine participation.
The Iberdrola representative stressed that they offer a public service related to critical infrastructures and that cybersecurity is a priority for the company. "We are permanently subject to attacks from third parties for data, to attacks on a daily basis, and there is a need to update the cybersecurity system permanently", explained Santiago Martínez Garrido, who also alluded to the fact that "we have to be at the digital forefront due to interconnected and cross-border systems, as there are threatening agents".
Manuel Aragón Reyes, who has been co-director of this type of defence seminar since the beginning, highlighted more than ten years of collaboration with Iberdrola on these seminars, which have been resumed after the pandemic.

The Professor of Constitutional Law at the Autonomous University of Madrid highlighted the close cooperation between Iberdrola and the Armed Forces and stated that the 2022 European directive on the resilience of cybersecurity in critical entities aims for comprehensive security against all types of risks, especially against cyberthreats.
Francisco J. Dacoba Cerviño pointed out that the national security strategy's motto is that it should be a project shared by the whole of Spanish society. In this case, Iberdrola, with this initiative, shows that there is a co-responsibility of all social actors in cybersecurity and protection of critical energy infrastructures. The brigadier general and director of the IEEE pointed out that the objective is that "Spain is in the best conditions to protect its interests and that society can develop its project in a safe, prosperous and free manner".
The event included a round table discussion entitled "General aspects of cybersecurity", with the journalist Antonio Jiménez Martínez as moderator and with the participation of Elena de la Calle Vian, technical advisor in the area of Cybersecurity of the Department of National Security of the Cabinet of the Presidency of the Government, Roberto Villanueva Barrios, Brigadier General of the Spanish Army and Head of the Cybersecurity Department of the Centre for Information and Communications Systems and Technologies (CESTIC) of the Ministry of Defence, Francisco Antonio Marín Gutiérrez, Lieutenant Colonel of the Spanish Army and Head of the Intelligence Section of the Joint Cyberspace Command, and José Miguel Gordillo Luque, military officer and Global Director of Corporate Security at Iberdrola.

The general aspects of cybersecurity have to do with the increasingly complex threat posed by the ability to steal sensitive data, extort, manipulate states of opinion and cause collapses in public entities or companies.
Francisco Antonio Marín Gutiérrez focused precisely on the risks and threats to national security in cyberspace. The lieutenant colonel and head of the Intelligence Section of the Joint Cyberspace Command indicated that the increasing digitisation of activities has widened the area of exposure to cyberattacks. "Since 2016 NATO has considered cyberspace as a sector of operations," he stressed, explaining that the magnitude and frequency of cyber attacks and illicit use of cyberspace have increased in recent years. As a result, "cybersecurity has become a priority for organisations and governments".
Francisco Antonio Marín Gutiérrez highlighted threats to critical infrastructures, espionage and interference from abroad, disinformation campaigns and the vulnerability of cyberspace as the main risks and threats today.
He recalled famous major cyberattacks on critical infrastructure such as Stuxnet against Iran's nuclear industry in 2003, which was the first known major attack, and noted that there are now multiple attacks in the war in Ukraine, such as the one between May and September 2023 by the Russian intelligence service against major Ukrainian internet and telecommunications providers.
The lieutenant colonel highlighted the vulnerability of cyberspace and pointed out that the national security strategy speaks of two threats: cyberattacks and the use of cyberspace for the development of illicit activities, such as cybercrime, cyberespionage or the financing and propaganda of terrorism.
He also insisted that Spain faces numerous cybersecurity challenges related to the high levels of interconnectivity. "There are state-actors, who are the most dangerous as they have greater resources for more sophisticated attacks. These attacks are now commonplace for their geopolitical interests, gathering information, influencing the population and damaging critical infrastructure," he explained. He recalled how Iran attacked the Saudi state oil company Aramco, affecting 3,000 of its computers at the beginning of Ramadan, and also pointed out that in Ukraine since 2014 there have been major attacks on critical infrastructures by Russia, although Ukraine is now better prepared to deal with these offensives.
He also alluded to "hacktivism" or hacker activism. Activism used to be associated with the defence of values, but hacker groups echo ideologies and nowadays subversive use is made of computers and networks to promote a political agenda in many cases. Francisco Antonio Marín Gutiérrez indicated that various states use hacktivists as proxies.
As for internal actors, he pointed out that more than three quarters of the incidents are related to negligence of internal staff, 60% are unintentional and almost 15% are intentional, involving disgruntled employees or outright saboteurs.
The trend now is that these categories are mixed and that various countries hide behind organised criminal groups or "hacktivists", and it is becoming increasingly difficult to see who is behind them.
Roberto Villanueva Barrios focused on cybersecurity as a basic element of digital transformation in the field of defence and explained the role of the Centre for Information and Communications Systems and Technologies (CESTIC), which is in charge of communications, digital management and network cybersecurity for the Ministry of Defence. "Every day-to-day activity is subject to attacks," explained Roberto Villanueva, who also explained that Spain's military defence is primarily aimed at military operations, which are also related to cyberspace. "The battlefield is now digital," he stressed.

Cyberspace is part of the battlefield and it is the mission of the Spanish Armed Forces to attend to it for national defence. For Roberto Villanueva, the combatant is the centre of the action and it is necessary to focus on him through cybersecurity; in this sense, information is what "gives us superiority and the possibility of imposing ourselves" on the battlefield. The brigadier general and head of CESTIC's cybersecurity unit explained that the combatant is subject to many communication structures and information systems; he is given information for the combat to be successful, and even the civilian sector participates by providing information.
According to Roberto Villanueva, cyberspace is part of the integral structure for defence; the central part is what the Ministry of Defence uses with communication systems, which have a direct relationship with the areas of operations. They are also connected to international organisations within integral structures such as NATO or the European Union. "Information is the strategic asset of the Ministry of Defence, it guarantees us superiority and success in operations," he stressed.
Roberto Villanueva indicated that "we are in combat every day, every hour" and that we are constantly receiving attacks; many have no repercussions and others require intervention. He pointed out that, through security operations centres, the aim is to automate the response as much as possible. He explained that it is impossible to stay ahead of attackers or respond without intelligence services. "We need information to prevent attacks and take measures in infrastructure and defence," he said.
Elena de la Calle Vian focused on how the EU is combating cyber threats. "The national security strategy indicates that the EU must play a greater role in some areas that require a joint response, such as pandemics, terrorism and cybersecurity, as this is a cross-cutting area that affects us all", she explained.
The technical adviser in the area of cybersecurity at the Department of National Security pointed out that they are a body that advises the Presidency of the Government on national security. She explained that national defence, public security and external action are supported by intelligence services, which are basic. "National security seeks to protect the daily lives of citizens in 16 areas, such as energy, economic, maritime and health security, etc.," she explained. Elena de la Calle Vian indicated that cybersecurity is essential within national security. "We seek to integrate national security information from these 16 areas in order to anticipate crisis situations, as well as to develop cooperation strategies with public and private actors," she said.
Elena de la Calle Vian also indicated that the European Cybersecurity Agency offers tools for sharing information between countries. "In a visual way, you can see which sectors are affected," explained De la Calle Vian, who pointed out that seeing which sector in which country is affected is fundamental in order to have a joint vision and face the challenge.
"There are 27 countries, each with its own characteristics, there are many open files on cybersecurity and reaching an agreement takes time," she explained. The threat landscape is growing with the geopolitical element now having a strong influence, she also said. Elena de la Calle Vian pointed out that there are organisations declaring digital war on EU countries involved in the war in Ukraine, for example, with attacks on public and private entities as well. Russia attacked Viasat in order to begin the invasion of Ukraine and cut off Ukrainian communications; this attack affected wind turbines in Germany, for example, which depended on this infrastructure, as the Department of National Security adviser explained. This "was the first attack officially attributed to a state", she stressed. Elena de la Calle Vian also indicated that in the Israeli-Palestinian conflict, there is vigilance in case there are collateral effects, with denial of service attacks occurring, explaining that the Israeli population's warning system against attacks was hacked and could even give false alerts to the Israeli civilian population.
The advisor to the Department of Security also indicated that another challenge in the EU is the lack of professionals, which the European Commission estimates at 800,000 people. The global shortage of personnel in this area is estimated at 3.5 million. In Spain there is also a lack of staff, as Elena de la Calle Vian explained, indicating that there are now 153,000 people, 24% more than last year. However, 57% more staff (60,000) are lacking, despite the fact that there are cybersecurity-ready infrastructures in place. Meanwhile, the vulnerability of hardware and software products reaches some 13,000 products, 50% of which are attacks on critical infrastructures, as Elena de la Calle Vian pointed out, noting that the EU has a joint strategy with a lot of cybersecurity regulation since 2020.
She also indicated that entities must also have cybersecurity measures in place to maintain the security of everyday life. "There are many vulnerable products in software and hardware that have a connection to the internet. These will have to undergo security evaluation with the new EU regulations to obtain cybersecurity certification, with a market surveillance system," explained Elena de la Calle Vian, who stressed that many of the attacks come from the vulnerability of the products we use every day.
José Miguel Gordillo Luque referred to the high cost of cybersecurity. Iberdrola's Global Head of Corporate Security pointed out that the cost of cybercrime is estimated to grow by 15% annually by 2025, to some $10.5 trillion.

This has a major impact on private companies and there is increasing regulatory pressure and even criminal liability of corporate management bodies, as he explained. In this way, companies are identified as a fundamental part of the global cybersecurity ecosystem. Boards of directors are responsible for the implementation of cybersecurity plans, respecting regulations and obligations, and there is even criminal liability if this is not done, as José Miguel Gordillo explained.
"Boards of directors of large companies should have cybersecurity experts to advise the whole board on this implementation," he said. He also explained that the most important cost of cybersecurity is the cost in physical lives. A cyberattack can affect physical assets, which means that human lives can be affected to the greatest possible extent. "People have lost their lives indirectly due to cyber-attacks," he said.
José Miguel Gordillo referred to financially motivated criminal organisations, which constitute the majority of the attacks we receive, such as phishing or ransomware, whose main objective is to steal data for extortion or to sell in hidden channels to other organisations that intend to penetrate entities.
On the other hand, there is the motivation of destabilisation, with state actors and activist groups that want to take control of company infrastructures linked to critical infrastructures that can affect the population.
José Miguel Gordillo recalled that there are very sophisticated attacks, with offensives against the electricity sector such as those perpetrated against Ukraine in the framework of the Russian invasion or against Israel in the framework of the war against Hamas.
Electricity is a critical infrastructure and any impact on the grid has an impact on other actors, he explained, as electricity is vital to the functioning of any entity in any sector. "We cannot fail society by providing this service," he said.
José Miguel Gordillo Luque alluded to "cyber resilience", i.e. learning to live with this phenomenon. We have to protect, but not only that, we have to live with the phenomenon of cyber threats. He also pointed out that cybersecurity and physical security should not be separated. "There must be a holistic approach to security," he said. Iberdrola's Global Head of Corporate Security also pointed out that "you have to identify, protect, detect, respond and recover" and also stated that employees of organisations must have an intense culture to prevent cyber-attacks as 88% of cyber-attacks are due to the behaviour of employees either consciously or unconsciously.
He also indicated that public-private cooperation is essential in a hyper-connected world, which is a must for cyber resilience. The public sector must take the lead in making public-private cooperation effective and "making the nation more cyber-secure and trustworthy".
José Miguel Gordillo Luque also indicated that data protection is a priority for Iberdrola. He pointed out that there is a reputational and economic cost if, as a result of a cyber-attack, data is leaked, and there may even be administrative sanctions by the State.
This was followed by the second session of the day, entitled "Cybersecurity and energy security", moderated by Yolanda Gómez Rojo, deputy editor of the ABC newspaper, and with the intervention of Álvaro de Lossada Torres-Quevedo, head of the Cybersecurity Coordination Office of the General Directorate for Coordination and Studies of the Secretary of State for Security, Ignacio Fuente Cobo, Colonel and Senior Analyst at the IEEE, Natalia Galán Vázquez, Head of Intelligence, Strategy and Security Governance at Iberdrola Spain, and Rafael Ceres Campos, Head of the Global Cybersecurity Office for Digital Transformation at Iberdrola.

Álvaro de Lossada Torres-Quevedo referred to the protection of critical infrastructures and indicated that cybercrime has grown by 351.17% in 2022 compared to 2015 in Spain, a "frankly dizzying" rise. He also pointed out that more than 89% is economic crime, these being crimes that can lead to loss of information. Meanwhile, attacks against ICT systems have grown by 78% in the last five years, although they are the least common now.
The energy sector accounts for 37.2% of cybersecurity-related incidents, although this does not mean that the energy sector is the least prepared; it has solid protection, as Álvaro de Lossada pointed out, explaining that the majority, 60%, are self-reported vulnerability incidents, which is good news, and a smaller percentage is information theft.
Álvaro de Lossada also recalled the challenges of implementing the new European NIS2 regulation: choral transposition, challenges in governance, dispersion of obliged subjects, dispersion of authorities, dispersion of certifications and the non-multiplication of burdens, taking into account the specificities of each sector.
With this new regulation, many agents subject to compliance with cybersecurity obligations will be incorporated and the challenge is to find a unified certification system that does not multiply in each sector.
He also explained that critical operators have more security measures and incidents have grown less than in the rest of the economic sectors.
Ignacio Fuente Cobo spoke about the importance of energy security, which has to do with the uninterrupted availability of affordable energy sources. In the long term it is based on timely investments to supply energy according to economic needs, which has to do with the energy model of each country, and in the short term resilience focuses on the ability of the energy system to react quickly to sudden changes in the balance between supply and demand.
Countries implement investment plans to ensure energy security, and energy models go beyond security and also have to do with geopolitical intentions.

Ignacio Fuente Cobo pointed out that Spain is highly vulnerable in terms of oil and gas, and that after the sanctions against Russia, demand was reduced somewhat, but Europe is now turning to other countries with which it is not politically in tune, such as Azerbaijan or Qatar. However, despite the sanctions, Russian gas has continued to be bought indirectly.
The colonel and IEEE analyst pointed out that energy decisions have political consequences, such as dealing with Azerbaijan or Qatar. Some nations such as Germany have even complained about the price of gas sold by the US, which is taking advantage of the current moment.
Finally, Natalia Galán Vázquez and Rafael Ceres Campos detailed more technically and in depth how Iberdrola develops its cybersecurity policy with the desire for the new NIS2 regulations to have a coherent focus in the face of dispersed regulations, to also have an international focus, to have adaptable and agile regulations in the face of changes and to encourage investments in cybersecurity, as well as to include the mandatory sanctions for non-compliance, promoting responsibility at all levels.
They pointed out that all areas of the company must be involved, from the Board of Directors to any department. Everyone must be aware of cybersecurity in today's times.