Jean Kolarow is deputy head of corporate security at Berliner Wasserbetriebe, which is the largest water supply and wastewater disposal company in Germany. At the company he is responsible for areas such as information security, crisis management and disaster prevention. At Command Control he takes part in the panel Awareness Success-Stories on September 21. We spoke with him about the panel and the security challenges facing operators of critical infrastructures.
Berliner Wasserbetriebe are operators of a critical infrastructure. What are the specific security challenges faced by operators of critical infrastructures?
Kolarow: As a public service company with responsibility for over 3.7 million people in and around Berlin we are particularly focused on those threats that affect our core processes. These may include cyber attacks, events of nature and also huge scenarios such as terrorist attacks or a blackout—the risk spectrum is diverse. However, I also see challenges in the collaboration with other critical infrastructure (KRITIS) operators and authorities to reach agreements and achieve the highest possible resilience, not only as a water provider but also in conjunction with others.
How should the security precautions of operators of critical infrastructures differ from those of “normal” companies? What role do employees play and how important is the issue of awareness?
Kolarow: KRITIS companies have a social mandate. In other words they provide those basic goods which keep our society functioning. The KRITIS definition is unequivocal in this regard. In order to ensure that downtimes in these supply chains are as short as possible both preventive and reactive measures should be analyzed from a security perspective and implemented sensibly. I personally see the difference in the weighting of the reactive measures, for example, with the introduction of a high-performance business continuity management process. KRITIS companies should be in a position to permanently maintain their reactive capacities on a high level so they can also fulfill their mandate in emergency or crisis situations. It is not a question here of shortages of random or expendable consumer goods but, as already mentioned, of the very processes that keep our society functioning, and in the case of water, also of human life. This position is certainly a question of attitude, perhaps even of philosophy—and I am a supporter of Murphy’s Law, namely “Anything that can go wrong will go wrong” and every KRITIS operator must be prepared for this.
As far as the role of employees is concerned, I see few differences from other companies which have also recognized the value of security awareness for themselves. The employees are a crucial cornerstone without which the best security precautions would be futile. A sustainable security culture only functions when everyone has been guided along the same path.
At Command Control you are participating in the Awareness Success Stories panel. Could you give us a taster of what Berliner Wasserbetriebe are doing in relation to awareness and why this is successful?
Kolarow: We have a very heterogeneous workforce structure and therefore we have to make use of diverse media channels. I will explain why this is the case, the role we play as a department and why I consider communications techniques to be necessary and profitable and through which communications can be conducted on a personal level. For us as a recent department, this last point has been, and continues to be, of huge significance in the overall security context of our company.
Do you think that cyber security can also be a growth lever for companies?
Kolarow: Yes. Without a doubt. Incidents affecting information security can inflict long-term damage or even destroy companies, both start-ups and multinationals alike. Our economy is increasingly based on IT—and the limits of its possibilities have definitely not yet been achieved. Expanding and maintaining one’s own technological advance also implies the parallel expansion and further development of security. This is slowly even being recognized by those who initially enthusiastically threw around buzzwords such as Industry 4.0, Smart City and AI. I think it will still take considerable time to internalize the slogan Security by Design and see it as a growth-securing maxim rather than as a growth inhibitor.
Command Control is primarily targeting decision-makers such as CEOs, CIOs, CISOs, security administrators, etc. Why should decision-makers concern themselves with the topic?
Kolarow: Decision-makers per se carry a heavy responsibility for all the assets and people in their company. At the same time they must be role models and multipliers for their management teams. It has to be clear to them that in today's world it is not only purely commercial aspects, but also security aspects, that determine whether their own company will grow or disappear from the market. They must consider security as a self-evident component of their management remits which contributes to the sustained value of the entire organization. Security awareness is therefore to be viewed as an inherent aspect of a comprehensive security mindset. It is not a tedious must-do task but a tool for employee development that will empower the organization as a whole to adopt security-aware conduct.
Why are you looking forward to Command Control?
Kolarow: I am of course looking forward to listening to the announced speakers and to the exchanges with experts about the latest cyber security developments. I was also stationed at several places in Southern Germany during my military service and got to know Munich as a starting-point for free weekends. I am therefore looking forward to revisiting a city of which I only have good memories.