A collaborative partnership involving energy companies, intelligence, law enforcement and stakeholders is committed to testing and guarding the resiliency of the electrical grid as America’s power comes under both cyber and physical threats.
The North American Electric Reliability Corporation takes the security of the grid seriously and remains vigilant against constantly evolving vulnerabilities, and that starts with the Electricity Information Sharing and Analysis Center (E-ISAC). The E-ISAC serves as the primary security communications channel for the electricity industry, and enhances industry readiness and its ability to respond to cyber and physical threats, vulnerabilities, and incidents – each of which has the potential to impact the bulk power system.
Through a secure portal, members share critical information and unique insight among public and private partners with the goal of reducing cyber and physical security risk across North America.
The E-ISAC, which was created in 1999 at the request of the Department of Energy, conducts trend analysis of all information shared to build the security “big picture” and identify possible threats to the entire industry. It operates in collaboration with DOE and the Electricity Subsector Coordinating Council (ESCC), which is made up of industry chief executive officers, and with government partners including the Department of Homeland Security, the FBI and the Federal Energy Regulatory Commission.
Among the comprehensive set of activities designed to strengthen North America’s grid security posture are the Cybersecurity Risk Information Sharing Program (CRISP), the annual grid security conference GridSecCon, and the biennial grid security exercise GridEx.
CRISP is a voluntary program that facilitates the exchange of detailed cybersecurity information between industry and the E-ISAC, as well as DOE and its Pacific Northwest National Laboratory. With participation of utilities serving 75 percent of U.S. electricity consumers, the program enables owners and operators to better protect their business networks from sophisticated cyber threats. Anonymized information and data from CRISP is shared via the E-ISAC portal for the benefit of all members.
NERC’s annual GridSecCon brings together cyber and physical security experts from industry and government to share emerging security trends, policy advancements, and lessons learned related to the electricity industry. The next conference is scheduled for Oct. 16-19, 2018.
GridEx began in 2011 and takes place every two years. The severe simulated cyber and physical attack scenarios allow utilities, government partners and other critical infrastructure participants to engage with local and regional first responders, exercise cross-sector impacts, improve unity of messages and communication, identify lessons learned and engage senior leadership.
The attack scenario is designed to overwhelm even the most prepared organizations, and allows learning from “real world” attacks and impacts on critical infrastructure, such as those seen in Ukraine in 2015 and 2016. NERC uses input from participants to develop observations and propose recommendations to help industry enhance the security, reliability, and resilience of North America’s bulk power system. GridEx has seen a steady increase in engagement by industry stakeholders and government officials over the life of the program.
It takes member engagement — voluntarily gathering and sharing information that is valuable and actionable among industry members — for the E-ISAC to identify emerging threats and provide members with early warnings, and potentially reach other subject matter experts. More participation means a better finger on the pulse of emerging trends that will allow members to proactively reduce cyber and physical risk. All information shared with the E-ISAC is protected and never shared with any personnel with roles in the Compliance Monitoring and Enforcement Program.
A specific program to drive up trust in the E-ISAC’s protection of information shared by members, as well as to provide a knowledge exchange between analysts, is the Industry Augmentation Program. This program embeds security experts from electric utilities at the E-ISAC for a week at a time, and participants share information on their own crisis response procedures and incident handling experience. They also see how the E-ISAC functions to take in and analyze information, the tools available, and the care taken by the staff to safeguard shared information. The E-ISAC’s expertise includes:
- Understanding the intent behind attacks and campaign attribution of indicators: By identifying adversary campaign tactics, techniques, and procedures (TTP), the E-ISAC can share actionable indicators and specific strategies that members can take to mitigate the threat. Additionally, increased sharing from industry allows the E-ISAC to do predictive analysis on future threat TTPs.
- Reverse-engineering malware and assisting in better understanding an event: The E-ISAC has access to closed-environment malware analysis systems that perform static and dynamic analysis on files submitted for malware analysis, and has strong partnerships with government organizations such as the National Laboratory system to increase analytical capability.
- Identifying additional information within the industry or other critical sectors: The E-ISAC works with other cross-sector ISACs to share indicators of compromise that may pose a threat to the electricity industry and our stakeholders.
Together, these partnerships and proactive measures help keep the country’s lights on as a range of threats from hackers to disasters try to compromise the grid.
NERC’s E-ISAC continues to build and refine its products and services in its quest to be a world-class, trusted source for quality analysis and rapid sharing of electricity industry security information in the manner that is best for grid security in North America. To become a member of the E-ISAC or for questions on the programs and services available to members, please send an email to [email protected].