Cybersecurity and Physical Security

The grid security benefits of sound data and information management

Assuring the security of the bulk power system in North America depends on a multi-faceted, cost-effective data and information exchange that provides the maximum benefit to system asset owners and operators. The North American Electric Reliability Corporation’s (NERC’s) Electricity Information Sharing and Analysis Center (E-ISAC) continues to improve its capabilities for the secure exchange of data and information with industry and government through updates to programs, procedures and controls.

NERC’s E-ISAC first became the focal point for voluntary information sharing within the electricity subsector 20 years ago, following a Department of Energy (DOE) request. In addition to its long-standing relationship with DOE, the E-ISAC’s government partners include the Department of Homeland Security (DHS), the FBI and the Federal Energy Regulatory Commission (FERC) Office of Energy Infrastructure Security (OEIS). By 2006, the E-ISAC had become the hub for securely collecting, analyzing, and distributing voluntarily shared security information. E-ISAC capabilities have continued to mature since, reaching a milestone in threat data collection with the industry-wide launch of the Cybersecurity Risk Information Sharing Program (CRISP) four years ago.

At its core, CRISP is a data collection and analysis program. CRISP participants share the Internet traffic flowing in and out of their business networks; that traffic is collected and analyzed by DOE and one of its national laboratories against both unclassified and classified threat information. Findings from the analysis are shared with CRISP participants within a day, and any actionable indicators of compromise are shared through the E-ISAC portal with all asset owners and operators, whether or not they participate in CRISP. Currently, CRISP-participating utilities serve more than 75 percent of U.S. electricity customers.

E-ISAC members benefit most when the information shared comes with specific analytical context. E-ISAC staff, in collaboration with DOE and its intelligence analysts, work to share an unclassified description of the adversary’s tactics, techniques, and procedures (TTPs), how the threat was identified, and the methods to prevent or mitigate it. I am encouraged by the leadership and continued support from public power in the E-ISAC Industry Engagement Program (IEP). This program, which embeds industry cyber and physical security analysts at the E-ISAC for three days, has helped educate E-ISAC staff on the products and services that are valuable to industry. We have also been able to build better trust relationships with our industry partners as they see what data is most helpful to share and see for themselves how the E-ISAC safeguards all information.

As a complement to CRISP, the E-ISAC is partnering with industry and government on the design of programs to detect and defend against industrial control system threats, including DOE’s Cybersecurity for the Operational Technology Environment (CyOTE) program. Effective responses to threats targeting operational or business networks can be developed collaboratively using the E-ISAC model, assuring a continent-wide approach to grid security and resilience.

To safeguard data and information voluntarily shared by industry members, the E-ISAC follows its Code of Conduct, shares information with members and partners according to the originator’s control, and safeguards the information on its portal to meet data security needs.

The E-ISAC Code of Conduct stipulates that E-ISAC staff will not report or convey information about possible industry violations they may encounter or learn about in the course of their E-ISAC activities to NERC’s Compliance Monitoring and Enforcement Program (CMEP) personnel. The Code of Conduct also bars the E-ISAC from releasing to CMEP personnel any attributed, protected information gathered to assist E-ISAC analysis and identification of emerging threats.

E-ISAC collaboration with industry at the most senior executive level occurs with utility chief executive officers through the industry-led Electricity Subsector Coordinating Council (ESCC). The ESCC serves as the principal liaison between leadership in the electric power sector and in the federal government, with the mission of coordinating efforts to prepare for national-level incidents or threats to critical infrastructure.

To further encourage the trusted, voluntary exchange of sensitive information, the E-ISAC and its members and partners use the Traffic Light Protocol, adopted from DHS, which restricts how far shared information may be redistributed. There are four categories:

  • RED: Sharing is restricted to the E-ISAC and parties directly involved in the specific exchange, meeting or conversation in which it was originally disclosed.
  • AMBER: Sharing is restricted to members within an organization who need to know in order to act on that information.
  • GREEN: Sharing is permitted for the awareness of all participating organizations as well as with peers within the broader community or sector, but the information is not to be posted or shared publicly.
  • WHITE: Sharing is for public distribution and release.
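The four markings above are only useful if something enforces them at the point of redistribution. The following is an added example, not code from the E-ISAC or its portal: a small Python module that extracts a TLP marking from a subject line or banner, decides whether one organization may pass an item to a given recipient under that marking, keeps re-marking under the originator's control, and gives an aggregated report the most restrictive marking of its inputs. The bulletin and recipient fields, the organization names, and the rule that a combined product inherits the most restrictive marking are assumptions made for the example (the last is common TLP practice, not something the article states).

```python
"""TLP dissemination control for voluntarily shared security bulletins (added example)."""
import re
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import Iterable, Optional


class TLP(IntEnum):
    """Traffic Light Protocol markings, ordered from least to most restrictive."""
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


# Matches "TLP:AMBER", "tlp: amber", etc. in subject lines or email banners.
_TLP_RE = re.compile(r"\bTLP:\s*(RED|AMBER|GREEN|WHITE)\b", re.IGNORECASE)


def parse_tlp(text: str) -> Optional[TLP]:
    """Return the marking found in `text`, or None.

    An unmarked item is deliberately NOT defaulted to GREEN or WHITE:
    the caller should treat None as "not shareable until the originator says so".
    """
    m = _TLP_RE.search(text)
    return TLP[m.group(1).upper()] if m else None


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str
    originator: str            # organization whose marking controls redistribution
    tlp: TLP
    participants: frozenset    # organizations party to the original exchange (matters for RED)


@dataclass(frozen=True)
class Recipient:
    org: str
    in_sector: bool            # member of the electricity subsector community
    need_to_know: bool         # holds a role that must act on the information


def may_share(item: Bulletin, holder_org: str, rcpt: Recipient) -> bool:
    """May `holder_org`, which already holds `item`, pass it on to `rcpt`?

    This models redistribution by a recipient organization; the originator
    picks the initial audience itself when it assigns the marking.
    """
    if item.tlp is TLP.WHITE:
        return True                                   # public release
    if item.tlp is TLP.GREEN:
        return rcpt.in_sector                         # peers in the community, never the public
    if item.tlp is TLP.AMBER:
        return rcpt.org == holder_org and rcpt.need_to_know   # inside own org, need-to-know only
    return rcpt.org in item.participants              # RED: parties to the original exchange only


def can_remark(item: Bulletin, actor_org: str) -> bool:
    """Only the originator may raise or lower a marking (originator's control)."""
    return actor_org == item.originator


def remark(item: Bulletin, actor_org: str, new_tlp: TLP) -> Bulletin:
    if not can_remark(item, actor_org):
        raise PermissionError(f"{actor_org} is not the originator of {item.bulletin_id}")
    return replace(item, tlp=new_tlp)


def aggregate_tlp(items: Iterable[Bulletin]) -> TLP:
    """A product built from several items carries the most restrictive input marking."""
    return max(i.tlp for i in items)


if __name__ == "__main__":
    # Constructed sample data, not real bulletins.
    eisac = "E-ISAC"
    amber = Bulletin("B-1", eisac, TLP.AMBER, frozenset({eisac, "UtilityA"}))
    red = Bulletin("B-2", eisac, TLP.RED, frozenset({eisac, "UtilityA"}))
    analyst_a = Recipient("UtilityA", in_sector=True, need_to_know=True)
    analyst_b = Recipient("UtilityB", in_sector=True, need_to_know=True)
    print(parse_tlp("[TLP:AMBER] Spearphishing indicators"))        # TLP.AMBER
    print(may_share(amber, "UtilityA", analyst_a))                   # True
    print(may_share(amber, "UtilityA", analyst_b))                   # False
    print(may_share(red, "UtilityA", analyst_b))                     # False
    print(aggregate_tlp([amber, red]))                               # TLP.RED
```

The check runs at every hop, not just at the portal: a GREEN item a member received by email must fail the same test before it is forwarded to a vendor, and an unmarked item should be held until the originator supplies a marking rather than silently treated as shareable.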

Sharing information with the right audience on any cyber or physical security threat requires well-designed, secure communications. The E-ISAC secure portal allows members and partners to select how broadly they want to share information and at what attribution level. The E-ISAC uses the same protocol when it receives information from industry members or government partners via email or phone.

As you can see, voluntary information sharing with the E-ISAC is key to raising awareness when incidents may be targeting several electric utilities at the same time. More sharing helps ensure the security of the grid and reduces cyber and physical security risks for all stakeholders, and safeguarding industry’s trust in the E-ISAC to protect that information is foremost on staff’s minds. E-ISAC members realize these benefits through customized and immediate notifications of security threats, cyber and physical security bulletins, actionable threat indicators, threat mitigation advice, peer-to-peer networking under the public power-initiated E-ISAC IEP and through portal postings, and close-up access to the planning of NERC’s annual grid security conference, GridSecCon, and grid security exercise, GridEx.

GridSecCon and GridEx are integral to the year-round cyber and physical security training for industry. GridSecCon takes place each October — National Cybersecurity Awareness Month — and focuses on protecting the grid through information sharing, education and collaboration with experts from industry and government. GridEx, which takes place in November every two years, provides the opportunity for utilities to demonstrate how they would respond to and recover from simulated coordinated cyber and physical security threats and incidents, strengthen their crisis communications relationships and provide input for lessons learned. Our next exercise is scheduled for November 13–14 this year.

The E-ISAC continues improving its information sharing systems to build on hard-earned trust and better meet industry needs as the cyber and physical security threat landscape evolves. The electric grid of the future will depend on all of us being more collaborative in sharing and analyzing threat information and mitigation measures. The E-ISAC, working together with members and partners such as the American Public Power Association, can make the bulk power system across North America more secure and resilient today and beyond.

[In 2019, the GridEx V effort includes even more value for distribution-only utilities (including those with limited generation or transmission assets). The American Public Power Association has been at the GridEx V planning table and ensured that there are numerous distribution-level “injects” that will challenge medium to small utilities and produce valuable lessons learned. To learn more about GridEx V and how to participate, join the Association for a free webinar on April 11 from 11 a.m. to noon Eastern. The webinar will feature the E-ISAC’s Jake Schmitter, Eric Ruskamp from Lincoln Electric System, and Ken Lewis from Salt River Project. To register for the webinar, please sign up here. Later this year, the Association will host its second annual Cybersecurity Summit, where attendees will be able to learn more about the latest in cybersecurity practices, trends, and technologies.]