February 21, 2018
By Jeannine Anderson
Two cyber security experts – one from the East, one from the West – came to Washington, D.C., in late January to spend a week at the headquarters of the Electricity Information Sharing and Analysis Center, or E-ISAC. The two took part in a new pilot program to help utilities get to know the E-ISAC better and to give the agency feedback on how to better inform the U.S. electricity industry about cyber and physical attacks.
In interviews, these two utility officials – Jeff Staten, senior cyber security analyst with the New York Power Authority, based in White Plains, New York, and Nick Giaimo, principal security analyst with the Salt River Project near Phoenix, Arizona – talked about what the week at E-ISAC was like and discussed some of the initial lessons learned from the pilot project, called the E-ISAC Industry Augmentation Program.
In separate interviews, others involved with the project talked about how the idea for it came about and explained how participation in the program – which is currently limited to members of the Large Public Power Council (LPPC) – could be expanded later this year to include investor-owned utilities, public power utilities, and rural electric cooperatives. The second round of the pilot project is scheduled for late February into early March, and a third round is scheduled for late April into early May.
Intel from utilities is key
The E-ISAC staff “have connections to threat intelligence that folks in the industry don’t have,” and do a good job of analyzing that information, NYPA’s Staten said in a Jan. 29 interview. But it also is very important for the E-ISAC to receive pertinent information from the electric utility industry, he said.
“The more information they get, the better the analysis,” Staten said.
“If you don’t share information, you don’t get analysis,” he said. “If you don’t get analysis, you don’t get the bigger picture.” And utilities that report information to the E-ISAC can take advantage of the agency’s ability to synthesize and analyze data, he noted.
Both NYPA’s Staten and SRP’s Giaimo said that one of the initial lessons learned from the first week of the pilot program is that working alongside the E-ISAC staff, and getting to know the agency’s work processes, helps build trust between the ISAC and the electricity industry.
The E-ISAC is operated by the North American Electric Reliability Corporation, which sets mandatory reliability standards for the U.S. electric utility industry. Its offices are at NERC’s headquarters in Washington, but are physically separate from the rest of NERC, and E-ISAC staffers sign a code of conduct preventing them from disclosing any confidential information to others at NERC.
‘Firewall’ separates E-ISAC from rest of NERC
Staten said that, among other things, spending the week at the E-ISAC offices showed him and Giaimo that the ISAC is a separate organization, with a separate budget and office space that is walled off from the rest of NERC and is accessible only to E-ISAC staff.
“We observed a great sensitivity” by E-ISAC staff about “where the firewall is between the E-ISAC and NERC,” said Staten. There is “a clear boundary between E-ISAC and NERC.”
The E-ISAC is very careful about how it handles information that it gets from utilities, he added.
As an example, Staten said, “Say a phishing email is sent to a CEO,” and the utility reports this to the E-ISAC. The agency’s staffers “keep that information anonymous,” he said. “They sanitize it to make sure that the source of the information is not going to be revealed.”
The NYPA official noted that before spending the week with E-ISAC, he was aware of its watch floor and analysis team, but did not know about the full extent of the publications, workshops and other educational materials the E-ISAC produces. Those include daily, weekly and monthly reports, as well as special alerts and bulletins. The E-ISAC also takes part in and facilitates public and private sector participation in GridEx, the major NERC exercise held every other year; and its annual grid security conference, GridSecCon.
E-ISAC wants feedback from utilities
Staten emphasized that those who work at the E-ISAC are very eager to get feedback from the electric industry on what they do and want to know how they can improve.
“They were very solicitous of criticism – everybody was very open,” he said.
Asked for any advice he might give to others in the utility industry who are interested in taking part in the Industry Augmentation Program, Staten said that anyone presented with the opportunity to be in this type of exchange program should take advantage of it.
“Do it,” he said. “You’re going to learn so much.”
The Industry Augmentation Program encourages “better communication between the industry and the E-ISAC,” said the SRP’s Giaimo. The E-ISAC “is trying to look at various ways they can raise awareness of their role and increase engagement with industry,” he said in a Jan. 30 interview.
He and Staten “gave feedback as to which [of the E-ISAC’s] products we were aware of or were not aware of,” Giaimo said.
The face-to-face exchange made possible by the week at the E-ISAC’s headquarters was “extremely beneficial,” he said.
Getting to know E-ISAC – and each other
“Getting to know each other, examining their processes and tools, and giving them a glimpse into our processes” meant that he and Staten came away with a more detailed understanding of what goes on at the E-ISAC, said Giaimo. In turn, the E-ISAC staff gained a better understanding of how grid security operations take place at the utilities where the two industry participants work.
It also was a good opportunity for him and Staten to talk shop, he said.
“Jeff and I had numerous conversations about things going on in our organizations,” Giaimo said. “There is a lot of value in having that kind of community within the industry.”
The agency’s watch floor resembles a security operations center, with monitors on the walls, said the SRP official.
“It was helpful to see what their process looks like – see how they follow up with industry,” he said.
Asked whether he too would recommend the program to others in the electricity industry, he said, “I certainly would.”
These days, Giaimo observed, attackers “are becoming more highly organized, more well-funded.”
“Essentially anyone who has a presence on the Internet is going to be exposed to these types of threats,” he noted. “Then there are people who are interested in our sector specifically.”
When asked why people want to attack utility systems, he said such efforts can be motivated by different factors. There could be a financial reason for trying to extract customers’ data, or for gaining access to a utility’s network and then using it in various ways – for example, for cryptocurrency mining. A nation-state may want to obtain sensitive information about utility or grid operations that could be used later. People sometimes hack systems just to see if they can do it, as well, and sometimes there are “crimes of opportunity,” he said.
Whatever the reasons behind the attempted incursions, the E-ISAC helps utilities guard against them by uniting people within the electric utility sector, Giaimo said: “We’re better together.”
‘Trust is the cornerstone’
The Industry Augmentation Program pilot “is something we’ve been wanting to do for quite some time,” said Steve Herrin, the E-ISAC’s director of operations. It is “vital to get face-to-face feedback from the industry on how the E-ISAC operates,” he said in a Feb. 2 interview.
Asked about the preliminary lessons learned, and the role of trust in the relationship between the E-ISAC and utilities, Herrin said, “Trust is the cornerstone of the information-sharing concept.”
Without trust, he added, “no one wants to share anything.”
When someone from a utility shares its information with the E-ISAC, the E-ISAC is extremely careful what it does with that information, he said.
“We handle the information based on how the participants want us to,” Herrin said. The sharing of information is limited using a system of traffic light protocols, or TLP – a color code for the information. The utility – or whoever is sharing something with the E-ISAC – decides what TLP rating will apply to the information.
In the first week of the Industry Augmentation Program, the participants from NYPA and SRP “were really able to grasp how much the E-ISAC is a trusted source for quality analysis,” and for the rapid sharing of possible threat information, he said.
The E-ISAC “is very interested in getting feedback, to make their processes work better,” said Michael Fish, a Salt River Project official and a member of the Industry Augmentation Program Working Group, in a Feb. 1 interview. The working group is part of the LPPC’s Cyber Security Task Force, which helped create the IAP pilot program.
Fish, who is senior director of Enterprise Cyber Security at SRP, said the first week of the pilot project, held at E-ISAC’s offices Jan. 22-26, went very well.
“I think it was very successful,” Fish said. Some refinements may be made to the program in the coming weeks and months, he said, but so far, so good.
“I think we’re off and running,” he said.
The second round of the pilot project will take place the week of Feb. 25, with LPPC participants from the Nebraska Public Power District and the New York Power Authority. The third and last round of the pilot program is scheduled for the week of April 29, with LPPC participants from the Sacramento Municipal Utility District in California and JEA in Jacksonville, Florida.
E-ISAC had the idea; LPPC made it happen
The goal of the pilot program is “to provide the industry participants with a first-hand appreciation of the E-ISAC’s work processes and practices,” including its relationships with government agencies and other ISACs that have been created to protect critical infrastructure, notes the draft E-ISAC Industry Augmentation Program Manual for Pilot with the Large Public Power Council. Another objective of the pilot is “ultimately making the program available to the entire industry,” says the draft manual, which is being updated based on feedback from the pilot program.
The idea is for the electric utility industry to collaborate more with the E-ISAC and others “to raise our collective cyber security posture,” said Randy Crissman, senior consultant-utility operations with the New York Power Authority, who helped organize the pilot program on behalf of the LPPC and the E-ISAC.
Crissman said the idea for the pilot program came a couple of years ago, when he attended a presentation made by Marcus Sachs, the former NERC chief security officer who left the organization in November. Sachs mentioned the idea of a program that would bring utility people to the E-ISAC’s watch floor. The watch floor handles incoming information from utilities and others about possible incursions or other threats.
The idea was that the utility people, if they came to the E-ISAC, could help provide feedback on how well E-ISAC processes and products – such as bulletins, alerts and daily reports – were working from the point of view of the industry participants. At the same time, the E-ISAC could learn first-hand from the industry participants details about how their utilities’ cybersecurity programs are put together.
When the LPPC’s Cyber Security Task Force became aware of the E-ISAC’s desire for a pilot program that would make such an exchange possible, the task force began pursuing such a program, and formed the Industry Augmentation Program Working Group to work through the details.
Crissman did much of the ground work, setting up conference calls with LPPC and E-ISAC officials.
The objective was to help the E-ISAC pilot the program “and work out the kinks,” Crissman said in a Jan. 31 interview. The LPPC would help to create an experimental program at the E-ISAC which, if successful, would become a permanent, self-sustaining program that then would be opened up to the rest of the electricity industry.
Electricity is ‘built into everything’
Electricity “has made its way into the U.S. culture, and is as important as food or water,” said Kenneth Carnes, the New York Power Authority’s vice president and chief information security officer, in a Jan. 31 interview. Electric power is now essential and is “built into everything,” he said.
Carnes, who is a member of the LPPC’s Cyber Security Task Force, was in Washington, D.C. to help launch the program the week of Jan. 22.
He called the Industry Augmentation Program “a big win for both sides of the table” – the utility people who take part, and the E-ISAC staff – and added that the E-ISAC has been very supportive of it.
“I’m hoping we can continue” the program once the pilot stage is over, and possibly “use this as a model for any other ISACs” who might be interested, Carnes said.
He said the pilot program is a credit to the public power sector, which “has a strong history of collaboration.”
Pilot program dovetails with strategic plan
The Industry Augmentation Program “is one of the tools in our toolbox that we’ve been very thankful for, with Randy Crissman’s leadership,” said Bill Lawrence, director of the E-ISAC. The pilot program also fits well with the E-ISAC’s five-year strategic plan, which focuses on continuously improving information sharing, analysis, and engagement, he said, adding that the E-ISAC is currently recruiting for several new job openings, including more cyber and physical security analysts, and a director of engagement.
The industry has a vested interest in the E-ISAC and wants it to be a world class organization. SRP’s Fish is also the public power representative on the E-ISAC member executive committee that provides strategic leadership and direction to help guide the future of the E-ISAC.
For the industry participants coming to Washington, the new program “beefs up trust in the area of information sharing,” he said. “We show them how we go through the information-sharing process.”
The information is shared using the traffic light protocol, or TLP. If a utility tells the E-ISAC something, the utility can designate that information as TLP red, amber, green or white. If it’s TLP red, it must be tightly restricted – not shared even among E-ISAC officials.
If the information is designated as TLP amber, it can’t go outside the E-ISAC’s walls. If it’s TLP green, the E-ISAC can share the information with others who it believes have a reason to have this information. TLP white means the information is public.
The E-ISAC takes this system “extremely seriously,” said Lawrence, adding that the E-ISAC works hard to build trust with information providers while protecting their identities. The E-ISAC, he noted, also readily accepts information that is shared anonymously.
Industry ‘has done a good job of defending itself’
Despite the proliferation of potential threats, “we are not one click away from the whole grid going dark,” Lawrence said.
“Once you start looking at taking down a major utility, then the next one,” and then the one after that, “it rapidly becomes a very challenging problem,” he explained, adding that this is due, in part, to the reliability standards set by NERC.
Asked about the possibility of an electromagnetic pulse (EMP) attack, he noted that the Department of Defense is capable of doing something about such a scenario, and said several utilities are stockpiling large transformers in EMP-shielded facilities.
“We consider all threats,” he said. “As scary as it looks out there, I think the industry has done a very good job of defending itself.”
Asked about the issue of trust, he said, “I’ve seen a shift in the willingness to trust us.”
Lawrence pointed out that the E-ISAC, though housed at NERC’s headquarters, is physically separate from the rest of NERC.
“We also have a code of conduct that prevents us from sharing any of our analysis,” he said. No identifying information about a utility can be shared with anyone doing work on enforcement of NERC’s reliability standards. The text of the code of conduct can be found at www.nerc.com.
A new portal, a growing staff
Lawrence pointed out that the E-ISAC introduced a new, upgraded portal in December, and said, “we’re trying to build up stakeholder use of the portal.” He also noted that the E-ISAC staff is expanding: it stands at 25 now and is set to grow to 52 in the next five years.
The portal is a secured site that is open to owners and operators of electric utility assets in the U.S., Canada and parts of Mexico. Although the E-ISAC is part of NERC, all utilities can sign up for notifications from E-ISAC – they do not have to be registered with NERC.
Those in the electric industry who have not yet signed up for an account via the E-ISAC portal can do so by going to the E-ISAC’s website or by sending an email to firstname.lastname@example.org. Current users of the portal, as well as those who would like to join, are encouraged to provide feedback and/or seek technical support by contacting the E-ISAC at email@example.com or (404) 446-9780.
The American Public Power Association has encouraged its member utilities to sign up for the E-ISAC's portal to get alerts and resources to monitor and manage cyber threats.