An advanced cyberthreat-sharing shield called CRISP has expanded to several dozen large U.S. utilities covering three-quarters of the American population.
The flip side of the story is the have-nots — the thousand-plus smaller utilities serving one-quarter of the country that don’t have the budgets or technical skills to fully deploy the Cybersecurity Risk Information Sharing Program, run by the North American Electric Reliability Corp. (NERC), the grid’s security monitor.
The Energy Department, which launched the forerunner of CRISP a decade ago, is aiming to close some of that coverage gap by creating a cheaper, simpler version of the program, known unofficially as CRISP Light.
"The department is actively working to advance the CRISP technology, to look at ways to make it faster, better, cheaper, to expand opportunities for all utilities to participate," said Henry Kenchington, DOE deputy assistant secretary for advanced grid integration, in an interview with EnergyWire.
NERC and DOE officials would not discuss the cost barriers to CRISP, but some industry officials said it can cost several hundred thousand dollars to deploy and almost that much a year to maintain, putting it out of reach for the smallest utilities.
"We need a low-cost option, and we believe there can be one," said Duane Highley, an executive at an electric cooperative in Arkansas and co-chairman of the electric power industry’s national cybersecurity coordinating committee.
"Until CRISP becomes either affordable or subsidized, the smaller utilities probably are not going to be able to take advantage of it," said Mark Weatherford, chief cybersecurity strategist at vArmour Networks Inc., a data security firm, and former Department of Homeland Security deputy undersecretary for cybersecurity.
The smaller utilities not in the program, primarily municipal power companies and co-ops, aren’t generally considered a potential threat to the nation’s high-voltage power grid, Weatherford said. But a successful hacking attack that took down any of these systems would be a jarring defeat for U.S. cyberdefense. A cyberattack that also destroyed critical grid equipment could plunge communities into crisis.
The CRISP portal is operated by NERC’s Electricity Information Sharing and Analysis Center (E-ISAC), the power industry’s top-level cyberthreat-sharing organization, in partnership with the Pacific Northwest National Laboratory and Argonne National Laboratory. It became fully operational last year and runs on a current budget of $8 million. Most of the costs are covered by participating utilities, NERC says.
CRISP’s attack-sensing hardware is positioned on utilities’ exterior boundaries to intercept threat information and send it over secure channels in encrypted form to PNNL and the Argonne lab. Laboratory experts analyze the data and send back alerts and defensive tools to utilities to thwart attacks, while protecting the identities of utilities that supply the data.
Some of the threat data can be shared by all the utilities registered with E-ISAC, including some co-ops and municipal utilities that are not paying E-ISAC members. But these are not full partners, and they face a risk of falling further behind larger utilities as new, automated "machine-to-machine" threat communications programs are developed that process cyber data faster by reducing the need for hands-on operations.
DOE’s Kenchington said, "We’re looking at new technologies to make it [CRISP] more effective. That effort on our side is continuing and ongoing. We are talking with all the utilities and the energy sector on how to improve how we share information, not only the technology but the protocols, and what’s the best way to do these things, because it’s not a trivial matter."
DOE, DHS offer cyber pitches
While DOE and NERC expand their program, the Department of Homeland Security is doing the same, offering a new automated indicator sharing (AIS) program that provides threat information, such as malicious internet addresses or email addresses that are sending out phishing campaigns to gain access to company email networks.
It remains to be seen whether the DOE and DHS programs will be complementary or competing. They are not closely aligned at this point, some experts say.
Andy Ozment, DHS assistant secretary for cybersecurity and communications, said his department’s push now is to increase the use of AIS in critical infrastructure sectors.
"It’s real. It’s live," Ozment said of the AIS platform. "We need the audience to sign up and start sharing with us today and start receiving all the information we are pumping out every day. It’s there," he added in an interview with EnergyWire.
"If you are a small or medium-sized business and have never dealt with threat indicators before, then this is a great way to start because we’ll give them to you free. It doesn’t make their life impossible," Ozment said of AIS’s impact on potential cyberattackers, "but it certainly makes their job harder."
Ozment said the AIS program had reached three dozen companies by late spring this year and has been adding a handful a week. "This is not a program where we’re going to go from zero to 100 percent overnight," he said. "I love where we are right now, and I see us steadily increasing."
Another elaboration of the DHS platform is the enhanced cybersecurity sharing (ECS) program, which channels classified cyberthreat data to selected information technology firms that process the data and pass unclassified versions on to companies for a fee. ECS is designed to filter out emails that have specific threat signatures, block access to identified malicious internet sites and perform threat detection (EnergyWire, Oct. 13, 2015).
"A utility can pay one of those managed security service providers essentially to be protected using that classified information. They don’t need the complicated clearances and special facilities. They are paying a service provider who scrubs their traffic and blocks attacks using classified information," Ozment said.
A DHS spokesman declined to discuss the cost of ECS or the number of utilities that participate. An industry official who was not authorized to speak on the record said last fall that the percentage of U.S. energy companies in the program is still in the single digits. The official said that the cost varies with the size of the utility and typically runs around $5,000 a month, not a stumbling block for a billion-dollar-a-year utility but quite possibly outside the budgets of the smallest power companies.