A 20-year-old grid security program is getting a makeover to put murky cyberthreats into focus.
For it to succeed, the Electricity Information Sharing and Analysis Center (E-ISAC) is counting on the trust — and data — of power utilities at the front lines of the grid’s cyberdefense.
The goal is to become "a necessary piece of any electric industry security program, both in cyber and physical," said Bill Lawrence, senior director of the E-ISAC at the North American Electric Reliability Corp., an industry-led group that manages electric reliability for the bulk power system in North America.
Lawrence oversaw a recent million-dollar overhaul of the E-ISAC’s online portal for spreading the word on threats to the bulk power grid. Its budget got an 18 percent boost this year, to $21.9 million, according to NERC’s 2018 business plan. The hub is also set to more than double its current workforce over the next five years, to 52 full-time employees.
Lawrence is betting the long-term effort can cement E-ISAC into a "world-class, trusted source" for the utility industry, while keeping the federal government apprised of cyber risks to the sector.
The plan is risky. No organization, whether run by industry or government, has managed to gain the kind of grid security omniscience that Lawrence envisions. The revamped E-ISAC will rely on real-world data from hundreds of utilities to build a panoramic view of North American grid security — but first, companies have to feel comfortable sharing those data.
Kenneth Carnes, vice president and chief information security officer at the New York Power Authority (NYPA), said he’s on board and expects an "open dialogue" with the new center.
"The best way for us to be prepared is not looking just within our scope of view with our blinders on; it’s looking at what’s happening in the threat space as a whole," he said.
Carnes joined several other grid security professionals late last month for a visit to the E-ISAC’s headquarters in Washington, D.C., as part of a pilot program through the Large Public Power Council.
The E-ISAC is opening its doors to quash concerns that it shares sensitive cyber intelligence with its parent organization, NERC.
The information-sharing portal has struggled with its organizational links to NERC’s enforcement division, which can issue million-dollar fines for grid operators that fail to adhere to baseline cybersecurity and physical-security requirements. Never mind that the two arms of NERC are separated by badge-locked doors, with each governed by its own IT network and code of conduct — if a utility worries that its most sensitive cyber risks and weak points could come back to haunt it in a NERC audit, it’s not likely to submit information through the ISAC.
The new pilot project with the U.S. public power industry is partly aimed at quelling those fears.
"I personally don’t have any trust issues," said Michael Fish, senior director for enterprise cybersecurity at the Salt River Project, one of Arizona’s biggest utilities. "But I would say that one of the benefits of having this program is to understand how the E-ISAC was actually set up. The more that people understand the separation [with NERC enforcement], I think they’ll be more comfortable with information sharing."
If the E-ISAC can’t coax utilities into volunteering more data on cyberthreats, regulators at NERC and the Federal Energy Regulatory Commission could demand it.
If a cyberattack jeopardizes grid reliability, large electric utilities are currently obligated to tell NERC.
But that reporting threshold leaves out more common hacks of utilities’ corporate networks — intrusions that won’t shut off the lights anytime soon, but still might be of interest to grid overseers.
FERC has recently pushed NERC to come up with new requirements for disclosing a wider range of cyber incidents through the E-ISAC, citing concerns that current standards "may understate the true scope of cyber-related threats facing the grid."
But FERC’s proposal could throw off E-ISAC’s long-term strategy to double down on a voluntary approach.
"We have programs in place that are getting us a lot of data," said Lawrence. "It’s just going to be up to us in the near future to continue to work with our government partners on what should be required reporting and what we can still just get [voluntarily]."
Lawrence warned that forcing utilities to report certain findings could make them less inclined to look for them in the first place.
An E-ISAC pulled in too many directions — part rumor mill, part confidant and part cop — could undermine NERC’s renewed investment in the portal.
Building trust in the sharing center is "going to take something that is more than just, frankly, rearranging the desk chairs and putting more people in them," said Patrick Miller, managing partner at Archer Energy Solutions. "It’s going to take a full overhaul."
Miller suggested pulling the E-ISAC out from NERC completely, perhaps modeling the sharing center on the Federal Aviation Administration’s confidential reporting system, which is managed by a third party, NASA.
Until then, "we’re calling it ‘sharing,’ but what’s volunteered is very little," he said.
A classified advantage
Nevertheless, Miller acknowledged that the E-ISAC likely has the best, if incomplete, view of North American grid cybersecurity compared with U.S. agencies.
FERC officials haven’t seen any U.S. grid cyber incidents cross their desks in the past two years, while the Department of Energy has recorded just eight grid cyber incidents since 2015.
The Department of Homeland Security, which promises to anonymize utilities’ information and protect it from Freedom of Information Act requests, can still count annual energy-sector cybersecurity incidents by the dozen.
Meanwhile, cybersecurity spending on the "smart" grid alone could scrape $3.2 billion by the middle of the next decade, according to forecasts from research consultancy Navigant Consulting Inc.
"There are countless groups, companies and government agencies that all want to take part in information sharing," noted Fish of SRP.
Still, he pointed out that "the E-ISAC has a built-in advantage when it comes to being able to share with the electric industry."
If the E-ISAC wants more operational data from its subscribers, its subscribers want more data from government files stamped "top secret." And the E-ISAC has cleared analysts in the Washington, D.C., area who can get that sort of access.
"When the government is the one that sees a particular cyber issue, there are a lot of things that get classified," Fish said.
The information-sharing center can help cut away the classified bits — such as who might be responsible for a given cyberthreat, and how intelligence agencies reached that attribution — and pass along the rest.
"I really need to know what [the threat] is and how it’s working: The last thing I really need to know is ‘Who?’" said Fish.
Carnes credited the E-ISAC’s familiarity with the supervisory control and data acquisition (SCADA) systems that operators use to physically manage the power grid.
"It’s transmission, it’s our SCADA systems — they have a unique capability and skill to provide us value and benefit there that other ISACs can’t," he said.
The E-ISAC is expanding its reach into industrial control systems to root out any lurking "destructive threats," such as the CrashOverride malware that knocked part of Ukraine’s power grid offline in late 2016. The organization has laid plans for a pilot project to collect data from sensors in Operational Technology (OT) networks, while giving utilities the ability to map out threats to their own systems and compare them to their peers.
NERC has acknowledged that measuring the success of the added programs will be "difficult," and that new specialists will be needed to crunch numbers from a new fire hose of data.
The E-ISAC already incorporates a flood of cyberthreat indicators from its Cybersecurity Risk Information Sharing Program, which has placed intel-gathering hardware at the edge of many major utilities’ networks (Energywire, July 6, 2016).
Jeff Staten, senior cybersecurity analyst at NYPA, said the "biggest concerns" are from nation-state actors in cyberspace, given that they have the resources and expertise needed to find weak links in industrial control systems. "The E-ISAC is uniquely positioned to focus on those," he said.
Staten noted that more shifts could be in store for the E-ISAC as the entire electric power industry shifts away from sending power in one direction, from generation to distribution. Fast-growing smart grid technologies, from smart meters to solar power inverters, also need to be protected from hackers.
"The whole ecosystem is changing — it’s not just big power generation plants. We’re moving toward a more distributed power grid, by which you have consumers contributing back," he said. "We have to push the ISAC and the industry to focus on that space."