The U.S. power grid’s hub for cyberthreat information got word last December that hackers had breached FireEye Inc., one of the world’s largest cybersecurity companies.
FireEye wasn’t the only victim: Several government agencies soon discovered that they, too, had been swept up in a massive hack of Austin, Texas-based IT firm SolarWinds Inc., whose hijacked Orion software product was also used by many large electric utilities.
"We immediately spun up into response mode," said Manny Cancel, CEO of the Electricity Information Sharing and Analysis Center (E-ISAC), in a recent interview. The information clearinghouse — Cancel likens it to a "town crier" — sent an alert to its more than 1,200 members, which collectively oversee the bulk of the U.S. electricity system.
While about a quarter of respondents had installed the malicious Orion update, the energy sector appears to have escaped the brunt of the SolarWinds hacking campaign, according to the North American Electric Reliability Corp., which operates E-ISAC (Energywire, April 14).
But as a string of other cyberattacks has buffeted U.S. critical infrastructure in recent months, E-ISAC is grappling with a flood of information about urgent threats like ransomware, which locks up victim computer files and demands payment for the key.
Within the past year, E-ISAC "doubled the amount of information that we pushed out, which is pretty dramatic," Cancel said. "My concern is: How do you keep up with this? How do you separate signal from noise?"
At stake is the security of one of the most complex machines ever built: the U.S. electric grid. The constantly changing nature of cyberthreats, combined with the transformation of the grid toward clean energy and its increasing dependency on digitization, means that, for utilities, data reigns supreme.
But getting information on hacking threats isn’t easy. E-ISAC has faced industry skepticism because utilities can face multimillion-dollar fines if they fail to keep up with mandatory cybersecurity standards set through NERC. Though the nonprofit grid overseer keeps E-ISAC cut off from its enforcement division, some analysts say utilities may be wary of volunteering details of the latest hack.
In recent months, the Biden administration has placed a renewed emphasis on improving the cybersecurity relationship between the private sector and federal government, with the hope of gaining a deeper understanding of the threat landscape. E-ISAC is one of the main conduits for the White House to get information out to the electricity industry, quickly.
It’s also a two-way street. While E-ISAC was sending out information to the electricity sector on the SolarWinds hack, it was simultaneously sending anonymized reports back to the government on how the industry may have been affected.
In the days after the breach was uncovered, E-ISAC set up industry webinars alongside the Department of Homeland Security and issued technical bulletins incorporating information from government agencies as well as private companies like Microsoft Corp., SolarWinds and cybersecurity firm CrowdStrike.
At least nine agencies, such as the Department of Energy, were affected by the SolarWinds hack, but by late December, it was still unclear how far the hackers had reached into the private sector. The supply chain attack using the compromised Orion software affected around 18,000 customers, though far fewer were hit by further intrusions.
‘Very critical’
Drawn out of a presidential action and established in 1999, E-ISAC stands as the main information sharing center for the electricity sector at a time when cyberthreats are constantly evolving, when ransomware can threaten a small business just as easily as it can bring down a pipeline, and when U.S. intelligence officials estimate elite state-backed hackers have the capability to bring down sections of the grid — even if only for a few hours.
The information center, which is based in Washington, acts as a filter for government and private intelligence, sending out only what it deems relevant to the electric industry.
"We analyze intelligence, we distribute intelligence, we curate it, and maybe provide more context in terms of what it means to the electricity sector," Cancel said.
Steve Swick, vice president and chief security and privacy officer at Ohio-based utility holding company American Electric Power Co. and member of E-ISAC’s executive committee, said that the information-sharing hub has significantly grown since its founding.
"When I first started, we did not consider it a viable source of information," Swick said. "But now they’re very critical."
Swick said AEP automatically adds threat indicators from E-ISAC into its own network scanning and blocking systems.
He also praised new capabilities at E-ISAC, such as assessing potential threats from the "dark web," which requires use of the anonymizing Tor Browser to access.
But he also acknowledged that some industry skepticism remains about the firewall between NERC, the regulator, and E-ISAC, the information collector.
"They’ve made the separation clear, except there are still a few utilities that have concerns around that. So that’s something they’ll probably continue to fight for a while," Swick said.
Patrick Miller, CEO of Ampere Industrial Security and former NERC auditor, has long been an advocate of removing E-ISAC from NERC entirely.
"I think it’s great at what it does. I think it could be much, much more if it wasn’t part of NERC," Miller said, going on to say E-ISAC is "notoriously inefficient."
Some utilities were also concerned with the Department of Energy-backed Cybersecurity Risk Information Sharing Program (CRISP) that’s managed by E-ISAC, Miller said.
That program is centered on a sensor technology and data platform that gets information straight from the computer systems of participating utilities. The effort is one of few examples of a government-linked program actively scanning private U.S. networks.
"It actually covers a substantial portion of electricity customers in the United States. I’m talking about the largest utility companies in the United States that participate in the program," Cancel said. "That is one thing that is unique, and it is a really good example of a pretty effective public-private collaboration."
When CRISP sees malicious or suspicious activity, it will send an alert to the utility in real time. During the SolarWinds hack, that information was used to let government agencies know that there was little activity in the electricity sector, Cancel said.
But CRISP also faces concerns from utilities, Miller said. E-ISAC has pushed hard for power providers to buy the technology, he said, which cost hundreds of thousands of dollars around the time of the SolarWinds hack. But utilities haven’t always trusted where that information would go or who would see it.
The cost of deploying CRISP sensors has dropped recently, and Cancel said that E-ISAC is looking for additional ways to bring the price down. Cancel said that compared to other types of technologies, the tool is a relatively cheap defensive resource.
"How can you extend CRISP to smaller entities, who may not have the capital that a large [investor-owned utility] has? We’re actively working on those sort of things," Cancel said.
The information hub is also exploring adding operational technology, or OT, scanning to the CRISP program, which would boost visibility into the networks that physically manage the flow of electricity.
OT scanning has been a Biden administration priority: President Biden announced earlier this year a 100-day grid security sprint in part aimed at gleaning more data on potential threats to OT networks.
E-ISAC and industrial security firm Dragos Inc. announced that they’re working together to add an OT scanning technology. The National Rural Electric Cooperative Association also recently announced that it has deployed its own OT scanning technology, Essence, to 57 co-ops — paving the way for it to be added to CRISP, Cancel said.
While E-ISAC remains a key conduit between the energy sector and government, the nearly decade-old concerns about its NERC links appear to be limiting the number of active participants. In 2019, 10% of E-ISAC’s members voluntarily shared any information through the hub’s secure portal, with a couple of entities making up a significant portion of the submissions, according to the organization’s 2020 long-term strategic plan.
Cancel said E-ISAC offered a few explanations for those numbers. One is simply employee bandwidth, he said: Many utilities under an active cyberattack may not be thinking about voluntarily giving out info to E-ISAC.
The other explanation is that utilities are still suspicious that sharing will land them in hot water with NERC cybersecurity auditors.
Cancel said that E-ISAC routinely assures utilities that there is no information shared with the regulatory side. Utilities can also share data anonymously, Cancel said, and choose which groups within E-ISAC see those indicators.
But the tension between private companies and government agencies is overshadowed by threats to critical infrastructure by hackers who have little fear of reprisal.
The Cybersecurity and Infrastructure Security Agency, the top civilian U.S. cybersecurity authority that works with E-ISAC on a daily basis, has doubled down on the need for information sharing as threats to the electricity sector and other industries grow. Cancel said that CISA is "one of the predominant sources of information" for critical infrastructure operators and that "we both need each other to accomplish our mission."
"We all know that phrases like ‘public-private partnership’ and ‘info-sharing’ have become hackneyed bumper stickers," CISA Director Jen Easterly said earlier this month. "My goal is to ensure that new life is breathed into them, to turn public-private partnership into public-private operational collaboration, and information sharing into something that is always timely, relevant and, most importantly, actionable — able to be used by a network defender to help increase the security and resilience of their networks."