In corporate-speak, “keeping the lights on” means doing the bare minimum to keep the business running. But to the members of the Electricity Information Sharing and Analysis Center (E-ISAC), keeping the lights on is everything.
It’s a critical time for electric utilities and the energy sector as a whole – but isn’t it always? The U.S. recently crossed the halfway point of the Department of Energy’s 100-day plan to safeguard the energy supply chain and in particular bolster the cybersecurity of electric utilities’ industrial control systems.
Meanwhile, the recent ransomware attacks on the Colonial Pipeline and attempted sabotage of local water supplies (including a newly reported attack on the Bay Area) have raised mainstream awareness of the chaos that can ensue when hackers target critical infrastructure. U.S. President Joe Biden even raised this concern in a summit with Russian President Vladimir Putin in which he cited 16 areas of critical infrastructure that should be off limits to state-sponsored and state-supported hackers.
One of the new tools that E-ISAC’s approximately 1,200 North American members can now use to protect their assets is Neighborhood Keeper – an opt-in, sensor-enabled data collection and information-sharing network from Dragos. Developed with the support of the DOE, which piloted the technology, the network will aggregate data on threat analytics and indicators of compromise and then share it with the community so they can respond accordingly.
And because the data is anonymized, it can be safely shared with government partners as well. “The challenge – and what's been widely acknowledged within government circles – is that government does not own critical infrastructure. It’s owned by the industry, and they do not have visibility into the activities that may be going on into our [energy] customers,” said Ben Miller, vice president of professional services and R&D at Dragos. However, this solution “offers that venue for government partners to gain visibility, but in a safe fashion, that does not run risk of [exposing] customer data.”
The benefit: “more visibility and insights into what's going on in these OT networks,” said Manny Cancel, E-ISAC’s senior vice president and CEO. “What are the traffic patterns that are there? What are things that look malicious? What are indicators of compromise? Who are potentially the adversaries that are trying to do these things?”
Manny Cancel, E-ISAC’s senior vice president and CEO, recently addressed these latest developments, in a Q&A interview with SC Media.
Explain in more detail the value behind your expanded relationship with Dragos and its info-sharing network.
The value will be, as I said, the visibility. There is value in terms of seeing the patterns of traffic, the indicators of compromise, the techniques that the adversaries may be using… You can build a risk mitigation program around that. The other thing is, it's not just the people that have these sensors in place – and this is where the ISAC comes in – after the analysis is conducted [the ISAC] can share that more broadly across its membership.
How will this expanded initiative help E-ISAC members better facilitate and execute their role in the Biden Administration’s 100-day plan to advance technologies that provide cyber visibility, detection and response capabilities to electric utilities and their industrial control systems?
Our role in the ISAC is really to facilitate the dissemination of information. You can think of the ISAC as sort of town crier, so to speak. But really we're responsible for making sure that we keep the sector up to date on physical and cyber security threats. So this is part and parcel to that mission… We'll get additional visibility and insights into what’s going on into these networks. We've [already] done a lot to do this in traditional IT networks. [But] this is an opportunity to do this in OT networks where different protocols are used and different configurations are in place.
As the E-ISAC and its members continue to innovate, you do so in the shadow of several major attacks against critical infrastructure, including the Colonial Pipeline. How have these incidents illustrated the importance of the work you are currently undertaking?
It absolutely underscored and reinforced the need for information sharing across the sector and across critical infrastructure sectors. The ransomware that compromised the Colonial Pipeline is no different than the ransomware that compromised other sectors and can compromise the electricity sector, so the more we know about those types of attacks and what can be done to prevent them, the better off collectively we are.
For example, while Colonial isn’t part of the electricity sector, once we learned about that attack we spent a lot of time monitoring and also being on the lookout for potential indicators of compromise in the electricity sector.
Has E-ISAC pursued any other collaborative and information-sharing initiatives from a cybersecurity perspective?
I would draw a parallel to another tool that we have in place across the sector known as CRISP: the Cybersecurity Risk Information Sharing Platform. Similarly, this is a sensor that sits on IT networks. This is another great example of private and public sector participation with the government. It’s a program that the ISAC oversees for the electricity sector.
CRISP has eight monitors for malicious activity – and what this essentially does is it compares [this activity] to the intelligence that the U.S. government has, and tries to identify that activity. It's also a big data platform – it learns about malicious activity that it's seen.
CRISP has paid off numerous times and detected threats that we’ve shared more broadly across the sector. A great example of this is recent: when FireEye shared the indicators of compromise and the techniques that the adversaries had executed in the SolarWinds attack, we put them into CRISP, and we started monitoring across the sector. And, fortunately, we haven't seen that. But we continue to do that to this day.
What is your reaction to Biden’s summit with Putin, including the news that the U.S. told his Russian counterpart that critical infrastructure must be off-limits to cyberattacks?
Certainly, we are supportive of any conversations that reduce the risk to critical infrastructure. Let's face it – we're talking about people here. It's [more than] shutting down electricity – and it's extended to other infrastructure. A protracted, prolonged loss of water infrastructure would be devastating.
So when you think about the socioeconomic impacts of disruptions of critical infrastructure, of course we want to be supportive of [continued dialogue between the U.S. and Russia]… I hope they do that constructively and proactively… and hopefully we get to a world where that’s more of a reality.