Why Join an ISAO?
The electric sector already has an Information Sharing and Analysis Center, the E-ISAC. The sharing of information with the E-ISAC is required in some instances due to the NERC Critical Infrastructure Protection Standards. This can make some organizations wonder why another information sharing organization is needed in, or even appropriate for, the electric sector. The EnergySec Community ISAO provides complementary services apart from, or in addition to, the E-ISAC.
At EnergySec, we like to begin this discussion by talking about the Federal Bureau of Investigation. The FBI is the preeminent law enforcement agency in the United States. For some crimes, such as bank robberies, they are immediately called in and take charge of the investigation. This does not mean, however, that other law enforcement agencies don’t exist. Local police forces, state patrols, and other federal-level law enforcement agencies also exist. If a multi-state drug ring needs to be investigated, the Drug Enforcement Agency will likely be involved. If a string of car break-ins has occurred, the city police or county sheriffs will investigate. In the same way, there are some things a national-level organization like the E-ISAC is best situated to do. But just as the existence of the FBI does not preclude the existence of county sheriffs, the existence of the E-ISAC does not preclude the existence of other information sharing organizations.
You may still have some questions about why another ISAO is needed to serve the energy industry.
Why Were ISAOs Created?
ISAOs are being created in response to Executive Order 13691. This Order was released on February 13, 2015 and called for the Secretary of Homeland Security to “strongly encourage the development and formation of Information Sharing and Analysis Organizations.” The federal government has also provided direct support for the ISAO creation process. Some examples of this support include Michael Daniel, the White House’s Special Assistant to the President and Cybersecurity Coordinator, attending a summit on the ISAO creation process and the involvement of high-level DHS leaders, including Assistant Secretary Andy Ozment, in the creation of ISAO standards. EO 13691 also explicitly states that ISAOs should “engage in continuous, collaborative, and inclusive coordination” with the National Cybersecurity and Communications Integration Center (NCCIC), with which EnergySec has already begun meetings.
Why a private, member-driven ISAO?
In the process of creating standards which ISAOs will be expected to meet, the question of trust has repeatedly been discussed. Some of the questions which have been raised include how to trust information which comes from an anonymous source, transparency of sharing, and “scoring” the quality and usefulness of information. Due to privacy concerns and the relationships which E-ISAC has with the government and regulatory agency, information which the E-ISAC shares with members is anonymized, both in terms of who the victim organization is as well as who provided the information to the E-ISAC. As a private, member-driven organization, the EnergySec ISAO Community has chosen to enable the involvement of only vetted members. By sharing information with attribution, members will be able to develop trust and decide for themselves how to handle information which they receive from the community.
What are the benefits of the EnergySec ISAO?
Speed of Information Flow
Due to privacy concerns and the time it takes a regulatory- and government-affiliated organization to authorize the release of information, there can be a delay between when an ISAC receives information and when it can make that information available to members. For example, the attacks that caused blackouts in Ukraine occurred on December 23, 2015. The E-ISAC released a public report on the event on March 21, 2016. NERC, presumably working with the E-ISAC, released a private alert on the event on February 9, 2016. In comparison, ESET released Indicators of Compromise (IOC) from this event on January 3, 2016. Using the EnergySec ISAO Community on the ThreatConnect platform, as soon as a single user uploaded those IOCs to the Community, every member of the Community would have immediate access to that information.
Access to Additional Capabilities and Resources
The E-ISAC only allows electricity owners and operators to participate. By partnering with EnergySec and ThreatConnect, your organization’s intelligence and capabilities will be bolstered both by the work of EnergySec security analysts and by the ThreatConnect Research team, which is focused on tracking down existing and emerging cyber threats. The Financial Services-ISAC, generally regarded as one of the most mature ISACs, allows “Affiliate Members” from vetted companies which provide products and services to the financial services industry and can contribute to the FS-ISAC’s information sharing and analysis function.
Size of ISAO Communities
As the size of information sharing organizations increases, there may be diminishing returns, since the relationships on which trust is built become too numerous to be successful. A large, national organization, such as the E-ISAC, provides some benefits. For example, it is likely one of the only organizations which could plan and coordinate something at the scale of GridEx. However, in a smaller organization made up of vetted, trusted members, trust in the information being shared can be more immediate, as the members will be able to know the source of the information provided to the community.
Bill Nelson, president and CEO of Financial Services ISAC
“If there are some that compete, so be it…it beats one organization having monopoly control.”