The Electricity Information Sharing and Analysis Center (E-ISAC) released Understanding Your E-ISAC (what I’ll refer to as the “Guide”) in June. Note that this isn’t a summary of the Guide, but rather is a collection of observations I made while reading it.
The Introduction of the document includes what is included every time somebody from NERC talks about the E-ISAC: the disclaimer that they are separate from NERC.
The E-ISAC is operated by the North American Electric Reliability Corporation (NERC) and functions as an independent group and is organizationally isolated from NERC’s enforcement processes. This intentional isolation was put in place to assure entities that any information shared with the E-ISAC would not be used for enforcement actions or shared with NERC compliance personnel.
This actually seems like it is less strongly worded than what I have heard in other places, such as at industry events. Normally E-ISAC people emphasize that they are separate from NERC, and wouldn’t use that “operated by NERC” language. This is related to one of my favorite visuals.

I think it’s hilarious that the E-ISAC always talks about how it’s so separate from NERC, yet they use the same template for their reports, albeit with minor tweaks in coloring and what part of the grid pattern is visible.
Anyway, the Guide starts off by talking about the benefits of information sharing, and includes most of the points that are always used in that discussion. You could basically substitute “ISAO” or “Threat Intelligence” or “CISA” for E-ISAC in this section and it would still make sense.
The Guide then goes on to discuss how the E-ISAC safeguards information. A big emphasis here is on the existence, and the following of, the E-ISAC Code of Conduct. One interesting thing from the Code of Conduct is that it defines “E-ISAC Personnel” as, “The CSO as well as all NERC employees who report to the CSO.” This is mildly interesting because the Guide includes an organizational chart.

The Code of Conduct doesn’t seem to include Tim Roxey as E-ISAC personnel, because he reports to Gerry Cauley, NERC’s President and CEO, instead of Marcus Sachs, E-ISAC’s Senior VP and CSO. I’m sure Roxey still follows the Code of Conduct, but I would think NERC would want to make that more clear.
After a section on what the roles of the Watch Operations and Analyst groups are, the Guide talks about who the members of the E-ISAC can be. It says that “Industry members include vetted electricity asset owners and operators (AOO) – or affiliates, such as trade associations and contractors – in North America.” This seems to contradict what the E-ISAC says on their website, which is that, “The E-ISAC portal is currently restricted to owner/operators and selected government partners.” The website description is the one that is actually used, as I know of at least one trade organization which has tried to get involved in E-ISAC activities and was told that it was limited to asset owners and operators.
The Guide hits the separate-from-NERC topic hard, including this part:
No personnel from NERC (including compliance enforcement personnel) and the regional entities are not allowed membership or access to the E-ISAC portal.
I’m reasonably certain this was an editing fail, as it would imply that personnel from NERC are allowed access. As a former English teacher, this made me smile. That pesky double-negative can be difficult to notice when you are reading your own writing, since in your head you know what you mean. That the “no” and the “not” are spread pretty far apart in this sentence probably increased the likelihood of the mistake being missed.
The membership section also talks about access revocation. It is the member organization’s responsibility to notify the E-ISAC if an individual has left their organization and should therefore lose their E-ISAC portal access, which is really the only way that could be done. This part is worth quoting in full, though.
The E-ISAC terminates accounts when notified by a member or partner that an individual has left the organization. It is an organizational responsibility to notify the E-ISAC, recognizing that delays may occur in notification when someone has left an organization. This consideration is why the E-ISAC only allows organizational account domains as one of the first steps an organization takes when an individual departs is to de-provision the individual’s enterprise information technology (IT) access accounts.
This references that owners and operators are vetted partially through their use of corporate emails. That is a valid requirement, and I wouldn’t expect the E-ISAC to just take some random Gmail address and believe an assertion that they are in the electric industry. But this reason for requiring corporate emails doesn’t make sense. It seems to imply that because an organization would de-provision corporate email access, that somehow would cause the former employee to also lose access to the E-ISAC portal. But once the employee is verified and provided access to the portal, whether they can subsequently access the email address they used to register has nothing to do with whether they can still log in to the portal.
The Guide then goes into describing the products and services the E-ISAC offers. Among them is webinar access: a “3,000-person webinar capability is used to host monthly webinars as described in the program section.” As a former math teacher, one of the things I hate is the bad or misleading use of statistics. This number is supposed to be impressive and show capabilities, but it provides no actual information. Does this mean they fill that capacity? What kinds of numbers do they actually see? If the attendance is consistently and considerably less than 3,000 people, then this number means that they are paying for a capability they don’t need, wasting money. If they consistently max out the attendance and end up “sold out” of spots, then they are providing a service people want but not reaching as many people as they should be. If they just want to sound cool and have a big number, then they could just as easily pay GoToWebinar or whoever more money and say something like a 10,000-person capacity. Or, maybe, they are consistently at something like 2,700 attendees, in which case they are getting their money’s worth in the capacity and meeting the demand they have. But the 3,000 number doesn’t let us know any of that.
The products and services section also talks about the Cybersecurity Risk Information Sharing Program (CRISP), which allows me the opportunity to draw your attention to this story about a Public Utility District in Washington feeling the need to complain to their congressional delegation and the Department of Energy because NERC was pushing CRISP and pressuring them to sign up for that quite expensive program.
All in all, if you are an asset owner or operator, it’s probably a good idea to get an account with the E-ISAC, and this Guide is probably worth at least a skim. Since they are closed off to trade organizations, though, even those that specifically work on cybersecurity for the electric sector, I can’t say for sure how helpful their information sharing programs may be.