E-ISAC Update
Bill Lawrence, Director of your E-ISAC
WECC Compliance Workshop
Boise, ID
March 29, 2018
CID to CIP
Agenda
• Mission and Vision / Structure
• Code of Conduct / Traffic Light Protocol
• Long-term Strategic Plan background
• Strategic plan framework
• Key activities
• Cyber and Physical incidents
• GridEx IV update
• GridSecCon 2018 update
• Contacts
Mission
The E-ISAC reduces cyber and physical security risk to the electricity industry across North America by providing unique insights, leadership, and collaboration
Vision
To be a world class, trusted source for the quality analysis and rapid sharing of electricity industry security information
E-ISAC Structure
E-ISAC Code of Conduct
• Established in 2014; revised in 2015
• Covers all NERC personnel
https://www.nerc.com/gov/Pages/default.aspx
Traffic Light Protocol
https://www.eisac.com/portal-home/document-detail?id=64208
E-ISAC Portal
Background
• The E-ISAC underwent a strategic review with the Electricity Subsector Coordinating Council (ESCC) in 2015
• Under the ESCC, the Member Executive Committee (MEC) was created and serves as a CEO-led stakeholder advisory group
• MEC input was used on the E-ISAC Long-term Strategic Plan developed in 2017
• The plan was approved by the NERC Board in 2017 and included in the NERC Business Plan and Budget for implementation in 2018 and beyond
E-ISAC Strategic Plan
Vision: To be a world class, trusted source of quality analysis and rapid sharing of electricity industry security information
Supported by:
• NERC Board of Trustees
• Electricity Subsector Coordinating Council (ESCC)
• ESCC Members Executive Committee (MEC)
Engagement / Analysis / Information Sharing
• Accelerate sharing and high priority notifications
• Enhance portal
• Improve information flow and security
• CRISP, CYOTE, CAISS, Strategic Vendor Partnerships
• Hire and develop exceptional employees
• Leverage information sharing technologies and resources to enhance analytical capability
• Prioritize products and services
• Metrics benchmarking
• Evaluate 24x7 Operations (future)
• Build trust and show value
World Class ISAC
Key Activities
E-ISAC Critical Broadcast Program
• Launched a rapid information sharing capability of the E-ISAC on February 7
• 1,208 individuals from 245 organizations joined the call
• Exercise on February 22 had over 960 individuals from 220 organizations
CRISP
• Expanding membership base – NERC, Res, and five other companies joining in Q1
• Identifying and evaluating opportunities to lower cost of participation
Portal enhancements
• Improving email notification capabilities with expected delivery date of March 31
• User community requirements under review and development process underway
Industry Augmentation Program
• Completed two cycles with analysts from NYPA, SRP, and NPPD
• Builds trust, exchanges expertise and understanding of threats and response
New Services
• CAISS (Cyber Automated Information Sharing System)
• MARTIE (Malware Analysis Repository and Threat Information Engine)
Physical Security Overview
Q1 Incidents of Note
• Axe incident in CA
• Suspicious Activity Events
• Emotionally unstable individuals inside substation
• Drone/UAS events
• Security Equipment theft
• Copper price monitoring/theft
Phishing Incidents
Cryptocurrency Mining Incidents
Mission statement
GridEx is an unclassified public/private exercise designed to simulate a coordinated cyber and physical attack with operational impacts on electric and other critical infrastructures across North America to improve security, resiliency, and reliability
GridEx Objectives
• Exercise incident response plans
• Expand local and regional response
• Engage critical interdependencies
• Improve communication
• Gather lessons learned
• Engage senior leadership
Exercise Components
• Move 0, Pre-Exercise Preparation: Operators may participate in Cyber Intrusion detection activities
• Distributed Play (2 days): Players across the stakeholder landscape will participate from their local geographies
• Executive Tabletop (1/2 day): Facilitated discussion engages senior decision makers in reviewing distributed play and exploring policy triggers
Diagram labels: Utilities; Reliability Coordinators; E-ISAC and BPSA; Fed/State/Prov Agencies; Support and Vendors; Injects and info sharing by email and phone; Identification; Containment
Participation
• 6500 Participants
• 206 Electric utilities
• 452 Organizations
• 17 Cross-sector partners
• 10 States (2 full-scale)
GridEx Exercise Participation: Active and Observing
• GridEx 2011 (76): 36 active (47%), 40 observing (53%)
• GridEx II (231): 122 active (53%), 109 observing (47%)
• GridEx III (364): 209 active (57%), 155 observing (43%)
• GridEx IV (452): 335 active (74%), 117 observing (26%)
Preliminary Findings – GridEx IV Distributed Play
• Where’s the Cavalry?
  ▪ Relationship building with partners (e.g. cross-sector, law enforcement, emergency managers, etc.)
  ▪ What is the State/Federal Government’s role during a Grid Emergency?
• E-ISAC Portal improvements
• Greater cross-sector participation
• Public Affairs and Corporate Communications vs. Incorrect or Misleading information
• Communication resiliency (e.g. WPS, GETS, HF Radio, etc.)
• Electric Utility – RC emergency communications
• Cyber Mutual Assistance
• On-keyboard cyber training
• Active Lead Planners
Way Forward
• GridEx IV Reports are complete and posted this week!
• CIPC Grid Exercise Working Group standing back up June 2018
• GridEx V Initial Planning Meeting will be held November 2018
GridEx V: November 13-14, 2019
GridSecCon 2018
October 16-19, 2018
Key Takeaways
• Resiliency, reliability, security
• The E-ISAC and CMEP functions can and should work together – carefully
• The E-ISAC Long-term Strategic Plan is just beginning, but taking off quickly
  ▪ CBP and MARTIE
• The E-ISAC Portal contains security information that is available to CMEP personnel
• GridEx and GridSecCon are valuable sources of security information
Contact