Throughout 2016, the E-ISAC collected, analyzed, and shared information on physical and cyber security issues, and this report is a review of the main issues covered over the year. The information came from open source reporting, electricity members, and federal partners and includes the E-ISAC's analytical summary of those collective reports. This report looks at how the E-ISAC may further identify trends and patterns benefitting members.
The North American Electric Reliability Corporation had its quarterly Board of Trustees meeting on May 11. One issue the meeting focused on was NERC's long-term strategic efforts with the Electricity Information Sharing and Analysis Center (E-ISAC). John McAvoy, chair of the Electricity Subsector Coordinating Council's Member Executive Committee, addressed the Board in support of the E-ISAC Long-Term Strategic Plan, saying security is an integral part of industry operations and we live in a dynamic threat environment. In order to continue evolving, we must improve cross-sector collaboration and information sharing. The long-term plan will help the E-ISAC reach its goals, he added. Some of the plan's action items include:
- Replacing the current web portal with a new “platform” that will enable automatic information sharing, the creation of private discussion groups, data visualization, among other features;
- Increasing the E-ISAC's capability to collect security intelligence;
- Hiring specialized analysts;
- Acquiring additional data storage, management, and sharing technologies; and
- Increasing the E-ISAC's access to classified networks and facilities.
The plan, which was developed working closely with NERC leadership and the Member Executive Committee, builds on the ESCC's 2015 recommendations and discusses improvements needed in 2017 to address current threats, a look at the mid-term range of 2018-2022 to address emerging threats, and what the E-ISAC might look like beyond 2023 if the forecasted issues continue to develop. The NERC Board of Trustees accepted the plan at the May 11 quarterly meeting.
The April 2013 sniper attack on Pacific Gas and Electric’s Metcalf substation has been described as a “wake-up call” or an alarm for the electric utility industry to apply closer scrutiny to the vulnerability of key infrastructure to various kinds of attack – whether physical, as in the Metcalf shooting, or in the form of cyber-attacks that might impair physical operations.
The white paper goes into detailed discussion of three major topics. The first is about identifying a process for the prioritization of strategic electrical facilities and determining appropriate security measures or approaches to ensuring resiliency of the system. The second discusses establishing practices for the exchange of highly-confidential or “sensitive” information between utilities and the Commission. The last topic goes into confirming whether existing incident reporting requirements are adequate. These three subject areas are examined with an eye toward ensuring appropriate regulatory oversight of jurisdictional utility operational performance, and providing a mechanism for entities not subject to CPUC ratemaking authority to identify their own most appropriate measures.
NERC conducted its fourth biennial (once every two years) grid security and emergency response exercise, GridEx IV, from November 15–16, 2017. With 6,500 individuals and 450 organizations participating across industry, law enforcement, and government agencies, GridEx IV consisted of a two-day distributed play exercise and a separate executive tabletop on the second day. The exercise provided an opportunity for various stakeholders in the electricity sector to respond to simulated cyber and physical attacks that affect the reliable operation of the grid, fulfilling NERC’s mission to assure the effective and efficient reduction of risks to the reliability and security of the BPS. Led by NERC’s E-ISAC, GridEx IV was the largest geographically distributed grid security exercise to date. Electric utilities continue to use the planning materials for separate exercises with NERC, government, and consultant support.
The Department of Homeland Security (DHS)/National Protection and Programs Directorate (NPPD)/Office of Cyber and Infrastructure Analysis (OCIA) assesses that unmanned aircraft systems (UASs) provide malicious actors an additional method of gaining undetected proximity to networks and equipment within critical infrastructure sectors. Malicious actors could use this increased proximity to exploit unsecured wireless systems and exfiltrate information. Malicious actors could also exploit vulnerabilities within UASs and UAS supply chains to compromise UASs belonging to critical infrastructure operators and disrupt or interfere with legitimate UAS operations.