Cross-sector coordination will be vital to protecting the electric grid and other critical infrastructure operators from rapidly expanding cyber and physical security threats, Matt Duncan of the Electricity Information Sharing and Analysis Center said on a panel with colleagues from other industries.
“It is increasingly [clear] that we can’t just do this [alone] as critical infrastructure; we need government, [and] we need supply chain vendors, because we all share the same attack surface,” Duncan, E-ISAC’s vice president of security operations and intelligence, said during a Dec. 2 Talk with Texas RE webinar.
“And even though the [E-ISAC] is just one of many ISACs, we know that electric power is essential to every infrastructure sector [and] every part of the economy, so we take our responsibility very seriously, not only to work with utilities but [with] cross-sector partners as well,” he said.
Duncan’s fellow panelists included John Bryk, manager of intelligence and risk analysis at the Downstream Natural Gas ISAC; Angela Haun, executive director of the Oil and Natural Energy ISAC (previously the Oil and Natural Gas ISAC); and Chuck Egli, director of security and resilience operations at the Water ISAC.
The talk came just a few weeks after GridEx VIII, the latest iteration of the biennial security exercise that drew more than 15,000 participants from over 370 organizations. (See GridEx Participants Report No Disruption from Shutdown.)
Several panelists pointed to GridEx as an example of the potential benefit from establishing cross-sector ties; Egli mentioned that the Water ISAC has even organized its own version of the exercise, H2OEx, along with H2OSecCon, a conference on water infrastructure security inspired by the E-ISAC’s annual GridSecCon event.
“We’ve looked to the E-ISAC, in particular, as an example for how to bring those similar offerings to the sector and bring in more value,” Egli said. “A lot of it was, I think, thanks to being … very much involved … in the planning of those events, that we were able to then make them happen for our sector as well.”
Asked by Joseph Younger, the head of Texas RE’s Compliance Monitoring and Enforcement Program, how utilities can “get this right” regarding cross-sector coordination, Duncan said “one of the ways to get it right is to get it wrong, and the best place to get it wrong is in an exercise.” He said GridEx and similar exercises are a good way to find the weak points within either an organization or its dependencies, before they cause a real-world emergency.
Bryk said interdependency with other sectors “is probably one of the biggest [issues] we deal with” in the DNG-ISAC. He likened the problem to “the butterfly effect,” because a relatively minor problem in one sector can cause “a hurricane in the next sector.”
“Electricity helps us get gas out of the ground and move it, and gas helps [generate] electricity … so it can get to people. Water has to provide the cooling for things … There’s just no end to it,” he said.
The National Council of ISACs is a resource to help sort out such confusion, Bryk said, adding that “everything we do depends on the next ISAC in the line.” The NCI aims to help by creating playbooks of common practices and responses so that in a crisis, “we don’t have to go through that process of reinventing the wheel every time.”
Haun said the role of an ISAC is not “hands on keyboards [or] being on site,” but collecting information during an emergency and making sure utilities have the data they need to address the issue.
“It’s not enough to say the sky is falling. It’s important that we talk about what they can do to protect their companies, their people, their assets, the critical infrastructure [and] ultimately the country,” Haun said. “So I’m just very passionate about having those relationships in advance and knowing who to talk to and being good partners, and that’s where the trust is developed, in my experience.”




