In a compliance filing last week, NERC sought to once again reassure FERC that the Electricity Information Sharing and Analysis Center (E-ISAC) does not violate registered entities’ confidentiality when sharing information with the ERO Enterprise to assist in standards development (RR19-7).

NERC also proposed changes to its Rules of Procedure (ROP) regarding its use of All Points Bulletins (APB).

The commission ordered the compliance filing in January as a further follow-up to NERC’s five-year performance review. (See FERC Orders Audits of All REs by 2023.) The new filing is another attempt to address concerns FERC raised concerning the original performance review’s treatment of the E-ISAC and its role in developing reliability standards. NERC first addressed these questions in June 2020. (See NERC Clarified Audits, E-ISAC in Filing.)

In its June compliance filing, NERC claimed the E-ISAC operates under “broad information-sharing restrictions” that generally prohibit personnel from sharing any voluntarily reported information with non-ISAC staff at NERC, though limited exceptions are allowed. Some E-ISAC data may be used to inform development of reliability standards, but this is generally limited to information that is anonymized and aggregated. Data about specific companies may be shared if it is publicly available through other avenues.

This filing did not provide the clarity the commission sought, and it ordered NERC to provide a more detailed explanation of the information sharing procedures between it and the E-ISAC. FERC specifically asked about NERC’s intention to use data provided by the E-ISAC in reliability gap analyses that would “determine whether any modifications to the CIP [Critical Infrastructure Protection] standards are necessary to address a security risk.”

NERC’s latest filing provides more detail and updates on the information exchange procedures that it began with the E-ISAC last year. Since the previous filing, physical and cyber security analysts from the E-ISAC have begun to meet with NERC’s reliability standards staff and CIP subject matter experts every month for general discussions of the “security threat landscape.”

Discussions typically cover industry-wide security trends and threats or incidents from the previous month. E-ISAC staff “take care to only share information consistent with the code of conduct” in these meetings, such as anonymized and aggregated data.

The E-ISAC now also regularly shares reports, APBs and other issuances with CIP standards development personnel, though NERC emphasized again that when this information concerns specific entities it is subject to restrictions in the code of conduct. Data may also be provided that does not concern specific entities, such as reports on specific threats or vulnerabilities “provided by [a] government partner or security vendor.”

NERC’s reliability standards development personnel use this information in several ways:

• to advise active standards drafting teams about emerging threats that they should try to address in their work;
• as data points for evaluating proposed changes to the CIP standards; and
• to evaluate the overall adequacy of the COIP standards to address “emerging security threats and vulnerabilities.”

SolarWinds Offers Practical Test

The SolarWinds hack from last year provided a real-world example of the way that cooperation between NERC and the E-ISAC can benefit the entire industry. More than 18,000 public and private-sector organizations are known to have been targeted in the breach of SolarWinds’ Orion network management platform by hackers that security officials believe to be “likely Russian in origin.” (See SolarWinds Recovery May Require Extreme Actions.)

As soon as the compromise was disclosed in December 2020, the E-ISAC began to gather information about the incident from sources such as security vendors, member utilities and government partners. The data came in handy both for those trying to clean their systems of the malicious software and those at NERC trying to prevent the next incident.

“While the E-ISAC was focused on increasing situational awareness to help support industry’s immediate response to the incident, NERC CIP standard development personnel were focused on understanding the incident to evaluate the adequacy of the CIP standards to mitigate the impact of such an attack on BPS reliability and apply lessons learned to CIP standards development activities involving supply chain risk management,” NERC said.

At their monthly meetings since the incident, E-ISAC staff has provided CIP subject matter experts with updates on their latest findings. This information is all subject to confidentiality restrictions but includes useful data such as the nature of the incident, tactics, techniques and procedures used by the attackers and systems that might be vulnerable to this or future attacks along the same lines. The E-ISAC also shares high-level aggregated information about the “extent of conditions in the electricity sector.”

This information has proven valuable for NERC’s standard development process; for example, the organization’s Board of Trustees approved the withdrawal of proposed reliability standard CIP-002-6 (BES cyber system categorization) in February in order to re-evaluate its impact on cybersecurity preparedness in light of “recent cybersecurity events and the evolving threat landscape.” (See “Standards Actions,” NERC Board of Trustees/MRC Briefs: Feb. 4, 2021.)

NERC has also initiated informal discussions among ERO Enterprise stakeholders regarding possible further standards actions to address cybersecurity supply chain risks, partially drawing on threat data provided by the E-ISAC.

ROP Changes Require APB Sharing

NERC’s proposed changes to its ROP are relatively minor, consisting only of a sentence added to section 1003 specifying that the E-ISAC must “share all APBs with [FERC] staff no later than at the time of issuance” in accordance with FERC’s January order.

The order stemmed from NERC’s second compliance filing in September 2020, which clarified various aspects of the APB process including the threshold for sending the bulletins and procedures for approving them. (See NERC Files ROP Changes with FERC.) While NERC emphasized that its current practice is to share APBs with FERC at the time of issuance, if not before, the commission requested that it make the requirement explicit.