When Colonial Pipeline CEO Joseph Blount appeared before lawmakers earlier this month to defend his company’s response to the ransomware attack that paralyzed fuel supplies for the U.S. East Coast in May, he was forced to admit that his company and its peers need help meeting today’s increasingly aggressive cyber threats.
“Private industry alone can’t … solve the problem totally by [itself],” Blount told members of the Senate Homeland Security and Governmental Affairs Committee. (See Colonial CEO Welcomes Federal Cyber Assistance.) “The partnership between private and government is very important to fight this ongoing onslaught of cyberattacks around the world.”
Improving that partnership is the goal of Neighborhood Keeper, the recently announced product of an alliance between cybersecurity firm Dragos and NERC’s Electricity Information Sharing and Analysis Center (E-ISAC), with support from the Department of Energy in the form of a research grant. The initiative is aimed at helping utilities, regulators and other stakeholders improve security outcomes by pooling their knowledge and brainpower.
“It’s widely acknowledged that the U.S. government does not have visibility into critical infrastructure, because it is owned by the industry,” Ben Miller, vice president of professional services and research and development at Dragos, told ERO Insider. “And so we’re focused on [giving] them visibility into the threats that may exist within critical infrastructure, but in a safe fashion. That’s really the focus: to give government some assurances of what is occurring in these environments and visibility into something that’s never really existed before.”
Neighborhood Keeper acts as a threat intelligence system based on the Dragos Platform, a network of sensors analyzing multiple data sources across customers’ industrial control systems (ICS) and operational technology environments. Data are aggregated, anonymized and shared by Dragos with the E-ISAC, which analyzes the information for markers seen in recent attacks or general signs of compromise.
“There are so many different things that would be indicative of malicious activity,” Manny Cancel, senior vice president at NERC and CEO of the E-ISAC, told ERO Insider. He noted examples such as employees accessing networks for which they haven’t been approved, or remote access requests coming unexpectedly from overseas or other unusual locations.
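The two indicators Cancel mentions (a user reaching a network segment they are not approved for, and a remote login from an unexpected country), followed by the aggregate-and-anonymize step described above, as an added Python sketch. This is not Dragos's or the E-ISAC's code: the log line format, the per-user segment policy, the expected-country list and the keyed-pseudonym scheme are all assumptions, and the sample events are constructed.

```python
import hmac
import hashlib

# Constructed sample access events (not real utility telemetry); the
# key=value format and field names are assumptions for this example.
SAMPLE_EVENTS = [
    "2021-06-01T08:02:11Z site=utilA user=jdoe src_country=US action=remote_login segment=corp",
    "2021-06-01T08:05:40Z site=utilA user=jdoe src_country=US action=segment_access segment=ics_dmz",
    "2021-06-01T09:17:03Z site=utilA user=contractor7 src_country=BR action=remote_login segment=corp",
    "2021-06-01T22:41:55Z site=utilB user=ops2 src_country=US action=segment_access segment=control_lan",
    "2021-06-02T03:10:21Z site=utilB user=ops2 src_country=US action=segment_access segment=safety_sis",
    "2021-06-02T03:12:09Z site=utilB user=ops2 src_country=US action=segment_access segment=ics_dmz",
]

# Assumed local policy: which segments each user is approved to reach, and
# from which countries remote access is expected at all.
APPROVED_SEGMENTS = {"jdoe": {"corp"}, "contractor7": {"corp"}, "ops2": {"control_lan"}}
EXPECTED_COUNTRIES = {"US"}


def parse_event(line):
    """Split 'ts key=value key=value ...' into a dict."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    return fields


def detect(events):
    """Return (site, user, indicator, observable) tuples for the two indicators."""
    findings = []
    for ev in map(parse_event, events):
        allowed = APPROVED_SEGMENTS.get(ev["user"], set())
        if ev["action"] == "segment_access" and ev["segment"] not in allowed:
            findings.append((ev["site"], ev["user"], "unapproved_segment_access", ev["segment"]))
        if ev["action"] == "remote_login" and ev["src_country"] not in EXPECTED_COUNTRIES:
            findings.append((ev["site"], ev["user"], "unexpected_remote_origin", ev["src_country"]))
    return findings


def pseudonym(secret, value):
    """Keyed, deterministic token: the same site/user maps to the same token,
    so reports can be correlated without revealing the underlying identity."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize(findings, secret):
    """Replace site and user with pseudonyms; keep indicator and observable."""
    return [(pseudonym(secret, site), pseudonym(secret, user), ind, obs)
            for site, user, ind, obs in findings]


def aggregate(shared):
    """Count how many distinct (pseudonymous) sites reported each indicator/observable pair,
    which is the signal an analysis center would look at for a cross-utility pattern."""
    sites = {}
    for site, _user, ind, obs in shared:
        sites.setdefault((ind, obs), set()).add(site)
    return {key: len(members) for key, members in sites.items()}


if __name__ == "__main__":
    local = detect(SAMPLE_EVENTS)
    shared = anonymize(local, b"constructed-example-secret")
    for key, count in aggregate(shared).items():
        print(key, "seen at", count, "site(s)")
```

The per-site detection runs against local policy and never leaves the utility; only the pseudonymized findings are pooled, and the aggregation step answers the question the article attributes to the E-ISAC (is the same observable showing up at more than one participant?) without any participant being named.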
But the growing sophistication of attackers has made detecting intrusions, let alone shutting them down, ever more difficult. In the case of the SolarWinds hack last year, intruders believed to be Russian gained access to the update server for the company’s Orion network management platform and inserted their own code into the platform’s software patches; when clients downloaded and executed the patches, the attackers gained access to their information technology networks. About 18,000 public- and private-sector organizations are known to have been impacted by the compromise. (See SolarWinds Recovery May Require Extreme Actions.)
Critical to the collaboration, and an essential condition of DOE support, is that the insights gained through the E-ISAC’s analysis be available for the entire industry, not just users of Dragos’ technology. Miller and Cancel both acknowledged that no single solution will spot all threats; the hope is that Neighborhood Keeper will help utilities filter out the important information from the background cyber noise.
Broader Collaboration Efforts Ahead
All of the parties to Neighborhood Keeper see the collaboration as just a first step. For Dragos, similar platforms could be easily developed for other critical infrastructure sectors, working alongside those sectors’ equivalents to the E-ISAC or any other partners who can provide useful insights.
“We are certainly looking at … expanding [the system] out to more parties, the E-ISAC being one of the first ones,” Miller said. “But we also have the ability to extend it out to industry as well. … We’ll be opening up to a larger pool, over time, of who can be involved from an analysis perspective.”
Cancel also sees the Dragos partnership as a potential model for future collaboration efforts. There are many cybersecurity researchers and consultancies with perspectives on the electric industry, and the E-ISAC sees expanding its partnerships with all players in the ecosystem as an essential element of fulfilling its mission.
“I would say this is part and parcel to the E-ISAC’s mission. We are a provider of information to the electricity sector … and certainly anything that would be potentially impacting an operational technology environment or an environment that’s used to distribute energy is important,” Cancel said. “And the analysis that the E-ISAC does now, and would continue to do on this platform, is right in our sweet spot and part of our strategic plan.”