A new report by the successor organization to the Cyberspace Solarium Commission this week warned that utilities’ relationships with the Electricity Information Sharing and Analysis Center (E-ISAC) are not as strong as they could be.
The report was published by the CSC 2.0 Project, created after the bipartisan, congressionally sponsored commission issued its final report in 2020 to “support continued efforts to implement outstanding CSC recommendations” and continue to research additional cybersecurity issues discovered by the group. The goal of the report was to review Presidential Policy Directive 21, issued during the Obama administration, which established the federal government’s approach to critical infrastructure security and resilience.
In a letter to Congress last year, President Joe Biden indicated that he planned to “review and revise” PPD-21 to address emerging cybersecurity risks. CSC 2.0 conducted its own review of the directive — and Executive Order 13636, which focused on improving engagement between critical infrastructure stakeholders on cybersecurity and information sharing — to develop its own set of recommendations and review the current state of public-private sector security collaboration.
The review focused on the performance of sector risk management agencies (SRMAs) in supporting U.S. critical infrastructure. The 2021 National Defense Authorization Act established SRMAs for each critical infrastructure sector to support sector risk management, assess sector risk, manage sector coordination, facilitate information sharing between private and public sector entities, support incident management, and contribute to emergency preparedness efforts.
Citing their review of the Colonial Pipeline ransomware attack of 2021, when cybercriminals since linked to Russia hacked the company managing the flow of almost half the supply of gasoline and other fuel products to the U.S. East Coast and caused it to shut down its entire pipeline, the report’s authors sought to highlight “the broader challenge of inconsistent capabilities and performance across SRMAs.” They chose three examples for the discussion, including the Department of Energy, designated as the SRMA for the electricity sector.
While the report acknowledged DOE as “one of the best performing SRMAs” and called E-ISAC “one of the best” among its counterparts in other sectors, the authors observed that even such praise needs caveats. In this case, the E-ISAC’s relationship with NERC — which reports to FERC on reliability standards compliance and enforcement — creates an unintended chilling effect that discourages entities from turning over evidence that could implicate them in compliance violations.
“Our interviewees relayed that, because the E-ISAC is located within NERC, which in turn is subject to oversight by FERC, in-house counsels on occasion advise electricity companies not to share certain information with the ISAC for liability reasons,” the report said.
The commission said the utilities’ concerns constituted “an obstacle without an obvious solution,” because separating the E-ISAC from NERC would deprive it of financial resources and relationships that help with its services to the electric sector. It also did not provide any examples in which NERC or regional entities may have used information provided to E-ISAC in enforcement actions.
In an email to ERO Insider, a NERC spokesperson did not dispute the report’s claims but pointed out that the report itself notes that “the electricity sector has one of the best ISACs due to the robustness of its member-driven information sharing.” The spokesperson continued that NERC and the E-ISAC actively work to keep the organizations separate to allay the fears outlined in the CSC 2.0 report.
“NERC has a code of conduct in place that prohibits E-ISAC staff from sharing information about potential violations and compliance monitoring staff from seeking to obtain such information from the E-ISAC,” NERC said — a claim also noted in the report. “In addition, a firewall between networks and a separation of E-ISAC and NERC staff exists to further enhance safeguards. To date, this process has worked effectively and without fail since its inception.”
The spokesperson added that ongoing cyber and physical security threats to the grid make “the nexus between NERC and the E-ISAC … more valuable than ever before.”