NERC last week submitted a compliance filing that sought to reassure FERC about the fairness of the Electricity Information Sharing and Analysis Center’s (E-ISAC) industry outreach efforts.
FERC ordered the filing in November, as part of its order accepting NERC’s 2023 Business Plan and Budget and those of the regional entities and the Western Interconnection Regional Advisory Board (RR22-4). (See FERC Orders Clarification in ERO Budget Filing.) The commission’s request was based on comments submitted by the Edison Electric Institute in response to the budget documents.
In its order, FERC said it needed “additional transparency into certain E-ISAC costs” because the $38 million budgeted for the E-ISAC represents more than 25% of NERC’s overall budget for 2023 and an increase of more than 15% from the previous year’s budget. Specifically, the commission raised questions about the E-ISAC’s Vendor Affiliate Program (VAP), a membership plan for suppliers of hardware and software products to the electricity sector.
Membership in VAP consists of three tiers; higher levels cost more but confer additional benefits, such as access to networking sessions at the GridSecCon security conference or participation in GridSecCon panels. The commission asked NERC to explain why it chose this structure for the program, how it prevents participating vendors from engaging in sales and other “business development opportunities,” and how it promotes collaboration and information sharing.
In its response, the ERO said that along with sharing threat indicators and other intelligence with the electricity sector, the E-ISAC aims to “take a holistic approach to cyber and physical security” by inviting vendors to participate in information sharing and providing information on the vendors to grid operators. Through the VAP, NERC can connect “security-focused professionals, service providers, and original equipment manufacturers [OEM] … together with E-ISAC members to share information and enhance security practices.”
NERC told the commission that participants in the VAP are screened before being admitted into the program. This screening is designed to keep out security risks. Criteria include being a known provider of cybersecurity products or services, an OEM, or a provider of other related services to the industry. Companies based outside the U.S. may be admitted, but only if they are not subject to U.S. sanctions, comply with E-ISAC security procedures, and present no other, unspecified risk factors.
Approved vendors are given access to the E-ISAC Portal, but “are limited to certain discussion channels created specifically for the VAP.” The same confidentiality and use restrictions apply to vendors as to all other users.
Regarding the membership structure, NERC said the tiers are meant to “accommodate vendors of different sizes and resources.” However, the only benefit the ERO identified for higher-paying vendors is improved visibility; NERC emphasized that the program “does not promote any particular vendor, product, or service.” Participants in VAP must limit their discussions to “specifically agreed-upon topics … that are directly relevant to the security of the electricity industry.”
The E-ISAC said it reviews vendor presentations prior to their participation in any E-ISAC event and monitors posts on the portal to check for material that might serve a business purpose. While the E-ISAC acknowledged that some members and VAP participants have business relationships, it said these are exclusively outside the domain of the VAP and “incidental to the vendor’s participation.”
FERC also expressed worries about the relationship of the E-ISAC to its counterpart in the natural gas sector, asking NERC to show whether costs were shared fairly between the two organizations. NERC replied that its communications with the Downstream Natural Gas-ISAC had created “no new or incremental costs [and] no additional tools, FTEs, or other investment are required at this time.” NERC observed that organizations in the gas sector are already providing $60,000 per year to the E-ISAC to cover any costs associated with cross-sector engagement.