E-ISAC Update Update WECC...4 Mission The E-ISAC reduces cyber and physical security risk to the...

1 E-ISAC Update Bill Lawrence, Director of your E-ISAC WECC Compliance Workshop Boise, ID March 29, 2018


E-ISAC Update

Bill Lawrence, Director of your E-ISAC

WECC Compliance Workshop

Boise, ID

March 29, 2018


CID to CIP


Agenda

• Mission and Vision / Structure
• Code of Conduct / Traffic Light Protocol
• Long-term Strategic Plan background
• Strategic plan framework
• Key activities
• Cyber and Physical incidents
• GridEx IV update
• GridSecCon 2018 update
• Contacts


Mission

The E-ISAC reduces cyber and physical security risk to the electricity industry across North America by providing unique insights, leadership, and collaboration

Vision

To be a world class, trusted source for the quality analysis and rapid sharing of electricity industry security information


E-ISAC Structure


E-ISAC Code of Conduct

• Established in 2014; revised in 2015
• Covers all NERC personnel

https://www.nerc.com/gov/Pages/default.aspx


Traffic Light Protocol

https://www.eisac.com/portal-home/document-detail?id=64208


E-ISAC Portal


Background

• The E-ISAC underwent a strategic review with the Electricity Subsector Coordinating Council (ESCC) in 2015
• Under the ESCC, the Member Executive Committee (MEC) was created and serves as a CEO-led stakeholder advisory group
• MEC input was used on the E-ISAC Long-term Strategic Plan developed in 2017
• The plan was approved by the NERC Board in 2017 and included in the NERC Business Plan and Budget for implementation in 2018 and beyond


E-ISAC Strategic Plan

Vision: To be a world class, trusted source of quality analysis and rapid sharing of electricity industry security information

Supported by:
• NERC Board of Trustees
• Electricity Subsector Coordinating Council (ESCC)
• ESCC Members Executive Committee (MEC)

Pillars: Engagement, Analysis, Information Sharing

• Accelerate sharing and high priority notifications
• Enhance portal
• Improve information flow and security
• CRISP
• CYOTE
• CAISS
• Strategic Vendor Partnerships
• Hire and develop exceptional employees
• Leverage information sharing technologies and resources to enhance analytical capability
• Prioritize products and services
• Metrics benchmarking
• Evaluate 24x7 Operations (future)
• Build trust and show value

World Class ISAC


Key Activities

E-ISAC Critical Broadcast Program
• Launched a rapid information sharing capability of the E-ISAC on February 7
• 1,208 individuals from 245 organizations joined the call
• Exercise on February 22 had over 960 individuals from 220 organizations

CRISP
• Expanding membership base – NERC, Res, and five other companies joining in Q1
• Identifying and evaluating opportunities to lower cost of participation

Portal enhancements
• Improving email notification capabilities with expected delivery date of March 31
• User community requirements under review and development process underway

Industry Augmentation Program
• Completed two cycles with analysts from NYPA, SRP, and NPPD
• Builds trust, exchanges expertise and understanding of threats and response


New Services

• CAISS (Cyber Automated Information Sharing System)
• MARTIE (Malware Analysis Repository and Threat Information Engine)


Physical Security Overview

Q1 Incidents of Note
• Axe incident in CA
• Suspicious Activity Events
• Emotionally unstable individuals inside substation
• Drone/UAS events
• Security Equipment theft
• Copper price monitoring/theft


Phishing

Incidents


Cryptocurrency Mining

Incidents


Mission statement

GridEx is an unclassified public/private exercise designed to simulate a coordinated cyber and physical attack with operational impacts on electric and other critical infrastructures across North America to improve security, resiliency, and reliability


GridEx Objectives

• Exercise incident response plans
• Expand local and regional response
• Engage critical interdependencies
• Improve communication
• Gather lessons learned
• Engage senior leadership


Exercise Components

Move 0: Pre-Exercise Preparation
• Operators may participate in Cyber Intrusion detection activities

Distributed Play (2 days)
• Players across the stakeholder landscape will participate from their local geographies
• Injects and info sharing by email and phone

Executive Tabletop (1/2 day)
• Facilitated discussion engages senior decision makers in reviewing distributed play and exploring policy triggers

Diagram labels: Utilities; Reliability Coordinators; E-ISAC and BPSA; Fed/State/Prov Agencies; Support and Vendors; Identification; Containment


Participation

• 6500 Participants

• 206 Electric utilities

• 452 Organizations

• 17 Cross-sector partners

• 10 States (2 full-scale)


GridEx Exercise Participation: Active and Observing

[Bar chart; values by exercise, total in parentheses]

• GridEx 2011 (76): 36 Active (47%), 40 Observing (53%)
• GridEx II (231): 122 Active (53%), 109 Observing (47%)
• GridEx III (364): 209 Active (57%), 155 Observing (43%)
• GridEx IV (452): 335 Active (74%), 117 Observing (26%)


Preliminary Findings – GridEx IV Distributed Play

• Where’s the Cavalry?
  ▪ Relationship building with partners (e.g. cross-sector, law enforcement, emergency managers, etc.)
  ▪ What is the State/Federal Government’s role during a Grid Emergency?
• E-ISAC Portal improvements
• Greater cross-sector participation
• Public Affairs and Corporate Communications vs. Incorrect or Misleading information
• Communication resiliency (e.g. WPS, GETS, HF Radio, etc.)
• Electric Utility – RC emergency communications
• Cyber Mutual Assistance
• On-keyboard cyber training
• Active Lead Planners


Way Forward

• GridEx IV Reports are complete and posted this week!
• CIPC Grid Exercise Working Group standing back up June, 2018
• GridEx V Initial Planning Meeting will be held November 2018

GridEx V: November 13-14, 2019


GridSecCon 2018

October 16-19, 2018


Key Takeaways

• Resiliency, reliability, security
• The E-ISAC and CMEP functions can and should work together – carefully
• The E-ISAC Long-term Strategic Plan is just beginning, but taking off quickly
  ▪ CBP and MARTIE
• The E-ISAC Portal contains security information that is available to CMEP personnel
• GridEx and GridSecCon are valuable sources of security information
