Dive Brief:
- Utility lawyers at times advise electric companies to withhold information from the Electricity-Information Sharing and Analysis Center because the E-ISAC is organizationally located within the North American Electric Reliability Corp., which is overseen by the Federal Energy Regulatory Commission, according to a new report on public-private efforts to protect critical infrastructure.
- “In-house counsels on occasion advise electricity companies not to share certain information with the ISAC for liability reasons,” potentially including enforcement actions, the Cyberspace Solarium Commission 2.0, or CSC, noted in a June 7 report.
- The information sharing center is “organizationally isolated from NERC's enforcement processes,” according to the E-ISAC. But the relationship remains a “common concern among regulated entities that often hinder[s] transparent information sharing,” said Ron Fabela, chief technology officer of cybersecurity firm Xona Systems.
Dive Insight:
When it comes to securing critical infrastructure through public-private partnerships, “the energy sector is one of the strongest performing sectors,” CSC noted in its report.
The commission is co-chaired by Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis. It is a voluntary effort to continue the work of the original CSC, which was created by Congress in 2019 to develop a consensus approach to cybersecurity and which ended in 2021.
The energy sector has “clear leadership from government and strong industry-led organizations,” the group’s report found. “It is also well-resourced.”
However, the structure of information-sharing channels may be hindering some efforts to mitigate risks, and the report noted this is “an obstacle without an obvious solution.”
“Removing the E-ISAC from NERC would likely strip it of key funding and relationships central to the services it provides to the sector,” the commission concluded.
The E-ISAC was established in 1999 to reduce cyber and physical security risk to the electric industry.
NERC, in a statement, said it has a code of conduct in place that prohibits E-ISAC staff from sharing information about potential violations; rules also bar compliance monitoring staff from seeking to obtain from the E-ISAC information about violations.
“In addition, a firewall between networks and a separation of E-ISAC and NERC staff exists to further enhance safeguards,” a spokesperson said in an email. “To date, this process has worked effectively and without fail.”
The Cybersecurity and Infrastructure Security Agency, or CISA, “could be a natural fit for managing the E-ISAC and assuage fears of sharing information that could turn into compliance violations,” Xona’s Fabela said in an email.
CISA is an agency within the Department of Homeland Security, while FERC is within the Department of Energy.
Fabela cautioned, however, that federal agencies’ “ability to create, execute, and maintain policy in these areas lags behind what the private sector has been able to operationalize out of necessity.”
The CSC report also noted CISA does not receive the interagency support necessary “to act effectively as the national risk manager.”
Concerns over the E-ISAC and NERC relationship are overblown, according to security consultant Tom Alrich.
“NERC built a literal wall through their DC office to separate the E-ISAC from the reliability folks on the other side,” he said in an email. However, it did not seem to quell lawyers’ concerns, he noted.
“I agree with the Solarium Commission that there's no good solution to this problem,” Alrich said.