Information Sharing is critical in many ways but, in its simplest sense, the more a defender knows, and the faster the defender knows, the more likely appropriate action can be taken to prevent or limit an attack. Originally, Information Sharing and Analysis Centers, known as ISACs, were meant to enable this sharing function. An ISAC was established for each of the Critical Infrastructure Sectors, and other industries as well. The Energy ISAC (E-ISAC) has been problematic because it is attached to the compliance arm of the electric industry, the North American Electric Reliability Corporation (NERC). Utilities were originally concerned that the E-ISAC would share any information provided to them with the compliance arm of NERC, thereby creating a possible investigation and fine liability. Vestiges of that concern remain today. In addition, E-ISAC has never been properly managed, or supported by the utilities.¹

While this situation has existed for the past 15 years, many other information sharing groups and mechanisms have emerged.² Today, there even exists a company that provides real-time, machine-speed sharing of cyber-valuable information across its range of customers. With these and other effective approaches available, it is incumbent on the electric industry to understand Best Practices and available technology and begin to migrate toward the highest benefit to the industry. A related issue is that among the 3,000 utilities in the U.S., 2,800 are medium to small entities and unlikely to have high levels of protection and are the least able to quickly react to information sharing. As such, they are attractive targets to attackers. A further complication is that the information they do possess is generally not of value to the larger utilities. These 2,800 utilities are also often connected to the supervisory control and data acquisition (SCADA)³ systems of the much larger utilities, and therefore represent another possible point of attack.

¹ Efforts are underway to fix these problems, but the E-ISAC has not been separated from NERC, and it also possible that the E-ISAC is not using the latest information-sharing technologies.
² As an example – see Information Sharing and Analysis Organizations (ISAOs)
³ SCADA is an acronym for Supervisory Control and Data Acquisition. SCADA generally refers to an industrial computer system that monitors and controls a process. In the case of the transmission and distribution elements of electrical utilities, SCADA will monitor substations, transformers and other electrical assets.

Protect Our Power is seeking an Educational Institution to develop information within this Topic for use by North American Electric Utilities. Contact Erick Ford at EFord@ProtectOurPower.org for more information or to recommend an Educational Institution.