Energy companies are using more and more advanced digital technologies to automate and control physical energy delivery functions. These advancements are making the grid “smarter,” allowing operators to improve system performance, more flexibly adjust to a rapidly changing generation mix, and even detect and respond more rapidly to cyber threats. However, this creates a larger cyber attack surface and new opportunities for malicious actors to find and exploit cyber vulnerabilities.
One challenge in addressing this threat is understanding the complicated set of industry and federal organizations that have formed to play different, intersecting roles in incident response. In the event of a sophisticated cyber attack that disrupts electricity delivery at several utilities, no single entity will be able to respond in isolation. Effective mitigation will require an industry-wide response that combines the resources and capabilities of industry and government.
Understanding the distinct roles and capabilities of each response organization can help utilities navigate the web of resources during an incident. Below is a snapshot of industry and federal cyber response partners that can coordinate industry response.
Electricity Information Sharing and Analysis Center (E-ISAC)
The industry-operated E-ISAC serves as a secure communications hub for the electricity industry, where members can report incidents or threats and receive alerts and warnings. The E-ISAC gathers and analyzes information on cyber threats, vulnerabilities, and incidents from industry members. It coordinates incident management with the Department of Energy and the electricity industry, and provides key information to support response, including mitigation strategies, threat notifications, actionable attack indicators, and other security-specific resources.
Electricity Subsector Coordinating Council (ESCC)
The ESCC is a council of senior representatives from electricity companies and trade associations that coordinates federal and industry efforts to prepare for and respond to national-level incidents or threats to critical infrastructure. During a cyber event, the ESCC coordinates resource and information sharing across the electricity industry and with federal partners:
- ESCC Crisis Management Playbook—The ESCC Playbook outlines the coordinating role of the ESCC during both steady state and crisis state events. This Playbook provides industry and government executives with the requisite guidance to effectively communicate and support response and recovery actions.
- ESCC Cyber Mutual Assistance (CMA)—The Electricity Subsector Coordinating Council (ESCC) CMA Program is a voluntary program that helps utilities engage cyber resources and expertise from participating energy utilities across the nation. It mirrors the process the electricity industry uses to request electricity crews and equipment during storms and other disasters that affect physical grid infrastructure. Participating utilities sign non-disclosure agreements and designate a primary contact for the program in advance.
Department of Energy (DOE)
DOE serves as the Sector-Specific Agency for the energy sector, leading coordination with the energy industry through the SCC, and coordinating among government agencies to prepare for and respond to energy emergencies. During a cyber incident, DOE can provide expertise and assistance, coordinate information sharing, and deploy to affected regions to assist recovery.
Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC)
NCCIC is a 24×7 watch floor and coordination center for cyber risks to U.S. critical infrastructure. It provides cyber situational awareness, conducts analysis of control-systems-related cyber incidents, and conducts vulnerability, malware, and digital media analysis. For severe incidents, NCCIC’s Hunt and Incident Response Team (HIRT) can provide onsite incident response to organizations that require immediate investigation and resolution of cyber attacks.
Federal Law Enforcement
FBI Field Office Cyber Task Forces are capable of coordinating, integrating, and sharing information to support cyber threat investigations, as well as supplying intelligence analysis for community decision-makers. FBI field offices can tap into the FBI-led National Cyber Investigative Joint Task Force’s (NCIJTF) 24/7 watch floor, CyWatch, which shares classified cyber threat indicators (CTIs) with federal members, as well as the Office of Threat Pursuit, which analyzes collected cyber threat data. DOE, DHS, and the FBI coordinate federal response with affected utilities.
The federal government and energy industry recognize the potential threats posed by a sophisticated attack—including disruption to energy services, damage to specialized equipment, and human health and safety risks from the loss of power—and are working together to decrease the risk. The partners mentioned above are currently developing and implementing a multitude of security tools, technologies, and programs not only to prevent an attack, but also to respond in a coordinated way.