Understanding Your E-ISAC

June 2016
Table of Contents
Introduction ............................................................................................................................................................... 3
Information Sharing and Analysis .............................................................................................................................. 4
Benefits of Sharing ................................................................................................................................................. 4
Safeguarding Your Information ................................................................................................................................. 5
Information Storage ............................................................................................................................................... 5
E-ISAC Organization ................................................................................................................................................... 6
E-ISAC Membership ................................................................................................................................................... 8
Member Account Management ............................................................................................................................ 9
Membership Products ............................................................................................................................................. 10
Reports ................................................................................................................................................................. 10
Programs .............................................................................................................................................................. 10
Tools ..................................................................................................................................................................... 11
Services ................................................................................................................................................................ 11
How to Share with the E-ISAC ................................................................................................................................. 15
Functional Separation from NERC ........................................................................................................................... 17
Summary.................................................................................................................................................................. 18
Appendix I ................................................................................................................................................................ 19
Confidentiality Requirements for NERC Employees ............................................................................................ 19
Confidentiality Requirements Applicable to E-ISAC Partners .............................................................................. 21
Appendix II ............................................................................................................................................................... 22
Appendix III .............................................................................................................................................................. 24
E-ISAC | Understanding Your E-ISAC | June 2016
2
Introduction
The Electricity Information Sharing and Analysis Center (E-ISAC) serves as the primary security communications
channel for the electricity industry, and enhances industry readiness and its ability to respond to cyber and
physical threats, vulnerabilities, and incidents—each of which could cause a potential impact to the bulk power
system.
The E-ISAC gathers and analyzes security data, shares appropriate data with stakeholders, coordinates incident
management, and communicates mitigation strategies with stakeholders. The E-ISAC conducts trend analysis of
all information shared to build the cyber “big picture” and identify possible threats to the entire industry. The E-ISAC operates in collaboration with the Department of Energy (DOE) and the Electricity Subsector Coordinating
Council (ESCC).
The E-ISAC is operated by the North American Electric Reliability Corporation (NERC) and functions as an
independent group and is organizationally isolated from NERC’s enforcement processes. This intentional isolation
was put in place to assure entities that any information shared with the E-ISAC would not be used for enforcement
actions or shared with NERC compliance personnel. The E-ISAC is governed by the E-ISAC Code of Conduct,1 which
requires each employee to sign a non-disclosure agreement with respect to industry-shared information.
1 http://www.nerc.com/gov/Annual%20Reports/E-ISAC_Code_of_Conduct.pdf.
Information Sharing and Analysis
Information sharing among electricity industry members is critical to identifying emerging threats and enables the
E-ISAC to provide members with early warnings, one of the key benefits of E-ISAC membership. Sharing
information also provides access to subject matter experts not available at a single organization. As member
organizations increase information sharing with the E-ISAC, the E-ISAC, in turn, is better able to identify trends
that will allow members to proactively reduce cyber and physical risk. The E-ISAC provides a wide-area situational
awareness view of cyber and physical security events occurring across the North American electrical system. Just
as electric system operators rely on real-time tools (e.g., the Reliability Coordinator Information Sharing system)
to identify wide-area events occurring in a control area or across regions, members’ cyber and physical security
operators rely on information sharing and the identification of a broader coordinated attack through the real-time
E-ISAC tools.
Another key benefit the E-ISAC provides is the analysis that its staff conducts after receiving information from
members and partners. The E-ISAC staff reviews the data and conducts various types of analysis, including
malware analysis and indicator extraction, campaign link analysis, sector scale scoping, and sector relevance
assessments. This analysis allows the E-ISAC to create a unique dataset to help its members.
Benefits of Sharing
- Assists in understanding intent/campaign attribution of indicators: Identifying adversary campaign tactics, techniques, and procedures (TTP) allows the E-ISAC to share specific actions that members can take to mitigate the threat. Additionally, sharing allows the E-ISAC to do predictive analysis on future threat TTPs.
- Assists in reverse-engineering malware or in better understanding an event: The E-ISAC has access to closed-environment malware analysis systems that perform static and dynamic analysis on files submitted for malware analysis.
- Shares tactical information across industry that can pre-emptively stop threats by providing mitigation actions: Through member sharing, the E-ISAC has developed actionable indicators and mitigation strategies to reduce a member’s cyber risk.
- Allows for identifying additional information within the industry or other critical sectors: The E-ISAC works with other ISACs to share indicators of compromise that appear across sectors, including requests for information from cross-sector partners (cross-sector partners include representatives from organizations within other non-energy sectors that overlap with the electricity industry), to help identify threat campaign TTPs.
Safeguarding Your Information
The E-ISAC protects partner-shared information through procedure, policy, legal documentation, physical, and
logical separation. E-ISAC policy does not allow for sharing of confidential or attributable information without
consent of the organization that provided the information. Any confidential or attributable information is stripped
from reports, bulletins, or other postings prior to sharing with partners.
Attributable information is defined as information that identifies the organization reporting the information,
another organization, or information about specific locations of assets. If attribution is requested, the E-ISAC
requires permission from the original source prior to releasing this type of information. If written permission is
not granted, attribution is not provided.
To answer the concerns of industry, the NERC Board of Trustees established a policy on March 8, 2013, on the role
of E-ISAC and compliance personnel prohibiting the sharing of any potential compliance violations. This policy was
further clarified by the E-ISAC Code of Conduct, which all NERC personnel must sign, established in May 2014, and
revised in March 2015. The E-ISAC does not share protected information with NERC personnel, directly or
indirectly, except in limited circumstances detailed in the Code of Conduct. Additionally, E-ISAC personnel are
required to sign a non-disclosure agreement for the protection of partner information.
Information Storage
The E-ISAC portal data is stored in a secured U.S. cloud service that is contracted by the NERC IT department, with
access to the portal managed by E-ISAC operations personnel. The portal undergoes continual backups and
receives quarterly penetration and vulnerability testing by a third-party security vendor, which includes a software
code review of the web portal; E-ISAC infrastructure also undergoes quarterly penetration testing. The E-ISAC
portal is also continuously monitored by a third-party network security vendor. Additionally, E-ISAC operations
personnel conduct daily log reviews of successful and unsuccessful access attempts on the E-ISAC portal as part
of the E-ISAC cybersecurity awareness and information protection safeguard. The E-ISAC operations personnel
also monitor document downloads on the public portion of the E-ISAC web page to build awareness of who is
visiting the website.
E-ISAC working documents and data are kept within the E-ISAC facilities, compartmentalized within an encrypted
E-ISAC portion of the NERC IT network, and accessible only via an E-ISAC VPN. Only E-ISAC operations personnel
control access to this information. The E-ISAC is currently transitioning to its own physical and logical IT network
infrastructure that is completely separate from NERC’s IT infrastructure with a completion date by the third
quarter of 2016. This new infrastructure will also undergo regular penetration and vulnerability testing.
E-ISAC Organization
As shown in Figure 1, the E-ISAC is separated into two components: Stakeholder Engagement and Operations.
Stakeholder Engagement consists of cross-sector coordination, member outreach, and policy and coordination.
The Operations component is the interface for all information sharing and analysis. Operations consists of three
teams: Cyber Analysis, Watch Operations, and Physical Security Analysis.
Figure 1. E-ISAC Organization
All information the E-ISAC receives is routed through the Watch Operations team, which performs initial analysis
and then passes the information for detailed action to the respective analysis team. The Watch Operations normal
duty hours are from 6 a.m. to 6 p.m. Monday–Friday. After normal working hours, the Watch Operations duty
officer monitors the 24-hour incident reporting line. Watch Operations monitors the operations email account for
member and cross-sector sharing, manages the E-ISAC portal, reviews and edits (when necessary, to remove
attribution) member postings on the portal, and has primary responsibility for all E-ISAC postings on the portal.
The E-ISAC Cyber Analysis team provides analysis on all information shared to produce actionable indicators, and
builds the cyber “big picture” that is shared with members. This includes vetting of information shared by
government and cross-sector partners for validity to include the “so what” factor on how certain indicators would
apply to a sector. For example, the E-ISAC may receive indicators for an IP address to a domain hosting server
containing more than 1,000 websites. Blocking that single IP address could result in the blocking of legitimate
websites that members may need to use. The Cyber Analysis team works to find the actual domain name that is
hosting malware or malware command and control nodes. Additionally, the Cyber Analysis team performs
malware analysis on malware samples submitted to the E-ISAC to identify and disseminate indicators that can be
used to identify infections or mitigate malware command and control.
The Physical Security Analysis team performs detailed analysis on all physical security events.
Figure 2. Physical Security Information (inputs: RCIS, OE-417s, BPSA, EOP-004, Direct Report (phone, portal); destination: E-ISAC/Ops)
The Physical Security Analysis team receives both mandatory reporting via NERC’s Bulk Power System Awareness
office and member direct report contacts. When a report is received, the Physical Security Analysis team reviews
the information shared and contacts the entity for additional information. Generally, voluntary and mandatory
reporting submissions contain minimal information. The Physical Security Analysis team contacts the provider and
seeks more detailed information to determine if there is a bigger threat to the sector or to determine similarities
between other events. This is especially important in instances of sabotage, vandalism, and explosive devices. The
Physical Security Analysis team engages with law enforcement and state fusion centers to help build situational
awareness and identify adversary tools, techniques, and procedures that can be shared with industry physical
security teams to increase their awareness and protect against similar activity.
E-ISAC Membership
The E-ISAC is designed to support chief security officers; chief information officers; chief information security
officers; and operational, cyber, and physical security analysts. Anyone involved in physical and network security
operations can benefit from the collaboration and threat information sharing on the E-ISAC portal.
Organizational membership is broken into three major groups: industry members, government partners, and
cross-sector partners.
Industry Members
Industry members include vetted electricity asset owners and operators (AOO) – or affiliates, such as trade
associations and contractors – in North America. When an AOO submits a membership request, the E-ISAC
conducts research to verify that the prospective member generates, transmits, or distributes electricity, or a
combination of the three. AOO members have access to the secure portion of the E-ISAC portal for information
sharing. Sector members and the E-ISAC staff post various types of actionable information on the portal, including
suspicious activity, questions and answers to security issues, and news links to relevant security stories with
potential impacts to industry. Members may also participate in programs like the E-ISAC monthly briefing series,
which covers timely critical infrastructure protection topics. Members are able to share and collaborate
anonymously on the E-ISAC portal, up to the Traffic Light Protocol (TLP) AMBER level (see Appendix I for more
information on TLP). Information labeled as TLP: RED should only be shared by the member to the E-ISAC staff,
whereas TLP: AMBER and below can be shared with other member sub-groups, such as the industry trades, other
energy ISACs (Downstream Natural Gas ISAC and Oil and Natural Gas ISAC), and international AOOs.
Government Partners
Government partners include federal, state, and local entities that can assist the E-ISAC and its members and
partners in gathering and analyzing data, providing guidance, and collaborating on addressing security issues.
These partners include both U.S. and Canadian agencies with a justified need to know. Industry members may
select whether they want their information distributed to government partners. Only TLP: GREEN and TLP: WHITE
information can potentially be shared with government partners as the portal does not allow TLP: RED or TLP:
AMBER sharing with this group.
Cross-sector Partners
Cross-sector partners include representatives from organizations within other non-energy sectors that overlap
with the electricity industry. These cross-sectors are the critical infrastructure sectors defined by the Department
of Homeland Security (DHS)2 and can also include key vendors, manufacturers, or other individuals or
organizations on an as-needed basis. Information shared is restricted to TLP: GREEN or TLP: WHITE.
E-ISAC uses the TLP matrix in Appendix I. All material posted to the portal is marked with distribution instructions
that indicate whether the material is restricted to internal member use (TLP: AMBER), necessary
consultants/third‐party providers (TLP: GREEN), or whether all E-ISAC portal users can distribute the material more
broadly (TLP: WHITE).
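The sharing restrictions in this section (TLP: RED only to E-ISAC staff, TLP: AMBER and below to members and member sub-groups, and only TLP: GREEN or TLP: WHITE to government and cross-sector partners, subject to the member’s choice about government distribution) are the kind of rule a portal or a member’s own release workflow has to enforce before a posting goes out. The following is an added illustration written for this page, not E-ISAC’s portal code; the audience names, the treatment of unmarked content as most restrictive, and the `share_with_government` flag are this example’s assumptions, and the full matrix in Appendix I is not reproduced here.

```python
from enum import IntEnum
from typing import List, Optional, Sequence, Tuple


class TLP(IntEnum):
    """Traffic Light Protocol levels, ordered from least to most restrictive."""
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


# Most permissive TLP level each audience may receive, as described in the
# membership section. Audience names are this example's own (assumption);
# the authoritative matrix is the document's Appendix I.
AUDIENCE_CEILING = {
    "e-isac_staff": TLP.RED,             # RED is shared by the member to E-ISAC staff only
    "industry_members": TLP.AMBER,       # members share anonymously up to AMBER
    "member_subgroups": TLP.AMBER,       # trades, other energy ISACs, international AOOs
    "government_partners": TLP.GREEN,    # the portal does not allow RED/AMBER to this group
    "cross_sector_partners": TLP.GREEN,  # restricted to GREEN or WHITE
}


def parse_tlp(marking: Optional[str]) -> TLP:
    """Map a posting's marking string to a TLP level.

    Accepts "TLP: AMBER", "tlp:amber" or "AMBER". "Public" maps to WHITE.
    Unmarked content is considered protected by the user agreement; this
    example assumes the most restrictive level for it (assumption).
    """
    if marking is None or not marking.strip():
        return TLP.RED
    text = marking.strip().upper()
    if text == "PUBLIC":
        return TLP.WHITE
    if text.startswith("TLP"):
        text = text[3:].lstrip(": ").strip()
    try:
        return TLP[text]
    except KeyError:
        raise ValueError(f"unrecognized TLP marking: {marking!r}")


def allowed_audiences(marking: Optional[str], share_with_government: bool = True) -> List[str]:
    """Audiences whose ceiling is at or above the posting's level.

    share_with_government models the member's choice of whether their
    information may be distributed to government partners at all.
    """
    level = parse_tlp(marking)
    audiences = [name for name, ceiling in AUDIENCE_CEILING.items() if level <= ceiling]
    if not share_with_government:
        audiences = [a for a in audiences if a != "government_partners"]
    return audiences


def check_distribution(marking: Optional[str], requested: Sequence[str],
                       share_with_government: bool = True) -> Tuple[List[str], List[str]]:
    """Split a requested recipient list into (allowed, blocked) for one posting.

    Unknown audience names are blocked rather than silently passed through.
    """
    permitted = set(allowed_audiences(marking, share_with_government))
    allowed = [a for a in requested if a in permitted]
    blocked = [a for a in requested if a not in permitted]
    return allowed, blocked


if __name__ == "__main__":
    for marking in ("TLP: RED", "TLP: AMBER", "TLP: GREEN", "Public", None):
        print(f"{marking!r:>14}: {allowed_audiences(marking)}")
    print(check_distribution("TLP:AMBER", ["industry_members", "government_partners", "vendor_x"]))
```

Because the levels are ordered, “AMBER and below” is a comparison rather than an enumerated list, so adding a new audience only means recording its ceiling. Blocking unknown audience names is the conservative default for a release check.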
The E-ISAC portal may contain information provided by federal agencies that is controlled but unclassified. This creates a legal communications conduit for the exchange of cybersecurity information, which does not fall under the NERC Compliance Monitoring and Enforcement Program.3 Unless marked as “Public,” all content hosted on the E-ISAC portal is considered protected and is to be handled and protected consistent with any specified markings or assigned TLP designations. Violations of the E-ISAC User Agreement may result in termination of access and other action, including but not limited to civil and criminal penalties.
Personnel from NERC (including compliance enforcement personnel) and the regional entities are not allowed membership or access to the E-ISAC portal.
2 http://www.dhs.gov/critical-infrastructure-sectors.
3 http://www.nerc.com/FilingsOrders/us/RuleOfProcedureDL/Appendix_4C_CMEP_20130625.pdf.
Member Account Management
Individual accounts are created through the E-ISAC portal at www.eisac.com. Applicants using previously validated organizational email domains are able to register automatically. The registration system will send
notification if an email domain has not been validated. To register an organization and validate an email domain,
one must send an email to [email protected] from his or her organizational email account. The email should
include a brief description of the organization and the sender’s role/job title. The E-ISAC vets the request by
verifying that the organization meets the requirements for membership, and if so, will approve the sender’s email
domain for account registrations. The sender will receive an email with step-by-step instructions for portal
account creation and information that walks the sender through the information sharing process. There is a Portal
User Guide4 to assist users. When signing up for membership, all individuals must agree to the user agreement; violations of the agreement are grounds for termination from E-ISAC membership.
The E-ISAC monitors access logs to the portal for security intrusions and other suspicious activities. If compromised
credentials are discovered, the E-ISAC will notify the member or partner organization and deactivate the account.
If an individual believes his or her credentials have been compromised, the individual should contact the E-ISAC
immediately.
The E-ISAC terminates accounts when notified by a member or partner that an individual has left the organization.
It is an organizational responsibility to notify the E-ISAC, recognizing that delays may occur in notification when
someone has left an organization. This consideration is why the E-ISAC only allows organizational account domains: one of the first steps an organization takes when an individual departs is to de-provision the individual’s enterprise information technology (IT) access accounts. Individuals may contact [email protected] to de-provision user accounts.
4 https://www.eisac.com/Content/attachments/help_manual.pdf.
Benefits Available to Members
The E-ISAC relies on data submitted by industry to produce a variety of reports, programs, tools, and services to
member organizations. This data helps the E-ISAC create timely, relevant, and actionable documents. Two-way
information sharing is critical because it allows the E-ISAC to help industry identify emerging trends and to provide
an early warning.
Reports
- Incident Bulletins (Cyber and Physical): Bulletins are based on information submitted by E-ISAC member organizations. Bulletins are anonymized to protect the source of the information and include physical and cyber security information that provides timely, relevant, and actionable information of broad interest. These technical documents are targeted towards cyber and physical analysts.
- Daily Report: A 24-to-36 hour summary update on information sharing, vulnerability reporting, and news of specific interest to industry. It is targeted to cyber and physical analysts, and provides links to actionable content shared on the portal via incident bulletins.
- Weekly Report: A summary of news, content shared on the portal, ad hoc bulletins, daily reports, mitigation options, and the E-ISAC analyst perspectives.
- Monthly Report: A high-level, summarized report targeted for CEOs and senior management. It includes a rolling 12-month trend analysis that analysts can use for their senior leaders.
- Issue-Specific Assessments: Assessments report on malware campaigns that include adversary tools, tactics, and procedures (TTP), and mitigation steps.
- NERC Alerts: The E-ISAC advises the NERC Bulk Power System Awareness team on the issuance of NERC alerts regarding cyber and physical security vulnerabilities.
Programs
- Monthly Briefing Series: The E-ISAC monthly briefing covers timely critical infrastructure protection topics selected by the E-ISAC analytical teams. The monthly series includes representatives from the DHS Office of Intelligence and Analysis, as well as the ICS-CERT, both providing updates on current events. Additionally, the E-ISAC invites subject matter experts to provide updates on selected topics, including representatives of the Department of Energy’s national laboratories.
- GridSecCon: The E-ISAC leads the annual grid security conference, which brings together cyber and physical security experts from industry and government to share emerging security trends, policy advancements, training, and lessons learned. This program is organized by the Stakeholder Engagement component of the E-ISAC.
- GridEx: The E-ISAC coordinates the biennial grid exercise, which is designed to exercise utilities’ crisis response and recovery procedures, improve information sharing during a crisis, gather lessons learned, and engage senior leadership.
- Cybersecurity Risk Information Sharing Program (CRISP): CRISP is a voluntary, subscription-based NERC program managed by the E-ISAC that facilitates the exchange of detailed cybersecurity information between the industry, the E-ISAC, DOE, and Pacific Northwest National Laboratory (PNNL). The program enables owners and operators to better protect their networks from sophisticated cyber threats by facilitating the timely sharing of government-enhanced threat information, enhancing situational awareness, and better protecting critical infrastructure. The underlying technology for CRISP was deployed across the DOE networks more than 10 years ago. The technology was first installed at five utilities through a DOE pilot program. Under the direction of DOE and in coordination with the ESCC, CRISP has transitioned from the pilot program to broader deployment across utilities in North America to identify threats across the sector. These threats are shared with the broader membership.
Tools
- The E-ISAC Portal: The portal is the primary platform to store and share information, including background information surrounding NERC alerts, incident bulletins, daily reports, weekly reports, monthly reports, etc. In addition, other benefits include:
  - Providing industry with insights on best practices and technologies.
  - Providing information exchange opportunities on security challenges and actionable analysis.
  - Providing the timely information sharing of evolving security threats and possible mitigation.
  - Identifying and exploring ways of sharing information outside of the normal mandatory processes.
- Emergency Notification System (ENS): The ENS is used to send out mass notifications to predetermined members within the E-ISAC and NERC in the event of a crisis or significant activity. The system may also be used to directly notify ESCC leadership. An audio bridge is used in conjunction with the ENS to provide a situational awareness briefing to ESCC partners, CEOs, and industry analysts.
- Webinar Access: A 3,000-person webinar capability is used to host monthly webinars as described in the Programs section.
Services
- Analytical Capabilities: The E-ISAC uses different types of analysis when reviewing data submitted by members and partners:
  - Malware Analysis and Indicator Extraction: The E-ISAC can provide technical analysis on network traffic or malicious code. This deconstruction can help identify indicators of compromise that can be used to detect or deter future attacks and provide insight on whether previously unrecognized attacks occurred. Once the E-ISAC discovers these indicators, the team then shares them broadly with the sector to improve all members’ ability to detect or deter the same attack. In some instances, this deconstruction also provides insight into the tools, tactics, or procedures the attacker used. Uncovering this information can drastically improve the security posture while potentially giving insight into intent, or connecting the activity to a broader campaign.
  - Campaign Link Analysis: Another challenge for an individual company is to understand when an attempted attack is linked to previous activity. The E-ISAC can provide historical context and determine whether these indicators have been observed within the sector or through government channels. Linking these indicators of compromise to campaigns can provide further insight on future defensive posture and help members better understand the motive.
  - Sector-Scale Scoping: It can be a challenge for an individual company to determine when a particular threat is focused against a particular employee, the company, the sector at large, or diffused across the Internet. When provided the proper information, the E-ISAC can ascertain if the threat was observed by others within the electricity industry and if any significant commonalities or differentiators exist among the known observations. The E-ISAC also has strong partners in both the cross-sector community and the government. This, combined with vendors and Internet-based sources, can generate a larger picture of the threat. Understanding the scope of the threat can enable the members to better identify previously unrecognized targeted attacks and infer the potential intent of the threat.
  - Sector Relevance Assessments: The E-ISAC can determine how new or old threats, vulnerabilities, and risks affect the sector over time. These E-ISAC informational products take a longer view of security and map it to ramifications in the sector. These assessments can better inform members at a strategic level for high-impact events and larger trends based on smaller events in aggregate.
- Outreach on Physical Security: The E-ISAC conducts outreach with members on physical security issues to provide a platform for partnership between industry and the E-ISAC. The following are the key objectives:
  - To provide industry with insights on best practices and technologies, and to resolve and discuss challenges in its security programs, policies, and procedures.
  - To provide information exchange opportunities on physical security challenges and actionable analysis.
  - To provide the timely information sharing of evolving physical security threats and possible mitigation.
  - To identify and explore ways of sharing information outside of the normal mandatory processes.
The following Table 1 and Table 2 list the types of cyber and physical information to share with the E-ISAC. If any
of the below information has already been generated by various incident response activities, including tool
analysis reports, incident response lessons learned, forensics reports, etc., send the E-ISAC that summarized
information via email at [email protected]. Alternatively, members can share this information via a cyber
bulletin on the E-ISAC portal. Malicious code samples can be sent to [email protected] as a .zip or .rar file.
Where possible, encrypt attachments using the industry standard phrase (infected) for malware sharing.
The E-ISAC can use the information listed in Table 1 and Table 2 to find previously unknown Indicators of
Compromise (IOC) by determining previously unknown tactics or techniques, and helping identify malicious tools
used in the attack.
The information in Table 1 applies to both business networks and operations networks, such as distributed control systems, energy management systems/supervisory control and data acquisition systems, or other industrial control systems environments. Other unique information valuable within operational technology (OT) networks includes:
- Undisclosed or non-public software/hardware vulnerabilities.
- Abnormal or suspicious events, including malware detection, network activity, personal activity, rogue devices, unexplained outages, unauthorized access, etc.
Table 1: Cyber Information to Share

Immediate notification of high impact events
  • Destructive malware (including disk wipers, ransomware), any malware, or unauthorized activity within an IT or operational technology (OT) environment with direct impact to operations.
  • Cyber threats or announcements of intended cyber malicious activities (publicly or privately) to either employees or the company.
  • Other public events, such as announcements of loss of customer data/Personally Identifiable Information (PII), website defacements, distributed denial-of-service activity, etc.

Actionable information
  • This largely encompasses IOCs from observed events. IOCs are the observable artifacts left by either an attempted (successful or unsuccessful) attack or intrusion. The E-ISAC can also assist in determining IOCs if a member can only provide forensic artifacts, such as network traffic or binary files.

Indicators of Compromise (IOC) to share
  • Malicious or suspicious e-mail message attributes, including sender addresses, subject lines, bodies, links, attachment names, attachment MD5s, attachment payloads, date time (Coordinated Universal Time [UTC]) of delivery, and header information, including sender IP address or notable oddities, such as MUA, language, etc.
  • Network traffic summarization, including malicious source IP address, source domain, source hostname, source or destination ports, date time (UTC) of activity.
  • Malicious website activity (web drive-bys, exploit kits, water holing, etc.) including URIs, date time (UTC) of activity, known redirects, known downloads or download SHA1/MD5 hashes, known attribution to exploit kit or other tools, etc.
  • Malicious USB-based malware, including SHA1 or MD5 hashes, filename, known signatures.
  • Other activity, such as recon activity, suspicious activity.

Forensic artifacts to share
  • Entire email messages.
  • Malicious binary files.
  • Full network captures.
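Table 1 asks members to share a specific set of e-mail attributes: sender address, subject, links, attachment names with MD5/SHA1 hashes, UTC delivery time and header details such as the sender IP and mail user agent. The following Python script is an added example, not E-ISAC code, showing how a member could build such a sharing record from a raw message with only the standard library. The message it parses is constructed: the sender, recipient domain, IP address, link and attachment are all made up.

```python
"""Build the e-mail sharing record described in Table 1 from a raw message.

Added example, not E-ISAC code. SAMPLE_EML is a constructed message: the
sender, recipient domain, IP address, link and attachment are all made up.
"""
import hashlib
import re
from datetime import timezone
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime
from typing import Optional

# Constructed sample (not a real phishing message). The attachment body is
# the base64 of "Hello world", so the hashes in the record are of that string.
SAMPLE_EML = b"""\
Received: from mail.example.invalid ([198.51.100.23]) by mx.utility.example
 with ESMTP id x1; Tue, 7 Jun 2016 14:05:00 -0400
From: "Account Services" <billing@example.invalid>
To: ops@utility.example
Subject: Invoice overdue
Date: Tue, 7 Jun 2016 14:04:00 -0400
X-Mailer: SampleMailer 1.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached invoice at http://example.invalid/inv/123
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hashes(data: bytes) -> dict:
    """MD5 and SHA1 of an attachment payload, the two digests Table 1 lists."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def sender_ip(msg) -> Optional[str]:
    """IP from the earliest Received header, i.e. the hop nearest the sender.

    Each relay prepends its own Received line, so the last one in the list
    is the oldest. Upstream hops can be forged, which is why the record also
    keeps the raw headers for the analyst.
    """
    for hop in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(hop)
        if match:
            return match.group(1)
    return None


def build_record(raw: bytes) -> dict:
    """Extract the Table 1 e-mail attributes into a plain dict."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    delivered = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)

    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename(),
                            "size": len(payload), **hashes(payload)})

    return {
        "sender": parseaddr(msg["From"])[1],
        "subject": str(msg["Subject"]),
        "delivered_utc": delivered.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "sender_ip": sender_ip(msg),
        "links": sorted(set(URL_RE.findall(text))),
        "attachments": attachments,
        "mua": msg.get("X-Mailer"),
        "received_headers": [str(h) for h in msg.get_all("Received", [])],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_record(SAMPLE_EML), indent=2))
```

The record keeps the raw Received chain alongside the extracted sender IP because only the hop added by the member's own mail gateway can be trusted; anything upstream of it may have been inserted by the sender.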
The information in Table 2 applies to physical security activity across facilities. Other unique information
valuable to include:
  • Impact of the activity; and
  • Involvement of law enforcement or relevant state/federal fusion center reports.
Table 2: Physical Information to Share

Break-ins/attempted break-ins
  • Unauthorized personnel attempting to enter or actually entering a restricted area, secured protected site, or nonpublic area. Impersonation of authorized personnel (e.g., police/security officers, janitors, or other personnel).

Misrepresentation
  • Presenting false information or misusing insignia, documents, identification, etc., to misrepresent affiliation as a means of concealing possible illegal activity.

Theft, loss, or diversion
  • Stealing or diverting something associated with a facility/infrastructure or secured protected site (e.g., badges, uniforms, identification, emergency vehicles, technology, or documents), which are proprietary to the facility/infrastructure or secured protected site.

Sabotage, tampering or vandalism
  • Damaging, manipulating, defacing, or destroying part of a facility/infrastructure or secured protected site.

Expressed or implied threat
  • Communicating a spoken or written threat to commit a crime that will result in death or bodily injury to another person(s), or to damage or compromise a facility/infrastructure or secured protected site.

Aviation activity
  • Unknown drones flying or hovering over power plants, substations, or transmission lines.

Eliciting information
  • Questioning individuals or otherwise soliciting information at a level beyond mere curiosity about a public or private event; about the particular facets of a facility or building, and its purpose, operations, security procedures, etc., in a manner that would arouse suspicion of terrorism or other criminality in a reasonable person.

Observation, surveillance
  • Demonstrating unusual or prolonged interest in facilities, buildings, or infrastructure beyond mere casual (e.g., tourists) or professional (e.g., engineers) interest, doing so in a manner that would arouse suspicion of terrorism or other criminality in a reasonable person. Examples include observation through binoculars, taking notes, attempting to mark off or measure distances, etc.

Materials acquisition, storage by an employee or employee’s associates
  • Acquisition/storage of unusual quantities of materials, such as: cell phones, pagers, radio control toy servos or controllers, fuel, chemicals, toxic materials, timers, or other triggering devices in a manner that would arouse suspicion of terrorism or other criminality in a reasonable person.
How to Share with the E-ISAC
Partners can share directly with the E-ISAC by posting to the portal, emailing the E-ISAC, or calling the 24-hour
incident line. Partners can also share directly with other partners by posting to the portal and selecting groups
with which they would like to share.
The timeframe for receiving a response from the E-ISAC/sharing feedback varies based on the type of inquiry or
information shared. However, the E-ISAC will work to respond to inquiries in a timely manner. In general, the
E-ISAC operates under the following response guidelines (see Table 3) during normal business hours, 6 a.m.
to 6 p.m. Eastern, Monday–Friday:
Table 3: Time-frame and Methods of Communications

24-Hour Incident Line
  Response time: Speak with a watch officer directly or receive a call within one hour.
  Information dissemination: The watch officer will gauge the type of request/information shared and share courses of action with the individual/entity.

Email
  Response time: Within four hours, a watch officer will acknowledge that information was received and request further information as needed.
  Information dissemination: The member can specify whether information may be shared, attribution level, and follow-up expected.

Portal
  Response time: Information is posted to the portal. Watch officers monitor the portal and reach out as needed.
  Information dissemination: The member may select type of post, attribution, TLP level, etc. (See Portal User Guide [5] for more details and instructions).
Partners are asked to not share PII or critical infrastructure protection information. To submit reports to NERC for
EOP-004-2, R3 and OE-417 reports, send to [email protected]. While not required, please cc:
[email protected]. For cyber-related events, send reports to [email protected].
If a member posts attributable information on the portal to share with the membership, the E-ISAC Watch
Operations team will edit the post as needed to ensure sensitive information is safeguarded. Examples include
attachments with attributable information or the organizational name in the post.
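The paragraph above describes the Watch Operations team editing posts so that attributable details (attachments naming the organization, the organizational name in the text) do not reach the membership. The following Python snippet is an added example, not the E-ISAC's tooling, showing how a member could run that pass on their own write-up before posting: it redacts the reporting organization's name, its e-mail addresses and hostnames, and addresses in its internal ranges, while leaving external indicators (the attacker's address and IP) intact so the post still carries the IOCs Table 1 asks for. The organization profile and the sample write-up are constructed placeholders.

```python
"""Redact attributable details from an incident write-up before posting it.

Added example, not the E-ISAC Watch Operations tooling. ORG_PROFILE and
SAMPLE_POST are constructed placeholders for a hypothetical member.
"""
import ipaddress
import re

# Hypothetical reporting organization (constructed values).
ORG_PROFILE = {
    "names": ["Example Power Cooperative", "ExPowerCo"],
    "domains": ["expowerco.example"],
    "internal_nets": ["10.40.0.0/16"],
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact(text: str, profile: dict = ORG_PROFILE) -> str:
    """Replace the reporting org's identifiers, keep external indicators."""
    domains = tuple(d.lower() for d in profile["domains"])
    nets = [ipaddress.ip_network(n) for n in profile["internal_nets"]]

    # 1. E-mail addresses at the org's own domains. Attacker addresses are
    #    indicators the membership needs, so other domains are left alone.
    def _mail(m):
        addr = m.group(0)
        return "[ORG EMAIL]" if addr.lower().endswith(domains) else addr
    text = EMAIL_RE.sub(_mail, text)

    # 2. Hostnames under the org's domains, and the bare domains themselves.
    for d in domains:
        host_re = r"\b(?:[\w-]+\.)*" + re.escape(d) + r"\b"
        text = re.sub(host_re, "[ORG HOST]", text, flags=re.IGNORECASE)

    # 3. Addresses inside the org's internal ranges; external IPs stay.
    def _ip(m):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)
        return "[INTERNAL IP]" if any(ip in n for n in nets) else m.group(0)
    text = IPV4_RE.sub(_ip, text)

    # 4. Organization names last: a short name such as "ExPowerCo" also
    #    appears inside the domain, and replacing it first would mangle the
    #    address and host tokens before steps 1 and 2 could match them.
    for name in sorted(profile["names"], key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b", "[REPORTING ORG]",
                      text, flags=re.IGNORECASE)
    return text


# Constructed write-up for the hypothetical member; nothing in it is real.
SAMPLE_POST = (
    "Example Power Cooperative SOC observed a phishing wave on 2016-06-07. "
    "Messages from billing@example.invalid (198.51.100.23) reached "
    "ops@expowerco.example; one user on hmi-01.expowerco.example (10.40.3.17) "
    "opened the attachment. Contact: j.doe@expowerco.example."
)

if __name__ == "__main__":
    print(redact(SAMPLE_POST))
```

Pattern-based redaction of free text is a first pass, not a guarantee: it cannot recognize an organization described indirectly (a plant name, a service territory), which is why a person still reads the post before it goes out, as the Watch Operations team does.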
Any member may respond to another member’s portal post and ask questions. In the event a member contacts
the E-ISAC and requests more information on a portal posting, the E-ISAC will contact the original provider to
inquire whether they are willing to provide additional information.
All incidents submitted to the E-ISAC Watch Operations team or to the E-ISAC portal are logged/ticketed to
facilitate trend analysis. The Watch Operations team conducts initial analysis of the information, follows up with
the provider, and takes the appropriate action. These actions may include anonymization and posting to the E-ISAC
portal (if not done by the provider) and providing the incident report to the appropriate cyber or physical
analysis teams for review and follow up. The Watch Operations team, Cyber Analysis team, and Physical Security
Analysis team meet daily to review the day’s sharing activities and status of any outstanding tickets undergoing
detailed analysis.

[5] https://www.eisac.com/Content/attachments/help_manual.pdf.
Functional Separation from NERC
The E-ISAC Code of Conduct applies to both the E-ISAC and NERC staff; it delineates the policy regarding
information sharing, functional separation between the E-ISAC and NERC personnel, and actions. The Code of
Conduct also details physical and electronic access to E-ISAC information, which is limited to the E-ISAC and
support personnel (e.g., IT staff).
The following physical access restrictions are in place:
  • E-ISAC work space is physically separated from NERC work space and is accessible only to the E-ISAC staff.
  • All access doors require a radio frequency identification keycard and are protected by an audible alarm that is also monitored by building security.
  • All E-ISAC visitors must sign in and be escorted by E-ISAC personnel.
The following electronic access restrictions are in place:
  • Only E-ISAC operations personnel have administrator privileges to the E-ISAC portal. This access grants user/group management control and content editing of all portal posts.
  • E-ISAC members have restricted access to the E-ISAC portal, which allows them to submit information. Specific access is dependent on membership category. Industry members have access at TLP: WHITE, TLP: GREEN, and TLP: AMBER. Cross-sector and government partners are restricted to TLP: WHITE and TLP: GREEN but may only access those shares that included them. For example, if an industry member submits a TLP: GREEN portal post but only selects E-ISAC AOO, only that sub-group will be able to see the share.
  • E-ISAC information is electronically protected by restricted access to servers and shared drives, and access requires pre-approval under an authorization process administered by the chief security officer.
  • Systems and applications are secured using user identification, password protection, and VPN controls.
Summary
The E-ISAC is focused on providing a member-orientated collaborative environment that is designed to reduce
member risk throughout the electricity industry. The E-ISAC monitors open source websites and private sources
of information for relevant and actionable cyber and physical threat information. The E-ISAC team conducts
analysis, reports on events impacting the electricity industry, and provides learning opportunities through
conferences and exercises with the most valuable source of information coming from the members themselves.
Information that members share with the E-ISAC helps create an understanding about security threats that
may impact industry. With this information, the E-ISAC provides industry with analysis focused on their
concerns. Members learn from each other, share best practices, and use actionable information to make their
organizations—and industry as a whole—more secure.
Appendix I
Confidentiality Requirements for NERC Employees
As it relates to NERC employees, NERC’s policy is to protect all information submitted to NERC that contains
Confidential Information, as that term is defined in Section 1500 of the NERC Rules of Procedure [6]. Confidential
Information includes, among other things:
  • Confidential business and market information (including information that is proprietary or competitively sensitive, such as trade secrets)
  • Critical Energy Infrastructure Information
  • Personnel information that identifies or could be used to identify a specific individual, or reveals personnel, financial, medical, or other personal information
  • Confidential or classified information obtained from governmental entities
  • Cybersecurity incident information
Under the NERC Rules of Procedure, NERC must keep in confidence and not copy, disclose, or distribute any
Confidential Information or any part thereof without the permission of the entity that submits the Confidential
Information, except as otherwise legally required. NERC is under an obligation to ensure that its officers, trustees,
directors, employees, subcontractors and subcontractor’s employees, and agents to whom Confidential
Information is exposed are under obligations of confidentiality and abide by all NERC rules and processes relating
to access and management of Confidential Information.
The NERC Employee Handbook includes a NERC Employee Code of Conduct [7] that requires NERC and E-ISAC
employees to maintain the confidentiality of:
  • Confidential Information of NERC or the E-ISAC, of partners of NERC or E-ISAC, or of market participants to which the employee has access by virtue of his or her position with NERC or E-ISAC (such information may include enforcement actions, cyber threats or incidents, data breach information, confidential or classified information obtained from governmental entities, or trade secrets—as defined by applicable law).
  • Confidential Information of other third parties that has been provided to NERC or E-ISAC under the terms of a confidentiality agreement.
The Code of Conduct further specifies:
  NERC personnel operating on behalf of E-ISAC shall further protect any Confidential Information gained in
  such capacity and not share any E-ISAC Confidential Information with any non-E-ISAC personnel, except as
  provided for in the E-ISAC Code of Conduct or other applicable NERC or E-ISAC policies. No employee may
  copy, reveal, give, or make known to anyone outside of NERC any Confidential Information (or for E-ISAC
  Confidential Information, outside of E-ISAC), without appropriate safeguards and authorization by
  management, including, without limitation, limiting access to the least amount of Confidential Information
  to allow any third party to meet his/her obligations to NERC and making all third parties aware of the
  confidential nature of such information and all requirements related to its protection.
To ensure both NERC and the E-ISAC staff are aware of security issues and ramifications, all NERC and E-ISAC
employees must certify, on an annual basis, that they have read, understood, and will continue to comply with
the NERC Employee Code of Conduct and the E-ISAC Code of Conduct. Additionally, beginning in 2016, all E-ISAC
personnel must sign a confidentiality agreement stating, among other things, that they will comply with all of the
NERC and the E-ISAC’s policies and procedures related to confidentiality and will maintain the confidentiality of
all E-ISAC information. Under the confidentiality agreement, each E-ISAC employee agrees not to copy, reveal,
give, or make known to anyone outside of NERC any trade secret or Confidential Information without appropriate
safeguards and consent of the source of the information.

[6] http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx.
[7] http://www.nerc.com/gov/Annual%20Reports/NERC%20Code%20of%20Conduct%20dotx.pdf.
Confidentiality Requirements Applicable to E-ISAC Partners
The confidentiality requirements that apply to NERC employees also apply to E-ISAC partners. The E-ISAC User
Agreement that E-ISAC partners agree to as a condition of membership provides the following:
All content hosted on the Portal is considered E-ISAC Private unless expressly marked Public. E-ISAC Private
material shall be marked with distribution instructions that indicate whether the material is restricted to
Internal Use and Necessary Consultants/Third-Party Providers or whether Portal Users can distribute the
material more broadly.
As discussed above, the E-ISAC uses the Traffic Light Protocol (TLP) matrix in Table 4. All material posted to the
portal is marked with distribution instructions that indicate whether the material is restricted to Internal Use (TLP:
AMBER), Internal Use and Necessary Consultants/Third-Party Providers (TLP: GREEN), or whether portal users can
distribute the material more broadly (TLP: WHITE). The portal may contain information provided by federal
agencies that is controlled but unclassified. This creates a legal communications conduit for the exchange of
cybersecurity information with E-ISAC staff, which does not fall under the NERC Compliance Monitoring and
Enforcement Program. Unless marked as “Public,” all content hosted on the E-ISAC portal is considered protected
and to be handled and protected consistent with any specified markings or assigned TLP designations. Violations
of the User Agreement may result in termination of access, and other action, including but not limited to, civil and
criminal penalties.
Table 4: Traffic Light Protocol (TLP) [8]

RED
  When should it be used? Sources may use TLP: RED when information cannot be effectively acted upon by additional parties and could lead to impacts on a party's privacy, reputation, or operations if misused.
  How may it be shared? Recipients may not share TLP: RED information with any parties outside of the specific exchange, meeting, or conversation in which it is originally disclosed.
  Additional guidance: For E-ISAC eyes only and parties directly involved.

AMBER
  When should it be used? Sources may use TLP: AMBER when information requires support to be effectively acted upon but carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
  How may it be shared? Recipients may only share TLP: AMBER information with members of their own organizations who need to know, and only as widely as necessary to act on that information.
  Additional guidance: For member-internal use only (do not distribute outside your company).

GREEN
  When should it be used? Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations, as well as with peers within the broader community or sector.
  How may it be shared? Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.
  Additional guidance: For member-internal use and necessary consultants/third-party providers.

WHITE
  When should it be used? Sources may use TLP: WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable Rules and Procedures for public release.
  How may it be shared? TLP: WHITE information may be distributed without restriction, subject to copyright controls.
  Additional guidance: No restrictions for unmarked, public information.

[8] www.eisac.com, Public Document Library, “TLP Guidance Table (005).pdf.”
Appendix II
Frequently Asked Questions
What does the E-ISAC acronym stand for?
The Electricity Information Sharing and Analysis Center
What is an ISAC?
The ISACs were created as a result of Presidential Decision Directive 63 (PDD-63) in 1998. The directive requested
that the public and private sectors create a partnership to share information about physical and cyber threats,
vulnerabilities, and events to help protect the critical infrastructure of the United States. PDD-63 was updated in
2003 with Homeland Security Presidential Directive/HSPD-7 to reaffirm the partnership mission.
What does the E-ISAC do?
The E-ISAC gathers and analyzes security data, shares with stakeholders as appropriate, coordinates incident
management, and communicates mitigation strategies with stakeholders. In collaboration with DOE and the
Electricity Subsector Coordinating Council (ESCC), the E-ISAC serves as the primary security communications
channel for industry and enhances the ability to prepare for and respond to cyber and physical threats,
vulnerabilities, and incidents that could cause a potential impact to the BES.
What information is contained in a NERC alert?
As part of its normal course of business, NERC often either discovers, identifies, or is provided with information
that is critical to assuring the reliability of the bulk power system (BPS) in North America. To effectively share this
information, NERC uses email-based alerts that are designed to provide concise, actionable information to the
electricity industry. NERC develops these alerts with E-ISAC input as required and shares them with registered
entities; non-confidential alerts are posted on the NERC website and described in high-level detail on the E-ISAC
secure portal.
NERC alerts are divided into the following three distinct levels:
  • Industry Advisory: Purely informational, intended to alert registered entities to issues or potential problems. A response to NERC is not necessary.
  • Recommendation to Industry: Recommends specific action be taken by registered entities. A response from recipients, as defined in the alert, is required.
  • Essential Action: Identifies actions deemed to be “essential” to BPS reliability and requires NERC Board of Trustees' approval prior to issuance. Like recommendations, essential actions also require recipients to respond as defined in the alert.
Each NERC alert contains specific information, including the following:
  • A list of functional entities to whom the alert was distributed
  • Reporting requirements and details (if applicable)
  • A set of “primary interest groups” within the receiving organization (those who may benefit most from the alert)
  • Background information for the creation of the alert (generally a description of a disturbance event or particular information about a cyber or physical vulnerability)
  • Specific, actionable observations, recommendations, or essential actions
  • Contact information for the appropriate NERC staff
  • Label indicating the sensitivity of the information contained in the alert
Generally, NERC distributes alerts broadly to users, owners, and operators of the BPS in North America through
its Compliance Registry. Entities registered with NERC are required to provide and maintain up-to-date compliance
and cybersecurity contacts. Alerts may be targeted to groups of entities based on their registered functions (e.g.,
Balancing Authorities, Planning Authorities, Generation Owners, etc.).
How long has the E-ISAC existed?
The E-ISAC was launched in 1998 and is operated by NERC.
Does the E-ISAC have any endorsements?
In March 2013, DOE outlined its expectations of the roles and responsibilities of an electricity ISAC [9]. In
collaboration with DOE and the ESCC, the E-ISAC serves as the primary security communications channel for
industry and enhances the ability to prepare for and respond to cyber and physical threats, vulnerabilities, and
incidents.
How much does it cost to join?
Membership in the E-ISAC is free.

[9] http://www.nerc.com/news/Headlines%20DL/ES-ISAC%20Letter%2014MAR13.pdf.
Appendix III
References
Additional information on antitrust provisions, code of conduct, and other policies and procedures:
  • E-ISAC Code of Conduct:
    http://www.nerc.com/gov/Annual%20Reports/E-ISAC_Code_of_Conduct.pdf
  • NERC Antitrust Compliance Guidelines:
    http://www.nerc.com/gov/Annual%20Reports/NERC%20Antitrust%20Compliance%20Guidelines.pdf
  • Policy on the Role of the E-ISAC vis-à-vis NERC’s Compliance Monitoring and Enforcement Program:
    http://www.nerc.com/gov/Annual%20Reports/Updated%20ESISAC%20Firewall%20Approval%20(13%20Mar%202013).pdf
  • NERC Employee Code of Conduct:
    http://www.nerc.com/gov/Annual%20Reports/NERC%20Code%20of%20Conduct%20dotx.pdf
  • Portal User Guide:
    https://www.eisac.com/Content/attachments/help_manual.pdf
  • NERC Rules of Procedure:
    http://www.nerc.com/AboutNERC/Pages/Rules-of-Procedure.aspx
  • NERC Compliance Monitoring and Enforcement Program:
    http://www.nerc.com/FilingsOrders/us/RuleOfProcedureDL/Appendix_4C_CMEP_20130625.pdf