Electricity ISAC – The Critical Infrastructure Protection & Resilience North America interview

Ben Lane, CIPRNA event manager, met Anna Ballance, Senior Advisor for Industry Policy Coordination at the Electricity ISAC, where she manages strategic initiatives, including international and cross-sector activities, and supports ISAC-Electricity Subsector Coordinating Council activities.

Anna will be speaking at CIPRNA 2024 on the panel:

CI Interdependencies and Cascading Effects in Community Situational Awareness: https://ciprna-expo.com/session/ci-interdependencies-and-cascading-effects-in-community-situational-awareness/

The following is a transcription of their conversation.

Ben Lane:

Hello Anna. Great to meet you. You are senior advisor at the Electricity ISAC, and you are going to be speaking at CIPRNA in March in Lake Charles. First off, can you tell us a little bit about yourself, and your current role and position?

Anna Ballance:

Excellent. Thank you, Ben. Pleasure to speak with you today. I have been at the Electricity ISAC since 2020, so going on four years now. And I have been in the electricity sector, on the other side of that, for about four years. My background academically is in security, and I found my way into the electricity sector working for Edison Electric Institute prior to coming to Electricity ISAC.

Edison Electric Institute is a trade association in the United States representing the investor-owned utilities and I collaborated with members directly in our committee work. I feel like my background in this convergence of the security and policy space is grounded in the passion of finding what members and critical infrastructure providers need, what keeps them up at night, and I get to apply that here at the Electricity ISAC.

I work on our partnerships primarily. That includes our tri-sector partners – our financial services, and communications partners. I do a little bit of our international work as well. We have a relationship with the Japanese Electricity ISAC and the European Energy ISAC.

Ben Lane:

Thanks, Anna. Please can you explain the Electricity ISAC, its roles, and objectives to anyone who may not have heard of you and your work?

Anna Ballance:

The Electricity ISAC was created in 1999 and offers the electric industry quality analysis and rapid sharing of security information on how to mitigate complex, constantly evolving threats to the energy grid. Our mission is to reduce cyber- and physical-security risk to the electric industry across North America by providing unique insights, leadership, and collaboration. The keystone is the voluntary sharing from members and feedback from that community, the electricity asset owners, and operators.

We serve just under 1,800 organizations in our membership across the US and Canada. And as for our function, the E-ISAC operates as a clearinghouse, if you will, for security information encompassing both cyber and physical security. We are a hub of many sources including the observed incidents members share themselves, information and guidance from government partners, open-source intelligence, automated monitoring, and other inputs.

You can think of this as streams of information that our analysts then catalog, analyze, and publish into outputs such as bulletins, direct member outreach, white papers, and briefings. These cover content including alerts, tactics, techniques, and procedures (TTP), indicators of compromise (IOC) and mitigation strategies. We strive to provide timely, relevant, and actionable information that can help mitigate against security threats to the electricity industry.

Ben Lane:

Great, thank you. The Electricity ISAC looks at the energy/electricity sector. Can you define what this means and what are the main developments and changing threats you are seeing for your sector?

Anna Ballance:

We are a subsector in energy, but we are a big one! The Electricity ISAC focuses on organizations that own or operate generation, transmission, and distribution of electricity. And right now, the threat landscape facing the electricity industry is dynamic and ever-changing.

Attacks are constantly evolving and becoming more sophisticated. As for who are our capable adversaries, these include advanced persistent threats (APT) (including nation-state sponsored adversaries), ransomware actors, threats from domestic violent extremists and insider threats, both cyber and physical.

An unprecedented number of hardware and software vulnerabilities face the electricity sector and critical infrastructure sectors, as well as businesses. There is an increased focus on physical security incidents, the potential risk from drones and the adversarial use of artificial intelligence to improve existing tactics. In short, our capable adversaries and their means are really what keep us up at night.

Ben Lane:

How does the Electricity ISAC work within its industry sector to tackle and prepare its members for these changing threats you just mentioned?

Anna Ballance:

Well, I thought you would never ask because otherwise it would be a grim conversation after that last question! While the threat landscape is becoming more diverse and challenging, we are doing our part at the Electricity ISAC. I said this before, but I will say it again: the keystone of our work is the voluntary sharing and the feedback from the communities, the asset owners, and operators themselves.

The Electricity ISAC also operates an around-the-clock Watch that receives shares from members as well as monitors a variety of collection platforms. These include the dark web, ransomware, and cybercriminal sites, to provide timely and actionable information back out to our members and partners. We develop in-house analysis of ongoing incidents or threats, provide a suite of analytical products including what we call “all-points” bulletins, topic-specific webinars, and partner briefings within our intelligence community peers. And these are collaborative engagements.

The information in these shares includes anything from a cyber security standpoint as well as criminal activity, vulnerabilities, supply chain issues, and ransomware group activities. On the physical side, we provide products such as the Electricity ISAC’s “Physical Security” resource guide. This outlines many of our offerings including our design basis threat tools, monthly reports, outlooks, and white papers, such as those we have developed on drones, copper theft, and wind farm security. So, our offerings are quite broad and sometimes when a particular activity bubbles up we recirculate the resources that we may have created previously into a consolidated product. We can then remind members if [the activity] is not new to us and here are the resources available to you.

Additionally, we exercise with industry. The Electricity ISAC hosts GridEx. It is the largest grid security exercise in North America. It is designed to simulate real-world cyber and physical threats on the North American electricity grid and other critical infrastructure. It was designed to stress test crisis response and recovery plans. The GridEx VII summary and report will be published in a few weeks (as of 20/02/2024) and will outline participants’ lessons learned. These lessons can help validate practices, inform changes to contribute to more informed decisions about preparedness, mitigation, and resilience practices.

Ben Lane:

All companies obviously need energy and electricity to operate. So how does the Electricity ISAC work with other sectors and other ISACs to ensure resilience in the system?

Anna Ballance:

This is a crucial point because we do not operate in a vacuum. A humbling figure is that electricity makes up approximately 7% of the economy in the United States, but it is the first 7%. So, without the juice, nothing else works and we recognize this responsibility.

The three main themes of the Electricity ISAC’s cross-sector activity are:

  • Collaborating and coordinating: During steady state operations any day, we are exchanging information with our ISAC peers through our operational teams, so direct sharing of information coming in and going out to ISACs and government partners, like DHS and CISA, who have a risk management role for other critical infrastructure sectors. Recently, our cross-sector ISAC shares have made up about a third of our incoming partner shares overall. We also exchange best practices with ISACs through the National Council of ISACs and Association of ISACs from many sectors.
  • Exercising: I mentioned GridEx before. The ISACs also participate in and observe exercises that challenge or feature those interdependencies. ISACs are uniquely positioned to make introductions, connect professionals from the different sectors such as incident responders and exercise planners to enrich exercise realism within our respective exercise scenarios, but also create a network of practitioners from across those sectors.
  • Developing and practicing: This is related to exercises but encompasses much more. We are highly engaged in the incident management functions of the Electricity Sector Coordinating Council and work hand in hand with that CEO-led group to mitigate risk through unity of effort and unity of message in a crisis state. For the role of the ISACs in that cross-sector context, we maintain partnerships and points of contact. With our partners in the financial services and communications sector, we are developing a tri-sector playbook to serve as a framework for the ISACs and sector coordinating council representatives to coordinate.

Our role, while significant, exists alongside the utility-to-provider relationships, the regional cross-sector relationships, and coordination work within the states and provinces. I can confidently say that the sectors are working together across many levels and that the ISACs are part of that progress to assure resilient services. Cross-sector coordination is imperative for the success of our collective response in a crisis because of our interdependencies.

Ben Lane:

And this is clearly one of the areas that you will discuss at the conference where there is a tri-sector discussion on the opening day. So, we will see how that works in practice when all three of you are there discussing communications, financial services, and electricity.

Finally, if you had to pick one thing out of all the things you are dealing with daily, what would you pick that keeps you awake at night?

Anna Ballance:

I think the thing that keeps us most up at night is maybe an unattainable or unfulfillable self-assessment of “are we prepared?” Now more than ever, it is vital that industry and partners, the critical infrastructure operators, and asset owners, come together to build a strong and knowledge-based defense through information sharing and industry collaboration. [Our activities] do give me a sense of confidence because I see that [knowledge-based defense] is happening on a day-to-day basis.

Ben Lane:

Thank you. We look forward to seeing you in Lake Charles March 12 to 14 where you will be speaking in the following session:

Anna Ballance:

Looking forward to it. Thank you.