Ben Lane, CIPRNA event manager, met Angela Haun, Executive Director of the Oil and Natural Energy ISAC (now known as the ONE-ISAC).
Malware. Data breaches. Insider threats. Cyber espionage. It is not a question of if you will be attacked but when. In fiscal year 2016, ICS-CERT responded to 290 incidents with the energy sector accounting for fifty-nine of those incidents. As cyber threats evolve, the oil and natural energy industry faces unique challenges with the increasingly interconnected delivery of services to a common consumer and supplier base.
To protect the nation’s critical infrastructure, the Oil and Natural Energy Information Sharing and Analysis Center (the ONE-ISAC) was created to provide shared intelligence on cyber incidents, threats, vulnerabilities, and best practices to enhance security in the industry.
This is a transcript of their conversation
Ben Lane:
Hello Angela Haun from the ONE-ISAC! We’re going to speak today a little bit about the ISAC and some of the work you do.
We’re also looking forward to meeting your Chairman, Octavio Herrera, who will be speaking in the Oil & Gas Sector Symposium at CIPRNA 2025, March 11-13, Houston TX.
https://ciprna-expo.com/session/oil-gas-sector-symposium/
Please tell us a little about yourself and how you got to where you are now and introduce ONE-ISAC to us.
Angela Haun:
Well, Ben, thank you for the honor of being able to speak to you today. CIPRNA is a great event, and I know Octavio is going to do a great job supporting you.
I’m the Executive Director of the ONE-ISAC. For those of you who don’t know, it’s the Oil and Natural Energy Information Sharing and Analysis Center, formerly the ONG-ISAC.
Last November we announced we were expanding our scope of member eligibility to alternative fuels and renewable energies. This is important for us to stay relevant and travelling in the direction of the sector and many of our member companies. We wanted to be able to support them, and bring in those other companies who can now be part of our sharing community.
So that’s still a pretty fresh announcement, but I’m super happy with the direction we’re going in. Last year was our 10th anniversary, and now we’re ready for the next 10!
I have been in this role for 6 1/2 years. Prior to that I was a special agent for the FBI for 20 years. I started my agent career in the Chicago Field Office. I moved to Washington, DC at FBI Headquarters where I worked in the Office of Congressional Affairs as well as the Cyber Division. And that’s where my passion for information sharing and getting people to work together really lit a spark in me.
I was also the unit chief of the Public-Private Alliance unit, which was the governance division for the InfraGard program at the time. InfraGard, as you may know, is a public-private partnership. I believe they’re engaged in this event, which I think is awesome.
I did take a transfer down to the Houston Field Office where I worked in healthcare fraud until I was very fortunate to take over as the InfraGard coordinator for FBI Houston.
We grew the chapter into the largest in the country with the help of a lot of awesome volunteers who are patriots and who support protecting our critical infrastructure. So, I was very fortunate.
This led me to the role I do know. It was just a perfect fit. It is the greatest “next” chapter I could have hoped for.
Ben Lane:
That’s wonderful. You’ve got a new administration in place now; how are your roles changing? How have they had to change over the past five or six weeks and with this new focus on “drill, baby, drill”?
Angela Haun:
Our mission is straightforward. We are a communication hub. Our mission is to share cyber threat intelligence and vulnerability information with our members and partners, and that’s not going to change. That is our lane. We’re not into regulation or policy development. We want to help companies communicate threats that have been anonymized, with best practices and mitigation strategies. We want to help companies protect themselves and each other.
Ben Lane:
You don’t see an impact in terms of some of your roles, some of your objectives in this new administration? What you’re saying, I think, is that your objectives and roles will remain firmly the same; to remain a vital information sharing hub and to continue to do your good work.
Angela Haun:
Absolutely.
Ben Lane:
How do you as an ISAC gather intelligence information to analyze? And how do you identify what information is worth sharing and how do you then share it?
Angela Haun:
Great questions. The ONE-ISAC has a Threat Intelligence Center, our TIC. Our TIC is managed by our Director of Threat Intel, Mary Fernandez, and is staffed by our two cyber threat analysts, Hunter Hedapole and Sadie-Anne Jones.
They are the key players in reviewing what’s coming across the radar from government agencies, from our vendor partners, from fusion centers. We have lots of pools of information. Our secret sauce is member submissions. When our members tell us what they’re seeing in their environment and what they’re doing about it, our analysts can run with that information, and they conduct more research. They find out what we can do about threat actors and inherent vulnerabilities.
We tap into those subject matter experts and thought leaders that are doing research on cyber threats and vulnerabilities, and we try to make it specific to oil and gas (and now renewables and alternative fuels) so our member companies know when it comes across their radar because we are pushing it out via our threat intel platform and emails. Importantly they know that it has been vetted and curated for them.
Many of our member companies have small- to mid-size security teams, and they really need help in narrowing information down to what is actionable, what is relevant, what is timely. And those are key, important factors to the information we want to share with our members.
And again, we have lots of sources for that, but our members and partners are key in getting that necessary information into the hands of those who can action it and who can protect their networks and systems. Sometimes it’s a bit like a neighborhood watch where if one member company is seeing something and they submit that, we anonymize it and get it out for the good of the whole, then others will know what to be on the lookout for.
It’s very much a give and take. We need to know if an issue is isolated, if it’s targeted, if it’s spreading across the sector or across other critical infrastructure sectors. Getting that knowledge and putting those pieces of the puzzle together are important.
Ben Lane:
Yes, and a complex job, because as you say, you’re vetting and curating information, and you’re expecting and you’re wanting people to trust it, and they need to trust it.
Is there a trend in threats and frequency? And what type of threat are you seeing? I know you can’t be too specific obviously, but if you can give an overview, a generalization, of what you’re seeing, that would be very interesting.
Angela Haun:
Right now, we’re seeing an increase in Microsoft Teams vishing, and that’s voicemail phishing. Since November of 2024, the level of reported attacks has gone up.
We continue to see the sophisticated phishing kits designated to steal O365 credentials. The business email compromise continues to be a problem, frequent use of third-party accounts that get compromised to then spam other companies and change banking information or routing instructions for deliveries of hard goods. The attackers are increasingly deploying two-stage phishing link attacks. While the phishing email contains the link to a legitimate file hosting share service, the connecting second link can be sending that victim to an attacker-controlled phishing page.
We are also noting that attackers commonly hide their phishing infrastructure behind a Cloudflare CAPTCHA to evade detection. So that’s where you must prove you’re not a robot, right.
Those are some of the issues of what we’re seeing. Those aren’t necessarily energy-specific, but we make sure that we get as much information as we can and get it out into the hands of our folks that are managing their environments and facilities and assets so that they know what they need to do to help protect themselves.
Ben Lane:
We work with several ISACs. Last year we worked with the Communications ISAC and the Electricity ISAC, and this year we’re working with you guys and with Auto-ISAC. So how do you work with the other ISACs? What’s are the collaboration functions between the ISACs?
Angela Haun:
That’s a good question. The ONE-ISAC participates in the National Council of ISACs. We have monthly meetings where we get briefings from government agencies, and then we share amongst ourselves, and we also have separate calls for our analysts to engage each other, build these relationships so that when something happens, we know who to call, they know who to call, and that we’re all in this together.
We meet a few times a year in person. I’ve been able to develop good relationships with my counterparts, and that gives our analysts an opportunity to connect with each other too.
In addition to that, the ONE-ISAC has a strategic partnership program where we have formal arrangements with other ISACs that help us share resources, share intelligence, support each other in the mission, and continue to develop those relationships. We are very close with the Electricity ISAC because we have a lot of common stakeholders and common interests, as well as the Downstream Natural Gas ISAC. We communicate with them regularly, because when someone gets hit, we’re probably all getting hit, so that’s how we structure our relationships with them.
Ben Lane:
This is the cascading effect we talk about. You must be linked up together to understand what needs to be done when one part of the puzzle goes down.
Finally, what keeps you awake at night?
Angela Haun:
Oh, that’s a great one. I ask subject matter experts the same thing, especially our CISO community. For me, with my background, I think the thing that keeps me up at night is destructive malware and complex, multi-pronged attacks on infrastructure that could cause great harm and damage, including potential safety hazards and loss of life. This is where they can be sophisticated by distracting your attention over here while something even worse is going on over there.
Ben Lane:
Thank you so much for your time. We look forward to CIPRNA next week and meeting and hearing Octavio speak.
We hope to stay in touch for our 8th edition of CIPRNA in Baton Rouge in 2026 where we would like to develop our relationship.
But for now, thank you, and thanks for your time.
Angela Haun:
Thank you.