E-ISAC 2023 report highlights cybersecurity triumphs and challenges in electricity sector

The Electricity Information Sharing and Analysis Center (E-ISAC) unveiled its 2023 End-of-Year Report alongside its 2023 Year-in-Review video on Tuesday, reflecting a positive response from the ERO (Electric Reliability Organization) to a challenging year. The report highlighted that the electricity sector faced an unparalleled array of sophisticated cyber threats and vulnerabilities in 2023, including malware, ransomware, supply chain exploits, and various other threats.

The E-ISAC report also details its achievements amidst a complex landscape of cyber and physical threats. It offers an overview of significant activities, and improvements in information sharing between E-ISAC’s government partners in the U.S. and Canada, and its members, and provides insights into the organization’s plans for 2024.

“Cybersecurity Risk Information Sharing Program (CRISP) data and threat hunts identified malicious traffic and monitored extremist chatter threatening electricity assets, and we prioritized the most critical threats to deliver timely, relevant analysis,” Manny Cancel, CEO of E-ISAC and senior vice president at North American Electric Reliability Corporation (NERC), wrote in the report. “E-ISAC products kept members current on physical security threats, while Vulnerability of Integrated Security Analysis (VISA) workshops and other programs equipped industry with security best practices.”

Cancel added that new programs addressing real-world events were introduced. “The debut of the Physical Security Regional Workshop series in Charlotte, North Carolina, brought together more than 100 industry and government attendees; more security workshops will follow in 2024. We focused on gathering feedback, building a community of trust, and growing our people-first culture.”

The E-ISAC, managed by NERC, functions independently from NERC’s enforcement activities. It collects, analyzes, and disseminates information on cyber and physical threats, including alerts, warnings, advisories, notices, and vulnerability assessments, based on contributions from its members. The E-ISAC provides a secure, electronic platform for participants to exchange information on threats to critical infrastructure. Additionally, it oversees incident management, shares mitigation strategies with stakeholders across various sectors, and acts as a central hub for coordination and communication among its members.

According to the report, the E-ISAC equipped the industry with 24/7 information and analysis to keep the infrastructure secure from physical and cyber security threats. “The global geopolitical situation grew even more complex, with increased implications for the North American power grid. The E-ISAC assessed the People’s Republic of China (PRC) as a top cyberespionage adversary. China threat actors demonstrated increasing sophistication and adaptive techniques. State-sponsored cyber threat actor Volt Typhoon drew notable concern because it specifically targeted U.S. infrastructure,” it added.

The report noted that the E-ISAC documented 37 China-related cyber events during the year.

The E-ISAC’s security response approach focused on threat monitoring and rapid communication of information. E-ISAC Watch provided 24/7 monitoring of the dark web, criminal forums, and industry internet-facing connections, identifying potential ransomware threats, third-party compromises, and unintentionally exposed, unsecured infrastructure. All-Points Bulletins offered immediate updates, while analysis of events such as continued Russian espionage activity and the Israel-Hamas conflict, and their potential ramifications for grid security, provided context.

Furthermore, members and partners had access to advanced information and trend analysis through the E-ISAC’s intelligence expertise and reach across the industry. The E-ISAC’s role in the Energy Threat Analysis Center (ETAC), a Department of Energy (DOE)-led program, affords access to advanced intelligence about emerging threats.

The report also focused on protecting physical infrastructure from a wide range of threats, which continued to be a top priority in 2023. “Threat levels stayed elevated throughout the year with more than 2,800 physical security incidents shared with the E-ISAC, including ballistic damage, theft, and vandalism. Of that number, approximately 3% resulted in varying levels of impact to the electricity grid,” it added.

Disclosing that cyber vulnerabilities more than doubled from 2019 to 2023, with a 24 percent increase in critical vulnerabilities over the same period, the report listed five key cyber events. These include the MOVEit Transfer vulnerability, which was exploited to steal sensitive data, and the Microsoft Outlook privilege escalation, a zero-click vulnerability requiring no user interaction that enabled a Russia-based actor to conduct reconnaissance on government, energy, and transportation organizations in Europe.

The E-ISAC report also identified the exploitation of Citrix Bleed, which allows attackers to bypass authentication and presents high severity because of the product’s widespread use. It also included the HTTP/2 ‘Rapid Reset’ zero-day vulnerability, which enabled distributed denial of service (DDoS) attacks on a scale never seen before, and the Maximo Asset Management vulnerability, which increases risk because the product is used across the electricity industry; exploitation could cause business disruption.

Data in the report disclosed that 2023 cyber shares from member and partner organizations totaled 968: 240 reported as vulnerabilities, 254 as phishing, 123 as third-party ransomware, 110 as DDoS, and 241 as other.

New technological advances such as artificial intelligence can spur positive innovation, but they also carry the potential for large-scale risk. The E-ISAC will leverage CRISP, the Cyber Security Advisory Group of subject matter experts, and threat hunts to prepare members for future threats.

The E-ISAC worked with over 300 U.S. and Canadian government agencies, private sector organizations, trade associations, and the ERO Enterprise to help industry collectively reduce risk. It also rolled out a new vulnerability severity rating system for prioritizing the urgency of Cyber Threat Intel Reports, Cyber Threat Hunt Reports, and other related posts. The E-ISAC also introduced technology such as a new Threat Intelligence Platform (TIP) and updated real-time automated sharing feeds so information is sent in a more timely, efficient manner.

This year, the E-ISAC’s strategic priority focus areas aim to provide curated security information: members and partners will receive actionable security intelligence and risk mitigation measures through the Portal, workshops, automated information sharing, briefings, and seminars. It will also conduct advanced intelligence gathering, in which threat hunts identify malicious technology on IT and OT platforms and the findings are communicated to members and partners. The E-ISAC aims to enhance the CRISP initiative by broadening participation, modernizing technology, and planning its next-generation development.

It will also expand the collection and use of member feedback, which is expected to lead to improved products and services and a better user experience on the Portal. It will also seek to grow E-ISAC membership by focusing on NERC-registered entities, natural gas companies, and renewable energy providers, as well as by growing the Vendor Affiliate Program.

Finally, the E-ISAC will give priority to implementing recommendations from the GridEx exercise. After the publication of the GridEx VII Lessons Learned report, participants from the tabletop exercise will gather to review and validate the recommendations. GridEx VIII planning will also begin.
