Security Awareness Blog

ES-ISAC Changes Require Plan Updates

Ted GutierrezGuest Editor: This guest post is by the ever wise Ted Gutierrez who is the ICS & NERC CIP Product Manager at the SANS Institute and co-author of SANS ICS456 - Essentials for NERC CIP

Did you hear about the NERC registered entity that got a PV for failing to update the Cyber Security Incident response plan within thirty calendar days of a change? How about the registered entity that got a PV because they didn't notify the ES-ISAC of a Reportable Cyber Security Incident? Well if you don't act soon that could be you!

Whether still operating under CIP-008-3 or under a transition to CIP-008-5, registered entities are required to notify the ES-ISAC of Cyber Security Incidents within one-hour of a reportable event and to update Cyber Security Incident response plan(s) after any changes. But there are some changes you need to be aware of and possibly some updates to your documented plans.

Last September the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) rebranded itself as the Electricity Information Sharing and Analysis Center (E-ISAC) even though currently enforceable versions of CIP-008 and CIP-014 still reference the ES-ISAC. But NERC was pretty quick to provide guidance that the name change did not alter compliance obligations. So don't even think about using that excuse with your auditor when you fail to report!

Not updating your response plan to reflect the new name is probably not going to get you a PV, but a more recent change might. As part of their continued rebranding effort, the E-ISAC last week announced an email domain change from nerc.net to eisac.com. It isn't clear if or for how long email addresses using the old domain will continue to work but if your response plans call for reporting to eisac@nerc.com you should update to instead report to operations@eisac.com. To ensure continued communications with individual E-ISAC team members, you'll also want to update your contacts to use the eisac.com domain.

Information sharing through voluntary and regulatory-required reporting to the E-ISAC really is critical to the subsector's ability to prepare for and respond to threats. So be sure to update your plans soon to ensure you can report in a timely manner if needed.

Bio: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute and co-author of SANS ICS456 - Essentials for NERC CIP. Ted was most recently the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. He has over twenty-five years of experience working in the electric utility, information technology, and manufacturing industries.