Is the highest priority physical threats to energy infrastructure or is your mission specifically based on the cyber danger?

Bromberger: Our members come primarily from the cyber security and risk areas within their organizations, but we do discuss physical threats, especially in the context of blended cyber/kinetic attacks.
What are some common security best practices that have been developed through everyone's collaboration in the organization?

Bromberger: Three recent examples should serve to highlight the benefits of exchanging information within our organization. The Industrial Control Systems Joint Working Group (ICSJWG) is a public/private consortium of security professionals from several sectors - manufacturing, IT, chemical, energy, and electricity among others - who are trying to determine the best way to secure current and next-generation control systems for these sectors. The private part of the ICSJWG is being managed by the North American Electric Reliability Corporation (NERC). Our secure information sharing portal is being used by the ICSJWG to coordinate and exchange information within and among the several subgroups. Since several EnergySec members are also volunteering on ICSJWG subgroups, it's a very good partnership opportunity.
Second, a couple of years ago NERC decided that it would be a great idea to leverage industry expertise when evaluating new threat and vulnerability alerts prior to formal dissemination to their constituents. Their Hydra program is designed to muster technical expertise on a moment's notice to provide rapid technical evaluation of these new threats and vulnerabilities. EnergySec saw an opportunity to help, and now hosts an information sharing portal for Hydra as well as provides over 115 volunteers to the effort.
Finally, one of our members recently developed a framework for information security within the utility sector that represents a best-in-class approach to defining and organizing the capabilities necessary to provide infosec services in critical infrastructure. Rather than keeping this knowledge to himself, he decided to share it with his colleagues on the EnergySec portal. The resulting feedback and interaction have provided benefits to everyone involved. This is the essence of what we're trying to accomplish.