CRISP (Cyber Security Risk Information Sharing Program) is a US Department of Energy (DoE) program with two related efforts underway to meet the goals.
There can be cases where the Market, in this case energy companies, are not sufficient to support a product or service. The Market may be interested in trying out the new offering, but not at the price required to sustain the business. The government or other entity can step in and subsidize some or part of the product or service. The subsidy should be short term, perhaps 1 to 3 years. If the market does not perceive the value or the cost does not come down, the offering is not sustainable.
The DoE Office of Electricity Delivery and Energy Reliability (OE) is funding Norse Corporation to provide a threat information feed based on their Internet sensors to CRISP participants. It will be integrated in some way with FireEye hardware. The subsidy is $1.9M over two years.
DoE writes “This unique package and specialized low pricing represent a highly compelling enhancement to CRISP cyber security and the protection of energy related critical infrastructure.” The concept is the energy sector will see the value of this data and pay full price for it after two years.
This isn’t strictly a market failure issue because the offering exists and energy companies can buy it without DoE help. However it’s a small expenditure for the US Government, and it does not get them into the threat intelligence business. It’s low risk and allows participants and DoE to see if this information has value.
The more troubling aspect is the NERC/ES-ISAC/PNNL effort that forms the main part of CRISP. This could be a 3000-word post on its own, but here is the shorter, bulleted list of the major problems:
- Pacific Northwest National Laboratory (PNNL) is performing the analysis of the collected data at $7.5M for one year. Why is PNNL competing with industry? A proven, competitive and growing industry that is more talented and experienced than PNNL in this area. The $7.5M is for sensors at 28 companies, $267K per company for an Internet sensor plus about another $33K per company paid to NERC.
- There is an indisputable conflict of interest with NERC, the ERO/regulator, pushing an overpriced “security service” to the companies it regulates and can fine for not meeting the CIP regulations. They can talk about chinese walls and other separation, but this exacerbates the existing conflict of interest with the NERC as the regulator and ES-ISAC.
- Moving forward NERC is considering staffing up the ES-ISAC to take over the PNNL role. So NERC is going to build a threat intelligence analysis company; it goes from bad to worse.
- Finally, these sensors are not collecting data from an ICS. “The CRISP ISD is a network device which uses commercial off the shelf hardware. It’s placed at the transmitting site’s (e.g. utility) network border, just outside the corporate firewall.” The case that PNNL or some other organizations energy expertise is critical might be persuasive if this was an ICS security perimeter or interior being monitored, but the lack of relative experience and data feeds by NERC/PNNL will put this offering at a major quality disadvantage to commercial competitors. This is not even considering the pricing disparity.
NERC envisioned complaints about competition with commercial offerings and provided the following:
CRISP has two differentiators from other commercially available cyber risk monitoring services. The first is the intent and ability to integrate other cyber related threat information provided through governmental sources with the cyber threat information gathered from the ISDs installed at the participant’s sites. Second is the ability of the program to look across organizations within the electricity subsector, identifying correlation and trends.
CRISP, like Cyberstorm, LOGIIC and many others, will undoubtedly be called a success. You can write the press release before the event or project is finished. The criteria for success is the various organizations come together to participate in the project for event.
You can visualize the press release and presentations already. A list of 28 utility companies, DoE, raw monitored traffic numbers, events, bulletins written and a couple of quotes from senior executives. The Norse Corporation portion of CRISP will be easy to evaluate. Do energy sector companies purchase this service from Norse or their competitors when the subsidy ends?
The criteria for success of the NERC/PNNL effort is more difficult. A larger program is as likely to be due to marketing pressure than any value of the information. It’s the C-level / Director question … are we part of this CRISP security thing? If it is too late to stop, NERC should be working on and announcing in early 2015 plans to spin CRISP, and I would argue ES-ISAC, off to a commercial entity. Then the market would determine if CRISP is a success.
Image by arbyreed