It's a huge responsibility to try to ensure cyber security for an organization, regardless of its size. Few companies would say they have the full complement of resources they would like to have in order to properly protect themselves from cyber threats. On the belief that there is strength in numbers, many organizations are joining an industry-specific Industry Sharing and Analysis Center (ISAC) to confidentially share threat and mitigation information with their peers within their own industry.
According to The National Council of ISACs, "ISACs are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors, and with government. ISACs take an all-hazards approach and have strong reach into their respective sectors, with many reaching over 90 percent penetration. Services provided by ISACs include risk mitigation, incident response, alert and information sharing. The goal is to provide users with accurate, actionable, and relevant information."
The National Council explains that member benefits vary across the ISACs and can include: access to a 24/7 security operations center, briefings, white papers, threat calls, conferences, webinars, and anonymous CIKR Owner/Operator reporting.
I recently spoke to the CISO of a regional bank who said that the Financial Services ISAC (FS-ISAC) was invaluable to her during the 2012-2013 series of DDoS attacks on banks. The member financial institutions – business rivals on a day-to-day basis – were willing to share confidential information with each other about the ongoing attacks and other threats in order to preserve the integrity of the country's collective financial system. The FS-ISAC viewed an attack on one bank as a potential threat to all banks, and it was better for the members to pool resources and help each other rather than struggle with the security issues alone.
The U.S. federal government is a significant resource contributor to most of these ISACs. For example, the U.S. Treasury Department recently announced the formation of the Financial Sector Cyber Intelligence Group, which will provide data to the FS-ISAC for information sharing. The Department of Homeland Security is behind the coordination of the Communications ISAC, and so on through the industries.
Have you joined your industry ISAC yet? If not, what are you waiting for? There are numerous ISACs catering to the specific needs of various industries, especially those that are considered critical infrastructure such as defense, financial services, energy and public utilities.
The National Council of ISACs lists its member groups as:
- Defense Industrial Base ISAC
- Emergency Management and Response ISAC (EMR-ISAC)
- Electricity Sector ISAC (ES-ISAC)
- Financial Services ISAC (FS-ISAC)
- Information Technology ISAC (IT-ISAC)
- Maritime ISAC (Maritime Security Council)
- Multi-State ISAC (MS-ISAC)
- National Coordinating Center for Communications (Communications ISAC)
- National Health ISAC (NH-ISAC)
- Nuclear Energy Institute (NEI)
- Oil & Natural Gas ISAC (ONG-ISAC)
- Public Transit ISAC (PT-ISAC)
- Real Estate ISAC (RE-ISAC)
- Research and Education Networking ISAC (REN-ISAC)
- Supply Chain ISAC (SC-ISAC)
- Surface Transportation ISAC (ST-ISAC)
- Water ISAC
Other established ISACs include: