What is an ISAC or ISAO? How these cyber threat information sharing organizations improve security

ISAC and ISAO definition

[Editor’s note: This article, originally published on July 3, 2019, has been updated with a directory of ISACs and ISAOs.]

An Information Sharing and Analysis Center (ISAC) is an industry-specific organization that gathers and shares information on cyber threats to critical infrastructure. ISACs also facilitate the sharing of data between public and private sector groups.

ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. Besides being sector specific, most ISACs are comprised of large companies with a different set of priorities and challenges than a vast majority of smaller organizations and entities, according to Michael Echols, CEO of the International Association of Certified ISAO’s (IACI) at the Kennedy Space Center.

Many ISACs are well resourced, come with membership fees and have infrastructure and full-fledged security operations centers for monitoring threats on a global scale. The National Council of ISACs currently lists 21 member ISACs including those for the financial, automotive, energy, aviation, communication and defense industrial base sectors.

Information Sharing and Analysis Organizations (ISAOs) are the result of a White House directive to promote voluntary cyber threat information sharing within industry sectors. In February 2015, President Obama signed an executive order directing the U.S. Department of Homeland Security (DHS) to encourage development of ISAOs for private companies, non-profits, government departments, and state, regional and local agencies.

The executive order established limited liability protections for organizations that voluntarily share threat intelligence with each other and the government via these venues. In October 2015, the University of Texas at San Antonio (UTSA) was tasked with identifying a set of standards and guidelines for creating and operating ISAOs under a grant.

Since the directive was signed, several organizations in multiple sectors have voluntarily created ISAOs for sharing information and best practices on cyber threats and mitigation. However, the broad and pervasive information sharing among organizations of all sizes and across all sectors that was originally envisioned has not quite happened yet for multiple reasons.

Why ISAOs are needed

The goal in promoting ISAOs was to make it easier for all organizations to share threat information and not just those belonging to ISACs, says Echols, who at the time was director of the Cyber Joint Program Management Office at the DHS and led the implementation of the executive order.

The evolution of IACS has been somewhat exclusionary, Echols says. “There were a lot of large organizations that participated in information sharing and who had access to government while many other companies didn’t even know these practices existed,” he says. “The idea behind ISAOs was to promote and allow any group of companies or organizations or entities to work together to share information.”

Security experts have long noted that threat info sharing can enable better situational awareness and help organizations across sectors identify common threats and ways to deal with them more far more quickly. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value,” to their efforts, Echols says.

In the more than four years since the ISAO executive order was signed, some progress has been made towards broader information sharing among private companies. Several ISAOs have been established and are currently engaged in relatively robust information sharing activities akin to what is going on within ISACs, Echols says. Some examples of the more active groups include the Metal and Mining and Maritime and Port Security ISAOs, he says.

The ISAO Standards Organizations at UTSA, in collaboration with existing ISACs, critical infrastructure organizations, agencies and public and private stakeholders, has identified voluntary standards and guidelines for standing up and operating ISAOs. This includes examples of contractual agreements, business processes, technical specifications and operating procedures that any organization can use to establish an ISAO. The IACI offers what it calls ISAO in a Box that offers organization step-by-step guidance on planning, building and operating an IASO.

Some ISAOs see big wins

Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO) says information sharing of the type enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle,” she says.

The MPS-ISAO itself was founded in 2016 and its cybersecurity intelligence and information sharing service launched in the summer of 2017. Members of the ISAO include ports, vessel operators, and rail operators along with organizations that provide services and products to the maritime industry. 

In the two years the ISAO has been operating, the focus has been on providing what Coffey describes as actionable intelligence and identification of malicious groups targeting ports and maritime activity. Information being shared in the group includes every thing from rogue email and IP addresses to best practices and equipment vulnerabilities.

“We’ve had some incredible wins which are the result of customer information sharing, backed by quality analytics,” Coffey says. Some recent examples include identifying ransomware in a shared email and notifying others in the ISAO within minutes and developing a blocklist from customer-shared IPs that reduced unauthorized login attempts by over 99%. “Without information sharing there would be no insight,” she says.

Activity levels among ISAOs varies

The ISAO Standards Organization currently lists more than 70 groups that it describes as being engaged in some level of information sharing activity. The list includes both sector-specific ISACs and the newer ISAOs that might be based on faith, geography or roles such as corporate directors and officers.

Greg White, executive director of the standards organization at UTSA, says the level of activity among these groups tends to vary. “Some of them are very capable and others that are minimally functioning in an information sharing capacity,” he says. “What an ISAO does depends on its membership and what its purpose is.”

The liability protections available to members of ISAOs has gone a long way in helping private companies get over concerns about sharing information with others, White says. Some ISAOs share little more than email lists while at the other end of the spectrum there are some ISAOs that handle such sensitive information that have so-called traffic light protocols in place for ensuring the information is handled appropriately. “Information sharing is not sector specific anymore. Every city and community in the nation should have an ISAO,” he notes.

Lack of trust, funding limit growth of ISAOs

Getting there could take a while. Many organizations that have tried to launch an ISAO have run into issues over how to fund it, how to continuously show value to executives, and knowing who to trust, Echols says. For organizations to engage in true information sharing, there needs to be a high degree of trust among them. They need to know that any threat information they share in an ISAO will be handled appropriately. That kind of trust can be hard to obtain when setting up a new ISAO.

When you start bringing together tens and hundreds of organizations where the people don’t know each other, the information sharing organization has to act as that trusted broker, says Jonathan Couch, senior vice president of strategy at ThreatQuotient. “They have to protect the anonymity of each organization that is sharing information and they should be providing the filter by which the information being shared is specific and relevant to the industry sector.”

The government has to play a leadership role in fostering trust among private companies, Echols notes. It could be something as simple as setting basic security requirements for vetting entities that want to join an ISAO or through requiring official registration of an ISAO body, he says

Another issue is a lack of awareness of ISAOs and the value they can bring in terms of improved cybersecurity. “We spend a lot of time educating a lot of companies and organizations,” Echols notes. The government itself has done little to promote ISAOs at a national, state or regional level. The elimination of a cyber coordinator role within the White House has exacerbated the problem, he says. Most organizations have never heard of an ISAO. They seldom have even heard of an ISAC, he says. 

“If development of ISAOs doesn’t happen now, at some point it is going to have to happen,” he says. “All we are doing for the moment is wasting time.”

Industry-specific ISACs and ISAOs

Below is a listing of some of the industry-focused ISACs and ISAOs, many of which serve an international member base:

Automotive

Automotive ISAC: Founded in 2014, the Auto ISAC community shares and analyzes intelligence about emerging vehicle cybersecurity risks to enhance vehicle cybersecurity capabilities across the global automotive industry.  

Aviation

Aviation ISAC: The Aviation ISAC is an international threat-sharing organization to help the industry prepare for cyber threats, vulnerabilities and incidents.

Critical Infrastructure

WaterISAC: This organization, founded in 2002, serves the U.S. water and wastewater sector as a threat sharing security information source.

Defense

National Defense ISAC: ND-ISAC provides defense industry entities and suppliers with information and services to best use security data, tools and best practices.

Education

K12 Six: This organization is a threat intelligence and best practices sharing community for members of the U.S. K-12 education community committed to preventing and responding to cyber threats.

Research & Education Networks ISAC: REN-ISAC serves over 700 member institutions within the higher education and research community by promoting cybersecurity operational protections and response.

Energy

Electricity ISAC: E-ISAC serves the North American electricity industry with information sharing and analysis of physical security and cybersecurity risks.

Energy Analytic Security Exchange: EASE is a physical security and cybersecurity threat intelligence sharing community to help defend the energy sector’s networks, facilities, staff and reputation.

Oil and Natural Gas ISAC: ONG-ISAC, founded in 2014, provides shared intelligence on cyber incidents, threats, vulnerabilities, and best practices within the industry.

Financial services

Financial Services ISAC: FS-ISAC is a global intelligence sharing community that offers members an intelligence platform, resiliency resources, and a network of experts.

National Credit Union ISAO: NCU-ISAO assists members with information sharing, threat intelligence, operational guidance, and workforce education.

Healthcare

Health ISAC: H-ISAC is a global organization for healthcare stakeholders to coordinate, collaborate and share physical and cyber threat intelligence and best practices.

Medical Device ISAO: MedISAO helps members of the medical device community to improve the security of medical devices through education, awareness and advocacy. ​

Legal

Legal Services ISAO: Founded in 2015, LS-ISAO shares actionable cyberthreat and systems vulnerability information among law firms to prevent and respond to incidents, secure IP, and protect client data.

Public sector

Public Safety Threat Alliance: Founded by Motorola Solutions, the PSTA ISAO is a hub for the global public safety community to collaborate and share threat intelligence and other information.

Real Estate

Real Estate ISAC: RE-ISAC, managed by the Real Estate Roundtable, is a sector-specific conduit for sharing information about potential physical and cybersecurity threats and vulnerabilities to help protect commercial facilities and the people who use them. 

Retail and Hospitality

NRF Cyber Risk Exchange: Operated by the National Retail Foundation, the NRF Cyber Risk Exchange is an ISAO dedicated to sharing cybersecurity information within the retail industry.

Retail & Hospitality ISAC: RH-ISAC delivers strategic and tactical information-sharing channels, routine threat briefings, an annual conference, and workshops and webinars.

Sports

Sports ISAO: This organization, a Cyber Resilience Institute program, provides a secure, vetted forum for members in the sports community to discuss cybersecurity matters.

Technology

CompTIA ISAO: For members of the Computing Technology Industry Association, this ISAO helps tailor threat intelligence and actionable analysis for technology vendors, managed services providers (MSPs), solution providers, integrators, distributors, business technology consultants, and their customers.

Information Technology ISAC: IT ISAC, founded in 2000, enables collaboration and sharing of relevant, actionable cyber threat information, effective security policies, and practices for the benefit of the IT sector.

Transportation

Maritime and Port Security ISAO: Founded in 2016, MPS-ISAO serves global maritime transportation critical infrastructure with cybersecurity resources, tools and technologies, and sector-specific operational guidance and workforce education.

Public Transportation, Over the Road Bus, and Surface Transportation ISACs: PT-ISAC, OTRB-ISAC, and ST-ISAC share a website that serves as a clearinghouses for information on threats, vulnerabilities, and solutions to physical and cyber infrastructure security.