[00:00:03:15–00:00:33:16]
Navroop Mitter:
Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, armortext.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.

[00:00:33:18–00:00:49:03]
Matt Calligan:
Hey folks, welcome to The Lock & Key Lounge podcast. I’m Matt Calligan, your host for today, and I’m delighted to welcome a good friend, Matt Duncan, to our program. Matt, welcome to the show, amigo.

Matt Duncan:
Happy to be here, Matt. What a great name, by the way.

[00:00:49:05–00:01:34:12]
Matt Calligan:
I love—you know what? Yeah, it is the best. And it keeps things simple. I’ll never forget it. For folks listening, Matt Duncan is the Vice President of Security Operations and Intelligence—‘cause he’s a smart guy—at the E-ISAC, Electricity Information Sharing and Analysis Center, where he leads efforts to assess and mitigate both cyber and physical security threats for the North American electricity grid.

With 17 years of national security experience, Matt’s career has spanned the Department of Energy, the Pentagon, and even the—I’m going to trip over this—Helmand Provincial Reconstruction Team in Afghanistan. I think that was the story you were telling me the other day.

Matt Duncan:
Yeah, it was, and you got it right.

[00:01:34:16–00:04:12:02]
Matt Calligan:
I didn’t trip over it. It scared me when I saw it first. I was like, oh, I’m going to screw this up. At the E-ISAC, he oversees programs like the Cyber Security Risk Information Sharing Program, known as CRISP, and works closely with industry and government to support operational decision-making with actionable threat intelligence. He also holds certifications in Cyber Threat Intelligence and Critical Infrastructure Protection, degrees from Saint Joseph’s University and Syracuse Maxwell School, and he was a Fulbright English Teaching Assistant in Germany.

But in his own words, he’s here to help the guardians of the grid keep the lights on and just get stuff done. So, Matt, the topic for today—we’re going to be focusing on threat intelligence sharing. It is a critical pillar, really. I mean, it is an essential component for any cybersecurity professional. Yet, one of the things that is quite clear—if you ever wade into this topic or even get into it at all as a user—all programs are not equally effective.

The E-ISAC has distinguished itself, and this isn’t—this is my personal opinion, but also, I know the opinion of many folks in this industry—has distinguished itself as one of the most successful models for these threat sharing communities, and as well as being able to provide timely, actionable intelligence to participants through various initiatives, right, including CRISP.

So today, for folks listening, we’re sitting with Matt Duncan to discuss why the E-ISAC’s approach to intelligence sharing has been so effective. We’re going to explore a couple things, like the role of trust in this, the trust in the people in platforms, and the use of that shared intelligence. We’ll also dive into what makes a threat intelligence network thrive and what improvements E-ISAC even hopes to make on this success in the future.

So let’s jump to—so I guess, Matt, the first question here. For listeners who may not—probably should start here, actually—‘cause I remember it was funny. I was looking at your LinkedIn before we got on, and I was reminded of the fact that you and I both started in our current trajectories of careers at the same time, right about—you joined the E-ISAC just a couple of months after I started with ArmorText. And we were talking—everybody was talking inside ArmorText about the E-ISAC, and all these ISACs are great. And I was like, what the hell is an ISAC?

So, for listeners who may not be familiar with the E-ISAC, give us an overview of what it does and how it supports the electricity subsector.

[00:04:12:04–00:05:21:11]
Matt Duncan:
Thanks, Matt. And you’re right, we are probably one of the more important pillars of critical infrastructure protection that you have never heard of. If you’re at the financial services, the water, transportation, telecommunications, or electricity, ISACs—Information Sharing and Analysis Centers—are essentially private sector intelligence groups that facilitate sharing within their verticals, within their critical infrastructure sector, because over 85% of the critical infrastructure in the US and Canada is actually privately owned.

And so, while government plays an important role, the private sector needs its own intelligence collection organizations to facilitate that sharing. We are neither government nor true private sector. We are a not-for-profit corporation, and we are funded by electricity bills from the US and Canada.

Matt Calligan:
That’s right. So, pay your electric bills, everybody.

Matt Duncan:
It’s the best 25 cents you’ll spend on an annual basis.

[00:05:21:13–00:06:32:04]
Matt Calligan:
Absolutely. Well, and—threat intelligence sharing has gained a lot of traction. It’s widely used by vendors and by government and people all over the place. But I always think it’s important for how you, as an organization—right, that’s the E-ISAC’s job—is that thing—is to share this intelligence and nothing else. So, how would you, as an organization, define threat intelligence sharing? And why does it matter to an average cybersecurity professional?

Matt Duncan:
Well, it matters to a cybersecurity professional, a physical security professional—

Matt Calligan:
True.

Matt Duncan:
—or anybody that is running a business. I think it actually applies to business intelligence as well, because in order to make good decisions, inform your risk posture, and, in our case, keep the lights on, you need to be able to collect, process, and analyze data to understand your adversaries’ or competitors’ motives, targets, and attack methods.

Matt Calligan:
Yeah.

Matt Duncan:
And for a big sector like electricity, you need to do that at the tactical level, at the operational level, and even the strategic level.

[00:06:32:05–00:08:21:12]
Matt Calligan:
Yeah. Well, and it’s been a while—it’s been around for a while—the concept. I would—from my perspective and a lot of the folks who I interact with—the E-ISAC has played a critical role in influencing how threat intelligence is actually shared, how people go about the collective defense approach, and how it’s actually even practiced.

Well, I guess more—maybe phrase that as a question, right. How would you, from your perspective—that’s my opinion, obviously—but how would you, from your role inside the E-ISAC, how would you say that the E-ISAC has influenced that and in what ways? ‘Cause I know clearly it does. But what are some ways that you would—you can think of examples or things like that—where you all have influenced the way people share collective intelligence and things like that.

Matt Duncan:
Well, I appreciate the kind words, and really, it’s not just me or really the E-ISAC. It’s the entire electricity industry and the critical infrastructure community because, ultimately, cybersecurity, physical security is a team sport.

Matt Calligan:
Right.

Matt Duncan:
And without our members sharing voluntary information to the E-ISAC to spot threats from nation-state actors, criminals, or even hacktivists and activists, we wouldn’t be able to do our job very well.

And because we have established trust among those entities in electricity, but all the 16 critical infrastructure sectors, we’re able to get that information, contextualize it, and then get it back out in a digestible format. So utilities and critical infrastructure operators can take action and protect themselves. And we also work with vendors and the government.

Matt Calligan:
Yeah.

Matt Duncan:
So we’re really an all-source intelligence shop.

[00:08:21:14–00:09:59:22]
Matt Calligan:
Yeah, absolutely. Well, the thing that I think really does distinguish this, though, for you all—from seeing you all build this, especially over the past seven years—making a thriving threat sharing community or creating a threat sharing community that would be considered to be thriving actually isn’t easy. Our technology underpins a lot of these communities.

And so we have folks approach us and say, hey, we want to do this collective defense thing. We want to start a new community. And I can tell you, too many organizations think that all they need to do is just announce that it’s—that it exists—and that threat sharing is going to happen. It reminds me of Michael Scott when he declared bankruptcy in The Office sitcom. It’s like people just think they can just say, “We declare a threat sharing,” and it happens, right?

And as someone who is on the other side of this and building it in and has done the work—not just you, clearly, but the team and the organization—but you being part of this, you’ve put this effort in. What are some barriers, as you mentioned some of these other industries that also participate in stuff like that, but there are certainly some that are even now trying to stand up their own threat sharing communities? From your perspective, being on the other side of this, what are some barriers to watch out for or things that—rocks to avoid, so to speak—when trying to share threat intelligence? And even maybe touch on what made CRISP and other programs successful despite those challenges.

[00:10:00:02–00:12:00:10]
Matt Duncan:
You know, Matt, when you made the Michael Scott declaration, I couldn’t help but smirk like Jim to the camera when you said it. And that’s because information sharing, threat intelligence sharing—while it is really important and impactful, and people want to do it—it’s also really hard to get started and maintain.

Matt Calligan:
Yeah.

Matt Duncan:
The E-ISAC, like all ISACs or threat sharing centers or alliances or communities, we’ve had our ups and downs over the years, and we learned a lot of important lessons from that. And many other threat communities, groups, centers, alliances that try to get started ultimately fail because they can’t establish the trust and the participation—

Matt Calligan:
Yeah.

Matt Duncan:
—the two-way participation that’s needed to sustain that community. Because you need to trust that whoever your members or the communities you work with that they’re going to share information in a responsible way, that they’re going to use responsible technology.

And in addition to that, not only do they need to be willing to share information and support you, they often have to fund you.

Matt Calligan:
Yeah.

Matt Duncan:
And cyber information, in particular, is very sensitive. As you can see from the news, it seems like every day there’s either a breach or a hack or a campaign that’s announced.

And oftentimes, the instinct of entities—whether you’re a bank, an investment firm—is to not want to make yourself vulnerable and say, “Hey, we had a breach,” or “We had an incident.” Because anytime information leaves your organization—leave your organization’s network—you’re potentially vulnerable.

Matt Calligan:
Yeah.

Matt Duncan:
So you’ll need to trust your community’s policies, the technical controls, and the use cases for your information. Otherwise, your community is not going to thrive, and it’s not going to exist for very long. And the community won’t get the benefit of the sharing.

[00:12:00:12–00:13:31:17]
Matt Calligan:
Yeah. I—you’ve mentioned trust a few times. And when you have a community, when a key element of a thriving community is that trust—trusting in the people themselves, trusting in the technology supporting it, as well as what will be done with that information—and the rest of the members sharing that responsibility and using it correctly.

Matt Duncan:
And I like the word you use there—responsibility—‘cause part of the trust isn’t just, “Oh, I’m trusting you with my information.” It’s to have those honest conversations, to give feedback, and be honest about your needs, about your requirements. And especially when you need to do better.

Matt Calligan:
Yeah.

Matt Duncan:
Nobody has all the answers. And one of the ways the E-ISAC has prospered over the years is because we listened to our members. We believe in user experience and customer experience, and that’s how we treat our members and partners in the ISAC—roughly 1900 and counting.

Matt Calligan:
Yeah.

Matt Duncan:
And having—being open to improvements, being open to new capabilities, and then planning for those, making business cases, and then delivering on those results—just like any business—is essential. And sometimes, I think people that are forming threat intelligence communities tend to want to only focus on the information, but you really need to have a holistic business process for how you’re going to succeed.

[00:13:31:19–00:14:46:05]
Matt Calligan:
Yeah, I have been probably more blunt than I should be. Some of these folks that come to us with this idea of, “Well, we’re just going to bring all these CISOs together and kick this off.” And I have said actually, bluntly, ”We are not beer goggles for you guys, right? We’re not going to make your community look better than it is.”

There’s no technology in the world. Sure, we can underpin it, and we can eliminate our particular approach. We can eliminate a lot of the concerns with sort of the freebie stuff that’s out there—the Discord threads and the WhatsApp stuff or whatever. But we’re—it’s—this does not absolve you of responsibility of fostering that community and engaging and putting the work in.

You can’t just pick a thing and hope it’s sexy, and everybody’s just going to jump into it. With the examples, I guess, in the line of what we’re talking here, are there particular lessons that you’ve taken away in the past seven years with the threat sharing initiatives? Are there things that didn’t work so well?

What—would you say, “Hey, don’t do that next time”—if you were you talking to you seven years ago?

[00:14:46:07–00:17:11:08]
Matt Duncan:
Yeah. And this is where my favorite and least favorite cliché comes into play—crawl, walk, run. I think oftentimes we focus on the, “Oh, we want to expose a novel O-day,” or, “We want to talk about this really neat living-off-the-land technique that we think Russian actors are deploying.” And really, it’s about the basics.

Matt Calligan:
Yeah.

Matt Duncan:
It’s about using tools like Shodan or Censys or other, essentially, search engines to look for vulnerable infrastructure that is connected to the internet, isn’t protected, and shouldn’t be connected to the internet.

Matt Calligan:
Yeah.

Matt Duncan:
It’s about doing open source intelligence gathering on social media, the dark web, some of these image boards that adversaries like to communicate on.

And I think I would go back to my—myself seven years ago and say, “Hey, man, start with the basics and then look at the needs of your customers and what they need to make their lives easier. So don’t just tell me there’s a problem. Tell me what—the way to fix it.”’

Matt Calligan:
Right.

Matt Duncan:
“Tell me the mitigation, and let’s find a way to see what people, my peers, and industry are also doing.”

And that’s probably where I would have tweaked seven years ago, but thankfully, the electricity industry has this wonderful culture of mutual aid and mutual assistance. It’s in the DNA of electricity. So when things came around like SolarWinds or Microsoft Exchange or Volt Typhoon, Log4J—pick your favorite catastrophic cyber announcement—

Matt Calligan:
Right.

Matt Duncan:
—we were able to build on the trust that we had established, that collective defense mindset and the mutual assistance approach of the industry, and share information, act as a convener, host calls, get unique insights from either vendors or the government, and then help the utilities protect their systems with that information and iterate on their lessons.

‘Cause again, it’s not about the ISAC. It’s about the industry. This is a team game. And it’s just wonderful to watch utilities, big and small, helping one another via the ISAC.

Matt Calligan:
Yeah, absolutely.

[00:17:11:12–00:18:07:03]
Matt Duncan:
Another thing—

Matt Calligan:
Yeah, go ahead.

Matt Duncan:
Another thing I would add is having a trusted communications channel. Every day we hear about—whether it’s China or Russia or even criminal groups compromising the pathways that we communicate, pathways that we thought were safe or secure—emails, text messages, phone calls. Whether you’re getting challenges with—whether you’re having challenges with email security, you need to have alternative ways to communicate.

You need out-of-band communication. And frankly, you need end-to-end encryption in how you talk. And you probably need more than one way to do that should one platform go down.

Matt Calligan:
Yeah.

Matt Duncan:
And that’s the other thing, making sure you have that clear, trusted channel to communicate not only internally but with your stakeholders and with the public.

[00:18:07:06–00:19:48:08]
Matt Calligan:
Do you see—obviously you all have done your own homework and implemented some of these—but do you see that strategy, that out-of-band communication strategy, working with technology? Tech-like end-to-end encryption—do you see that playing a role in enabling successful sharing communities that you guys work in?

Matt Duncan:
It all goes back to trust.

Matt Calligan:
Yeah.

Matt Duncan:
And with the adversaries looking to compromise our trusted networks—and think about—people added VPNs. “Okay, we’re going to be more secure; every—all traffic needs to go through the VPN.” What do the adversaries do? They start trying to get legitimate credentials to access the VPN. They DDoS the VPN.

They brute force. They SYN flood. They do all these fancy techniques ‘cause they know that’s where all the trusted communication is. And if you have a mindset of “assume compromise,” and for your most sensitive communications, we’re actually not going to use email or text. We’re going to switch to a third-party trusted encrypted app, or we’re going to have a different voice communication pathway that adds resilience and ultimately just makes it harder on the bad guys.

And bad guys are people, too. So if they find your organization a little too difficult to crack, they may move on to somebody else, and you’re going to be left alone for that moment.

Matt Calligan:
Right.

Matt Duncan:
So I think having not only the information to share, but the method to share it in a trusted fashion, is just essential for success and maintaining trust in your ISAC.

[00:19:48:10–00:22:57:23]
Matt Calligan:
Absolutely. For—and not just ISACs—‘cause obviously there’s the 16 designated ones, but there are new ones cropping up. Obviously no ones—there are no constraints on the renewable energies ISO and some of these other ones that are just kind of burgeoning. What would be a piece of advice you would give to them either as to build a community?

I would say—and also I’m going to flip this question and sort of split it into two. What would you give advice-wise to an individual company who was like a threat analyst in a company who was getting corporate pushback culturally against threat sharing? What would be advice for someone starting a threat sharing community and then someone who wants to join it but is facing some internal pressure to avoid it?.

Matt Duncan:
This is a question you’re always going to get. And, in the past, it was very hard to convince your general counsel, your board, your C-suite on the need to share your information to another third party that you didn’t have necessarily under contract. But I think over the last 25 years, the E-ISAC—actually 26 years now, E-ISAC is 26 years old—along with some of the other foundational ones, like the Financial Services-ISAC, Comms-ISAC. I think over the years, whether it was 9/11, the invasion of Iraq and Afghanistan, the first time the Russians invaded Ukraine, right up until the attacks that we have seen from Volt Typhoon in China, I think they recognize that you can’t defend your organization completely by yourself.

Matt Calligan:
Yeah.

Matt Duncan:
The oceans don’t protect us the way they used to. And while government certainly plays a role, industry also needs to step up and secure its information with its own threat intelligence, and ISACs or ISOs are a wonderful way to do that. So the first bit of advice I would give—and I have given this to folks in both the corporate and the NGO space—find your ISAC, find your ISO, figure out if they have the controls and trust you need, and then find a way to get involved with them and take advantage of the services that you’ll get from them.

Oftentimes, the services that you’ll get from your ISAC, you would have to go to a well-known vendor and pay a lot more money to get the breadth of information that might be available to you.

Matt Calligan:
Right.

Matt Duncan:
So, it’s a good way to be a good citizen and practice collective defense.

Matt Calligan:
Yeah. Well, and the—we put it a little more bluntly on our side when we’re talking to folks who get that pushback, and it’s like, you can’t hire your way out of the scale of the threat you’re facing. You—your company cannot have enough people on its payroll to address the size and scope of the way threat actors work these days.

[00:22:58:01–00:25:46:14]
Matt Calligan:
And so collective defense is the only way to do it realistically. It’s also a great way to turn your threat hunting team from five guys to 200 people. So the—it’s a very cost-effective way, and it saves organizations in hiring and having to focus on all these subject matter expertise at the same time, which a lot of them can’t.

I mean, some of the smaller electricity providers, and even on the distribution level, communities and co-ops, they don’t have the ability to have subject matter experts in all these fields. And so, from our perspective, collective defense is essential for organizations of all sizes, simply because the scale of the threat we face is not addressable on an individual level.

Matt Duncan:
Correct. And if you think about your contract law, the idea of force majeure, or Mother Nature causing hurricanes, there are things you can do. But in order to build resilience into your organization, you got to work with others. And that’s why there are 26—I think, currently—recognized ISACs that are part of the National Council of ISACs that touch everything from water to retail to media to space.

Matt Calligan:
Yeah.

Matt Duncan:
And that’s where those communities—and of course, the E-ISAC works with all of them. We have our trusted channels or analyst exchanges. And when we learn something that might be a threat to electricity could just as easily be a threat to a control system in the water space. So it’s important to have partners not only in your sector but other sectors.

I’ll also point out, there—it is somewhat easier, in my opinion, to share information in the electricity space because of the regulatory structure that we have in place.

Matt Calligan:
Right.

Matt Duncan:
The—there isn’t necessarily competition within a service territory. There is a little bit with the retail markets, but by and large, sharing is in electricity’s DNA.

Matt Calligan:
Yeah.

Matt Duncan:
But when you get to other sectors that might have antitrust concerns or they might have competitive concerns, I think we all need to get to a point culturally where we have to put that to a side and recognize the organizations that share are going to be more secure, more resilient, better investments than folks that try to do it by themselves. Because frankly, I don’t know of any company that would be able to defend themselves from China or Russia or some of these really bad ransomware groups completely by themselves.

Matt Calligan:
Yeah. Exactly. What—kind of pivoting, Matt—what should we look out for next—look out for next coming from the E-ISAC?

[00:25:46:15–00:27:16:17]
Matt Duncan:
Well, this gives me a good opportunity to plug my colleague, Jesse Sythe. I think he’ll be speaking with you or may have already spoken with you about grid security exercise, GridEx VIII, which is going to be held November 18th and 19th, 2025, across the continent—US and Canada. It is the largest grid security exercise in North America.

And we do it every two years. And it’s a great way to test out your cyber and physical security incident response plans internally, with law enforcement, your local partners, and your friendly neighborhood ISAC. So, we had roughly 15,000 participants in GridEx VII—

Matt Calligan:
Wow.

Matt Duncan:
—from 250 utilities. And we’re already planning to have more than that. And we’re not even to May yet. So it is an exciting time. It takes a long time to prepare. The E-ISAC and NERC basically supply the injects, the materials for the utilities at no cost. That 25 cents you pay every year in your electric bill that goes to the ISAC pays for that, with a little support from our government partners.

And then you create your own exercise. And all we ask is that you play with the people near you, and then you share your lessons back so we can improve the security posture of everybody in North America.

[00:27:16:19–00:28:24:00]
Matt Calligan:
Absolutely. So, after a long day of defending the grid, from a personal perspective—sometimes we like to ask folks what their favorite libation or drink is. I know we’re on the clock here today. So, you’re in a—you’ve got your official role hat on. So, I’ll ask this question a little differently. What’s—after that kind of day—what’s your go-to kind of thing to let off steam or unwind?

Matt Duncan:
So, I’m an extrovert, right? So, I actually gain energy by interacting and talking to people after an event or an exercise—maybe celebrating the accomplishments, telling a few war stories—and that helps me build connections. And it also makes—helps me feel good about what we do. Like I said before, security is a team sport, and I like hanging out with my team and lifting them up. And yeah, that’s how I—that’s how I like to unwind after these big events, and just really proud to have a great team of guardians at the E-ISAC and across the industry.

[00:28:24:04–00:31:00:22]
Matt Calligan:
Absolutely. Yeah. It always comes back to the people. Well, Matt, I want to appreciate you for taking the time today. Any final thoughts before we—

Matt Duncan:
No, just thanks for having me, giving me an opportunity to to talk about the ISAC and the electricity industry and what we do to help keep the lights on. And remember, sharing is caring.

Matt Calligan:
Sharing. That’s right. Couldn’t have said it better myself. Well, folks, thanks again for listening to today’s episode of The Lock & Key Lounge. I am your host for today, Matt Calligan. Make it a good day.

[00:31:01:00–00:31:33:12]
Matt Calligan:
We really hope you enjoyed this episode of The Lock & Key Lounge.

If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at lounge@armortext.com or our website, armortext.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.