GridEx underscores need for collaboration, public-private partnerships to secure grid
With new and constantly evolving threats to critical infrastructure, GridEx VI, the largest energy grid security exercise in North America, focused this week on the importance of cross industry collaboration and public-private partnerships in keeping the power system safe and resilient.
The event was hosted by the North American Electric Reliability Corp.’s (NERC) Electric Information Sharing and Analysis Center (E-ISAC) and was attended by more than 700 electric power industry and government professionals. Held every two years by NERC, the virtual event tests organizations’ response and recovery plans in the face of simulated attacks, both cyber and physical threats, on the North American bulk power system.
This year’s GridEx featured greater representation from public power, electric cooperatives, municipal utilities, and Canadian partners. There was also increased participation from other critical infrastructure sectors, including natural gas, original equipment manufacturers, financial services, and telecommunications organizations, NERC said.
Officials from the U.S. Department of Energy (DOE), the Department of Homeland Security, and other federal authorities also took part, along with members of the Electricity Subsector Coordinating Council, which is the principal liaison between the federal government and the electric power industry on efforts to prepare for and respond to disasters or threats to critical infrastructure.
These cross-border and cross-industry relationships are critical to making the industry stronger in the face of an actual attack, NERC President and CEO Jim Robb said on Thursday in a media briefing that took place after day two of GridEx VI.
“We all have to recognize that we can’t draw a box around the industry,” Robb said. “Cross-sector impacts and the role of supply chain and ensuring reliability and security are key. And that’s why events like GridEx are so important. It brings all the players in the ecosystem together, what I would call the community response, to practice and drill and get to know each other and grease those critical communications skids that would be required in an actual emergency. And it makes us all stronger together.”
Edison Electric Institute (EEI) President Tom Kuhn noted in a written statement that protecting the grid from all hazards is a priority for investor-owned electric companies and one that is a shared responsibility between the electric power industry and its government partners.
“By participating in NERC’s GridEx series, we are able to test both our individual and our collective security, response, and crisis communications plans against possible energy grid threats,” Kuhn said. “It also allows us to strengthen our coordination through our time-tested partnership, the Electricity Subsector Coordinating Council (ESCC), to ensure that we stay connected should a real-world emergency occur.”
Tom Fanning, president and CEO of Southern Company and co-chair of the ESCC, said the ESCC is a prime example of the public and private sectors working together to promote national security.
“The conflict is in our telecommunication networks, it’s in our electricity grids, it’s in our financial systems,” Fanning said during the briefing. “When you consider the reach of cyber conflict, 87 percent of the critical infrastructure in America is owned by the private sector. The ESCC has been the clearest example of a reimagination of how the private sector will work with a sector-specific agency and the intelligence community and the folks that will hold the bad guys accountable.”
Through these public-private relationships, and the work being done through events like GridEx, Fanning said America is safer now, and will be safer tomorrow, from cyber threats.
“We will figure out ways not just to respond to what has happened, but rather to skate to where the puck will be and prevent America from that awful day where the existential threat becomes a reality,” Fanning concluded.
Manny Cancel, senior vice president at NERC and CEO of E-ISAC, detailed how the threat landscape has changed significantly since the last GridEx in 2019.
“The sheer volume, complexity and velocity of threats impacting our industry clearly demonstrate that our adversaries have the capability to disrupt critical infrastructure in North America – and unfortunately, this trend shows no sign of subsiding,” Cancel said. “At E-ISAC, we have seen a marked increase in cyber and physical security threats, particularly over the last year. We’ve experienced sophisticated supply chain threats, critical software vulnerabilities; we’ve also witnessed a significant spike in ransomware events.”
Citing NERCʻs 2021 State of Reliability Report, Cancel said there has been a nine-fold increase in ransomware reports in the past two years. E-ISAC has been working with its members to provide information, training and help to mitigate the threats, leveraging its partnerships with federal entities.
Puesh Kumar, acting principal deputy assistant secretary at DOE’s Office of Cybersecurity, Energy Security, and Emergency Response, concurred that partnerships and collaboration with the private sector and other stakeholders is critical to ensuring grid security and resilience in the face of the evolving threats. Kumar added that the $1.2 trillion infrastructure bill that was signed into law by President Joe Biden will help achieve those goals.
“The deal is the largest investment in the resilience of physical and natural infrastructure in American history, hardening our infrastructure against 21st century threats and making communities safer,” Kumar said. “It includes $27 billion to upgrade and modernize our electrical grid to make it more resilient to extreme weather and resistant to cyberattacks. And all of that is going to be done in partnership with our industry and state partners.”
The federal government is more focused than ever on the security of the nationʻs critical systems and functions.
“The administration has made the security of these systems a high priority and CISA and our inter-agency partners have responded by bringing our own unique authorities and expertise to bear,” said Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency (CISA). “And that is also what we’re doing here today – government and industry coming together to ensure that we are prepared only by continuing to practically test our plans and processes together and following up on those lessons learned will strengthen our security and resilience.”
Following the exercise, the E-ISAC will draft a report of the proceedings from GridEx VI and make it available to the public. The report is scheduled to be released in March 2022.
