GridEx event aims to strengthen utility industry’s response to attacks on electric grid

Published on October 26, 2017 by Terri Williams


October is Cyber Security Awareness Month, but the utilities industry is looking ahead to November when it will train to tackle potential cybersecurity vulnerabilities in the nation’s electric grid.

On Nov. 15-16, the North American Electric Reliability Corporation (NERC) will conduct GridEx IV, a training exercise to ensure that electric utilities are prepared to thwart potential cyber or physical attacks. Since 2011, NERC has presented the GridEx event on a biennial basis.

“The objective of GridEx is to provide an opportunity for all levels of industry and government to collaborate on a North American response to a simulated, coordinated cyber and physical attack on the power grid,” according to Bill Lawrence, the director of NERC’s Electricity Information Sharing and Analysis Center. “Participants in the exercise include industry and government security staff, law enforcement, senior executives, and CEOs.”

Depending on their roles, participants may have different objectives. For example, during the last exercise, GridEx III, held in November 2015, some participants learned how to execute crisis response and recovery. Other participants learned how to improve communication.

“Each organization involved in GridEx has their own objectives during the exercise to enhance and improve their emergency response capabilities,” Lawrence told Daily Energy Insider. More than 4,400 individuals from 364 organizations participated in GridEx III.

The large-scale exercise is designed to overwhelm participants, no matter how prepared they might consider themselves. Being involved in worst-case scenarios not only provides a higher level of awareness, but also reinforces the need for cooperation and communication.

According to data from Accenture, 49 percent of utility executives around the world believe that within the next five years there is a moderate risk of an electric grid cyberattack, and 14 percent think the risk is significant. In North America, 52 percent of executives reported there is a moderate risk that a cyberattack could affect the electric grid within the next five years, while 24 percent said there is a significant likelihood of an attack.

Regarding the various types of cyberattacks, the survey respondents reported that government-directed (or inspired) attacks account for the greatest increase in cybersecurity threats in the past year, along with cybercriminals or organized hackers driven by a profit motive.

The importance of the country’s electrical grid cannot be overstated.

“The power grid is one of 16 critical infrastructures identified by the U.S. government,” Lawrence noted. “More than 330 million consumers in North America depend on the bulk power system for a reliable, secure and resilient supply of electricity.”

A successful cyber or physical attack on the U.S. grid would have far-reaching ramifications for nearly every industry. Other countries have experienced successful cyberattacks firsthand. In 2015, for example, Ukraine suffered a cyberattack that cut the power for 225,000 people.

Lawrence acknowledges it’s challenging to keep up with the ever-changing threats to critical infrastructure facing the country. “Challenges to protecting the grid from cyber and physical security threats include ensuring that the training and tools available to bulk power system owners and operators keep pace with potential vulnerabilities as they emerge and evolve.”

However, he said, “To date, there has been no impact to the reliability of the bulk power system due to a cyber or physical security attack.”

Federal regulators also continue to focus on strengthening the grid against attacks.

The Federal Energy Regulatory Commission (FERC) recently proposed new cybersecurity management controls to further enhance the reliability and resiliency of the grid.

FERC’s Notice of Proposed Rulemaking proposes to direct NERC to provide criteria for electronic access controls for low-impact cyber systems and to address risks associated with malicious code that could come from third-party transient electronic devices like laptop computers and thumb drives.