Utilities to practice crisis response, address gaps in cybersecurity planning during GridEx

The electricity industry will participate in the North American Electric Reliability Corporation’s (NERC) fifth grid security exercise known as GridEx on Nov. 13 and 14, an event that allows utilities to test how they would respond to and recover from simulated coordinated cyber and physical threats to the electric grid.

The biennial event provides electric utilities, government agencies and other stakeholders with the opportunity to practice their coordinated responses to an attack that threatens the reliability of the grid. Organizations will simulate event reporting, loss of control center functionality, incident response recovery plans and notification processes.

Exercises like GridEx are a crucial part of enhancing the nation’s critical infrastructure security and resilience, said Brian Harrell, assistant director for Infrastructure Security at the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“The GridEx V scenario features direct cyber and physical attacks on energy infrastructure and examines the cascading impacts to the communications sector. The impacts from a disruption of these systems can have wide ripple effects across the country, impacting emergency response, transportation, and the economy. Managing these risks in advance involves preparing for all hazards, reinforcing the resilience of our assets and networks, and remaining vigilant and informed,” Harrell told Daily Energy Insider in emailed remarks.

Testing the plans and preparations to thwart a cybersecurity attack on the North American energy grid through exercises can lead to identifying gaps in planning, as well as to the creation of multi-jurisdictional support agencies, the head of NERC said.

“Assuring the cybersecurity of the bulk power system is one of the key priorities for the ERO,” said Jim Robb, president and CEO of NERC, referring to the Electric Reliability Organization (ERO) Enterprise. “Our adversaries are persistent and they’re determined, and that requires consistent vigilance from all of us because a united defense is what’s essential in protecting our grid.”

The exercise, Robb said, is designed to overwhelm even the most prepared organization. But, he added, individual organizations can customize the scenarios to align with their unique needs.

Harrell noted that today there are very few cyber-only or physical-only incidents that could impact critical infrastructure.

“As our world grows more interconnected, and our infrastructure grows more interdependent with other systems and functions, we must look at our risks from both a cyber and a physical perspective,” Harrell said. “CISA was a part of the planning for the exercise and the scenario highlights this convergence with both kinetic and cybersecurity attacks.”

Some 80 members of CISA will join in the exercise that is expected to have thousands of participants. CISA members will help with collaboration among critical infrastructure sectors, and help coordinate operations to mitigate cascading failures.

“Critical infrastructure security and resilience requires a clear understanding of the risks we face and a whole‐of‐community effort that involves partnership between public, private, and non‐profit sectors, and CISA is committed to providing the support needed to prepare and respond to critical infrastructure threats and incidents,” Harrell said.

GridEx has grown significantly in terms of the number of participants. More than 6,500 people representing 450 organizations participated in the last GridEx event in 2017, compared to 180 participants who attended the inaugural event in 2011.

In order to be effective in combating any future attacks, the event is not open to the general public. After the completion of GridEx, utilities will provide input on lessons learned, and NERC will produce a public report that includes observations and recommendations for improving the exercise.

Utilities and critical infrastructure connected to America’s electric grid remain vulnerable, according to Terry Jarrett, an energy attorney who has served on both the board of the National Association of Regulatory Utility Commissioners and the Missouri Public Service Commission. He wrote in an op-ed last week that more than half of the 1,700 utility professionals recently surveyed believe that the United States will face a cyberattack on America’s critical infrastructure within the next 12 months.

Earlier this year a cyberattack on the power grid left grid operators in the western United States with temporary blind spots. Hackers using firewall vulnerabilities caused disruption for more than 10 hours on March 5, according to a report from the Department of Energy in April. The 17-page report outlines several attacks on grids across the country.

Harrell said it was imperative that all sectors come to the table to address security threats.

“… Everyone plays a role in the nation’s security and resilience, and we must coordinate and collaborate across every level government, private sector, and other community organizations,” he said. “This exercise embodies CISA’s vision of defending against today’s threats and working to secure our tomorrow.”