Search
March 4, 2026
Report: GridEx VIII Highlighted Areas for Improvement
Scenario Included Sporting Event, Drones, Military Threats
Participants in the GridEx VIII distributed play by state or province, with the change from GridEx VII in parentheses. Participants with operations in multiple states/provinces are counted by the location of their headquarters.
Participants in the GridEx VIII distributed play by state or province, with the change from GridEx VII in parentheses. Participants with operations in multiple states/provinces are counted by the location of their headquarters. | NERC
Mar 3, 2026 | Holden Mann
NERC's report on the GridEx VIII security exercise outlined the challenges that participants weathered during the distributed play and executive tabletop.

NERC’s GridEx VIII security exercise highlighted multiple areas for improvement for grid reliability, including better communication both within and outside the electric industry, heightened security around drones and reduced reliance on data centers, according to the after-action report from the Electricity Information Sharing and Analysis Center.

The E-ISAC hosted the biennial exercise Nov. 18-20, 2025, and included both a distributed play portion and an executive tabletop. In the distributed play, held the first two days, participants from 378 organizations worked individualized exercises based on a core scenario developed by the E-ISAC.

The tabletop, held Nov. 20, brought together leaders from 84 organizations, including industry executives, senior government officials and other “entities impacted by the scenario.”

Scenarios for the tabletop and distributed play both involved a conflict between two fictional nations in which adversary “Crimsonia” invaded ally “Beryllia” and launched cyber and physical attacks against U.S. and Canadian infrastructure to delay and degrade their response.

The tabletop occurred in summer 2028 across three acts. In Act 1, Crimsonia imposed a naval and air blockade on Beryllia, while electric utilities noticed spikes in cyber probes and forced oscillations across the Eastern and Western Interconnections.

Act 2 occurred several weeks later and involved steps by Crimsonia to deter intervention by rendering GPS services “essentially unavailable,” causing power outages at “U.S. and Canadian facilities with military missions,” and attacking Microsoft identity and authentication services. Act 3 involved physical sabotage against water systems, drone attacks on a nuclear power plant and a ransomware attack on a pipeline.

The distributed play took place in 2026 against the backdrop of preparations for a global sporting event dubbed the “World Chalice.” Play comprised five moves occurring over the course of two weeks.

    • Move 0 (before play began) — Utilities suffer vandalization and theft in the lead-up to the games, while the E-ISAC reports a new strain of malware being used on electric infrastructure overseas.
    • Move 1 — A small-scale cyberattack against corporate computers distracts information technology personnel, leading to a major attack on electric and gas utilities that disrupts monitoring and control systems.
    • Move 2 ­— Large-scale attacks are carried out against multiple substations with drones and firearms. An electrician is held hostage at one facility. Additional attacks affect defense-critical infrastructure (DCI) as Crimsonia invades Beryllia.
    • Move 3 — A heat dome causes failures at multiple data centers, affecting digital infrastructure including cloud services. Adversaries cut telecommunication lines to control rooms, insider attacks occur at utilities and vendors, and utility staff receive faked messages from leadership.
    • Move 4 — Players discuss the long-term recovery efforts from the perspective of a week after the last move.

With 378 organizations participating, the distributed play portion of GridEx VIII was the biggest since GridEx V in 2019 and the third largest since the first exercise in 2011. NERC explained the attendance shifts since GridEx V — 293 organizations participated in GridEx VI and 252 in GridEx VII — as likely due to registration policy changes. Since GridEx V, only E-ISAC members and partners have been able to register for the exercise, but in GridEx VIII asset owners and operators could vouch for non-members for the first time.

Most participants were based in North America, with additional involvement from entities in Australia, Germany, Portugal and New Zealand. 63 participants were based in the footprint of SERC Reliability, more than any other regional entity and 15 more than in GridEx VII; WECC had the second-most participants at 60, four fewer than in GridEx VII when it was the leader.

Recommendations

Both the tabletop and executive play sessions generated a list of recommendations to improve reliability and resilience.

Recommendations from the tabletop included that U.S. and Canadian defense facilities work with industry to develop “collective understanding of the electric reliability requirements for DCI and associated risks to” defense-critical electric infrastructure. Participants also urged government entities to improve information sharing with industry and promote laws like the Cybersecurity Information Sharing Act of 2015 and programs like the E-ISAC’s Cybersecurity Risk Information Sharing Program.

The drone-related incidents prompted a recommendation that the U.S. and Canadian governments work with industry on responses to drone threats and “clarify available government support.” Participants suggested also that industry and government discuss how to shield utilities from liability for following government directives affecting their operations or energy and resource allocation.

Distributed play participants urged that industry continue to coordinate with government and emergency management partners on exercise and response planning, and encouraged entities to continue testing their various communication methods for potential failure modes. Contributors also suggested that entities practice their internal coordination and communication along with strengthening their external relationships.

E-ISACNERC & Committees
KeywordscybersecuritydronesElectricity Information Sharing and Analysis Center (E-ISAC)GridEx VIIINorth American Electric Reliability Corp. (NERC)physical security
Holden Mann
NERC Says Violation Backlog Dropped in 2025
More From This Author

We Recommend

1
NERC Says Violation Backlog Dropped in 2025
Mar 2, 2026NERC & CommitteesHolden Mann
2
AI Has to be Reliable Before We Trust it with our Grid
Mar 2, 2026Standards/ProgramsDej Knuckey
3
MISO-SPP Conference Eyes Future Generation Trends
Mar 1, 2026Regional EntitiesAmanda Durish Cook
4
MISO, SPP CEOs Bet on Improved Interconnection Processes for AI Load
Feb 26, 2026Regional EntitiesAmanda Durish Cook
5
Energy Availability Tops MRO’s 2026 Risk List
Feb 26, 2026Regional EntitiesHolden Mann

Popular Stories

1
MISO, SPP CEOs Bet on Improved Interconnection Processes for AI Load
Feb 26, 2026MISOAmanda Durish Cook
2
FERC Declines to Suggest Interregional Transmission Requirements
Feb 25, 2026Public PolicyJames Downing
3
Colorado Bill Addresses Impacts of Coal Plant Extensions
Feb 22, 2026Public PolicyElaine Goodman
4
NERC Board Accepts MSPPTF Recommendations
Feb 12, 2026Standards/ProgramsHolden Mann
5
MISO-SPP Conference Eyes Future Generation Trends
Mar 1, 2026MISOAmanda Durish Cook

Industry Gatherings


Upcoming Event

Upcoming Event

Upcoming Event