NERC Technology Security Committee Briefs: May 8, 2019

May 14, 2019

GridEx V will see more international participation, including possibly “active injects” to simulate a “worldwide assault … on Western civilization.”

ST. LOUIS — Below is a summary of the NERC Board of Directors Technology & Security Committee meeting Wednesday.

Australia and New Zealand to Join in GridEx V

GridEx V will see increased international participation, including the possible use of “active injects” from Australia and New Zealand to simulate a “worldwide assault … on Western civilization,” Chief Security Officer Bill Lawrence said.

NERC Chief Security Officer Bill Lawrence | © *RTO Insider*

The exercise, scheduled for Nov. 13-14, also will see increased participation by the natural gas industry, he said.

The “executive tabletop” portion of the exercise, formerly constructed as a continent-wide attack, will this time affect a “specific region with severe electric and natural gas impacts,” Lawrence said. The targets will no longer be CEOs but the “operational level: the COO, CSOs, etc.”

They will discuss what they learned from “a bad, bad day on the grid in hopes, and active preparations, that it wouldn’t happen for real,” he explained.

“GridEx is a lot about information sharing and some analysis, but really it’s the engagement opportunity. It’s building those trade routes [to industry and government] that will be of particular value,” he said.

Lawrence said he was encouraged to have the participation of Australia and New Zealand, who are members of U.S.’ Five Eyes intelligence alliance, along with the U.K. and Canada. He recalled the worldwide preparations for Y2K, when it was feared that legacy computer systems that represented four-digit years with only the final two digits would be flummoxed by the change from 1999 to 2000. “We were able to see New Zealand and Australia stay lit up [on Jan. 1, 2000,] and have a much higher confidence that North America was going to be good to go as well,” he said.

E-ISAC Continues Growth

Lawrence gave the committee an update on growth plans for the Electricity Information Sharing and Analysis Center (E-ISAC), which is expected to triple in size by the end of 2022 from the 20 staffers it had at the end of 2017.

The 2020 organization chart shows a staff of 47, an increase of seven full-time equivalents for analytics, watch operations and engagement, and three for corporate support. 2020 will be the third year of a five-year strategic plan that has already seen NERC add 19 FTEs.

The ISAC plans another 14 hires for 2021 and 2022 to enable 24/7 watch operations and support investments in technology and collaboration with strategic partners.

Lawrence said the E-ISAC is using consultants to help develop policies, such as information sharing protocols, that are “repeatable and scalable as we grow our team.”

“The E-ISAC is not as mature as we should be for a 20-year-old organization,” he said.

Lawrence said the move to a 24/7 watch operation was prompted by stakeholder input. “They want somebody who is awake at the phone. Right now, we do have 24/7 coverage but it’s with duty officers with a phone by the nightstand.”

The ISAC will initiate 24/5 operations this year with 24/7 staffing in 2020.

Lawrence praised the infrastructure support NERC is providing the ISAC. “It means that I don’t need to build my own IT, HR, legal [and] external affairs [capabilities], and I can focus on the analysts that are going to provide … value.”

Lawrence Downplays Denial of Service Incident

Lawrence decried media reports characterizing a denial of service incident involving a WECC member in March as a cyberattack, saying there has been no evidence of malicious involvement.

“It was a denial of service. So, something happened to — in this case — a piece of … communications technology — [firewalls] — that for about five minutes acted like a deer in the headlights. They went offline, causing a brief breach of communications” between the control center and generation.

The unnamed company disclosed the March 5 incident to the Department of Energy in an electric emergency and disturbance report (OE-417) that said it affected Kern and Los Angeles counties in California; Salt Lake County, Utah; and Converse County, Wyo. although no customers were impacted.

Lawrence said the incident led to a “leap to conclusions” that it was caused by hackers.

“But in this case, it might have been that or something as simple as a scan that detected this certain vulnerability that’s known about these [firewalls]. So, you update them with a patch and they’re good to go against that vulnerability,” he explained. “It’s not a distributed denial of service where somebody is just slamming against the firewall and keeping the communication systems down. It’s a hiccup, and they come back on and we gain visibility.

“There was no generation loss; no customers lost service,” he said, adding that a root-cause analysis is being conducted. “Calling it a cyberattack stretches the definition of cyberattack.”

The following day, however, FERC Commissioner Bernard McNamee described the incident as an “attack” during remarks to the Board of Trustees. McNamee said afterward he was speaking based on media accounts and not information shared with FERC.

— Rich Heidorn Jr.

FERC & Federal Reliability