Two-Day GridEx III Tests Vulnerability to Terrorist Attacks
Amid increasing concern over threats to the nation’s power grid, NERC ran GridEx III, a rigorous, two-day drill that simulated terrorist attacks.

By Ted Caddell

Amid increasing concern over threats to the nation’s power grid, the North American Electric Reliability Corp. last week ran a rigorous, two-day drill that simulated terrorist attacks.

“There were cyberattacks on corporate computers, infiltration of transmission systems and substations, explosives and shootings,” NERC CEO Gerry Cauley said in a press briefing Thursday, the final day of GridEx III. The exact scenarios were kept secret.

Cauley said that about 10,000 people at 315 organizations — electric generators, transmission companies, law enforcement, and local, state and federal government agencies — participated in or monitored the drill.

GridEx II, in 2013, drew 234 organizations and an estimated 3,000 participants. The first sector-wide grid security exercise was held in November 2011.

While details on the drills are kept close to the vest by NERC and the participants, a public report, expected out in January, will detail what the grid operators faced and how they fared.

The GridEx II report noted that the drill included simultaneous physical and cyberattacks. It laid out the “lessons learned” and recommendations, including efforts to enhance information sharing.

It also recommended expanding the capabilities and role of the industry group that coordinates with federal agencies on grid threats, the Electricity Sub-sector Coordinating Council.

Southern Co. CEO Tom Fanning, the head of ES-CC, said planning for the exercise began more than a year and a half ago and was essentially complete before the terrorist attacks in Paris on Nov. 13. So, although Fanning and his colleagues were in constant contact with federal counterparts after the attacks, the attacks did not have an effect on this year’s drill.

That, he said, is an example of how grid operators must use current events to keep up with evolving threats. “The threat is ever changing,” Fanning said. “We know we have to continually anticipate the threat and adapt our own strategy. Being perfect here is an aspiration. We know we are always going to have to get better.”

“We are acutely aware of the recent events [in Paris] and the heightened urgency,” Cauley said. However, he said, “we have intentionally not built that into the exercises.”

This year’s drill was intentionally challenging, if not overwhelming, Cauley said. “It is a national exercise, and includes Canada and observers from Mexico,” he said. “The cyber vectors that we used started early [Wednesday] with attacks on public Internet and customer sites. We want to make sure this is not day-to-day stuff; it is rare,” he said. “We wanted to test the system.”

“There are cyberattacks in coordination with physical attacks, combined with trucks, and shootings to create some kind of enduring damage,” Cauley said. “This is not to be a simple, easy, one-day or two-day recovery.”

Cauley said cyberattacks have a bigger role in GridEx III than they did in previous exercises. Recently, there have been several public conversations about the grid’s vulnerability to such attacks. Broadcaster Ted Koppel has been on a tour promoting his controversial book, “Lights Out,” about the grid’s vulnerability. Earlier this fall, a British think tank released a report asserting that U.S. nuclear power plants are at risk from cyberattacks. London-based Chatham House said the “risk of serious cyberattack on civil nuclear infrastructure is growing” because of its reliance on commercial “off-the-shelf” software.

“There are methods and tactics that exist to cause control systems to cause damage to equipment,” Cauley acknowledged. “But as a practical matter, it is very, very difficult to carry out” a successful cyberattack on security-hardened grid facilities.

NERC, grid operators and all other sectors of the industry continue to assess threats and react to them, Fanning said. “I think we are the only industry with mandatory critical infrastructure protection” against cyberattacks, he said. “What we are trying to do here is go beyond the requirement.”
