By Ted Caddell
GridEx III, a drill to test the emergency response capabilities of the North American high-voltage power grid, highlighted several vulnerabilities in the face of a simulated cyberattack. The lesson: Responding to a wide-scale computer malware attack is completely different from overcoming a monster storm.
“Electricity system recovery and restoration would be delayed or may not begin until the nature of the cyber risks are understood and mitigation strategies are available,” said NERC’s final report on the November drill.
GridEx III drew 4,400 participants from grid operators, federal agencies and local, state and federal law enforcement. The two-day scenario hit the grid with cyber and physical attacks resulting in blackouts in several cities. Organizers sent waves of simulated malware to grid operators by email. Throughout the beginning stages of the drill, operators were also notified about simulated attacks on physical plants such as transmission lines and substations.
“We wanted to challenge the coordinators to be on that ragged edge … [to see what they need to do to] protect the reliability of the system,” Bill Lawrence, NERC associate director of stakeholder engagement, said during a press conference Thursday.
The scenario employed email delivery of simulated malware — a tactic used by hackers who attacked three utilities in Ukraine in December. (See How a ‘Phantom Mouse’ and Weaponized Excel Files Brought Down Ukraine’s Grid.)
The after-action reports showed that secure sharing of communications between parties, along with reporting methods, remains a problem.
“Industry needs to coordinate with local law enforcement to identify and assess the physical risks to electricity facilities and workers,” the report said. “Unlike how industry responds to major storms through mutual assistance, industry’s capability to analyze malware is limited and would require expertise likely available from software suppliers, control system vendors or government resources.”
Another observation was that the information-gathering tools may be capturing too much. The NERC-run information portal captured reports in real time, but participants said they and the system quickly became overwhelmed.
NERC, the report said, “should continue to enhance the [information] portal to support real-time, searchable, urgent communication and collaboration.”
Another major observation gleaned from the simulated cyber and physical attack was that recovery would be prolonged and expensive. “Utilities will need unprecedented levels of financial resources in order to restore their facilities and eventually resume normal operations,” the report said.
The massive expense of a widespread restoration effort raised a question: Where is that money going to come from?
“There are certain regulations and laws out there that could be useful for grid restoration,” Lawrence said. “For example, the Stafford Disaster Relief and Emergency Assistance Act is designed to deliver relief and funding to individuals that are impacted by a disaster.”
But the law doesn’t provide relief for private corporations, such as investor-owned utilities. “Obviously if the utility isn’t generating power, they can’t pay their employees, and that would be a severe impact,” Lawrence said.
GridEx III featured the first use of social media for communications purposes. The report also recommended lengthening the planning time for the next exercise.