NERC’s biennial GridEx security exercise this week “incorporated elements of some of the major [cyber]attacks” experienced in the past year, according to Manny Cancel, senior vice president at NERC and CEO of the Electricity Information Sharing and Analysis Center.
GridEx VI consisted of two parts. First was a two-day distributed play exercise on Tuesday and Wednesday, in which more than 700 organizations took part including electric utilities, federal and state governments, manufacturers and supporting industries. The second part was a tabletop session on Thursday with executives from the electric, natural gas, finance and telecommunications industries; the Electricity Subsector Coordinating Council (ESCC); and U.S. and Canadian government officials.
In a media call prior to the tabletop session, NERC CEO Jim Robb said that he feels “really good about the defenses” the electric industry has created, citing the cybersecurity protections implemented through NERC’s Critical Infrastructure Protection standards and the “highly engaged executive culture” exemplified by the ESCC. However, the dependence of electric utilities on other sectors which do not have the same level of preparedness makes it imperative that they build strong relationships with those stakeholders, he said.
“We all have to recognize that we can’t draw a box around the industry. Cross-sector impacts and the role of supply chain in assuring reliability and security are key, and that’s why events like GridEx are so important,” Robb said. “It brings all the players in the ecosystem together … to practice and drill, get to know each other, and grease those critical communication skids that would be required in an actual emergency. And it makes us all stronger together.”
While NERC did not reveal details about the scenarios for the distributed play or tabletop exercises, Cancel said that “supply chain attacks … attacks on remote access platforms, as well as ransomware [were] all incorporated.” Each of these attack vectors has been a major topic of conversation among critical infrastructure providers this year thanks to incidents like the hacks of the SolarWinds Orion and Microsoft Exchange platforms and the ransomware attack against Colonial Pipeline.
Pandemic Impacts Inform Exercise
This year’s GridEx was also the first since the outbreak of the COVID-19 pandemic, and while participants praised the industry for showing up in spite of the logistical difficulties, the impact of the virus was keenly felt at the event. Southern Co. CEO Tom Fanning said that the industry is well aware of the cybersecurity risks created by the need for most employees to work from home, and that these threats were a necessary element of the exercise.
“The pandemic opened up a different work environment, which I think will persist from here on out. The old work environment, of 80% of your employees having to be physically in the office, is probably [gone], and I’m sure we are all adopting hybrid approaches … that require linkages from your distant location into work,” Fanning said. “And so every intersection of communication provides an opportunity for the bad guys to get in.”
Fanning added that the workforce changes caused by the pandemic are “tactical” and do not rise to the same level of concern as “strategic changes” such as the growth of artificial intelligence and computing power that enable more sophisticated cyberattacks.
Robb added that the pandemic also affected the logistics of the event itself, forcing the tabletop exercise, which is usually held in person, to be conducted online. However, this decision did lend a bit of verisimilitude to the exercise, he added.
“In many ways [it’s] unfortunate because the relationships that we’ve built in the past through the tabletop have been very valuable, but it’s probably more reflective of reality,” Robb said. “In the event of an actual grid emergency, the likelihood of us getting 50 key people in a room in Washington, D.C. on day one [is around] zero. So I think this allows us to test our ability to work in a dispersed manner, to deal with a very real scenario that could play out.”
RTOs Pitch In
Representatives from the RTOs also took part in the exercise. Matt Turner, executive director of enterprise support and campus operations for CAISO, said the scenario modeled “multiple cyber and physical attacks” that gave more than 300 participants and observers from the organization and its reliability coordinators a chance to test their emergency response plans. The exercise included a test of the effectiveness of high-frequency radio communication among “multiple balancing authorities and [the Governor’s Office of Emergency Services].”
ERCOT, NYISO and ISO-NE also participated, with Zachary Hutchins of NYISO calling the exercise “an excellent opportunity … to test response plans alongside governmental agencies, supply chain partners, other ISOs and the broader utility industry.” PJM said more than 300 of its personnel took part in a “rigorous simulated challenge to our crisis response plans,” while nearly 200 MISO employees “tested system operations, security, [information technology], communications and the Unified Incident Command structure,” the RTO said.
“We have to be ready to respond not only to those events that we can imagine but also be flexible in these exercises to handle situations that we have never encountered,” said Mike Bryson, senior vice president of operations at PJM. “GridEx is invaluable for us to test our ability to keep the power flowing at all times while also learning how we can improve our own practices and fine tune our response plans.”
NERC will review the results of this year’s exercise for a public report, which it plans to release in March 2022.
Jason York, Michael Yoder, Michael Kuser, Hudson Sangree, Amanda Durish Cook and Tom Kleckner contributed to this article.
