- More than 250 organizations participated this week in a simulated attack on the North American electric grid, known as GridEx, in order to gauge utility responses, communications protocols and cross-sector coordination, should an actual disruption occur. While risks are rising, some lessons from the Covid-19 pandemic can help make the grid more secure, experts said.
- The exercise is held every two years by the North American Electric Reliability Corp.’s Electricity Information Sharing and Analysis Center, or E-ISAC. Officials said this year’s scenario drew from real-world events and mimicked supply chain challenges, loss of access to utility buildings due to physical threats, and the inclusion of a nation-state attacker.
- NERC has also worked to expand the role of the vendor community in GridEx, including cybersecurity firms and equipment manufacturers. Including vendors in the exercise allows utilities “to review and examine all of the relationships, processes and tools they have available to respond to a real-life event,” said Katherine Ledesma, head of public policy and government affairs for cybersecurity firm Dragos.
Grid officials are not aware of “specific, credible threats” that could impact the power system, but the landscape is “dynamic, and continues to present challenges that are increasingly difficult to detect and defend against,” said Manny Cancel, NERC senior vice president and head of the E-ISAC.
“The electricity sector is under constant attack from nation-states and organized criminals,” Cancel said in a call with reporters, pointing in particular to China, Russia, Iran and North Korea.
“Geopolitical turmoil has contributed to a dramatic uptick in malicious cyber activity, including new iterations of malware and ransomware that are constantly pressuring information technology and operational technology platforms,” he said.
Utility security posture “has never been more important,” said Pedro Pizarro, president and CEO Edison International, the parent company of Southern California Edison. “We see critical infrastructure targeted in conflicts overseas. That heightens our risks in North America.”
Cross-sector and federal partnerships are essential to Edison’s cybersecurity approach, said Pizarro, who is also co-chair of the Electricity Subsector Coordinating Council. “One of the essential components of our strategy is planning and preparing to respond to major incidents and helping all stakeholders to understand their roles and responsibilities,” he said.
The electric power sector has also seen a significant increase in serious physical security incidents. “While most of these incidents do not result in grid impacts, incidents continue to increase and we expect this trend to continue,” Cancel said.
To help utilities prepare for these threats, the GridEx simulation brings in a wide range of participants. The event consists of a two-day simulated attack to test utilities’ responses, followed by an executive tabletop exercise which focuses on policy-level issues. GridEx participants include the electricity, natural gas, telecommunications and finance sectors. And NERC launched a vendor affiliate program last year to bring equipment manufacturers and security firms into the conversation.
Dragos participated in GridEx this week and Ledesma said she is “encouraged to see owners and operators, as well as government partners, include vendors and cybersecurity service providers” in the exercise. Vendor expertise, intelligence and capabilities are “vital during an incident and so it’s beneficial to include them in an exercise under blue sky conditions as well,” she said.
The GridEx attack scenarios are “authentic and reflect the contemporary threat landscape,” Ledesma said. “GridEx also provides the opportunity for organizations to coordinate regionally and across organizations on issues affecting interconnected generation, transmission and distribution systems.”
Utilities’ ability to respond to a cyberattack has been bolstered by the Covid-19 pandemic and the transition to work-from-home, said Duane Highley, CEO of Tri-State Generation and Transmission Association, and ESCC co-chair. “The ability to work remotely has really been enhanced,” he said.
“Part of our simulation was simulating the loss for a building because of a threat at the building location. And in prior years, that might have been a lot more of a scramble than it is now since we just went through two years of working remotely,” Highley said. “Establishing remote work for a workforce was a much simpler task today than it would have been pre-pandemic.”
This was the seventh iteration of GridEx. The E-ISAC plans to publish an assessment of the exercise by the end of the first quarter of 2024.