Only three major electric industry supply chain vendors registered to participate in last year's GridEx V, the biennial simulated cyberattack run by the North American Electric Reliability Corporation (NERC) in order to test the utility sector's preparedness and response plans.
Experts say failure to fully engage the sector's supply chain is worrisome because vendors will likely be targeted by hackers and must be involved in the response to an actual cyberattack.
"Frankly, there's no awareness that we are invited," Alex Santos, CEO of Fortress Information Security, told Utility Dive. "To do a proper readiness exercise, you have to involve the vendors."
NERC officials say the two-day event in November 2019 drew 7,000 participants and achieved most of its objectives. However, the after-action report, released Tuesday, also revealed that some utilities "lacked the resources needed to coordinate responses" to the simulated attack.
GridEx V drew "unprecedented" participation, NERC officials said Tuesday in a call with reporters, but also revealed uneven response capabilities across the utility sector.
"It is a diverse industry, with 3,300-some utilities across the continent — some with tremendous capabilities, and others that are only now building from the baseline of their capabilities to fend off a cyber or major physical attack against the grid," said Matt Duncan, the manager of policy and coordination at NERC's Electricity Information Sharing and Analysis Center. "That's a gap we need to be honest about."
While NERC does not grade individual utility responses to GridEx, the simulation did yield broad recommendations including the need to enhance coordination with communications providers to support restoration and recovery. Another recommendation called for strengthening the operational industry and government coordination between the United States and Canada.
NERC set seven objectives for GridEx V, and achieved six of them including engaging critical interdependencies. The report indicates 16 natural gas utilities, 13 water utilities and three telecommunications companies participated. There were also improvements to local and regional responses: eight National Guard units, 29 field offices of the Federal Bureau of Investigation and 26 state governments participated in the event.
GridEx officials say business competition holds back vendor participation
NERC continues to struggle to engage the vendor community in its security exercise. In 2018, officials said none of the utilities participating in GridEx IV turned to vendors for help or information. This time around, just a handful formally registered to participate.
"It is incumbent upon participating organizations to include supply chain partners in their response plans," NERC's report notes. "Some organizations chose to engage with their supply chain partners during the exercise while others did not."
According to Duncan, some of the difficulty in engaging the utility supply chain is "because it's a different type of business space, a very competitive type of business space."
The electric industry benefits from being regulated at multiple levels, with critical infrastructure protection protocols in place and fewer competitive concerns, Duncan said. And utilities have a history of collaborating in response to major events, such as hurricane recovery.
In GridEx IV, vendors were engaged through a helpdesk but that went unused during the exercise. This time, utilities were encouraged to invite their vendors to participate alongside them.
"It's a question of bringing them into the fold and showing them the value of participating, and not making it a sales opportunity," said Duncan. "I think we're going to get there. It is too critical not to include the vendor community, as these scenarios and supply chains get more complicated."
Could a 'contractual obligation' for vendors boost security?
Security experts say involving vendors, including service providers and equipment manufacturers, is vital to preparing the utility sector to respond to attacks.
"It is going to be essential to have private sector vendors participate in responding to an attack in the future," Richard Henderson, head of global threat intelligence at security provider Lastline, told Utility Dive in an email. "Nation-state actors who may decide to target the North American grid are just as likely to target specific vendor technologies as they are to target generalized computing infrastructure."
Each vendor that provides products used in the grid should be required to have detailed response plans in place in the event of an attack causing widescale energy disruption, Henderson said. That could include storing spare equipment in strategic locations or having highly skilled incident response professionals on retainer.
"This should be a contractual obligation going forward," Henderson said.
Having as diverse a group of participants as possible can only help GridEx, said Dave Weinstein, chief security officer of industrial cybersecurity company Claroty.
While original equipment manufacturers "aren't the most critical constituency for GridEx, they would absolutely be involved in a real-world situation," Weinstein told Utility Dive. "Because a lot of this technology is proprietary to one vendor or the other, that knowledge base is critical during a response. Of course it's the proprietary nature of the technology that deters participation for competitive reasons."
"Utilities need to be able to secure and support all hardware and software involved during an incident or threat," James Evelyn, general manager of security firm Force 5 Solutions, told Utility Dive. Electric companies "need to simulate attacks happening in real life today. Without vendor participation, they have no idea what vendor support will look like during an incident."
And vendor support will likely be more critical to smaller utilities than larger ones, said Fortress' Santos.
"The larger utilities probably have more functionality," Santos said. "The smaller guys are going to be depending more on the vendors because they don't have all the resources to invest that the big guys do."