NERC: Utilities failed to contact vendors during GridEx cyberattack simulation
None of the utilities participating in the exercise turned to vendors for help or information. But utility industry officials say the relationship with their suppliers remains tight.
Cybersecurity has become a major focus for utilities, rapidly growing as a concern in the face of changing and increasingly-sophisticated attacks. But a recent report shows the power industry must broaden its tent when it comes to how it thinks about incident responses.
In particular, the utility industry may need additional focus on its relationship with supply chain vendors, with regards to grid security — though industry officials maintain there is already a very close working relationship in place.
The focus on security has grown quickly in recent years, as utilities better understand the threat and as vulnerabilities grow. Joe Stuntz, vice president of cybersecurity at One World Identity, and formerly of the White House Office of Management and Budget's Cyber and National Security unit, said utilities just a few years ago saw cyber attacks as a threat on par with a natural disaster.
"It was seen as a risk," said Stuntz, stressing the singular indefinite article. "People compared it to parts of the grid going down for a hurricane — they always come back up. This was just another risk ... What has changed the calculus for some of the folks I talk to, is the destructive aspect: malware that can get in and cause physical destruction."
Consider this: In 2015, Lloyd's of London issued a report estimating the economic loss of a widespread attack on the U.S. power grid at anywhere from $243 billion up to $1 trillion. Today, some security experts say it is only a matter of when, not if.
There was a successful attack on the grid in Ukraine in 2015, but the United States power industry has been either lucky or good, or perhaps a bit of both, in recent years.
There have been no cyber breaches that impacted grid reliability in the U.S., and the biggest scare was a false alarm in Vermont in late 2016. But that could change soon. A recent hack impacted the pipeline sector's communications and the impacts spilled into the power sector. Last year in the Middle East, hackers successfully breached Schneider Electric control technology at a plant, marking the first time an industrial control system (ICS) was known to be hacked.
"You will not prevent these things from happening. You must invest in an incident response plan and technology to quickly understand what happened."
A growing focus on ICS vulnerabilities means vendors — a potential blind spot in the utility sector's response plans — will play an essential role in protecting critical operations.
Bob Noel, director of strategic relationships at cyber incident response company Plixer, takes a sober view of the future: "You will not prevent these things from happening," he told Utility Dive. "You must invest in an incident response plan and technology to quickly understand what happened."
Against this growing threat backdrop every two years, the North American Electric Reliability Corp. holds "GridEx," a simulated attack exercise that gives utilities the opportunity to test their plans along with industry, local officials, law enforcement and others. As the industry's focus on cybersecurity has grown, so has participation: last year there were more than 450 participating organizations and 6,500 individuals.
Last month, NERC released its assessment of the November simulation. The bulk of the recommendations focus on communication and coordination, including broadening the involved stakeholders and developing processes for sharing critical information.
Bill Lawrence, director of NERC's Electricity Information Sharing and Analysis Center, said in a statement the level of participation in GridEx IV "shows the commitment that NERC and industry have
toward improving security and information sharing."
But in an email to Utility Dive, Lawrence also said improving communications "has been an ongoing objective that has been built upon with each successive GridEx series."
Within GridEx, Lawrence said communications is a "broad term" that covers a range of topics, including exercising and improving coordination with local law enforcement, state government, vendors and others. And it has grown in each iteration of the simulation.
But while there is a broad call for more coordination, the assessment report shows that particular focus is needed on industry vendors. During the simulated attack, no utilities reached out to vendors. However, Lawrence noted GridEx IV was also the first exercise where cyber and physical security vendors "were encouraged to participate in a coordinated fashion with other participants."
"We were pleased with the initial turnout," Lawrence told Utility Dive.
Utilities did not call on vendors
A half dozen supply chain vendors were involved in the simulation, "serving as points of contact ... for any organization simulating malfunctions with third-party hardware or software," according to NERC's report. In addition, a generic "vendor helpdesk" was set up. Utilities did not reach out to any of the participating firms during the exercise, and the vendor desk received no contacts either.
By contrast, 29 field offices of the Federal Bureau of Investigation participated, along with seven state police forces. The report says "law enforcement participation was fruitful and provided the opportunity for law enforcement to coordinate with electrical entities within their areas of responsibility."
The report spreads around the blame for the lack of vendor participation, calling on planners to emphasize vendor communications more while also making a larger effort to include the companies. "Future scenarios should be designed to include a more prominent role for vendors," the report concludes.
"In the early minutes or hours of an attack there's a lot of confusion about where it's coming from ... if you have everyone involved, that helps the operational response."
Vice President of Cybersecurity, One World Identity
One World Identity's Stuntz said he was pleased to see the recommendations focus on communications and coordination — particularly on vendors and law enforcement. "They should absolutely be engaged," he said. "In the early minutes or hours of an attack there's a lot of confusion about where it's coming from ... if you have everyone involved, that helps the operational response."
Stuntz said utility sector vendors specifically are "critical."
"They're subject matter experts," he said. "A lot of the systems involve remote access points ... remote access points of some vendor systems are probably some of the most vulnerable parts of the grid. Because they have to remote-access in to manage their system, if they can remotely access it, there's always a chance others can as well."
Why didn't utilities reach out? According to Noel, it is a problem that cuts across industries.
"There is a culture and mindset that you keep security measures to yourself, because when you admit an incident, then you admit you screwed up," Noel said. "So there is a reticence to be transparent. As an industry and culture we need to get beyond this ... There's an initial response to circle the wagons. There is a real reticence, in my opinion, for people to swiftly share."
Scott Aaronson, vice president of security at the Edison Electric Institute, which represents investor-owned utilities, offered a different view. He said the utility industry's relationships with vendors is very close and may not be reflected in the report for a variety of reasons.
The relationship between the electric companies and vendor community is "absolutely strong," Aaronson said. He called GridEx "an extraordinarily important exercise," but added that "there is always going to be some artificiality."
"Bringing in vendors universally isn't always in the cards," he said, also noting there may have been contacts not picked up in the report and the simulation may not have specifically called for it. Additionally, he said that for many utilities, their vendors operate in close coordination, almost like utility staff, and that relationship might not have been seen as an outside call to vendors.
"While in this instance, companies may not have literally brought in their vendors, I can tell you one of the first calls a company would make would be to a vendor of a piece of equipment that was compromised."
Vice President of Security, Edison Electric Institute
"While in this instance, companies may not have literally brought in their vendors, I can tell you one of the first calls a company would make would be to a vendor of a piece of equipment that was compromised," Aaronson said. "GridEx in some ways is very real, but it also has a theoretical component ... We're not talking about a specific company's widget that was compromised."
Consolidated Edison in New York, among the utilities that participated in GridEx last November, also reiterated its vendor relationships are strong.
ConEd's incident response does include vendor contacts, spokesman Allan Drury said. "We recognize that equipment vendors hold important information we need to protect our systems and customers. We communicate regularly with vendors about these matters.”
As planning ramps up for GridEx V, in 2019, NERC's Lawrence said the council's Electricity Information Sharing and Analysis Center is taking steps to improve vendor participation.
"We will work with utilities, who have strong relationships with their vendors, during planning for the next GridEx," Lawrence said, with a focus on improving interaction between industry and the vendor community.
Follow Robert Walton on Twitter