Later this week, utility officials and first responders will get the call they dread the most: A successful cyber and physical attack collapsed large portions of the grid.
It is just a drill — the biennial GridEx exercise put on by the North American Electric Reliability Corp. (NERC) — but grid operators will treat it like a true disaster situation, running through their crisis plans, coordinating responses and reassuring customers as they rush to "restore power."
This is the fourth such drill since 2011, but this year it has taken on a new sense of urgency. There has been a wide range of cyberattacks in the last couple of years — including at least one successful grid attack in Ukraine — and hackers have become more sophisticated in their methods. At the same time, physical attacks are now a fear around the world.
According to a recent report from consulting firm Accenture, more than three quarters of utility executives in North America believe a cyberattack is likely in the next five years. Those results mirrored results from Utility Dive's 2017 survey of utility professionals, which found cyber and physical grid security to be the most pressing issue facing the industry.
More than 5,000 people will participate in GridEx, including utility officials, Homeland Security, local law enforcement and the FBI—as well as officials in Canada and Mexico. And involvement will stretch beyond the power sector to include the natural gas industry, financial services and telecommunications. It is the first year those last two sectors have been included.
There will be no way to stop this attack in advance — GridEx IV's focus is primarily on the response — but it will give the industry an opportunity to better understand the relationships necessary to cope with an actual event.
"We want asset owners and operators to exercise their crisis response plans in a severe scenario, and build the relationships they will need with other utilities, state, local and federal partners, especially the first responders and law enforcement who will be necessary to ensure safety of workers in attacks like this," said Bill Lawrence, the director of NERC’s Electricity Information Sharing and Analysis Center.
The GridEx team has a lot to work with, between experts on both the industry and government sides, as well as real-world events which have occurred. The exercise scenarios use “unclassified real world instances that happened, as well as the imaginations of some folks on our planning team," Lawrence said.
“We are focused on one of the primary threats we think could be brought against the North American grid, and that is a combined cyber and physical security attack," Lawrence said.
In recent years, fears of a successful grid attack have moved far beyond a theoretical possibility.
It was 10 years ago that researchers at Idaho National Laboratory's Aurora Project demonstrated how a remote attacker could damage generators. By opening and closing certain circuit breakers, hackers could push a machine's rotating parts out of alignment, damaging a power plant and taking it offline.
The 2015 attack on Ukraine, which caused widespread blackouts in that country, proved that it was not just possible but that hackers were actively looking at power plant vulnerabilities. And U.S. officials have conceded for some years that China has the capability to take down parts of the domestic grid.
In the wake of the 2016 Presidential election, where the hacking and cyber threats became a major election issue, Sen. John McCain (R-AZ) revealed that Russia also has the capability to shut down American power plants through cyber hacking efforts.
"It isn't just elections that they are hacking into. It is across the board ... including the ability to shut down power plants," McCain said on Meet the Press. "They can do grave danger to the United States of America."
All of this has thrust the United States into a kind of cyber cold war. Scott Aaronson, executive director for security and business continuity at Edison Electric Institute, told Utility Dive earlier this year that "what the Russians can do, so can the U.S."
While attackers have yet to be successful on a wide scale, the U.S. is already a target.
Over the summer, U.S. officials were investigating a failed attack that targeted nuclear generation this year. Code named "Nuclear 17," the attack targeted Wolf Creek Nuclear, owned by Kansas City Power & Light Co., Westar Energy and Kansas Electric Power Cooperative. The 1,200 MW plant's operational systems are separate from its internet-connected network, but news of the attempt was a warning signal for the indsutry.
Hacking the grid is an enormously difficult challenge, but the sophistication of bad actors is on the rise.
The key reason the United States has been successful in thwarting intruders—at least so far— Lawrence said, "is the great deal of attention paid to security based on the NERC standards ... and then above that, utilities that have really taken security on board and go well beyond the standards. That gives us a lot of professionalism behind defense, and also a great deal of diversity."
NERC, along with government agencies and other industry groups, is continuing the work to boost security across the industry.
This fall, NERC proposed new reliability standards aimed at strengthening the vendor supply chain that delivers software and critical updates to manage the country's bulk electric supply system. The new standards require entities to develop and implement plans to address supply chain cybersecurity risks, and address concerns that supply chains for information and communications technology and industrial control systems present a potential weak spot in grid defense.
The U.S. Department of Energy in September announced up to $50 million in funding to DOE's national laboratories, earmarked for research and development of next-generation tools to improve grid resilience and the security of the natural gas transportation system.
“A resilient, reliable, and secure power grid is essential to the Nation’s security, economy, and the vital services that Americans depend on every day,” Secretary of Energy Rick Perry said in a statement.
Indeed estimates of a successful attack's impact are frightening. Lloyd's of London in a 2015 report aimed at informing the insurance industry concluded the total economic loss could range from $243 billion up to $1 trillion in the most damaging scenarios.
Perhaps the most dramatic comes from a Congressional commission investigating the threat of an electromagnetic pulse attack (EMP). According to the theory, North Korea could potentially detonate a nuclear warhead over the United States, and the burst of electromagnetic radiation would effectively knock out the grid by destroying electrical components.
But it gets worse: James Woolsey, former director of the Central Intelligence Agency, raised the specter this year in a column for The Hill that such an attack could ultimately kill 90% of Americans--through the resulting collapse of society and mass starvation. That apocalyptic scenario has been played down by some, but if such an attack did occur it would no doubt be devastating.
How GridEx works
So it is against this ominous background that GridEx will take place this week. The exercise has grown each year, broadening to include more diverse stakeholders and more participating utilities.
"We want a wide range of participants," Lawrence said. "The primary focus is on grid operators. ... but we've brought in more cross-sector organizations. Natural gas suppliers, telecommunications, and financial services organizations are also participating, primarily with their major utilities that are supplying their electrical power."
"We just count on people to join the exercise and get an understanding of what they'd be going through," Lawrence said.
The tricky part about GridEx is that the exercise is voluntary. Utilities can "participate at whatever level they can devote resources to," Lawrence said. "Even if they can just observe the exercise, that's good enough in some cases. ... They are encouraged to participate, look around, see who is there and not there, and reach out to others that utilities want to see involved."
GridEx is a valuable exercise, but in some ways the real benefit comes in the two years between, where the power sector evaluates its response and builds more and deeper relationships during the planning cycles.
With thousands of participants, this is not something that will happen in a single building. It is a "very decentralized" [tabletop] two-day exercise, explained Lawrence. “We can only get away with about two days of focused attention from utilities, because we're not paying anyone to do this, not ordering anyone. It's all voluntary.”
The two days are broken into four hour chunks called “moves," during which information about the simulated attack will be sent out. And this year the exercise has been expanded to include something called "Move 0," where NERC will provide some training as well.
“If we prepare the defenders to recognize characteristics of those attacks, they might be able to break the kill chain,” Lawrence said. "There is a cyber and physical kill chain, and if you stop the attack in one place along the way, they wont be able to successfully implement their attack.
But not this time, however. By design, the GridEx "attack" will be successful.
"It really is a worst case scenario exercise," Lawrence said. "We design it to be extremely challenging."
In this instance, the attack will be a joint cyber-physical assault on the grid. Lawrence said that if a a group or nation was determined to inflict widespread damage, it would take more than a single technique or point of entry.
"If an adversary was really looking to devote a lot of planning, resources and time to coordinate an attack that would have wide ranging impacts on the North American grid, they'd want to use multiple avenues," he said.
It takes about two years to prepare for the GridEx event, and Lawrence said NERC is already planning on how to make GridEx V even more challenging and relevant for the industry. "We consider other high-impact, low-frequency threats out there, but the one we think our adversaries have shown the capability of doing ... involves not only cyber but also physical attacks against infrastructure."
Once the event kicks off on Wednesday, "we throw all of that at a utility," Lawrence said. "They all have physical security and cyber programs. A robust threat forces them to communicate across different silos. Sometimes, the physical security folks don't really talk to the IT infrastructure folks. And a virus on the system may mean shutting down some things, turning off systems, that the physical infrastructure folks need for visibility."
"It is a great opportunity for everybody to understand what piece of security they provide," Lawrence said. It also bring in the C-suite and crisis communications teams, to work on messaging as if they were really talking to their customers.
Ideally, these crisis preparations would never see the light of day in a real-world scenario. But that is increasingly unlikely, as the sophistication of attacks rises. While the utility industry in this country has been spared the worst, from the 2014 North Korea-Sony hack to this year's WannaCry ransomware, the writing is on the wall.
"Nothing that's happened in the world so far has been surprise to anyone who has participated in GridEx," Lawrence said. Asked if a successful attack is essentially inevitable, he hedged.
"Never say never. But for someone to reach out and do something on a scale that would impact a large piece of the grid is an extremely challenging problem for them."