NERC’s GridEx security exercise may be in its seventh iteration, but it still packs a challenge for participants across the electric grid, stakeholders said in a Nov. 16 media call.
According to Manny Cancel, senior vice president at NERC and CEO of the Electricity Information Sharing and Analysis Center (E-ISAC), more than 250 organizations took part in the distributed play portion of GridEx VII, held Nov. 13-14. The distributed play was followed by an executive tabletop session Nov. 16, in which executives from the electricity, natural gas, telecommunications and finance sectors participated, as did representatives from the U.S. and Canadian governments and the Electricity Subsector Coordinating Council.
The participation rate was “pretty consistent with … prior GridExes,” Cancel said.
GridEx VI, held two years ago, saw participation from 293 organizations, the lowest number since the second exercise in 2013. (See NERC: GridEx Lessons Already In Use.) Nonetheless, Cancel said the E-ISAC, which developed the core exercise scenario for the distributed play as well as the virtual environment for the exercise, was “very happy with the level of participation,” particularly the involvement of other critical infrastructure sectors in the planning, distributed play and executive tabletop.
Electrical equipment vendors also played a part in this year’s exercise, as they have in previous years. Participants said the sector’s representation mostly came from original equipment manufacturers, who provided input into issues such as supply chain shortages that are causing growing concern.
“We do include vendors … not only in the actual drill, but even in the planning for the drill and coming up with scenarios, and that’s been valuable,” Cancel said. “They face the same threats that we face, they have insights, and they can provide value, so we’re looking forward to continuing to leverage that as we go forward.”
Cyber and Physical Attacks Simulated
Other real-world issues continued to influence this year’s distributed play and executive tabletop scenarios, stakeholders said. While details about the distributed play scenario — which participating organizations customized to fit their needs after the E-ISAC gave them the general themes — have not been released, participants in the call mentioned cyber intrusions by nation-state actors attacking the grid either directly or through supply chains, or spreading misinformation on social media.
Physical violence, another increasingly prominent focus of security specialists, also constituted “a substantial portion of the drill,” Cancel said. Puesh Kumar, director of the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER), said exercises like GridEx provide an opportunity for utilities and law enforcement to practice not only bringing those responsible to justice, but also preventing as much harm as possible.
“When people commit these types of crimes, it’s … a very unsafe environment. It’s not just unsafe for the general public, if the power goes out and critical resources aren’t available; it’s actually unsafe for the individuals committing these crimes as well,” Kumar said. “So getting that awareness of how unsafe trying to commit a crime like this actually is” remains a major focus for DOE and CESER.
Pandemic’s Lessons Resonate
Participants also noted the continuing legacy of the COVID-19 pandemic, despite the absence of travel restrictions that limited the GridEx VI executive tabletop to remote attendance only.
Duane Highley, CEO of Colorado-based Tri-State Generation and Transmission Association and co-chair of the ESCC, noted that his organization’s version of the distributed play included simulating the loss of its headquarters. Because “the ability to work remotely has really been enhanced” during the pandemic, Highley said reconnecting the company’s employees was much simpler than it would have been in previous years.
Kevin Wailes, CEO of Lincoln Electric System in Nebraska and ESCC co-chair, added that “the virtual environment provides the opportunity for a lot more participation [by small utilities and co-ops] than we’ve … had in the past.” Pedro Pizarro, another ESCC co-chair and CEO of Edison International, said he was glad the scenario included simulation of the loss of communications, because the experience of the pandemic made it “critical that we prepare for that kind of scenario.”
Cancel emphasized that the landscape of threats facing the energy sector is dynamic and evolving and that while events like GridEx can help entities practice their response to recently identified risks, there are always more dangers emerging. Kumar said one benefit of GridEx is its ability to bring together stakeholders both inside and outside the industry to practice their communication skills so they can engage quickly when malicious actors try to exploit new vulnerabilities.
“The reality is that there’s always going to be vulnerabilities; we just need to figure them out before someone else does and takes advantage of them,” Kumar said. “Exercises like this really bring the manufacturers closer together with the energy sector community, both in industry and government, to really start to mature what I like to think of as [operational technology] vulnerability disclosure. … I think that’s a very positive sign in terms of where we’re headed with vulnerabilities.”