QUEBEC CITY — Ingrid Rayo’s fellow panelists nodded when she said participants in next month’s GridEx security exercise should focus on the people and organizations most relevant to their mission — in contrast to previous years’ emphasis on encouraging participation from as wide a range of groups as possible.
“I remember in one GridEx that we had a … daycare center right next to the control center that we were hosting GridEx from,” said Rayo, a senior consultant on governance, risk, cybersecurity and compliance at Burns & McDonnell, at this week’s GridSecCon security conference in Quebec City. “We pulled them in, and there was also a news station behind us and we pulled it in. And so we had all these people interacting, and the next thing you know, the news station was talking about the [daycare]. We forgot about the grid, because we were focused on the kids.”
Amid chuckles from the other panelists, Rayo explained that while there is value in getting buy-in from stakeholders in other sectors on which the electric industry depends — such as the telecommunication and natural gas sectors, which participated in GridEx VI in 2021 — it is easy to “take a rabbit hole” and overcomplicate the scenario. (See GridEx VI Incorporates Recent Cyber Lessons.) She recommended utilities “focus on those individuals that are truly active in the recovery plan and incident management” to make best use of their efforts.
The Electricity Information Sharing and Analysis Center (E-ISAC) holds GridEx every two years to help electric utilities and other stakeholders test and improve their security incident response plans. The exercise consists of a two-day distributed play exercise, for which the E-ISAC creates a general scenario that each participating organization customizes for its own workforce, and an executive tabletop for executives from the electric and related industries and U.S. and Canadian government officials.
Moderating the panel was Jesse Sythe, the E-ISAC’s GridEx Program Manager, who noted that GridEx distributed play scenarios have “consistently been ahead of reality,” with elements such as physical attacks on transformers in 2013’s GridEx II echoing that year’s shootings at California’s Metcalf substation. (See Substation Saboteurs ‘No Amateurs’.) He observed that GridEx IV in 2017, “in our most prescient move,” incorporated the impacts of a pandemic on workforce participation.
The distributed play for GridEx VII is scheduled for Nov. 14-15; Erin Rowe, the director for incident response at MISO who is organizing the distributed play exercise for her organization, said that this year she wants her team to “practice like we respond.” To that end, Rowe said, she intentionally sent out invitations with no location specified for the event.
“I don’t want them to sit in the conference room waiting, I want them to actually get that phone call, get the [Microsoft] Teams message, whatever mode that communication is going to come by, I want them to actually have to do it and go through the process for how we escalate that incident,” Rowe said.
Panelists emphasized that personal interaction is key to encouraging participation in GridEx. Saad Ansari, a senior specialist for emergency preparedness at Ontario’s Independent Electricity System Operator, assured audience members they don’t “have to reinvent the wheel” by scheduling face-to-face meetings just to discuss the exercise, but they should try to “leverage existing channels” by, for example, adding a GridEx discussion item to already-scheduled meetings.
Ashley Wemhoff, the incident response drill coordinator for the Nebraska Public Power District, acknowledged that organizations new to GridEx may feel intimidated by the idea of the two-day exercise and observed that participation in both days is not required. Several utilities in Nebraska are taking part only on the first day, she said.
Asked by Sythe for further advice on encouraging participation in GridEx, panelists urged organizations to try to emphasize the fun aspects of the event, which they acknowledged could be draining. Wemhoff jokingly suggested including glitter bombs in invitation packages, while Rayo said appealing to employees’ greed can be a winning strategy.
“People love swag, right?” Rayo said as the crowd laughed. “If you give them a free shirt, a free hat, whatever … as long as we have some [free gifts], you will get people to come to you and they will want to participate. It’s actually marketing for your next GridEx, because now they want to have the T-shirt like everybody else. We’re all a community, we all want to look alike and feel like we’re part of something.”