Last year’s GridEx VI security exercise provided some much-needed practice for the security challenges facing the electric grid today, officials from the U.S. government said in a media briefing on Thursday.
Speakers at the briefing, held to mark the release of NERC’s after-action report on the exercise, said that several elements of the exercise have since been seen in practice during Russia’s invasion of Ukraine, including the use of social media to spread misinformation about the developing situation to cause civil unrest. Brandon Wales, executive director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), said the experience of GridEx VI has already prompted action at the federal level to address this potential threat.
“We’ve begun … working across various sectors and with relevant technology and social media companies about being prepared to respond to these blended attacks, where they’re using social media [and] disinformation to make the impacts of cyberattacks potentially worse,” Wales said. “That is something that I think in the future will likely be in the playbook of multiple adversaries if they are looking to really stress our systems.”
Puesh Kumar, director of the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), said that the use of exercise scenarios requiring collaboration across industries, as well as between the public and private sectors, helped lay the groundwork for coordinating the response to the developing situation.
“We have lowered the bar for sharing information in terms of what we are seeing, not only out in Russia and Ukraine, but even here,” Kumar said. “You heard the president [say] about two or three weeks ago [that] we are seeing cyber activity targeted at critical infrastructure in the United States. … There are over 3,000 electric utilities across the United States. All it takes [is] one or two utilities seeing activity, and we quickly cascade it to the others out there.”
Attendance Down from Last Time
NERC conducted the sixth iteration of GridEx across three days last November. As in previous years, the exercise was developed, managed and delivered by the Electricity Information Sharing and Analysis Center (E-ISAC). (See GridEx VI Incorporates Recent Cyber Lessons.)
GridEx VI was performed in two stages: First came the distributed play, held Nov. 16-17. In this part of the exercise, participants — more than 3,000 people across 293 organizations in the electric industry, government and other stakeholders — worked a core exercise scenario developed by E-ISAC, which also provided a virtual environment for the exercise to play out. Each organization administered the scenario itself, resulting in a “unique exercise experience” for every participant.
The second component was the executive tabletop, hosted by E-ISAC Nov. 18 for almost 200 participants from 88 organizations, including investor- and publicly owned utilities, cooperatives, independent system operators, and U.S. and Canadian government entities, as well as the natural gas and telecommunications industries. The tabletop was held online for the first time due to the COVID-19 pandemic, allowing participation by a larger and more diverse group of entities while inadvertently mirroring the way a crisis would likely play out.
Unlike the tabletop, participation in the distributed play was down significantly from the 526 organizations represented in GridEx V. Last year’s 293 organizations represent the lowest official participation in the biennial exercise since 2013’s GridEx II. (See NERC: COVID-19 is Chance to Test GridEx Lessons.) The 3,000 individuals participating were likewise fewer than half of GridEx V’s approximately 7,000.
NERC’s report attributed the decline, in part, to the participation challenges posed by the pandemic and also to changes in how participants were counted. Unlike in previous years, participants in GridEx VI were only required to register with E-ISAC to use the exercise tools or access planning materials. NERC said in light of these shifts, “future participation numbers are likely to be more comparable to those recorded for GridEx VI.”
Cyberattacks Get Personal
The scenario of GridEx VI threw myriad challenges at participants. The distributed play simulated a major cyber and physical attack against the North American power grid as customized for each organization, while the tabletop presented a similar scenario centering on the U.S. and Canadian West Coast and included attacks against the natural gas and telecommunications industries.
Incidents in the two-day distributed exercise were grouped into four periods, representing the morning and afternoon of each day. The first day saw control system and transmission substation faults accompanied by physical attacks on pipelines and liquid natural gas production facilities that constrained generation capacity.
On the second day the adversary “directly targeted critical employees” with threats against them and their families, while social media users threatened more attacks on transmission and distribution facilities. Manny Cancel, senior vice president at NERC and CEO of E-ISAC, confirmed that the personal targeting of key personnel was derived from real events and the known capacities of potential adversaries.
“We all know that our adversaries are very sophisticated, and one of the techniques they use is to go after some of the folks in our agencies. Whether it’s through phishing campaigns or other ways to harvest credentials or data, they look for the weak link and try to take advantage of it,” Cancel said.
“Distributed planning especially is informed by the work of the people that are … on the ground. Over 700 planners … have helped us build the scenario, and they leverage the experiences they’ve been through.”
Communications Issues Highlighted
One of the most urgent recommendations from the report was that the electric and telecommunications industries strengthen their coordination in light of the “well-understood” interdependencies between the two sectors. In this year’s tabletop scenario, a widespread outage in landlines and mobile phones “essentially [halted] the grid restoration process,” highlighting the need for “technical alternatives that have rudimentary functionality and high reliability.”
In Thursday’s briefing, Wales emphasized that “the report is not implying that there are no backups” for these communication systems, mentioning satellite phones and radio as methods for utilities to stay connected to their field personnel. Instead, he said, the thrust of this recommendation is to allow entities greater “certainty” about their ability to respond in an emergency.
“What’s coming out of this is a little bit deeper kind of understanding — what are the minimum requirements needed at any given location for power to be restored effectively?” Wales said. “What are the various tools that can be brought to bear? … I think that’s going to be some of the work that we do over the next two years, before the next GridEx.”