The North American power grid is completing its largest biennial exercise today, called GridEx, with its highest number of participants since it was launched in 2011 by the North American Electric Reliability Corporation (NERC).
More than 5,000 electric utilities; regional and federal government agencies in law enforcement, first response, and intelligence community functions; critical infrastructure cross-sector partners; and supply chain stakeholders participated in GridEx IV, a biennial exercise designed to simulate a cyber/physical attack on electric and other critical infrastructure across North America.
The exercise promotes a strong learning environment and collaboration between industry and the public sector to "enhance the security, reliability, and resiliency" of the bulk power system, said Charlie Baradesco, CEO of NERC.
Exact details of the exercise are not released due to security concerns. But it is similar to the other GridEx exercises in that it has participants work through their incident response plans, practice their local and regional response, engage interdependent sectors, improve communication skills, engage senior leadership, and compile lessons learned. The exercise, however, has no impact on the real electric grid.
GridEx IV is a "series of escalating scenarios in which the system is stressed continually further," says Tom Fanning, Electricity Subsector Coordinating Council cochair and chairman, president and CEO of Southern Company. "Consider the joint effects of a cyber and kinetic attack that, as time goes by, creates greater consequences to our ability to undertake commerce…what we're looking for are the potential friction points or breaks in the system. That's how we learn."
Also new this year is an emphasis on communication with the public, incorporating social media response and fake news mitigation says Marcus Sachs, CSO of NERC. On the first day of the exercise, participants uploaded photographs of simulated damage, explosions, and news stories to test how that information would play out.
"Allowing that to play out in an exercise space…shows how the simulation is a good replication of real world problems that we face," Sachs says.
The exercise also pulls in other industry stakeholders outside of the utilities sector, such as finance and telecom, because the utility sector is dependent on these to get the grid back up and running should an incident occur.
"We're taking the Russian nesting doll approach to preserving our system when it's under duress," Fanning adds. "We're dependent on telecom—we've got to be able to talk to our people in the field."
While a cyberattack has never turned off the power in North America, stakeholders must remain vigilant, Baradesco added in a call with reporters on Thursday. GridEx helps ensure "we remain as prepared as possible."
More than 400 executives—from government and the private sector—are also involved in this year's GridEx, participating in tabletop exercises to work through how they would handle an attack on the grid.
This participation is critical, Sachs says, because "security starts at the top."
And this commitment to getting those at the top involved in the exercise sets GridEx apart from other exercise scenarios, says Brian Harrell, CPP, vice president of security at AlertEnterprise.
"While federal partners have often incorporated losing critical grid components within their exercise scenarios, GridEx is the only event that has industry CEOs, trade associations, government partners, academia, and utility subject matter experts responding to a grid reliability scenario," Harrell says.
Harrell is the former operations director of the Electricity ISAC and director of critical infrastructure protection programs at NERC. He helped launch the first GridEx in 2011 because, as the largest machine on the planet, the North American power grid requires constant maintenance, monitoring, and continuous learning.
"Exercises are a key component of national preparedness—a well-designed exercise provides a low-risk environment to test capabilities, familiarize personnel with security policies, and foster interaction and communication across organizations," Harrell adds.
Participation in GridEx is voluntary, but Harrell says there is value for utilities to participate—even if in a limited capacity.
"Reviewing the security response to the grid's critical components, such as generators, large substations, and transmission lines during a disruptive, coordinated attack on the grid will help industry understand how to make the system more secure," he says.
Other industries—both those inside and outside the United States—run exercises to test specific response plans, policies, and procedures. But these exercises tend to focus on reliability issues, as a result of supply shortages, natural disasters, and catastrophic failure, Harrell explains.
"Very few exercises incorporate a coordinated physical and cyberattack scenario designed to destroy critical infrastructure components," Harrell says.
This has become all the more important after the cyberattack on Ukraine's electric grid in December 2015, which resulted in the first known loss of power due to a cyberattack.
"The United States has never experienced a massive cyberattack-related power outage, but there have been direct cyber events in recent years against energy infrastructure, including intrusions into energy management systems, targeted malware,, and advanced persistent threats (APTs) left behind on computers by phishing attacks," Harrell says. "The perception that cyber risks are low because only a few and limited attacks have occurred on industrial control systems is not just ignorant, but highly dangerous."
Once GridEx IV is completed, participants will begin to share lessons learned which NERC will compile into an after-action report. That report, according to officials on Thursday's call, is expected to be released in March 2018.