Recent Incidents and Exercises Highlight the Importance of Increasing Electric Grid Resilience, Information Sharing
A group of China state-sponsored hackers allegedly infiltrated networks that are used for real-time operations for electric grid control and dispatch in India via their DVR and IP camera systems, according to new research published this week by Recorded Future.
The intrusions targeted at least seven Indian State Load Despatch Centres (SLDCs); Recorded Future’s Insikt Group said the targeting appeared to be geographically concentrated, focused on SLDCs near the disputed India-China border in Ladakh.
“In addition to the targeting of power grid assets, we also identified the compromise of a national emergency response system and the Indian subsidiary of a multinational logistics company by the same threat activity group,” the researchers said. “To achieve this, the group likely compromised and co-opted Internet-facing DVR/IP camera devices for command and control of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy (FRP).”
Insikt Group finds continued targeting of the Indian power grid by Chinese state-sponsored activity group - likely intended to enable information gathering surrounding critical infrastructure systems or pre-positioning for future activity. Read more: https://t.co/XWBeu85K6I — Recorded Future (@RecordedFuture) April 7, 2022
This is not the first intrusion into India’s system that the researchers have identified, and they attribute the activity to information gathering about critical infrastructure systems or pre-positioning for future activity.
“The objective for intrusions may include gaining an increased understanding into these complex systems in order to facilitate capability development for future use or gaining sufficient access across the system in preparation for future contingency operations,” Insikt Group said.
Meanwhile, across the globe, more than 1 million customers were without power in Puerto Rico this week after a fire at the U.S. territory’s main power plant caused its largest blackout of the year.
“The blackout also left nearly 170,000 customers without water, forced authorities to close some main roads, and snarled traffic elsewhere across the island of 3.2 million people, where the roar of generators and smell of diesel filled the air,” according to the Associated Press reporting from San Juan.
The cause of the fire is not yet known, but could have been caused by a circuit-breaker failure, said a representative of Luma—the company that took over transmission and distribution from Puerto Rico’s Electric Power Authority in 2021. This most recent fire is just the latest in a series of challenges Puerto Rico’s grid has faced, including two previous fires at substations and the catastrophic damage to the grid caused by Hurricane Maria in 2017.
These incidents, coupled with disruptions in electric service in Ukraine due to Russia’s invasion, highlight the fragility of the electric grid and the importance of pre-planning to respond quickly to mitigate further damage from physical attacks and cyber incidents.
To help the electricity industry better prepare for these scenarios, the North American Electric Reliability Corporation (NERC) and the Electricity Information Sharing and Analysis Center (E-ISAC) released on Thursday a report that analyzes an international exercise to provide recommendations for actions by the industry, cross-sector partners, and government.
Enhancing routine and emergency operations coordination between the electricity industry and natural gas providers is one of several recommendations identified in @NERC_Official and the E-ISAC’s GridEx VI Lessons Learned Report, which was published today: https://t.co/iCmC2qAGfc — NERC (@NERC_Official) April 7, 2022
The exercise, known as GridEx, is held every two years with an emphasis on including participants from across North America. The most recent exercise, GridEx VI, was held in November 2021, with thousands of participants from Bermuda, Canada, New Zealand, and the United States testing the operational and policy measures needed to restore the grid after a severe cyber and physical attack.
“Exercising emergency response preparedness on this scale is a tremendous undertaking by industry and government partners,” said Manny Cancel, NERC senior vice president and CEO of the E-ISAC, in a press release. “Expanding the reach of the exercise was a key recommendation arising from GridEx V. Our recent exercise was further enhanced by the presence of our Canadian partners, as well as other critical infrastructure partners from telecommunications, water, and gas sectors.”
The GridEx VI scenario focused on a response to cyber and physical attacks that caused reliability, resilience, and security issues that impacted the U.S. West Coast and Canada, along with natural gas and telecommunications impacts. The exercise was broken into two parts—a distributed play and a tabletop—with each participating organization responsible for managing their portion of the exercise based on materials supplied by GridEx VI coordinators.
In GridEx VI Lessons Learned, the report shares policy recommendations based on the exercise to help the industry better prepare for and respond to a severe security event. These include:
- Continuing to build effective communications procedures and systems to share operational and security information. “The electricity industry has robust grid monitoring and control capabilities that have withstood the test of emergency situations over decades of operation,” according to the report. “However, the tabletop scenario presented conditions that severely strained the industry’s ability to communicate operational status to their many external stakeholders, including state/provincial and local government.”
- Clarify the differing crisis communications roles of the Electricity Subsector Coordinating Council and Reliability Coordinators with the government and its members, including Canadian members. “Given the cross-border nature of the scenario, the Canadian and U.S. federal governments would be involved with the electricity industry, introducing a level of crisis communication not needed since the 2003 Northeast Blackout,” the report said. “While the [Electricity Subsector Coordinating Council] can facilitate some of this communication, the directly-impacted RCs and utilities would be responsible for ensuring timely and effective communication and action.”
- Continue to enhance routine and emergency operations coordination between the electricity industry and natural gas providers. “Federal government mechanisms to share potentially-sensitive security information with the electricity industry are challenging during normal conditions, and these mechanisms would be severely strained by the incidents described in the scenario,” the report found. “Approaches that require security clearances or one-day read-ins, access to specialized facilities are not feasible to support rapid industry response; however, in emergency situations, there are some options that allow for these constraints to be addressed.”
- Strengthen operational coordination between the electricity industry and communications providers. During this exercise, “the Tabletop scenario featured a widespread loss of landline and cellular communications while electric utilities were recovering from the cyber and physical attacks and restoring the grid,” according to the report. “Participants agreed that the loss of communications would essentially halt the grid restoration process.”
- Continue to reinforce government relationships between the United States and Canada to support industry response. “The scenario included disruptions of natural gas to generating stations. Compared with the GridEx V Tabletop two years ago, the discussion benefited from the more robust participation of natural gas operators and natural gas trade associations in the United States and Canada, some of whom are part of the natural gas industry’s National Mutual Assistance Program.”
In an interview with Security Management, Ross Johnson, CPP, president of Bridgehead Security Consulting, who has participated in GridEx exercises, including GridEx VI, and is the co-chair of the ASIS International Utilities Community, says that a recurring area for continuous improvement is passing information between different stakeholders while events are quickly unfolding. That makes preserving whatever communication channels remain available during an incident even more important.
“If you’re in the middle of a huge outage and you need to do a lot of coordination to bring it back, that’s not a good time to lose your communicability,” Johnson adds. “Our communications need to be robust enough to operate well under the worst conditions because that’s what we’re always trying to exercise against is under the worst conditions.”
Additionally, having connections between stakeholders in peaceful times so that information sharing is happening has become even more important following Russia’s invasion of Ukraine and the changing geopolitical environment.
“When we get into times of increased geopolitical concern—like what we’re in right now—we want to be sending information out quickly to members of the E-ISAC and the grid,” Johnson says. “We need to be saying, ‘These are the issues of concern, these are the things you should be looking at, the indicators of compromise that you should be protecting against.’ The information flows quite quickly, so this would be a difficult time to initially jump into the river and understand what’s going on.”
One of the aspects that stood out about GridEx VI, Johnson says, was how including more participants from various sectors has allowed the exercise to become more complex. Coordinators have also been able to build in scenarios based on real-life threats that the stakeholders were already addressing.
For instance, in the tabletop exercise, a transmission disturbance was caused by a wildfire, and participants had to address it. Subsequent physical and cyberattacks on electric and natural gas infrastructure then caused power outages, and wind generation resources were also disrupted by control and response issues. In 2021, Canada and the United States faced a major wildfire season as well as significant flooding—all of which can impact the electric grid.
“It lent a great deal of urgency to what we were doing—urgency and relevance,” Johnson adds. “All these low probability events—the 1-in-50-year, 1-in-100-year, 1-in-1,000-year events—are all happening now. All these checks are coming due at the same time.”
Brian Harrell, former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security and a key developer of the GridEx program, also adds that he was happy to see the attention given to renewable wind generation in the GridEx VI scenario.
“The scenario highlighted that in the case of essential grid communications, there is an urgent need to consider alternative communication paths that have functionality and reliability in the case of an extreme telecommunications disruption,” Harrell adds. “Cloud-based solutions and private fiber-optic networks could be a good option. At a minimum, during an outage, communications providers should prioritize grid control centers and other critical electricity facilities. Highlighting sector interdependencies continues to be eye-opening and remains an issue that needs greater evaluation, especially with respect to critical manufacturing and the water sectors.”
Ultimately, communication across borders and industries about the threat environment, support measures, and response steps is what makes the GridEx exercise valuable and important for stakeholders, Johnson says.
“The electricity flows back and forth across the border. It doesn’t know it’s there,” he adds. “We have to make sure the process, procedures, and understanding flow back across the border as well.”