North American Companies Dive into Continent’s Largest Grid Security Exercise
Where security incidents are concerned, practice might not make perfect, but it certainly leads to improvement.
This week, groups from across the North American electricity infrastructure system have converged for the seventh biennial North American Electric Reliability Corporation (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) grid security exercise—GridEx VII.
GridEx provides electricity providers, government agencies, and other organizations an opportunity to exercise their emergency response and recovery plans as part of a simulated cyber and physical security attack affecting the North American grid. The two-day simulation is the culmination of a year of work analyzing past findings to determine areas for improvement and testing, coordinating between agencies and companies, planning the exercise, and navigating complex logistical arrangements.
Past exercises have centered around advanced persistent threat attacks, simulated physical attacks on transmission and generation facilities, and coordinated physical and cyberattacks from a nation-state against the North American grid.
Typically, the exercise is divided into two portions: distributed play, which provides an opportunity to engage participants across North America to test grid resilience and their own organization’s individual response plans, and an executive tabletop exercise, which convenes industry executives and government leaders to explore the challenges posed by a severe, converged cyber and physical attack. The sixth GridEx executive tabletop (in 2021) was held virtually for the first time, enabling wider participation.
GridEx VI in 2021 involved five “moves” or stages of distributed play that participants had to contend with:
- Move 0. In the week leading up to the exercise, cyber and physical threats to electricity infrastructure emerged across North America, and initial reports indicated that adversaries were conducting aggressive reconnaissance of the electric grid, telecommunications infrastructure, and natural gas facilities.
- Move 1. On the morning of the exercise, planners announced that control system faults caused generation unit outages across numerous plants, followed by transmission substation system faults. Large explosions trip generators offline and open transmission circuit breakers near-simultaneously at multiple locations.
- Move 2. Later that day, physical attacks on pipelines and liquid natural gas production facilities disrupted natural gas supplies to generators. Cyber and physical attacks targeted telecommunications infrastructure, forcing players to rely on backup systems.
- Move 3. The next morning, the adversary directly targeted critical employees. Social media users claimed responsibility and threatened further incidents. Operations staff received vague but credible threats against them and their families via robocall.
- Move 4. Later that day, further social media threats targeted specific transmission and distribution facilities. Entities implemented emergency operations plans and worked with partners to recover from the attacks.
The objectives for each GridEx change based on the findings from previous exercises and emerging needs and threats within the electricity system. Each exercise is followed by an after-action survey and report. Coordination and emergency communication with stakeholders, government agencies, and other necessary partners are regular areas for continued improvement. The surveys also reveal ways for the exercise itself to improve moving forward.
NERC began #GridExVII today, the largest grid #security exercise in North America. Participating organizations across #industry and government will exercise their response and recovery plans in simulated, coordinated #cyber and physical attacks on the #grid. pic.twitter.com/nF4j6azFGO— NERC (@NERC_Official) November 14, 2023
For GridEd VII, which took place 14-15 November, the objectives included:
- Exercise incident, operating, communications, mutual assistance, and crisis management response plans.
- Respond to imminent cyber, physical, and other threats with the potential to affect the reliable operation of the grid.
- Enhance coordination with state/provincial and local governments, suppliers supporting critical operations, and industry partners to facilitate restoration.
- Manage interdependencies with natural gas sector, telecommunications sector, and other critical sectors.
- Exercise response to IT and communications systems failures.
- Respond to emergency events in a remote or hybrid environment with reduced staff availability and limited access to resources.
“The sector-wide exercise was a great opportunity to test response and recovery, but also to ensure we are moving rapidly to restore critical services,” Brian Harrell, former assistant secretary for infrastructure protection at the U.S. Department of Homeland Security and current energy sector security executive, tells Security Management. “The scenario put security, emergency preparedness, and individual business units ‘through the paces’ to highlight opportunities for improvement and future investment areas. The ability to communicate with destroyed or degraded systems is always a challenge, so the exercise challenged all participants to think outside the box. Our focus this year was on insider threat, supply chain, and critical communications.”
Past participants have lauded how GridEx enabled them to practically test their emergency preparedness and identify areas for improvement. The distributed play exercise is designed to be customized to each organization’s resources, participation level, and time availability, which enables more groups to take part.
"It lent a great deal of urgency to what we were doing—urgency and relevance,” ASIS Member Ross Johnson, CPP, president of Bridgehead Security Consulting, told Security Management in 2022 after participating in GridEx VI. “All these low probability events—the 1-in-50-year, 1-in-100-year, 1-in-1,000-year events—are all happening now. All these checks are coming due at the same time.”
Nebraska-based Lincoln Electric System (LES) noted in a press release today that “Participating in this drill allowed LES and others in the industry to continue building effective communications procedures and systems to share operational and security information. LES has a handful of ‘planners’ who developed realistic and challenging situations to test LES’ participants and allowed the utility to refine the response capabilities to unique threats.”
“When an entire community depends on you to keep their lights on, you can never be too prepared for the next emergency,” Eric Ruskamp, LES manager of regulatory compliance and GridEx VII planner, said in the press release. “GridEx is just one of the many ways LES works to stay ahead of future threats to our power supply.”