The North American Electric Reliability Corporation (NERC) released the results of its latest GridEx (GridEx V) Grid Security Exercise in a “Lessons Learned Report” on March 31.
NERC conducted its fifth biennial Grid Security Exercise (GridEx), a grid security and emergency response exercise, in November 2019. The exercise was structured as two days of distributed play, providing an opportunity for stakeholders in the electricity industry to respond to simulated cyber and physical attacks that affected the reliable operation of the grid.
While the exercise was almost a total success, NERC did highlight a few weaknesses that it saw as possible causes for concern in the future.
One of these was that, “While many utilities used GridEx to strengthen their relationships with RCs [Reliability Coordinators], law enforcement, and government agencies, others lacked the resources needed to coordinate responses to the challenges in the scenario.”
Move 0 is GridEx’s world-building phase. During it, the exercise gave participants information that cyber and physical security threats against the industry were growing, although they had no information about which facilities were targeted. This pre-exercise training highlights the work hackers do in advance, which is not unlike the infiltrations from Russia in the past few years, including hacking into the grid early to inspect it for when they return to cause damage.
Each day, members received three to five exercise threat notifications that said hackers were “aggressively conducting cyber and physical reconnaissance of electricity grid, telecommunications, and natural gas facilities across North America.” This took place during the three weeks prior to the start of GridEx. Members thought this portion of the exercise was valuable because it showed how quickly the threat level against the grid can grow. However, many participants were concerned that Move 0 was too long, and in response, the planning team will shorten it to one to two weeks in future exercises.
A third concern was that supply chain participation in GridEx V was very limited, leaving the utility industry potentially exposed.
The report noted, “Only three major electric industry supply chain vendors officially registered for GridEx V, although the number of participating vendors may have been greater. It is incumbent upon participating organizations to include supply chain partners in their response plans. Some organizations chose to engage with their supply chain partners during the exercise, while others did not.”
The problem here, according to NERC, is that supply chain vendors that do not avail themselves of the lessons and experiences provided by GridEx exercises may end up being targeted by hackers and would also not have the necessary resources to be involved in responses to actual cyber attacks on the utilities they serve.
As a result, NERC sees as one of its next steps to “Build on the positive contribution of the supply chain providers who participated in GridEx V by including other critical providers in the exercise.”