This is a test: How NERC plans to up the stakes for this year’s GridEx disaster exercise
This week, more than 5,000 people will participate in a simulated attack on the North American grid, in an effort to prepare for what some see as an inevitability.
Later this week, utility officials and first responders will get the call they dread the most: A successful cyber and physical attack collapsed large portions of the grid.
It is just a drill — the biennial GridEx exercise put on by the North American Electric Reliability Corp. (NERC) — but grid operators will treat it like a true disaster situation, running through their crisis plans, coordinating responses and reassuring customers as they rush to “restore power.”
This is the fourth such drill since 2011, but this year it has taken on a new sense of urgency. There has been a wide range of cyberattacks in the last couple of years — including at least one successful grid attack in Ukraine — and hackers have become more sophisticated in their methods. At the same time, physical attacks are now a fear around the world.
According to a recent report from consulting firm Accenture, more than three quarters of utility executives in North America believe a cyberattack is likely in the next five years. Those results mirrored results from Utility Dive’s 2017 survey of utility professionals, which found cyber and physical grid security to be the most pressing issue facing the industry.
More than 5,000 people will participate in GridEx, including utility officials, Homeland Security, local law enforcement and the FBI — as well as officials in Canada and Mexico. And involvement will stretch beyond the power sector to include the natural gas industry, financial services and telecommunications. It is the first year those last two sectors have been included.
There will be no way to stop this attack in advance — GridEx IV’s focus is primarily on the response — but it will give the industry an opportunity to better understand the relationships necessary to cope with an actual event.
“We want asset owners and operators to exercise their crisis response plans in a severe scenario, and build the relationships they will need with other utilities, state, local and federal partners, especially the first responders and law enforcement who will be necessary to ensure safety of workers in attacks like this,” said Bill Lawrence, the director of NERC’s Electricity Information Sharing and Analysis Center.
The GridEx team has a lot to work with, between experts on both the industry and government sides, as well as real-world events which have occurred. The exercise scenarios use “unclassified real world instances that happened, as well as the imaginations of some folks on our planning team,” Lawrence said.
“We are focused on one of the primary threats we think could be brought against the North American grid, and that is a combined cyber and physical security attack,” Lawrence said.
In recent years, fears of a successful grid attack have moved far beyond a theoretical possibility.
It was 10 years ago that researchers at Idaho National Laboratory’s Aurora Project demonstrated how a remote attacker could damage generators. By opening and closing certain circuit breakers, hackers could push a machine’s rotating parts out of alignment, damaging a power plant and taking it offline.
The 2015 attack on Ukraine, which caused widespread blackouts in that country, proved that it was not just possible but that hackers were actively looking at power plant vulnerabilities. And U.S. officials have conceded for some years that China has the capability to take down parts of the domestic grid.
In the wake of the 2016 presidential election, where hacking and cyber threats became a major election issue, Sen. John McCain (R-AZ) revealed that Russia also has the capability to shut down American power plants through cyber hacking efforts.
“It isn’t just elections that they are hacking into. It is across the board … including the ability to shut down power plants,” McCain said on Meet the Press. “They can do grave danger to the United States of America.”
All of this has thrust the United States into a kind of cyber cold war. Scott Aaronson, executive director for security and business continuity at Edison Electric Institute, told Utility Dive earlier this year that “what the Russians can do, so can the U.S.”
While attackers have yet to be successful on a wide scale, the U.S. is already a target.
Over the summer, U.S. officials were investigating a failed attack that targeted nuclear generation this year. Code-named “Nuclear 17,” the attack targeted Wolf Creek Nuclear, owned by Kansas City Power & Light Co., Westar Energy and Kansas Electric Power Cooperative. The 1,200 MW plant’s operational systems are separate from its internet-connected network, but news of the attempt was a warning signal for the industry.
Hacking the grid is an enormously difficult challenge, but the sophistication of bad actors is on the rise.
The key reason the United States has been successful in thwarting intruders — at least so far — Lawrence said, “is the great deal of attention paid to security based on the NERC standards … and then above that, utilities that have really taken security on board and go well beyond the standards. That gives us a lot of professionalism behind defense, and also a great deal of diversity.”
NERC, along with government agencies and other industry groups, is continuing the work to boost security across the industry.
This fall, NERC proposed new reliability standards aimed at strengthening the vendor supply chain that delivers software and critical updates to manage the country’s bulk electric supply system. The new standards require entities to develop and implement plans to address supply chain cybersecurity risks, and address concerns that supply chains for information and communications technology and industrial control systems present a potential weak spot in grid defense.