Electric grid hacking exercise puts spotlight on shortage of security clearances
As foreign hackers continue to probe the U.S. grid for weaknesses, a cyber exercise for the North American energy sector has shown that many utility personnel still lack access to the classified information needed to stay on top of the threat.
Not enough utility employees had the clearances needed to share threat information for a serious cyberattack scenario rehearsed during the exercise, according to a report published Friday by regulator North American Electric Reliability Corp. (NERC).
“Government should plan to quickly declassify information that utilities need to prevent or respond to attacks,” the report states.
During the two-day exercise, which took place in November, government officials and utility executives worked together to respond to simulated “cyber and physical attacks” against control systems and generation and transmission facilities “that caused widespread and prolonged power outages,” the report notes.
Energy industry officials have long urged the U.S. government to expedite the clearance process for private sector operators. Last year, American Gas Association CEO Dave McCurdy told lawmakers that his industry was in pressing need of actionable cyberthreat information.
This fourth iteration of the biennial “GridEx” exercise convened a record 6,500 people from 450 organizations, including electricity transmission authorities and academics. As hackers have grown bolder in attacking the industrial control systems (ICS) that underpin the grid in places like Ukraine, observers credit GridEx with sharpening the North American grid’s defenses.
“GridEx does a great job in finding new areas to explore and focus on rather than a rinse-and-repeat sort of mentality,” Ben Miller, director of threat operations for ICS security firm Dragos, told CyberScoop.