Participants in a wide-ranging exercise to test the response to an attack on the power grid among industry and government as well as interdependent critical infrastructure sectors found that communications and information sharing were “severely strained” in a complex cyber-physical attack scenario and could “essentially halt the grid restoration process.”
The North American Electric Reliability Corporation wrapped up its GridEx VI exercise, managed by NERC’s Electricity Information Sharing and Analysis Center (E-ISAC), on Nov. 18, and released its report on lessons learned Thursday.
The Distributed Play portion of the exercise, held Nov. 16–17, allowed participants at the operations level to test the resilience of the electricity system in a scenario in which a nation-state adversary targeted the North American grid with coordinated cyber and physical attacks. “Incidents during Distributed Play involved nationwide impacts, including explosions tripping generators off-line, cyber attacks against industrial control systems, and physical attacks on pipelines and liquid natural gas production facilities,” the report noted. A total of 293 organizations participated, down from 526 organizations in GridEx V; some organizations that skipped the exercise this time cited the coronavirus pandemic and increased threat activity as reasons.
Goals of this part of the exercise included activating response plans, enhancing coordination with government to help restore power, identifying interdependence concerns with natural gas and telecommunications sectors, responding to a supply chain-based compromise to critical components, and identifying common mode and cyber operation concerns across interconnections.
The Nov. 18 Executive Tabletop convened government and industry partners to discuss challenges that such a severe cyber or physical attack would pose to the grid. The daylong event was held virtually for the first time to bring in more participants from across critical sectors — drawing leaders from 88 organizations, including greater participation from interdependent industries — and was facilitated by former FEMA Administrator Brock Long. Government agencies participating included the Canadian Centre for Cyber Security, U.S. Department of Defense, U.S. Department of Energy, U.S. Department of Homeland Security, Natural Resources Canada, Public Safety Canada, and the White House National Security Council.
The tabletop exercise was designed to strengthen the coordinated response between the U.S. and Canada as supply chain attacks on systems and software pose national security threats, enhance federal and state/provincial government coordination with industry as well as industry’s response among sectors, find ways to battle the effects of misinformation and disinformation during such incidents, explore emerging security and resilience implications related to traditional and renewable fuel mixes, and build consensus between industry and government on the implications of grid security emergency orders (GSE).
Tabletop exercise participants responded to the scenario in four phases: the first hour after the attack, when “challenging operating conditions further degrade reliability when the Western Interconnection splits into two islands after a transmission disturbance initially assumed to be caused by wildfires”; the next morning, when “attacks on electricity and natural gas infrastructure cause widespread power outages affecting many high-priority customers, including defense-critical facilities”; later in the day, when “telecommunications disruptions impair power system restoration activities and complicate coordination with government” and “wind generation resources are disrupted by widespread control and response issues”; and two weeks and beyond, when “the Western Interconnection is restored and customer load is eventually reconnected, but energy and capacity margins are tight for the foreseeable future” and “active cyber attacks have ceased.”
The timeline for the Distributed Play portion of the exercise consisted of four moves, running from the point when adversaries conducted aggressive cyber and physical reconnaissance of critical infrastructure, through the attacks themselves, to the point when “the adversary directly targeted critical employees, and pseudonymized social media users claimed responsibility for the attacks and threatened further incidents,” and “operations staff received vague but credible threats against them and their families via robocall.” Entities practiced implementing emergency operations plans and working with partners to recover from a devastating series of attacks.
Executives in the tabletop exercise recommended that partners “continue to build effective communications procedures and systems to share operational information” as the scenario “presented conditions that severely strained the industry’s ability to communicate operational status to their many external stakeholders,” including government. Entities should clarify differing crisis communications roles, the report said, and “continue to build effective communications procedures and systems to share security information” along with “continue to build on understanding of GSE order development and consultation processes.” Recommendations included continuing “to enhance routine and emergency operations coordination between the electricity industry and natural gas providers,” working to “strengthen operational coordination between the electricity industry and communications providers” as the scenario “featured a widespread loss of landline and cellular communications while electric utilities were recovering from the cyber and physical attacks and restoring the grid,” and continuing “to reinforce relationships between governments in the United States and Canada to support industry response to grid emergencies.”
“Industry participation in the exercise is time well spent and we were happy to see attention given to renewable wind generation within the scenario,” Brian Harrell, former Assistant Secretary for Infrastructure Protection at DHS and key developer of the GridEx program, told HSToday. “The scenario highlighted that in the case of essential grid communications, there is an urgent need to consider alternative communication paths that have functionality and reliability in the case of an extreme telecommunications disruption. Cloud-based solutions and private fiber-optic networks could be a good option.”
“At a minimum, during an outage, communications providers should prioritize grid control centers and other critical electricity facilities,” Harrell said. “Highlighting sector interdependencies continues to be eye-opening and remains an issue that needs greater evaluation, especially with respect to critical manufacturing and the water sectors.”
GridEx is held every two years. After the 2019 scenario, participants requested even more cybersecurity exercises, prompting the program to vow to “seek out leading-edge cyber training capabilities to facilitate more cyber challenges” in relationships with the Energy Department and national laboratories to “allow organizations to seek a more immersive cyber security exercise experience.”
That 2019 executive tabletop scenario involved grid restoration after a crippling combined cyber and physical attack on electricity and natural gas systems in the northeast U.S. and southern Ontario, including cyber attacks on utility control systems and physical attacks targeting key electricity generation and transmission facilities and natural gas transmission. The cyber front included continuous attacks and “apparent copycat attacks using hacking tools readily available on the Internet.”
Planning for GridEx VII in 2023 is underway, and the exercise will continue to be enhanced “to meet the challenges posed by the ever-evolving threat environment.”