Participants in the recent GridEx critical infrastructure exercise requested even more cybersecurity exercises, prompting the program to vow to “seek out leading-edge cyber training capabilities to facilitate more cyber challenges” in relationships with the Energy Department and national laboratories to “allow organizations to seek a more immersive cyber security exercise experience.”
The North American Electric Reliability Corporation recently released the GridEx V Lessons Learned Report to review the November 2019 security exercise, which included more than 7,000 participants from industry and government in the United States and Canada.
The executive tabletop scenario involved grid restoration after a crippling combined cyber and physical attack on electricity and natural gas systems in the northeast U.S. and southern Ontario, including cyber attacks on utility control systems and physical attacks targeting key electricity generation and transmission facilities and natural gas transmission. The cyber front included continuous attacks and “apparent copycat attacks using hacking tools readily available on the Internet.”
“This U.S.–Canada operational perspective focused the policy-level discussions beyond generalities to discuss which policy decisions would be effective or would create unintended consequences,” the report said.
The first phase of the exercise focused on how authorities would respond in the first hour after an attack, with a second phase focused on “near-term extraordinary operational measures” amid widespread power outages. The final phase centered on extraordinary operational measures after the first day, when some power would be restored but “serious critical infrastructure outages persist.”
“Participants noted that a critical component stockpile, such as a protective relay reserve similar to the transformer reserve, could fill a critical component gap in a cyber attack against the grid,” the report said.
Recommendations gleaned from the executive tabletop exercise included:
- “Ensure grid emergency response and restoration plans account for the complexity of national security emergencies and describe coordination with federal and state or provincial authorities.”
- “Incorporate natural gas providers and pipeline operators into restoration planning and drills.”
- “Enhance coordination with communications providers to support restoration and recovery and advocate for continued availability of 6 GHz spectrum.”
- “Build consensus with DOE on the design, issuing mechanisms, and liability protections for GSE orders issued under Section 215A of the Federal Power Act.”
- “Identify key supply chain elements and consider the formation of shared inventory programs for the most critical components.”
- “Continue to grow participation in the ESCC CMA program.”
- “Continue to strengthen the operational industry and government coordination between the United States and Canada.”
Fake malware called MOOSESCEPTER was created by Idaho National Laboratory through DOE’s National Exercise Program to be the principal adversary cyber malware campaign during GridEx V. “In the exercise, electricity industry cyber security professionals faced a problem set that included artifacts, signatures, and suspicious files,” the report said, adding that respondents described the MOOSESCEPTER scenario inject material as “exciting,” “original,” and “truly challenging.”
Brian Harrell, assistant director for infrastructure security at the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, told HSToday that NERC’s GridEx served as “an opportunity for utilities to demonstrate how they would respond to, and recover from, a simulated cyber and physical security event.”
“This simulated scenario was designed to help strengthen response and recovery plans, crisis communications, and provide input for sector-wide lessons learned. The electricity industry has routinely made improvements based off of lessons learned from this biannual report and I anticipate more of the same,” Harrell said.
Harrell added that GridEx and similar exercises embody “CISA’s vision of defending against today’s threats and working to secure our collective tomorrow.”
“Exercises by their very nature are a critical part of enhancing our nation’s critical infrastructure security and resilience,” he said. “By challenging and practicing our incident plans in a no-fault, safe environment, we are able to identify areas that work well and identify areas that need improvement.”