The North American Electric Reliability Corporation conducted the GridEx IV security exercise in November 2017, the fourth such exercise since 2011.
The purpose of the exercise is to undertake geographically distributed exercises that are designed to simulate an overwhelming, coordinated physical and cyberattack on the grid and provide utilities the opportunity to strengthen crisis response and enhance understanding from lessons learned.
Each exercise has specific objectives, and those for GridEx IV were:
- Exercise incident response plans
- Expand local and regional response
- Engage critical interdependencies
- Improve communication
- Gather lessons learned and
- Engage senior leadership.
The 2017 exercise, led by NERC’s Electricity Information Sharing and Analysis Center, included 6,500 participants, an increase of about 2,000 from GridEx III in 2015. The GridEx IV participants represented more than 450 organisations across industry and government, growing by 86 organisations more than GridEx III – a significant achievement.
GridEx consists of a two-day distributed play exercise and a separate executive tabletop on the second day. The six-hour executive tabletop portion took place on 16 November and involved 42 industry executives and/or senior government officials. This structured discussion encouraged participants to share the actions they would take in responding to the scenarios, along with potential issues they would face. In particular, participants articulated the severe limitations and barriers that would need to be addressed, both independently and collaboratively, to respond.
The vast majority of GridEx participants take part in the exercise from their workplaces, where they receive scenario injects that detail different cyber and physical threats based on real-world attacks against critical infrastructure. Each scenario was modified at the local level to have the greatest applicability to exercise participants, and prompted a response both internally and externally, based on the information provided.
An exercise control cell, based in the Washington DC area, managed simulated news reports, monitored the exercise, and gathered lessons learned.
Four events made up the baseline scenario and each lasted four hours. The scenario inject for each move were conducted in real-time and was followed by a 30-minute break for discussion and problem identification. Scenarios one to four happened on 15 and 16 November 2017.
Objective 1: Exercise crisis response and recovery
- Increase the extent to which entities exercise their cyber, physical, and operations response: 96% of respondents indicated that they felt their ability to ‘exercise cyber, physical, and operational security response plans’ was ‘well’ or ‘very well’ done.
Objective 2: Expand local and regional response
- The 2017 exercise involved law enforcement from eight different states, six State National Guards and 29 FBI field offices. Additionally, there were 17 State emergency management agencies that participated. The Wisconsin and South Carolina state governments used GridEx IV as their annual capstone exercise, involving all of their departments and agencies.
Objective 3: Engage critical interdependencies
- One of the key objectives was to involve cross-sector entities and 2017 saw the participation of four gas utilities, five water utilities, and two telecom companies. In future exercises, NERC will encourage these cross-sector entities to play a larger and more active role.
Objective 4: Improve communication
- While many participants felt that internal communications and communications with the E-ISAC and Bulk Power System Awareness departments worked well or very well, it was clear that communication with neighbouring utilities and law enforcement fell short of expectations.
- One clear outcome was the need for alternative methods of communication such as SATCOM, HF, WPS or GETS. However, this also raised the issue of ensuring the staff are familiar with the alternative communication channels available and that these are sufficiently robust to ensure they meet organisational requirements.
Objective 5: Gather lessons learned
- Feedback from participating organisations needs to be improved with only 25 feedback reports received. While lessons learned may appear to be specific to the organisation, by sharing the reports, a wider trend may be identified. NERC will continue to encourage the sharing of lessons learned.
Objective 6: Engage senior leadership
- This was explored in the executive tabletop portion of GridEx IV.
While improvements have been made since 2013 to build on the collaborative relationships between the electricity industry and government there is a need to continue efforts in other more challenging areas, such as unity of message and effort.
- Two particular recommendations from participants that would help maintain reliable grid operations were:
– Increase grid emergency response capabilities through adequate communication options
– Ensure utilities have access to sensitive information: Share threats that may affect multiple critical infrastructure sectors.
- Topics for the next executive tabletop included:
– Increase participation with other critical infrastructure sectors to include “all lifeline sectors – Increase State level participation in future exercises through organisations like the National Governor’s Association, National Fusion Center Association, and the Adjutants General Association of the United States
– Consider security of generator fuel sources and whether this represents a vulnerability
– Review secure industrial control system architecture and whether these systems are adequately architected with security in mind
– Identify critical supply chains and what equipment may be vulnerable to supply chain disruption.
- Review monitoring of machine-to-machine communication and artificial intelligence: Identify and understand security risks with machine-to-machine interfaces and artificial intelligence in order to mitigate risks
- Consider including tactics: Are tactical capabilities are in place to execute policy-level decisions. For example:
– Template orders to implement FAST Act orders
– More focused regional-level scenarios to test who decides what, when, and how – Exercise ESCC/EGCC coordination with detailed scenarios to prompt specific decisions and how they would be implemented.
The exercise provides valuable opportunities for learning across the industry, allowing participants to improve their response to a crisis and especially, how crisis coordination with others is undertaken. With each successive GridEx, more and more industry and government organizations and individuals take part, recognizing the value in such a large cooperative exercise towards building the public/private relationships that would be called on in such a severe attack.
Understanding how cyber and physical incidents could disrupt the reliability of the grid prepares industry staff to more quickly identify threats, share information about them with others, and respond to realworld events with law enforcement and first responders. SEI