NERC, Utilities Ready for GridEx IV Cyber Security Event
The North American Electric Reliability Corp. is planning its fourth annual massive scenario, called GridEx IV. The event, which runs through Thursday, offers utilities a chance to know how they would respond to coordinated threats, discover where weaknesses hide and strengthen crisis communication.
The North American power grid will come under attack Wednesday. Guaranteed.
It’ll be a virtual combination of cyber and physical shots aimed not to take down the electric delivery system continent-wide but to help officials better plan for the real thing someday. Maybe soon.
The North American Electric Reliability Corp. is planning its fourth annual massive scenario, called GridEx IV. The event, which runs through Thursday, offers utilities a chance to know how they would respond to coordinated threats, discover where weaknesses hide and strengthen crisis communication, according to the GridEx statement.
Utilities and other grid stakeholders through North American have been planning GridEx IV for two years. GridEx III was held in November 2015 and the first one took place in November 2011.
“The GridEx planning team designs the exercise to allow each organization to participate in a way that is consistent with its available resources and real-world operational environment,” reads NERC’s media release on the event. “NERC asks participating organizations to complete an after-action survey and encourages them to share with the Electricity Information Sharing and Analysis Center lessons learned for the key observations and recommendations provided in reports after each exercise.”
GridEx IV, like the others before it, will learn from its predecessor. GridEx III’s participants included about 4,400 individuals from 364 organizations, making it the biggest cyber grid security exercise to date. More than 200 of those companies allocated staff staff to actively respond as if it were a real event, while more than 100 organizations observed the exercise.
At the time, NERC and its participants played it as real as possible under the controlled setting.
“The event is severe,” Gerry Cauley, president and CEO of NERC, said in November 2015. He added that the attack vectors include simulated assaults on public-facing Internet and customer service sites, as well as those that would cause damage to equipment such as transformers.
NERC does not disclose the scenario premise for the simulated attack. It also includes an executive tabletop group which observes and gathers insights from the events. GridEx III’s tabletop group included representatives from the National Security Council, Department of Energy, Department of Defense, FBI and National Guard, among others.
Probing attacks on the U.S. grid are nothing new, but much has changed since the last GridEx. In December 2015, only a month after GridEx III, hackers using the “Black Energy” bug successfully entered the Ukrainian grid, causing outages to about 225,000 customers in that nation.
Shortly before then, longtime television journalist and author Ted Koppel published a book about his investigation into the likelihood of a cyber attack on the U.S. power system. Koppel’s book “Lights Out: A Nation Unprepared, Surviving the Aftermath,” warned that the United States is shockingly unprepared for the attack which could cause blackouts that last weeks, maybe months.