Security of North American Energy Grid Tested in GridEx Exercise

A major exercise whose goal was to test the cyber and physical security of North America’s grid has enabled the energy industry and governments to review and improve incident response plans and collaboration.

The grid security exercise, GridEx V, was organized last week by the North American Electric Reliability Corporation (NERC) and it was hosted by its Electricity Information Sharing and Analysis Center (E‑ISAC).

According to NERC, over 6,500 participants representing more than 425 government and energy sector organizations in the United States, Canada and Mexico took part in the two-day exercise. In comparison, representatives of 370 organizations took part in the previous GridEx, which took place in 2017, but the number of participants was roughly the same.

It’s worth noting, however, that GridEx V also invited representatives of the natural gas, electrical equipment manufacturing, finance, and telecommunications sectors.

Described as the largest exercise of its kind, GridEx V aimed to test responses to cyber and physical security incidents and threats. Objectives included exercising incident response strategies, expanding the response of local and regional stakeholders, increasing participation of the supply chain, and improving communications.

SecurityWeek has reached out to NERC for more information about the simulated scenario, but the organization says it does not speak in detail about the scenario.

However, UtilityDive reported that the simulated attack targeted Consolidated Edison (Con Ed), which provides electricity and gas to New York City and Westchester. The scenario involved gas outages caused by a loss of supply, electric outages caused by a substation explosion, a water outage, and a cyberattack that resulted in the exposure of customer information. The scenario involved both physical and cyber attacks and unfolded over a period of several weeks.

“NERC’s GridEx series offers an invaluable opportunity for industry and government officials at all levels to evaluate crisis communications and security and response plans in order to identify new risks and develop actionable mitigation strategies,” said Tom Kuhn, president of the Edison Electric Institute (EEI). “Through the CEO-led Electricity Subsector Coordinating Council (ESCC), GridEx also helps us to enhance cross-sector coordination and develop a more detailed understanding of interdependencies and potential impacts to other critical infrastructure sectors.”

A report detailing GridEx V is expected to be published in March 2020.

The exercise comes after earlier this year a power utility in the United States reported interruptions to electrical system operations as a result of a denial-of-service (DoS) attack. It was revealed recently that the attack hit sPower, a Utah-based power producer that relies on wind and solar technologies, and it involved the exploitation of a known vulnerability affecting Cisco firewalls.

Related: U.S. to Help Secure Baltic Energy Grid Against Cyber Attacks

Related: NIST Working on Industrial IoT Security Guide for Energy Companies

Related: GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed