Cybersecurity and Physical Security

Five reasons why your utility should participate in GridEx V

Every other year the Electricity Information Sharing and Analysis Center (E-ISAC) and the North American Electric Reliability Corporation (NERC) conduct a nation-wide exercise to test how the utility industry would react to a coordinated cyber and physical attack on the North American electric grid. The exercise plays out in real-time with participants from the US, Canada and Mexico. The fifth iteration of GridEx (GridEx V) will be held November 13-14, 2019. If you have not participated in this exercise, you have missed a great opportunity to test yourself and your organization.

My first exposure to the exercise was as an observer in 2015. I received the training materials and simply watched the exercise play out. I was very impressed with the exercise and saw how it could test and strengthen our internal training. We then decided to actively participate in 2017—with more than 100 employees participating.

It was a great experience. In addition to making us think critically about how we would respond to an attack on the grid, it also allowed us to look internally to identify our strengths and opportunities for improvement. This was well worth the time and labor spent preparing for participation.

In 2019, the national effort has been expanded to reach distribution-only utilities (or those with limited generation or transmission assets). The American Public Power Association has been at the GridEx V planning table and ensured that there are numerous distribution level problems or “injects” that will serve to engage medium to small utilities.

Here are 5 reasons your utility should participate in GridEx V:

  1. Its free and flexible. You can participate from your office (at your convenience) over the two days of the exercise.
  2. It’s an opportunity for your utility to demonstrate how it would respond and recover from simulated cyber and physical threats and incidents.  
  3. It will almost certainly strengthen your crisis communications skills—or at least flag areas where you need to improve your preparation or planning.
  4. It’s confidential. You do not need to share how well or poorly your organization responded to the exercise. You can keep it all confidential and use the information to improve your preparedness and response efforts.
  5. You choose the level of participation as either “active” (i.e., directly involved in planning, exercise, and after-action activities) or “observing” (i.e., more limited participation)  

To learn more about GridEx V and how you can participate, join the American Public Power Association for a free webinar on April 11 from 11 a.m. to noon Eastern. The webinar will feature the E-ISAC in addition to myself and a participant from Lincoln Electric System in Nebraska. Listen to the recording of this webinar here.

For more information on participating in GridEx V, please contact the Association’s Cybersecurity Team at [email protected].