Powering Strong Communities
Security and Resilience (Cyber and Physical)

Grid Security Exercise Tackles Real-World Cyber, Physical Threats

The North American Electric Reliability Corporation last week wrapped up its grid security exercise, GridEx VII.

On Nov. 15-16, more than 250 organizations – including public power utilities – “played simultaneously in a complex and challenging scenario while adapting the exercise to meet their specific organizational needs,” NERC noted in a news release.

This year’s scenario reflected real-world cyber and physical threats and was designed to stress-test crisis response and recovery plans. Hosted every two years by NERC’s Electricity Information Sharing and Analysis Center, GridEx is the largest grid security exercise in North America.

Scott Corwin, President and CEO of the American Public Power Association, and Adrienne Lotto, Senior Vice President for Grid Security, Technical & Operations Services, at APPA, participated in the exercise.

“GridEx is a great example of how the power industry is proactively meeting cyber and physical threats to the grid head on,” Corwin said. “It also gives utilities the opportunity to work collaboratively with their federal government partners to effectively address the evolving threat environment facing the energy sector.”

A total of 47 public power utilities and entities took part in the exercise.

“Although, the E-ISAC is not aware of any specific credible cyber or physical threats to the North American grid, the threat landscape in which we are operating is unprecedented -- we are facing challenges that are increasingly difficult to detect and protect against,” said Manny Cancel, NERC senior vice president and E-ISAC chief executive officer.

“Our adversaries continue to look for ways to exploit our interconnected system. We must continue to be vigilant. By working together in exercises like GridEx, we can make sure they are not successful,” he said.

Nebraska public power utility Lincoln Electric System has participated in every GridEx events since 2011, either as an observer or participant.

“There’s a strong commitment from public power and smaller utilities to recognize the evolving threats on our grid,” said Kevin Wailes, LES CEO, and co-chair of the Electricity Subsector Coordinating Council. “This year, LES took the framework developed by NERC and modified it to include our 80 direct participants and about 40 agencies and different observers involved,” he said.

“The exercise has matured a lot over the years. Some of the threats we have today never would have been conceived during the first GridEx,” Wailes said.

“With thousands of people and hundreds of companies and agencies involved in this effort over the two days, the learning experiences we’ve gained will aid critical infrastructure in keeping this country safe,” he said.

Since GridEx VI in 2021, the E-ISAC has expanded partnerships and reciprocal information sharing with industry sectors associated with electricity “and the E-ISAC leverages these partnerships to help members mitigate potential compromises to their systems,” NERC said.

Exercises like GridEx are an important aspect of NERC’s mission to assure the reliability and resilience of the bulk power system, which is inextricably tied to grid security, NERC said.

Since the last GridEx in 2021, “the cyber security landscape has continued to evolve, guided by geopolitical events, new vulnerabilities, changes in technologies, and increasingly bold cyber criminals and hackers,” NERC went on to say.

“I’m extremely proud of how our sector has responded to -- and addressed -- these challenges,” said Cancel. “Our remarkable resilience and unity as well as rapid and innovative response capabilities are a reflection of how our industry has been monitoring and, through exercises like GridEx, preparing for these events for decades.”

The exercise concluded with an invitation-only executive tabletop session, which brought together industry and government executives to focus on strategic and policy-level issues raised during the exercise and offered the opportunity for serious dialog about how to make the grid more secure.

Following GridEx VII, the E-ISAC will develop a public report on the exercise with input from all participants.

The report is scheduled to be released by the end of the first quarter of 2024.