The North American Electric Reliability Corporation (NERC) last week wrapped up its grid security exercise, GridEx VI, with a large number of public power utilities having participated.
Over two days, more than 700 planners led their organizations’ efforts to exercise their response and recovery plans in the face of simulated, coordinated cyber and physical attacks on the North American bulk power system and other critical infrastructure.
This year, GridEx participants expanded to include more representation from public power, co-op and municipal entities, Canadian partners and other critical infrastructure sectors, such as natural gas, original equipment manufacturers, financial services, and telecommunications, NERC said. Approximately 60 public power utilities participated.
Hosted every two years by NERC’s Electric Information Sharing and Analysis Center (E-ISAC), GridEx is the largest grid security exercise in North America.
GridEx is “designed for utilities and government stakeholders to both exercise their response and recovery plans as well as to grease the skids for collaboration efforts during a massive cyber and physical security event that we hold in a simulated environment,” said Jim Robb, president and CEO of NERC, in a roundtable with media on Nov. 18.
“Of course, since we last held GridEx in 2019, the threat environment has changed significantly,” he said. “In addition to dealing with the pandemic, many entities have had to implement response and recovery plans in the face of actual cyber and physical attacks,” Robb said.
“This is our sixth GridEx and we’re very pleased this year that we’ve seen increased interest and participation” from public power utilities, among others, “despite the strains of the pandemic,” he said.
Kevin Wailes, administrator and CEO of Nebraska public power utility Lincoln Electric System and ESCC co-chair, said that “when we go through this process, it’s not just this event that we are preparing for, but it’s those that we have actually experienced, even this year.”
By way of example, he pointed to Hurricane Ida. “This same group of people, to a large extent,” played roles in helping to respond to the hurricane, Wailes noted.
Wailes discussed GridEx during a recent appearance on the American Public Power Association’s Public Power Now podcast.
The exercise concluded with an invitation-only executive tabletop session, which brought together industry and government executives to focus on strategic and policy-level issues raised during the exercise.
Robb noted that the tabletop exercise participants include executives from the electricity, natural gas, telecommunications and financial services industries, the Electricity Subsector Coordinating Council (ESCC) and senior federal government officials from the Department of Homeland Security and the Department of Energy, among others, “as well as our Canadian partners.”
Following GridEx VI, the E-ISAC will develop a public report on the exercise with input from all participants. The report is scheduled to be released in March 2022.
Since the last GridEx in 2019, the cyber security landscape has continued to evolve, guided by geopolitical events, new vulnerabilities, changes in technologies, and increasingly bold cyber criminals and hackers, NERC said.
Lessons learned from GridEx over the years include tangible recommendations for entities as well as industry-wide insights leading to strengthened crisis communication procedures across the industry such as the development of the cyber mutual assistance program, which has proven to be a critical resource, NERC said.