Simulated power-grid crash probes North America's growing cybersecurity problem

North American utility executives, power grid operators, government security officials and electric sector strategists watched a sophisticated, multifront onslaught of physical and cyberattacks bring the continent's electricity system to its knees Nov. 16-17.

It was only a test, but a very important one that the more than 700 participants — and the millions of electricity customers they serve — hope never becomes reality.

While the precise scenario of the simulated grid crash is confidential, the North American Electric Reliability Corp.'s sixth grid security exercise, dubbed GridEx VI, highlighted the electric utility industry's increasing exposure to risk through its deep dependence on telecommunications, natural gas and other critical infrastructure. It also illuminated the importance of collaborating across sector silos by sharing information about attacks and responding in a coordinated fashion.

"It's really designed for utilities and government stakeholders to both exercise their response and recovery plans, as well as to grease the skids for collaboration efforts during a massive cyber and physical security event that we hold in a simulated environment," NERC President and CEO Jim Robb said Nov. 18 during a media briefing.

"The conflict is in our telecommunication networks. It's in our electricity grids. It's in our financial systems," added Tom Fanning, the chairman, president and CEO of investor-owned utility Southern Co. "And when you consider the reach of cyber conflict, 87% of the critical infrastructure in America is owned by the private sector."

Fanning is on a special cyberspace commission created by Congress that in August called for greater collaboration with private companies to enhance the nation's cybersecurity efforts.

'Evolving threat landscape'

GridEx VI comes as the Biden administration seeks to dramatically scale up the country's defenses to cyberattacks from a wide range of state-sponsored and independent actors, and amid significant changes in the power sector that open new targets for exploitation and sabotage. That includes millions of workers driven home by the coronavirus pandemic, increasing digital connectivity across power and gas industries, and millions of new distributed energy devices.

"We all know that the energy systems are facing an unprecedented evolving threat landscape, from cyberattacks ... to increasing threats posed by our changing climate," said Puesh Kumar, acting principal deputy assistant secretary at the U.S. Energy Department's Office of Cybersecurity, Energy Security and Emergency Response.

"It really is the time to come together to tackle these challenges and address them through thoughtful conversations, thoughtful policies, thoughtful development of tools and technologies to really advance how we ensure that we have a resilient energy sector," Kumar said at the briefing.

Toward that end, Kumar pointed to the bipartisan infrastructure bill recently signed by President Joe Biden that included billions of dollars to upgrade and modernize the U.S. power grid.

The power sector's cyberrisk has grown substantially in volume and complexity since the last GridEx simulation in 2019, according to Manny Cancel, a senior vice president at NERC who heads up the reliability organization's Electricity Information Sharing and Analysis Center, known as E-ISAC.

"And unfortunately this trend shows no sign of subsiding," Cancel told reporters.

Cybersecurity incidents reported to E-ISAC were up 96% in 2020 from 2019, NERC said in a recent report. Incidents involving ransomware, supply chains, scanning and general "suspicious activity" all increased more than 100% over the year. Including events not reported to NERC, typical organizations experience "thousands or millions" of attempted compromises every day, according to the report.

Learning the lessons

E-ISAC, which hosts the biennial exercise, plans to publish a public report on GridEx VI next March to reflect input from participants. A few lessons already are clear from this year's test. Among them is the importance of sharing information about cybersecurity experiences.

"I can't emphasize strongly enough the importance of information sharing to achieving our mission of providing situational awareness to the industry in the form of timely and actionable information," Cancel said. In addition to intelligence provided by U.S. and Canadian government officials, NERC is seeing an increase in information being shared voluntarily by power sector asset owners and operators.

During a recent interview, Cancel noted how the interconnected nature of the power system with other sectors also exposes weak links. That was evident in the widespread outages related to extreme weather in California in August 2020 and Texas in February 2021, Cancel said. In both cases, the power sector's reliance on natural gas for grid reliability, especially when variable renewable energy resources are not producing electricity, played a major role in blackouts.

Cancel also pointed to the Colonial Pipeline Co. cybersecurity breach last May, a ransomware attack that shut down a sprawling pipeline system that transports gasoline, diesel and jet fuel from Texas across the East Coast.

"Had that been a natural gas pipeline, you might have been talking about more severe implications and ramifications," Cancel said. "Those sorts of events really sensitize us to the critical interdependence between these sectors."