Although industry response has improved in recent years, the North American bulk power system must bolster coordination and communication and streamline incident reporting when dealing with potential physical attacks and cyberattacks, according to a new report from the North American Electric Reliability Corp.
NERC released a report March 31 on its GridEx III exercise, the organization's third large-scale cyber and physical attack simulation. The event took place Nov. 18-19, 2015, and was the largest exercise to date, involving more than 4,400 individuals and 364 organizations in the U.S. and Canada, including 166 utilities.
GridEx III showed "continued improvement to coordination, communication and emergency response actions," but more work is needed, NERC said. The report suggested that NERC's Electricity Information Sharing and Analysis Center, or E-ISAC, portal needs to be enhanced to accommodate urgent real-time communication with industry and other stakeholders in the event of an attack. Participants said information was "quickly buried within the portal," which made highlighting urgent items difficult.
In addition, cyber and physical security incident reporting mechanisms must be reviewed for redundancies, and coordination should be improved with local law enforcement and first responders on physical security threats that could prevent utility workers from repairing damaged facilities, NERC said.
The exercise was directed from a facility in McLean, Va., and included NERC staff and directors, government representatives, industry experts and members of a working group established by NERC's Critical Infrastructure Protection Committee. The group delivered materials for the exercise to participating utilities, which then began to experience simulated control system operation issues and receive reports of break-ins. Those events were followed by an escalation in malware intrusions and coordinated physical attacks that disrupted communications and caused generation and transmission outages in the simulation environment.
During those setbacks, E-ISAC and NERC's Bulk Power System Awareness, or BPSA, group held a conference call with E-ISAC portal members to share information and provide an update on grid reliability. On Nov. 18, BPSA received reports on 88 physical security events, 23 cybersecurity incidents, 10 suspicious activities and 47 impacted electricity assets. By the next day, the number of reports fell to 18 for physical security, eight for cybersecurity incidents and six for suspicious activities, with no further reports regarding electricity assets.
NERC was vague about what kinds of attacks it staged, but the simulated events were similar to real-life incidents, including a 2013 at a California substation and interference from unmanned aerial vehicles, E-ISAC Associate Director of Stakeholder Engagement, Bill Lawrence, said on a March 31 conference call. Utilities could also choose from a "menu" of simulated cyberattack options that use corporate networks or remote access to manipulate utilities' industrial control systems. Those attack modes mirror the Dec. 23, 2015, cyberattack-driven grid outage in Ukraine, which temporarily left about 225,000 customers without power.
"Security exercises like NERC's GridEx are essential for industry and government partners to experience a worst-case, advanced-threat scenario to better prepare against any real crisis events," Lawrence said.
GridEx III also included a "tabletop" discussion with 17 NERC and utility senior executives, as well as government officials from the White House, U.S. Department of Energy, U.S. Department of Homeland Security and the FBI, among other agencies. The group went over actions, policy issues and other decisions required in the event of physical and cyberattacks, including priorities for restoring electricity service and ways to prevent financial defaults tied to major attacks.