Massive grid attack exercise tests response

By Peter Behr | 11/20/2015 08:25 AM EST

A simulated widespread enemy attack on the North American electric power network this week created a disaster scenario, challenging grid operators to repel coordinated cyber intrusions and assaults on grid installations by heavily armed terrorist squads and rogue drones.

Under this practice scenario meant to point to any major vulnerabilities, millions of Americans were facing long-term power outages in a nationwide crisis.

"It breaks the system pretty severely," said Gerry Cauley, president and chief executive of the North American Electric Reliability Corp., which designed and ran the GridEx III exercise.


Some 350 utilities, government agencies and other organizations, and an estimated 10,000 participants were engaged Wednesday in the non-public training exercise, playing out the "war game" scenarios on secured Internet channels. A second exercise required industry chief executives and federal agency leaders to arrange transfers of massive spare grid transformers around the country to replace units destroyed in the "attacks."

In a briefing for reporters, Cauley did not pinpoint any major problems requiring immediate new responses. He said a detailed report on lessons learned could be ready in January.

The exercise indicated that despite accelerating investments in new grid defenses, a worst-case attack could leave parts or all of some cities temporarily uninhabitable. However, an event of such magnitude would take a coordinated physical and cyber attack on a scale that would be "very rare and very difficult," Cauley said.

"There were very serious events occurring in a simulated fashion on the grid, including attacks; cyberattacks on corporate computers and systems; attacks on communications systems; infiltration of control systems, relays and controls in substations and power plants; as well as physical attacks in terms of explosive and shooting," Cauley said.

Paris attacks excluded

Cauley said the terrorist attacks in Paris on Friday were intentionally not built into the exercise. "We are acutely aware" of the Paris attacks "and the heightened urgency around that," Cauley said. No particular attacker was identified in GridEx III, he added. "It’s not pinning this on any particular actor, but it is broad-based, [with] hundreds of points of attack on the grid. So it’s obviously very big and very coordinated."

Tom Fanning, chief executive of Southern Co. and head of a utility industry leadership group that meets with federal counterparts on grid threats, said high-level communications with the government began immediately following the Paris attacks, wholly apart from the NERC exercise.

The industry group — the Electricity Sub-sector Coordinating Council — was activated Friday evening, he told reporters, joining Cauley in the briefing. "We followed through the weekend with detailed interaction with the government," he said.

"People should understand that the government is on top of these issues in a very serious, detailed manner," Fanning said. "Throughout the weekend, the government was all over this," he said of the events in Paris. "You should be very proud of the response by the government," contrary to some of the criticism it receives, he added.

While not detailing how the simulated attacks were structured, Cauley said that the cyber assaults were designed to simulate not only disrupted communications between key nodes on the grid but also cyber manipulation of controls that would damage or destroy essential machinery and equipment.

"As a practical matter, it is very, very, very difficult to carry out [such attacks] in the field given the separation of control systems from the public-facing Internet and the protections that are put in place," he said.

"We don’t want to say it can’t happen. We have included that in the exercise as a very challenging set of circumstances," he added, "but it would be very rare and very difficult. We just want to be prepared."

A controversial study in 2013 by Federal Energy Regulatory Commission staff found that a successful physical attack on a relatively small number of strategically located high-voltage transformer substations could cause widespread outages. FERC subsequently added mandatory physical defense preparations to existing cybersecurity requirements for grid operators.

GridEx III did not test the FERC scenario, participants said. "While there is a national scenario [underlying GridEx III], it gives ultimate flexibility to utilities to determine what cyber and physical attacks it wants to impose on their players," said Brian Harrell, a director of Navigant Consulting’s energy practice and a former NERC grid cybersecurity official.

Teamwork tested

The exercise tested teamwork among utilities, federal agencies and local law enforcement, which has suffered in certain instances because of communications gaps and incomplete planning, according to experts. Despite repeated attempts, Congress has not been able to agree on legislation to strengthen threat information sharing.

The second day of the exercise yesterday centered on industry and government collaboration in restoring electrical service. "We get an opportunity to demonstrate the working partnership we have established and the … trust we’ve built between industry and government," Cauley said.

"This GridEx exercise is an opportunity for our federal partners to interact with industry and hopefully test communications channels, push information products, and evaluate how to better get key information into the hands of grid operators," Navigant’s Harrell said in an email comment.

The industry wants more and better sharing and analysis of threat information. It remains to be seen how well government agencies can respond, he added. "Cybersecurity response and information sharing with federal partners continues to be a learning process."

Cauley said that communications issues have improved over the past two years, but he added, "it’s always striving to get to the next level because I don’t think we are declaring a victory."

"We are going to find ways to work effectively together," said Deputy Energy Secretary Elizabeth Sherwood-Randall.

Fanning said that collaboration "is going to be a never-ending saga."