A major U.S. grid authority is urging utilities to weigh how their fuel choices could affect national security.
The North American Electric Reliability Corp.'s call for examining the "security of generator fuel sources" marks one of several takeaways from last year's GridEx IV security exercise, which pitted mock hackers and physical assailants against 6,500 government and industry grid defenders.
"Consider whether the diversity of fuel sources (today and into the future) presents a vulnerability to common mode failures or disruptions," NERC recommended Friday in a summary of "Lessons Learned" from the exercise.
The warning comes at a pivotal moment for the U.S. energy sector, which has seen cheap, natural gas-fired power generation steadily replace retiring coal and nuclear plants. The status quo has left some regions of the power grid heavily reliant on single gas pipelines or storage facilities, grid overseers say (Energywire, Nov. 15, 2017).
Brian Harrell, president and chief security officer at the Cutlass Security Group risk consultancy and a former GridEx organizer, pointed out that a failure in either the gas or electricity sectors could wind up spilling over into the other. He said he expected power companies to take some of the findings from GridEx IV to heart. "This comes down to utilities that are now going to say, 'OK, we cannot be dependent on one particular fuel source, so we need to try to diversify a little bit, just for the resilience of our own systems,'" he said.
NERC noted in its after-action report that it was "encouraged" by greater participation from the natural gas industry in last year's dress rehearsal for a grid disaster. Four gas utilities joined the two-day exercise, in addition to five water utilities and two telecom companies, NERC reported.
"There's been a lot of attention paid at the CEO level to get those sectors together," noted Bill Lawrence, director of NERC's Electricity Information Sharing and Analysis Center and a key architect of last year's exercise.
He said it will be "interesting" to see whether the electricity, telecommunciations and financial sectors coalesce to form a Strategic Infrastructure Coordinating Council, an idea first floated by a presidential advisory group last summer (Energywire, Aug. 23, 2017).
While he stopped short of endorsing the council outright, Lawrence said he and his staff at the E-ISAC "have been working to explore the possibilities of what that might look like" and are prepared to offer help.
Friday's report offered a high-level play-by-play account of the biennial exercise, which draws participation from hundreds of utilities across the country.
"The severe cyber and physical security attacks that we throw against our participants ... they're very difficult for them to handle," Lawrence said.
"Move 1" kicked off on a mid-November morning, when simulated hackers brought down some of the energy management systems that keep the bulk transmission grid in working order. Unidentified "adversaries" simultaneously launched physical attacks at multiple preplanned sites, using vehicles laden with explosive charges, NERC said (Energywire, Nov. 14, 2017).
The news got worse from there, and by "Move 2" in the simulation, "it became clear to participants that the attacks were large-scale and coordinated," with multiple regions across North America hit hard, according to NERC.
Following the "distributed play" portion of the exercise, utility executives and government officials met for a six-hour tabletop session to practice how they would handle an even grimmer grid crisis. That group included members of the White House National Security Council as well as senior grid security officials from the Edison Electric Institute and other industry organizations.
Can you hear me now?
Participants said the exercise showed the need for utilities to keep open lines of communication to make sure line workers can safely repair the grid and to get up-to-date information on evolving threats.
NERC called for bulk power operators to set contingency plans that use multiple technologies in case some modes are overwhelmed or brought down.
"Everyone participating in the exercise understands that traditional communications pathways — whether it's over landlines or voice-over IP, as well as cellphones — may not be totally available in a large-scale cyber and physical attack," said Lawrence.
The "Lessons Learned" report also recommended that NERC's threat information hub get its own backup radio system to keep in touch with its members in worst-case events.
Sharla Artz, vice president of government affairs, policy and cybersecurity at the Utilities Technology Council, lauded NERC's focus on an underappreciated linchpin of the modern grid.
"You think of lines that carry electricity — the electrons — from place to place," she said. "But what you don't realize is that underpinning that operation is a communications network that's transmitting data about the system."
She said GridEx IV "appropriately highlighted" the importance of reliable communications and that she expected the industry to pay close attention to the issue this year.
GridEx IV also tested utilities' external communications, forcing companies to consider how they would tell the public about a fast-moving threat.
NERC simulated news broadcasts and social media responses to the disastrous scenario as it unfolded, and exercise planners raised the prospect of attackers stirring the pot to sow confusion.
Adversaries "can take advantage" of new media channels "to scare our population into making bad decisions or just being concerned for their safety," Lawrence said. "Those are aspects we can explore safely in an exercise and just be a little more prepared for."
NERC reported that many utilities "found that their external messaging was 'ad hoc' and that they did not have an external communications playbook" for countering misinformation. The grid overseer recommended organizations refine their crisis communications plans and called for rehearsing the issue in greater detail at the next GridEx.
Harrell said he appreciated the risks of sharing information amid the fog of a widespread attack but urged utilities to practice getting the word out on sites like Twitter and Facebook anyway.
"I think more utilities need to embrace social media, and not shy away from this medium to communicate with the concerned public," he said. "Those who don't embrace social media will have the story told for them, and it may not be a good one."
Clarification: An earlier version of this story characterized NERC as the top U.S. grid regulator. The Federal Energy Regulatory Commission has oversight authority over NERC.