This week, the North American Electric Reliability Corp. released its unclassified summary of its latest GridEx exercise, which tested how utility participants would handle a blackout following a cyber and physical attack on the U.S. grid. How vulnerable is the grid to an attack like the one simulated at GridEx, and how should state regulators take the lessons learned from the exercise to formulate a plan of action? On today's The Cutting Edge, EnergyWire reporter Peter Behr discusses the unclassified summary's details and next steps.
Monica Trauzzi: Welcome to The Cutting Edge. New details this week on NERC's latest GridEx exercise. Joining me today with the latest on the unclassified information is EnergyWire's Peter Behr. Pete, thanks for coming on the show.
Peter Behr: Thank you.
Monica Trauzzi: Pete, late last year NERC held the electric industry's third GridEx simulation. It tested how utility participants would handle blackouts following a cyber and physical attack on the U.S. grid. Yesterday the unclassified summary of the exercise was released. How eye-opening was GridEx III, and what new details did we find out yesterday?
Peter Behr: This report does not indicate where utilities and the grid are vulnerable, so that's not what's in there, but there are three takeaways that the report does contain. One is that the participation in this war-game simulation went way up. There were 166 utilities that took part in this, and that's about triple what they had in the first one in 2011. And this is an exercise, where the operators of the utilities sit at a computer. They have a secure connection to the war-games computer, and then they're hit with an escalating terrorist attack on their facilities, a physical attack by suicide squads, and then that's accompanied by a very advanced cyberattack that kind of fills the control room with bad information and takes down control systems. So, the participation is way up. That shows the industry does feel there's something to be worried about here.
The information-sharing system that the utility industry had was not up to the job, the report said. They have a secure portal, where a utility can send evidence of malware or attack software, and that's supposed to be quickly analyzed and then distributed, sent out to the whole industry so other utilities can see if this stuff is in their system. And in this exercise, they didn't use the real portal, but they created a mirror image of it, and it was overwhelmed by the flow of incoming traffic. So, that's one problem.
The second big piece to work on is that the coordination between the federal government, the state government, the National Guard, FBI to bring the system back up after a catastrophic attack is just not what it needs to be. So that's another priority that's coming out of this, and I would say the third thing, and this is probably troubling to NERC, is they asked all the utilities that took part to send in their lessons learned. How did it go? What worked; what didn't work? And only a quarter of the utilities actually have come through with their lessons learned.
Monica Trauzzi: So, how do state regulators take the lessons learned from GridEx, whatever they know of the lessons learned, to formulate a plan of action, because that's really the next step? How do you respond when something happens?
Peter Behr: Well, so we have this kind of split oversight. The high-voltage grid is regulated very closely by FERC, and NERC develops rules for it. We're in the sixth version of these rules. Each of the states controls the distribution utilities, and the most recent attack in the Ukraine, as we know, aimed at that distribution part of the grid that is not part of federal control. But I think that one of the takeaways from GridEx III is the need to get the governors and the federal agencies much more tightly integrated. So, if there was an outage that destroyed equipment, if you have extended blackouts, if you have cities without power for several weeks, how're you going to deal with that? And we don't have the right policies and laws in place, according to the participants here.
Monica Trauzzi: There have been calls for more substantive data on the risks to cybersecurity. What details are missing at this point, and is NERC being transparent enough? What is kind of the missing link?
Peter Behr: Well, the industry people who took part in this have access to a confidential version of the public report that's on NERC's website, and we're told that goes into much more detail about what happened. But, again, this particular exercise is less about stopping this cyberattack from getting in as it is, what do you do in the unlikely but possible event of a major attack that blacks out cities for weeks? And it really stresses the need to practice. This is the fifth anniversary of the Fukushima Daiichi catastrophe in Japan, and the big lesson from that was they were completely unprepared for the worst-case disaster that hit them. So, this is all about preparing for something that probably won't happen but could happen, and each utility has to train and make sure that it knows how to get to the FBI, how to get to the governor's office, how to be in touch with the National Guard if they ever got hit with this. So, in terms of exposing new vulnerabilities in the grid to cyberattack, that's not what they were trying to do here.
Monica Trauzzi: All right, Pete, we'll end it there. Thank you for coming on the show. It's always nice to see you.
Peter Behr: My pleasure.
Monica Trauzzi: More Cutting Edge coming next Friday. We'll see you then.
[End of Audio]