A cyberattack on the electric grid, widespread misinformation on social media, isolated blackouts, communications failures and active shooters.
Is it ever too early to plan for the barrage of emergencies?
The answer is a resounding “no” from electric co-op veterans of GridEx IV.
“GridEx focuses attention on continuous improvement to our cyber- and physical security efforts as we strive for operational excellence,” said Mike Kraft, senior engineer at Basin Electric Power Cooperative in Bismarck, North Dakota.
The biennial exercise organized by the North American Electric Reliability Corporation (NERC) gives utilities large and small the opportunity to flex their security muscles under extreme simulated emergencies.
“The lessons learned from GridEx assist Basin Electric in protecting our critical infrastructure. This helps us provide reliable power to our members,” said Kraft.
About 6,500 individuals and 450 organizations across industry, law enforcement and government agencies participated in the simulation exercise last November. NERC recently released a report with details and findings from the exercise.
Twenty-six G&Ts and 24 distribution cooperatives participated in GridEx IV. Co-op participation has grown significantly. In 2015, a total of 18 G&Ts and distribution co-ops took part in GridEx III.
“We do internal drills several times a year, but GridEx gives us the opportunity to participate in an exercise of this magnitude with large-scale coordination of entities,” said David Revill, vice president, power technology at Georgia System Operations Corporation (GSOC) in Tucker, Georgia. “We take cyber- and physical security extremely seriously, and believe that practice makes perfect.”
Tri-State Generation & Transmission also conducts “several internal and external exercises to validate and improve our processes,” said David W. Sayles Jr., business resiliency manager for G&T in Westminster, Colorado. “GridEx IV reinforced the importance of coordinating with external partners during a cascading coordinated national attack scenario.”
GridEx V is slated for Nov. 13-14, 2019.
Putting Communications to the Test
GSOC has participated in all four NERC GridEx drills. Basin Electric took part in GridEx III and GridEx IV. Each year the exercise creates more challenging scenarios, forcing participants to strengthen their security strategies.
Brian Haggard, GSOC’s lead planner for GridEx IV, noted that the exercise “really put communication and coordination methods to the test.”
GridEx IV emphasized social media, where the public and the utility try to communicate as malevolent actors use the platform to spread false messages to trigger mayhem.
“Spending time on social media may not be what you think of as work, but, when responding to a cybersecurity event, both internal and external communications are essential,” said Haggard.
Kraft urged co-ops to “identify who needs to know what, when do they need to know it, and how the communication will occur.”
“Communications are a key component to success during a crisis,” he said. “Recognize that and have a plan to deal with communication barriers.”
The co-ops plan to tweak their internal drills using lessons learned from the NERC exercise.
“Adversaries keep changing their methods,” said Haggard. “We need to evolve with them.”
Defending co-ops starts now
GridEx participants said keeping their co-ops safe doesn’t end with this exercise, and they encouraged other co-ops to get involved as soon as possible.
Tri-State G&T first got involved as an observing organization during GridEx III.
“That prepared us for full participation in GridEx IV,” said Sayles. “Observing the exercise helped us set meaningful objectives and identify the Tri-State departments to participate in 2017.”
Co-ops that have never participated should use the NERC report “as a punch list against their cybersecurity strategy,” said Kraft. Basin Electric invited member co-ops to be observers during the recent GridEx.
Kraft also recommends co-ops join NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) and NRECA programs such as the Rural Cooperative Cyber Security Capabilities Program (RC3).
GSOC’s Revill noted that there is a “significant investment” of time involved in planning and participating in the two-day exercise. But co-ops can tailor their participation to fit their organization, he said. “Whether you’re a large or small co-op, there’s something for you in this exercise.”