Sunday, November 17, 2013

Electric Grid Cyber Exercise - GridEx II

During the past month or so there has been a considerable emphasis on the resilience of the U.S. Electric Grid.  For instance the National Geographic Channel ran a program on a simulated cyber attack of the electric grid that resulted in a substantial national blackout (please see my blog comments HERE).

Secondly, the SANS Institute posted a well-produced video showing how a cyber attack could occur on a electric utility in the U.S.  You can view this very enlightening, eight-minute-long video HERE.

Thirdly, on Wednesday, November 13th, the North American Electric Reliability Corporation (NERC) began conducting a two-day national cyber war game to determine how resilient the electric grid and its many utility operators and supporters are to such an attack.  My friend Andy Bochman wrote about this exercise in his BLOG and Mr. Matthew Wald of the New York Times wrote an interesting article summarizing the drill.  NERC's very brief press release regarding the exercise is HERE.

Some key summary notes about the exercise include (Thanks to Mr. Wald's article for most of these "facts."):
  • The exercise was named "GridEx II" (the first Grid Exercise -- aka GridEx -- was held in 2011)
  • More than 200 industry and government organizations participated in the cyber and physical security exercise
  • The exercise was designed to enhance and improve cyber and physical security resources and practices within the industry. 
  • Each hour of drill time was meant to simulate four hours of actual activity -- the drill ran for eight hours on Wednesday and four hours on Thursday
  • The exercise gave participants the opportunity to check the readiness of their crisis action plans through simulated attacks/events to self-assess response and recovery capabilities, and to adjust actions and plans as needed, while communicating with industry and government organizations.
  • The simulated attacks included:
    • injected computer malware
    • cyber denial of service attacks
    • bombed transformers and substations
    • knocked out power lines
    • 150 simulated "casualties" including seven deaths of police officers, firefighters and utility workers investigating the attack scenes who were "shot" by attackers still at the damaged location
  • One main aspect of the drill was a log of all phone and email communications to determine whether the participants could promptly reach the appropriate people at power companies, police stations or distant cybersecurity centers, and whether they could communicate the appropriate information. 
  • According to Mr. Wald's article even the Royal Canadian Mounted Police (RCMP) participated in GridEx II. -- Don't forget that the electric grid we rely upon is the "North American" electric grid and Canadian electric companies are major providers of power to the U.S.

If done right exercises are an excellent way to really stress your policies, procedures and resources and to see how well prepared your company/state/region/country is for the "real thing."  My exposure to GridEx II -- albeit limited -- has certainly given me a sense that this was a good test and worthwhile for the electric grid operators, managers, regulators and policy makers.  

I'm looking forward to the formal after-action report.

And, just to show the value of such exercises, here is a quote from Mr. Wald's NYT article that make me take notice:

At the Southwestern Electric Power Company, a subsidiary of American Electric Power that serves parts of Louisiana, Arkansas and eastern Texas, attackers used guns and bombs against a power plant and a transformer, and 108,000 of the company’s 520,000 customers lost power. “There were certainly surprises for us,” said Venita McCellon-Allen, the president and chief operating officer. “I sat up straight in my chair.”

Thanks to the GridEx team!  Well done!