GridNERC drill finds U.S. grid preparedness insufficient

Published 17 March 2014

The North American Electric Reliability Corporation (NERC) reported that its recent GridEx II exercise has highlighted the fact that nearly all the utilities which took part in the two-day drill last November – a drill aiming to test the preparedness of the U.S. power grid to withstand cyber and physical attacks – admitted that their planning for such attacks was insufficient. NERC’s president, Gerry Cauley, said that protecting utilities against cyber and physical attacks should be considered in the context of measures taken to protect the grid from other threats. He noted that utilities are already hardening their systems against storms like Hurricane Sandy, while working to determine their vulnerability to solar activity that changes the earth’s magnetic field.

The North American Electric Reliability Corporation (NERC) reported that its recent GridEx II exercise has highlighted the fact that nearly all the utilities which took part in the two-day drill last November – a drill aiming to test the preparedness of the U.S. power grid to withstand cyber and physical attacks – admitted that their planning for such attacks was insufficient.

More than 2,000 companies and organizations from across the United States, Canada, and Mexico participated in the exercise, and all said the drill showed them their vulnerabilities and how important communication among utilities was if such an attack occurred.

The New York Times reports that the NERC report offered few details. The organizers said it would make little sense to publicize the grid’s shortcomings beyond the organizations involved with it on a daily basis, and that NERC was communicating with the utilities individually about their performances.

The exercise provided “a one-two punch between cyber and physical security avenues,” Bill Lawrence, NERC’s manager of critical infrastructure protection awareness told the Times.

The drill found that the utility system needed better access to additional transformers, and that utilities and law enforcement personnel need to “develop mechanisms to preserve evidence and collect forensic data following a suspected physical or cyberattack,” and do so while trying to get the system back on.

The report noted that more than 98 percent of participating organizations found the exercise “useful for identifying opportunities to enhance their cyberincident response plans,” and 92 percent said the same for physical incident response plans.

The drill also revealed ordinary problems. For example, drill planners emphasized the importance of holding conference calls to keep all participants informed about attacks on neighboring utilities, but the conference call system did not have enough telephone lines.

The drill consisted of 12-hour simulated attacks during the first day, followed by twelve hours of a “tabletop exercise” on the second day, aiming to explore the point at which the federal government should intervene during a coordinated attack on the grid.

Gridex II was more than twice the size of the first exercise, conducted two years ago. The Times notes that there were many more participants this time, too, reflecting the growing anxiety about the vulnerability of the grid. The next exercise will be held next year.

Following an attack last year on a California high-voltage substation (see “Attack on California power station heightens concerns about grid security,” HSNW, 7 February 2014), the Federal Energy Regulatory Commission (FERC) has instructed utilities to prepare reports about their vulnerabilities.

NERC’s president, Gerry Cauley, said that protecting utilities against cyber and physical attacks should be considered in the context of measures taken to protect the grid from other threats. He noted that utilities are already hardening their systems against storms like Hurricane Sandy, while working to determine their vulnerability to solar activity that changes the earth’s magnetic field.

“We have to keep this always in perspective,” he said. The question was “getting the bang from the buck” spent on behalf of electricity customers for protection and resiliency. “We have to be always conscious of that balance,” he said.