E-ISAC releases report on GridEx VII exercise, highlighting recommendations for grid security and resilience

The Electricity Information Sharing and Analysis Center (E-ISAC), a division of the North American Electric Reliability Corporation (NERC), released its report on the seventh biennial grid security and resilience exercise, GridEx VII. This exercise, the largest of its kind in North America, concluded in November and played a vital role in testing and improving rapid and innovative response capabilities.

The GridEx VII report summarizes the recommendations and observations identified through each exercise. The recommendations are intended to help electric utilities, government partners, the E-ISAC, and other stakeholders prepare for and respond to security incidents that affect the North American electricity system. 

The GridEx exercises included Distributed Play and an Executive Tabletop (Tabletop). The E-ISAC developed specific goals for each portion of GridEx VII. The Tabletop focused on policy-level decisions for senior industry and government leadership, while Distributed Play focused on operational response activities.

The goal of Distributed Play was to exercise the resilience of the North American electric system in the face of a coordinated attack from a nation-state adversary, while that of the Executive Tabletop was to engage senior industry and government leadership in a comprehensive discussion of the extraordinary operational measures needed to protect and restore the reliable operation of the grid.

On Nov. 14 and 15 last year, operational participants across North America exercised the resilience of the electric system in the decentralized and independent Distributed Play exercise. On Nov. 16, industry executives and government leaders from the U.S. and Canada convened in person in Washington, D.C., as well as virtually, to explore the challenges presented by cyber and physical attacks against the electric grid and the electric market system.

To achieve its objective, Distributed Play was structured to test incident response, operational procedures, communication protocols, mutual assistance efforts, and crisis management plans. It aimed to address immediate cyber, physical, and other threats that could impact grid reliability and improve coordination with state/provincial and local governments, critical operations suppliers, and industry partners to expedite restoration efforts.

The GridEx VII report added that it also works towards managing interdependencies with natural gas, telecommunications, and other critical infrastructure sectors; exercising response to information technology (IT) and communications system failures; and exercising response to emergency events in a remote or hybrid environment with reduced staff availability and limited access to resources. 

The E-ISAC’s GridEx Planning Team established overarching objectives for Distributed Play, allowing participating entities to adapt these objectives or create their own to align with their organization’s specific priorities.

To accomplish its objective, the Tabletop exercise was structured to investigate the national security implications in the U.S. and Canada resulting from supply chain attacks on critical systems and software utilized by various industries, including vital telemetry connections between control centers. Additionally, it aimed to improve coordination within the electric industry, particularly with the natural gas and communications sectors, which have substantial interdependencies with the electric sector, to ensure the safe and reliable operation of the grid.

It also sought to enhance industry coordination with U.S. and Canadian federal and state/provincial governments, including communications mechanisms, and explore security and resilience implications of long‐term electricity market outages, recognizing the increasing diversity of generation resources.

The Tabletop recommendations identified that the industry should evaluate technologies and processes that could be used to increase the resilience of Inter-Control Center Communications Protocol (ICCP) telemetry exchange between control centers, according to the GridEx VII report. Also, it should evaluate opportunities to employ alternate technologies for operator voice (i.e., interpersonal) communications essential to operate the grid. 

Furthermore, industry and government should continue discussing how to consider government priorities during a complex and prolonged power outage scenario as part of the electric industry’s established restoration procedures. Lastly, the industry should evaluate options to manage the grid reliability impacts of the electricity market system or data unavailability over an extended period.

When it came to the Distributed Play recommendations, the GridEx VII report said that non-federal government partners and electric utilities should advance coordination efforts, as GridEx is an opportunity for the government to collaborate with electric utilities, increase mutual understanding, and identify critical interdependencies. 

It also identified that communications and response in a hybrid work environment should be further refined. By providing an opportunity to exercise in-person and virtual response protocols, GridEx VII helped participating organizations identify challenges with hybrid response and interoperable communications with internal and external response partners.

The GridEx VII report added that response planning should be augmented to ensure comprehension of technical information across functional teams and external response partners. It also called for GridEx to continue to evolve to provide additional support for planners from organizations of varying sizes and with different levels of experience. 

It also identified that cyber and technical components of the GridEx scenario should continue to be developed and expanded for future iterations of GridEx. GridEx is a grid security exercise that focuses on cyber and physical attacks on the grid and has been designed to reflect the current threat landscape. The E-ISAC’s GridEx Planning Team developed a Master Scenario Event List (MSEL) with both cyber and physical attack components, and cyber incident response formed a core component of many instances of GridEx VII. 

However, as participating organizations have varying levels of technical cyber expertise, the GridEx Planning Team will continue seeking to deliver a scenario and associated exercise material that cater to differing levels of cyber capabilities, the GridEx VII report determined.

The GridEx VII report identified that E-ISAC’s GridEx Planning Team should continue to develop complex cyber injects within the MSEL to allow planners to create a robust cyber scenario if appropriate for their organization. While not all organizations will use complex cyber injects, the GridEx Planning Team will work with cyber subject matter experts to ensure that organizations that do wish to exercise a more robust cyber scenario are provided with cyber injects before the FPM that allow for a sophisticated and challenging exercise. 

The E-ISAC’s GridEx Planning Team should provide more detailed guidance on cyber-related injects and inject supporting material for planners. The GridEx Planning Team will prepare uniform cyber injects with coinciding guidance from subject matter experts on how to use and implement the injects and accompanying supporting material. This will provide planners with a better understanding of how each inject and its supporting material can be used during the exercise.

The GridEx VII report highlighted that the E-ISAC will collaborate with industry and government partners to review the recommendations provided by participants for the upcoming Tabletop exercise. These include exploring options to enhance the resilience of Electricity Subsector Coordinating Council (ESCC) communications; interdependencies with the natural gas and communications sectors; developing a North American scope; enhancing state and provincial government participation; and addressing GridEx VII Tabletop policy matters within the context of operational realities without unnecessary technical details.

In February, the E-ISAC unveiled its 2023 End-of-Year Report alongside its 2023 Year-in-Review video, reflecting positive ERO (Electric Reliability Organization) response to a challenging year. The report highlighted that the electricity sector faced an unparalleled array of sophisticated cyber vulnerabilities in 2023, including malware, ransomware, supply chain exploits, and various other threats.
