Biennial exercises that simulate attacks on portions of the power grid in North America have led to a number of security improvements since the first exercise in 2011, industry and government officials said on Thursday.
“The point of GridEx is to find our vulnerabilities and improve them,” Tom Fanning, CEO of Southern Company [SO], the second largest utility company in the U.S., said during a media briefing to discuss the latest Grid Security Exercise (GridEx).
GridEx V, the fifth version of the grid, was completed on Thursday after two days of simulated cyber and physical regional attacks, largely in New York, that highlighted interconnectivity among various aspects of the natural gas industry, and the financial services and telecommunications sectors, federal, state and local authorities, and stakeholders in Canada.
The two exercises, which also included an executive tabletop exercise of CEOs, focused this year on how participants would actually respond and coordinate to recover from an attack.
In the past eight years since the start of the GridEx events, there has been an increase in the number of security clearances held by industry, Kevin Wailes, CEO of Nebraska-based Lincoln Electric System, a small non-profit, customer-owned utility, said on the media call.
Wailes is also co-chair, along with Fanning, of the Electricity Subsector Coordinating Council, the principal liaison between the federal government and the electric power industry.
Wailes also said that between GridEx I and GridEx V there has been an increase in the amount of information being shared by various stakeholders and improved partnerships. After the third GridEx, he pointed out that the utility industry created a cyber mutual assistance group, similar to the type of group that already existed to help when natural disasters strike.
The cyber mutual aid group essentially recognizes “that any individual utility may not have enough bench strength in a catastrophic event and need to find ways to make that happen. There’s significantly more communication. There’s a variety of things that have been basically developed after these exercises that were the gaps that we discovered.”
While Lincoln Electric is a small utility, Wailes said GridEx V showed the interest in how it responded to the exercise. On Wednesday, there were over 100 participants in a room at the utility, half of which were not employees.
Wailes said Nebraska’s Lt. Governor and Adjutant General of the National Air Guard attended, as did cyber protection team members from the Guard, congressional staff, state senate staff and senators, law enforcement and first responders, and local utilities.
All these stakeholders wanted to see “what the challenges would be for any utility, let alone a local smaller utility trying to deal with a catastrophic event,” he said.
A lessons-learned report from GridEx V will be available next March.