GridEx Brings Power Grid Cybersecurity into PracticeDecember 02, 2019 by Robin Mitchell
GridEx is a conference aimed towards uptraining security experts and assessing threats facing core infrastructure processes.
This month, the North American Electric Reliability Corporation (NERC) ran the Grid Security Exercise—commonly known as GridEx—to test the strength of the US electrical grid against cyberattacks.
What is the NERC, who should participate in this exercise, and why is it important?
What Is the NERC?
The North American Electric Reliability Corporation, or NERC, is a non-profit corporation that seeks to strengthen the reliability of the American electrical grid. Originally set up in 1968, the original goal of the NERC was to promote reliability and adequacy of the bulk transmission grid. Since then, it reformed in 2006 to now combat modern problems including vulnerability to cybersecurity issues, enforcement of complacency with electrical standards, and provide training resources for accreditation systems.
With over 500 companies controlling different portions of the grid containing multiple grid interconnections and an ever-increasing population all reliant on the electrical grid, the importance of the NERC has dramatically increased. Electrical grids in the past used to be simple with little to no networking or remote control but with the rise of the internet and computer technology almost all grids are, to some degree, accessible via standard internet connections.
Because of this, there is a new threat on the horizon which has had NERC concerned for many years now: cyberattacks.
What Is GridEx?
The Grid Exercise, or GridEx for short, is an exercise run by NERC for utility companies to demonstrate how they would handle blackouts caused by both cyber and physical attacks.
Once the exercises are complete the NERC can advise utility companies on how they performed and how their response can be tailored to ensure that power lines are restored as fast as possible. The exercise, which is run once every two years, aims to perform a range of checks including incident response plans, expand local and regional response, improve communications, and increase supply chain participation.
Who Participates in the Exercises?
While ideally all parties involved with electrical generation and distribution should participate, it can be argued that the most vulnerable sectors are those with internet connectivity as well as those who are responsible for large metropolitan areas.
Power stations, for example, are responsible for generating power but—with so many of varying types and security factors—an attack on these would be incredibly hard. The other bonus of power generation is that, with so many stations connected to the network, knocking one out of the equation can be quickly responded to with other power stations increasing their electrical output until the original station is brought back online. Sub-stations, however, are particularly at risk as they are often networked and can disconnect whole electrical distribution networks.
Other parties that should be involved with GridEx are regional and federal governments, critical infrastructure cross-sector partners, and supply chain organizations. An argument could also be made that law enforcement should take note in the event that blackouts are caused by criminal activity (both cyber and physical).
Is GridEx Necessary?
There have been multiple instances where both the American electrical grid and other countries have been attacked by foreign governments before. While these attacks are usually more of an annoyance (e.g., a military test exercise), they bring into question what a foreign power would be capable of.
While the most obvious advantage would be shutting down essential services prior to an invasion, such attacks could also be used to potentially destroy economies as well as disrupt daily life leaving hospitals, traffic co-ordination, prisons, and homes without power.
With the grid being operated by over 500 companies, one would think that an attack all would be near impossible (due to the potentially different protocols and software frameworks being used) but the individual companies are often only responsible for small portions of the network and so are often overlooked—potentially leaving large portions of the grid at risk.
Was networking a good idea?
The advancements in technology have provided comfort and benefits to the vast majority of industrial infrastructure, but sometimes implementing technology can cause more hassle than it's worth. Connecting the grid to the internet allows for faster response times to blackouts and monitoring, but it brings drawbacks, as well. It also brings into question if the grid could be brought back to a more primitive system whereby a telephone exchange provides communication between engineers who can operate sub-stations.
Should the grid be connected to the internet? What are your thoughts?