It was only a coincidence that the terrorist attack last Friday in Paris happened days before GridEx III, but that tragic event intensified how seriously the utility security exercise was taken in the U.S. this week, officials said.
“Let me assure you that we were tuned in, activated and on task,” said Southern Co. CEO Tom Fanning, one of the utility, government and reliability leaders who talked to the media via conference call Thursday to discuss the massive, two-day simulated grid security event.
GridEx III, which was coordinated by the North American Electric Reliability Corp. (NERC) involved more than 300 organizations and close to 10,000 participants. The exercise simulated both physical and cyberattacks on power generation and transmission assets throughout the continent.
Those feigned attacks included shootings, explosions to destroy human and grid assets, as well as destruction of control systems. The participants reacted as if those were successful destructions, stressing control, communication and backup systems to see how they would respond.
Other participants Thursday included the U.S. Department of Energy, Homeland Security and the Electricity Sub-sector Coordinating Council, which includes utility and co-op CEOs as co-chairs.
“The event is severe,” Gerry Cauley, president and CEO of NERC, said. He added that the attack vectors include simulated assaults on public-facing Internet and customer service sites, as well as those that would cause damage to equipment such as transformers.
“We wanted to test ourselves as severely as we would,” Cauley said. “It is meant to be several attacks covering multiple points across the entire North American continent, resulting in outages to transmission and generation equipment (and) customer outages.”
The GridEx events are held every two years, with the first on in November 2011. An after-action report complied for GridEx II stressed a unified approach by agencies, utilities and reliability groups to recognize that cyber and physical attacks represented unique restoration challenges.
“One of the most important aspects of responding to a crisis is the ability to quickly and accurately assess the situation, share that assessment with decision makers and take action,” the March 2014 GridEx II report reads.
On Thursday, the GridEx III participants said they felt that the latest exercise was successful in building on lessons learned from the previous events.
“One of the things we’ve done is create this focus on communication,” Cauley said.
“We realized we had not stressed ourselves enough in terms of communication.”
Fanning noted that the “playbook” for GridEx III was about 100 pages long and laid out responsibilities of participants to coordinate restoration activities. The events in Paris, although they did not involve destruction of French grid assets, put everyone involved with GridEx III on particular notice.
At the same time, you never know exactly how those kinds of attacks can happen, they acknowledged.
“The threat is ever changing,” Fanning said. “We know we’ve always got to anticipate the threat environment is changing and therefore adapt our own strategies. We’ve got to skate to where the puck will be.”
NERC officials were also involved with GridEx III in Canada and Mexico. Duane Highley, president of CEO of Arkansas Electric Cooperative Corp. & Arkansas Electric Cooperatives, pointed out that a simultaneous exercise was underway in that state, involving regulators, the FBI, state police and regional transmission officials.
All in all, events like GridEx III may be not real attacks, but they are crucial to evaluating preparedness if and when something does happen on such a huge scale, participants said.
“The Department of Energy recognizes that there are many serous hazards and threats facing the electric sector,” said Liz Sherwood-Randall, deputy secretary for DOE. The GridEx participants are “sharing the commitment to counter those threats, protect the American people and keep the power turned on.”
Suzanne Spaulding, Under Secretary for National Protection and Programs Directorate within the Department of Homeland Security, noted that her department and DOE meet with utility CEOs three times a year to discuss threats and response capabilities.