Utility Companies Gather for Cyber / Physical Attack Exercise - GridSecCon 2018 & GridEx IV

Oct 9, 2018


Last November, GridEx IV kicked off with 6,500 participants from 450 different organizations. This exercise saw a large rise in participation over GridEx III; 1,800 more individuals participated, and 86 more organizations were represented.

Preparedness, which has always been a top priority, has gained increasing visibility in recent years as cyber attacks and other malicious threats become more common. It’s the reason behind these exercises and the different scenarios and injects—it allows participants to experience a broad spectrum of possibilities, both in terms of threats faced, and ways in which to respond to them.

Scenarios and Injects

[Figure: GridEx IV move flow chart]

GridEx IV set a record for participants, and the planned exercises played off this bump in players, simulating a large-scale, coordinated cyber and physical attack on specific sites spread across all North American Regions.

The exercise was divided into five “Moves” representing different phases. Move 0 involved the adversary gearing up for the exercise, doing research and trying to sniff out vulnerabilities. The attacks kicked off with Move 1, bringing down systems and disrupting power supplies. In Move 2, efforts to maintain reliability were enacted; meanwhile, copycat attacks started to happen, and news and media worked up a frenzy of coverage, piling more pressure onto the players to reconnect to the grid.

As the impact became clear, Move 3 began, with the players executing their responses by isolating impacted cyber systems and enabling physical defense measures. Just as importantly, the players shared information with each other about the adversary and about which solutions were working. Move 3 also put a spotlight on physical and cyber mutual assistance, reinforcing how vital collaboration is.

Move 4 saw players recovering from the attacks, repairing their cyber systems and physical assets, working with law enforcement to provide intelligence and receive guidance, and engaging in after-action activities.

The point of these exercises is to prepare players for these events, but they also serve another purpose. Players, and the larger participating parties like the Department of Energy, use GridEx to identify gaps, find opportunities for improvement, and draw creative inspiration for future responses, which is just as valuable as affirming existing response capabilities.

So, what were some of the biggest lessons from last November?

GridEx IV Lesson 1: Strong Collaboration

[Figure: GridEx IV had members from all regions represented]

The malicious actors in GridEx IV’s exercise focused on taking down multiple locations. The entire grid, or at least large portions, didn’t go down in the attack. The actors wanted to make a dent, but not enough to be noticed right away.

The nature of the attacks reinforced how important collaboration is in these scenarios. Open lines of communication encourage awareness and allow countermeasures to be deployed sooner. Not only that, but collaboration is essential to effective mutual assistance - a lot of sectors lent helping hands to the players with outages, not only restoring operations, but in the following recovery and investigation also.

Collaboration will be a massive factor in any wide-scale attack like the simulation GridEx IV put forth. And this highlighted another key realm in dealing with attacks on the grid: cross-sector response.

GridEx IV Lesson 2: Fluid Cross-Sector Response

GridEx scenarios always target the power grid, but electrical utilities are never the only ones affected by these attacks. Other utilities rely on the supply of power electrical utilities provide, like water utilities and telecom companies. They need to keep their operations up, and they can’t do so without power.

Attacks on the grid—and other utilities in general—extend beyond the utilities space too. A utility company is part of a much bigger network, not just the physical grid. When malicious actors make this kind of move, law enforcement will need to get involved at every level. Local, state, and federal agents will have a part to play in the response, recovery, and investigation. Making sure that all sectors and stakeholders are part of the response only improves future responses.

Both observers and players recommended more cross-sector play for future exercises. And it’s good to see that NERC, the organizer of GridEx, plans to incorporate more cross-sector play in future exercises. Including other utilities, law enforcement, and members in the supply chain will ensure every player is trained for a true, real-world incident.

There are even talks of tying vendors into the exercise more. GridEx IV did include vendors, but they were underutilized by participants. A true incident would see a lot of engagement with vendors, so recreating this in a simulation would benefit both parties.

Both cross-sector response and collaboration hinge on reliable communications. Given the potential scope of cyber hits on utilities, and the distinct possibility that the communications infrastructure may itself be compromised as part of a cyber attack, finding alternative or backup modes for collaborating is vital.

GridEx IV Lesson 3: Communications Resilience

During GridEx IV, E-ISAC pulled a simulated communications blackout in the National Capital Region, preventing participants from seeing a critical broadcast. If real malicious actors make a move on the power grid, they’ll most likely couple cyber hits with physical ones. And as part of that, they’ll close off communication pathways.

The lead planners used the blackout in the National Capital Region to urge exercise participants to use backup communications methods. Given the reality of attacks on the grid, it’s good practice. These paths don’t need to be utilized often; they just need to be available during an emergency.

What Will GridEx V Look Like?

Every exercise has seen more participants, as well as more organizations represented. GridEx I only included 83 organizations. That number ballooned to 234 for GridEx II, then to 374 in GridEx III. GridEx IV had 450, over five times as many as the first iteration.

[Figure: GridEx IV participation]

Given the trend in the first four exercises, even more participants will dive in and more organizations will be represented in 2020 during GridEx V. It’s a good sign. More and more entities understand how vital security and preparedness are for their industry, and GridEx is the perfect time for them to show this. No outage in utilities is isolated; there is always a ripple effect.

You can read more about the 2018 exercise in NERC's official after-action publication.



Veoci for Utilities is going to GridSecCon 2018. Come to booth #23 to learn more about the benefits Veoci offers utilities.

Follow us on Twitter, Facebook, and LinkedIn with #GridSecCon for the latest conference news.
