Dire grid hacking scenario sparked “shields up” approach to Russian threat

Every two years, the electricity industry runs a stress test designed to find and fix gaps in the North American grid’s cyber and physical defenses. The latest GridEx event presaged a blitz of real-world hacking threats that have kept U.S. power providers on high alert.

Months before Russia’s invasion of Ukraine, a group of power utility executives quietly practiced how they’d handle a worst-case cyber and physical attack on the North American grid.

The biennial GridEx exercise that took place last November was designed to be diabolical, forcing virtual attendees to puzzle over how to restore electricity without cell service or other telecommunications while facing a blitz of cyberattacks and disinformation from a nation-state adversary hellbent on wrecking the grid.

“Participants agreed that the loss of communications would essentially halt the grid restoration process,” the North American Electric Reliability Corp., which organizes the GridEx event, concluded in a report released today on takeaways from the exercise.

“The capabilities that the electricity sector has from a communications perspective are quite resilient, but nonetheless, we try to put forth a scenario that tests some of those assumptions about how we would operate,” said Manny Cancel, NERC senior vice president and CEO of its hub for cyberthreat warnings, the Electricity Information Sharing and Analysis Center. “You’re seeing this now in the Russia-Ukraine crisis, where adversaries will use dis- and misinformation to delay restoration, to perhaps spread false information that may seek to change decisions.”

Russian hackers associated with the GRU military intelligence agency infamously attacked Ukraine’s power grid in 2015 and 2016, briefly knocking out power to several hundred thousand people each time.

Since President Vladimir Putin ordered Russian troops to invade Ukraine on Feb. 24, a barrage of cyberattacks has struck U.S. and Ukrainian targets, with many linked to Moscow or its ally Belarus. One particularly disruptive hack of Viasat’s KA-SAT satellite system interfered with the remote maintenance and control networks of over 5,000 wind turbines in Germany and cut off internet service for many Ukrainians.

A cyberattack isn’t known to have ever caused a grid outage in the U.S. But every two years since 2011, NERC has gathered hundreds of utility industry participants for a disaster dress rehearsal aimed in part at preventing a potential grid hack from spiraling out of control. This year’s focus on telecommunications was the latest twist.

“[I]n the case of essential grid communications, there is an urgent need to consider alternative communication paths that have functionality and reliability in the case of an extreme telecommunications disruption. Cloud-based solutions and private fiber-optic networks could be a good option,” Brian Harrell, former assistant secretary for infrastructure protection at the Department of Homeland Security and a key developer of the GridEx program, told README. “At a minimum, during an outage, communications providers should prioritize grid control centers and other critical electricity facilities.”

November’s GridEx was split into two parts over several days: First, a “distributed play” exercise prompted over 3,000 grid industry players to run through their emergency response plans. Then, on Nov. 18, some 200 senior-level utility leaders as well as U.S. and Canadian authorities participated in the executive tabletop exercise.

The “lessons learned” report released today calls on the utility industry and U.S. government to shore up lines of communication — easier said than done during a crisis. President Biden called attention to critical infrastructure information sharing efforts in an unusual warning last month on Russian cyberthreats.

“We’ve lowered the bar for sharing information in terms of what we’re seeing in Russia and Ukraine, and in terms of what we’re seeing over here,” said Puesh Kumar, director of the Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response. “We have asked the private sector to lower their bar for sharing information back into the government… There are over 3,000 electric utilities across the U.S. — if one or two utilities out there are seeing this activity, can we cascade it to the others out there?”

Brandon Wales, executive director of CISA, told reporters earlier today that Russia’s threat to U.S. critical infrastructure is not going to go away, and that exercises like GridEx help support his agency’s “shields up” mantra for defending the country’s most vital computer networks.

“That work leading up to this current [Ukraine] crisis will pay dividends in the long term,” he said. “Every organization has a responsibility to harden their cyber resilience and continue to be prepared to respond to disruptive cyber attacks.”