As foreign hackers continue to probe the U.S. grid for weaknesses, a cyber exercise for the North American energy sector has shown that many utility personnel still lack access to the classified information needed to stay on top of the threat.
Not enough utility employees had the clearances needed to share threat information for a serious cyberattack scenario rehearsed during the exercise, according to a report published Friday by regulator North American Electric Reliability Corp. (NERC).
“Government should plan to quickly declassify information that utilities need to prevent or respond to attacks,” the report states.
During the two-day exercise, which took place in November, government officials and utility executives worked together to respond to simulated “cyber and physical attacks” against control systems and generation and transmission facilities “that caused widespread and prolonged power outages,” the report notes.
Energy industry officials have long urged the U.S. government to expedite the clearance process for private sector operators. Last year, American Gas Association CEO Dave McCurdy told lawmakers that his industry was in pressing need of actionable cyberthreat information.
This fourth iteration of the biennial “GridEx” exercise convened a record 6,500 people from 450 organizations, including electricity transmission authorities and academics. As hackers have grown bolder in attacking the industrial control systems (ICS) that underpin the grid in places like Ukraine, observers credit GridEx with sharpening the North American grid’s defenses.
“GridEx does a great job in finding new areas to explore and focus on rather than a rinse-and-repeat sort of mentality,” Ben Miller, director of threat operations for ICS security firm Dragos, told CyberScoop.
The most recent GridEx included new pre-exercise training, dubbed Move 0, that focused on the reconnaissance hackers carry out before an attack. “Attacks don’t occur in minutes but instead weeks or months and Move 0 helped illustrate this to the attendees,” Miller said.
Such reconnaissance techniques have been on display in an ongoing hacking campaign targeting the U.S. energy sector that the Department of Homeland Security has attributed to Russian government actors. DHS warned last month that the hackers had used spear-phishing and watering-hole attacks to collect information on ICS.
The NERC report on GridEx found other areas for improvement. Twenty-two percent of participants said the exercise didn’t effectively test utilities’ communication plans with groups like law enforcement and state officials – a crucial point of contact in the event of serious hacking incident. In the 2015 cyberattack of the Ukrainian power grid, hackers cut power for at least 225,000 customers but also hit the power company’s customer call center, hampering the recovery process.
The NERC report also floated the possibility of the electric industry’s cyber-threat sharing hub, known as E-ISAC, adding a “common operating picture” to give utilities a clearer view of overall grid security.
Energy officials in Europe and elsewhere also are increasingly carrying out more complex cyber exercises to try to keep pace with hacking operations. Last October, Swedish nuclear plant employees drilled for a range of attacks, including one based on the 2015 hack of the Ukrainian grid. It was the most technically sophisticated exercise in which the UN’s nuclear watchdog has participated.