White House expands power grid war to include banks, Wall Street and telecom companies
The war game that the government and utilities hold every other year to simulate attacks on the power grid is being expanded this year to include big banks, Wall Street, and the telecommunications industry.
The expansion of the GridEx IV security exercise in November comes as presidential advisers are scrambling to draft recommendations to protect infrastructure, noting that the electric sector has been a step ahead on public-private partnerships to address cybersecurity.
Calling the nation’s utilities “the top of the risk matrix,” Mike Wallace, a former utility executive and member of the presidential National Infrastructure Advisory Council, said the exercise “offers the perfect opportunity to test precisely how federal authorities will be exercised during a severe cyber event.” He made the comments at the panel’s quarterly meeting last month to discuss its latest draft recommendations for protecting the grid.
“The NIAC has repeatedly found that cross-sector exercises is the best way to test decision making, protocols, procedures, and to identify gaps,” Wallace said.
But even before adding the telecom and financial sectors to the exercise was included in a formal list of recommendations, Trump was already on board, according to a senior White House official.
White House cybersecurity coordinator Rob Joyce told Wallace at the meeting that the idea of expanding the exercise to include all sectors vulnerable to cyber attacks grabbed Trump’s attention. And Joyce has been busy making it happen.
“As a point to go beyond the electricity sector, we are very supportive of that,” Joyce said last month. “As you know … the president received a brief on that. The concept of integrating the financial sector and the communications sector is very well received.”
Joyce said the administration is “in the process of working with the folks that plan that [exercise] to get that consolidated, and make that a much more robust, real-world exercise.”
It will be the first time since the exercise was ramped up in 2011 that the financial and telecom sectors will join in, confirmed Marty Coyne, spokesman for the North American Electric Reliability Corporation, or NERC, which is the lead group organizing the event.
NERC was chartered by Congress in the Energy Policy Act of 2005 to be the nation’s electric reliability watchdog, developing mandatory rules for utilities to guard against cyber and physical attacks, in addition to basic reliability activities such as making sure storms and overgrown trees don’t put half the country in the dark.
The telecom and financial sectors are intertwined with electricity, and all of them have been targeted by hackers looking to cause problems on the markets, communication infrastructure, and the grid.
Terry Boston, the former CEO of PJM Interconnection, the largest federally overseen grid operator, told the NIAC last month that before he left PJM in December 2015 the grid operator was suffering between 3,000 and 4,000 hacks per month.
The Department of Homeland Security said last year that 17 energy companies were successfully broken into by foreign government hackers between Oct. 1, 2013, and Sept. 30, 2014. In general, companies keep data about cyberattacks close to their vests. But what has provoked the most alarm for the utility sector was the December 2015 disabling of Ukraine’s power grid for several hours through the use of installed malware. The U.S. industry was put on high alert after the incident.
NERC issued an alert in June to U.S. utilities describing an improved version of malware used in the Ukraine attack and warning utilities to take appropriate steps to impede it from gaining access to their systems. The malware was used in a separate December 2016 cyber attack and is considered an improvement in “cyber-attack trade craft used to attack Ukraine’s electric infrastructure,” according to NERC.
The biennial GridEx exercise allows utilities to show “how they would respond to and recover from simulated coordinated cyber and physical security threats and incidents, strengthen their crisis communications relationships and provide input for lessons learned,” according to a NERC primer on the exercise, which will be held Nov. 15-16.