Vendor role in NERC’s upcoming cyberattack exercise unclear despite growing power sector threat
The lack of any planned vendor participation for GridEx VI has taken some cybersecurity experts by surprise, particularly after last year’s SolarWinds software supply chain hack, which NERC said exposed about 25% of electric utilities to malware.
“It appears that we are continuing the theme of missed opportunities,” Nick Cappi, cyber vice president of portfolio strategy and enablement at Hexagon PPM, said in an email. “GridEx is having a mock cyber-attack on our grid but excluding the companies who provide technologies designed at protecting it.”
The lack of direct inclusion of vendors is surprising, observers say, because in after-action reports following the 2017 and 2019 GridEx simulations, NERC identified increased vendor participation as a goal.
In 2017, no utilities participating in GridEx reached out to vendors for help or information during the simulation. In 2019, according to an assessment of the event, “only three major electric industry supply chain vendors officially registered.” A goal to increase supply chain participation in GridEx V that year was considered “partially achieved.”
Cancel said it simply isn’t possible to invite the entire technology ecosystem to participate in GridEx. “At some point, we have to put a box around it.”
SolarWinds is not participating in GridEx, said Cancel, but the scenario NERC has planned does include a software compromise.
“We try to be as inclusive as possible,” said Cancel. “This year we will focus on critical infrastructure. … There may be some outreach” to software companies.
NERC officials, in an email, also clarified that NERC does not invite vendors to join the exercise; it only invites E-ISAC members, which include owners and operators of electric power infrastructure. However, “we strongly encourage the participants to include their supply chain vendors (if appropriate) into their planning and participation. This is based on the premise that the participants are the best at determining which vendors are critical to their operations.”