PolicySummit Critical Infrastructure Committee
GridEx IV Lessons Learned

GridEx IV Update
Bill Lawrence, Director of the Electricity Information Sharing and Analysis Center
NARUC Critical Infrastructure Committee meeting
February 12, 2018

3
Agenda
o Mission
o Objectives
o Components
o Exercise Components
o Stakeholders
o Participation
o Information sharing
o Preliminary findings - Distributed Play
o Executive tabletop overview and discussion items
o Way forward

4
Mission statement
GridEx is an unclassified public/private exercise designed to simulate a coordinated cyber/physical attack with operational impacts on electric and other critical infrastructures across North America to improve security, resiliency, and reliability.

5
GridEx Objectives
o Exercise incident response plans
o Expand local and regional response
o Engage critical interdependencies
o Improve communication
o Gather lessons learned
o Engage senior leadership

6
TLP GREEN
Exercise Components
Move 0 (Pre-Exercise): Preparation, Identification, Containment. Operators may participate in cyber intrusion detection activities.

7
Distributed Play (2 days)
Executive Tabletop (1/2 day)
[Diagram labels: Utilities; Reliability Coordinators; E-ISAC and BPSA; Fed, State, Prov Agencies; Support Vendors; Executive Tabletop; injects and info sharing by email and phone]
Players across the stakeholder landscape will participate from their local geographies.
Facilitated discussion engages senior decision makers in reviewing distributed play and exploring policy triggers.

Diverse Stakeholders
Organization
Reliability Coordinator
Regional Entities
Trade Associations
US Department of Energy
Natural Resources Canada
Local, State, Provincial Law Enforcement and Emergency Response
Federal Agencies' Headquarters and regional offices (FBI, DHS, RCMP, Public Safety Canada)

8
Recommendation
o Active with multiple entities as Active in the control area
o Active
o Active
Explanation
o RC may guide the inject customization in the control area or entities may customize injects
themselves (see slides 9 and 10)
o RCs will be involved with utilities in submitting lessons learned per objective #3
o These organizations may have crisis coordination roles and may work with RCs and utilities to determine if an Active role is required. No compliance-related participation will be permitted
o US DOE Infrastructure Security and Energy Restoration
o Natural Resources Canada Energy Security Division
o Active as invited by the utility
o Active or white cell by ExCon
o Utilities may also invite regional Active participation
o Utilities may invite these organizations to register as Active and participate at the utility location or remotely
o NERC is in coordination with US and Canadian Federal organizations for
o Active HQ-level participation (Canadian Cyber Incident Response Centre, CyWatch, NCCIC, ICS-CERT, etc.) and
o Active regional participation (e.g., FBI Field Offices, State and Major Urban Area Fusion Centers, etc.)

Diverse Stakeholders (cont'd)
Organization
Cross-sector ISACs, ISAOs and other organizations
Support Vendors, Consultants
Public Utility Commissions, Public Service Commissions
Recommendation
o Observing
Explanation
o E-ISAC will invite specific interdependent sectors (e.g., Nuclear, Down-stream Natural Gas, Communications, Financial, Water, etc.)
o Cross-sector organizations may be invited by electric utilities to participate as Active or Observing
o Active only by invitation from participating utility or by E-ISAC
o Observing
o Utilities are encouraged to involve 3rd party support in planning and during the exercise
o Organizations will be listed in Exercise Directory as "Acme Utility - Somebody's Internet Co" using their own organizational email addresses
o Crisis response roles vary by organization; some may coordinate with RCs to determine if an Active role is required. No regulatory-related participation
o Utilities may invite Active or Observing regional participation (e.g., National Guard, etc.)
Defense and Intelligence
o Observing
o E-ISAC will share information with
key stakeholders (e.g., Canadian Security Intelligence Service, National Security Agency, etc.)
Federally Funded Research and Development Centers, Academia
o Observing
o E-ISAC will invite

9
Participation
o 6500 Participants
o 206 Electric utilities
o 452 Organizations
o 17 Cross-sector partners
o 10 States 2 full-scale

10
[Chart: GridEx Exercise Participation, Active and Observing, for GridEx 2011, GridEx II, GridEx III and GridEx IV]

11
GridEx IV Communications
Electricity Subsector Coordinating Council (ESCC)
NERC Crisis Action Team
Regional Entities
NERC Bulk Power System Awareness (BPSA)
E-ISAC (Electricity Information Sharing Analysis Center)
Energy GCC
Other SCCs
Trade Associations
Executive Coordination
Unified Coordination Group (UCG) or non-US equiv.
DOE (Department of Energy)
DHS: NCCIC, ICS-CERT, US-CERT
Other Federal Agencies (US): FBI, FERC, DOD
Canada: Public Safety Canada, NRCan, RCMP, CSIS, CCIRC
Coordination with Government
Vendor Support: IT, ICS, ISP, Anti-virus
Other Critical Infrastructures: Telecommunications, Oil, Gas, others
Bulk-Power System Entities, Coordinated Operations: Reliability Coordinators, Balancing Authorities, Generator Operators, Transmission Operators, Load Serving Entities, etc.
ExCon (GridEx IV Exercise Control): NERC staff, GEWG, BAH, Nat'l Labs, SMEs for Sim-cell, et al.

12
Local, State, Provincial Government
o Governors, Premiers
o Emergency Management Organizations
o Emergency Operations Centers, Fusion Centers
o Local FBI, PSAs
o National Guard
o PUCs, PSCs

Information Sharing with the E-ISAC
o Cyber shares: 204
o Physical Security shares: 364
o OE-417s submitted: 244
o EOP-004s submitted: 132
o Utilities participating in Cyber Mutual Assistance: 43

13
Preliminary Findings - GridEx IV Distributed Play
o Where's the Cavalry?
  Relationship building with partners (e.g., cross-sector, law enforcement, emergency managers, etc.)
  What is the State/Federal Government's role during a Grid
Emergency?
o E-ISAC Portal improvements
o Greater cross-sector participation
o Public Affairs and Corporate Communications vs. Incorrect or Misleading information
o Communication resiliency (e.g., WPS, GETS, HF Radio, etc.)
o Electric Utility - RC emergency communications
o Cyber Mutual Assistance
o On-keyboard cyber training
o Active Lead Planners

14
Executive Tabletop Overview
o Five-hour Executive Tabletop held on November 16, 2017, the second day of the large-scale GridEx IV security and emergency response exercise. Parallel separate tabletops were held in Canada and Australia.
o Objective: Engage senior industry and government leadership in a robust discussion of the policy issues, decisions, and actions needed to respond to, protect, and restore the reliable operation of the grid

15
Executive Tabletop Themes
E-ISAC: ELECTRICITY INFORMATION SHARING AND ANALYSIS CENTER, A DIVISION OF NERC. RESILIENCY, RELIABILITY, SECURITY
[Figure: Executive Tabletop Themes; legible labels include Messaging, Extraordinary Measures, and what industry, government and the public know or need to know]

Phased Scenario Discussion
One Day After Attacks Begin
Three Days After
Two Weeks After

17
For each phase after attacks begin:
o Participants role-play actions and the decisions needed to respond to the situation, restore power, and secure the grid
o Identify any gaps

Tabletop Discussion
o Situation assessment and initial response by industry and government
o Communications between utilities and with local, state, and federal government
  Utility liaison with state emergency operations centers
o Immediate government priority: Stop the Attacks
  Utility liaison with National Guard
o Grid Emergency Operations
  Utilities have the authority to implement emergency actions (e.g., shed load) to maintain grid operation
  Utilities coordinate with local and state government to identify high-priority customers
18
Tabletop Discussion
o Share sensitive information
  Need to distribute information quickly and declassify if necessary
o Decide national-level priorities
  When resources are limited, balance local, state, and national interests
o Critical infrastructure interdependencies
  Communications, financial services, natural gas, and critical manufacturing sectors as life-line sectors
o Utility finances to fund recovery and restoration

19
Way Forward
o GridEx IV Reports will be complete by end of March 2018
o GridEx V Initial Planning Meeting will be held November 2018

20
E-ISAC: ELECTRICITY INFORMATION SHARING AND ANALYSIS CENTER, A DIVISION OF NERC. RESILIENCY, RELIABILITY, SECURITY
PolicySummit Critical Infrastructure Committee

This document is from the holdings of:
The National Security Archive
Suite 701, Gelman Library, The George Washington University
2130 H Street, NW, Washington, D.C., 20037
Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu