Vendor role in NERC's upcoming cyberattack exercise unclear despite growing power sector threat

Dive Brief:

Amid a wave of ransomware attacks and growing threats to the industrial control systems operating the electric grid, the North American Electric Reliability Corp. (NERC) will hold GridEx VI, its biennial security exercise, Nov. 16-17.
GridEx allows electric utilities to test their cyber and physical security plans in response to mock attacks, but experts say NERC is missing an opportunity to engage with vendors and the supply chain by failing to invite technology companies.
"I'm not aware of any software providers being included," said NERC Senior Vice President Manny Cancel, who is also CEO of NERC's Electricity Information Sharing and Analysis Center (E-ISAC), which runs GridEx.

Dive Insight:

The lack of any planned vendor participation for GridEx VI has taken some cybersecurity experts by surprise, particularly after last year's SolarWinds software supply chain hack, which NERC said exposed about 25% of electric utilities to malware.

"It appears that we are continuing the theme of missed opportunities," Nick Cappi, cyber vice president of portfolio strategy and enablement at Hexagon PPM, said in an email. "GridEx is having a mock cyber-attack on our grid but excluding the companies who provide technologies designed at protecting it."

The lack of direct inclusion of vendors is surprising, observers say, because in after-action reports following the 2017 and 2019 GridEx simulations, NERC identified increased vendor participation as a goal.

In 2017, no utilities participating in GridEx reached out to vendors for help or information during the simulation. In 2019, according to an assessment of the event, "only three major electric industry supply chain vendors officially registered." A goal to increase supply chain participation in GridEx V that year was considered "partially achieved."

Cancel said it simply isn't possible to invite the entire technology ecosystem to participate in GridEx. "At some point, we have to put a box around it."

SolarWinds is not participating in GridEx, said Cancel, but the scenario NERC has planned does include a software compromise.

"We try to be as inclusive as possible," said Cancel. "This year we will focus on critical infrastructure. ... There may be some outreach" to software companies.

NERC officials, in an email, also clarified that NERC does not invite vendors to join the exercise, it only invites E-ISAC members, which include owners and operators of electric power infrastructure. However, "we strongly encourage the participants to include their supply chain vendors (if appropriate) into their planning and participation. This is based on the premise that the participants are the best at determining which vendors are critical to their operations."

The Edison Electric Institute, which represents investor-owned utilities, did not respond to questions regarding whether more power companies plan to ask vendors to participate in this year's GridEx.

Some security experts say NERC's approach to vendor participation is appropriate. "I don't see this as being a problem," security consultant Tom Alrich said in an email.

"GridEx is an operational exercise for responding to a hypothetical attack, so only the operators of the [bulk electric system] can participate," Alrich said. "When an attack happens, it's too late [for] most vendors to be able to help — the software has already been written, the control systems have already been developed, etc."

Security company Dragos "isn't a direct player or observer in GridEx" but has clients that participate, Ben Miller, vice president of professional services and research and development for the company, said in an email.

Vendors do participate in GridEx, but may not be obvious, according to Miller.

"Many asset owners put a significant investment in GridEx and it's not unusual for their trusted vendors to be part of their efforts, though that wouldn't be apparent," Miller said.

Tobias Whitney, vice president of industry relations and regulatory government affairs for Fortress, said in a statement that his company is "actively working" with E-ISAC on supply chain cybersecurity risks, but he did not say if it has clients involved with GridEx.

"As demonstrated by SolarWinds and other incidents in the past year, the technology vendors that supply critical infrastructure are a key aspect of preparing for and mitigating malicious threat actors," Whitney said.

NERC should consider expanding the scope of GridEx participation, according to some security providers.

"Given the prominence of supply chain vulnerabilities demonstrated in both the recent SolarWinds and Kaseya attacks, it seems that extending the scope to cover supply chain and even involve key cybersecurity partners would be a logical addition," Jeff Barker, vice president of product marketing at security firm Illusive, said in an email.

It will take a "diversified consortium of experts," including operational technology cybersecurity companies, "to make a change in protecting our critical infrastructure," said Hexagon's Cappi. "If we want transformational events in improving the security of our critical infrastructure, then we need to break down the silos of information and obstacles to collaborate."