November 2013 As Worries Over the Power Grid Rise, a Drill Will Simulate a Knockout Blow
By MATTHEW L. WALD NY Times
Published: August 16, 2013
This is why thousands of utility workers, business executives, National Guard officers, F.B.I. antiterrorism experts and officials from government agencies in the United States, Canada and Mexico are preparing for an emergency drill in November 2013 that will simulate physical attacks and cyberattacks that could take down large sections of the power grid.
They will practice for a crisis unlike anything the real grid has ever seen, and more than 150 companies and organizations have signed up to participate.
“This is different from a hurricane that hits X, Y and Z counties in the Southeast and they have a loss of power for three or four days,” said the official in charge of the drill, Brian M. Harrell of the North American Electric Reliability Corporation, known as NERC. “We really want to go beyond that.”
One goal of the drill, called GridEx II, is to explore how governments would react as the loss of the grid crippled the supply chain for everyday necessities.
“If we fail at electricity, we’re going to fail miserably,” Curt Hébert, a former chairman of the Federal Energy Regulatory Commission, said at a recent conference held by the Bipartisan Policy Center.
Mr. Harrell said that previous exercises were based on the expectation that electricity “would be up and running relatively quick” after an attack.
Now, he said, the goal is to “educate the federal government on what their expectations should or shouldn’t be.” The industry held a smaller exercise two years ago in which 75 utilities, companies and agencies participated, but this one will be vastly expanded and will be carried out in a more anxious mood.
Most of the participants will join the exercise from their workplaces, with NERC, in Washington, announcing successive failures. One example, organizers say, is a substation break-in that officials initially think is an attempt to steal copper. But instead, the intruder uses a USB drive to upload a virus into a computer network.
The drill is part of a give-and-take in the past few years between the government and utilities that has exposed the difficulties of securing the electric system.
The grid is essential for almost everything, but it is mostly controlled by investor-owned companies or municipal or regional agencies. Ninety-nine percent of military facilities rely on commercial power, according to the White House.
The utilities play down their abilities, in comparison with the government’s. “They have the intelligence operation, the standing army, the three-letter agencies,” said Scott Aaronson, senior director of national security policy at the Edison Electric Institute, the trade association of investor-owned utilities. “We have the grid operations expertise.”
That expertise involves running 5,800 major power plants and 450,000 miles of high-voltage transmission lines, monitored and controlled by a staggering mix of devices installed over decades. Some utilities use their own antique computer protocols and are probably safe from hacking — what the industry calls “security through obscurity.”
But others rely on Windows-based control systems that are common to many industries. Some of them run on in-house networks, but computer security experts say they are not confident that all the connections to the public Internet have been discovered and secured. Many may be vulnerable to software — known as malware — that can disable the systems or destroy their ability to communicate, leaving their human operators blind about the positions of switches, the flows of current and other critical parameters. Experts say a sophisticated hacker could also damage hard-to-replace equipment.
In an effort to draw utilities and the government closer, the industry recently established the Electricity Sub-Sector Coordinating Council, made up of high-level executives, to meet with federal officials. The first session is next month.