The war game that the government and utilities hold every other year to simulate attacks on the power grid is being expanded this year to include big banks, Wall Street, and the telecommunications industry.
The expansion of the GridEx IV security exercise in November comes as presidential advisers are scrambling to draft recommendations to protect infrastructure, noting that the electric sector has been a step ahead on public-private partnerships to address cybersecurity.
Calling the nation's utilities "the top of the risk matrix," Mike Wallace, a former utility executive and member of the presidential National Infrastructure Advisory Council, said the exercise "offers the perfect opportunity to test precisely how federal authorities will be exercised during a severe cyber event." He made the comments at the panel's quarterly meeting last month to discuss its latest draft recommendations for protecting the grid.
"The NIAC has repeatedly found that cross-sector exercises is the best way to test decision making, protocols, procedures, and to identify gaps," Wallace said.
But even before the proposal to add the telecom and financial sectors to the exercise was included in a formal list of recommendations, Trump was already on board, according to a senior White House official.
White House cybersecurity coordinator Rob Joyce told Wallace at the meeting that the idea of expanding the exercise to include all sectors vulnerable to cyber attacks grabbed Trump's attention. And Joyce has been busy making it happen.
"As a point to go beyond the electricity sector, we are very supportive of that," Joyce said last month. "As you know … the president received a brief on that. The concept of integrating the financial sector and the communications sector is very well received."
Joyce said the administration is "in the process of working with the folks that plan that [exercise] to get that consolidated, and make that a much more robust, real-world exercise."
It will be the first time since the exercise was ramped up in 2011 that the financial and telecom sectors will join in, confirmed Marty Coyne, spokesman for the North American Electric Reliability Corporation, or NERC, which is the lead group organizing the event.
NERC was chartered by Congress in the Energy Policy Act of 2005 to be the nation's electric reliability watchdog, developing mandatory rules for utilities to guard against cyber and physical attacks, in addition to basic reliability activities such as making sure storms and overgrown trees don't put half the country in the dark.
The telecom and financial sectors are intertwined with electricity, and all of them have been targeted by hackers looking to cause problems on the markets, communication infrastructure, and the grid.
Terry Boston, the former CEO of PJM Interconnection, the largest federally overseen grid operator, told the NIAC last month that before he left PJM in December 2015 the grid operator was suffering between 3,000 and 4,000 hacks per month.
The Department of Homeland Security said last year that 17 energy companies were successfully broken into by foreign government hackers between Oct. 1, 2013, and Sept. 30, 2014. In general, companies keep data about cyberattacks close to their vests. But what has provoked the most alarm for the utility sector was the December 2015 disabling of Ukraine's power grid for several hours through the use of installed malware. The U.S. industry was put on high alert after the incident.
NERC issued an alert in June to U.S. utilities describing an improved version of malware used in the Ukraine attack and warning utilities to take appropriate steps to impede it from gaining access to their systems. The malware was used in a separate December 2016 cyber attack and is considered an improvement in "cyber-attack trade craft used to attack Ukraine's electric infrastructure," according to NERC.
The biennial GridEx exercise allows utilities to show "how they would respond to and recover from simulated coordinated cyber and physical security threats and incidents, strengthen their crisis communications relationships and provide input for lessons learned," according to a NERC primer on the exercise, which will be held Nov. 15-16.
The last exercise in 2015 included phony newscasts and fake social media posts to increase the reality factor. All of it is done to test the industry's mettle during an attack by would-be terrorist groups or state actors. The electric industry, law enforcement and government agencies all participated.
Expanding the GridEx exercise is generally "a good idea," said Scott Sklar, president of the Stella Group consulting firm that specializes in renewable energy integration.
"What the feds are doing is try to put layers on layers of protection (across interlocking sectors) to prevent cyber-breaches," Sklar explained in an email. "Of course this has to be done."
But he says that the only true way to be safe from cyber attack is to disconnect power producers from the Internet.
"There is no way you can absolutely prevent cyber-breaches," he said, pointing out that the State Department, Department of Defense, and the Office of Personnel Management have all been hacked.
"Many, including myself, have suggested that critical public infrastructure, including utility and generation plant controls actually be isolated and NOT interconnected — thus making them impervious of cyber attacks," he wrote.
The Energy Department is developing a cybersecurity report, required under Trump's May executive order on cybersecurity. The Energy Department houses one of the more successful private-public partnerships for information sharing between the electricity industry and the federal government. The Electricity Subsector Coordinating Council is "the principal liaison between the federal government and the electric power sector," according to the Edison Electric Institute, the lead trade group for investor-owned utilities.
The council's mission is to "coordinate efforts to prepare for, and respond to, national-level disasters or threats to critical infrastructure." The council is involved in the GridEx exercise and has used the event to hone its cybersecurity coordination with the federal government.