GRID EX III - Physical and Cyber Security on the Electric Utility Grid

By Dawn Roth Lindell, SVP & CIO, Western Area Power Administration

Dawn Roth Lindell, SVP & CIO, Western Area Power Administration

What would happen if our electricity was down for weeks or months due to a coordinated attack on our electric grid? Without electricity, we go without clean water, our food would rot and without gasoline pumps which now use electricity, vehicles would run short on gas. Without transportation our grocery store shelves would be empty. Without electricity, hospitals would no longer be able to keep life support system operating. Lives would be lost and the list goes on. It is clear that our way of life requires this critical resource. That’s why the Federal Government is taking proactive planning measures. 

“Grid Ex III was the third nationwide security exercise for the utilities who manage the electric grid.”

Grid Ex III was the third nationwide security exercise for the utilities who manage the electric grid. This opportunity, led by the North American Electric Reliability Corporation, enables utilities to collaboratively practice our responses to scenarios around physical and cyber security attacks. Literally thousands of people participated throughout the U.S. to test the response plans in place for grid attacks. These plans define how we will repair and replace critical systems and infrastructure that enable the delivery of electricity to our homes and businesses. 

The grid is made up of generation sources like coal, gas, hydroelectric and nuclear power plants, which send power over large transmission lines to cities where it is needed. Then, in substations all over the country, the power is sent on smaller distribution lines to homes and businesses. Utilities use technology to manage the power plants, transmission/distribution lines and substations. They also use technology to market the power between utilities.   

Western Area Power Administration, one of the four federal power marketing administrations under the Department of Energy, manages over 17,000 miles of transmission and over 300 substations to utilities in 15 states in the west. We chose to participate in the GRID Ex III table top exercise to review our plans, practice executing our responses and identify any weaknesses that we need to address. We recognize the criticality of our mission to the people of our nation. Our systems must run 365 days per year. That means we work hard to ensure that people have electricity on Christmas, New Year’s Eve, July 4th and every other day.  Managing technology that must never go down is an interesting challenge.    

The GRID EX III scenarios included imaginary malware attacks on our control systems that caused electric system anomalies. They also included the kind of acts of terror we unfortunately see each week – active shootings, bombs and break-ins. Under these scenarios, our job is to work with law enforcement to keep our employees safe and identify the perpetrators. We also partner with other utilities to route the electricity as effectively as possible to keep the lights on where ever possible.

This exercise allowed us to have two very bad imaginary days where technologists, physical security professionals, linemen, engineers and leadership worked together to resolve the issues that were thrown at us. There were twists that caused us to think on our feet. Our staff focused on how to address safety, logistics, and operations as well as work our internal and external communications including holding imaginary press conferences and sharing information with our employees during a crisis.  

Naturally we did find weaknesses and gaps in our plans that we will address over the next several weeks to further improve our readiness. This makes us stronger. We also gained insight into additional preventative steps we can take to further improve our preparedness.

My advice to technologists is to jump at the chance to participate in any kind of business continuity exercise. It is a humbling experience as issues arise that you hadn’t considered before. Planning a response is different than actually having to respond. Each of us has a critical mission to uphold. Practicing how to uphold that mission during times of crisis will enable a calm and competent response when you have an actual bad day.