A November drill involving electric utilities across North America mimicked the disruptive malware used to cut power in Ukraine in 2016, testing operators’ ability to expunge the malicious code from their systems.
The fictional scenario, revealed Tuesday in a press briefing on the exercise, saw the malware compromise the industrial control systems that utilities use to manage their operations. An electric equipment vendor helped the utilities replace some of the industrial computers that had been “bricked,” or rendered useless, by the malware. (The code was not actually executed on live systems; it was all simulated.)
The intense scenario forced participants to “start implementing their incident response plans” and “really upped the training value for many utilities,” said Matt Duncan, an official at the North American Electric Reliability Corp., the regulator that runs the biennial drill, known as GridEx.
It is an example of the greater lengths that many utilities go to simulate disruptions to their networks following separate cyberattacks in Ukraine 2015 and 2016. And the scenario fits right in with GridEx’s years-long tradition of stretching even well-prepared utilities to the limit in recovering from waves of hypothetical attacks.
The fifth iteration of the drill, in November, convened over 7,000 organizations across North America, from multi-state utilities to smaller cooperatives to U.S. government agencies. It was a record turnout, and the first time that utilities tested their ability to respond to an emergency order from the Secretary of Energy to restore grid operations.
A report on the exercise that NERC released Tuesday made recommendations on how utilities and government organization can improve the resiliency of the grid, from working more closely with telecommunications providers to possibly setting up a strategic supply of critical electric equipment.
Supply chain needs more drilling
The malware that participants had to fend off was modeled after the code used in the 2016 cyberattack that hit a substation in Kyiv, the Ukrainian capital. While the 2015 cyberattack in Ukraine gained more attention because it cut power for 225,000 people, researchers say the 2016 attack was more sophisticated and the malware used could be more easily “scaled” to hit other systems. Researchers have attributed both to Russian government-linked hackers.
“The ICS component of [the malware] in 2016 provides a lot of great training value to the industry,” Duncan told reporters.
Despite the strong turnout, NERC made clear in a report that it had hoped for more participation from electricity supply-chain vendors. Only three major vendors registered for the exercise. Six equipment suppliers participated in the previous exercise in 2017.
The supply-chain aspect of the drill is important. Advanced hacking groups, including the group behind the Trisis malware that shut down a Saudi petrochemical plant in 2017, have made a point of targeting ICS equipment suppliers in their hacking operations.
Lessons from the exercise are emerging as utilities across the country are working overtime to ensure service isn’t interrupted during the coronavirus pandemic. It is the type of extreme scenario for which GridEx prepares utilities.
NERC has kept its cyberthreat watch floor — which alerts utilities to hacking activity — staffed around the clock during the health crisis.
“As we all know, times like this is when we can expect to see cyberthreats executed,” said Manny Cancel, NERC’s senior vice president.
The exercise organizers said they will consider what they learn from the pandemic in designing the next GridEx. The drill, after all, presents a worst-case scenario that is grounded in real-world threats.