Managing cyber risk is a top priority for many electric and gas utilities. Yet few understand all the technical, operational, business, and communication challenges in responding to and recovering from a major cyber attack on energy operations.
On October 22 and 23, 2014, 120 representatives from 13 electricity and natural gas utilities got the chance to explore these challenges during the New York State Cybersecurity Exercise sponsored by the U.S. Department of Energy (DOE) with support from New York Independent System Operator (NYISO), Consolidated Edison, New York Power Authority, and the North American Electric Reliability Corporation. The two-day tabletop exercise was designed around a fictitious scenario involving a zero-day cyber attack on critical infrastructure in New York State that damaged control equipment, disabled email and communications, and created long-term consequences for energy delivery systems.
Nexight Group CEO Jack Eisenhauer facilitated two all-day tabletop sessions: one with operational staff and one with CEOs and top executives. During these sessions, executives, operations staff, industry associations, information sharing organizations, and Federal, State, and local government agencies explored cyber response strategies, coordination and communication protocols, and information sharing needs.
Participants uncovered critical gaps and challenges and identified actionable opportunities to strengthen cyber incident preparedness. Here is a quick summary of what they learned.
- Peer-to-peer communication among operational and IT personnel during cyber incidents is essential and different than for physical events.
- OT and IT personnel receive an overwhelming number of cyber alerts, making it difficult to discern true threats from the “noise.”
- Cyber incidents can last for weeks and determining the cause, scope of damage, and estimated time to restore is very difficult and time-consuming.
- Utilities can improve their cyber incident response by integrating key functions: emergency response/disaster recovery, business continuity, incident reporting, public affairs, and customer service.
- Cyber attacks stress different types of personnel and resources, including qualified technical expertise, forensics, and vendor support.
- Incident command roles during a major cyber event are unclear, leaving energy providers uncertain who is “in charge.”
- Public communication and messaging for cyber incidents is challenging, particularly during “blue sky” days.
What Executives Need to Know
- Cyber damage is invisible to the public; conveying the scope and magnitude of disruptions and damage to government officials, the media, and the public is a major challenge.
- Government and public appetite for information and restoration estimates will be intense, while uncertainties are high.
- A major cyber event could have long-term impacts on utilities, including workforce, liability, and financial issues.
What OT/IT Personnel Need to Know
- Response and recovery to a major cyber event would involve high levels of uncertainty. Training and drills should account for long-term system operation with damaged systems.
- Cyber incidents require close integration of IT and OT resources with ample advanced coordination.
- Root cause analysis, mitigation, and forensics must be highly coordinated among energy providers, vendors, cybersecurity analysts, and investigators.
- Government, media, and customers will look to technical personnel to explain technical details of a cyber attack and restoration estimates.
Specific opportunities to improve cyber resilience, response, and recovering among New York State energy providers were identified and are currently under discussion. However, one topic that received a lot of attention is determining the best way to develop an industry model for cyber mutual aid. I will explore this topic and other opportunities in an upcoming blog post.