As emergency managers prepare their organizations for the threats and hazards that could affect the safety of their communities, the role of the energy sector continues to rise in importance and prominence in emergency planning.
Long-term disruptions to the electrical grid and the fuel supplies that power our cities, counties, and states can quickly become life-safety events. Incidents like the 2022 Winter Storm in Buffalo, New York; Winter Storm Uri that significantly impacted large portions of Texas in 2021; and the Pacific Heat Dome in 2021 – all of these events included blackouts and resulted in the loss of life. Threats faced by the energy sector and the electrical grid are not limited to just natural hazards. In testimony to the United States (US) House Committee on Energy and Commerce in July 2023, Manny Cancel, the Chief Executive Officer of the Electricity Information Sharing and Analysis Center (E-ISAC), highlighted that there was a 10.5 percent increase in physical security incidents reported to the E-ISAC in 2022 compared to 2021. This increase in attacks culminated in the 2022 attack on a substation in Moore County, NC, which caused 40,000 customers in a county of approximately 100,000 residents to go without electrical power for days, contributed to the death of one resident, forced the local hospital to operate on generator power, and led to a multi-day curfew in the county.
In addition to the natural and human-caused disruptions that can affect our country’s electrical system, Mr. Cancel also highlighted the evolving cybersecurity threats to the grid. While there has not yet been a situation when a cyberattack prevented the North American electric grid from meeting the demand of customers, the increase in attacks and vulnerabilities is considerable. In July 2023, the National Institute of Science and Technology (NIST) identified 15,000 new cyber vulnerabilities in the US electrical grid so far in 2023, signaling that the system is on track to overcome the previous record of 25,000 vulnerabilities set last year.
Considering the changing nature of the threats to the systems that power our way of life, Hagerty is honored to be supporting the E-ISAC in the planning and delivery of GridEx VII, the 2023 iteration of the biennial exercise for North American utilities and government organizations that serves as a rehearsal for how the organization would respond to and recover from an attack on the grid.
Why Emergency Managers Should Take Note
This week, hundreds of organizations across the US and Canada are participating in GridEx to simulate their responses to a combined physical and cyberattack on our nation’s grid. The scenario, designed to provide a challenging set of issues and problems for exercise participants to work through, has taken on a new level of importance in the past week.
In a report released on November 9, 2023, cybersecurity firm Mandiant outlines the first reported instance of a combined physical and cyberattack on an electrical system and highlights the rapid escalation in risks that energy providers face.
The report, and less technical summaries of the incident, show how Russian intelligence carried out a cyberattack in November 2022 that caused an unplanned power outage in a Ukrainian city while simultaneously launching a missile attack on that same city. This incident marked the first time that a threat actor paired their digital activities with physical attacks on the local population.
While a combined cyber and rocket attack on North America’s critical infrastructure might be unlikely, well-planned small-arms attacks that take advantage of other cyber events are quite plausible and could have very serious consequences. Regardless, reports and summaries of past incidents provide a sobering reminder about the need to proactively prepare our organizations and communities for an evolving set of risks. Events like GridEx help ensure that our need to advance our readiness for future disasters stays at the forefront of our attention and does not get pushed aside for tasks that feel urgent now.
Actions Emergency Managers Can Take Today
For emergency managers looking to further their preparedness, response, and recovery capabilities and consider their readiness for disruptions to their community’s power supply, Hagerty recommends exploring the following four discussion topics with your local utilities and your state energy offices. In our experience, each of these topics has helped to foster a collaborative understanding of what will be needed to lead a community through planned and unplanned power outages and develop greater resilience to power supply disruptions.
- Planning: In addition to their emergency operations plan, energy providers also maintain a set of detailed energy restoration plans that local emergency managers can benefit from understanding. These plans often include assessment procedures, prioritization processes, communication plans with customers and external stakeholders, restoration procedures, and resource management considerations.
- Risk Identification: With access to customer data, equipment records, and supply and demand forecasting models, utilities and state energy offices may have identified vulnerable populations within communities that emergency managers are likely unaware of.
- Mitigation Activities: Some utilities are spending billions of dollars to mitigate the risks to their equipment and the hazards they create in their service territory. These mitigation actions can drastically reduce the absolute value of any risk a community is exposed to while also highlighting areas of vulnerability throughout the community that were previously identified.
- Training and Exercise Program: Many utilities pursue aggressive training and exercise programs, allowing for opportunities to deepen relationships and dive into disaster response scenarios. As local government leaders, emergency managers can support utilities in the exercise simulation cell or during planned external coordination meetings. These events contribute to the readiness of the utility while also deepening the understanding of response protocols for supporting agencies.
Conclusion
While grid experts work to secure and make our energy grids more resilient, emergency managers must work closely with industry partners to ensure positive crisis response outcomes within their communities. Emergency managers should leverage existing tools and resources, such as the E-ISAC, which provides an opportunity to gain real-time knowledge and understanding of the cyber and physical threats impacting the electricity industry. Additionally, as we saw from GridEx VI, communication, collaboration, and coordination between industry and government, between states and localities, and across international borders are fundamental to a successful emergency response.
This week, it is inspiring to see so many utilities, partners, clients, and jurisdictions come together this week after over a year of planning for GridEx VII. Hagerty wishes each exercise participant a productive and valuable exercise to advance their readiness for future disasters.
Patrick Van Horne is Hagerty’s Deputy Director of Preparedness and an emergency management professional with nearly 20 years of experience in the private sector, local government, and the military. With extensive experience in organizational leadership and project management, Patrick has supported government and energy-sector clients in pursuing disaster preparedness initiatives that include developing emergency plans, designing and facilitating training and exercise programs, leading after-action analyses, as well as reporting and performing program assessments.