Over the last two months, two major hurricanes impacted the United States (US). On September 26, 2024, Hurricane Helene made landfall along Florida’s west coast, bringing catastrophic flooding and winds to communities across six states. Only two weeks later, on Wednesday, October 9, 2024, Hurricane Milton also made landfall along Florida’s west coast as a strong Category (Cat) 3 hurricane. In the event of large-scale disasters such as these, utilities, along with governments and other critical infrastructure entities, often focus on preparing for and responding to environmental hazards, providing opportunities for less visible hazards to persist.
One of these less visible hazards is threats to cybersecurity. According to the Cybersecurity and Infrastructure Security Agency (CISA), taking advantage of natural disasters and large-scale incidents to execute cyber-attacks or otherwise gain access to online systems of governments, businesses, individuals, and other organizations is, unfortunately, a frequent occurrence. Also common is bad actors attempting to scam individuals for money by posing as fraudulent charities or contractors, taking advantage of the confusion and stress caused by emergencies for financial gain. For example, after the Maui wildfires in 2023, impacted residents were targeted by real estate scams.
However, bad actors do not only target governments and individuals — utilities are also at risk. In a recent alert published September 26, 2024, CISA warned of continued attempts to exploit operational technology (OT) and industrial control systems (ICS) devices, especially in the water and wastewater sector. Critical infrastructure sectors, which include water and wastewater, are intrinsically linked together, meaning attacks on one sector can create cascading impacts on another, such as the energy or communications sector. Between March and July of 2024, two large communications companies, Lumen and AT&T, both reported cyber-attacks. Additionally, in the finance sector, Evolve Bank and Trust reported a cybersecurity incident in August of 2024 that resulted in the breach of over seven million customers’ data. This particular incident, which first appeared to be a hardware failure, involved a ransomware attack from a malicious hyperlink.
By targeting systems and individuals that are already under stress from a disaster or other incident, bad actors can exploit gaps in security systems that would otherwise be inaccessible. For example, individuals actively working under pressure to restore power to communities as quickly as possible may be more susceptible to clicking on phishing scams when they are required to make many decisions quickly and are working in a high-stress environment. This is why it is vital to identify gaps in security measures and develop programs to close these gaps in advance of any kind of incident. One way to identify gaps in security is through conducting exercises in a simulated, controlled environment.
GridEx and GridSecCon
In 2011, the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) began organizing GridEx, a biennial exercise for electric utilities to practice their response and recovery from coordinated cyber and physical attacks. With each iteration, the exercise scenario focuses on current threats to the electricity sector, in addition to other critical infrastructure sectors and government partners, to deliver an engaging training opportunity that helps utilities remain prepared in the face of an evolving risk landscape.
GridEx VIII will take place on November 18 and 19, 2025. Hagerty Consulting has partnered with the E-ISAC since 2020 to design and deliver GridEx to North America, in addition to supporting several utilities across the US in delivering their own GridEx exercises. To help promote GridEx and emphasize the importance of participating for utilities of all sizes, Hagerty Preparedness staff will participate in GridSecCon from October 22 to 25, 2024. GridSecCon is an annual grid security conference hosted this year by NERC, the E-ISAC, and the Midwest Reliability Organization (MRO).
GridSecCon provides the opportunity for attendees to learn about the current threat landscape and train with industry and government security leaders on effective threat mitigation and best practice. Participating in GridEx is one way to exercise cyber response and recovery techniques against various scenarios and threats. In GridEx VII, participating utilities were provided with opportunities to practice response to Distributed Denial of Service (DDoS) attacks, ransomware, and software update errors for distributed energy resources (DER), amongst other cyber and physical events.
Because of the dynamic, multi-faceted scenarios developed for GridEx, utilities that participate can exercise their response plans during an event with cascading impacts and multiple threats, creating the opportunity to identify gaps or areas for improvement in their procedures. The aim of GridEx is to assist electric utilities and their partners with improving their response, so that in the event of a real natural hazard or emergency event, they are better prepared to recognize potential cyber threats and respond, stopping bad actors from achieving their goals and destabilizing the security of the North American electric grid.
For more information on GridEx and how to participate, please visit the E-ISAC’s website. For support designing GridEx for your utility, energy agency, or emergency management agency, please contact us.
Cristina Mazzone is a Managing Associate with eight years of experience in emergency management, specializing in response, logistics, and training, as well as resiliency and sustainable development. Currently, she is supporting clients with a variety of energy, transportation, and training projects.