As nation-state adversaries continue to direct threats at disrupting critical infrastructure networks, a recent exercise showed that many energy grid utility personnel are still without the necessary security clearances to access classified information on cyber attacks.
The North American Electric Reliability Corporation (NERC) released a report March 30 with findings from a recent grid cyber exercise, which found many critical infrastructure employees unable to analyze and share information related to major cyber threat situations.
“The number of utility personnel who hold government security clearances is small and is not sufficient to share classified information under this severe scenario. Government should plan to quickly declassify information that utilities need to prevent or respond to attacks,” NERC officials wrote in their report.
In November 2017, NERC held the two-day GridEx IV security and emergency response exercise, which included 6,500 participants from 450 American and Canadian energy grid infrastructure organizations.
“The exercise provided an opportunity for various stakeholders in the electricity sector to respond to simulated cyber and physical attacks that affect the reliable operation of the grid,” NERC wrote.
GridEx IV included a tabletop exercise with industry and government discussing current roadblocks to properly mitigating cyber vulnerabilities on energy grid infrastructure.
Participants in the discussion voiced concern about a lack of security clearances for the personnel likely to deal with cyber threat scenarios, according to NERC’s report.
The White House acknowledged in March that Russia was behind an ongoing cyber hacking campaign targeting the U.S. energy sector (Defense Daily, March 15).
Lawmakers on a Senate energy panel have also urged energy sector officials and private sector partners to adopt lower-grade technology that would allow grid personnel to more effectively isolate and mitigate cyber attacks (Defense Daily, March 9).