Most war exercises are starkly visual, intimidatingly loud experiences. Weapons, hardware, maybe even smoke and booms are involved.
The cyberwar is a different animal altogether, with an invisible enemy probing for weakness along the wall separating information and operations. Most are fended off, but Ukrainian power generators learned the hard way after malware shut down their grid in 2015.
The Ukraine attack forced cybersecurity to top of mind for many utilities in the U.S. Exelon Corp. decided to do something about it, undertaking a live exercise to disconnect its real-time network from the corporate network in the case of an intruder within its system.
Exelon IT and cybersecurity experts shared their insights during the “Live Cybersecurity Exercises against Production Systems” session Tuesday at DISTRIBUTECH International in San Antonio. The panel also featured West Monroe Partners, which worked with Exelon on the live exercises from 2017 to August 2019.
The live exercises disconnected the Exelon corporate network from the real-time system for about a four-hour period, testing how operations handled the break and how things were brought back together. The Exelon event involved hundreds of collaborations among its various utilities and infrastructure vendors.
Participants include communication system engineers, transmission system operators, compliance experts, physical and corporate security, among many others. To even attempt the exercise Exelon’s experts had to understand the data architecture intimately – which they did – but also learned how spread out and complex the connections were.
“There were some things we thought would work a certain way and they didn’t work,” said Mike Kuberski, director of IT for utility communications at Exelon. “We capture what went well, what didn’t go well.”
Ted Johnson, director of IT, real-time solutions for Exelon unit ComEd, said the goal was to minimize disconnection time. The first step was to perform pre-disconnection checks, then disconnect, validate the critical functionalities, validate retained and lost functionality, reconnect, validate normal operations and then backfilling of data, if necessary.
The system isolated from the enterprise network include the transmission and distribution SCADA (supervisory control and data acquisition) system, advanced metering infrastructure, operations management systems and more.
“This was meant (to simulate) an external attack” Kuberski said, “that would come through the corporate network into the real-time network.”
The Exelon utilities which participated in their own live exercises over the two-year period included ComEd, PECO, Baltimore Gas & Electric, Atlantic City Electric, Delmarva Power and Pepco.
DISTRIBUTECH continues through Thursday at the Henry B. Gonzalez Convention Center in San Antonio.
Originally published on power-grid.com