GridEx: Is This Exercise Enough to Protect Critical Infrastructures?
GridEx is a biennial exercise run by the North American Electric Reliability Corporation (NERC). The latest iteration, GridEx IV, was held on November 15-16, 2017. Most Americans have never heard of GridEx and didn’t even know it was taking place. In fact, most people don’t really have a clear understanding of what “the grid” is and what role NERC (a private not-for-profit corporation) and the federal government play in regulating the grid.
Bottom line up front:
- GridEx is a voluntary exercise designed to test the grid’s response to large-scale power outages.
- GridEx lacks transparency – very little public information is available. NERC says: “Due to the sensitive nature of the scenario discussion, this exercise program is not open to the general public or the media. A public report will be available after the exercise concludes.”
- GridEx is held for two days every two years.
- Very limited overview reports are available to the public for the last three GridEx exercises. They don’t say much.
GridEx is too little, not often enough and with little transparency. While any exercise involving testing the bulk power system’s capabilities, resilience and response is admirable and seemingly useful, it seems to me that GridEx is the minimum necessary for the bulk power industry to avoid having the federal government step in – which no industry wants.
But is GridEx sufficient to protect the United States from the catastrophic, existential threats to the power grid? Unfortunately, the answer is no.
What is the grid?
The bulk power system – or “the grid” – is not really one thing. The grid is actually thousands of companies, both public and private sector, that operate in an interconnected system to facilitate the generation, transmission and distribution of electrical power. The grid is made up of power generation (such as power plants, wind turbines and solar farms), high-voltage transmission lines that span long distances across the country, and local distribution lines, which bring the power from the street to your house.
This interconnected (and vulnerable) patchwork is what allows the United States to support her human population. Everything that enables 325 million people in the country to survive is wholly reliant on the grid. All of our critical infrastructures – food, water, fuel, transportation and medical systems – are 100% dependent on the grid.
How is the grid regulated?
The grid is self-regulated (similarly to Wall Street). The federal government under current law can’t tell “the grid” what to do. The North American Electric Reliability Corporation (NERC) is a not-for-profit corporation. It acts as the self-regulatory organization “whose mission is to assure the reliability of the bulk power system (BPS) in North America.” The Federal Energy Regulatory Commission (FERC) is an independent federal agency that regulates the interstate transmission of electricity, natural gas, and oil. FERC’s specific authority over the electric grid is to “oversee the reliability of the bulk power system.” The regulatory scheme of the grid between NERC and FERC is mind-numbingly complex. (Just the way most industries prefer their relationship with the federal government to be.)
The Energy Policy Act of 2005 added Section 215 to the Federal Power Act. This gave FERC the authority to certify an organization as an “Electric Reliability Organization” (ERO) which would develop reliability standards for the industry, subject to FERC’s approval. Yes, you read that right – the industry writes its own reliability standards.
On July 20, 2006, FERC certified NERC as the ERO. Other entities objected and administrative appeals and litigation ensued. Section 215 does provide that FERC, “upon its own motion or upon complaint, may order the Electric Reliability Organization to submit to the Commission a proposed reliability standard or a modification to a reliability standard that addresses a specific matter if the Commission considers such a new or modified reliability standard appropriate to carry out this section.” In English, FERC can order NERC to develop a particular standard and submit it for FERC’s review and approval, but this again is very time-consuming.
Thus, FERC (the government) can’t easily tell NERC (the industry) what to do: there is a convoluted and time-consuming rulemaking process involved. Before FERC can order NERC to take any action, it has to issue a proposed rule, solicit and consider any public comments (including those of the regulated entities and their representatives) and then issue a final rule (which is subject to industry lawsuit). This can take an incredibly long time. In terms of “sausage making,” this rulemaking process is no way to get anything done quickly. A final rule can literally take years to issue. In some contexts, perhaps this regulatory scheme makes sense, but the protection of the grid and the dependent critical infrastructures is a national security issue – an issue of survival for families and the country. But it gets worse.
There is no federal law that says that the grid has to protect itself from hazards and threats. In fact, as previously noted, “itself” is thousands of separate companies that regulate themselves through NERC. Our very survival is dependent on the industry’s willingness to do the right thing. They are not required to do the right thing. This is why, in my estimation, GridEx is the bare minimum that the industry felt they had to do to avoid the government getting off its slow and lumbering buttocks and doing something drastic to protect the grid – and the United States – from catastrophe.
GridEx is not sufficient to protect the United States from catastrophe
The only things standing between America and catastrophe are thousands of moving parts, a self-regulatory organization (NERC) and a regulator (FERC) with little actual power to protect us. Moreover, as we saw from the Great Northeast Blackout of 2003, a weakness in one of these thousands of moving parts can have cataclysmic consequences for the whole. In 2003, untrimmed foliage in Ohio started a chain of failures which resulted in a blackout for over 50 million people in the U.S. and Canada.
So, with the United States facing increasing threats from cyberattack, terrorism, electromagnetic pulse (EMP), geomagnetic disturbance (GMD) as well as the traditional threats to the grid, is a biennial (once every two years) two-day voluntary exercise enough? In the last GridEx (2015), only “364 organizations across North America participated in GridEx III, including industry, law enforcement, and government agencies.” 364 organizations out of thousands voluntarily participated.
The public reports from the three past GridEx exercises are not confidence inspiring. They lack detail about how the exercises were conducted. They are all spun to make each exercise seemingly a “success.” All objectives were met. Perhaps they were, but there is not enough detail to really assess how effective these exercises actually were. If you want to decide for yourself, here are the public reports.
In order for GridEx to be more meaningful, here is what should happen.
- GridEx participation should be mandatory – this is an issue of national security.
- GridEx should be held annually.
- “Lessons Learned” should be turned to action items for NERC, FERC and DHS.
- More information should be available to the public and press – In the GridEx III report, it actually said that they constructed the exercise reporting to thwart Freedom of Information Act requests!
- The Department of Homeland Security should use this opportunity to implement the provision of the National Defense Authorization Act for FY 2017 that requires DHS to “include in national planning frameworks the threat of an EMP or GMD event.”
- Congress should insist that the results of future GridEx events be reported to the House and Senate Homeland Security Committees.
- Finally, local emergency management organizations across the country need to participate.
In sum, I am not against GridEx by any stretch of the imagination. I just think in its present form, GridEx is a paper tiger. And we live in a real jungle.