[00:00:03:15–00:00:34:16]

Navroop Mitter: 

Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, armortext.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.

[00:00:34:18–00:00:44:08]

Navroop: 

Hello and welcome to The Lock & Key Lounge podcast. I am Navroop Mitter, your host for today, and I’m delighted to welcome Jesse Sythe to our program.

Jesse Sythe: 

Thanks, Navroop. Happy to be here.

[00:00:44:10–00:02:56:12]

Navroop: 

Really glad to have you on. Jesse Sythe serves as the Critics Program Manager at the Electricity Information Sharing and Analysis Center, better known as the E-ISAC, under NERC, or the North American Electric Reliability Corporation. Jesse spent over 20 years in the electricity sector, beginning his career as a reactor operator aboard the USS John C. Stennis and later serving as a transmission operator and leader in operations training and simulation at Eversource Energy.

His passion has always been improving operations through emergency response exercises, something he’s been doing since courting Eversource’s participation in GridEx II back in 2013. Now with the Electricity-ISAC, he leads the entire GridEx program, shaping how the industry prepares for the threats of today and tomorrow. Jesse holds degrees in nuclear engineering, technology, and English and is pursuing a master’s in energy policy and climate.

And when he’s not preparing the industry for chaos, you’ll find him in Atlanta, always up for good conversation on how to take—how to make exercisers better. 

Now, to set the stage for what we’re going to be discussing—the reliability of the electricity sector is increasingly being tested by both physical and cyber threats. Large-scale exercises like GridEx have played a critical role in shaping how industry leaders, asset owners, and operators respond to crises.

In this episode, Jesse and I will sit down to discuss his role as the Program Manager for Grid Electricity-ISAC and to discuss the role of these exercises in enhancing industry wide resilience. We’ll explore how GridEx has evolved over the years, the thought leadership that has emerged from key coordinating bodies like the ESCC, and what it takes to ensure executive-level engagement in response and remediation.

And with GridEx VIII on the horizon, Jesse will share insights into the most pressing threats facing the sector and how lessons learned from these exercises can be applied beyond the grid to other critical infrastructure sectors. 

Finally, we’ll also be addressing the recent policy changes affecting the ESCC and what that means for industry coordination going forward. 

So, Jesse, let’s just dig right in about the role and evolution of GridEx. GridEx has been running for over a decade now. How has the exercise evolved from its early days to where it is today?

[00:02:56:15–00:05:42:14]

Jesse: 

Yeah, well, the very first GridEx that we did in 2011, we just called it GridEx because we didn’t know it would be doing another. And it was purely focused on cybersecurity only. And once we did realize that there was a demand for more GridExes, we did GridEx II in 2013. We added physical security. 

In GridEx III, we added operations and operational impacts. And then, from GridEx IV and beyond, we’ve kind of been all in on this full-scale whole-of-organization participation and beyond. And the niche that GridEx has now come to fill is kind of that broader coordination between internal functions within your organization, as well as with external partners, whether that’s cross-sector partners, government partners, law enforcement, et cetera.

And we’re not the only exercise program out there. Many utilities—they run their own exercise programs, and they can do very specific functional, task-based exercises with a narrower scope and very specific outcomes. 

With GridEx, we cover kind of the broad scope—the 30,000-foot view—covering all aspects of response and recovery across the entirety of North America every two years. And I would say, as far as its kind of evolution, more recently, with how big GridEx has now become, we found that our next step is to kind of go a little smaller. 

Every organization that participates in GridEx is different, right? We have over 250 different organizations that participated in GridEx VII back in 2023. But some utilities out there can commit 20-plus people to their GridEx planning teams, and they can coordinate a full-scale exercise over the course of a year of preparation. 

But other organizations might have one person that they can dedicate to planning, and that person might also wear five hats, additionally, within the company. So those five-hat heroes might take one look at our mountain of materials we provided for GridEx VII and say, “Well, no thanks, I don’t have time for that.”

And that’s understandable. So, for GridEx VIII this November, we’re adding two additional options for participation—kind of within their own packages. 

There’s a GridEx in a Box package, which is a smaller-scale version of a live exercise, more focused on specific functions rather than a full-scale endeavor. And then there’s our tabletop package, where just one person with minimal prep could run folks through a scenario in a discussion format, either in person or remote.

So, we want all those options to be on the table—so everybody who wants to benefit from the scenario and all the work that’s been put into GridEx, they can. 

So, I think that answers your question.

[00:05:42:17–00:06:13:21]

Navroop: 

Absolutely. And actually, thinking about this—right? Oftentimes, we get asked what is the real impact of participating in these kinds of exercises, especially ones that take place across the entire sector rather than just at home, so to speak. 

You’ve had the unique position of having worked at both the utility side of the house, as well as now managing GridEx at the Electricity-ISAC. So from your perspective, what’s been the biggest impact of GridEx on strategic response and policy within the electricity sector?

[00:06:14:00–00:08:51:07]

Jesse: 

Yeah, that’s really good question because every GridEx, of course, brings its own unique lessons and improvements. We do have our lessons learned reports that we publicly post on the E-ISAC and NERC websites from each GridEx we’ve had. 

I think one of the big highlights I like to mention is how we included a pandemic in GridEx IV back in 2017. We explored the impacts that it would bring to the workforce within various aspects of critical infrastructure. And a big takeaway from that exercise was that many utilities and other organizations either had an insufficient pandemic plan or no plan at all. 

And I remember, as a participant on the utility side at that time, we heard some chatter and some feedback from folks saying, “Yeah, I mean, it’s the exercise flu. This is probably never going to happen.” And of course, now we know the reality. 

But I do believe, looking back, that GridEx in particular really did have one of the largest impacts—particularly in industry—in preparing us for a world-altering crisis. A lot of folks benefited from that GridEx at that time.

I will probably highlight one other lesson that I think has been pretty consistent throughout the GridEx program, and that’s that every time GridEx is used as an opportunity to practice that response to a cyber and physical security attack alongside government and law enforcement partners, we see huge gains in process improvement and lessons learned. 

This exercise does a great job as kind of serving as an opportunity to dispel assumptions and address any conflicts or inconsistencies between emergency response plans and recovery plans between industry and government.

There’s this—I’ve seen a common misconception that regular coordination between industry and government on things like weather and storms—that that’s going to translate into similar, consistent coordination on an event where you are the target of a cyber or physical attack. 

And it’s understandable, right? You have certain parts of the country and certain utilities that get a lot more practice in winter storms or hurricanes. But that assumption proves to be untrue as GridEx plays out—typically, with attack scenarios having a lot of additional snags and considerations that winter, storm, or hurricane wouldn’t really have. 

So, I think those are the highlights there.

[00:08:51:09–00:09:42:09]

Navroop: 

I imagine some of what has come out of all of that is the need for increased executive engagement, not just dealing with the nerds in the basement, right? And— 

Jesse:

Yeah.

Navroop:

—I think that’s a theme we’ve seen emerging in recent years, both from organizations themselves—recognizing that during an incident, their executives may have to play a role that they previously not prepared for—but also from a legal standpoint. 

Depending on where in the world you are, your interest in cyber security, and, in particular, incident response, become the purview of the board—elevating that’s even above just the executive teams. 

And it’s been kind of interesting. I’ve been wondering about that emerging theme and executive engagement and response planning. What steps have been taken to ensure senior executives are equipped to make critical decisions during an incident when it comes to things related to the electricity sector?

[00:09:42:11–00:13:10:13]

Jesse: 

Yeah, that’s a—a good thing to highlight here—is that that executive-level engagement, we, of course, encourage it within our kind of live play exercise. 

But we do have a kind of second side of the coin to the GridEx program, which is the executive tabletop exercise, which takes place the day after our live distributed play exercise wraps up. This executive tabletop exercise really focuses in on the strategic and executive-level coordination across the electric industry and within the US and Canadian governments as well. And that would be in response to various types of attack scenarios on critical infrastructure. 

We’ve been doing that executive tabletop for a while now. It wasn’t part of the very first GridEx, but you started to see it kind of develop from GridEd II to and build out into what it looks like today.

Historically, most recently, this has focused on two key groups, and that’s the Electricity Subsector Coordinating Council, or the ESCC and the Energy Government Coordinating Council, or EGCC. Between these two groups, that’s where you see the coordination between industry and government. And that’s usually to establish unity of effort, unity of message during large-scale crises. 

But the ESCC also plays a large role in communicating industry needs, coordinating mutual aid efforts, dealing with supply chain concerns, and a lot more.

So, I think in that way, the electric industry has been fairly advanced in the general realm of executive engagement in response planning for a while now. Many organizations, as I mentioned, that participate in GridEx distributed play—they also bring in their executive leadership into that real-time response. 

I will say that over the past few GridExes, we have consistently seen a few concerns with how this coordination across industry and government leadership might play out if telecommunication systems were heavily impacted.

When we go through these exercises, any time that we’d impact cellular networks or internet connection in our scenario, a lot of the normal order of business for these coordination processes would start to break down. And after GridEx VII back in 2023, we had the E-ISAC actually coordinated with the ESCC to work on making some improvements there.

We actually launched a project across about six months. We coordinated with our regular partners on GridEx—Hagerty Consulting, as well as Converge Strategies—to conduct this project to evaluate resilient communications technologies across the electric industry, and to look at how we can ensure that, particularly that executive-level leadership—the ESCC—how they can maintain that strategic inter-regional and cross-border coordination during large scale crises where communications might be impacted.

And I’m happy to say, since this project concluded over a month ago, we’ve actually coordinated further with the ESCC to develop some processes to ensure that several resilient communication—communications options are on the table for these critical leaders in the future, particularly when those primary and alternate methods of communication fail.

[00:13:10:17–00:14:24:23]

Navroop: 

That’s great to hear because communications resiliency is certainly something that we talk about all the time. 

One of the things that has routinely come up as we talk to folks in both energy and banking and manufacturing is the need to have some sort of resilient data connectivity. So, you have the ability not just to talk to someone but also the ability to do some additional work—some of which is going to be your response and remediation efforts on top of like an ArmorText—as you’re having to work through potentially what might be a breach of your systems in case it wasn’t just a complete whole-scale telecom outage or internet service provider outage, but rather someone trying to listen in on your email or your team-in-collaboration chat applications, whatever the case may be. 

And so, it’s a topic that is near and dear to our hearts and one that keeps coming up all the time. But I wanted to shift to something because you brought up the ESCC, and we’ve been discussing so much now—one of the—actually, the hype talk about—kind of the policy shifts that have left the status of the ESCC as an advisory council is somewhat in flux. 

Given its role in coordinating response and shaping policy, what does this mean for industry resilience and what, if anything, needs to fill that potential gap?

[00:14:25:00–00:16:10:10]

Jesse: 

Yeah, it’s an important question, and it’s definitely something we are keeping an eye on. From the Electricity-ISAC and just for the electric sector in general, and I will say—I can’t speak for the ESCC itself—but recent shifts, including the ending of CIPAC—that’s the Critical Infrastructure Partnership Advisory Council—that has kind of left the ESCC and other similar coordinating councils across other sectors.

And I would call it a bit of a limbo state. The ESCC and other councils like it—they serve a vital role in acting as liaisons between industry and government, along with a lot of other things that they’ve taken on over the years as far as this kind of policy shift and the ESCC’s status.

The good news is that that conversation is still going. The ESCC absolutely isn’t going away. Personally, I’m pretty confident that another partnership or policy or agreement is going to be created very soon to replace CIPAC. It might not look exactly the same, but we know, whether it’s across industry or government, that public-private partnerships are crucial, especially in critical infrastructure.

And our resilience depends on those partnerships. So, I do fully expect that spirit to continue. I’m hopeful without—I can’t say for sure what will happen in the future, but I’m hopeful that that is going to continue. And something will take the place of CIPAC, hopefully sooner than later. But in the meantime, the ESCC is still around and still very focused on on the resilience of our sector and beyond.

[00:16:10:13–00:16:24:23]

Navroop: 

All right. Well, in that case, let’s actually look ahead to GridEx VIII and maybe some lessons that you can actually share that would help other sectors, right? But, starting with GridEx VIII, what are some of the key focus areas, particularly as threats to the grid continue to evolve?

[00:16:25:04–00:20:07:15]

Jesse: 

Yeah, it’s always fun getting started with the design of a new GridEx because what we start with is actually talking to the industry itself. We gather volunteers from across industry, as well as some of the national labs, and we get a design team, subject matter expert teams. Last couple of GridExes, we brought together teams of every reliability coordinator throughout North America.

And from them, I get to ask the fun question of what are the things that keep you up at night? What are the things that you really worried about in the next three to five to ten years? What are the things that you wish we were paying more attention to? And, of course, from there, we try and work as much of that into the scenario as we can.

Now, for this year, for GridEx VIII, one of the things that we really want to emphasize is how real the threats are. So, almost every inject—without giving away too many spoilers here—every inject that we are putting in GridEx VIII is either directly copied from a real event that has happened, that has been reported by our members, or that has occurred overseas.

Or it is very strongly inspired by an event that has already happened, with maybe a very slight adjustment to take it up one additional level or notch. I will say, the one question that I kind of get tired of answering from an exercise planner point of view is, “Is this realistic?” And the resounding answer is, “Absolutely, yes.” But we are taking, one additional—I would say two additional—ingredients that we are adding to make this a realistic threat. And that is funding and coordination. 

We have benefited from the fact that, thankfully, we have relatively few cyberattacks and physical attacks that cause an impact on operations and reliability. We receive the electric industry and other critical infrastructure sectors.

They can all tell you we are constantly under threat, whether it’s physical or cyber. But thankfully, most of these are not causing a large impact. But if you add layers of funding and coordination—maybe a nation-state actor or something like that that provides that—then a motivated and well-funded and well-coordinated adversary could unleash several coordinated physical attacks on substations combined with escalating and varied cyberattacks.

And we’re exploring communications impacts as well. Those kinds of things that unfold over a two-day exercise for GridEx—that’s what you can expect to see, in GridEx VIII. And we’re also looking at some additional places, especially things that folks are really concerned about now, such as the continuing expansion of data centers and the reliance on data centers, and then also recognizing that data center resilience is a very important thing to be concerned about.

And starting to explore—well, what if data centers were impacted? How does that impact utilities? How does that impact other sectors? How does that impact coordination and beyond? So, I know that was a lot to cover, while trying to stay at a high level and not give away spoilers, but hopefully that covers most of it.

[00:20:07:17–00:20:42:19]

Navroop: 

See, I was hoping we’d say breaking news. We’ve got your cheat sheet here from Jesse Sythe. I—actually, interesting note on when it comes to the inspiration for the exercises. Two questions and thoughts—one, are you drawing principally from things that have happened domestically or overseas, specifically with respect to electricity? Were you also looking at attacks that have happened on other sectors or potentially even the common large-scale providers that we all rely on, whether it’s like an Amazon or Microsoft, whomever—

Jesse:

Yeah.

Navroop:

—that everyone relies on all the time?

[00:20:42:21–00:21:38:13]

Jesse: 

That’s very astute of you. We are doing both. We are looking not just within our industry but beyond, and recognizing that a lot of us within these various sectors—and, of course, we have very good relationships with the various other sectors—that there’s, of course, and there’s an ISAC for just about every critical infrastructure sector you can think of.

So, the Comms-ISAC, the Downstream Natural Gas-ISAC, the Oil and Natural Energy-ISAC, the Water-ISAC and beyond. Financial Services-ISAC is very advanced, and it’s been a pleasure, honestly, working with them and hearing what threats they’re dealing with, and seeing how these can impact our sector or how it might be modified to be something that we would have to worry about as well.

So, yeah. Excellent question.

[00:21:38:15–00:21:48:10]

Navroop: 

That’s interesting. What about citations? When you get challenged like that, do you ever provide a citation to say, “Here’s what we drew from as inspiration,” and you keep a catalog of those?

[00:21:48:12–00:22:13:21]

Jesse: 

Yeah. It’s—that’s a really good point. It’s actually something that we have—we may not have necessarily done as much of in the past, but we’ve tried to be a little better about that. We, of course, give credit wherever we can and where it’s due. If it’s a real-world event, we might reference a E-ISAC portal post to members to say, “Hey, this is where the inspiration came from.”

So, we haven’t always done that. I think that’s something we’re trying to do more. If we get inspiration from something. Although, if we do use anybody’s actual work, of course, we do provide the citation. We ask for permission prior to using.

[00:22:27:18–00:22:37:21]

Navroop: 

No, of course, that—I just meant in terms of like, “Here’s a global outage of X or Y that is taking place. Three years later, we may have forgotten about that outage.”

Jesse: 

Yeah.

[00:22:38:03–00:22:58:01]

Navroop: 

Just a day was a blip in everyone’s travel schedules. But when you can actually provide the citation that says, “Hey, by the way, this is what inspired this type of outage here, right? This malicious or non-malicious update to system caused airline travel to be completely impacted for two days. And that’s why everyone could have reached the site where they had to go to coordinate certain things.”

Jesse: 

Absolutely. Yeah. And that’s helpful for planners to see that that inspiration so that if they want to dive deeper beyond just the materials we provide, they have that option.

[00:23:09:21–00:23:32:04]

Navroop: 

Absolutely. So, coming now to lessons that might be beneficial to others—in a GridEx system has been specifically designed for the electricity sector—but many of its lessons are probably applicable well beyond it. What are the biggest takeaways that other critical infrastructure sectors could adopt from the way the electricity industry has approached resilience planning?

[00:23:32:07–00:24:06:16]

Jesse: 

Yeah, that’s—it’s a good question. I think that we—one of the big things that GridEx heavily focuses on, especially in more recent iterations, has been interdependencies between various critical infrastructure sectors—oil and gas, telecommunications, water, wastewater, and financial services. Those have probably been the the biggest ones that we focused on. 

And as far as cyber and physical security goes and the exercises that we do, I would say that the electric industry has been kind of leading the way in critical infrastructure for a long time alongside—I would say—the financial sector. And we teach each other, and we learn from each other each time that we engage in these exercises together. And these impacts that we see—they can cascade into other sectors, and exercises really help us better understand how to mitigate and respond when these attacks start to spread like that. But with GridEx very focused on the electric sector first.

Honestly, I just think it’s been great to see kind of inspiration taken from that, and many other exercises begin to either grow or evolve or have new exercises pop up. Just some examples—in 2022, the NGX launched, which is the first nationwide tabletop drill focused on natural gas, with a focus on that physical and cybersecurity response.

We’ve had tri-sector exercises across energy, telecommunications, and finance. The Water-ISAC launched H2OEx last year, which, right now, is just focused on a regional resilience exercise, but that also coordinates with local and federal government. 

And then, of course, speaking of government, they’re kind of like they’re our own sector in and of itself. And they run their own exercises, and they continue to invite more and more industry participation in these exercises.

A couple of examples from recent memory. About a month ago, I actually participated in Natural Resources Canada’s Energy Command exercise alongside several different utilities. Department of Energy runs their annual Clear Path exercise series, which brings in a wide range of energy infrastructure participants. And then, Department of Defense—they’ve incorporated several sectors into a few of their exercises of late.

And really, I think every sector should be engaging in exercises like this wherever they can. You don’t want to be looking back after a real event and thinking, “Gosh, we really could have done more to prepare for this.”

[00:26:12:22–00:26:19:05]

Navroop: 

I love that everyone else is now jumping on the bandwagon. I mean, honestly, it’s—

Jesse: 

It’s a good bandwagon to be on.

[00:26:19:05–00:26:39:19]

Navroop: 

A great bandwagon to be on, right? This is the one where we want everyone to join. And so, given that then—and given that you’ve got so many years of experience working on GridEx and transmission operations in general—what’s the thing you wish all the industry leaders, whether in energy or other sectors, understood then about running large-scale resilience exercises?

[00:26:39:22–00:28:51:18]

Jesse: 

Yeah, the biggest point I would make about this, especially when speaking to industry leadership, is the more that you put into it, the more you will get out of it. And that starts with leadership, because across the broad spectrum of 250-plus participating organizations back in GridEx VII, the ones that got the most out of it—the most lessons learned, the most action items, the ones who saw the most improvement and resilience after the exercise—they are the ones who also had full-throated support and commitment from their executive leadership, from the CEO down. 

And CEOs that prioritized the exercise, they committed resources and personnel to the exercise, and they ensured that their people were supported as well throughout the planning process. There were, in fact, some CEOs that even agreed to allow themselves to be deepfaked for their internal exercises, which is an impressive bridge to cross. That, I think, they’re keeping those pretty tight under lock and key there, but that’s commitment. 

And for some, that may just mean maybe hiring someone additional to help support the exercise. Maybe, for others, it might mean hiring a contractor or simply shifting away from other work priorities. But with that addition that we’re doing for GridEx VIII—those new participation options, GridEx in a Box tabletop package—we’ve also made it easier than ever to get started with the exercise, to join the exercise if folks haven’t done it before, and to try and gain some benefit from GridEx regardless of the resources available. 

So, I guess that’s the biggest message I would say is—please understand that the more that you put in, the more resources you commit to it, the more benefit you’re going to get. And it doesn’t have to start from a full-scale, crazy exercise. Start with a tabletop. Start with something small. Build your exercise programs over time. It’s essential to building resilience and being prepared for the threat landscape we face today.

[00:28:51:23–00:29:20:09]

Navroop: 

Jesse, I’ve been thoroughly enjoying our conversation today, and we’re nearing the end of our time. But if you’ve got a minute, I’d like to ask you one last, just kind of fun, wrap up question.

Jesse: 

Of course.

Navroop: 

All right. So, imagine it’s the last day of GridEx VIII, right? It’s that evening. Everything’s coming to an end. You’ve just run the electricity sectors biggest stress test. What’s your go-to weight on wine? What’s that favorite libation or cocktail, or what are you going to go grab?

[00:29:20:10–00:29:59:23]

Jesse: 

Oh gosh, I mean, I am—I’m not much of a drinker, I will admit. I actually really enjoy, a Fever-Tree Ginger Beer or the one that just shoots right up your nose and clears your sinuses out. But, honestly, my go-to stress release ends up probably being going for a run.

I ran my first marathon back in 2019. And on that day, I also learned it would be my last marathon, because it really stopped being fun after about mile 20 or so. But ever since then, good 2- or 3-mile run—it’s the perfect way to unwind and just kind of let the stress go.

[00:30:00:01–00:31:10:01]

Navroop: 

Well, while I will never join you on a run—I find zero pleasure in that—I will absolutely join you in Fever-Tree Ginger Beers or a wide assortment of the other 30 or 40 that I’ve come across. 

Jesse:

Excellent. 

Because I also love ginger beers, and there’s actually a place outside—as you approach Las Vegas from LA—I believe that road trip, there’s a place that specializes in just ginger beers. 

Jesse:

Ooh.

Navroop:

Right. So maybe—

Jesse: 

Well, I’ll have to check that out.

Navroop: 

Yeah, we might have to make it a field trip going after the next GridSecCon. Are we heading to Vegas later this year?

Jesse: 

Absolutely. GridSecCon is October 7 through 10 at the MGM Grand in Las Vegas. It is always a blast, and I will absolutely be there.

Navroop: 

Awesome. We will see you there. And with that, we’re going to bring this episode of The Lock & Key Lounge to a close. We thank all of you who stayed on and listened with us.

Jesse: 

Take care, everybody.

Navroop: 

Take care. Cheers.

[00:31:10:03–00:31:42:17]

Narrator (Matt Calligan): 

We really hope you enjoyed this episode of The Lock & Key Lounge. 

If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at lounge@armortext.com or our website, armortext.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.