Imagine a day when the lights go out, not from a storm, but from a silent, coordinated attack. Communications fail. Power plants go offline. Disinformation spreads like wildfire on social media, sowing chaos. This isn’t a movie plot; it’s the exact scenario North America’s energy sector prepares for every two years in a massive security drill called GridEx.
Hosted by NERC’s Electricity Information Sharing and Analysis Center (E-ISAC), GridEx is the continent’s largest and most demanding grid security exercise. It’s a live-fire stress test designed to push utilities, government agencies, and critical infrastructure partners to their breaking point. Why? Because as NERC leaders have stated, our adversaries are actively looking for ways to exploit the system, and the only defense is relentless preparation.
Whether you’re a seasoned security professional or new to the world of operational technology (OT), preparing for GridEx is crucial. This guide will break down the key lessons from past exercises, provide actionable steps to bolster your defenses, and show you how to get involved in GridEx 2025.
What is GridEx?
Think of GridEx as the Super Bowl of grid security. It began in 2011 as a modest exercise to test responses to a significant cyber incident involving just 75 organizations. The scenario featured a stealthy digital threat—an Advanced Persistent Threat (APT)—designed to erode trust in the grid itself.
Fast forward to today, and GridEx has evolved into an all-out, all-hazards proving ground. Participation has ballooned to over 15,000 individuals from 250 organizations. The scenarios are no longer just about cyber threats. They now include:
- Coordinated Physical Attacks: GridEx II in 2013 introduced physical assaults on substations happening at the same time as cyberattacks, cementing the link between digital and physical security.
- Information Warfare: GridEx IV in 2017 added social media disinformation campaigns, forcing teams to fight a battle for public trust while trying to restore power.
- Supply Chain Compromises: Recent exercises have woven in attacks that start with trusted vendors, reflecting one of the most insidious threats facing critical infrastructure today.
This evolution isn’t random. It’s a direct reflection of the real-world threats our energy grid faces. Participating in GridEx isn’t just about compliance; it’s about ensuring you’re ready for the real thing.
Lessons from the Trenches: What GridEx VII Taught Us
To prepare for the future, you must understand the past. The after-action report from GridEx VII in 2023 is a goldmine of insights into the grid’s biggest vulnerabilities. The scenario was intentionally extreme, designed to test the industry’s ability to recover “under the most extreme circumstances.”
Here’s what the exercise revealed:
- Foundational Systems Can Fail: The exercise simulated the complete failure of the Inter-Control Center Communications Protocol (ICCP)—the system operators use to “see” and control the grid. It proved that even systems with layers of redundancy can be a single point of failure in a sophisticated attack.
- Communications are Brittle: Even robust, backed-up voice communication systems for grid operators were overwhelmed in the scenario. When the phones go down, how do you coordinate a recovery?
- Plans Can Clash: The exercise highlighted potential conflicts between a utility’s technical restoration plan and the priorities of government agencies during a national crisis.
- Hybrid Work is a Hurdle: Teams are still struggling to coordinate effectively in a hybrid work environment, with challenges in secure information sharing for remote and in-person responders.
These lessons are not just theoretical. They are a clear warning. The key takeaway? You must plan for the failure of systems you’ve always taken for granted.
Building Your Fortress: 3 Foundational Steps Before GridEx
Before you can fight off advanced adversaries, you need a strong defense. Mastering these three foundational OT security principles is the most critical part of preparing for a GridEx-level event.
-
Know Your Battlefield (Asset Inventory)
You can’t protect what you don’t know you have. A complete, continuously updated inventory of every piece of hardware, software, and firmware in your OT environment is the bedrock of security. This isn’t a simple spreadsheet; it’s a detailed map of your entire operational landscape. In OT, you must prioritize passive discovery tools that listen to network traffic, as aggressive “active” scanning can knock critical legacy devices offline.
-
Build Digital Walls (Network Segmentation)
A flat network is an attacker’s dream, allowing them to move from one compromised machine to your most critical systems with ease. The Purdue Model provides the classic framework for separating your IT (business) and OT (industrial) networks. But you must go further, creating isolated “micro-segments” within your OT environment. An attack in one substation shouldn’t be able to spread to another. A secure “demilitarized zone” (DMZ) between IT and OT is non-negotiable.
-
Guard the Gates (Access Control)
Controlling who and what can access your critical systems is paramount. This means enforcing the Principle of Least Privilege (PoLP), where every user and program has the absolute minimum access required to do its job. All remote access must be funneled through a single, hardened “bastion host” that is intensely monitored. And passwords are not enough. Phishing-resistant Multi-Factor Authentication (MFA) should be mandatory for any access to the OT environment.
The Playbook for Pandemonium: Responding When Things Go Wrong
Detection is useless without a plan for what comes next. An Incident Response (IR) playbook is a step-by-step guide that ensures your team can act swiftly and effectively under extreme pressure.
But remember, OT incident response is not IT incident response. The priorities are inverted:
- Safety First: Your first priority is always human life and safety.
- Maintain Control: The next priority is keeping control of the physical process to prevent damage or disruption.
- Availability Last: Keeping the service running comes after ensuring safety and control.
This means an IT admin’s first instinct—to unplug a compromised server—could be catastrophic in an OT environment. Your playbooks must be developed by a joint team of cybersecurity experts and OT engineers who understand the physical consequences of every action.
Your team should have practiced playbooks for key GridEx scenarios:
- Ransomware on an HMI
- Loss of View/Loss of Control
- Supply Chain Compromise
- Coordinated Cyber-Physical Attack
A well-defined team with pre-assigned roles is just as important as the playbook itself. During a crisis, you don’t have time to figure out who’s in charge.
Get in the Game: How to Participate in GridEx 2025
Ready to test your mettle? The GridEx VIII Distributed Play will take place on November 18-19, 2025.
Recognizing that not everyone has the same resources, NERC has introduced new tiered participation options for GridEx VIII, making it more accessible than ever.
| Participation Tier | Target Audience | Key Benefit |
| Standard Scenario | Large, mature organizations with dedicated planning teams. | A full-scale, complex exercise to test customized objectives and drive maximum improvement. |
| GridEx-in-a-Box | Smaller teams or organizations new to GridEx. | A simplified, pre-packaged functional exercise that builds core capabilities with less overhead. |
GridEx is the ultimate opportunity to see how your people, processes, and technology hold up under pressure. By preparing diligently, you can help ensure that when the worst day comes, you’re ready.
Click to view our GridEx Checklist
Can’t Make it to Gridex?
If your organization can’t participate in GridEx —or if you need an experienced facilitator to guide your team through the exercise—Insane Cyber can bring the training to you. Our OT tabletop experts design and run realistic, high-pressure scenarios tailored to your environment, so your operators, engineers, and security teams can practice critical decision-making without the logistical overhead of the full event.
Whether you’re looking to simulate a ransomware outbreak on a control system, a supply chain compromise, or a coordinated cyber-physical attack, we deliver the same rigor and lessons you’d gain from GridEx—on your schedule, virtually or at your facility.