British company BAE Systems has secured an $8.6m contract from the US Defense Advanced Research Projects Agency (DARPA) to develop a technology for quick restoration of power after cyber attacks. The technology rapidly isolates both enterprise IT and power infrastructure networks from all channels of malicious attack. It also helps establish a secure emergency network (SEN) among trusted organisations to facilitate the coordination necessary to restore power to the complex electric grid.
The technology detects and disconnects unauthorised internal and external users from local networks within minutes of activation. It creates a hybrid network of data links secured by multiple layers of encryption and user authentication. The system depends on advances in network traffic control and analysis, which will allow utilities to establish and maintain emergency communications. It also establishes the SEN by utilising advances in broadcast, satellite, and wireless technologies developed for agile communications in contested environments. Designed to function in the absence of prior coordination among affected organisations, BAE Systems’ technology operates regardless of power availability, internet connectivity, disparate IT networks and grid infrastructure technology.
BAE Systems’ communications and networking senior principal engineer and manager Victor Firoiu said: “Getting the power back on quickly after a cyber attack is critical to national defence. Given the scale and complexity of the US power grid, and the chaos following a coordinated, large-scale attack, this is no easy task. Our work with DARPA is intended to stop ongoing attacks and minimise downtime.”
The chief of US Cyber Command has said it’s a matter of “when, not if” the US power grid is hit by cyber attackers. And a recent high-profile attack that shut down power in Ukraine showed it’s certainly possible. “We have power outages [in the United States] that last five or six hours that are regional in nature,” Thomas said. “You just don’t hear about them because they’re not that big a deal.” If hackers were to knock out 100 strategically chosen generators in the Northeast, for example, the damaged power grid would quickly overload, causing a cascade of secondary outages across multiple states. While some areas could recover quickly, others might be without power for weeks.
He added: “The goal of a cyberattack like that against the United States infrastructure from a nation-state … is going to be not just to turn the power off, but to keep it off for an extended period of time or an extended area impacting millions and millions of people.” The most damaging kind of attack, specialists say, would be carefully coordinated to strike multiple power stations.
A prolonged outage across 15 states and Washington, D.C., according to the University of Cambridge and insurer Lloyd’s of London, would leave 93 million people in darkness, cost the economy hundreds of millions of dollars and cause a surge in fatalities at hospitals.
“Foreign cyberactors are probing Americans’ critical infrastructure networks and in some cases have gained access to those control systems,” said Admiral Mike Rogers, the commander of the U.S. Cyber Command and director of the National Security Agency, in testimony before the House Intelligence Committee. “Trojan horse malware that has been attributed to Russia has been detected on industrial control software for a wide range of American critical infrastructure systems throughout the country. This malware can be used to shut down vital infrastructure like oil and gas pipelines, power transmission grids and water distribution and filtration systems.”
“I believe our advanced nation state adversaries have the ability to cause such damage. These nations lack a strong motive at this moment to conduct such an attack and are deterred only by the fear of U.S. retaliation. Our critical infrastructure networks are extremely vulnerable to such a damaging attack, and we can’t count on a deterrence if we’re already in an adversarial position with a nation like China or Russia. And we can’t count on the fact that less rational actors might also gain access to those critical systems.”
Hackers already target the energy sector more than any other part of U.S. critical infrastructure, according to the most recent government report. There are more reported cyber incidents in the energy industry than in healthcare, finance, transportation, water and communications combined — and those are just the intrusion attempts that get noticed and reported. “I believe that right now in Raqqa they’re working hard on trying to orchestrate cyberattacks [on the power grid], just as they are working hard on trying to develop weapons to be used,” said Sen. John McCain (R-Ariz.), who chairs the Armed Services Committee, referring to the Syrian city ISIS has claimed as its home base.
DARPA has launched the RADICS program with the objective of developing technologies for detecting and responding to cyberattacks on critical U.S. infrastructure, with an ultimate goal of enabling cyber and power engineers to restore electrical service within seven days in the event of a major attack.
Suspected Russian cyber-attack on Ukraine power grid
A power company in western Ukraine, Prykarpattyaoblenergo, said in December 2015 that a swath of the area it serves had been left without energy, including the regional capital Ivano-Frankivsk, due to “interference” in the work of the system. Oleg Senik, the company’s technical director, was quoted as saying that the company was still investigating the cause, but “so far the most likely version is interference in the workings of the automated control systems”. He said that repair teams had to restore power “manually” at substations.
In a coordinated assault, suspected Russian hackers penetrated Ukraine’s power grid, knocking out electricity for 225,000 people. The hackers flooded the customer service center with calls, causing technical difficulties and slowing the response.
With deliberate action, a remote individual had taken control of the operator workstation and was systematically opening breakers at 30 substations. Opening breakers doesn’t take much time; it was all over in 5 minutes. For the people disconnected, and the utility personnel deployed, recovery would take considerably longer. Kyivoblenergo wasn’t the only utility hacked remotely; two more control centers suffered similar compromises, blacking out a total of 225,000 customers for over 6 hours in cold weather.
Prior to opening the breakers, attackers reconfigured battery backup systems, disabling the automatic transfer functionality. Once the breakers opened, those backups failed to keep systems online, and placed operators in the same darkness. And while some details differ, a software component called KillDisk was also used to fully wipe the hard drives of corporate and control systems, requiring time-consuming reinstallation of the operating system and other important software.
Ukraine’s SBU state security service blamed Russia, which has not so far commented on the allegation. The SBU said in a statement that it had managed to thwart malware that was launched by “Russian security services”. John Hultquist, head of cyber espionage intelligence at iSight Partners, a US-based threat intelligence company, said it was the first time the cyber security industry had seen a cyber attack result in the shutdown of power.
Slovakian cyber-security firm ESET said the cyberattack was even wider, with malware similar to BlackEnergy found in the networks of at least two other utilities besides Prykarpattyaoblenergo, which serves the region. Ukraine’s Computer Emergency Response Team said that late last year the KillDisk module of the BlackEnergy malware was also used in a 2014 cyberattack on U.S. utilities. BlackEnergy also infected media organizations and led to the permanent loss of video and other content, according to Ars Technica.
The root-cause analysis teams concluded that the original infection was via malicious Microsoft Word and Excel documents sent to employees of the utility via public email. When opened on corporate systems, the Office documents would install malware that would spy on users and report that activity to attackers on the Internet. That malware captured usernames and passwords from the corporate desktops of remote personnel, and attackers then used these stolen credentials to access the control system. Once on the control system, the attacker had full access—and used that access to great effect.
DARPA has awarded Raytheon contracts for early warning of impending cyber attacks
The Pentagon’s Defense Advanced Research Projects Agency, better known as DARPA, has awarded Raytheon multiple contracts to research and develop technologies that will detect and respond to cyber attacks on the U.S. power grid infrastructure. The contracts, which total $9 million, were awarded under DARPA’s Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program.
“During the last two decades, industrial control systems have evolved so that most are now connected to the Internet, making them vulnerable to cyber attack,” said Jason Redi, vice president for the Raytheon BBN Technologies Networking and Communications unit. “A significant power disruption would have profound economic and human costs in the U.S., so our goals are to prevent attacks and to reduce the time required to restore power after an attack.”
Raytheon BBN will create technologies to enhance situational awareness by providing early warning of an impending attack and detecting adversary spoofing of power grid data collection and communication. These technologies will also maintain situational awareness in the immediate aftermath of an attack.
The company will also examine methods to maintain secure emergency communication networks in the aftermath of an attack. Raytheon BBN’s approach seeks to isolate affected organizations from the internet and establish a secure emergency network to coordinate power restoration without depending on external networks.
SRI International to Lead Program to Develop Technology for Restoring Power to a Grid Facing a Cyberattack
Researchers from SRI International are leading a collaborative team to develop cutting-edge technology that can be used by utilities and cyber first responders to restore power to an electric grid that has come under a cyberattack. The Threat Intelligence for Grid Recovery (TIGR) project aims to provide new tools that enable power engineers to restore and protect electrical service within seven days of an attack that overwhelms the recovery capabilities of utilities and subsystems.
Funded by a $7.3 million award from the Defense Advanced Research Projects Agency (DARPA) for the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program, SRI International leads a team of expert organizations that includes Con Edison, Dartmouth College, New York University (NYU), Electric Power Research Institute (EPRI), and Narf Industries. Together, the team will develop threat analysis and characterization technology for localizing and containing malware – malicious software such as a computer virus – that has breached industrial control systems (ICS) power grid equipment and networks.
Currently, utility companies in North America have procedures and capacity to handle localized power outages caused by events such as extreme weather and high usage on hot days. However, there aren’t any tools available to resolve the type of widespread outages that can be caused using malware.
The goal of the TIGR project is to develop tools that can be rapidly deployed after an attack has occurred. The tools will support resilient power recovery within three days and full restoration after seven days. Today’s generators have limited ability to supply power beyond seven days, making this timeframe critical for ensuring minimal disruption to the civilian power infrastructure.
“Reacting to a power crisis caused by a cyberattack requires a rapid, reliable and resilient response that presents complex challenges,” said Michael Locasto, Ph.D., senior computer scientist at SRI International and principal investigator for the project. “Our team’s combined expertise makes us uniquely qualified to develop tools that support rapid and trustworthy power restoration. Through the combination of domain experience, agility, and research expertise, the team’s goal is to provide tools that significantly strengthen power grid resilience over the next decade.”
Vencore Labs to assist DARPA in protecting the nation’s electrical grid
Vencore Labs, Inc., a wholly owned subsidiary of Vencore, Inc., announced today that it has been awarded two prime contracts for the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program led by the U.S. Defense Advanced Research Projects Agency (DARPA). The contracts have a total value of $17M and work is slated to begin in August of this year.
The objective of the RADICS program is to develop technologies for detecting and responding to cyberattacks on critical U.S. infrastructure, with an ultimate goal of enabling cyber and power engineers to restore electrical service within seven days in the event of a major attack. Vencore Labs, a leader in smart grid security and monitoring, will conduct research and deliver technologies in three of five technical areas (TA).
This new work draws on Vencore Labs’ expertise transitioning cybersecurity research technology to commercial use, as well as the company’s experience working with utilities to secure their networks through its first-of-its kind infrastructure monitoring solution, SecureSmart™.
“Vencore Labs is honored to be included as part of the RADICS program,” said Petros Mouchtaris, Ph.D., president of Vencore Labs. “As experts in cybersecurity monitoring and assessment services, we are excited to bring our unique experience and methodologies working with utility customers to this critical DARPA program.”
Under TA-1, Vencore Labs intends to research, develop, demonstrate and deliver a system known as MANTESSA (Machine-Intelligence for Advance Notification of Threats and Energy-Grid Survivable Situational Awareness). The other participants include Princeton University and Carnegie Mellon University. The co-PIs within Columbia are Professors Dan Bienstock, Dan Rubenstein, and Vishal Misra.
The MANTESSA system aims to address the problem of early detection of cyber-attacks on the North American power grid. Specifically, the MANTESSA system intends to provide early warnings, spoofing detection and situational awareness by means of continuously executing anomaly detection algorithms. Columbia’s WiMNet Lab’s contribution to the project will build on the lab’s previous work in the area of power grid and communication network resilience.
Under TA-3, Vencore Labs plans to research, develop, demonstrate and deliver a Scalable and Holistic Energy CybeR-weapon Localization and Characterization (SHERLOC) system which is intended to rapidly localize and characterize cyber-weapons that have gained access to power grid infrastructure. The SHERLOC system aims to map Industrial Control Systems (ICS), gather and analyze configuration data, determine which devices are behaving incorrectly, and discover and characterize malware to help with restart operations.
Additionally, the Vencore Labs team will serve as a sub-contractor under TA-2.
DARPA’s Rapid Attack Detection, Isolation and Characterization Systems (RADICS)
The goal of the RADICS program is to develop innovative technologies for detecting and responding to cyber-attacks on U.S. critical infrastructure, especially those parts essential to DoD mission effectiveness, says Dr. John Everett.
DARPA is interested, specifically, in early warning of impending attacks, situation awareness, network isolation and threat characterization in response to a widespread and persistent cyber-attack on the power grid and its dependent systems. Potentially relevant technologies include anomaly detection, planning and automated reasoning, mapping of conventional and industrial control systems networks, ad hoc network formation, analysis of industrial control systems protocols, and rapid forensic characterization of cyber threats in industrial control system devices.
Threat of cyberattacks on power grid and their devastating impacts
“Stores are closed. Cell service is failing. Broadband Internet is gone. Hospitals are operating on generators, but rapidly running out of fuel. Garbage is rotting in the streets, and clean water is scarce as people boil water stored in bathtubs to stop the spread of bacteria. And escape? There is none, because planes can’t fly, trains can’t run, and gas stations can’t pump fuel.” This is the “nightmare scenario” that lawmakers have been warning you about, Katie Bo Williams and Cory Bennett write in The Hill.
Since power networks rely on physical infrastructure, they are vulnerable to natural disasters, such as earthquakes, hurricanes, floods, and solar flares, or to physical attacks, such as an electromagnetic pulse (EMP) attack. Developing tools for identifying vulnerabilities is of utmost importance for network monitoring, strengthening, and modernization.
Power grids are vulnerable to cyber attacks and to physical attacks (e.g., the Apr. 2014 attack on a California substation). These attacks may cause large-scale failures, initiate cascades, and have devastating effects on almost every aspect of modern life. The two main components of the power grid are (i) the physical infrastructure of the power transmission system (power lines, substations, power stations), and (ii) the Supervisory Control and Data Acquisition (SCADA) system responsible for monitoring and controlling the grid (referred to as the control network). Physical attacks target the former while cyber attacks target the latter. The effects of a physical attack can be mitigated if the control center has an accurate understanding of its impacts and acts quickly to compensate for failures. However, if physical attacks are accompanied by cyber attacks that make information about the status of the attacked zones unavailable, the control center cannot take effective action.
Therefore, researchers are focusing on joint cyber and physical attacks: developing methods for recovering information about the status of the power grid following such an attack, and studying the resilience of different topologies and the resilience to different attacks.
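To make the last point concrete, here is an added example (not from the article or any of the RADICS teams) that models a control center's view of a constructed 4-bus ring under the linearized DC power-flow model, which is assumed here: it enumerates single-line failure hypotheses and keeps those whose predicted phase angles match the measurements from the buses still reporting. With every bus visible the tripped line is identified uniquely; once a cyber attack hides the measurements from buses 2 and 3, two different physical failures become indistinguishable and the control center can no longer localize the damage.

```python
from itertools import combinations

# Constructed 4-bus ring, all line susceptances 1.0; bus 0 is the reference bus.
LINES = {(0, 1): 1.0, (0, 2): 1.0, (1, 3): 1.0, (2, 3): 1.0}
INJECTIONS = {0: 2.0, 1: 0.0, 2: 0.0, 3: -2.0}  # generator at bus 0, load at bus 3


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting. Returns None if the
    system is singular, i.e. the failure islanded part of the grid (a case
    this linear model does not cover)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-9:
            return None
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def dc_angles(lines, injections, failed=()):
    """Bus phase angles under the (assumed) DC power-flow model B*theta = P,
    with the lines in `failed` removed and the reference bus held at 0."""
    buses = sorted(injections)
    idx = {b: i for i, b in enumerate(buses[1:])}  # reduced-matrix index
    bmat = [[0.0] * len(idx) for _ in idx]
    for (i, j), sus in lines.items():
        if (i, j) in failed:
            continue
        for u, v in ((i, j), (j, i)):  # a line contributes at both ends
            if u in idx:
                bmat[idx[u]][idx[u]] += sus
                if v in idx:
                    bmat[idx[u]][idx[v]] -= sus
    sol = solve(bmat, [injections[b] for b in buses[1:]])
    if sol is None:
        return None
    return {buses[0]: 0.0, **{b: sol[i] for b, i in idx.items()}}


def consistent_failures(lines, injections, measured, observed, max_lines=1):
    """Failure hypotheses (tuples of tripped lines, up to max_lines of them)
    whose predicted angles match the measurements at the observed buses."""
    hyps = [()] + [c for k in range(1, max_lines + 1)
                   for c in combinations(sorted(lines), k)]
    out = []
    for h in hyps:
        pred = dc_angles(lines, injections, h)
        if pred and all(abs(pred[b] - measured[b]) < 1e-6 for b in observed):
            out.append(h)
    return out


if __name__ == "__main__":
    truth = dc_angles(LINES, INJECTIONS, failed=((0, 2),))  # line 0-2 tripped
    print("all buses visible:", consistent_failures(LINES, INJECTIONS, truth, [0, 1, 2, 3]))
    print("buses 2 and 3 hidden:", consistent_failures(LINES, INJECTIONS, truth, [0, 1]))
```

With all four buses reporting the only consistent hypothesis is the tripped line 0-2; with buses 2 and 3 hidden, failures of lines 0-2 and 2-3 produce the same visible angles, so the control center cannot tell which substation's equipment to dispatch crews to.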
Researchers are also studying the structural properties of the North American grids and developing algorithms for generating synthetic power grids (i.e., spatially embedded networks with similar properties to a given grid). This work is motivated by the fact that the development of algorithms for enhancing the resilience of the power grid requires evaluation with topologies of real transmission networks but such topologies are usually not publicly available.