Across the United States, 3200 separate organizations own and operate electrical infrastructure. The widely dispersed nature of the nation’s electrical grid and associated control systems has a number of advantages, including a reduced risk that any single accident or attack could create a widespread failure from which it might take weeks to recover. Since the late 1990’s, however, cost pressures have driven the integration of conventional information technologies into these independent industrial control systems, resulting in a grid that is increasingly vulnerable to cyber-attack, either through direct connection to the Internet or via direct interfaces to utility IT systems.
A substantial and prolonged disruption of electric power would have profound economic and human costs for the United States. A prolonged outage across 15 states and Washington, D.C., according to the University of Cambridge and insurer Lloyd’s of London, would leave 93 million people in darkness, cost the economy hundreds of millions of dollars and cause a surge in fatalities at hospitals.
“If a well-coordinated cyberattack on the nation’s power grid were to occur today, the time it would take to restore power would pose daunting national security challenges,” said John Everett, DARPA program manager. “Beyond the severe domestic impacts, including economic and human costs, prolonged disruption of the grid would hamper military mobilization and logistics, impairing the government’s ability to project force or pursue solutions to international crises.”
The most chilling incidents to date are two cyberattack-induced blackouts in Ukraine—one in December 2015 and the next a year later in December 2016—that caused power outages for hundreds of thousands of residents in Kiev for a few hours each time. Both attacks are thought to have been perpetrated by Russian state-sponsored hackers. And though a similar incident hasn’t played out in the US so far, there is increasing evidence that various hacker groups have infiltrated US grid defenses. The Department of Homeland Security warned repeatedly this year that it has detected extensive Russian probing of the US grid.
Although utilities are increasingly focused on their cyber-defense needs, the process of identifying, purchasing and installing commercial host-defensive technologies across the industry may take many years. In an effort to address the cyber threat to the country’s electrical grid within a shorter time frame, DARPA released today a Broad Agency Announcement (BAA) detailing research aims for the early detection of cyber-attacks to power-grid infrastructure and seeking ways to reduce the time required to restore power.
DARPA launched the RADICS program in 2015 with objective to develop technologies for detecting and responding to cyberattacks on critical U.S. infrastructure, with an ultimate goal of enabling cyber and power engineers to restore electrical service within seven days in the event of a major attack. RADICS research is developing technology that cybersecurity personnel, power engineers, and first responders can utilize to accelerate restoration of cyber-impacted electrical systems.
The Defense Advanced Research Projects Agency (DARPA) organized a mass cyber resilience exercise on the US national power grid at Plum Island in Nov 2018. The scenario was that a digital strike took out one of two operational utility stations, and the other one was also under attack. A team of grid operators had to restore the power across the utilities and to the building deemed as a critical national asset. Moreover, the cyber security researchers assisting the grid operators had to use every piece of technology and know-how they had to ensure that utility stayed powered up, trustworthy and malware-free. As Nextgov reports, the exercise took place on Plum Island. A federal research facility off the north fork of Long Island, where DARPA researchers segregated a portion of the island on its own electric grid.
The Defense Advanced Research Projects Agency wants to integrate artificial intelligence in two of its programs aimed at addressing electric grid cybersecurity and getting ahead of 5G deployment. While leaving out the specifics of AI involvement, William Scherlis, director of the Information Innovation Office at DARPA, said the tech will be used in the Rapid Attack Detection, Isolation and Characterization Systems program, which is intended to recover power grid loss in case of a malware-caused full blackout. Scherlis further explained at an FCW AI workshop that the program will promote the development of new tech to accelerate power recovery.
DARPA’s Rapid Attack Detection, Isolation and Characterization Systems (RADICS)
The goal of the RADICS program is to develop innovative technologies for detecting and responding to cyber-attacks on U.S. critical infrastructure, especially those parts essential to DoD mission effectiveness says Dr. John Everett. DARPA is interested, specifically, in early warning of impending attacks, situation awareness, network isolation and threat characterization in response to a widespread and persistent cyber-attack on the power grid and its dependent systems.
An early warning capability for power suppliers could prevent an attack entirely or blunt its effects, such as damage to equipment. But the vast scale of the nation’s electrical infrastructure means that some number of systems are likely to be in an abnormal state at any given time, and it can be difficult to distinguish between routine outages and actual attacks. RADICS looks to develop advanced anomaly-detection systems with high sensitivity and low false positive rates, based on analyses of the power grid’s dynamics.
Recognizing that in some locations Internet infrastructure may not be operational after an attack, or that hackers may have embedded malicious code in utilities’ IT systems during an attack, RADICS also calls for the design of a secure emergency network that could connect power suppliers in the critical period after an attack. The creation of such a network will require new research into advanced security measures, as well as innovative technologies to facilitate the rapid connection of key organizations, without relying on advance coordination among them.
An attacker may continue network-based attacks during recovery efforts to delay power restoration. RADICS technologies will enable the creation of isolated emergency networks that would permit secure responder coordination. “Isolating affected utilities from the Internet would enable recovery efforts to proceed without adversary surveillance and interference,” Everett said, “and providing an alternative means for online coordination would enable a more orderly restoration of power among affected organizations.”
Finally, the RADICS BAA calls for the research and development of systems that can localize and characterize malicious software that has gained access to critical utility systems. These systems will augment the abilities of skilled cyber first responders to triage impacted systems and assist utility engineers with the rapid and safe recovery of power. Cyber-attacks on critical infrastructure can take many forms, including the corruption of configuration files and introduction of malicious code. RADICS technologies will safely and automatically map and assess the state and configuration of electrical power networks and detect and characterize power grid malware.
Potentially relevant technologies include anomaly detection, planning and automated reasoning, mapping of conventional and industrial control systems networks, ad hoc network formation, analysis of industrial control systems protocols, and rapid forensic characterization of cyber threats in industrial control system devices.
Program technologies will seek to accelerate recovery by maintaining situational awareness, enabling network isolation, and rapidly characterizing cyber-attacks:
- Enhanced situational awareness may enable operators to thwart an attack or blunt its effects and thereby minimize physical damage to electrical equipment that would otherwise take significant time to repair. RADICS technologies will improve situational awareness by providing accurate and timely information about grid state before, during, and after an attack.
- and power systems communication.
DARPA organized a mass cyber resilience exercise on the US power grid
RADICS conducted a relatively small black start pilot exercise on Plum Island in June 2018 ; the grid at that time was designed to be managed by a single utility running a diesel generator, known as Utility A, and a small cluster of substations. A grid is essentially made up of a utility’s generators—which power a system—substations that transform electricity from low to high voltage to be transmitted across power lines over long distances, substations that transform electricity back down to lower voltage for local distribution, and customers who receive electricity. For this month’s followup, which DARPA hosted in conjunction with the Department of Energy, RADICS expanded the test grid to include a second utility and generator, known as Utility B, and a number of additional substations.
In the scenario laid out for the exercise, a massive cyberattack knocks some portion of the grid offline for weeks—long enough that residual power and substation batteries would all be depleted. Utility B’s goal is to black start as quickly as possible, to deliver power to a customer that has been designated a critical asset. After failures plague Utility B, Utility A then needs to step in, restarting to offer redundant power to that same critical customer.
In order to interact and safely share electricity, utilities also need to get their electromagnetic frequencies in tune at around 60 hertz, so part of the exercise involved not just getting Utility A and B running, but syncing them.
“We had 18 substations, two utilities, two command centers, and we had two generation sources that we had to bring up a crank path and synchronize,” says Stan Pietrowicz, a researcher at Perspecta Labs who is working on a black start network analysis and threat detection tool through RADICS. A “crank path” is a plan for restoring substation networks and seeding power back into a grid. “It had a realism that you don’t really find in lab environments that made you rethink the approach. Do you turn up everything at once? Do you turn up smaller pieces of the grid and put them in a protected environment to do cyberforensics?
The Plum Island’s one is the fourth “black start” exercise led by DARPA’s Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program. The first two ones were conducted in research labs. Last one one took place on Plum Island but on a smaller scale and without public observers. The new one, that involved more than 100 people, is the first one on a large scale. Moreover the RADICS doubled an Energy Department exercise called Liberty Eclipse. DARPA plans to continue this initiatives every six months. This until the RADICS program expires in 2020. After that, hopefully, the project will continue under the Energy Department or another federal agency.
Perspecta Labs develops three technologies for RADICS
The three technologies Perspecta Labs introduced under the DARPA RADICS program are: SHERLOC (Scalable and Holistic Energy Cyber Weapon Localization and Characterization), MANTESSA (Machine-Intelligence for Advance Notification of Threats and Energy-Grid Survivable Situational Awareness) and DADC (Distributed Assured and Dynamic Configuration).
· SHERLOC is a sensor-based, integrated three-axis cyber-weapon hunting system for the power grid. Its main goal is to expedite commercial power restoration by mechanizing critical cyber and power knowledge and automating tasks to rapidly identify compromised equipment, characterize the nature of the attack and malware that has gained access to US infrastructure, and support remediation and restoration efforts
· MANTESSA is a cyber-physical early detection and situational awareness system featuring advanced machine learning techniques to detect and analyze the effects of cyberattacks through large-scale power grid analysis, Bayesian inferencing and social media analysis
· DADC is a network configuration synthesis, analysis, visualization and emulation tool to efficiently create a secure emergency network using constraint solver technology
Perspecta Labs’ SHERLOC, MANTESSA and DADC technologies were tested over the course of six RADICS exercises, the most recent of which occurred in May 2019. In collaboration with the Department of Energy, its Liberty Eclipse program and the Department of Homeland Security, the exercises tested grid recovery tools during a staged, multi-faceted cyberattack on a model U.S. power grid built on Plum Island, N.Y. Through these realistic exercises, Perspecta Labs validated the success of the research behind its three technologies working side-by-side with utility transition partners, National Guard first responders and invited observers to improve the usability, expand tool capabilities and continue commercial transition. As part of the technology transition efforts, select innovations developed on RADICS are being offered as part of Perspecta Labs’ SecureSmart™ critical infrastructure solution line.
DARPA, has awarded Raytheon for early warning of impending cyber attacks
The Pentagon’s Defense Advanced Research Projects Agency, better known as DARPA, has awarded Raytheon multiple contracts to research and develop technologies that will detect and respond to cyber attacks on the U.S. power grid infrastructure. The contracts, which total $9 million, were awarded under DARPA’s Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program.
“During the last two decades, industrial control systems have evolved so that most are now connected to the Internet, making them vulnerable to cyber attack,” said Jason Redi, vice president for the Raytheon BBN Technologies Networking and Communications unit. “A significant power disruption would have profound economic and human costs in the U.S, so our goals are to prevent attacks and to reduce the time required to restore power after an attack.”
Raytheon BBN will create technologies to enhance situational awareness by providing early warning of an impending attack and detecting adversary spoofing of power grid data collection and communication. These technologies will also maintain situational awareness in the immediate aftermath of an attack.
The company will also examine methods to maintain secure emergency communication networks in the aftermath of an attack. Raytheon BBN’s approach seeks to isolate affected organizations from the internet and establish a secure emergency network to coordinate power restoration without depending on external networks.
VENCORE LABS to-assist-darpa-in-protecting-the-nations-electrical-grid
Vencore Labs, Inc., a wholly owned subsidiary of Vencore, Inc., announced that it has been awarded two prime contracts for the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program led by the U.S. Defense Advanced Research Projects Agency (DARPA). The contracts have a total value of $17M and work is slated to begin in August of this year. Vencore Labs, a leader in smart grid security and monitoring, will conduct research and deliver technologies in three of five technical areas (TA). This new work draws on Vencore Labs’ expertise transitioning cybersecurity research technology to commercial use, as well as the company’s experience working with utilities to secure their networks through its first-of-its kind infrastructure monitoring solution, SecureSmart™.
Under TA-1, Vencore Labs intends to research, develop, demonstrate and deliver a system known as MANTESSA (Machine-Intelligence for Advance Notification of Threats and Energy-Grid Survivable Situational Awareness). the other participants include Princeton University and Carnegie Mellon University. The co-PIs within Columbia are Professors Dan Bienstock, Dan Rubenstein, and Vishal Misra.
The MANTESSA system aims to address the problem of early detection of cyber-attacks on the North American power grid. Specifically, the MANTESSA system intends to provide early warnings, spoofing detection and situational awareness, by means of continuously executing anomaly detection algorithms. WiMNet Lab’s contribution to the project will build on our previous work in the area of power grid and communication networks resilience.
Under TA-3, Vencore Labs plans to research, develop, demonstrate and deliver a Scalable and Holistic Energy CybeR-weapon Localization and Characterization (SHERLOC) system which is intended to rapidly localize and characterize cyber-weapons that have gained access to power grid infrastructure. The SHERLOC system aims to map Industrial Control Systems (ICS), gather and analyze configuration data, determine which devices are behaving incorrectly, and discover and characterize malware to help with restart operations.
BAE Systems developing tech to restore electric grid quickly after cyber attack
British company BAE Systems has secured an $8.6m contract from the US Defense Advanced Research Projects Agency (DARPA) to develop a technology for quick restoration of power after cyber attacks. The technology rapidly isolates both enterprise IT and power infrastructure networks from all channels of malicious attack. It also helps establish a secure emergency network (SEN) among trusted organisations to facilitate the coordination necessary to restore power to the complex electric grid.
The technology detects and disconnects unauthorised internal and external users from local networks within minutes after activation. It creates a hybrid network of data links secured by multiple layers of encryption and user authentication. The system depends on advances in network traffic control and analysis, which will allow utilities to establish and maintain emergency communications.
They also establish the SEN by utilising advances in broadcast, satellite, and wireless technologies developed for agile communications in contested environments. Designed to function in the absence of prior coordination among affected organisations, BAE Systems’ technology operates regardless of power availability, internet connectivity, disparate IT networks and grid infrastructure technology.
BAE Systems’ communications and networking senior principal engineer and manager Victor Firoiu said: “Getting the power back on quickly after a cyber attack is critical to national defence. “Given the scale and complexity of the US power grid, and the chaos following a coordinated, large-scale attack, this is no easy task. Our work with DARPA is intended to stop ongoing attacks and minimise downtime.”
BAE Systems’ RADICS technology is designed to operate in the absence of prior coordination among affected organizations and regardless of power availability, Internet connectivity, disparate IT networks and grid infrastructure technology, situational awareness, and ongoing disruption efforts by adversaries. Work on the RADICS project will be performed in Burlington, Massachusetts; Merrimack, New Hampshire; and Arlington, Virginia.
SRI International to Lead Program to Develop Technology for Restoring Power to a Grid Facing a Cyberattack
Researchers from SRI International are leading a collaborative team to develop cutting-edge technology that can be used by utilities and cyber first responders to restore power to an electric grid that has come under a cyberattack. The Threat Intelligence for Grid Recovery (TIGR) project aims to provide new tools that enable power engineers to restore and protect electrical service within seven days of an attack that overwhelms the recovery capabilities of utilities and subsystems.
Funded by a $7.3 million award from the Defense Advanced Research Projects Agency (DARPA) for the Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program, SRI International leads a team of expert organizations that includes Con Edison, Dartmouth College, New York University (NYU), Electric Power Research Institute (EPRI), and Narf Industries. Together, the team will develop threat analysis and characterization technology for localizing and containing malware – malicious software such as a computer virus – that has breached industrial control systems (ICS) power grid equipment and networks.
Currently, utility companies in North America have procedures and capacity to handle localized power outages caused by events such as extreme weather and high usage on hot days. However, there aren’t any tools available to resolve the type of widespread outages that can be caused using malware. The goal of the TIGR project is to develop tools that can be rapidly deployed after an attack has occurred. The tools will support resilient power recovery within three days and full restoration after seven days. Today’s generators have limited ability to supply power beyond seven days, making this timeframe critical for ensuring minimal disruption to the civilian power infrastructure.
“Reacting to a power crisis caused by a cyberattack requires a rapid, reliable and resilient response that presents complex challenges,” said Michael Locasto, Ph.D., senior computer scientist at SRI International and principal investigator for the project. “Our team’s combined expertise makes us uniquely qualified to develop tools that support rapid and trustworthy power restoration. Through the combination of domain experience, agility, and research expertise, the team’s goal is to provide tools that significantly strengthen power grid resilience over the next decade.”
Additionally, the Vencore Labs team will serve as a sub-contractor under TA-2.