The US Department of Energy (DoE) has announced plans to conduct a ‘hands-on’ test of the consequences of cyber-attacks against the energy sector and the industrial control systems (ICS) responsible for the generation, transmission and metering of energy in homes and businesses.
As the energy industry becomes increasingly digitised, the threat of attacks against infrastructure has risen, as demonstrated by the 2015 attack on Ukraine’s power grid which caused widespread power cuts.
In response to such threats, the US government is planning to put its power grid to the test. The exercise, dubbed the ‘Liberty Eclipse’, will take place in November, and will examine how well the grid can recover from a simultaneous attack on electric, oil and natural gas infrastructure, simulating the re-energising the grid after a hacking incident.
Replicas of substation equipment will be incorporated into the exercise to enable a more accurate rehearsal of how the industry would respond to a cyberattack aimed at preventing participants from restoring power.
A planning memo from the DoE says that: “Together, [participants] will work to energise a blackstart cranking path by detecting the attack, cleaning malicious influence, and restoring crank path digital systems to operation”.
The test is to be conducted on Plum Island, a restricted-access site off the coast of New York.
DoE officials have previously expressed concern that the grid’s reliance on natural gas as a fuel may make it vulnerable to hackers, a fear which Liberty Eclipse is expected to highlight.
A leaked DoE memo from this summer said coal and nuclear power plants were threatened by the nation’s natural gas pipelines, which were said to be ‘difficult to protect’ from physical or cyber interference.
At a cybersecurity conference in New York last week Energy Secretary Rick Perry said: “Taking care of that infrastructure, from the standpoint of protecting it from cyberattacks — I don’t think it’s ever been more important than it is today”.
The general approach of attackers was discerned using data from cybersecurity group Cybereason, which masqueraded as a power transmission substation of a major electricity provider, an approach known as a honeypot. The sham substation was subject to an attack within two days of going live.
From the attack, Cybereason concluded that the perpetrators’ ultimate aim was accessing the operational technology (OT) environment as these are the systems that control the equipment that delivers to domestic and office power. Controlling the OT environment allows operators to decide who receives utilities such as electricity, gas and water.
Cybereason CISO Israel Barak said: “In two days, the attackers got into the environment, conducted reconnaissance aimed at finding an entry point from the IT environment to the OT environment, which is really what they wanted.”
He added that unlike other attackers who buy and sell access to compromised networks, the honeypot attackers showed no interest in activity such as running botnets for cryptomining, spamming and launching DDoS attacks.