DoE’s ‘Liberty Eclipse’ shows just how bad a power grid cyberattack could be

Photo Credit: Department of Energy

A cyber incident occurs, resulting in power outages across eight states in the Mid-Atlantic and New England regions. The incident directly affects 16.7 million people and more broadly affects 37 million.

Power is temporarily restored to some, but additional outages occur sporadically and randomly while equipment is manually restored. Officials are concerned the outages could spread beyond the initially impacted regions.

Batteries supplying backup power to radio and commercial cellular communications are depleted within hours, rendering the services unusable.

Emergency backup power to water and wastewater facilities requires more fuel within 24 hours of the outage to sustain operations.

Meanwhile, petroleum fuel production grinds to a halt at refineries across three states, removing 975,000 barrels daily from the market. The outage paralyzes most East Coast refining capacity, which equates to approximately 22 million gallons of gasoline and 17 million gallons of distillate and jet fuel per day. The sequential restart of equipment required to resume production will take seven to 10 days.

Officials estimate that some Americans could lose access to safe water and gasoline, as well as the ability to purchase goods and supplies at retail outlets such as grocery stores, for up to three weeks.

These circumstances were part of the scenario that government and industry professionals faced on Dec. 8-9, 2016 in Newport, R.I., at the Department of Energy’s exercise dubbed “Liberty Eclipse.” DoE released a report on the exercise earlier this week.

The exercise’s goal was to engage federal, state and industry professionals in discussions about cyber incident preparedness and response, according to Devon Streit, DoE’s deputy assistant secretary for infrastructure security and energy restoration.

DoE’s report includes 10 key findings – eight related to cyber incident coordination policy and two related to exercise design – along with proposed actions that government and industry can take to improve existing plans for how to respond to such a scenario, should one ever occur. Many of the findings highlight the difficulties of information sharing, coordination between stakeholders (in the public and private sectors) and communication with the general public during and after such events.

Because exercises such as Liberty Eclipse inevitably uncover flaws in existing plans, experts say they serve as invaluable preparation, regardless of whether the precise circumstances ever materialize in a real-world scenario.

“Exercises, such as ‘Liberty Eclipse,’ are an excellent initiative, as it not only identifies where improvements can be made and affirms what is working well, but highlights the importance of cybersecurity processes and systems to prevent these kinds of widespread outages and confusion,” said Edgard Capdevielle, CEO of Nozomi Networks. “As this is the first simulation of its kind in this region, it provides a perfect benchmark for improvement.”

For years, experts have warned of the U.S.’s vulnerability to variations of the scenario presented in Liberty Eclipse, while urging government, operators and manufacturers of critical infrastructure technologies to focus on resilience.

Earlier this week, in a written version of his first public speech as DHS Secretary, Gen. John Kelly (ret.) called for a U.S. government-private industry partnership to “build in resilience to our digital and physical infrastructure” to better withstand cyber incidents.

Gerry Cauley, president of the grid operators group North American Electric Reliability Corporation, testified to the Senate Energy and Natural Resources Committee on April 4 that the potential for a major cyberattack against the nation’s power grid is “at an all-time high.”

Patricia Hoffman, acting assistant secretary at the DoE’s Office of Electricity Delivery and Energy Reliability, said in the same April 4 hearing that the department is working on “an ecosystem of resilience.”

On April 3, Maine Sen. Angus King (I) and Idaho Sen. Jim Risch (R) gained support from a key Senate subcommittee for proposed legislation to protect the electric grid from cyberattacks by retroactively introducing more manual processes.

The December 2016 Liberty Eclipse exercise occurred just weeks before the Ukraine power grid experienced its second cyberattack in a year. The 2016 Ukraine cyberattack resulted in power losses throughout sections of Kiev. It followed a December 2015 cyberattack that also resulted in power outages across multiple regions of Ukraine, affecting over 220,000 people.

The threat actor in the Ukraine grid cyberattacks is unknown, but many – including Ukrainian President Petro Poroshenko – believe Russia was involved in some capacity. Russia has denied the accusations.

Russia is viewed by many experts as one of the nation-states most capable of carrying out a cyberattack that could create a real-world scenario like that simulated by Liberty Eclipse.

With tensions high over a number of political and military issues, Secretary of State Rex Tillerson said on April 12, while on a visit to Moscow, that current U.S.-Russia relations are “at a low point.”

Meanwhile, U.S. tensions with North Korea and Iran, separately, also remain elevated. Experts view both nation-states as potentially capable of inflicting damage on the U.S. power grid via cyberattack.