DARPA’s program to develop technologies for rapidly restoring power after a grid cyberattack successfully completed its seventh live exercise in a testbed environment. Some of the program’s technologies have already been transitioned to operational use on parts of the U.S. power grid, with plans for wider deployment in the future.
“The tools and technologies developed under the RADICS program could provide situational awareness and other measures to aid in recovery efforts following a cyberattack on the U.S. grid,” Walter Weiss, DARPA program manager in the Information Innovation Office (I2O), said in an interview.
The tech developed under DARPA’s program — which was dubbed Rapid Attack Detection, Isolation, and Characterization Systems (RADICS) — emerges at a time when U.S. authorities are increasingly wary of cyberattacks by adversaries. One RADICS toolset is now operationally deployed by several electric co-ops and another is in use on parts of the U.S. grid.
DARPA’s announcement came just days before security company Recorded Future published a report on RedEcho, a threat actor group with links to China. Amid ongoing India-China border skirmishes, RedEcho conducted a targeted cyber campaign against Indian critical infrastructure, particularly the power grid, according to Recorded Future. It’s just the latest example of nation-states pre-positioning for a potential cyberattack on an adversary’s power grid.
But the question is, did more than pre-positioning occur in India? Mumbai suffered a large-scale power outage, its worst in decades, in October 2020. In November, Indian cybersecurity authorities began suggesting publicly that the outage may have been caused by malware. Recorded Future’s new report on RedEcho’s 2020 activities now has some again speculating about the possibility of a Chinese cyberattack on India’s grid.
Maharashtra Energy Minister Nitin Raut has claimed the Mumbai blackout resulted from a cyberattack “carried out by Chinese hackers,” but the government has not released any forensic evidence to support the claim. Recorded Future did not reach a definitive conclusion in its report, because it had limited access to the malicious code and to the environments in which it was deployed, but the American company did notify Indian authorities of its findings.
Those attacks may not be over. Telangana Transco and Genco Chairman and Managing Director Prabhakar Rao said Tuesday that “Chinese malware in 40 substations” had to be removed earlier this week, according to The Times of India. India’s Central Electricity Authority alerted the Telangana government to the malware activity after India’s Computer Emergency Response Team alerted the CEA on Monday.
These recent events in India, as well as the cyberattacks on Ukraine’s power grid in 2015 and 2016, make DARPA’s work timely and relevant to today’s cyber threats.
The RADICS program began in 2016. The fundamental idea behind RADICS tech is to limit the damage from a grid cyberattack while enabling a “black-start recovery,” which refers to bringing a power system back up after a total or partial shutdown without relying on power from the wider grid, which may itself be down or untrusted.
“RADICS’ pivot to ‘black start’ occurred in 2017 when I took it over,” Weiss explained. “A number of debates occurred in the lab as to what infrastructure could be counted on, or what percent of the grid would still be up. The problem with this mindset is that once you can count on something, or something ‘must be up’ in order to achieve success — that is what the adversary will target. RADICS’ focus on the austere conditions of black start made sure the researchers were able to fully map all interdependencies in order to create the most relevant tools to national security and restoration.”
To achieve its goals, RADICS developed a toolset to provide three core capabilities:
- Visibility, or “situational awareness,” allowing operators to understand the state of the grid before, during, and after a cyberattack based on timely information;
- The ability to isolate emergency networks transporting supervisory control and data acquisition (SCADA) traffic from compromised networks during an attack;
- The ability to characterize grid cyberattacks and counteract specific elements of the attack, such as corrupted configuration files or malicious code injected into control systems.
If some aspects of the above sound vaguely familiar to things you’ve read about past grid cyberattacks, there’s a reason. These capabilities directly address weaknesses in grid operations and incident response that were uncovered during and after the 2015 and 2016 cyberattacks on Ukraine’s power grid.
For instance, RADICS tech focuses, in part, on starting power restoration at substations knocked offline. Substations’ underlying control systems were one of the attack vectors in the Ukraine grid cyberattacks, which affected multiple distribution substations in 2015 and a single transmission substation in 2016. Both attacks incorporated malicious code that took the substations completely offline and then corrupted files to hinder recovery. Substations were also allegedly targeted this week in India, but no details on the precise methods used there are publicly available yet.
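The third capability above, and the Ukraine detail about corrupted files hindering recovery, both come down to one practical question during a black start: which control-system files can the restoration crew trust? The following is an added illustration of that check, not RADICS code and not anything the article describes in detail. It builds a signed SHA-256 manifest of a configuration tree while the system is in a known-good state, then, at restoration time, reports files that were modified, deleted, or planted. The file names, contents, and the manifest key are constructed for the example and are hypothetical.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed sample configuration tree (hypothetical RTU/HMI file names and contents).
SAMPLE_CONFIGS = {
    "rtu01/points.cfg": b"breaker_52A=closed\nrelay_trip_delay_ms=40\n",
    "rtu02/points.cfg": b"breaker_52B=closed\nrelay_trip_delay_ms=40\n",
    "hmi/screens.xml": b"<screens><screen id='bus1'/></screens>\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large HMI project files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC the canonical JSON form of the manifest; an attacker who can edit the
    config tree must not also be able to rewrite the baseline unnoticed."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_manifest_signature(manifest: dict[str, str], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against the trusted manifest and classify every deviation."""
    current = build_manifest(root)
    modified = sorted(
        p for p in manifest
        if p in current and not hmac.compare_digest(current[p], manifest[p])
    )
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def write_tree(root: Path, files: dict[str, bytes]) -> None:
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Baseline a clean tree, tamper with it the way a wiper/config-corruption attack
    would, then run the restoration-time check. Returns the classified deviations."""
    key = b"example-manifest-key"  # hypothetical; in practice kept off the SCADA network
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, SAMPLE_CONFIGS)
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, key)

        # Simulated attacker actions: alter a setpoint file, delete one, plant a new binary.
        (root / "rtu01/points.cfg").write_bytes(b"breaker_52A=open\nrelay_trip_delay_ms=40\n")
        (root / "rtu02/points.cfg").unlink()
        (root / "hmi/update.bin").write_bytes(b"\x00\x01payload")

        if not verify_manifest_signature(manifest, key, tag):
            raise RuntimeError("baseline manifest has been tampered with; do not trust it")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest and its key have to live somewhere the attacker could not reach during the intrusion (offline media, a separate trust domain), otherwise the check only confirms whatever the attacker left behind; that is the same reasoning Weiss gives below for not assuming any part of the network "must be up."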
Weiss noted, “Former DARPA Program Manager John Everett originally conceived of RADICS in 2015, and the hack of Ukraine’s power grid was indeed a global wake-up call.”
While Weiss led RADICS from 2017 to its conclusion in December 2020, many organizations and individuals were involved. The University of Illinois Urbana-Champaign had spent a decade on testbed architecture, which Weiss drew on. The Department of Homeland Security worked with DARPA to build the testbed environment at DHS’s Plum Island Animal Disease Center in Orient Point, N.Y., a step Weiss viewed as important to program success.
“I spent the first year of RADICS trying to better understand how we could measure success. Specifically, I was frustrated by the simulations in the lab and the fact that our simulation was incomplete. I realized that it would be more cost-effective and valuable to purchase enough grid devices to actually simulate a restoration on the real grid. I worked closely with my leadership and DHS to secure Plum Island’s cooperation as a test site for future experimentation.”
With the testbed built, the Department of Energy recruited volunteers from the power utility sector to participate in live exercises, which involved representatives from DARPA, DHS, DOE, the National Guard, and 12 private-sector entities. The multi-year effort culminated in October 2020, when the team ran a live, five-day exercise at the DHS testbed site.
“In the national security space, people sometimes ask, ‘What is DARPA’s authority?’” Weiss said. “And the answer is that we conduct research. I would encourage anybody looking to better understand these threats, especially cyber-physical, to move beyond simulators, get out of the lab, and conduct research.”
Weiss said there are already plans for follow-on research funding, transitions to the DOE, transitions to the Department of Defense, commercialization, and future academic research.
“Post-RADICS deployments will continue to increase,” Weiss said. “The technologies and tools developed on the RADICS program are transitioning across all categories. We’re encouraged by the different transition pathways that have resulted from this research and development effort, and hope to continue to see them evaluated and used by U.S. entities, particularly as the threat landscape continues to evolve.”