Dec 16 2015

DARPA Wants New System to Detect and Recover from Cyberattacks on Electric Grid

The Defense Department’s research arm is seeking proposals on early-warning and recovery systems for attacks on critical infrastructure.

Although James Clapper, the director of national intelligence, has said that the United States is unlikely to be hit by a “catastrophic” cyberattack, that doesn’t mean the Defense Department isn’t preparing for one. The Defense Advanced Research Projects Agency, DOD’s research arm, is soliciting proposals for a new system to detect and respond to large-scale cyberattacks, especially on the nation’s electric grid.

DARPA said in its request for proposals, which it released Dec. 11, that it’s specifically interested in “early attack detection, network isolation and threat characterization in response to a widespread and persistent cyber-attack on the power grid and its dependent systems.” The agency is looking for “revolutionary” approaches to dealing with the threat.

The solicitation is for a DARPA program known as Rapid Attack Detection, Isolation and Characterization Systems, or RADICS. DARPA expects the program to start July 1, 2016, and to run for four years; it will be composed of three 16-month phases. DARPA plans to dole out $77 million in total and to have multiple awards for the different parts of the RADICS program. DARPA scheduled a “proposers day” on Dec. 14 to offer more information on the program to those interested in submitting proposals.

Defining the Threat

In the proposal announcement, DARPA states that “a substantial and prolonged disruption of electric power would have profound economic and human costs for the United States. From a defense perspective, it would hamper military mobilization and logistics impairing the ability of the Government to project force and pursue diplomatic solutions to international crises,” DARPA says. The agency further explains that RADICS “will research ways to enable early detection of cyber threats to power grid infrastructure and to reduce the time required to restore power.”

DARPA notes that security researchers have found malware that is “apparently focusing on — although not attacking — industrial control systems [ICS].”

“ICS configuration details, in combination with information publicly available on the Internet could potentially enable a sophisticated adversary with substantial resources to mount a large-scale attack,” DARPA warns.

The agency explains that RADICS “will address the power grid and its key dependencies as they exist today and as they are likely to evolve over the next 10 years,” noting that during this time there might be “improved cyber-physical defenses from Government-funded and private sector innovation.” However, DARPA warns potential bidders to “assume a worst-case scenario, in which limited budgets and competing demands for capital investment result in insufficient adoption of such technologies.” Although the utility industry will be making investments in smart meters and other areas in addition to cyber-defenses, the technology solutions that interested companies put forth in their proposals “should not depend on utility deployment of the proposed technologies prior to an attack.”

The program’s goal is to “enable skilled cyber and power engineers to restore power within seven days of an attack that overwhelms the recovery capabilities of the affected organizations.”

“If an attack were to occur today,” the agency asserts, “utility engineers would eventually restore power, but the process could take many weeks, creating an unacceptable impact on national security.”

RADICS will devise “innovative automated systems to accelerate the recovery process.” Although an early-warning system could blunt the effects of a cyberattack, DARPA acknowledges that such a system might be difficult to build. Consequently, in the aftermath of an attack, it will be critical that first responders get a handle on the situation and possibly even isolate affected utilities from the Internet. However, in order to restore power after an attack, these utilities will have to work with one another, so they will require a secure temporary network to communicate over.

The Different Parts of RADICS

As Motherboard notes, the RADICS system is to entail three activities, the first of which is to detect an attack before it happens or just as it is beginning. This is a key element but extremely difficult to achieve. Quoting the DARPA announcement to explain why, Motherboard reports, “equipment failures, accidents, improper configurations and unpredictable damage are the norm for power grid operation.”

This normal activity might mask the initial stages of a large-scale cyberattack. But as DARPA notes, “early warning of only a few minutes may be sufficient for grid operators to take actions that would protect vulnerable equipment.” The system should be able to scan the grid and inform engineers of how the attack is progressing.

RADICS will also “create and maintain secure emergency networks for communication in the aftermath of an attack.” This will involve researching and developing technologies for isolating from the Internet organizations that have been affected by a cyberattack and then establishing a secure emergency network to restore parts of the grid without relying on the external transmission network.

Additionally, RADICS should be able to quickly locate and characterize what kinds of malicious code have attacked grid infrastructure. The systems in this part of the program need to determine which industrial control system components are behaving incorrectly, then discover and characterize the malware responsible.
