The Pentagon's plan to defend the power grid against hackers

Amid increased attention on the critical infrastructure security from the Obama administration and industry, the Defense Advanced Research Projects Agency is working on a new plan to safeguard the grid.

The Pentagon's advanced research wing is looking for ways to safeguard America's most critical assets from attacks on the Internet – a network it helped create.

The Defense Advanced Research Projects Agency (DARPA), which pioneered much of the technology underpinning the Internet, is planning to invest $77 million over the next four years to develop methods to help utilities detect and recover from cyberattacks, which experts say is a growing threat to small and large power operators alike. 

"What we’re really looking at is a high-impact, low probability event," says John Everett, program manager at the Information and Innovation Office at DARPA who is overseeing the initiative. But, says Dr. Everett, "DARPA’s mission is to create and prevent technological surprises."

As electric power plants and other critical infrastructure facilities' increasingly rely on Internet-connected technologies and wireless communications, hackers appear to be uncovering new avenues to penetrate their networks. While cybersecurity experts have been warning about this for years, that threat gained new attention in the wake of last month's malware attack on a Ukrainian power plant and recent news reports of digital incursions at a small New York dam and at the major US power producer Calpine Corp. 

In addition to those attacks, President Obama issued a presidential proclamation in October that emphasized the need to shore up US critical infrastructure facilities against attack.

"There is a lot of discussion about what the potential for risk is, but we’d like to really get to the technical bedrock and understand the extent and nature of that," said Everett. 

The program that was first announced in December will focus on three main areas of technological innovation: situation awareness, network isolation, and rapid forensic analysis. If utilities can quickly detect digital attacks, says Everett, it has a better chance of preventing physical damage from occurring.

To date, there's no clear, public evidence that a cyberattack has caused widespread physical damage to the grid, but experts say malware is regularly found on Internet-connected industrial control systems.

A recent study by the cybersecurity firm Tripwire revealed that 82 percent of the oil and gas companies surveyed said they saw an increase in successful cyberattacks over the past year. More than half of the same respondents said the number of cyberattacks increased between 50 to 100 percent over the past month.

Still, it’s difficult to determine how serious these attacks are. Even if malicious hackers are able to gain access to a system, that doesn’t necessarily mean they know how to control it. A hacker would need a very detailed understanding of how a system operates in order to create an effect, one that could require an advanced degree in physics or engineering, experts say. 

"Anytime you open up a service and provide an interface to someone, a button to press or a way to push information into the system or take information out, you can probably develop a way to attack it," explains Rod Schultz, vice president of Rubicon Labs, a cybersecurity startup. "Those sources are being opened up by these new technologies and the attackers are going to test the waters. They’re just like little kids running around a classroom trying to see what they can get away with."

The same goes for green technology such as wind and solar power. Measures to make the grid more ecologically sustainable are opening new portals that could be breached. The German security researcher Maxim Rupp, for example, found that Web controls for certain models of wind turbines are highly vulnerable to hacking. And while the grid was originally designed to push energy in one direction, solar panel installation increases vulnerability by transforming the grid into a two-way street and pushing energy back into the system.

Amid this changing energy landscape, awareness about the need to protect energy supplies from cyberthreats is spurring innovation. In the Netherlands, for example, researchers are testing technology that would reconfigure the grid automatically after an attack to keep energy flowing. In this case, the European Union funded the research at a lab in Switzerland. 

In the US, DARPA appears fully aware that the adoption of energy-saving tech such as smart meters can bring about vulnerabilities, too. "With only a few million meters installed, maybe that’s not a huge threat today," says DARPA'S Everett. "But what happens if it proceeds over 10 years and most of the country is in that situation?"

While the government and the utility industry are clearly pouring more resources into the security of critical infrastructure facilities, Tim Erlin, director of IT security at Tripwire, warns the industry may need to move faster to defend against cyberthreats.

"Attackers continue to evolve their tools and techniques to defeat the protection controls that are put in place," he said. "The industry has to evolve to meet those new threats and defend against them."