Here’s DARPA’s Proposed Plan to Recover from a Massive Power Grid Hack
Now, they just need the technology.
If a massive attack on America's power grid were to plunge the country into darkness tomorrow, the Pentagon estimates that it would take the nation's top engineers "many weeks" to bring everything back online. That's "many weeks" of the economy, and the military, being stuck at a standstill.
The Defense Advanced Research Projects Agency (DARPA), the US military's blue-sky research wing, wants an automated system that can bring the recovery time for a devastating hack down to less than seven days by 2020. The idea is that the system could be deployed after an attack and quickly identify the source of security holes so engineers can fix them.
This is according to a solicitation for proposals for the agency's Rapid Attack Detection, Isolation and Characterization (RADICS) program, posted on Friday, which gives us the most insight into the program's requirements so far. A Proposers Day for companies interested in contributing to the project was scheduled to be held on Monday morning.
"A substantial and prolonged disruption of electric power would have profound economic and human costs for the United States," the DARPA solicitation states. "From a defense perspective, it would hamper military mobilization and logistics, impairing the ability of the Government to project force and pursue diplomatic solutions to international crises."
This would be, basically, the so-called "cyber armageddon" that US director of national intelligence James Clapper has stated is pretty unlikely to ever occur. This is despite the fact that researchers have discovered weak points in the networking equipment of thousands of internet-connected industrial control systems in the US. If an attacker targeted these weak points, and gained access to electrical systems, they could potentially alter the flow of electricity or even damage equipment.
DARPA is asking potential candidates to assume that US critical infrastructure is still a security disaster ten years from now. Proposed solutions must assume that, in the future, tight budgets and competition for investments—more internet-connected "smart meters" that will only increase the opportunities for a hack, for example—have resulted in a chronically insecure system. Actually securing the grid is outside of the scope of RADICS; this is for when shit really hits the fan.
The RADICS system will work in three parts. First, it must be able to detect a hack in its early stages. This is no easy feat, since, "equipment failures, accidents, improper configurations and unpredictable damage are the norm for power grid operation," the DARPA filing states. This stage of RADICS would also continuously scan the grid and keep engineers up to date on how the attack is progressing.
Next, the RADICS system will "create and maintain secure emergency networks for communication in the aftermath of an attack." This would involve disconnecting any affected utilities from the internet and having them communicate on an alternate, secure network. Building this network may require cooperation among multiple telecommunications companies in the US.
The third and final stage of the RADICS system would scan all control devices connected to the grid and find out which ones are behaving incorrectly. Once a wonky device is identified, the system would be able to automatically detect what kind of malware was inserted into the system.
DARPA is also looking for companies to design testing and evaluation platforms for the RADICS system.
Work on the RADICS program is slated to begin on July 1, 2016, and will run for four years. DARPA will shell out $77 million in total for the program, and the agency expects to give out multiple awards for developing each stage of the RADICS system. After just six months of work, companies developing the technology will be expected to demonstrate its initial capabilities.
CORRECTION: An earlier version of this article stated that DARPA would be giving out $77 million in funding per award for developing the RADICS system, but in fact $77 million is the budget for the entire program. This article has been updated to reflect this, and Motherboard sincerely regrets the error.