
Plum Island, just off New York’s northeastern coast, is a sparsely populated outpost with a century-long legacy of defending national interests. During the Spanish-American War, the island hosted soldiers who protected coastal communities. During World War II, Plum Island served as a training ground for U.S. troops.
More recently, scientists have used Plum Island to research ways to protect U.S. agriculture from catastrophic disease outbreaks.
Now, the 840-acre island’s national security legacy continues through an annual exercise known as Liberty Eclipse. This exercise trains power companies, industry experts, and government officials to respond to cyberattacks that could disrupt the flow of commercial electricity and natural gas.

A modern training ground
The exercise designs and delivers full-scale cybersecurity scenarios in intense, hands-on training events to improve national energy resilience. It’s sponsored by the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER), and is supported by two national laboratories and the University of Illinois Urbana-Champaign.
“Liberty Eclipse allows utilities to operate in an environment that closely mirrors their own systems,” said Brian Marko, the exercise’s director. “This year, we hope utility teams learned how to be better prepared for the challenges of defending critical infrastructure in the real world.”
The comprehensive training program began as a 2018 Defense Advanced Research Projects Agency (DARPA) project addressing the military’s reliance on the commercial power grid. DARPA’s Black Start Exercise demonstrated the value of developing technology to restore the grid after a cyberattack. DOE then expanded this mission to include power utilities, especially those protecting critical infrastructure. The first full-scale Liberty Eclipse exercise was held in 2022.

Months prior to the exercise, Daniel Hearn, a senior computer security researcher at the Idaho National Laboratory, led a red team consisting of utility and international partners and national lab researchers that designed attack scenarios based on current threat intelligence.
“Liberty Eclipse gives industry professionals a chance to experience real cyberattacks, using known techniques and methodologies from advanced actors, in a controlled environment,” Hearn said.
This year’s exercise includes scenarios simulating real-world threats, covering several types of attacks with specific intentions and behaviors: low-skilled and noisy, criminal data theft, wanton disruption, and stealthy and skilled compromise with engineered effects.

Stress testing grid resilience
Utility participants help design and structure the island’s grid to emulate their environments, from infrastructure to internal team dynamics, to procedures and response plans. During the exercise, they test their integrated security posture, and the capabilities and limits of their tools and operational technology to detect cyberattacks.
“Liberty Eclipse enhanced my understanding of the collaboration required between information technology, operational technology, and real-time operations professionals,” said Tom Huth, Principal at Energy Markets Cyber Incident Coordination at the Australian Energy Market Operator. “The exercise taught me how to effectively respond to modern cyber threats to electricity infrastructure.”
According to Mandi Peters, INL’s Liberty Eclipse program manager, the exercise unites public and private cybersecurity experts, utility operators, and defenders of U.S. critical energy infrastructure like the National Guard and DOE hunt teams.

“This collaboration allows us to ‘practice like we fight’ and advance research and development tools, techniques, and procedures that utilities implement in their operations and cyber protection teams use to refine their strategies,” Peters said.
The impact of the exercise goes well beyond just the 300-plus in-person participants on the island and remote participants over the five-day event.
Unlike most exercises that are structured like a competition, Liberty Eclipse lets utilities learn in a collaborative environment by sharing knowledge and networking with industry participants and national laboratory experts.
Utility participants are grouped into three cross-functional blue teams, using the island’s standalone grid and dedicated communication system as a test bed. They work in security and control operations centers, responding to continuous cyberattacks that impact their energized substation operations with power fluctuations, equipment stress, ransomware attacks, and living-off-the-land attacks with data exfiltration.

Utility participants leverage tools and procedures that they use in their operational environments to detect (in real time or forensically), respond to and recover from the attacks. Other participants are assigned to hunt teams that practice tuning their tools and procedures to be more effective in operational technology environments.
Mike Typer, information systems manager at Cybersecurity Operations at the Los Angeles Department of Water and Power, participated for the first time this year. “Our team found it to be immediately applicable to our day-to-day operations,” said Typer. “Liberty Eclipse is a unique event that plays a critical role in helping teams prepare and learn about the crucial role in defending the power grid.”
The exercise allows organizers to collect observations and data to help utilities evaluate their performance, infrastructure configurations and procedures, and to identify areas for improvement.
U.S. utilities have largely averted severe cyberattacks affecting operations, but adversaries are developing more sophisticated and complex techniques. Liberty Eclipse provides an unpredictable, live-fire attack environment on a realistic power grid that trains operators to develop a professional “sixth sense” to interrogate, analyze and respond to anomalies.
– Ethan Huffman


