The Pentagon will deploy local, self-contained electric grids, or microgrids, to 134 Army bases, beginning in May. But first they tested the technology at DEF CON, looking for hackers’ help finding potentially crippling vulnerabilities so they can better preempt cyberattacks.
The collaboration unfolded at the annual cybersecurity and hacking conference this past weekend in Las Vegas where more than 1,700 DEF CON attendees participated in Pentagon’s microgrid hacking challenge, with many of them successfully shutting down the mock grid.
Benny was one of them. An ethical hacker from Colorado who did not want to reveal his last name, he short-circuited the Pentagon’s model microgrid after several minutes of trying different attacks.
“If we lose our public infrastructure, we lose stability so getting hackers thinking about how to break in and how to manipulate the data and what the data will do if it is manipulated — I think it’s a really good idea,” he said.
That’s exactly the Pentagon’s aim. Defense officials said they came to DEF CON in hopes of finding potential hacks — and working to prevent them — because they understand microgrids can be vulnerable.
“The newer microgrids, like the more experimental one we’re looking at, rely on [being] … automatically connected to weather data,” said Katie Olson, the Pentagon’s Deputy Chief Digital and AI Officer and director of the Defense Digital Service (DDS), a team of hackers, engineers and data scientists inside the Defense Department. Olson said she believes hackers will see that as an easy opportunity to wreak havoc on the grids by forcing “a bunch of data in that [falsely] says, ‘There’s a lot of wind today,’ and causes [it] to overload.”
The Army is pushing the microgrid effort because the systems are energy efficient, cost-effective and can keep bases up and running even if a cyberattack or natural disaster takes out the larger power grid. But there’s a downside, too. Because microgrids depend on advanced technology to connect various components providing intelligence and automation, they are vulnerable to a wide range of attacks.
“In general, renewable energy projects are very often smart energy projects, which are inherently connected to online systems and networks in such a way that they can be much more susceptible to cybersecurity attacks,” said Morgan Higman, a fellow in the Energy Security and Climate Change program at the Center for Strategic and International Studies. “Not doing the due diligence with some of these hacking exercises could set us up for some serious security concerns or operational concerns, particularly for military installations.”
The hackers at DEF CON tried plenty of creative ways to disrupt the grid. One of the most successful involved injecting bad code into National Oceanic and Atmospheric Administration weather forecasts the microgrids rely on to function.
That’s how Benny and many other hackers at DEF CON were able to disable a wind turbine and solar panels powering the brightly lit model neighborhood that anchored the game. Lights inside the neighborhood’s houses flickered on and off and the miniature wind turbine turned red, smoked and ground to a halt whenever a hacker won the challenge. What was valuable to DDS, officials said, was seeing the various inventive ways the DEF CON attendees found to manipulate the forecast data the model microgrid relied upon.
Nick Ashworth is the technical architect at DDS working on microgrid resilience. He’s a seasoned engineer and former Navy tactical cyber electronic warfare expert. But on Saturday, he was outwitted by a teenager who figured out that because the microgrids run on the Kelvin temperature scale, which does not use negative values, she could insert negative numbers into the forecast models for the grid and crash the system.
He said the hack was one no one at DDS had thought of yet.
“She came up, she had fun, she kicked ass,” Ashworth said. “I was explaining the math to her because it’s Kelvin and one of the Easter eggs is setting to absolute zero and she was like, ‘Well, can I go lower than zero?'”
Ashworth told her she could. When the girl asked what would happen, he says he told her that “everything would get really f—ed up because the rest of the world doesn’t go lower than zero in Kelvin. Physics has a real problem with that.”
It is important the Pentagon gets microgrid’s cybersecurity protections right, officials say. In addition to the worrisome national security implications of having Army installations without power, the microgrids’ performance also will affect the public since neighborhoods near Army installations will be on the network, too.
Ashworth said that’s a good thing, pointing to the powerful winter storms that hit Texas in February 2022, killing 246 people. If those storms had occurred at a time when Army installations had microgrids running, he said, the systems could have powered homes where vulnerable populations lived.
That may well be true, but experts say that despite their status as a fail safe for the normal electricity grid, microgrids are more susceptible to cyberattacks. Given this fact, some wonder if microgrids are safe to count on for backup power.
“You’re actually making [the Army base] more susceptible to cyberattacks by making a smart grid because there’s points of entry and penetration that people can get into and trick the system,” said Rob Cuzner, the director of the Center for Sustainable Electrical Energy Systems at the University of Wisconsin at Milwaukee and a consultant to the Navy’s microgrid project. “There isn’t so much networking communications with more conventional grids.”
That’s why Paul Farnan, the Army’s principal deputy assistant secretary for installations and environment, believes that DDS support is important, he said.
“We need the technical expertise that DDS brings and that this whole community here brings to educate us,” said Farnan, who said he was unaware of DDS before the microgrid partnership.
California’s Fort Hunter Liggett will be the first Army installation to get a microgrid when construction concludes next year with a reported price tag of $21.6 million. Ashworth’s team will head out west to conduct penetration testing on site, manually checking the grid for vulnerabilities, in February. DDS is also planning a bug bounty program to further test the microgrid. Ashworth said the Army will use the findings as a template to create new cybersecurity standards for microgrids.
Ashworth and his team see the project as high stakes, but that doesn’t mean they weren’t having fun at DEF CON. Thinking back on the teenage girl’s Kelvin trick, Ashworth grinned and said, “Yeah, that was a valid attack.”
Correction: Aug. 16, 2022: This story has been corrected to update the timeframe for expected microgrid construction. It is planned to begin in May. Also, the story was updated to reflect Katie Olson’s new title. She is Deputy Chief Digital and AI Officer.