
    DOE’s Liberty Eclipse simulates ransomware and stealth attacks to prepare utilities for real-world grid cyber threats

    The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response brought utilities, industry experts, and government defenders together on Plum Island, New York, for the annual Liberty Eclipse exercise, a full-scale cyber training event designed to strengthen U.S. energy grid resilience. Using an isolated 840-acre grid that mirrors real utility environments, participants from power companies, national laboratories, and partner organizations tested their ability to detect, respond to, and recover from a range of simulated cyberattacks, from noisy intrusions and ransomware to stealthy, engineered compromise scenarios. 

    The exercise fosters collaboration across information technology, operational technology, and real-time operations teams and allows utility operators to refine tools, procedures, and cross-functional response plans in a realistic setting. With adversaries advancing in sophistication, Liberty Eclipse aims to build a professional ‘sixth sense’ among defenders, giving them the experience needed to confront and mitigate real cyber threats to critical electrical infrastructure.

    “Liberty Eclipse allows utilities to operate in an environment that closely mirrors their own systems,” Brian Marko, the exercise’s director, said in a media statement. “This year, we hope utility teams learned how to be better prepared for the challenges of defending critical infrastructure in the real world.”

    The comprehensive training program began as a 2018 Defense Advanced Research Projects Agency (DARPA) project addressing the military’s reliance on the commercial power grid. DARPA’s Black Start Exercise demonstrated the value of developing technology to restore the grid after a cyberattack. DOE then expanded this mission to include power utilities, especially those protecting critical infrastructure. The first full-scale Liberty Eclipse exercise was held in 2022.

    Months before the exercise, Daniel Hearn, a senior computer security researcher at the Idaho National Laboratory, led a red team consisting of utility and international partners and national lab researchers that designed attack scenarios based on current threat intelligence.

    “Liberty Eclipse gives industry professionals a chance to experience real cyberattacks, using known techniques and methodologies from advanced actors, in a controlled environment,” Hearn said.

    This year’s exercise includes scenarios simulating real-world threats focused on various types of attacks with specific intentions and behaviors: low-skilled and noisy, criminal data theft, wanton disruption, and stealthy and skilled compromise with engineered effects.

    Utility participants help design and structure the island’s grid to emulate their environments, from infrastructure to internal team dynamics, to procedures and response plans. During the exercise, they test their integrated security posture and the capabilities and limits of their tools and operational technology to detect cyberattacks.

    “Liberty Eclipse enhanced my understanding of the collaboration required between information technology, operational technology, and real-time operations professionals,” said Tom Huth, Principal at Energy Markets Cyber Incident Coordination at the Australian Energy Market Operator. “The exercise taught me how to effectively respond to modern cyber threats to electricity infrastructure.”

    According to Mandi Peters, INL’s Liberty Eclipse program manager, the exercise unites public and private cybersecurity experts, utility operators, and defenders of U.S. critical energy infrastructure like the National Guard and DOE hunt teams. “This collaboration allows us to ‘practice like we fight’ and advance research and development tools, techniques, and procedures that utilities implement in their operations and cyber protection teams use to refine their strategies,” he added.

    The impact of the exercise extends far beyond the more than 300 in-person participants on the island, reaching remote teams and organizations involved throughout the five-day event and influencing broader grid defense practices across the sector. Unlike most exercises that are structured like a competition, Liberty Eclipse lets utilities learn in a collaborative environment by sharing knowledge and networking with industry participants and national laboratory experts.

    Utility participants are grouped into three cross-functional blue teams, using the island’s standalone grid and dedicated communication system as a test bed. They work in security and control operations centers, responding to continuous cyberattacks that impact their energized substations’ operations with power fluctuations, equipment stress, ransomware attacks, and living-off-the-land attacks with data exfiltration.

    These participants use the same tools and procedures deployed in their operational environments to detect attacks in real time or through forensic analysis, then respond to and recover from them. Other participants serve on hunt teams, where they refine and tune tools and workflows to improve their effectiveness in operational technology environments.

    Mike Typer, information systems manager at Cybersecurity Operations at the Los Angeles Department of Water and Power, participated for the first time this year. “Our team found it to be immediately applicable to our day-to-day operations,” said Typer. “Liberty Eclipse is a unique event that plays a critical role in helping teams prepare and learn about the crucial role in defending the power grid.”

    The exercise allows organizers to collect observations and data to help utilities evaluate their performance, infrastructure configurations and procedures, and to identify areas for improvement.

    U.S. utilities have largely averted severe cyberattacks affecting operations, but adversaries are developing more sophisticated and complex techniques. Liberty Eclipse provides an unpredictable, live-fire attack environment on a realistic power grid that trains operators to develop a professional ‘sixth sense’ to interrogate, analyze and respond to anomalies.

     
