The Army Reserve Installation Management Directorate and Fort Hunter Liggett, in cooperation with the Defense Digital Service (DDS) and industry-partner Bugcrowd, conducted the “Hack the Army Microgrid” cyber resilience assessment at Fort Hunter Liggett, CA. The assessment, based on a "bug bounty" model, was conducted by 11 pre-vetted independent security researchers over four consecutive days to look for exploitable vulnerabilities in the installation’s solar-powered microgrid. Fort Hunter Liggett’s “Hack The Army Microgrid” assessment will set the precedent for cyber commissioning of future microgrids.

“After a decade of sustainability and resilience projects, Fort Hunter Liggett has led the Department of Defense in establishing an energy microgrid powered by clean renewable resources for use during times of utility disruption,” explained Col. Stephen S. Trotter, Garrison Commander. “Now we’re taking it a step further to ensure the cybersecurity of the system is hardened. With threats to California power grids from drought conditions and wildfires to man-made attacks, our backup energy system must be reliable to support our Soldiers and the mission.”

Microgrid cyber resilience initiatives started nearly three years ago when Fort Hunter Liggett was asked to participate in a project for DDS Hack the Pentagon portfolio. DDS, under the Department of Defense’s Chief Digital and Artificial Intelligence Office, facilitates bug bounties to enable ethical hackers to find and address vulnerabilities in a rapid, cost-effective way before the adversary does. Fort Hunter Liggett and DDS started attending hacking events in 2022 as the initial step to vet ideas and generate interest in testing the microgrid cybersecurity in the ethical hacker community. With the Army Reserve-funded installation’s microgrid project completion and commissioning taking place in September 2024, the team got to work enlisting the help of industry partner Bugcrowd to manage a “Hack the Army Microgrid” bug bash to find vulnerabilities.

“The assessment had 12 testing objectives which researchers attempted to meet over the four days,” explained Isaac Pires, Product Manager and Hack the Pentagon Portfolio Lead at the DDS. “Each objective referred to a hypothetical scenario that a vulnerability type could lead to. By the end of the event, all 12 testing objectives were conducted by the researchers, and they acknowledged that the cyber resilience of the microgrid that they encountered was above what they initially expected.”

“Bugcrowd sent a robust team with diverse skillsets to attempt to exploit our systems and discover hidden vulnerabilities,” added contractor Jarrod Ross, Fort Hunter Liggett Resource Efficiency Manager. “They worked in various groups to conduct a series of cyber resilience testing on our battery storage, solar arrays, integration controllers, radio frequency, and a portion of our local enterprise network that connects to the microgrid’s monitoring system.”

The researchers even took it a step further and tested the microgrid’s integrated control system, which is an offshoot of the Army Reserve’s Enterprise Building Control Systems (EBCS) program. EBCS integrates advanced meters and selected building control systems to provide robust central monitoring, control, and advanced analytical features. “One of the researcher’s focus areas was attempting to bypass our devices that integrate into our operational technology network,” shared Eric McKay, who serves as the Army Reserve’s contract EBCS Sustainment Coordinator. “This proved to be a tougher than expected task. The design guide that is part of our EBCS program is crucial to the cybersecurity posture of our program.”

Findings from the assessment will position the U.S. Army Reserve to adopt cybersecurity considerations into future microgrid commissioning. “Each microgrid system is a snowflake – meaning they are all constructed differently to meet the needs of a site. One size does not fit all when it comes to cyber resilience approaches,” added Ross. “We’ve created a process to do this in the future to make it a normal part of microgrid implementation. Testing our established protocols is the only way to 100% validate and ensure the safety of our systems. The documented findings from this bug bash will strengthen Fort Hunter Liggett’s microgrid as well as future microgrids implemented across the Army Reserve. This will help protect our energy resilience in the times our Soldiers need it the most.”