# Full Report
The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response brought utilities, industry experts, and government defenders together on Plum Island, New York, for the annual Liberty Eclipse exercise, a full-scale cyber training event designed to strengthen U.S. energy grid resilience. Using an isolated 840-acre grid that mirrors real utility environments, participants from power companies, national laboratories, and partner organizations tested their ability to detect, respond to, and recover from a range of simulated cyberattacks, from noisy intrusions and ransomware to stealthy, engineered compromise scenarios.
# Analysis Summary
# Incident Report: Liberty Eclipse 2026 Cyber Training Exercise Summary
## Executive Summary
The Department of Energy's 2026 Liberty Eclipse exercise was a full-scale cyber training event conducted on Plum Island, NY, designed to enhance U.S. energy grid resilience. Participants from utilities and government agencies tested response capabilities against simulated attacks, which ranged from noisy ransomware intrusions to sophisticated, stealthy compromises targeting operational technology environments. The exercise focused heavily on improving cross-functional collaboration between IT, OT, and real-time operations teams.
## Incident Details
- **Discovery Date:** N/A (Training Exercise Start Date)
- **Incident Date:** N/A (Exercise Period, initiated Jan 30, 2026)
- **Affected Organization:** Multiple participating utility companies and national laboratories (Simulated)
- **Sector:** Energy/Electrical Power Grid (Critical Infrastructure)
- **Geography:** Plum Island, New York (Controlled Exercise Environment)
## Timeline of Events
*Note: As this is a summary of a training exercise simulating various attacks, the timeline below is organized by the **types** of scenarios tested.*
### Initial Access
- **Date/Time:** During Exercise Execution
- **Vector:** A range of simulated vectors, including "noisy intrusions" and the initial footholds used in the stealthy compromise scenarios.
- **Details:** Scenarios included methods that would lead to the observed attack types (ransomware, data theft, disruption).
### Lateral Movement
- **Date/Time:** During Exercise Execution
- **Vector:** Techniques, as defined by the red team scenarios, for moving from the initial compromise to operational technology (OT) or critical control systems.
- **Details:** Attack simulations focused on demonstrating the progression necessary for engineered compromise scenarios.
### Data Exfiltration/Impact
- **Date/Time:** During Exercise Execution
- **Vector:** Simulated data theft and wanton disruption.
- **Details:** Testing the impact of ransomware deployment and engineered effects aiming to disrupt the isolated grid environment.
### Detection & Response
- **Date/Time:** Throughout the exercise duration
- **Vector:** Internal detection capabilities; external monitoring by DOE hunt teams.
- **Details:** Participants tested their integrated security posture, tools, and operational technology capabilities to detect the intrusions across IT/OT environments. Response plans were practiced across IT, OT, and real-time operations groups.
## Attack Methodology
The red team designed scenarios based on current threat intelligence, covering a spectrum of attacker sophistication:
- **Initial Access:** Covered via simulated "noisy intrusions" and methods leading to stealthy compromise.
- **Persistence:** Implicit in the "stealthy, engineered compromise scenarios."
- **Privilege Escalation:** Implied requirement to reach critical systems for ransomware/disruption.
- **Defense Evasion:** Key focus during the "stealthy" attack simulations.
- **Credential Access:** Required for executing complex compromise scenarios.
- **Discovery:** Implicit in the progression toward achieving the scenario's final objective.
- **Lateral Movement:** Tested across the simulated utility infrastructure.
- **Collection:** Tested via "criminal data theft" scenarios.
- **Exfiltration:** Tested under "criminal data theft" scenarios.
- **Impact:** Ranged from "wanton disruption" to system compromise resulting in control loss/system failure (simulated).
## Impact Assessment
- **Financial:** Not applicable (Training Exercise; costs associated with the exercise only).
- **Data Breach:** Simulated data theft scenarios were executed.
- **Operational:** Tested the ability to respond and recover from disruptions to the simulated electrical grid.
- **Reputational:** Not applicable (Controlled, private exercise).
## Indicators of Compromise
*As this is a training exercise summary, specific IOCs are not published. The exercise utilized known techniques and methodologies from advanced actors.*
- **Network indicators:** N/A (Simulated using known threat TTPs)
- **File indicators:** N/A (Simulated use of ransomware and custom malware techniques)
- **Behavioral indicators:** Successful execution of TTPs associated with known threats targeting critical infrastructure.
## Response Actions
- **Containment measures:** Utilities practiced integrated containment strategies across IT and OT environments.
- **Eradication steps:** Teams practiced procedures for clearing threats from compromised zones.
- **Recovery actions:** Tested procedures for data restoration and restoration of grid operations following simulated failures, building upon the previous DARPA Black Start focus.
## Lessons Learned
- Enhanced understanding of the critical collaboration required between Information Technology (IT), Operational Technology (OT), and real-time operations professionals during an incident.
- Gained experience in detecting and responding to modern cyber threats targeting electricity infrastructure.
- Identified limits of current tools and operational technology in detecting advanced cyberattacks.
- The training helped build a professional ‘sixth sense’ among defenders for confronting sophisticated threats.
## Recommendations
- Continue regular, full-scale exercises (like Liberty Eclipse) that mirror real utility environments and integrate IT/OT response planning.
- Further refine cross-functional response plans based on scenarios that test stealthy/engineered compromise techniques.
- Advance research and development of the tools and procedures used by utility operations and cyber protection teams.