SoS Musings #55 - Strengthening Power Grid Cybersecurity
The potential for power grid intrusions by hackers continues to widen as utilities increasingly turn to renewable energy sources and implement components such as smart meters that multiply the number of connections and sensors within their networks. Daine Loh, a power and renewables analyst with Fitch Solutions, pointed out that power grids are growing more vulnerable to cyberattacks because of digitalization and the increased use of smart applications. As power plants and substations move from manual controls to automatic ones, they are becoming increasingly connected to public and private networks for remote access, thus making them more susceptible to hacking. Cybersecurity experts have emphasized that power grids, as well as other essential state infrastructures, will continue to be an attractive target for cyberattacks because the modernization of such infrastructures enables Internet connectivity, which, in turn, makes them more vulnerable. As the modernization of the power grid continues, it is essential to explore and develop new safeguards to protect it from cyberattacks.
Different power grid cyberattacks have drawn attention to the importance of addressing associated weaknesses and developing advanced solutions. One of the most notable power grid attacks occurred in 2015, which resulted in power outages for about 225,000 people in Ukraine. The attack, attributed to Russia-backed hackers, involved the distribution of BlackEnergy malware through emails with attachments targeting specific individuals at different energy companies to gather administrator credentials and gain access to Ukrainian energy substation networks. The actors behind the attack also activated a destructive malware variant known as KillDisk to wipe data from hard drives and prevent system rebooting, which led to the power outages. The delivery of malware disconnected electrical substations, resulting in the blackout. In order to restore the substations' normal operations, on-site operators had to intervene manually, which included switching the dispatch control center to manual mode as the malicious actors infected the Supervisory Control and Data Acquisition (SCADA) manufacturer firmware. In 2017, the security firm Symantec warned of a series of power grid penetrations by hackers in a group called Dragonfly 2.0 that not only compromised energy companies in the US and Europe but also led to the malicious actors gaining access to power grid operations, which could have caused blackouts on American soil at any time. The hackers obtained "operational access," which would have allowed them to take control over interfaces used by power company engineers to send commands to circuit breakers and other equipment, giving them the ability to stop the flow of electricity into US homes and businesses. The North American Electric Reliability Corporation (NERC) released a report highlighting lessons learned from an incident that occurred on March 5, 2019, which impacted a US power grid entity. 
The hackers behind this incident exploited a known vulnerability to cause firewalls to repeatedly reboot. As a result, operators at the power control center started to lose communication with multiple remote power generation sites. Each reboot of the Internet-facing firewalls severed communication for minutes at a time between a controller and a generation site. This power grid cyberattack lasted for about 10 hours. The power grid operator discovered that they had failed to apply firmware updates for the targeted firewalls, emphasizing the importance of reviewing and deploying such updates. The incident did not result in the disruption of power supply as it occurred against "low impact" sites, but NERC pointed out that it could have caused loss of power if it had occurred in a key part of the US power grid in the middle of winter or the peak of summer. Such incidents stress the need for continued research and development of solutions and advancements for strengthening power grid cybersecurity.
Efforts have been made to bolster the cybersecurity of the power grid. Computer security experts at Johns Hopkins University developed Spire, a hacker-resistant SCADA system for the power grid. The system is designed to withstand attacks and compromises at the system and network levels without degrading the performance and timeliness of power grid monitoring and control systems. The Spire system works, in part, through the help of replicas. The researchers built it to contain multiple copies of the main control server, which all work together to agree on updates in the system. According to the researchers, six is the smallest number of replicas needed for good protection. They added that each copy votes on data and every decision, so even if one replica gets compromised and another is under maintenance, the other good replicas will still allow the system to continue functioning properly in a timely manner. Computational scientists at the US Department of Energy's (DOE) Argonne National Laboratory teamed up with researchers at Hitachi ABB Power Grids, a leading global technology company, in the development of a new security layer and decision framework to help identify and stop cyber threats facing a power grid so that the grid can continue operating even if it is under attack. Instead of taking a traditional IT-based approach, the team considered the power grid's physics. This work is part of the broader initiative overseen by Hitachi ABB Power Grids, with support from the DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER), to safeguard High-Voltage Direct Current (HVDC) transmission lines. HVDC is critical to stabilizing the US power grid against disturbances as it functions like an electricity highway. 
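The replica-voting idea behind Spire can be seen in a small simulation. The following is an added example written for this article, not Spire's own code. It assumes a fault model of f = 1 compromised replica plus k = 1 replica offline for maintenance, and uses the n = 3f + 2k + 1 replica count and 2f + k + 1 agreement quorum from the intrusion-tolerant replication literature, which give six replicas and a quorum of four. The control-server state and the replica behaviors are constructed for illustration.

```python
"""Replica voting in the spirit of Spire's replicated control server.

Added example, not Spire's code. Assumptions (ours, not from the article):
  f = 1 replica may be compromised and answer arbitrarily,
  k = 1 replica may be offline for maintenance at the same time,
  a reading is accepted only when QUORUM replicas report the same state.
"""
from collections import Counter
from typing import Callable, Dict, List, Optional

F_COMPROMISED = 1
K_MAINTENANCE = 1
N_REPLICAS = 3 * F_COMPROMISED + 2 * K_MAINTENANCE + 1   # = 6, as in the article
QUORUM = 2 * F_COMPROMISED + K_MAINTENANCE + 1            # = 4 matching answers

# Constructed sample state held by the honest control-server replicas.
TRUE_STATE = {"breaker_7": "CLOSED", "bus_3_kv": 138.2}


def honest_replica(state: dict) -> dict:
    """An uncompromised replica reports the agreed state faithfully."""
    return dict(state)


def compromised_replica(state: dict) -> dict:
    """A compromised replica may report anything; here it lies about a breaker."""
    bad = dict(state)
    bad["breaker_7"] = "OPEN"
    return bad


def offline_replica(state: dict) -> None:
    """A replica under maintenance does not answer at all."""
    return None


def freeze(state: dict) -> tuple:
    """Make a state dict hashable so identical answers can be counted."""
    return tuple(sorted(state.items()))


def vote(responses: Dict[int, Optional[dict]], quorum: int = QUORUM) -> Optional[dict]:
    """Return the state that at least `quorum` replicas agree on, else None.

    With at most f liars, any `quorum` matching answers include at least
    quorum - f honest ones, so an accepted value is the honest state.
    """
    tally = Counter(freeze(r) for r in responses.values() if r is not None)
    if not tally:
        return None
    value, count = tally.most_common(1)[0]
    return dict(value) if count >= quorum else None


def run_round(replica_kinds: List[Callable], state: dict = TRUE_STATE) -> Optional[dict]:
    """Query every replica once and decide by quorum."""
    assert len(replica_kinds) == N_REPLICAS
    responses = {i: kind(state) for i, kind in enumerate(replica_kinds)}
    return vote(responses)


def scenario_one_compromised_one_offline() -> Optional[dict]:
    """The case the article describes: one bad replica, one in maintenance."""
    kinds = [honest_replica] * 4 + [compromised_replica, offline_replica]
    return run_round(kinds)


def scenario_too_many_faults() -> Optional[dict]:
    """Beyond the design assumption: two compromised, one offline -> no quorum."""
    kinds = [honest_replica] * 3 + [compromised_replica] * 2 + [offline_replica]
    return run_round(kinds)


if __name__ == "__main__":
    print("tolerated faults:", scenario_one_compromised_one_offline())
    print("too many faults: ", scenario_too_many_faults())
```

The second scenario shows why the replica count matters: with only three honest answers, the system refuses to produce a value rather than risk acting on a forged one, which is the safe failure mode for a control system.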
However, as the grid continues to be modernized and HVDC-based applications grow in deployment, they increasingly become an attractive target for malicious internal and external actors who could send incorrect commands that threaten the grid's stability. Since HVDC lines have a superior capacity to exchange power, their compromise can lead to significant disturbances to the power system, with the worst case being power grid destabilization and widespread outages and blackouts. Wide Area Monitoring, Protection, and Control (WAMPAC) is essential to implementing wide-area control with HVDC because it provides real-time data about grid operations. Since WAMPAC collects and synchronizes all the streams of data to increase visibility into grid operations, it allowed the team to develop a model for validating an HVDC system's actual behavior or the behavior of a surrounding system. They can then conduct data screening and identify abnormal signals or behaviors, as well as determine whether findings indicate a real failure or cyberattack. The framework developed by the team focuses on common but sophisticated attacks that traditional cyber intrusion systems and firewalls cannot always detect. Their detection algorithm automatically discovers chain reactions in grid systems caused by the injection of false data and then converts them into a set of rules that can be used to detect malicious data injections and set off alarms. Researchers from Idaho National Laboratory (INL) and Visgence Inc. designed a new cybersecurity technology called the Constrained Cyber Communication Device (C3D), which can block cyberattacks on the power grid. The researchers tested the C3D against a series of remote access attempts that indicate a cyberattack. 
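The physics-based screening the Argonne and Hitachi ABB team describe, checking synchronized measurements against what the grid's physics allows rather than against network signatures, can be illustrated with two simple consistency rules. The following is an added example, not the team's framework or its detection algorithm. It assumes real-power (MW) measurements from both ends of each line plus the local net injection at a bus, and the tolerances, line names, and readings are constructed for illustration.

```python
"""Physics-consistency screening of wide-area measurements.

Added example, not the Argonne / Hitachi ABB code. Assumptions (ours):
  - each line is metered at both ends; losses plus noise stay under LINE_TOL_MW,
  - at every bus, line flows plus local generation/load balance to ~0 (Kirchhoff),
  - a reading that breaks these rules is flagged for an operator to examine.
"""
from dataclasses import dataclass, replace
from typing import Dict, List

LINE_TOL_MW = 3.0   # constructed: expected line losses plus sensor noise
BUS_TOL_MW = 3.0    # constructed: acceptable power-balance residual at a bus


@dataclass(frozen=True)
class LineMeas:
    name: str
    from_bus: str
    to_bus: str
    p_from: float   # MW measured at from_bus end, positive = leaving from_bus
    p_to: float     # MW measured at to_bus end, positive = arriving at to_bus


def line_checks(lines: List[LineMeas]) -> List[str]:
    """Rule 1: both ends of a line must report (nearly) the same flow."""
    alerts = []
    for ln in lines:
        if abs(ln.p_from - ln.p_to) > LINE_TOL_MW:
            alerts.append(f"{ln.name}: end-to-end mismatch "
                          f"{ln.p_from:.1f} vs {ln.p_to:.1f} MW")
    return alerts


def bus_checks(lines: List[LineMeas], injections: Dict[str, float]) -> List[str]:
    """Rule 2: power entering a bus must equal power leaving it."""
    alerts = []
    for bus, local in injections.items():   # local: generation (+) or load (-)
        total = local
        for ln in lines:
            if ln.to_bus == bus:
                total += ln.p_to
            if ln.from_bus == bus:
                total -= ln.p_from
        if abs(total) > BUS_TOL_MW:
            alerts.append(f"{bus}: power-balance residual {total:.1f} MW")
    return alerts


def screen(lines: List[LineMeas], injections: Dict[str, float]) -> List[str]:
    """Run all rules over one synchronized snapshot; empty list means consistent."""
    return line_checks(lines) + bus_checks(lines, injections)


# Constructed snapshot: bus B3 fed by two lines and serving a 200.3 MW load.
SAMPLE_LINES = [
    LineMeas("L13", "B1", "B3", p_from=121.0, p_to=120.0),
    LineMeas("L23", "B2", "B3", p_from=81.2, p_to=80.5),
]
SAMPLE_INJECTIONS = {"B3": -200.3}


def tamper_one_reading(lines: List[LineMeas], name: str, new_p_to: float) -> List[LineMeas]:
    """Simulate a single falsified receiving-end reading for a screening test."""
    return [replace(ln, p_to=new_p_to) if ln.name == name else ln for ln in lines]


def clean_snapshot_alerts() -> List[str]:
    return screen(SAMPLE_LINES, SAMPLE_INJECTIONS)


def tampered_snapshot_alerts() -> List[str]:
    """One falsified reading on L13 trips both the line rule and the bus rule."""
    return screen(tamper_one_reading(SAMPLE_LINES, "L13", 150.0), SAMPLE_INJECTIONS)


if __name__ == "__main__":
    print("clean   :", clean_snapshot_alerts())
    print("tampered:", tampered_snapshot_alerts())
```

The two rules are complementary: a falsified value that is made to balance at the bus still has to agree with the meter at the far end of the line, and a value that is made to agree with its far end still has to balance at the bus, so an attacker must corrupt several synchronized measurements consistently to pass both.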
In a live demonstration at INL's Critical Infrastructure Test Range Complex, the device issued alerts to operators about abnormal commands and automatically blocked them, preventing the attacks from accessing and damaging the power grid's critical components. Using advanced communication capabilities, the device autonomously reviews and filters commands sent to protective relay devices, which are crucial to the nation's power grid. These relays are designed to rapidly command breakers to turn off the flow of electricity if a disturbance is detected. They help prevent damage to expensive equipment in the event that a power line fails because of a storm. However, relays are not designed to counter the speed and stealth of a cyberattack, which can send commands to grid equipment within milliseconds. Therefore, an intelligent, automatic filtering technology must be put in place to protect the grid against such attacks. According to Jake Gentle, the INL program manager, the C3D sits deep inside a utility's network to monitor and block cyberattacks before they hit relay operations. In order to demonstrate the C3D's ability to block a cyberattack on the power grid, the researchers built a 36-foot-long mobile substation and connected it to INL's full-scale power grid testbed, establishing an at-scale power grid environment. When the entire system was online, they sent a sudden power spike command to the substation relays and observed the effects from a command center nearby. The C3D device immediately blocked the command and prevented the attack from damaging the larger grid. Such efforts must continue to be made to strengthen power grid cybersecurity.
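The filtering role the C3D plays, sitting in front of protective relays and blocking commands that fall outside what the relay should ever be asked to do, can be sketched as an inline command filter. The following is an added example written for this article; it is not the C3D's design or INL's code. It assumes commands arrive as simple records with a source address, an operation, a target relay and an optional setpoint, and the allowed operations, setpoint envelope, authorized source, and rate limits are constructed placeholders standing in for a utility's engineered settings.

```python
"""Inline command filter in front of protective relays (C3D-like role).

Added example, not INL's or Visgence's code. Assumptions (ours):
  - commands are dicts: {"src", "relay", "op", optional "value"},
  - the utility has engineered an allow-list of operations, a setpoint
    envelope, an authorized SCADA master, and a per-relay command rate,
  - anything outside those bounds is blocked and raised as an alert.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple

ALLOWED_OPS = {"READ_STATUS", "TRIP", "CLOSE", "SET_PICKUP"}
SETPOINT_ENVELOPE = {"SET_PICKUP": (0.5, 5.0)}   # constructed per-unit pickup limits
AUTHORIZED_SOURCES = {"10.0.5.10"}              # constructed SCADA master address
MAX_CONTROL_CMDS = 3                             # constructed: per relay, per window
WINDOW_SECONDS = 10.0

Decision = Tuple[str, List[str]]   # ("FORWARD" | "BLOCK", reasons)


class RelayCommandFilter:
    def __init__(self) -> None:
        self.history: Dict[str, Deque[float]] = {}   # relay -> control-command times
        self.alerts: List[str] = []

    def _recent(self, relay: str, now: float) -> Deque[float]:
        hist = self.history.setdefault(relay, deque())
        while hist and now - hist[0] > WINDOW_SECONDS:
            hist.popleft()
        return hist

    def evaluate(self, cmd: dict, now: float) -> Decision:
        """Check one command against every rule; block on any violation."""
        reasons = []
        if cmd["src"] not in AUTHORIZED_SOURCES:
            reasons.append("unauthorized source")
        if cmd["op"] not in ALLOWED_OPS:
            reasons.append("operation not on allow-list")
        limits = SETPOINT_ENVELOPE.get(cmd["op"])
        if limits and not (limits[0] <= cmd.get("value", limits[0]) <= limits[1]):
            reasons.append("setpoint outside engineered envelope")
        is_control = cmd["op"] != "READ_STATUS"
        recent = self._recent(cmd["relay"], now)
        if is_control and len(recent) >= MAX_CONTROL_CMDS:
            reasons.append("control-command rate exceeded")
        if reasons:
            self.alerts.append(f"t={now:.1f} {cmd['relay']} {cmd['op']}: " + "; ".join(reasons))
            return ("BLOCK", reasons)
        if is_control:
            recent.append(now)   # only forwarded commands count toward the rate
        return ("FORWARD", [])


# Constructed command sequence: routine traffic with a few abnormal commands mixed in.
SAMPLE_COMMANDS = [
    (0.0, {"src": "10.0.5.10", "relay": "R1", "op": "READ_STATUS"}),
    (1.0, {"src": "10.0.5.10", "relay": "R1", "op": "SET_PICKUP", "value": 2.0}),
    (2.0, {"src": "10.0.5.10", "relay": "R1", "op": "SET_PICKUP", "value": 50.0}),
    (3.0, {"src": "10.0.5.99", "relay": "R1", "op": "TRIP"}),
    (4.0, {"src": "10.0.5.10", "relay": "R1", "op": "TRIP"}),
    (4.1, {"src": "10.0.5.10", "relay": "R1", "op": "CLOSE"}),
    (4.2, {"src": "10.0.5.10", "relay": "R1", "op": "TRIP"}),
    (20.0, {"src": "10.0.5.10", "relay": "R1", "op": "TRIP"}),
]


def replay(commands=SAMPLE_COMMANDS) -> Tuple[List[str], List[str]]:
    """Run the sequence through a fresh filter; return decisions and alerts."""
    flt = RelayCommandFilter()
    decisions = [flt.evaluate(cmd, t)[0] for t, cmd in commands]
    return decisions, flt.alerts


if __name__ == "__main__":
    decisions, alerts = replay()
    for (t, cmd), d in zip(SAMPLE_COMMANDS, decisions):
        print(f"t={t:5.1f} {cmd['op']:<11} -> {d}")
    print("\n".join(alerts))
```

The rate rule is the one that matches the article's "sudden" command burst: a legitimate operator rarely toggles a breaker several times within seconds, so a burst of otherwise well-formed trip and close commands is blocked and surfaced to the operator even though each command alone would pass the other checks.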
The Science of Security (SoS) community needs to continue exploring and developing solutions towards strengthening the power grid against cyber threats while mitigating vulnerabilities.