Officials of the U.S. Department of Homeland Security announced in March 2018 that Russian hackers had gained access to some portion of the U.S. power grid. While the report about the hacking campaign included detailed recommendations to electrical grid operators to mitigate and defend against such attacks, much of the information released to the general public failed to include details such as how deeply the hack penetrated into the grid's operational control systems, which have historically operated on separate networks from its administrative networks.
Those historical separations are no longer so ubiquitous, according to William H. Sanders, professor of electrical and computer engineering at the University of Illinois at Urbana-Champaign and a longtime researcher at the forefront of national efforts to make the U.S. power grid more secure and resilient. In recent testimony, he told members of the U.S. Senate Committee on Energy and Natural Resources that successful attacks thus far have been mainly limited to utility business systems, in part because operational systems have fewer attack surfaces, fewer users with more limited privileges, greater use of encryption, and more use of analog technology.
"However, there is a substantial and growing risk of a successful breach of operational technology systems, and the potential impacts of such a breach could be significant," Sanders testified. "These risks are growing in part because, as the grid is modernized, there is greater reliance on grid components with significant cyber controls. In addition, further integration of operational technology systems with utility business systems, despite its potential for increased efficiency, also poses serious risks."
The key to defending the grid against such cyberattacks will not come from the magical thinking that a completely impregnable security protocol will be in the offing. Rather, Sanders told the Senate panel, the concept of cyber resilience, of creating systems that can attempt to heal themselves from attacks while continuing to provide critical services, needs to be considered.
One promising component of a resilient grid is the microgrid. As its name suggests, a microgrid is a small, self-contained grid capable of integration with a larger regional grid, or of islanding itself when it detects trouble in the larger grid system.
The microgrid operated by Princeton University demonstrated the payoff of islanding itself when the regional grid became crippled by the storm that began as Hurricane Sandy (before it became a "superstorm" that caused more than $71 billion in damages). For a two-day period, while the grid in New Jersey and metropolitan New York suffered partial or complete outages, the university remained powered and served as a place of refuge for emergency responders and local residents in need of device-charging stations and a place to get warm and dry.
However, another rationale for the Princeton microgrid, that of being able to lower the university's electrical costs through real-time analysis of the comparative cost to produce power internally vs. buying from the regional grid—and even selling excess capacity to the regional grid—has been the dominant rationale for many other such grids.
As more microgrids come online and are tied to regional grids, researchers such as the University of Pittsburgh's Gregory Reed believe cybersecurity in the microgrid can be—in fact, will need to be—investigated and implemented, to some extent, to the grid at large.
Reed, director of the university's Center for Energy and the Energy GRID Institute, has done extensive research on tying microgrids into larger grids. He said the societal push toward including more distributed small-scale renewable generation capabilities into the larger grid should also stimulate greater consideration of how to secure the communications equipment in those components. It is at the grid tie-in to things such as an individual homeowner's solar panels and inverters, which are usually connected to the Internet—which Reed calls "prosumer" networks that combine production and consumption—where the greatest vulnerability to malware coming into the grid exists.
Reed's uneasiness about the security of prosumer equipment has been explored at length by Dutch researcher Willem Westerhof, who discovered numerous vulnerabilities in photovoltaic inverters, and theorized a coordinated attack on enough of these installations could bring a grid down.
There is no shortage of research and development of secure microgrid control systems emerging from both academia and private sector engineers. Reed, for example, said he is still exploring concepts he and colleagues published in IEEE Transactions on Smart Grid in 2015, which center on inserting network intelligence into DC-to-AC converters. Reed said adding the ability for utilities to have information about various microgrids within their service areas was another layer to the problem.
"The more of these microgrids we have, the larger the resources coming in from the end use side, the utilities have to have some visualization into those," he said. "You can't just keep putting them up and utilities not knowing there are resources out there.
"Do we need to look at all of these as aggregate generators as well as being load, and do the regional ISOs (Independent System Operators) all have to now gain access to those distribution facilities? If they do, it is unlikely that we will take the historic path of the hard-wired off-the-Internet system. You'll build a lot of security layers in there, but that's where you start to develop a communications and control infrastructure that creates the risk we are worried about."
Adding more confusion regarding what information regional grids will need to know about microgrid status is the lack of any central regulatory jurisdiction. Sanders, Reed, and Darrell Massie, founder and CTO of West Friendship, MD-based Intelligent Power & Energy Research Corporation (IPERC), which manufactures military-grade microgrid controllers, all said the hodgepodge of state-level laws and regulations regarding the U.S. power industry makes creating a unified cybersecurity architecture for microgrids difficult. For instance, Sanders said, many of the things one associates with the smart grid—smart meters, microgrids, and technology to support plug-in electric vehicles, to name a few—fall completely outside the scope of North American Electric Reliability Corporation Critical Infrastructure Protection Committee (NERC CIP) security mandates.
"This is well-known," Sanders said. "There are public utility commissions in all of the states that, to varying degrees, are concerned about and aware of cybersecurity. There are some public utility commissioners who are very security savvy and aware, but there are many who are not. And a very serious consequence of this is that even if the 50 different public utility commissions were aware, we are still at a stage where they are writing their own regulations for procurement, and there are no regulations that I know of for auditing like NERC CIP on the transmission side. Procurement cybersecurity regulations are state and local regulations, and the engineering firms and vendors that provide that equipment have told me that because those regulations differ, it is very difficult to meet those regulations in a cost-effective way."
Massie, whose firm has been granted Authority to Operate (ATO) certification on several U.S. military bases after rigorous testing of its controllers on base microgrids, said he thinks there will be some cross-pollination between the stringent ATO standards for critical infrastructure and other industry best practices.
For example, the U.S. Defense Department-sponsored Smart Power Infrastructure Demonstration for Energy Reliability and Security (SPIDERS) project was characterized as a groundbreaking program to bolster the cybersecurity and energy efficiency of U.S. military installations and transfer the knowledge gained to non-military critical infrastructure. The project showcased a microgrid security architecture that included IPERC technology. Key elements of the SPIDERS microgrid cybersecurity architecture featured the creation of autonomous "enclaves" of components that have a logical need to work together or in a proximate location, limiting communication between enclaves (and between enclaves and the outside world) to only pre-approved "whitelisted" applications. In its final report on the project in December 2015, the SPIDERS team noted "limiting communication outside of an enclave reduces the need for communication bandwidth," and that limiting communication bandwidth within the network is an effective strategy for reducing vulnerability to denial-of-service cyberattack.
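The enclave model described above can be expressed as a default-deny check over observed flows. The following is an added illustration, not code from the SPIDERS project or IPERC; the enclave names, hosts, application labels and the choice to permit all intra-enclave traffic are assumptions made for the example.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str  # source host
    dst: str  # destination host
    app: str  # application label assigned by the monitoring point

# Constructed host-to-enclave map; any unlisted host is the outside world.
ENCLAVE_OF = {
    "gen-ctrl-1": "generation", "gen-ctrl-2": "generation",
    "load-ctrl-1": "critical-load", "hmi-1": "operations",
}
EXTERNAL = "external"

# Pre-approved applications per (source enclave, destination enclave).
# Pairs that are absent are denied outright (default deny).
ALLOWLIST = {
    ("operations", "generation"): {"dnp3"},
    ("operations", "critical-load"): {"dnp3"},
    ("operations", EXTERNAL): {"ntp"},
}

def evaluate(flow):
    """Return (allowed, reason) for one observed flow."""
    src = ENCLAVE_OF.get(flow.src, EXTERNAL)
    dst = ENCLAVE_OF.get(flow.dst, EXTERNAL)
    if src == dst and src != EXTERNAL:
        return True, "intra-enclave"  # assumption: no limits inside an enclave
    if flow.app in ALLOWLIST.get((src, dst), set()):
        return True, "allowlisted"
    return False, f"{flow.app} not approved for {src} -> {dst}"

def violations(flows):
    """Collect every denied flow with the reason it was denied."""
    results = [(f, evaluate(f)) for f in flows]
    return [(f, reason) for f, (ok, reason) in results if not ok]

# Constructed flow records.
SAMPLE_FLOWS = [
    Flow("hmi-1", "gen-ctrl-1", "dnp3"),
    Flow("gen-ctrl-1", "gen-ctrl-2", "modbus"),
    Flow("gen-ctrl-1", "load-ctrl-1", "dnp3"),
    Flow("hmi-1", "gen-ctrl-1", "ssh"),
    Flow("gen-ctrl-2", "203.0.113.10", "https"),
    Flow("198.51.100.7", "hmi-1", "dnp3"),
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} [{flow.app}]: {reason}")
```

Because the rule set is keyed on enclave pairs, a protocol approved on one path (here `dnp3` from operations) is still denied on a path with no entry, such as generation to critical-load.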
The status quo of cybersecurity in the grid, as elsewhere on the Internet, is always an evolving cat-and-mouse game, and blockchain, the immutable distributed ledger system best known for documenting cryptocurrency exchanges, is also getting tested out in microgrids. While pioneering installations, such as a Brooklyn, NY, microgrid, use blockchain to enable peer-to-peer trading transactions between microgrid participants, blockchain's use in grid security is also being investigated.
Researchers at the Cyber Resilient Energy Delivery Consortium (CREDC) just announced a project that seeks to develop a blockchain-based tool that will provide provenance for the power grid supply chain, ensuring that the chain of custody for firmware and software from third-party suppliers has not been interrupted or compromised by a malicious actor.
"Blockchain is one building block of many that may be very useful in building a new energy infrastructure that is distributed rather than one that has centralized control," Sanders, CREDC's co-principal investigator, said. "It's not a panacea, but it's an important implementation of ideas from distributed systems from the computer science and engineering community, some 20 and 30 years old, that may have some real potential in this field."
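The chain-of-custody idea behind a provenance ledger can be shown with a single hash chain. This is an added sketch, not the CREDC tool; it runs in one process and leaves out the signatures and distributed consensus a blockchain would supply, and the holder names and firmware bytes are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev-hash placeholder for the first entry

def entry_hash(prev_hash, record):
    """Bind a custody record to everything recorded before it."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(ledger, holder, image):
    """Record that `holder` took custody of `image` (bytes)."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    record = {"holder": holder, "fw_sha256": hashlib.sha256(image).hexdigest()}
    ledger.append({"record": record, "prev": prev,
                   "hash": entry_hash(prev, record)})

def verify(ledger, received_image):
    """Return (ok, reason) for the ledger and the image that arrived."""
    if not ledger:
        return False, "no custody records"
    prev = GENESIS
    for i, entry in enumerate(ledger):
        expected = entry_hash(prev, entry["record"])
        if entry["prev"] != prev or entry["hash"] != expected:
            return False, f"entry {i} altered or chain broken"
        prev = entry["hash"]
    origin = ledger[0]["record"]["fw_sha256"]  # digest the vendor released
    for i, entry in enumerate(ledger):
        if entry["record"]["fw_sha256"] != origin:
            holder = entry["record"]["holder"]
            return False, f"image changed before entry {i} ({holder})"
    if hashlib.sha256(received_image).hexdigest() != origin:
        return False, "received image differs from vendor release"
    return True, "custody intact"

def demo():
    """Constructed cases: clean custody, a swapped image, an edited record."""
    good, altered = b"firmware v1 (constructed)", b"firmware v1 modified (constructed)"
    clean = []
    for holder in ("vendor", "integrator", "utility"):
        append(clean, holder, good)
    swapped = []
    append(swapped, "vendor", good)
    append(swapped, "integrator", altered)
    edited = json.loads(json.dumps(clean))  # deep copy of the clean ledger
    edited[1]["record"]["holder"] = "unknown-party"
    return verify(clean, good), verify(swapped, altered), verify(edited, good)
```

A hash chain only makes edits evident to someone who holds a trusted copy of the latest hash; replicating the ledger across independent parties is what removes the need to trust a single record keeper.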
Sanders said principles of foundational computer science research beyond blockchain might also find great traction in making the grid resilient.
"We need to build a system that is architecturally resilient, in the sense it can tolerate partially successful attacks occurring," he said. "It can treat attacks just as we've treated accidental failures in the grid for so many years in order to maintain availability and keep the lights on. This is a well-known approach in the field of fault tolerant and dependable computing, which historically has dealt with accidental failures, so that community has much to say in how to do this. But it's a much more difficult problem in that the attacker is now human, is malicious, and will target the attack in the places where he or she sees a vulnerability."
Gregory Goth is an Oakville, CT-based writer who specializes in science and technology.