Security and Privacy

Maximizing Power Grid Security

Developing hybrid attack graphs to identify, and mitigate, potential attacks on the U.S. electrical grid.


The cybersecurity of the U.S. power grid is a vital national concern, aimed at preventing individuals, criminal organizations, and state-sponsored actors from causing blackouts, electrical infrastructure damage, ransomware payouts, wartime attacks, and advanced persistent threats (APTs, code that infiltrates otherwise-secure computers undetected to send data to adversaries over long periods of time).

Mitre Corp., a not-for-profit organization that manages the National Cybersecurity Federally Funded Research and Development Center (NCF), has documented more than 3,000 cyberattack vectors, over 50 of which it has designated as relevant to energy grids (used singly or together in multi-stage attacks).

The Pacific Northwest National Laboratory (PNNL) analyzed those energy-grid-relevant attack vectors and has released a mathematical framework to mitigate them. Called a hybrid attack graph, it uses artificial intelligence (AI) to identify the most probable attack vectors end to end (from cyber-physical entry point to final nefarious goal), then prioritizes the optimal way of preventing them, within a particular energy-grid’s available budget. The work was conducted under the auspices of the PNNL’s Resilience through Data-Driven Intelligently Designed Control (RD2C) Initiative.

Explained Bobbie Stempfley, vice president and Business Unit Security Officer at Dell Technologies Inc. (familiar with the project as chairman of the RD2C advisory board but not involved in the actual work reported on here), “PNNL’s RD2C research tackles one of the most challenging issues in the security and resilience of critical infrastructures as cyber-physical systems grow in complexity and connectivity. Being able to understand and model the threats and adverse conditions that impact the resiliency of these systems is a vital requirement to knowing where and how to increase their resiliency. This particular research has served to narrow the problem space through the novel application of Hybrid Attack Graphs. The leveraging of AI to design the scope of these experiments to understand the systems under attack will help PNNL design novel sensing and control approaches.”

PNNL’s hybrid attack graph cybersecurity framework was developed by PNNL data scientists Sumit Purohit and Rounak Meyur and presented at the recent Association for the Advancement of Artificial Intelligence annual conference in Vancouver, Canada.

According to Jerry Cochran, director of PNNL’s Cybersecurity & DigitalOps Division, as well as its RD2C initiative leader (but not directly involved with the work reported on here), “This RD2C project leverages AI to help us analyze and assess that attack surface, and to optimize risk mitigation options, as well as provide experimental and research insights that will lead to new sensing and control approaches that enhance the resilience of the U.S. energy grid.”

Legacy power grids parceled out energy from traditional coal-fired and hydroelectric power generators as it was demanded by homes, industrial plants, and government installations. The central control system sent commands to each substation’s computer controller to alter its operating parameters in response to the power output demands on each substation.

Today, however, the energy grid is increasingly more complex, with multiple independent sources of power being called upon by multiple independent powered devices, each of which has operating parameters of its own, many of which are independently set up by smart devices including automated controllers and end-users’ smartphones. As a result, the source, intent, and execution of cyberattacks are becoming increasingly complicated.

“The attack surface is being greatly expanded at both ends—by green power generation sources including solar cells and wind turbines, and by all the new smart energy consumption controllers such as smart thermostats, smart meters, and other residential automation. In addition, rooftop solar panels are generating electricity both for local use and to contribute to the grid, including in-home electric vehicle recharging stations, and even local energy storage devices,” said Purohit.

In addition to the possibility of attack vectors originating from all these new device types, many of them are beyond the direct control of power-grid operators. What’s worse is many smart devices in home, industrial, and government installations are being controlled by Internet- and cellular-based devices, and thus more widely open to cyberattack.

“Wi-Fi, Bluetooth, and cellular-based devices are all expanding the attack surface that must be monitored to prevent cyber-attacks,” said Meyur.

The sheer complexity of the expanding vulnerability of energy grid attacks prompted PNNL to create and make available its hybrid attack graph approach, which includes tools that allow operators to prioritize their most important vulnerabilities. Tools provided to grid operators today include asset management, cybersecurity infrastructure improvement, incident response planning, and employee training. The overall goal is to protect modern smart energy grids from adversarial cyber intrusions.

PNNL’s cybersecurity framework also contains a novel parameter call the “defender skill,” which allows operators to include the quality of the skill-set provided by each of its members to achieve the highest return on investment. Grid operators use these tools—with the help of a mixed integer linear program (MILP)—to identify an optimal defense configuration, including a set of particular mitigation measures which together minimize the vulnerability to potential attack vectors for a particular energy-grid configuration. (See the paper for the mathematical details of this MILP.)

“While you are in the planning stage, our framework provides multiple factors to improve security—what we think of as the ‘knobs’—to turn to optimally close security gaps,” said Purohit.

To develop its framework, PNNL used historical data sources, including Mitre’s, to test the ability of its ‘knobs’ to improve the cybersecurity of past incidents, with the hope of optimizing the energy grid operators’ performance against future incidents.

Meyur said an important factor to consider “is the purpose of an adversary’s attack, which range from financial motives, to a national attack, to just wanting to cause instability for the thrill of it. In general, despite the underlying motive, attacks generally start from a communications side intrusion before moving to an actual attack on power grid hardware.”

A disadvantage faced by PNNL is that the skill set required by bad actors bent on causing destructive havoc is shrinking daily, as turnkey hacking tools and off-the-shelf malware, available for sale on the dark web, make the odious tasks of attacking the power grid easier to execute, even for novice hackers. As a result, these PNNL researchers aimed their hybrid attack graphs at uncovering both off-the-shelf and custom-programmed attack vectors.

PNNL’s AI-controlled hybrid attack graphs depict power grid vulnerabilities in a form that includes not just the grid’s smart component vulnerabilities (such as the smart inverters and protective relays accessed directly or via a substation’s automation controller). but also the vulnerabilities of the communication paths among a power grid’s many cyber-physical energy systems (CPESs).

As mentioned, one of the most novel aspects of hybrid attack graphs is that they uniquely identify and manage the budgetary constraints to implement each vulnerability’s mitigation tactic—including mathematical tools for calculating how altering budgeting options modifies the associated cybersecurity risk. The difficulty in measuring how cyber-attack mitigation efforts will reduce the intrusion rate of an adversarial tactic was approached by developing optimal policies to harden each component of a smart grid and thereby alleviate, in steps, the overall risk to adversarial threats. The cost of this risk reduction—the cybersecurity budget—was calibrated by measuring labor/staff hours expended, plus the cost of the resources required to implement each different mitigation measure. In the end, the optimal mitigation strategy for a given budget was determined to be the one which reduces the adversary’s intrusion rate for the maximum number of hypothetical attack vectors.

Regardless of motive and intent, future energy grid planning—and the planning of all cyber-physical systems for that matter—are destined to use AI as a foundation for optimization, according to PNNL, so its energy grid toolkit is just the first of many destined to be released by the RD2C Initiative.

R. Colin Johnson is a Kyoto Prize Fellow who ​​has worked as a technology journalist ​for two decades.

Join the Discussion (0)

Become a Member or Sign In to Post a Comment

The Latest from CACM

Shape the Future of Computing

ACM encourages its members to take a direct hand in shaping the future of the association. There are more ways than ever to get involved.

Get Involved

Communications of the ACM (CACM) is now a fully Open Access publication.

By opening CACM to the world, we hope to increase engagement among the broader computer science community and encourage non-members to discover the rich resources ACM has to offer.

Learn More