By James Graham, Matt Turner and Adel Elmaghraby
Cybersecurity, which continues to be elusive for large cyber-physical systems, will become even more critical with the decentralization of the power grid due to proliferation of distributed renewable energy sources. This article provides an overview of the problem and some potential solutions, drawing on materials from a recent Kentucky Public Service Commission study and the National Institute of Standards and Technology Cybersecurity Framework.
The authors have previously discussed, in earlier IEEE Smart Grid newsletter articles, the results of a two-year study of smart-grid strategy for Kentucky funded by the Kentucky Public Service Commission. Security of the grid against electronic intrusions was identified as one of many issues that will become more pressing with the decentralization caused by increased adoption of renewable energy sources and micro-grids. This article presents an overview of the extent of this problem and some approaches towards mitigation of this threat.
The December 2015 Ukraine power blackout serves as an illustrative example of cyber threats against the power grid. In this incident, hackers took control of the human-machine interfaces at three Ukrainian power plants and caused a blackout lasting 10 hours and affecting over 100,000 people. The postmortem conducted by a joint task force of the U.S. FBI, Department of Homeland Security ICS-CERT team, and Ukrainian authorities determined that the coordinated attacks initially targeted vulnerable software in the IT operations, then navigated through internal networks within minutes to attack the control systems. Power was restored relatively quickly by disconnecting the computer systems and manually restarting the systems, something that would be very difficult in many large U.S. power companies due to the higher level of system automation in most U.S. power utilities.
Cybersecurity Vulnerabilities in the Decentralized Grid
The Kentucky Smart Grid Project collected information on smart grid issues, including cybersecurity, from stakeholders through a series of statewide workshops and also from an extensive survey, as reported earlier. Cybersecurity of the grid was identified as a top concern for both transmission and distribution, with a perceived “large gap between current activities and the needs of the future” noted in the final report on the Smart Grid to the Kentucky PSC.
At the time of the survey, all 10 participating utilities indicated that they had active programs in cybersecurity at their installations. The consensus of the respondents was that most Kentucky utilities are currently at the “Initiating” maturity level (DL1), where traditional enterprise IT cybersecurity controls have been implemented, stakeholders are aware of NIST and IEC interoperability cybersecurity standards, and safety/security requirements are considered in all grid operations initiatives. Respondents further indicated that their companies planned to move forward with cybersecurity initiatives to achieve the “Enabling” maturity level (DL2), where risk management assessments are carried out “to identify critical sites and systems,” the utility works actively to develop internal metrics for cybersecurity, and safety and security considerations are built into all smart grid initiatives, as described in the previously referenced report. The inclusion of cybersecurity standards in advanced metering technology was specifically addressed by a recommendation that Kentucky follow the guidelines of NIST and NERC CIP-002 through CIP-009 for AMI.
New Approaches to Mitigate Cybersecurity Vulnerabilities
Several new standards and technologies can help to reduce power grid cybersecurity vulnerabilities and increase system resilience. The NIST Cybersecurity Framework specifies, in detail, five components: Identify, Protect, Detect, Respond, and Recover.
Identify speaks to the same risk management activities for critical assets noted above for the Kentucky efforts. Current planning at many Kentucky utilities includes development of contingency plans for responding to cyber incidents (Respond) and restoring normal operations (Recover). This leaves Detect and Protect as two key areas where new technologies can, and should, be deployed. Many companies, including Digital Bond, Tripwire, Dragos and Indegy, offer software that seeks to detect malware or anomalous cyber behavior. Owl Computing Technologies and Waterfall Security offer one-way data diodes that enforce communications protocols to reduce cyber intrusion. Finally, Belden, Icon Labs, Secure Crossing Research and Development, and True Secure SCADA offer industrial firewall solutions that protect field equipment such as programmable logic controllers (PLCs) and remote terminal units (RTUs) from intrusions. A careful combination of these technologies can provide the defense in depth needed by the next-generation electrical grid.
Despite a lot of time, money and effort expended by governments and by industry over the past fifteen years to address cybersecurity issues in critical infrastructure, the U.S. and worldwide power industry remains in a precarious position, as illustrated by the recent cyber-induced blackout in Ukraine. The problem will get worse with the decentralization of the power grid unless aggressive action is taken over the next few years. However, new standards and technologies are emerging that can help address this problem.
James H. Graham, an IEEE Senior Life Member, is the CEO of True Secure SCADA, a startup company in Louisville, KY specializing in control systems cybersecurity. He previously served 29 years as a faculty member of the JB Speed School of Engineering at the University of Louisville, including seven years as Chairman of the Department of Electrical and Computer Engineering. Educated at Rose-Hulman Institute of Technology and Purdue University, he worked as a product design engineer for General Motors Corporation and taught at Purdue University and Rensselaer Polytechnic Institute, before joining the University of Louisville faculty in 1985.
Matthew Turner, an IEEE member, is an assistant professor of electrical and computer engineering technology at Purdue University. Previously with the University of Louisville’s Conn Center for Renewable Energy Research, his research interests include power distribution system modelling, best practices for power systems education, and electric energy and public policy. Additionally, his work in wireless sensing and control networks for biomedical and smart grid applications has been recognized by the IEEE Circuits and Systems Society.
Adel S. Elmaghraby, an IEEE Senior Member, is a professor and Chairman of the Computer Engineering and Computer Science Department at the University of Louisville. He has also held appointments at Carnegie Mellon’s Software Engineering Institute and the University of Wisconsin-Madison, and has advised over 60 master's graduates and 24 doctoral graduates. His research and publications span intelligent systems, neural networks, cyber-security, visualization and simulation. The IEEE Computer Society has recognized his work with multiple awards including a Golden Core membership.