A new initiative could prevent hackers from gaining control of parts of the nation’s power grid.
The White House and the Energy Department have called for our nation’s power grid to transition to a “smart grid,” which will be more responsive to changing power needs, more able to integrate renewable energy, more efficient, and more reliable.
The American Recovery and Reinvestment Act of 2009 provided the Energy Department with $4.5 billion to modernize the electric power grid. One key to this transition is adding communication and control devices to distant corners of the power grid, so utilities have greater situational awareness of their grid and can respond quickly to disturbances.
The two-way communications technologies being added to the power grid work like an independent “electricity-only Internet” (sometimes using a cordoned-off part of the actual Internet) with access restricted to utilities — but just like the real Internet, these systems are subject to hack attacks, and they need a strong cyber security system.
That’s why the National Renewable Energy Laboratory (NREL) established a strategic initiative for energy system cyber security and in March 2015 brought in Erfan Ibrahim as director of the Cyber Physical Systems Security and Resilience Center, under NREL’s Energy Systems Integration (ESI) directorate.
“If you look at utilities today, and independent power producers, you will see a tremendous appetite now for cyber security solutions that work,” Ibrahim said. “Unfortunately, utilities currently have to rely on the sales pitches presented to them by the cyber security vendors. And this is where I believe that research labs, especially national research labs, have a unique role to play. The time for hype is over.”
To tackle that challenge, Ibrahim’s team built the Test Bed for Secure Distributed Grid Management, a hardware system that mimics the communications, power systems, and cyber security layers for a utility’s power distribution system, the part of the power grid that carries power from substations to homes and businesses.
The test bed includes hardware and software that utilities would use to control a distribution system, including a distribution management system, an enterprise data management system, and two substation management systems. In turn, the substation management systems can interact with real field equipment, such as electric storage systems and electric vehicle chargers, as well as computer-simulated devices, such as solar photovoltaic systems.
The test bed also incorporates technology for cyber security in an attempt to make the system as secure as possible. As just one example, in typical computer-based communications systems, like the Internet, data is broken up into small “packets” exchanged between the communicating computers. The NREL test bed includes a system that hides a “token” within the first packet of each communication session. If a hacker gets into the system and tries to establish his own communication session, his packet will end up rejected because it lacks the hidden token.
Another approach “cloaks” the network from unauthorized users, so hackers can’t even detect the computer server. You can’t attack what you can’t detect. Yet another approach maintains an “airgap” — an information exchange with no network connectivity. You can’t use an online attack against a device that is not online.
Once Ibrahim and his team had the “perfect system” set up to secure the test bed, they broke out their hacker tools and tried to break into it. Approaching the system from three different angles, they found only one vulnerability, which was due to a misconfigured device. Through just that one error, the hacker was able to get into the system, gain administrator rights, and take control. Those are the types of insights the test bed could provide. One cyber security firm refined its product after seeing how it performed on the test bed.
“In three and a half months, we were able to pull a real-scale test bed together, attack it, and figure out what works and what doesn’t work from a protection perspective,” Ibrahim said. “Now we’re going to share our findings with the industry to accelerate the adoption of empirically proven cyber security controls to protect critical infrastructure.”