Keeping Hackers Off the Electrical Grid

Biggest issue.

Keeping Hackers Off the Electrical Grid

By R. Colin Johnson

Commissioned by CACM Staff, June 20, 2023

ORNL researchers showed how to encode grid operating data into a unique color pattern hidden inside a single video frame, which can be transmitted to a grid control center computer using a Fibonacci sequence to encode/decode each sensor reading.

Credit: Oak Ridge National Laboratory

As attacks on grid substations increase—by 70% in 2022 alone, according to the Department of Energy's Oak Ridge National Laboratory (ORNL)—engineers there are anticipating new attack vectors and taking measures to protect from hackers using them.

"As researchers, we try to stay ahead of cyber threats, not just react to them after they occur," said ORNL's Peter Fuhr, who heads its Grid Communications and Security group. Fuhr's group recently demonstrated a new method of using a rotating color wheel to encode grid sensor data subliminally into a video feed, and using a novel Fibonacci sequence decoding key that rotates the color-wheel so each sensor reading uses a unique color code.

"ORNL has invented a compelling method to protect our critical grid infrastructure that builds upon known encryption technology," said Sterling Rooke, chief executive officer (CEO) of Brixon Inc. (Baltimore) , a company that manufactures electrical power monitoring instruments. "With the right application, there will be a need for this novel implementation—a kind of steganography that conceals critical information within the existing live video feeds from the grid substations themselves."

The technique, Fuhr says, translates the encrypted character codes utilities use today to a color-code hidden in video feeds from cameras that already monitor substation activity. EPB (formerly the Electric Power Board, Chattanooga, TN) successfully tested the technique for six months using a virtual local area network (VLAN) link between the central-EPB grid control center and its substations. "We proved the concept in the lab at ORNL, then extended the testing to a nearby substation, and eventually installed the color encoding/decoding equipment at both the EPB substation and its central-control computer," said Fuhr. "It's the real deal—tested and proven."

According to Fuhr, EPB and most industrial process control architectures in the U.S. follow the National Institute of Standards and Technology (NIST) SP800-82 guidelines for all industrial process control (IPC) systems—including factories, manufacturing, and automated testing, as well as the grid. His color encoding/decoding technique will work not only for grid communications from a grid central control computer to its substations, but for any operational technology (OT). In fact, several private companies have already shown interest in licensing his color-coding architecture, according to Fuhr.

Historically, Internet connections have offered an entry point for sophisticated hackers to insert malware into substations, which are almost universally run by SCADA (supervisory control and data acquisition) networks, which date back to the 1950s, when cybersecurity wasn't even a word. Even today, SCADA networks typically do not require any authentication to remotely execute commands on a control device. To solve most vulnerabilities, the NIST guidelines forbid the central control computer—which is typically connected to corporate IT—to extend Internet availability to the SCADA control system. NIST-compliant SCADA architectures are isolated from the Internet by firewalls that instead run a multi-channel virtual local area network (VLAN) to substations connected to its central control computers. Likewise, communicating data from sensors and to actuators run on different channels of the VLAN. Most operations are programmable, but run autonomously at unmanned substations; human operators can also use a graphical user interface (GUI) for high-level configuration and supervision of remote machines and processes.

Over the years as cybersecurity has become an increasingly important issue, many hacker-resilient modifications have been added to SCADA architectures. These security measures, however, have not been universally applied. The result has been numerous attacks dating back to 2000, when a disgruntled former employee took control of the Maroochy Shire sewage OT system in Queensland, Australia, using a single computer and a radio transmitter. Since the commercialization of the Internet, many hackers have attacked process control systems, including utilities, forcing new (and retrofit) SCADA industrial protocols to segment their networks with gateways, routers, one-way-only data-diodes, and white-listing that only passes traffic of a single type down each VLAN channel. In addition, VLAN channels are only bi-directional when they need to be, are segmented so they can only communicate with devices with which they were meant to communicate, and are not allowed to connect to the central corporate network without at least a firewall (for maximum security, with two firewalls on each side of a DMZ (demilitarized zone) server that securely forwards communications).  ... '