Securing Cyber-Physical Components of the Smart Grid

March 26, 2024 by Shannon Cuthrell

Amid increasing attacks, how can grid operators shift their security strategies from reactive to proactive?

Cyberattacks are an ever-evolving challenge for the energy sector. The U.S. power grid comprises 6,413 power plants with more than 1 TW of installed generation. With a diverse mix of hardware and software connected to the grid, there’s no shortage of exploitable prey for nation-states, hackers, and other bad actors. 

The nation’s 79,000 transmission substations and other facilities are increasingly vulnerable, as physical security incidents resulting in outages have risen by 71% since 2021. Dozens of physical and cyber attacks and vandalism occurred in 2023. Two cyber incidents in Texas and Florida threatened system adequacy and reliability. In Washington, another halted monitoring processes at a staffed bulk electric system control center for at least 30 minutes. In a vandalism/theft event in Florida, someone attempted to compromise a bulk electric system.

 

A transmission pylon. Image used courtesy of Pixabay/by jplenio

As utilities and grid operators work to combat cyber-physical risks, Washington-based Pacific Northwest National Laboratory (PNNL) is developing an AI-enabled model prioritizing the most impactful threats to grid infrastructure. 

 

How Is the Power Grid Vulnerable? 

Utility-owned programmable devices like transformers and generators can be juicy targets for adversaries motivated to disrupt critical infrastructure. The grid also has a growing share of inverter-based resources like solar panels and batteries, adding to the wide net of potentially-at-risk assets. 

 

Hackers can compromise the power grid through networked consumer devices. Image used courtesy of the Government Accountability Office (Figure 3, Page 23)

Grid-targeted cyberattacks could gain unauthorized access to control systems in critical operational components like transformer tap changers. If attackers penetrate a central device like a substation automation controller, they can access connected devices like protective relays and smart inverters directly or through a communication network. 

Foreign adversaries can use malware and other tools to bypass physical security measures. The Cybersecurity and Infrastructure Security Agency (CISA) recently reported that a Chinese state-sponsored campaign, Volt Typhoon, infiltrated the energy sector’s IT networks through compromised credentials. This could allow the attackers to manipulate heating, ventilation, and air conditioning (HVAC) systems in server rooms and cause additional disruptions to energy and water controls. 

Another issue is yet-to-be-patched software. CISA regularly flags new threats in energy-related products. Recent advisories name prominent suppliers like Hitachi Energy. In late 2023, CISA noted vulnerabilities in Hitachi’s MACH control system for HVDC transmission systems and its Electronic Shift Operations Management System and Energy Asset Suite for the power generation industry. 

 

PNNL Maps Out Cyber Attack Prevention Strategies

PNNL’s project employs hybrid attack graphs (HAGs), which map and track attack routes as they evolve or as defenses effectively stop them. The researchers used historical grid attack data to train the AI model via reinforcement learning. The team noted that while there are thousands of ways to attack grid operations, the reinforcement learning model flagged fewer than 100 of the highest-priority items. 

PNNL’s project is based on work by the nonprofit MITRE Corporation to link adversaries’ high-level objectives with existing attack techniques and relevant prevention methods. The researchers utilized the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, a database with information about cyber threats, to define the efficacy of mitigation efforts and the success rate of different attack sequences. 

 

The researchers’ framework used vulnerability and attack pattern databases to obtain a list of possible techniques targeting a smart inverter. Image used courtesy of PNNL (Figure 1, Page 3)

MITRE ATT&CK was designed to help organizations implement protective measures, but it doesn’t estimate costs. Grid operators often have limited cybersecurity budgets. The PNNL researchers wanted to address both needs by mapping the propagation of potential attack sequences from the access point to the end objective. Next came allocating a budget to prevent those potential sequences. 

PNNL used a mixed-integer linear programming (MILP) formulation to determine an ideal budget, partitioned into organizational teams, to improve the security of a given smart device. They found that the selection of mitigation measures and associated risks changed based on the budget allocation for asset management, cybersecurity infrastructure improvements, incident response planning, and staff training.

 

A sample HAG of potential attack sequences targeting a smart inverter. Image used courtesy of PNNL (Figure 2, Page 3)

Hybrid Cyber Attack Graphs

Drawing on publicly available records, PNNL assembled a HAG showing the sequence of techniques that can be performed on a substation automation controller and a smart inverter. After finding which MITRE ATT&CK techniques can be executed on each component, the researchers used the HAG framework to generate 100 sample HAGs. 

The researchers identified 397 possible attack sequences for substation automation controllers and 364 for smart inverters. They narrowed the list to adversarial techniques with the highest impact in the ATT&CK framework. 

PNNL assumed the HAG techniques had a 100% success rate without mitigation. The goal was to lower the success rate as much as possible while efficiently using budget resources. 

Next, they used the optimization framework to allocate the budget into organizational sectors: assets (hardware/software asset management, network), continuity (measures to continue operations after a data breach), access and trust (staff policies), operations (risk assessment via threat intelligence), defense (firewalls), governance (audit log management), and individual (training and awareness). 
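As an added illustration (not PNNL’s code or data), the following Python sketches the allocation step just described: a constructed hybrid attack graph with three attack sequences, constructed mitigations tagged with the budget sectors above, and a brute-force search standing in for the MILP solver that picks the cheapest mitigation set minimising the success rate of the worst remaining path within a budget. Every technique label, cost and residual factor is an assumption chosen for the example.

```python
from itertools import combinations
from math import prod

# Constructed attack sequences for a substation automation controller; the
# technique labels are illustrative, not identifiers from the PNNL paper.
SEQUENCES = [
    ("phishing", "valid_accounts", "remote_services", "modify_parameter"),
    ("exploit_public_app", "remote_services", "modify_parameter"),
    ("removable_media", "valid_accounts", "modify_parameter"),
]

# Constructed mitigations: name -> (budget sector, cost, residual success factor
# for each covered technique, covered techniques). 0.2 = keeps 20% of success.
MITIGATIONS = {
    "mfa":                  ("access",     30, 0.2, {"valid_accounts"}),
    "awareness_training":   ("individual", 15, 0.6, {"phishing", "removable_media"}),
    "patch_management":     ("assets",     25, 0.3, {"exploit_public_app"}),
    "network_segmentation": ("defense",    40, 0.3, {"remote_services"}),
    "usb_policy":           ("access",     10, 0.4, {"removable_media"}),
    "change_control":       ("governance", 20, 0.5, {"modify_parameter"}),
}

def sequence_success(seq, chosen):
    """Success of one path: each technique starts at 1.0 (the unmitigated
    assumption) and is scaled by every chosen mitigation that covers it."""
    return prod(
        prod(MITIGATIONS[m][2] for m in chosen if tech in MITIGATIONS[m][3])
        for tech in seq
    )

def worst_path_success(chosen):
    """The attacker picks the best remaining path, so residual risk is the max."""
    return max(sequence_success(s, chosen) for s in SEQUENCES)

def allocate(budget):
    """Brute-force stand-in for the MILP: minimise worst-path success within the
    budget, cheaper set on ties. Returns (success, chosen set, spend per sector)."""
    best = (worst_path_success(()), (), 0)
    names = list(MITIGATIONS)
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            cost = sum(MITIGATIONS[m][1] for m in combo)
            if cost <= budget and (worst_path_success(combo), cost) < (best[0], best[2]):
                best = (worst_path_success(combo), combo, cost)
    succ, combo, _ = best
    by_sector = {}
    for m in combo:
        sector, cost, _, _ = MITIGATIONS[m]
        by_sector[sector] = by_sector.get(sector, 0) + cost
    return round(succ, 4), frozenset(combo), by_sector
```

With these constructed numbers, a budget of 60 selects patch management and MFA (the assets and access sectors) and cuts the worst path from 100% to 30%, while a budget of 30 can only afford change control and leaves every path at 50%.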

 

Attack technique success rates after implementing the optimal mitigation measures for securing a smart inverter. Image used courtesy of PNNL (Figure 5, Page 6)

The framework also considered the impact of staff skill levels. Naturally, the higher the defender’s skill level, the lower the component’s vulnerability. If an unskilled defender was assigned to a substation automation controller, the model recommended prioritizing the access sector in the budget. If a more skilled defender was needed, the model chose sectors like assets and defense. 

The smart inverter case revealed similar results, but the budget was divided into assets and access sectors for skilled defenders.

 

Budget allocation for securing a substation automation controller (left) and a smart inverter (right). Image used courtesy of PNNL (Figure 6, Page 7)

PNNL plans to refine the model in collaboration with energy and cybersecurity experts. 

The PNNL team presented their work at last month’s AAAI Conference on Artificial Intelligence in Canada. The project is part of the laboratory’s new Center for AI arm.