An initiative is underway at the Energy Department’s National Renewable Energy Laboratory (NREL) aiming to prevent hackers from gaining control of parts of the nation’s power grid, or Industrial Control System (ICS).
As the grid gets smarter, threats increase, including damage to electrical equipment, local power outages, operational halts to production, and more.
The initiative calls for a transition to a more efficient and more reliable “smart grid.” This transition will bring communication and control devices to distant corners of the power grid so that utilities have greater situational awareness and can respond quickly to issues.
According to a Booz Allen Hamilton report, ICS operators reported more security incidents in 2015 than in any previous year.
“Awareness of the risks associated with these systems is important, not just for the operational technology cybersecurity professionals responsible for securing these networks and devices, but also for information technology professionals, organizational leaders, and regular employees,” Booz Allen noted in a threat briefing. “The impacts of attacks on ICS can be devastating.”
Erfan Ibrahim, the center director at NREL, is managing this challenge along with his team at the Cyber Physical Systems Security and Resilience Center. They built a Test Bed for Secure Distributed Grid Management, which is a hardware system that mimics the power grid. After making the test bed as secure as possible, they tried to hack it.
“In three and a half months, we were able to pull a real-scale test bed together, attack it, and figure out what works and what doesn’t work from a protection perspective,” Ibrahim said. “Now we’re sharing our findings with the industry to accelerate the adoption of empirically proven cybersecurity controls to systemically protect critical infrastructure.”
The team found a single vulnerability, which was due to a misconfigured cybersecurity device. This one vulnerability allowed the hacker inside the system.
“Before you go deploying something out in the field, don’t just take a point test in the lab and extrapolate to production; you need something in between,” Ibrahim said. “And that’s the test bed. With our power-hardware-in-the-loop testing in our test bed, we can scale up and run full-scale experiments–some real, some simulated–before a company goes into production with a new product.”