Physical security as important as digital security

Aperio Systems’ new security solution offers a unique approach to the cyber protection of power and other industrial control systems.

The move to digitalization in the power industry is enabling many advances as the operational world integrates with the IT world. It is also providing more opportunities for cyber attacks and thus the need for greater security to protect against these. But while most people are familiar with securing their IT systems, what about the OT systems? [Engerati-In Focus: Cybersecurity for the Hyperconnected Smart Grid]

Remember Stuxnet back in 2010, a worm which lay undetected for approximately 18 months while it destroyed several nuclear centrifuges in Iran? Or the attack on Ukraine’s power grid last year, which led to widespread outages? [Engerati-Electricity Authorities Face Severe Cybersecurity Attacks] And likely there have been many more that haven’t been reported, as no company likes to admit to such events.

The latest annual report from the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center/Industrial Control Systems Cyber Emergency Response Team (NCCIC/ICS-CERT) shows that the energy sector continues to exhibit the largest number of reported cyber vulnerabilities, along with manufacturing and the water and wastewater sector.

“These are a class of attacks that are aimed at creating physical damage to systems,” says Michael Shalyt, VP Product at Aperio Systems, an Israeli startup that was established to address such events. “And they work essentially by forging data that is then used to mimic the normal operation of the piece of equipment under attack.”

Physical approach to cyber security

Shalyt explains that as such attacks are against systems that are highly complex but exhibit a physical behaviour, a “physical approach” has been taken by Aperio in the development of its ‘Data Forgery Protection’ solution.

In essence, the solution comprises machine learning based algorithms. It is based on the premise that no machine exhibits completely stable behaviour, whether it is a centrifuge spinning or a turbine rotating. There will be small variations in the rotation speed of the centrifuge or the temperature of the turbine bearing. The patterns of such variations cannot be predicted by a cyber attacker for use in data mimicry, but they can be ‘learned’ from an analysis of historical behaviour.

“We aim to look for mismatches from ‘normal’ behaviours in data streams, which may indicate the equipment is outside normal control,” Shalyt says. Such mismatches include an injection of new synthetic data, a replay of past data, or an online transformation such as multiplication of the signal by a factor.

Once a variation is detected, an alert and a report on the problem are issued, enabling a real-time response from an operator or emergency response team.
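The three mismatch types named above (replay, multiplication by a factor, synthetic injection) can be illustrated with a simple statistical check. This is an added example, not Aperio's algorithm, which the article does not disclose; it assumes a constant setpoint with additive random noise, and all names, thresholds and sample readings are constructed for illustration.

```python
import random
import statistics

K = 16     # length of the reading run used as a replay fingerprint (assumed)
TOL = 0.2  # tolerated relative drift in the noise level (assumed)

def learn(history):
    """Learn the noise level and index every K-long run of past readings."""
    runs = {tuple(history[i:i + K]) for i in range(len(history) - K + 1)}
    return {"mean": statistics.fmean(history),
            "std": statistics.pstdev(history),
            "runs": runs}

def classify(model, live):
    """Return 'ok', 'replay', 'scaled' or 'synthetic' for a live window."""
    # Real sensor noise never repeats exactly, so a recurring run is a replay.
    for i in range(len(live) - K + 1):
        if tuple(live[i:i + K]) in model["runs"]:
            return "replay"
    std_ratio = statistics.pstdev(live) / model["std"]
    mean_ratio = statistics.fmean(live) / model["mean"]
    if abs(std_ratio - 1) <= TOL:
        return "ok"
    # Multiplying the signal scales level and noise by the same factor.
    if abs(std_ratio / mean_ratio - 1) <= TOL:
        return "scaled"
    return "synthetic"  # noise texture does not match the learned one

def sensor(rng, n, setpoint=3000.0, sigma=0.5):
    """Constructed sample data: a speed reading with small random variation."""
    return [round(rng.gauss(setpoint, sigma), 3) for _ in range(n)]

def demo():
    rng = random.Random(7)
    history = sensor(rng, 5000)          # stands in for historian data
    model = learn(history)
    genuine = sensor(rng, 1000)
    return {
        "genuine": classify(model, genuine),
        "replay": classify(model, history[1200:2200]),
        "scaled": classify(model, [x * 1.5 for x in genuine]),
        "synthetic": classify(model, [3000.0] * 1000),
    }

if __name__ == "__main__":
    print(demo())
```

A scaling factor close to 1 stays inside the tolerance band and is missed by this check, which is one reason a production detector would cross-validate several methods.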

Machine learning based

The solution is integrated with the host company’s historian and PI servers and the machine learning process can take from minutes to hours, depending on the span of the data and its complexity. In most cases, just a few months’ worth of data is sufficient for this purpose.

Shalyt is reluctant to give away too many details of the solution, which is applicable to all industrial control systems, saying that some of the algorithms are yet to be patented. But he comments that they enable several different approaches, allowing cross-validation to improve the solution’s detection accuracy and integrity.

“Current solutions have focused on keeping hackers outside critical systems, but attacks like the one that took down the power grid in Ukraine clearly show that sophisticated attackers will eventually penetrate these systems. We regard the solution as a last line of defence in protecting systems against both insider and external threats.”

With an item of power equipment costing tens or hundreds of thousands of dollars and often likely to take weeks or months to obtain and install, during which time the system is down and not generating revenue, the potential for such solutions is evident.

The Aperio solution has been deployed in several energy companies in Israel and it is currently under test with Enel prior to deployment across its systems.

“We believe physical systems are different and companies are starting to understand that,” says Shalyt in summing up. “Every layer of security protects only so much and we see our methodology as complementary to the digital layer so that ultimately the equipment is fully protected and the lights stay on.”