Before we connect the dots on national smart power grid strategy, we need to be able to ensure its safety from malevolent cyber attacks. A new NSF-funded endeavor aims to begin this process.
Cybersecurity experts from the International Computer Science Institute (ICSI) at the University of California, Berkeley, and the University of Illinois’ National Center for Supercomputing Applications (NCSA) and Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) project received a $1.6 million NSF grant to boost the security of the nation’s critical infrastructure, such as electrical grids and other utilities. Over the next three years, the team will focus on refining the software that protects the power grid infrastructure so that it is capable of detecting the most nuanced of attacks.
There is a saying that the best computer security is air (that is, an air gap), and in the days before ubiquitous Internet connectivity, industrial control systems (ICS) reflected this principle. These were isolated systems, and the lack of Internet connectivity provided immunity from remote attacks. But in the new cloud era, connectivity offers a host of benefits. For example, it can enable real-time analysis that makes processes more efficient and effective. But the benefits come at a cost, namely an increased threat from outside entities.
Current monitoring software is insufficient in the face of today’s sophisticated attacks. Recent research has shown that even the smallest of changes can destabilize a power grid and cause outages, and can do so without being detected by traditional monitoring systems.
“Detecting this type of attack requires semantic understanding of the greater network to understand the true impact of these innocuous looking commands,” says one of the project’s principal investigators Ravi Iyer of TCIPG.
The problem with current methods is that they require a degree of foresight that is not usually possible with network attacks.
Co-PI Adam Slagell, senior research scientist and chief information security officer at NCSA, explains. “Other intrusion detection systems are signature based – you have to know about an attack to detect it,” he says. “But almost every attack in the power grid community is zero day, meaning it hasn’t been seen before.”
The team is working to build a new set of network monitoring tools that can detect sophisticated semantic attacks – attacks that would otherwise fail to arouse suspicions.
The investigators’ first task will be to study “the ICS network activity in order to develop a deep understanding of operational semantics in terms of actors, workloads, dependencies, and state changes over time.”
They will then use this knowledge to build domain-specific behavior models that can read into the meaning behind commands. Finally, they will integrate these models into real-time network monitoring systems and transition the software into industry practice.
In the last stage of the project – the “transition to practice” phase – the new tools will be integrated into Bro, a popular open-source network monitoring platform maintained by ICSI and NCSA that is used by numerous universities, government labs and business organizations.
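The contrast Slagell draws between signature-based detection and a behavior model that understands the effect of a command is easy to see in a small replay. The following Python is an added illustration, not code from the NSF project, ICSI, NCSA, TCIPG or Bro; the grid topology, the `open_breaker`/`close_breaker` command syntax, the signature list and the operational invariant ("every load bus keeps at least one energized feed") are all constructed assumptions. A signature matcher sees nothing wrong with a sequence of routine breaker commands, while the model, which replays each command against the tracked grid state, flags the one command whose cumulative effect would black out a bus.

```python
"""Toy semantic (behavior-model) detector for ICS command traffic.

Added example; the topology, command format, signatures and invariant
below are constructed assumptions, not anything from the real project.
"""
from dataclasses import dataclass, field

# Constructed topology: each load bus is fed by a set of lines, and each
# line is isolated by a breaker of the same name.  A bus with no remaining
# feed is an outage.
TOPOLOGY = {
    "bus_A": {"line_1", "line_2"},
    "bus_B": {"line_2", "line_3"},
}

# Constructed "known bad" command signatures, as a signature-based IDS
# might carry them.  Routine breaker operations are, by design, absent.
KNOWN_BAD_SIGNATURES = {"write_setpoint overload", "firmware_upload"}

# Constructed command log: every entry is a normal operator action on its
# own, but the second open_breaker removes bus_A's last feed.
SAMPLE_COMMANDS = [
    "close_breaker line_1",
    "open_breaker line_1",
    "open_breaker line_2",
    "close_breaker line_1",
]


@dataclass
class GridState:
    """Minimal model of which breakers are currently open."""
    open_breakers: set = field(default_factory=set)

    def fed_lines(self, bus: str) -> set:
        """Lines still energizing `bus` given the open breakers."""
        return TOPOLOGY[bus] - self.open_breakers

    def apply(self, cmd: str) -> bool:
        """Update state for a breaker command; return False if not modelled."""
        verb, _, arg = cmd.partition(" ")
        if verb == "open_breaker":
            self.open_breakers.add(arg)
        elif verb == "close_breaker":
            self.open_breakers.discard(arg)
        else:
            return False
        return True


def signature_detector(commands):
    """Flag only commands that match a known-bad signature."""
    return [c for c in commands if c in KNOWN_BAD_SIGNATURES]


def semantic_detector(commands):
    """Replay commands against the grid model and flag the command whose
    effect first leaves a load bus with no energized feed.

    Returns a list of (index, command, bus) alerts.
    """
    state = GridState()
    alerts = []
    for idx, cmd in enumerate(commands):
        before = {bus: bool(state.fed_lines(bus)) for bus in TOPOLOGY}
        if not state.apply(cmd):
            continue  # command type not covered by this toy model
        for bus in TOPOLOGY:
            # Alert on the transition from "fed" to "unfed", so a persisting
            # outage is reported once, at the command that caused it.
            if before[bus] and not state.fed_lines(bus):
                alerts.append((idx, cmd, bus))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_detector(SAMPLE_COMMANDS))
    print("semantic alerts:", semantic_detector(SAMPLE_COMMANDS))
```

Run stand-alone, the signature matcher reports nothing and the semantic detector reports the third command as the one that de-energizes `bus_A`. The point of the toy is the shape of the check, not the model: the real work described above is learning the actors, workloads, dependencies and state transitions of an actual ICS network so that an invariant like this one is derived from operational semantics rather than hand-written.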