Active forensics to defend against cyber grid blackouts

Cyber attacks power grid Japan blog

SRI-led team designed a standalone technology called TIGR that uses sensors and machine learning to diagnose and respond to cyber attacks against utilities

The idea that a hacker could gain control of the U.S. power grid or an oil pipeline might sound like the plot of a spy movie. But these kinds of threats are real enough that the Defense Advanced Research Projects Agency (DARPA) awarded SRI International and its partners a $7.3 million contract in 2016 to design technology capable of helping first-responders rapidly recover and restart a power grid after a cyber attack.

Four years later, the result is the Threat Intelligence Grid Recovery (TIGR) package. Housed in a rugged battery-powered portable device, TIGR uses lightweight sensors and machine-learning algorithms to diagnose a cyber attack at the source.

“The TIGR project is really an attempt to figure out how to support what I call ‘active forensics’ in industrial control system (ICS) computers,” explained Michael Locasto, Ph.D., former Principal Computer Scientist at SRI International and Principal Investigator for the DARPA-funded Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program.

The term “active forensics” may conjure up an image of law enforcement officials preserving evidence and collecting snapshots. That’s only part of the picture. In the world of cybersecurity, the response includes a rapid triage of compromised devices or services such as a power outage. It’s more like investigating and stopping a crime in real-time.

High voltage sign
Source: DARPA

Bridging analog and digital systems

Protecting the patchwork of systems that monitor and regulate electrical distribution isn’t as easy as merely designing new antivirus software. There is no centralized computer system keeping the energy flowing through the 55,000 substations and 160,000 miles of power lines that make up the U.S. energy grid.

Instead, digital and analog control systems make up a hybrid network where the standard rules of digital engagement don’t apply. Connecting a digital control network to the legacy software and hardware used to monitor and control power systems is challenging. Much of the infrastructure itself is physically inaccessible — buried underground or located in remote places.

While the power grid’s industrial control systems (ICS) are smart enough to respond to regular blips in the system — calibrating a response to a branch that falls into a power line, for example — they could be tricked by intruders to cause widespread outages or trigger catastrophic failures. And once hackers have buried themselves in a utility’s control system, they are much harder to dislodge, due to existing and unique “special purpose” hardware.

“All of these things make the problem very, very difficult,” Locasto noted.


Critical utilities around the nation are at risk

In December 2015, the world witnessed the first successful cyberattack against a country’s power grid when hackers knocked out power to nearly 250,000 people in Ukraine for six hours. Last year, cybercriminals targeted more than a dozen small utilities, many located near critical infrastructure like dams.

“I’ve come to appreciate over the past four years how important this actually is, because if something like this happens, even on a partial basis, the U.S. military loses the ability to project force around the world,” Locasto said.

The danger that hackers could infiltrate the power grid with malicious software spurred DARPA to launch a program to develop a solution for detecting and assessing a cyber attack away from an office-based computer terminal by working directly in the field, according to Locasto.

TIGR proves itself field-ready

Designing and testing TIGR in a real-world situation meant the technology had to be portable and adaptable to a wide range of equipment. The rugged battery-powered device for example, contains compartments for its internal power supply of military-grade batteries, which have proven to last over two days of continuous operation. Lightweight sensors connect to a power utility’s control systems to monitor different aspects of the system’s behavior and send back packets of data for TIGR’s artificial intelligence to analyze, model and provide remediation support.

“In a nutshell, this box essentially validates the integrity of the most important properties,” Locasto explained. TIGR’s active forensic tools sweep through a control system’s internal program to detect anomalies, check the integrity of its data storage and memory, and verifies that communications being sent and received by the power grid have not been compromised.

While the technology itself is quite complicated, TIGR dramatically simplifies the job of a non-computer scientist responding to a cyber breach. The concept is that a first-responder, such as a National Guardsman, could deploy several TIGR boxes along a power grid’s substations. The devices monitor and analyze information from the grid providing vital clues to help reboot the grid.

Turning TIGR loose in the real world

The 3D design, fabrication and demonostration deployment of TIGR took the SRI-led team just three months to complete. “We did not contemplate building a TIGR box at the start of this proposal, but it’s something we did, and SRI had the flexibility and the know-how to do,” Ulf Lindqvist, Senior Technical Director in the Computer Science Laboratory at SRI International said.

TIGR not only demonstrated SRI’s technical expertise but also showcased its ability to manage large multi-disciplinary teams. SRI’s partners in the RADICS program included Con Edison, Dartmouth College, New York University, the Electric Power Research Institute, and Narf Industries.

While the program may be winding down, the SRI team is now looking at ways to transition the TIGR technology to utilities and other potential users who can benefit from the device’s unique forensic tools. Grid equipment manufacturers are often hesitant to use third-party applications on their sensitive equipment. But Lindqvist believes the combined reputations of SRI and DARPA will open minds to the potential of TIGR as an invaluable diagnostic tool. He is also in discussion with National Guard units that engage in cyber-protection missions in Maryland, Delaware, New Jersey and Pennsylvania.

After four years of learning the ins and outs of ICS and cybersecurity, Lindqvist says that he and his team are eager to apply their newly acquired knowledge for other private sector and government customers.

“There is definitely an audience for this type of capability,” he said. “You could move it into a cloud, for example, because all of our sensors actually work even better in complex computing environments.” Department of Defense classified weapons platforms could also benefit from the capabilities demonstrated by TIGR, Lindqvist added.

“What’s the next thing? How can we have an impact? What other research can we do?” are among the questions that Lindqvist — and every scientist at SRI — asks everyday on the job.

Read more from SRI