Georgia Tech researchers Tohid Shekari, Raheem Beyah, Morris Cohen, and Lukas Graber hold an antenna and home-built recording equipment for the VLF radio receiver, known as AWESOME, which is capable of detecting lightning radio bursts from around the world.
Christopher Moore, Georgia Tech

Signals from distant lightning could help secure electric substations

Side channel signals and bolts of lightning from distant storms could one day help prevent hackers from sabotaging electric power substations and other critical infrastructure, a new study suggests.

By analyzing electromagnetic signals emitted by substation components using an independent monitoring system, security personnel could tell if switches and transformers were being tampered with in remote equipment. Background lightning signals from thousands of miles away would authenticate those signals, preventing malicious actors from injecting fake monitoring information into the system.

The research, done by engineers at the Georgia Institute of Technology, has been tested at substations with two different electric utilities, and by extensive modeling and simulation. Known as the radio frequency-based distributed intrusion detection system (RFDIDS), the technique will be described February 26 at the 2019 Network and Distributed System Security Symposium (NDSS) in San Diego.

“We should be able to remotely detect any attack that is modifying the magnetic field around substation components,” said Raheem Beyah, Motorola Foundation Professor in Georgia Tech’s School of Electrical and Computer Engineering. “We are using a physical phenomenon to determine whether a certain action at a substation has occurred or not.”

Opening substation breakers to cause a blackout is one potential power grid attack, and in December 2015 that technique was used to shut off power to 230,000 people in Ukraine. Attackers opened breakers in 30 substations and hacked into monitoring systems to convince power grid operators that the grid was operating normally. Topping that off, they also attacked call centers to prevent customers from telling operators what was happening.

“The electric power grid is difficult to secure because it is so massive,” Beyah said. “It provides an electrical connection from a generating station to the appliances in your home. Because of this electrical connection, there are many places where a hacker could potentially insert an attack. That’s why we need an independent way to know what’s happening on grid systems.”

That independent approach would use an antenna located in or near a substation to detect the unique radio-frequency “side channel” signatures produced by the equipment. The monitoring would be independent of systems now used to monitor and control the grid.

“Without trusting anything at all on the grid, we can use an RF receiver to determine if an impulse occurred in the shape of an ‘open’ operation,” Beyah said. “The system operates at 60 Hertz, and there are few other systems that operate there, so we can be sure of what we’re monitoring.”

However, hackers might be able to figure out how to insert fake signals to hide their attacks. That’s where the lightning emissions known as “sferics” come in.

“When a lightning flash hits the ground, it forms an electrical path miles tall, potentially carrying hundreds of thousands of amps of current, so that makes for a really powerful antenna radiating energy,” said Morris Cohen, an associate professor in the Georgia Tech School of Electrical and Computer Engineering. Each flash creates signals in the very low frequency (VLF) band, which can reflect from the upper atmosphere to travel long distances.

“Signals from lightning can zigzag back and forth and make it all the way around the world,” Cohen noted. “Lightning from South America, for example, is easily detectable in Atlanta. We’ve even seen lightning echo multiple times around the world.”

Security staff remotely monitoring substations would be able to compare the lightning signatures recorded alongside the 60 Hz substation signals with lightning data from other sources, such as one of the 70,000 or so other substations in the United States or a global lightning database. That would authenticate the information. Since lightning occurs more than three million times every day on average, there is plenty of opportunity to authenticate, he noted.

“Even if you could synthesize the RF receiver’s data feed digitally, generating something realistic would be difficult because the shape of the pulse from lightning detected by our receivers varies as a function of the distance from the lightning, the time of day, latitude and more,” Cohen said. “It would take a lot of real-time computation and knowledge of sophisticated physics to synthesize the lightning signals.”

Working with two different electric utilities, the researchers – including graduate research assistant Tohid Shekari – analyzed the RF signals produced when breakers were turned off for substation maintenance. They also used computer simulations to study a potential attack against the systems.

“The signal from a lightning stroke is very distinct – it is short, around a millisecond, and covers a huge frequency range,” Cohen added. “The only other process on Earth that is known to generate something similar is a nuclear explosion. The emissions from the power grid are very different and none of it looks like a pulse from lightning, so it is easy enough to separate the signals.”
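The monitoring and authentication steps described above, as an added example in pure Python (this is not the RFDIDS code and not the Georgia Tech researchers' own method). The RF feed is modelled as 60 Hz hum plus noise with two kinds of injected impulses, a breaker "open" signature and lightning sferics; the monitor removes the hum, extracts impulses, separates sferics from breaker signatures by pulse width (an assumption made to keep the demo small), and accepts the feed only if the sferics it contains line up with an independent lightning record. The sample rate, pulse shapes, thresholds and the reference lightning times are all constructed here.

```python
"""Toy RFDIDS-style monitor (added example; waveforms and thresholds are constructed)."""
import math
import random

FS = 10_000        # samples per second (assumed)
MAINS_HZ = 60.0    # the power-system frequency the article refers to


def synth_feed(seconds, breaker_opens, sferics, seed=1):
    """Constructed RF feed: mains hum + noise + decaying impulses (times in s)."""
    rng = random.Random(seed)
    n = int(seconds * FS)
    x = [math.sin(2 * math.pi * MAINS_HZ * i / FS) + rng.gauss(0, 0.01)
         for i in range(n)]

    def add_pulse(t0, amp, width_s):
        i0, w = int(t0 * FS), int(width_s * FS)
        for k in range(w):
            if i0 + k < n:
                x[i0 + k] += amp * math.exp(-4.0 * k / w)   # sharp edge, decaying tail

    for t in breaker_opens:
        add_pulse(t, 4.0, 0.008)   # 'open' signature: ~8 ms burst (assumed shape)
    for t in sferics:
        add_pulse(t, 3.0, 0.001)   # sferic: ~1 ms, as the article describes
    return x


def remove_mains(x):
    """Least-squares fit of the 60 Hz hum; return the residual (impulses + noise)."""
    n = len(x)
    s = [math.sin(2 * math.pi * MAINS_HZ * i / FS) for i in range(n)]
    c = [math.cos(2 * math.pi * MAINS_HZ * i / FS) for i in range(n)]
    a = 2 * sum(xi * si for xi, si in zip(x, s)) / n
    b = 2 * sum(xi * ci for xi, ci in zip(x, c)) / n
    return [xi - a * si - b * ci for xi, si, ci in zip(x, s, c)]


def find_impulses(x, thresh=0.3, gap=20):
    """Runs of |residual| > thresh -> list of (start_s, duration_s)."""
    events, start, last = [], None, None
    for i, v in enumerate(remove_mains(x)):
        if abs(v) > thresh:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > gap:
            events.append((start / FS, (last - start + 1) / FS))
            start = None
    if start is not None:
        events.append((start / FS, (last - start + 1) / FS))
    return events


def authenticate(observed, reference, tol_s=0.0005, min_fraction=0.8):
    """Trust the feed only if most reference sferics show up in it on time."""
    if not reference:
        return False
    hits = sum(1 for r in reference if any(abs(r - o) <= tol_s for o in observed))
    return hits / len(reference) >= min_fraction


def check_feed(x, reference_sferics, sferic_max_s=0.002):
    """Classify impulses by width (assumed: sferics <= 2 ms) and authenticate."""
    events = find_impulses(x)
    sferics = [t for t, d in events if d <= sferic_max_s]
    breakers = [t for t, d in events if d > sferic_max_s]
    return {"breaker_opens": breakers, "sferics": sferics,
            "authentic": authenticate(sferics, reference_sferics)}


# Constructed independent lightning record (e.g. from another substation).
REFERENCE = [0.05, 0.11, 0.31, 0.42]
honest = synth_feed(0.5, breaker_opens=[0.20], sferics=REFERENCE)
# A forged feed hides the breaker operation but cannot reproduce the sferics.
forged = synth_feed(0.5, breaker_opens=[], sferics=[0.07, 0.25, 0.38], seed=2)

if __name__ == "__main__":
    print(check_feed(honest, REFERENCE))
    print(check_feed(forged, REFERENCE))
```

The security point is in `authenticate`: the 60 Hz impulse tells the operator that a breaker opened, but the sferic timestamps, which the attacker cannot predict or cheaply synthesize, are what let the operator decide whether the feed itself is genuine.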

The researchers have filed a provisional patent on RFDIDS, and hope to further refine the security strategy, which is independent of equipment manufacturer. Beyah believes there could be applications beyond the power industry for remote monitoring of other RF-emitting devices. The system could tell transit operators if a train were present, for example.

“The power grid is our most critical piece of infrastructure,” Beyah notes. “Nothing else matters if you don’t have electrical power.”

Learn more: Signals from distant lightning could help secure electric substations





Keeping electrical grids safe from GPS spoofing attacks

via UCSB

UCSB professor João Hespanha suggests a way to protect autonomous grids from potentially crippling GPS spoofing attacks

Not long ago, getting a virus was about the worst thing computer users could expect in terms of system vulnerability. But in our current age of hyper-connectedness and the emerging Internet of Things, that’s no longer the case. With connectivity, a new principle has emerged, one of universal concern to those who work in the area of systems control, like João Hespanha, a professor in the departments of Electrical and Computer Engineering, and Mechanical Engineering at UC Santa Barbara. That principle says, essentially, that the more complex and connected a system is, the more susceptible it is to disruptive cyber-attacks.

“It is about something much different than your regular computer virus,” Hespanha said. “It is more about cyber physical systems — systems in which computers are connected to physical elements. That could be robots, drones, smart appliances, or infrastructure systems such as those used to distribute energy and water.”

In a paper titled “Distributed Estimation of Power System Oscillation Modes under Attacks on GPS Clocks,” published this month in the journal IEEE Transactions on Instrumentation and Measurement, Hespanha and co-author Yongqiang Wang (a former UCSB postdoctoral researcher and now a faculty member at Clemson University) suggest a new method for protecting the increasingly complex and connected power grid from attack.

The question that arises in any system that incorporates many sensors for monitoring is, what if someone intercepts the communication between two sensors that are trying to assess the health of the system? How does the system know not to believe — and act on — the false information?

Hespanha explained, “In the power grid, you have to be able to identify what the voltage and the current are at specific, highly precise points in time” for multiple points along the grid. Knowing the speed at which electricity moves, the distance between sensors, and the time it takes an oscillation to move between sensors, one can determine whether the oscillation is real.

Making these precise, high-resolution measurements anywhere in the grid is possible through the use of phasor measurement units (PMUs), devices that time-stamp their measurements against the atomic clocks of the GPS satellites. With the energy grid becoming increasingly distributed, power providers now have to monitor the system more, and PMUs are among the most important devices for doing so. While PMUs could be used to inform autonomous control systems, so far they have seen limited use for one simple reason: they are vulnerable to GPS spoofing attacks.

“There is the possibility,” Hespanha said, “that someone will hack the system and cause a catastrophic failure.”

The attack could be as simple as someone taking a GPS spoofer or jammer to a remote power-distribution station, so that the PMUs there time-stamp against a false clock and the system is tricked into providing false measurements, leading to a cascade effect as false readings ripple through the system and incorrect actions are taken. Since it is virtually impossible to prevent a hacker from getting close enough to a remote substation to interfere with its GPS signal, Hespanha said, “What you need is a control system that can process the information to make good decisions. The system has to keep hypothesizing that what it is reading is not real.”

How It Can Work

“The power-supply system is a distributed system, so measurements are being made in many places,” Hespanha explained. “If one of them starts to give erratic or unexpected measurements — a sudden current surge or a voltage drop — you should be able to determine whether those measurements make sense.”

In the case of an actual fluctuation, such as when many people in Los Angeles are using their air-conditioning on a hot summer day, the result may be a slight drop in the alternating-current frequency in the city. That drop creates a disturbance which propagates along the power grid stretching from western Canada south to Baja California in Mexico and reaching eastward over the Rockies to the Great Plains. As the disturbance travels through the grid, the power stations that feed the grid try to counteract it by generating extra power if the frequency is too low or decreasing production if the frequency becomes too high.

“You’re going to start by seeing oscillation on the grid,” Hespanha explained. “That’s exactly what the PMUs are looking for. You then compare the precise time you saw the disturbance in Los Angeles to the time you saw it in Bakersfield and then at other sensors as it continues north. And if those readings don’t reflect the physics of how electricity moves, that’s an indication something’s wrong. The PMUs are there to see oscillations and to help dampen them to prevent them from developing.”

But, if someone fooled an automated system, instead of damping the oscillations, the PMUs could create them instead.

So how would such an attack be recognized and stopped? To illustrate, Hespanha draws an electrical line running between Los Angeles and Seattle, with many smaller, ancillary lines running off to the sides. “If power is going in a certain direction, you should also be able to see any oscillation in the side lines in that direction. And you know the physical model of what things should do, so an attacker who changed the measurement on the main line would also have to mess up a lot of other measurements on the side lines along the way. And that would be very difficult.”

Testing suggests that Hespanha’s system would be resistant to attack and remain effective even if one-third of the sensor nodes were compromised. “That would allow for a much more autonomous system; that’s the next big step,” said Hespanha. “This is an enabling technology that will be needed to make a lot of this control come online. And it will be needed soon, because the system gets more complex all the time and is therefore more susceptible to attack.”
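The physics-consistency idea above, as an added example (this is not the estimator from the Hespanha and Wang paper, which is not reproduced on this page). Honest PMUs along one corridor see a disturbance at times that grow linearly with distance, t = t0 + d / v; a PMU whose GPS clock has been spoofed reports a time that does not fit that line. The fit uses a repeated-median regression, which keeps working with up to half of the points wrong, so the one-third compromised case mentioned above is covered. The corridor distances, the wave speed and the reported times are constructed for the demo and are not real grid figures.

```python
"""Spoofed-clock detection over PMU disturbance timestamps (added example; data constructed)."""
import random
from statistics import median

# Constructed corridor: (PMU name, distance from the first PMU in km). Not real data.
NODES = [("LA", 0), ("BAK", 180), ("FRE", 350), ("SAC", 600), ("RED", 850),
         ("MED", 1100), ("EUG", 1350), ("POR", 1520), ("SEA", 1800)]
WAVE_KM_S = 500.0   # assumed propagation speed of the disturbance along the corridor
T0 = 1000.0         # assumed time the disturbance reaches the first PMU (s)


def honest_times(seed=0, jitter_s=0.001):
    """Arrival times that obey t = T0 + d / v, plus small timing jitter."""
    rng = random.Random(seed)
    return {name: T0 + d / WAVE_KM_S + rng.gauss(0, jitter_s) for name, d in NODES}


def spoof(times, offsets):
    """Apply GPS clock offsets (seconds) to selected PMUs, as a spoofer would."""
    out = dict(times)
    for name, dt in offsets.items():
        out[name] += dt
    return out


def fit_wave(nodes, times):
    """Repeated-median fit of t = t0 + slope * d; robust to <50% bad points."""
    pts = [(d, times[name]) for name, d in nodes]
    per_point = []
    for i, (di, ti) in enumerate(pts):
        slopes = [(tj - ti) / (dj - di)
                  for j, (dj, tj) in enumerate(pts) if j != i and dj != di]
        per_point.append(median(slopes))
    slope = median(per_point)                 # slope = 1 / v
    t0 = median(t - slope * d for d, t in pts)
    return t0, slope


def estimated_speed(nodes, times):
    """Wave speed (km/s) implied by the robust fit."""
    return 1.0 / fit_wave(nodes, times)[1]


def flag_spoofed(nodes, times, tol_s=0.05):
    """Names of PMUs whose timestamp lies off the fitted propagation line."""
    t0, slope = fit_wave(nodes, times)
    return {name for name, d in nodes if abs(times[name] - (t0 + slope * d)) > tol_s}


# Three of nine PMUs (one third) report spoofed clocks.
REPORTED = spoof(honest_times(), {"BAK": 0.25, "SAC": -0.40, "POR": 0.15})

if __name__ == "__main__":
    print("estimated speed km/s:", round(estimated_speed(NODES, REPORTED), 1))
    print("suspect PMUs:", sorted(flag_spoofed(NODES, REPORTED)))
```

The estimator never trusts any single clock: the propagation line is fitted from the majority of mutually consistent sensors, and a PMU is disbelieved only because its timestamp disagrees with what the physics says its neighbours must have seen.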

Learn more: Toward a Secure Electrical Grid





Device “Fingerprints” Could Help Protect Power Grid, Other Industrial Systems

via Georgia Tech

Human voices are individually recognizable because they’re generated by the unique components of each person’s voice box, pharynx, esophagus and other physical structures.

Researchers are using the same principle to identify devices on electrical grid control networks, using their unique electronic “voices” – fingerprints produced by the devices’ individual physical characteristics – to determine which signals are legitimate and which signals might be from attackers. A similar approach could also be used to protect networked industrial control systems in oil and gas refineries, manufacturing facilities, wastewater treatment plants and other critical industrial systems.

The research, reported February 23 at the Network and Distributed System Security Symposium in San Diego, was supported in part by the National Science Foundation (NSF). While device fingerprinting isn’t a complete solution in itself, the technique could help address the unique security challenges of the electrical grid and other cyber-physical systems. The approach has been successfully tested in two electrical substations.

“We have developed fingerprinting techniques that work together to protect various operations of the power grid to prevent or minimize spoofing of packets that could be injected to produce false data or false control commands into the system,” said Raheem Beyah, an associate professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “This is the first technique that can passively fingerprint different devices that are part of critical infrastructure networks. We believe it can be used to significantly improve the security of the grid and other networks.”

The networked systems controlling the U.S. electrical grid and other industrial systems often lack the ability to run modern encryption and authentication systems, and the legacy systems connected to them were never designed for networked security. Because they are distributed around the country, often in remote areas, the systems are also difficult to update using the “patching” techniques common in computer networks. And on the electric grid, keeping the power on is a priority, so security can’t cause delays or shutdowns.

“The stakes are extremely high, but the systems are very different from home or office computer networks,” said Beyah. “It is critical that we secure these systems against attackers who may introduce false data or issue malicious commands.”

Beyah, his students, and colleagues in Georgia Tech’s George W. Woodruff School of Mechanical Engineering set out to develop security techniques that take advantage of the unique physical properties of the grid and the consistent type of operations that take place there.

For instance, control devices used in the power grid produce signals that are distinctive because of their unique physical configurations and compositions. Security devices listening to signals traversing the grid’s control systems can differentiate between these legitimate devices and signals produced by equipment that’s not part of the system.

Another aspect of the work takes advantage of simple physics. Devices such as circuit breakers and electrical protection systems can be told to open or close remotely, and they then report on the actions they’ve taken. The time required to open a breaker or a valve is determined by the physical properties of the device. If an acknowledgement arrives too soon after the command is issued – less time than it would take for a breaker or valve to open, for instance – the security system could suspect spoofing, Beyah explained.

To develop the device fingerprints, the researchers, including mechanical engineering assistant professor Jonathan Rogers, have built computer models of utility grid devices to understand how they operate. Information to build the models came from “black box” techniques – watching the information that goes into and out of the system – and “white box” techniques that utilize schematics or physical access to the systems.

“Device fingerprinting is a unique signature that indicates the identity of a specific device, or device type, or an action associated with that device type,” Beyah explained. “We can use physics and mathematics to analyze and build a model using first principles based on the devices themselves. Schematics and specifications allow us to determine how the devices are actually operating.”
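The timing check described above, as an added example (not the Georgia Tech team's code, and the protocol they studied is not named on this page, so the log format here is a constructed, protocol-agnostic one). Each device type gets a physical response window that a first-principles or black-box model would supply; an acknowledgement that arrives before the device could physically have operated is flagged as a likely spoof, and an acknowledgement with no matching command is flagged as unsolicited. The profiles and log lines are constructed for the demo.

```python
"""Physics-based timing check on command/acknowledgement pairs (added example)."""
import re

# Physical response windows in ms, assumed for the demo; a real deployment
# would derive them from device schematics or measured operation times.
PROFILES = {"breaker-A": (40, 120), "valve-B": (900, 2500)}

# Constructed log format: "<unix_ts> <CMD|ACK> <device> <device_type> <OPEN|CLOSE> seq=<n>"
LINE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<dir>CMD|ACK) (?P<dev>\S+) (?P<type>\S+) "
                  r"(?P<op>OPEN|CLOSE) seq=(?P<seq>\d+)$")


def check_timing(log_lines, profiles=PROFILES):
    """Return (device, seq, elapsed_ms, verdict) for every acknowledgement seen."""
    pending = {}      # (device, seq) -> (command time, device type)
    findings = []
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, key = float(m["ts"]), (m["dev"], int(m["seq"]))
        if m["dir"] == "CMD":
            pending[key] = (ts, m["type"])
        elif key in pending:
            t_cmd, dtype = pending.pop(key)
            elapsed = (ts - t_cmd) * 1000.0
            lo, hi = profiles.get(dtype, (0.0, float("inf")))
            if elapsed < lo:
                verdict = "SPOOF_SUSPECT_TOO_FAST"   # faster than the physics allows
            elif elapsed > hi:
                verdict = "SLOW_OR_STUCK"
            else:
                verdict = "OK"
            findings.append((m["dev"], key[1], round(elapsed, 1), verdict))
        else:
            findings.append((m["dev"], key[1], None, "UNSOLICITED_ACK"))
    return findings


# Constructed sample traffic (not captured from any real system).
LOG = [
    "1000.000 CMD CB-12 breaker-A OPEN seq=1",
    "1000.065 ACK CB-12 breaker-A OPEN seq=1",    # 65 ms: plausible
    "1001.000 CMD CB-12 breaker-A OPEN seq=2",
    "1001.004 ACK CB-12 breaker-A OPEN seq=2",    # 4 ms: no breaker opens that fast
    "1002.000 CMD V-7 valve-B CLOSE seq=3",
    "1003.200 ACK V-7 valve-B CLOSE seq=3",       # 1200 ms: plausible for a valve
    "1004.500 ACK CB-12 breaker-A CLOSE seq=9",   # nobody sent this command
]

if __name__ == "__main__":
    for finding in check_timing(LOG):
        print(finding)
```

The check is passive and needs no change to the devices: it only watches the command and acknowledgement traffic the grid already carries and compares elapsed time against what the device's mechanics permit.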

The researchers have demonstrated the technique on two electrical substations, and plan to continue refining it until it becomes close to 100 percent accurate. Their current technique addresses the protocol used for more than half of the devices on the electrical grid, and future work will include examining application of the method to other protocols.

Because they also include devices with measurable physical properties, Beyah believes the approach could have broad application to securing industrial control systems used in manufacturing, oil and gas refining, wastewater treatment and other industries. Beyond industrial controls, the principle could also apply to the Internet of Things (IoT), where the devices being controlled have specific signatures related to switching them on and off.

“All of these IoT devices will be doing physical things, such as turning your air-conditioning on or off,” Beyah said. “There will be a physical action occurring, which is similar to what we have studied with valves and actuators.”

Learn more: Device “Fingerprints” Could Help Protect Power Grid, Other Industrial Systems





Utilities Cautioned About Potential for a Cyberattack After Ukraine’s



The Obama administration has warned the nation’s power companies, water suppliers and transportation networks that sophisticated cyberattack techniques used to bring down part of Ukraine’s power grid two months ago could easily be turned on them.

After an extensive inquiry, American investigators concluded that the attack in Ukraine on Dec. 23 may well have been the first power blackout triggered by a cyberattack — a circumstance many have long predicted. Working remotely, the attackers conducted “extensive reconnaissance” of the power system’s networks, stole the credentials of system operators and learned how to switch off the breakers, plunging more than 225,000 Ukrainians into darkness.

In interviews, American officials said they have not completed their inquiry into who was responsible for the attack. But Ukrainian officials have blamed the Russians, saying it was part of the effort to intimidate the country’s political leaders by showing they could switch off the lights at any time.

“They could be right,” said one senior administration official. “But so far we don’t have the complete evidence, and the attackers went to some lengths to hide their tracks.”

Even after it has reached a conclusion, the White House might decide not to name the attackers, just as it decided not to publicly blame China for the theft of 22 million security files from the Office of Personnel Management.

But American intelligence officials have been intensely focused on the likelihood that the attack was engineered by the Russian military, or “patriotic hackers” operating on their behalf, since the first reports of the December blackout. The officials have found it intriguing that the attack did not appear designed to shut down the entire country. “This appears to be message-sending,” said one senior administration official with access to the intelligence, who requested anonymity to discuss the ongoing inquiry.

Equally interesting to investigators was the technique used: The malware designed for the Ukrainian power grid was directed at “industrial control systems,” systems that act as the intermediary between computers and the switches that distribute electricity and guide trains as they speed down the track, the valves that control water supplies, and the machinery that mixes chemicals at factories.

The most famous such attack was the Stuxnet worm, which destroyed the centrifuges that enriched uranium at the Natanz nuclear site in Iran. But that is not an example often cited by American officials — largely because the attack was conducted by the United States and Israel, a fact American officials have never publicly acknowledged.

Experts in cybersecurity regard the Ukraine attack as a teaching moment, a chance to drive home to American firms the vulnerability of their own systems. “There’s never been an intentional cyberattack that has taken the electric grid down before,” said Robert M. Lee of the SANS Institute. Mr. Lee said that while it was still not possible to determine who conducted the attack — what is called “attribution” in the cyber industry — he noted that it was clearly designed to send a political message.

Learn more: Utilities Cautioned About Potential for a Cyberattack After Ukraine’s





Lights out: research shows urgent need to address instability of world’s power supplies

A new study reveals the urgent need to address instabilities in the supply of electrical power to counteract an increase in the frequency and severity of urban blackouts.

Research by Hugh Byrd, Professor of Architecture at the University of Lincoln, UK, and Steve Matthewman, Associate Professor of Sociology at the University of Auckland, New Zealand, highlights the insecurities of power systems and weakening electrical infrastructure across the globe, particularly in built-up urban areas.

The work builds on previous studies which examined a sharp increase in electrical usage over recent years, and warned the world to prepare for the prospect of coping without electricity as instances of complete power failure become increasingly common.

Professor Byrd explained: “We have previously highlighted that demand for new technology continues to grow at an unprecedented rate. Our new research emphasises why energy sources are becoming increasingly inadequate, and simply cannot continue to meet this demand.

“Throughout our study, we observed a number of network failures due to inadequate energy, whether through depletion of resources such as oil and coal, or through the vagaries of the climate in the creation of renewable energy.”

The British energy regulator Ofgem has predicted a fall in spare electrical power production capacity to two per cent by 2015, meaning there is now even less flexibility of supply to adjust to spikes in demand.

The issue of energy security exists for countries which have access to significant renewable power supplies too. With rain, wind and sunshine becoming less predictable due to changes brought about by global warming, the new research found that severe blackouts in Kenya, India, Tanzania and Venezuela, which all occurred during the last decade, were caused by shortages of rain at hydro dams.

Further to the irregularities involved in renewable power generation, the study concludes that worldwide electricity supply will also become increasingly precarious due to industry privatisation and neglect of infrastructure.

Professor Matthewman said: “Over the past two decades, deregulation and privatisation have become major global trends within the electrical power industry. In a competitive environment, reliability and profits may be at cross-purposes — single corporations can put their own interests ahead of the shared grid, and spare capacity is reduced in the name of cost saving. There is broad consensus among energy specialists, national advisory bodies, the reinsurance industry, and organisational sociologists that this has exacerbated blackout risk.”


