As attacks on grid substations increase—by 70% in 2022 alone, according to the Department of Energy's Oak Ridge National Laboratory (ORNL)—engineers there are anticipating new attack vectors and taking measures to protect against hackers using them.
"As researchers, we try to stay ahead of cyber threats, not just react to them after they occur," said ORNL's Peter Fuhr, who heads its Grid Communications and Security group. Fuhr's group recently demonstrated a new method of using a rotating color wheel to encode grid sensor data subliminally into a video feed, and using a novel Fibonacci sequence decoding key that rotates the color-wheel so each sensor reading uses a unique color code.
"ORNL has invented a compelling method to protect our critical grid infrastructure that builds upon known encryption technology," said Sterling Rooke, chief executive officer (CEO) of Brixon Inc. (Baltimore), a company that manufactures electrical power monitoring instruments. "With the right application, there will be a need for this novel implementation—a kind of steganography that conceals critical information within the existing live video feeds from the grid substations themselves."
The technique, Fuhr says, translates the encrypted character codes utilities use today to a color-code hidden in video feeds from cameras that already monitor substation activity. EPB (formerly the Electric Power Board, Chattanooga, TN) successfully tested the technique for six months using a virtual local area network (VLAN) link between the central-EPB grid control center and its substations. "We proved the concept in the lab at ORNL, then extended the testing to a nearby substation, and eventually installed the color encoding/decoding equipment at both the EPB substation and its central-control computer," said Fuhr. "It's the real deal—tested and proven."
According to Fuhr, EPB and most industrial process control architectures in the U.S. follow the National Institute of Standards and Technology (NIST) SP800-82 guidelines for all industrial process control (IPC) systems—including factories, manufacturing, and automated testing, as well as the grid. His color encoding/decoding technique will work not only for grid communications from a grid central control computer to its substations, but for any operational technology (OT). In fact, several private companies have already shown interest in licensing his color-coding architecture, according to Fuhr.
Historically, Internet connections have offered an entry point for sophisticated hackers to insert malware into substations, which are almost universally run by SCADA (supervisory control and data acquisition) networks. SCADA dates back to the 1950s, when cybersecurity wasn't even a word. Even today, SCADA networks typically do not require any authentication to remotely execute commands on a control device. To address most vulnerabilities, the NIST guidelines forbid the central control computer—which is typically connected to corporate IT—from extending Internet availability to the SCADA control system. NIST-compliant SCADA architectures are isolated from the Internet by firewalls, and instead run a multi-channel virtual local area network (VLAN) to the substations connected to their central control computers. Likewise, data from sensors and data to actuators travel on different channels of the VLAN. Most operations are programmable, but run autonomously at unmanned substations; human operators can also use a graphical user interface (GUI) for high-level configuration and supervision of remote machines and processes.
Over the years, as cybersecurity has become an increasingly important issue, many hacker-resilient modifications have been added to SCADA architectures. These security measures, however, have not been universally applied. The result has been numerous attacks dating back to 2000, when a disgruntled former employee took control of the Maroochy Shire sewage OT system in Queensland, Australia, using a single computer and a radio transmitter. Since the commercialization of the Internet, many hackers have attacked process control systems, including utilities, forcing new (and retrofit) SCADA industrial protocols to segment their networks with gateways, routers, one-way-only data-diodes, and white-listing that only passes traffic of a single type down each VLAN channel. In addition, VLAN channels are only bi-directional when they need to be, are segmented so they can only communicate with devices with which they were meant to communicate, and are not allowed to connect to the central corporate network without at least a firewall (for maximum security, with two firewalls on each side of a DMZ (demilitarized zone) server that securely forwards communications).
Nevertheless, utility networks not adhering to NIST's recommendations have still been exploited, including a multi-pronged attack on a grid central control computer, a simultaneous denial-of-service attack on the phone system, and malware downloaded into SCADA networks in 2016, shutting down seven substations leading to a grid power outage for 80,000 customers in the Ukraine. Likewise, Triton malware, which has been traced to Russia's Central Scientific Research Institute of Chemistry and Mechanics by White Hats (security hackers) at Mandiant, was loaded onto a Windows PC used to configure a Saudi Arabian OT installation, where it infected a SCADA process control system in 2019. A comparable infection happened in 2011, when the Stuxnet malicious worm successfully attacked Iranian OT-controlled centrifuges enriching uranium.
Today, commercial OT networks in the U.S. that strictly follow the NIST guidelines are more secure, but according to Fuhr, new attack vectors are being opened by the numerous "smart" electric meters rolled out in recent years which, on the positive side, allow grid operators to manage power more efficiently, but on the negative side form new vulnerabilities in the OT control infrastructure.
"The proliferation of smart meters and grid-controlled home automation devices is outside the scope of our current research project, and realistically a variety of network configurations are used so there is no single answer, but to employ an overused phrase, the attack surface is certainly increasing," said Fuhr.
Fuhr emphasizes that his color encoding/decoding technique reduces the attack surface by providing new layers of security protocols to protect the grid infrastructure and other OTs. ORNL's addition of its color-coding technique increases the difficulty of hackers intercepting and substituting (spoofing) sensor readings arriving at SCADA-run grid substations and forwarded to central grid control computers.
"Our architecture is designed to prevent hackers from spoofing, say, thermal sensor readings by reporting a very low temperature that might cause fans to shut off, which could cause overheated equipment to fail, triggering a blackout," said Fuhr.
In testing ORNL's technique with the EPB grid, existing sensor readings—for instance, temperature, pressure, voltage, current and electromagnetic fields—are encoded into the stream of characters, as the substation normally does. Then Fuhr's added hardware encodes the characters as colors from a color wheel and hides them in a video frame—subliminally to the naked eye—of the video feed already remotely observing every substation. Since the video signal travels on a separate network channel of the VLAN from the color-decoding key, it adds yet another security layer for a hacker to penetrate.
"Our deployments have been tested with utilities that already use separate VLAN channels for differing types of information traffic between a substation's networked devices, further complicating any hacking attempts," said Fuhr.
The position of the color wheel, which changes for each sensor reading, travels on the separate VLAN channel that normally carries the characters encoding the sensor reading. The color wheel is turned a different amount for each reading, which changes about 10 times per second. The amount is calculated using a Fibonacci algorithm, which rotates the color wheel by the sum of the two previous rotation amounts. As a result, to spoof a sensor reading, a hacker would need to penetrate two separate VLAN channels, determine how the color-encoding scheme works, calculate the rotation amounts, and locate the colors in the subliminal frame—all in the tenth of a second before the next sensor reading.
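The per-reading rotation described above, as an added sketch that is not ORNL's code: it assumes a 256-slot hue wheel, seed values 3 and 5, and one color per character, and it leaves out the embedding of the colors in a video frame.

```python
# Added illustration only; not ORNL's implementation. The wheel size, the seeds
# and the character-to-slot mapping are assumptions made for this sketch.
import colorsys

WHEEL_SLOTS = 256  # assumed: one hue slot per 8-bit character code


def fibonacci_rotations(seed_a, seed_b, slots=WHEEL_SLOTS):
    """Yield rotation amounts; each is the sum of the previous two, mod wheel size."""
    a, b = seed_a % slots, seed_b % slots
    while True:
        a, b = b, (a + b) % slots
        yield b


def slot_to_rgb(slot, slots=WHEEL_SLOTS):
    """Color of a wheel slot: hue = slot / slots at full saturation and value."""
    r, g, b = colorsys.hsv_to_rgb(slot / slots, 1.0, 1.0)
    return (round(r * 255), round(g * 255), round(b * 255))


def rgb_to_slot(rgb, slots=WHEEL_SLOTS):
    """Nearest wheel slot for an 8-bit RGB color (inverse of slot_to_rgb)."""
    hue = colorsys.rgb_to_hsv(*(c / 255 for c in rgb))[0]
    return round(hue * slots) % slots


def encode_reading(text, rotation):
    """Turn each character of one sensor reading into a color on the rotated wheel."""
    return [slot_to_rgb((byte + rotation) % WHEEL_SLOTS)
            for byte in text.encode("latin-1")]


def decode_reading(colors, rotation):
    """Undo the rotation; only correct when `rotation` matches the encoder's."""
    data = bytes((rgb_to_slot(c) - rotation) % WHEEL_SLOTS for c in colors)
    return data.decode("latin-1")


def demo():
    """Encode one constructed reading under two rotations; decode with each key."""
    key_channel = fibonacci_rotations(3, 5)  # assumed seeds
    rot1, rot2 = next(key_channel), next(key_channel)
    reading = "TEMP=071.5C"  # constructed sample reading
    frame1, frame2 = encode_reading(reading, rot1), encode_reading(reading, rot2)
    good, stale = decode_reading(frame2, rot2), decode_reading(frame2, rot1)
    return (rot1, rot2), frame1 != frame2, good, stale
```

In `demo()`, the same reading produces different colors under consecutive rotations, and decoding the second frame with the first rotation yields the wrong characters, which is why the receiver needs the current wheel position from the key channel.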
Fuhr claimed these extra levels of security, on top of a NIST-compliant OT, make it highly unlikely that hackers could successfully attack the U.S. electrical grid or other IPC OT architectures.
R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.