The Department of Energy on July 24 celebrated its research collaborations with the electric industry at the annual National Labs Day on Capitol Hill, featuring remarks by members of Congress, a reception and displays on current projects. Here’s some of what we heard.
Utilities Learning to Work with Government
Sen. James Risch (R-Idaho) said he and many of his colleagues on the Select Committee on Intelligence are convinced “that the next large incident that we have in America is not going to be a kinetic attack; it’s going to be a cyberattack that can be just as devastating.”
Risch, co-chair with Sen. Dick Durbin (D-Ill.) of the Senate National Laboratory Caucus, said utilities have overcome their reluctance to cooperate with the federal government on cybersecurity.
“When I first got here [11 years ago] … they were very, very resistant to engage with the United States government as a partner in cybersecurity. … It was less than 36 months later that they were begging for us to help because they realized the magnitude of the cybersecurity threat — and also, by that time there had been some breaches. They realized how catastrophic it would be. So today we are very much partnering with the electric utility industry — and have to be — on cybersecurity.”
North American Energy Resiliency Model
Among the exhibits on display was one on the North American Energy Resiliency Model, which DOE plans to release in September. The model will input threats such as severe weather and cyberattacks and provide outputs such as the possibility of voltage collapse and gas pipeline outages.
Craig Miller, chief scientist for the National Rural Electric Cooperative Association (NRECA), which has advised the national labs on the project, was on hand to explain it to visitors.
Miller said it will provide grid planners and federal officials with an “integrated analysis” tool to help them determine the most cost-effective investments in resilience and reliability. “For example, should we harden against a wind storm in Florida, or is it more important to deal with earthquakes in Missouri with the New Madrid Fault?”
He called the new tool “a massive improvement” over the first attempt at developing a model after Hurricane Sandy in 2012. “There was a quick [effort] to pull it together. It was good, and lessons were learned, and some fine thinking was done. But this is a much more sophisticated, integrated model,” he said.
Bruce Walker, assistant secretary of DOE’s Office of Electricity, has been touting the model since after FERC rejected the department’s proposed rule to require “full cost recovery” for coal and nuclear plants with on-site fuel supplies.
But Miller said he is convinced the project has not been tainted by politics or special interests. “The work is being done by the national labs. And the national labs are fundamentally committed to doing honest analysis. They are at heart scientists and engineers,” he said.
Miller said NRECA, which represents more than 900 electric cooperatives covering two-thirds of the U.S. by geography, plans to offer recommendations on how to improve the tool after its release.
“Even though we only have 40-some million customers … the national infrastructure doesn’t operate without us,” he said.
DarkNet: Moving Critical Infrastructure off the Public Internet
The project has been tested through a partnership between the lab and Chattanooga, Tenn.’s municipal utility, EPB (formerly the Electric Power Board).
“We use our system as a test bed,” said James A. Ingraham, EPB’s vice president of strategic research. “We’ve had almost a five-year relationship with Oak Ridge. We have a 6,000-mile fiber optic network, along with over 1,200 automated switches and interrupters on our system, so the entire thing is automated. We think it’s the most automated electric distribution system in the world. So, it gives us a unique path to generate a lot of data instantaneously. So we’re doing cybersecurity, sensors, transformer design, renewable generation, energy storage, electric vehicle, microgrid design, microgrid networks. All of these things are going on in cooperation with DOE on our system.”
Ingraham said the utility built the fiber optic capacity when it modernized its 70-year-old system.
“We entered the computer age. We deployed 29 software platforms, state-of-the-art [supervisory control and data acquisition] and [emergency management system]. We deployed all the switching and automated metering, but you had to have the high-speed communications to make it all work,” he said. “We built a modern infrastructure and integrated energy and communications together. And people see the difference. We’ve eliminated 60% of our outage minutes in the last five years. People know when the power goes off, it’s going to come right back on as the switches reroute power.”
Sandia’s SCADA Simulator and WeaselBoard
Brian J. Wright demonstrated Sandia National Labs’ SCADA emulator, which is used in training and the evaluation of malware. “It’s kind of a sandbox environment. It also enables us to do hardware-in-the-loop” simulations, he said.
Wright showed a screen showing the CrashOverride malware that Russians hackers deployed in the December 2016 attack on a utility in Ukraine. (See Experts ID New Cyber Threat to SCADA Systems.)
“It had a specific module aimed at ABB’s power relay. So, we actually put it in as hardware-in-the-loop to this simulation.
“You’ve got a power simulation in the background informing emulated models of relays and power systems, a SCADA module, HMI [human-machine interface], everything in a substation. It allowed us to execute the malware and effect that physical relay as if we had built a real substation.”
Wright also demonstrated Sandia’s WeaselBoard, which allows operators to see and respond to physical and input/output (I/O) changes on their system.
“So, if I wiggle out an I/O module, you can see it’s alerted this card that sends a message to the HMI to alert that there is a module that’s been removed,” he said.
Wright said the WeaselBoard protects against malware such as Stuxnet, which the U.S. and Israel allegedly used to attack Iran’s nuclear weapons program — deceiving operators about what was actually going on in the physical process.
“What the WeaselBoard allows us to do is see the communications between cards and between the card and CPU, between the CPU and the network port out. It enables us [to know] the ground truth of what’s actually happening, so we can alert to anomalies in I/O, hardware changes, firmware changes.”
Why it called a WeaselBoard? “I am not privy to the history of the name,” he laughed.
Structured Threat Intelligence Graph
Rita A. Foster of the Idaho National Lab demonstrated an open source visualization tool called the Structured Threat Intelligence Graph (STIG) that can be used for understanding cybersecurity vulnerabilities.
It was funded by the California Public Utilities Commission under its California Energy Systems for the 21st Century (CES-21) program and included involvement by the state’s investor-owned utilities.
“Those lines are showing the relationship between attack patterns and indicators of compromise,” she said pointing to a fan-like pattern on her screen. “We’re going to query on this attack pattern and get all the other malware associated with that attack pattern, because one attack pattern has a lot of different malware associated with it. … You can tell that’s the attack pattern you want to look at because fixing that fixes a big, huge set of problems.”
— Rich Heidorn Jr.