A research team from the University of Illinois at Urbana-Champaign has been developing a network solution that enhances power grid cybersecurity by making grids more agile, and therefore more resilient to failure.
As a fundamental part of modern smart grid infrastructure, a communication network connects massive grid devices over vast geographic areas to support the grid’s supervisory control and data acquisition (SCADA) system, which enables continuous energy delivery.
Routers and switches in power grid communication networks direct electricity where it’s needed, when it’s needed. By and large, the switches are managed by predetermined, preprogrammed commands. This static IP networking architecture is nearly impossible to reconfigure on the fly, hardly an ideal scenario given how quickly energy moves on the grid.
Without the ability to reroute energy at a moment’s notice, power grids are vulnerable to failure, especially when the cause is an unexpected incident or cyber-attack.
With support from the Siebel Energy Institute, a research team from the University of Illinois at Urbana-Champaign has been developing a network solution that enhances power grid cybersecurity by making grids more agile, and therefore more resilient to failure.
The team, led by Ravishankar Iyer, the George and Ann Fisher Distinguished Professor of Engineering and Professor Zbigniew Kalbarczyk, both in the the Department of Electrical and Computer Engineering at University of Illinois at Urbana-Champaign, adapted a new, more flexible network model for use in the power industry.
The model is called software-defined networking (SDN), and because it separates the network control function from the network forwarding function, it is much easier to reconfigure in real-time than Internet Protocol (IP) networks, the standard used by most utility companies. Such systems are being used in other industries but have not yet been widely adopted in the power industry.
The SDN system that Iyer and Kalbarczyk are investigating allows grid operators to not only respond to rapidly changing circumstances, but creates an environment in which new methods and algorithms (e.g., machine learning) can be deployed to detect anomalies before they wreak havoc on the grid.
As their study shows, an SDN system has a potential to rapidly move data from sensors and other grid related devices, making it possible for systems/operators to make decisions faster. The project, titled, “Virtualizing Grid Management and Control: A Case for Resilient Software Defined Networking,” employs rigorous testing of SDNs on a smart grid testbed where researchers combined simulated and real devices to facilitate experiments on potential use of SDN in the power sector.
SDN based smart grid security has been approved as a theme in new U.S. Department of Energy Cyber Resilient Energy Delivery Consortium (CREDC). Iyer and Kalbarczyk are currently investigating opportunities with the CREDC to see how their technology can be applied in the context of protecting nuclear power plants from cyber-attacks.
Iyer and Kalbarczyk spoke with the Siebel Energy Institute about the project.
Q: Is this the first such project to investigate how SDN could be applied to energy systems? If not, what is unique about your research?
This is the first project to investigate the Power Grid security in the context of SDN specifically, how SDN can support and enhance security of the grid. A unique aspect of this effort is a resiliency testbed (ER-TEST) that integrates a power system simulator with an SDN based real SCADA network to allow experimental assessment of resiliency of energy delivery. In a broader context, investigating SDN in the energy delivery system not only contributes to SDN research, but also introduces a previously unexplored direction to cyber physical system research.
Q: What would be a typical scenario where you would envision SDN capability being useful to a grid operator?
The adoption of advanced networking technology such as SDN in energy delivery systems (EDS) can improve control efficiency, reduce operational costs, and increase the resiliency of the overall system against accidents and cyber-attacks. As an example, we used the network programmability enabled by SDN to obfuscate the status of a system configuration that would be visible to a potential adversary in order to prevent the development of an attack strategies.
Q: How did you design the microgrid test bed that you used to test the SDN network?
The testbed consists of a Power Grid Simulation Server (PGSS) and a Control Center Simulation Server (CCSS), seamlessly integrated with the SDN-enabled switches. The PGSS leverages PowerWorld to emulate the physical processes of generators, a transmission system, and loads and implements real-time manipulation and access to the internal state (e.g., status of generators, load, meters, and circuit breakers). The CCSS implements grid monitoring and control applications including state estimation and automatic generation control. The intrusion detection system detects malicious control commands by predicting their execution consequences through advanced analytics and learning techniques.
Q: What was the most challenging aspect of designing the test bed experiments?
The primary objective of using the testbed is to evaluate SDN-based techniques and algorithms to detect system failures due to unintentional (i.e., accidental) and intentional (i.e., cyber-attacks) disturbances. The challenging aspects in designing such a testbed are: (i) obtaining and/or generating data representative of a smart grid operations, (ii) showing that the results from the testbed experiments scale up to real system configurations, and (iii) ensuring that that fault/attack models represent current and possibly zero-day future attacks.
Q: Why is it so valuable to bring theory and practice together when conducting experiments?
Sound theoretical foundation is essential to developing detection techniques and algorithms which take into account both cyber and physical aspects of the energy delivery systems and to mimicing attack models representative of real world system.
Q: How does machine learning enable the SDN system to detect, and even predict, suspicious activity?
SDN provides a mechanism for building a virtual network layer on top of physical communication links. This additional layer can help mitigate the impact of the hard-to- confirm attacks. By leveraging the control plane functionality, an SDN virtual network can enable finer-grained network status monitoring and hides the real state of the system so that it is invisible to a malicious (unauthorized) actor.
Separation of the control and data planes in SDN also allows for the integration of sophisticated algorithms (including machine learning) and techniques for preemptive (i.e., before the system is misused) detection of anomalies. A properly instrumented SDN controller can rapidly reset or even re-establish a virtual network for a grid control application to isolate suspicious switches or network activities.
Q: The research also shows how SDN can be used to prevent malicious attacks by luring attackers to decoys. What does that entail?
The network programmability enabled by SDN can be used to randomize the appearance of the two primary operations in power systems, i.e., data acquisition and control, to external users, while maintaining normal operation of the power grid. External users (e.g., attackers) who have no knowledge on the actual network connectivity fail to learn the complete set of physical measurements and expose themselves when they attempt to access “off-line” devices (i.e., temporary disconnected from the network). Further, we spoof device responses (e.g., generating decoy measurements), provided to external users accessing “off-line” devices. Deceived by the decoy measurements attackers launch ineffective attack strategies.
Q: What would you say is the biggest obstacle to overcome when it comes to convincing a utility provider to transition to SDN?
The challenge is to demonstrate that the proposed solutions do not negatively impact normal system operation and that the enhanced monitoring capabilities provide actionable information. Further, we need to show that assumptions about the SDN based network (e.g., communication delays) hold in practice.