Scientists Capture Lightning Data for Electric Grid Cybersecurity
A new technique uses lightning strikes to detect hacking activity.
Monitoring global lightning strikes could help detect cyber attacks on the U.S. electrical grid, according to Georgia Institute of Technology researchers who have a patent pending to do just that.
Lightning strikes roughly 3.5 million times per day on average. Each and every strike creates an electrical path miles tall that emits a very low frequency radio signal. Those signals bounce off the upper atmosphere and can be detected virtually anywhere in the world, explains Morris Cohen, an associate professor in the Georgia Tech School of Electrical and Computer Engineering.
“When lightning occurs pretty much anywhere on Earth, it releases an intense amount of radio energy for a very brief amount of time, roughly a millisecond or so. These signals can zigzag back and forth and make it all the way around the world,” Cohen elaborates. “Consequently, that means I can plop down a receiver that’s tuned to this frequency band here in Atlanta, and I can pick up these little bits of radiation from lightning that occurs in South America and Africa and Japan, almost the entire world from one location.”
Electrical power stations also emit radio signals, which are called side signals. Those side signals can indicate what is happening with the supervisory control and data acquisition (SCADA) system, the centralized system for monitoring and controlling the power station. SCADA systems are a high-value target for hackers. Cohen notes that when Russian hackers attacked Ukraine’s power grid in 2015, they opened substation breakers to cause a blackout, shutting off power to 230,000 people. They also hacked into monitoring systems and changed the data to convince power grid operators that the grid was operating normally.
“Hackers will break into these SCADA systems and basically synthesize a lot of data so that the operators think that everything is fine. Meanwhile, [the hackers] have free reign to destroy things. We’ve seen Russian hackers do this in the Ukraine, and there are hints that they’re trying to have that capability here. Although we don’t think it’s happened here, it’s certainly a possibility,” Cohen says.
Electrical substations side signals transmit in the low frequency band at around 60 Hertz. Lightning emissions fall in the very low frequency range at 30 kilohertz and below. For context, AM/FM radios operate at a much higher frequency range, hundreds of kilohertz to megahertz. “We’re dealing with frequencies that are far too low for any practical communications system to really use,” Cohen adds.
The receiver picks up both types of signals. “When we start to monitor the power grid, we’re detecting two things. First, we’re detecting what’s being emitted from the power grid. Second, we’re detecting all these natural signals that come flying through our receiver at the same time,” Cohen says. “The same equipment that’s picking up the emissions from the power grid invariably has to pick up the emissions from lightning. Even if the lightning is thousands of miles away, it’s going to come through. We’re going to see that in our data sets.”
Until now the lightning data was often seen as irrelevant. “The signals from the lightning are really like a noise source for most people. But in this case, it happens to be a very useful noise source,” Cohen says.
By combining SCADA data with worldwide lightning data, operators could detect anyone monkeying with a particular station or substation. Security staff remotely monitoring substations would be able to compare the lightning signals they detect to lightning data from other sources, such as one of the 70,000 or so other substations in the United States or a global lightning database. That would authenticate the information.
Lightning strikes are impossible to predict, and the resulting data nearly impossible to manufacture. “Synthesizing something to look like this is almost impossible. It’s physics and natural lightning, which we can then use to validate data sets,” he adds. “You can think of it like a random number generator that, at any given time, when and where lightning is happening at this exact moment, is generating this exact sequence of pulses in our data set that you cannot break in advance. There’s no way you can forecast it.”
The system is known as a radio frequency-based distributed intrusion detection system (RFDIDS), and the researchers have filed a provisional patent application on the system for processing the data to infer the power grid activity and validate its authenticity. If approved, the patent will be owned by Georgia Tech with the researchers listed as inventors. It combines specialized software with a traditional receiver. The hardware is a scientific instrument, a commonly used low-frequency radio receiver. “My background is in lightning and in sensing the upper atmosphere, so I’ve been operating this kind of receiver all around the world for many, many years now. The new part is the software and what you do with the data set,” Cohen offers.
The research has been tested at substations with two different electric utilities and by extensive modeling and simulation. The researchers, including graduate assistant Tohid Shekari, worked with two electric utilities to analyze the radio frequency signals produced when breakers were turned off for substation maintenance. They also used computer simulations to study a potential attack against the systems.
“We should be able to remotely detect any attack that is modifying the magnetic field around substation components. We are using a physical phenomenon to determine whether a certain action at a substation has occurred or not,” Raheem Beyah, Motorola Foundation professor in Georgia Tech’s School of Electrical and Computer Engineering and co-founder of Fortiphyd Logic Inc., says in a Georgia Tech article published earlier this year. Beyah also works on a cybersecurity robot known as Honeybot.
The researchers envision utility companies placing an antenna at or near a substation to pick up the substation’s side channel emissions. The receiver would act independently of other monitoring equipment and would also pick up lightning strikes. Because it operates independently, other systems would not need to be reconfigured or changed in any way. “It’s just an extra data set that appears through a different channel that helps to verify that what the operator is seeing is what is actually happening,” Cohen states.
Next, the team intends to work with three companies—two in Delaware and one in South Carolina. “We’re working with a few different utility companies that are interested in at least helping us collect the data sets, and they seem intrigued by the idea,” Cohen reports.
He stresses the importance of collecting the right data sets. “For example, we want to see what a breaker flip looks like in our data set, but it doesn’t happen very often. It’s not like breaker flips are daily occurrences, so we’ve had to work with utility companies to get them to tell us when a breaker flip might happen or when it has happened and have data in the right place at the right time.”
The researchers recently received funding from the National Science Foundation to continue developing the technology. “Working out the mathematics of how you do this validation will take a little bit of work. For example, the shape of these little signals we get from lightning can vary a lot, depending on how far away the lightning is, depending on the time of day even. There are ways to tune the algorithm to make this increasingly efficient, and that’s what we would like to do in the coming months,” he reveals.
In addition, as difficult as it would be for hackers to predict or mimic lightning data, the technology could be even more secure, Cohen indicates. “It’s not as secure as it can be. If a hacker has access to a database of lightning occurrences—which is available—then with a lot of work and specialized expertise, you could potentially reproduce the data, basically synthesize data. We’re working to make it sophisticated enough that even the best hacker could never do it.