
Researchers Develop AI-Enabled Cyber Protection for Critical Infrastructure

The technology is designed to detect danger from insiders and outsiders.

Researchers at the Georgia Institute of Technology and the Georgia Tech Research Institute are developing an artificial intelligence (AI)-enabled system to detect abnormal behavior inside an electrical grid network. The GridLogic system is expected to go beyond traditional anomaly detection and could protect other critical infrastructure segments.

By developing a deep and comprehensive understanding of what constitutes “normal” operations inside electric power systems, cybersecurity researchers hope to identify abnormal and illogical control system commands that may indicate the presence of insider threats or malicious attackers, according to a Georgia Tech Research Institute press release. Both the understanding of normal operations and detection of suspicious activities will rely on AI to understand what the complicated grid systems normally do and to identify actions that logically shouldn’t be taking place.

The press release added that GridLogic will provide security at three levels: field devices, including distributed energy resources (DER) such as solar panels and wind turbines; the network; and the overall cyber-physical system. Novel features of the system will include:

  • Grid and DER field control device security based on multifactor and hardware root-of-trust authentication and encryption.
  • Network traffic monitoring sensors and strategies that increase the depth of visibility into the network topology, remote stations and power system protocols, in order to determine attacker intent and trajectory toward malicious operation.
  • Cyber-physical, AI-based identification of combined communications network and power system states and actions that are detrimental to the system’s operational objectives, with automatic security escalation.

“I think what GridLogic will do is be able to distinguish the difference between anomalous and overtly malicious behavior,” Trevor Lewis, a GridLogic researcher and a senior research scientist at the Georgia Tech Research Institute, told SIGNAL Media. “We’ll be able to understand the system conditions, understand what’s normal, what’s abnormal, and then be able to identify overtly malicious behavior based on the context of everything that’s going on. It’s one step further than just anomaly detection, either from the network or the system operation perspective. That’s what we hope to achieve anyway.”

Santiago Grijalva, Southern Company Distinguished Professor in Georgia Tech’s School of Electrical and Computer Engineering and co-leader on the GridLogic project, explained that anomaly detection usually flags suspicious packets or suspicious traffic on the network. “What we’re trying to do here is combine some of those elements, but in addition, bring the security of the power grid. It has to be what is called a cyber-physical understanding of the system where you couple the network and cyber aspects with the physical aspects and the implications of that.”

Grijalva cited as an example someone opening a breaker. “Regular anomaly detection would not tell you anything is suspicious about an opening of a breaker, whereas GridLogic will tell you this is strange at this time because it will have this impact in the power grid: it will cause an outage.”
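Grijalva's breaker example, as an added illustration that is not code from the article or from the GridLogic project: a small cyber-physical check that judges a breaker-open command by what it does to a constructed toy feeder, not by whether the protocol message looks normal. The topology, load figures, the 5 MW threshold and the scheduled-work list are all assumptions.

```python
from collections import deque

# Constructed toy feeder: each breaker controls one line between two buses.
LINES = {
    "CB-101": ("SUB-A", "BUS-1"),
    "CB-102": ("BUS-1", "BUS-2"),
    "CB-103": ("BUS-2", "BUS-3"),
    "CB-201": ("SUB-B", "BUS-3"),   # normally-open tie to a second substation
}
SOURCES = frozenset({"SUB-A", "SUB-B"})
LOAD_MW = {"BUS-1": 4.0, "BUS-2": 6.0, "BUS-3": 3.0}   # assumed load per bus
NORMAL_OPEN = frozenset({"CB-201"})     # current state: only the tie is open
SCHEDULED_WORK = frozenset({"CB-103"})  # breakers with an approved switching order

def energized_buses(open_breakers):
    """Buses reachable from any source over lines whose breaker is closed."""
    adj = {}
    for cb, (a, b) in LINES.items():
        if cb not in open_breakers:
            adj.setdefault(a, []).append(b)
            adj.setdefault(b, []).append(a)
    seen, queue = set(SOURCES), deque(SOURCES)
    while queue:
        for nxt in adj.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def assess_open_command(breaker, open_breakers=NORMAL_OPEN):
    """Physical impact of opening `breaker` now: (severity, shed_mw, buses_lost)."""
    before = energized_buses(open_breakers)
    after = energized_buses(open_breakers | {breaker})
    lost = sorted(b for b in LOAD_MW if b in before and b not in after)
    shed = sum(LOAD_MW[b] for b in lost)
    if shed == 0:
        return "benign", 0.0, lost      # the same command is harmless in this state
    return ("outage" if shed >= 5.0 else "degraded"), shed, lost

def triage(breaker, open_breakers=NORMAL_OPEN, scheduled=SCHEDULED_WORK):
    """Combine physical impact with operational context to pick an action."""
    severity, shed, lost = assess_open_command(breaker, open_breakers)
    if severity == "benign":
        return "allow"
    if breaker in scheduled:
        return "log"            # expected work; the impact is understood
    return "escalate"           # unexplained command that drops load
```

Note that `assess_open_command("CB-102")` is an outage while the tie is open but benign once the tie is closed; the same packet gets a different verdict because the grid state differs.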

Members of the GridLogic research team pose with a display showing (l) a visualization of the power grids, water systems and oil/gas pipelines in the United States and (r) a proposal for network security monitoring in a power grid. Shown are (l-r) David Huggins, Trevor Lewis, Santiago Grijalva, Fabricio Ceschin, Vincent Mooney and Arman Allahverdi. Credit: Marion Crowder, Georgia Tech

The GridLogic system will include specially designed sensors to provide visibility deep within the network. The sensors are needed because power system network architectures can be complex, and utility companies have difficulties monitoring and identifying malicious activity in remote areas.

“We came up with the concept of deep network visibility, where the depth is both topological—think of a network topology. It’s deep in the topology, but it’s also deep within each power station and within each power protocol,” Lewis offered. “For one of the core issues of being able to identify whether or not you know the system is being misoperated or operated in an illogical way, we need telemetry from every point of the system, and that includes the network.”

The prototypical sensors will use a small form factor and will be heat resistant so that they can be deployed in power substations or line pole cabinets and will be rugged to withstand demanding conditions in electric power applications, including heat, cold, vibration and electromagnetic interference. “Utilities have a variety of network topologies, whether it’s a ring or a line or a tree topology,” Lewis elaborated. “We’ll take all of that into consideration and deploy these small sensors out into strategic locations that give us the visibility of network traffic going to and from, either different stations or from the control center to these stations, and feed all that telemetry back to the central system.”

The central system will include an AI module known as a hypervisor, which will detect odd events or behaviors and discern whether it is malicious activity or the result of other circumstances, such as weather events. The module will “encapsulate some of the intelligence of the power operator and the network operator,” and as it learns, may complement or even replace some human-in-the-loop functions, Grijalva reported.

Lewis added that GridLogic offers total visibility of the entire system to identify potential attack vectors. “We have to consider all angles to this equation because we’re dealing with both malicious insiders and outsiders. Insiders have a tremendous amount of access already, so we need to know exactly what’s happening when and at what time to be able to get to the point of identifying anomalies and then identifying malicious operations.”

GridLogic builds on work from a previous project, GridTrust, which has been successfully tested in a real substation of a U.S. municipal power system. GridTrust combines a digital fingerprint with cryptographic technology to provide enhanced security for utilities and other critical industrial systems that must update control device software or firmware.

GridTrust could help secure the supply chain by authenticating software updates to power stations. “That’s a very important threat vector nowadays from very big-name compromises in the recent past. The idea was to see if we can authenticate effectively the software updates going to these remote field devices, the things in substations and power stations that actually open and close breakers,” Lewis said.

Once developed, the technology could benefit other critical infrastructure sectors. “Very similar applications could be a benefit in the oil and gas industry, the transportation industry, manufacturing and defense as well,” Grijalva suggested. “And then things like, for instance, the hardware component with the physical functions for any type of control system that requires additional authentication.”

As the GridLogic research progresses, the team aims to develop a scalable framework for deploying technology in real-world scenarios, partnering with the city of Marietta and Marietta Power for a comprehensive demonstration in energy delivery systems and with the Southern Company to test it on microgrid setups, Georgia Tech reported in a separate press release.

The research will be done in two phases, a two-year research and development phase and a one-year demonstration phase, which will involve Georgia Power and Marietta Power. The demonstration phase will include city-level distribution circuits and campus-level microgrid demonstrations.

GridLogic received $3 million from the U.S. Department of Energy as part of a group of 16 cybersecurity projects announced in late February. The projects, with a total investment of $45 million, are geared toward discovering new cybersecurity tools and technologies to minimize cyber risks in energy infrastructure, followed by tech-transfer initiatives.

Other team members include Professor Vincent Mooney, a professor at the Georgia Tech School of Electrical and Computer Engineering and co-leader for GridLogic; Senior Research Engineer David Huggins; Principal Research Scientist Matt Guinn; and Research Engineer Sam Litchfield.
