Strengthening cybersecurity in the energy sector

Almost every online shopping site influences buying decisions by providing a rating system for its products. Five stars? Looks like a good buy. One star? Maybe it’s good enough for what I need. 

Similarly, government-backed certification programs like ENERGY STAR offer clarity by vetting specialized claims against a formal set of standards.

Researchers at ORNL are working on a certification system for one of the biggest emerging needs facing electric utilities: cybersecurity.

Energy infrastructure is so interconnected that cascading failures can have wide-reaching effects on access to safe food, winter heating and life-sustaining medical devices. Recognizing this, companies selling components for the grid tout an array of features to strengthen it against cyberattack. But utilities can have difficulty navigating this barrage of marketing about new product features.

The cybersecurity certification system under development at ORNL will quantify the value and effectiveness of security features, letting utilities understand the strength and weakness appropriate to meet their cybersecurity needs.

ORNL’s Cyber Resilience and Intelligence Division also helps energy companies find bugs, knockoff parts, undocumented functionality and other cyber weaknesses in equipment already operating.

Unlike personal electronics, most energy infrastructure components have a long life cycle. That means cyber weaknesses can last decades or arise while old technology is still being used, explained Tricia Schulz, group leader for Embedded Systems Security.

“Think of all the vulnerabilities that have been found in the past five or 10 years. If systems aren’t updated, many of those might still be around in our critical infrastructure,” Schulz said. “Can we update the equipment to eliminate those vulnerabilities without causing unacceptable downtime? How do we plan to do that for the weaknesses we find in the next 10 years?”

Validating cybersecurity claims

To address these challenges in the short term, some suppliers offer cybersecurity upgrades.

“They advertise features but don’t tell you the level of robustness,” explained Juan Lopez, group leader for Energy and Control Systems Security.

For example, a utility could pay extra for a password system controlling login access to remote equipment without understanding how much protection they’ll receive. Password options can range from a basic three letters to a much more secure combination of numbers, digits, and symbols with a lockout feature for failed attempts.

“We’re trying to come up with a star rating for truth in marketing,” Lopez said. “It’s a win-win for the manufacturers that make the components and the customers that buy them.”

Vendors benefit from quality differentiation. Users benefit from consistent and assured performance.

ORNL scientists are piloting a star rating for three types of products or security features: passwords, real-time automation controllers and secure shell; these act as an encrypted tunnel for network services. Such features are commonly available or can be easily added with an upgrade to firmware, the code embedded in network-connected devices. The rating scale would award one star to products with minimal cybersecurity and four or five stars to the most robust. 

“And companies can decide whether that level of protection is needed, so you can tailor your spending to your actual needs,” Lopez added.

The framework, based on proven compliance certification approaches like ENERGY STAR, uses a semiautomated process to verify product performance in a hardware test bed. The system can be scaled up to large grids or down to microgrids.

The testing framework could eventually be used by a third party to run the rating program, said Lopez, who provided a demonstration to several public utility partners in September. The project was funded by DOE’s Cybersecurity for Energy Delivery Systems R&D program.

Finding fakes through “fingerprints”

Cyber challenges to the supply chain continue after purchasing, though, and ORNL researchers are also ferreting out vulnerabilities after components have already been bought or installed. In some cases, nefarious tampering may have added bugs or secret functions. In others, a replacement part might just be cheap junk that looks like the real thing.

“In the power grid, I’m worried about both problems,” Lopez said. “Counterfeit components are being purchased legally and installed in critical infrastructure as companies do repair and replacement. These knockoffs may be less safe.” For example, a counterfeit version could explode because it can’t take the same heat and pressure as the more robust original.

“The operator who has this in his system has no way to differentiate the products,” Lopez said.

To solve this problem, Lopez’s group has developed a handheld tool to verify parts in inventory or even while operating. The tool aims ultra-wideband signals at a component, which don’t interfere with its internal systems. When these signals bounce back, returning waves are detected using small-aperture radar. A mathematical process removes background noise from the signal. The result is a type of 3D signature for each component.

“The idea came from a technology that has been around for years: This needs to be like fingerprints,” Lopez said. “Once you get even a partial fingerprint, you can still get a match. If you don’t have a match, what you have is probably counterfeit, and you need to investigate further.”

The tool can also be used to check whether a part has changed since installation. “A utility can scan hundreds of devices and determine fairly quickly if they match,” said Lopez, adding that the Tennessee Valley Authority has expressed interest in field-testing this technology as well.

Understanding firmware, hidden functions and the Smart Grid

ORNL scientists are also working to identify, understand and eliminate other device-based vulnerabilities that could harm energy infrastructure. They analyze hardware, software and firmware, investigating the capabilities of all the components within a device.

“It’s often cheaper for companies to reuse a printed circuit board design and only use components of the software they need than to make a new version of the board,” Schulz said. “That doesn’t mean the other functionality doesn’t exist.” Hostile actors could activate those latent functions to cause the device to fail, behave in an unexpected way or open a door to cyber intrusion.

Schulz’s group also partners with the Vulnerability Science Group at ORNL to study the security of firmware embedded inside internet-networked consumer devices such as appliances and thermostats, often called the Internet of Things, or IoT. These edge devices, too, may have capabilities that aren’t initially active or obvious, such as microphones in home security systems.

“Sometimes vendors include hardware that can expand a device’s capability with a future software release, but if that functionality is not obvious at the time of purchase, then it is difficult to fully understand the risk,” Schulz says. “Similarly, we need to understand the software and its potential weaknesses.”

To improve understanding of device firmware, the Vulnerability Science Group developed a process that enables experts to find and mitigate vulnerabilities before firmware is deployed into critical systems such as the power grid.

While these types of vulnerabilities might concern individual homeowners, the networking of such devices can broaden their potential for damage. Their cyber weaknesses could be leveraged to interfere with how the electric grid operates internally or to create unexpected power fluctuations.

For example, a vulnerability in widely used electric vehicle charging equipment could be used to trigger a sudden, huge power draw.

“It’s almost an overwhelming problem,” Schulz said. “Chargers are in people’s houses. How do you find all the owners? How do you tell all the owners they need to update?”

Her team works on mitigating such vulnerabilities. “We are moving toward a smart grid,” she said. “You have this whole chain of different devices that are increasingly able to communicate over the internet. Being able to understand the risks associated with that, and to reduce those risks, is important.”