Hacker-resistant software for controlling a power grid performed well in both a simulated cyber-intrusion and in a tryout in a real power plant, its developers say.
Though the Honolulu power plant where the tryout occurred was not generating electricity at the time, the test achieved its goal of showing that the software can operate without adverse effects on other plant systems.
Concern about the vulnerability of electric power grids to cyberattacks ratcheted up after two high-profile hacks turned out the lights in parts of Ukraine during the past two years.
A power grid needs to respond to adverse events within hundreds of milliseconds.
Neither outage in Kiev was long or extensive enough to cause serious harm or panic. However, the attacks served as a wakeup call, putting a spotlight on power grid security in the United States and elsewhere.
“Today, our power system is not designed to withstand the kind of attacks that happened in Ukraine,” says Yair Amir, professor and chair of computer science at Johns Hopkins University. “If even part of a power grid’s control system is compromised, the game is over. We need to make our grid more secure, resilient and intrusion-tolerant.”
The Spire system
Amir and colleagues hope to help boost resilience with their new open-source control system for power grids, called Spire. The intrusion-tolerant system is designed to keep power flowing even if part of it is compromised.
Last April, a Sandia National Laboratories hacker team remotely obliterated a commercial grid control system in hours, but could not penetrate the Spire system over three days. On the third day, the Sandia team was given remote access to part of Spire, but still could not disrupt the system’s operation.
Early in 2018, the researchers went to an offline Hawaiian Electric Co. plant in Honolulu and tested Spire on the power plant’s equipment with the help of HECO engineers. After a few days of setup and integration, Spire ran continuously without interruption for almost a full week.
A power grid needs to respond to adverse events—say, a circuit breaker tripping or a generator shutting down—within hundreds of milliseconds, Amir says.
“If a generator goes out, the system needs to quickly detect it and compensate by increasing power in other generators or by cutting power to parts of the grid,” he says.
On the last day of the Hawaii test, the team measured end-to-end reaction time. The plant’s commercial control system reflected a change in the grid’s power state within 900 milliseconds to one second. Spire showed the same change faster, within 400-500 milliseconds.
How it works
The system works in part through duplication. The researchers built it to contain six copies of the main control server; the parts work together to agree on what actions to take to protect the grid when problems crop up.
“If something goes slightly wrong, at least you don’t have a quarter-million people losing power.”
“Each replica votes on every … decision,” Amir says. “If one of the replicas is compromised and another is going through maintenance, then the other good replicas will enable the system to continue working properly and in a timely manner.”
The test took place in Hawaii in part because it was funded by the Defense Department, one of HECO’s largest customers. In addition, Amir says, a “mothballed” power plant with fully functional control systems but no active power generation was perfect for grid-level control system tests.
“If something goes slightly wrong, at least you don’t have a quarter-million people losing power,” he explains.
Open source solution
Making Spire open-source was kind of a “no-brainer,” Amir says. Though open-source code is freely available to potential hackers, it’s also available to “good guys” who help to fix any vulnerabilities they discover.
More important, says Amir, who has spent more than a decade working on intrusion-tolerant systems and networks, being so open increases awareness among others—including sellers of commercial power grid control products—that better security is possible.
“Having the system out there as open source, people will be less able to ignore the problem and to ignore the fact that there are good possible approaches to deal with this issue,” Amir explains.
“We have no ego in this,” he says. If manufacturers “want to take a look at what Spire does and develop similar or better capabilities in their own commercial products, making our power grid more resilient and intrusion-tolerant, we will be thrilled.”