Sampling of EPRI Projects
Digital Twins for Real-Time Cyber Attack Identification, Evaluation, and Mitigation
Digital twins in the utility industry are generally thought of as tools that can improve the operations and maintenance of grid equipment or bolster the efficiency and reliability of an increasingly complex grid. Until recently, digital twins have not been thought of as a tool to enhance cyber security.
Over the past two years, EPRI has been exploring the benefits of moving away from the traditional approach of modeling and analyzing security and operational data separately and instead combining that information into an integrated model. The Digital Twin project will build on those initial steps and seek to demonstrate the value of this approach using digital twins. More specifically, the project will explore the value of what EPRI terms hybrid digital twins.
Hardware-Accelerated Security at the Edge (HASE)
Artificial intelligence (AI) and machine learning (ML) have enormous potential to reliably manage an increasingly complex, digitized, and distributed grid. The International Energy Agency (IEA) even labeled AI and energy “the new power couple,” partly because of AI’s capacity to unlock the flexibility needed to balance supply and demand when the grid has an abundance of variable wind and solar generation.
But AI also provides cybercriminals with an unprecedentedly powerful tool for exploiting vulnerabilities in a power system where so much is happening at the grid’s edge. “Now that we are decentralizing with the energy transition, there are going to be a lot more processes that are occurring by themselves at the device level on the grid edge,” Hollern said. “Providing visibility of that activity to cyber defenders so they can respond to any event faster will be extremely important in this new energy environment.”
Distributed Network Protocol (DNP3) Authentication and Authorization
Over 90 percent of utilities in North America use DNP3 to monitor and control OT devices across their transmission and distribution systems. As more distributed energy resources (DER) like solar and energy storage are interconnected, the need for DNP3 to authenticate grid-connected devices increases significantly. Put another way, assets connecting to a more distributed and digitized grid need to communicate in a common and secure language.
Working with Salt River Project, EPRI will develop and test two communications standards: the Distributed Network Protocol Secure Authentication version 6 (DNP3-SAv6) and the Authorization Management Protocol (AMP). These will be built to authenticate and authorize devices using a zero-trust architecture.
“Zero-trust means that I can’t trust anything that’s talking to me until I have a way to understand that the person on the other side of the computer or the device talking to me is who they say they are,” Hollern said. “If they’re not, they could send me a bad command. They could steal my information. There’s a lot of bad things that can happen. Once you implement a zero-trust architecture that requires authentication and rules that apply to the different roles of devices and people, you significantly increase the entire network’s security.”
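The two controls Hollern describes, proving that the device on the other end holds a credential it should hold and then applying rules tied to its role, can be sketched in a few dozen lines. The following is an added illustration, not EPRI's code and not the DNP3-SAv6 or AMP design (the page does not describe their wire formats): it uses a hypothetical HMAC-SHA256 challenge-response for authentication, a constructed device registry and role table, and a single-use challenge so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed device registry: device id -> (pre-shared key, role).
# In a real deployment the keys would live in an HSM or secure element.
DEVICES = {
    "feeder-rtu-01": (b"constructed-key-rtu-01", "operator"),
    "pv-inverter-07": (b"constructed-key-pv-07", "reporter"),
}

# Role policy: which classes of DNP3-style operation each role may request.
ROLE_PERMISSIONS = {
    "reporter": {"READ"},             # may publish/read measurements only
    "operator": {"READ", "CONTROL"},  # may also issue control commands
}


def sign_request(key: bytes, challenge: bytes, device_id: str, operation: str) -> bytes:
    """Device side: bind the server's challenge to the identity and the
    requested operation, so the tag cannot be reused for another command."""
    msg = challenge + b"|" + device_id.encode() + b"|" + operation.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class ZeroTrustVerifier:
    """Server side: issue single-use challenges, authenticate every request,
    then authorize it against the requesting device's role."""

    def __init__(self, devices=DEVICES, permissions=ROLE_PERMISSIONS):
        self.devices = devices
        self.permissions = permissions
        self.outstanding: set[bytes] = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def authorize(self, device_id: str, operation: str,
                  challenge: bytes, tag: bytes) -> tuple[bool, str]:
        # Nothing is trusted by default: unknown identity, stale challenge,
        # bad tag or insufficient role all end in a refusal.
        if challenge not in self.outstanding:
            return False, "unknown or already-used challenge"
        self.outstanding.discard(challenge)  # consume it even on failure
        entry = self.devices.get(device_id)
        if entry is None:
            return False, "unknown device"
        key, role = entry
        expected = sign_request(key, challenge, device_id, operation)
        if not hmac.compare_digest(expected, tag):
            return False, "authentication failed"
        if operation not in self.permissions.get(role, set()):
            return False, f"role '{role}' is not permitted to {operation}"
        return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Run the four cases a defender cares about and return the verdicts."""
    v = ZeroTrustVerifier()
    results = []
    # 1. legitimate operator issuing a control command
    c = v.new_challenge()
    key, _ = DEVICES["feeder-rtu-01"]
    results.append(v.authorize("feeder-rtu-01", "CONTROL", c,
                               sign_request(key, c, "feeder-rtu-01", "CONTROL")))
    # 2. replay of the same (challenge, tag) pair is refused
    results.append(v.authorize("feeder-rtu-01", "CONTROL", c,
                               sign_request(key, c, "feeder-rtu-01", "CONTROL")))
    # 3. authenticated reporter asking for an operation outside its role
    c = v.new_challenge()
    key, _ = DEVICES["pv-inverter-07"]
    results.append(v.authorize("pv-inverter-07", "CONTROL", c,
                               sign_request(key, c, "pv-inverter-07", "CONTROL")))
    # 4. known identity but wrong key
    c = v.new_challenge()
    results.append(v.authorize("feeder-rtu-01", "READ", c,
                               sign_request(b"wrong-key", c, "feeder-rtu-01", "READ")))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "DENY ", reason)
```

Binding the operation into the signed message is the part that matters most for OT: it lets the server treat "who are you" and "may you do this" as separate checks, which is the shape of the role-based rules the quote describes.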
In the HASE project, EPRI is working with several partners, including Ameren, Southern Company, ConEd, Sygnia, Waterfall Security, Clemson University, and NVIDIA, to develop the next generation of advanced AI hardware to detect and stop cyber attacks. The project implements purpose-built Data Processing Units (DPUs) to provide hardware security and replace traditional Network Interface Cards (NICs). The project will use NVIDIA’s hardware-accelerated DPUs to provide analytics and telemetry in industrial control system components used to control critical infrastructure processes. “The DPUs provide the communications on the network and have onboard capabilities to monitor the traffic locally at the device and detect when a cyberattack may be occurring on that network,” Hollern said.
The detection capabilities provided by the DPU are enhanced by AI, and responses to attacks can be automated or guided by security personnel. Indeed, AI capabilities can pinpoint when activities and processes are normal and when they may indicate an attack is underway. “The device can then take automated actions to start securing itself or hardening itself in real-time during an attack,” Hollern said. “Or it can recommend certain actions, and then a human can decide if they want to take those actions or not.”
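The monitoring the DPU performs locally, learning what the device normally talks to and flagging departures, is a baseline-and-compare problem regardless of the hardware it runs on. The following is an added, deliberately simple illustration of that logic, not the HASE project's analytics and not anything NVIDIA ships: it learns a per-peer baseline from constructed "normal" flow records and then classifies a second batch, separating a never-seen peer, a new service on a known peer, and an unusual data volume, each of which is a different kind of finding for a responder.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarized connection as a DPU might export it (constructed)."""
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed learning-period traffic for one controller (10.1.0.20):
# polled by the SCADA master on DNP3/TCP and by a historian on a vendor port.
BASELINE_FLOWS = [
    Flow("10.1.0.5", "10.1.0.20", 20000, 1800),
    Flow("10.1.0.5", "10.1.0.20", 20000, 2100),
    Flow("10.1.0.5", "10.1.0.20", 20000, 1950),
    Flow("10.1.0.9", "10.1.0.20", 44818, 12000),
    Flow("10.1.0.9", "10.1.0.20", 44818, 11500),
]

# Constructed live traffic containing three departures from that baseline.
LIVE_FLOWS = [
    Flow("10.1.0.5", "10.1.0.20", 20000, 2000),    # normal poll
    Flow("10.1.0.9", "10.1.0.20", 44818, 11900),   # normal historian pull
    Flow("10.1.0.77", "10.1.0.20", 20000, 900),    # peer never seen before
    Flow("10.1.0.5", "10.1.0.20", 22, 300),        # known peer, new service
    Flow("10.1.0.9", "10.1.0.20", 44818, 95000),   # known flow, 8x volume
]


def learn_baseline(flows):
    """Per (src, dst, dport): the largest byte count seen while learning."""
    peak = defaultdict(int)
    for f in flows:
        key = (f.src, f.dst, f.dport)
        peak[key] = max(peak[key], f.nbytes)
    return dict(peak)


def evaluate(flows, baseline, volume_factor=3.0):
    """Return (flow, reason) for each flow that departs from the baseline.

    Reasons are ordered by how alarming they usually are on an OT segment:
    an unknown peer outranks a new port on a known peer, which outranks a
    volume spike on a flow that is otherwise expected."""
    known_pairs = {(s, d) for (s, d, _) in baseline}
    findings = []
    for f in flows:
        key = (f.src, f.dst, f.dport)
        if (f.src, f.dst) not in known_pairs:
            findings.append((f, "unseen_peer"))
        elif key not in baseline:
            findings.append((f, "unseen_service"))
        elif f.nbytes > volume_factor * baseline[key]:
            findings.append((f, "volume_anomaly"))
    return findings


def run_demo():
    return evaluate(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for flow, reason in run_demo():
        print(f"{reason:16s} {flow.src} -> {flow.dst}:{flow.dport} ({flow.nbytes} B)")
```

Because the baseline is keyed on the flows the device itself sees, the same code runs unchanged next to a legacy PLC or a new sensor; that locality is what makes an agentless, in-path monitor attractive for the heterogeneous fleets the utility partners describe below.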
For utilities like Missouri-based Ameren, a partner in the HASE project, the ability to enhance security with minimal disruption is especially appealing. “As a company that operates a wide range of critical infrastructure facilities, we need security detection solutions that are compatible with a wide range of OT equipment,” said Joseph Bradley, Senior Manager of OT Cyber Security for Ameren Digital. “The HASE project is an agentless solution that provides the same visibility and control as an agent but with minimal overhead and impact on the device. These approaches increase interoperability across a wide array of OT devices, from legacy PLCs to modern IoT sensors. Improving the cyber security capabilities of critical infrastructure environments without needing to rip and replace significant components will significantly improve our ability to adapt effectively.”
Southern Company is another utility partner in the project. Like Ameren, Southern Company is enthusiastic about how the research can provide more tools to defend the utility’s assets. “As an operator of a large generating fleet, Southern Company is always looking for ways to improve the visibility and security of the OT network,” said Charles Boohaker, Principal Engineer, Research and Development for Southern Company Services. “That’s why I am excited about the proposed R&D project that aims to develop hardware-based offloading solutions that can integrate with the existing fleet and generate more actionable alerts.”
“Hybrid digital twins model the physical assets, so we understand the actual processes occurring,” Hollern said. “But then we also take live data or historical data from the historian and feed it into the model, and that’s what makes it a hybrid.” This approach can be extremely effective in improving cyber security because a hybrid digital twin can predict how a piece of grid equipment should perform based on certain inputs and determine how cyberattacks would impact the equipment.
Put more simply, a hybrid digital twin allows for comparisons that alert grid operators that a cyberattack is underway. “We can compare the actual performance of the asset to how the asset should be performing based on the digital twin,” Hollern said. “If there is a threat actor that’s attacking that physical system, there will be differences in the performance of that system compared to the digital twin. It is a mechanism to detect when a cyberattack could be occurring.”
Hybrid digital twins do more than just detect when a cyberattack is underway. They also develop attack scenarios that anticipate the impact of an attack on a utility’s physical systems. This is helpful information in constructing defenses and responses. “By developing the attack scenarios, we can start to characterize physical equipment impacts based on the type of attacks that could occur on that system,” Hollern said. “By simulating those attacks on the digital twin, it’ll give us a library of what to look for and what to expect. When those types of attacks actually occur, it won’t be the first time defenders will have seen them, and they can move more quickly to respond.”
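The two uses Hollern describes, comparing live historian data against what the model says the asset should be doing, and running attack scenarios on the model ahead of time, can both be shown with one small twin. The following is an added example and not EPRI's digital twin: the physical model is a hypothetical first-order thermal model of transformer oil temperature, the historian series are constructed, and the "attack" is a constructed sensor-value falsification that begins at sample 30. The detector requires the residual to stay outside a band for several consecutive samples, so ordinary sensor noise does not raise alerts.

```python
from dataclasses import dataclass


@dataclass
class TransformerTwin:
    """Hypothetical, simplified thermal model: oil temperature relaxes toward
    ambient + k * load^2 with time constant tau (in samples)."""
    tau: float = 10.0
    k: float = 40.0  # degC temperature rise at rated load (load = 1.0)

    def step(self, temp: float, load: float, ambient: float) -> float:
        target = ambient + self.k * load ** 2
        return temp + (target - temp) / self.tau

    def predict(self, t0: float, loads, ambients):
        """Run the model forward from t0 over the recorded inputs."""
        temps, t = [], t0
        for load, amb in zip(loads, ambients):
            t = self.step(t, load, amb)
            temps.append(t)
        return temps


def detect_deviation(predicted, measured, threshold=2.0, persistence=3):
    """Indices at which a sustained twin-vs-measurement mismatch is confirmed.

    A residual must exceed `threshold` for `persistence` consecutive samples;
    each sustained run produces one alert, at the sample that confirms it."""
    alerts, run = [], 0
    for i, (p, m) in enumerate(zip(predicted, measured)):
        if abs(m - p) > threshold:
            run += 1
            if run == persistence:
                alerts.append(i)
        else:
            run = 0
    return alerts


# Constructed historian inputs: 60 samples, ambient 25 degC, load at 0.5
# for 20 samples then ramping to 0.9.
N = 60
AMBIENT = [25.0] * N
LOADS = [0.5 if i < 20 else min(0.9, 0.5 + 0.02 * (i - 20)) for i in range(N)]
T0 = 25.0 + 40.0 * 0.5 ** 2  # steady state at the initial load


def constructed_measurements(spoof_from=None, spoof_offset=-6.0):
    """Constructed sensor data: model output plus alternating +/-0.2 noise,
    with an optional falsified offset from index `spoof_from` onward."""
    truth = TransformerTwin().predict(T0, LOADS, AMBIENT)
    out = []
    for i, t in enumerate(truth):
        val = t + (0.2 if i % 2 == 0 else -0.2)
        if spoof_from is not None and i >= spoof_from:
            val += spoof_offset
        out.append(val)
    return out


def detect_on_historian(spoof_from=None):
    twin = TransformerTwin()
    predicted = twin.predict(T0, LOADS, AMBIENT)
    return detect_deviation(predicted, constructed_measurements(spoof_from))


def simulate_scenario(twin: TransformerTwin, inject_from: int, forced_load: float):
    """Build one 'library' entry: the temperature trajectory the twin expects
    if an attacker forces the load setpoint from `inject_from` onward."""
    loads = [forced_load if i >= inject_from else l for i, l in enumerate(LOADS)]
    return twin.predict(T0, loads, AMBIENT)


if __name__ == "__main__":
    print("alerts without spoofing:", detect_on_historian())
    print("alerts with sensor spoof from sample 30:", detect_on_historian(30))
    base = TransformerTwin().predict(T0, LOADS, AMBIENT)
    overload = simulate_scenario(TransformerTwin(), 30, 1.2)
    print(f"expected peak: normal {max(base):.1f} degC, overload scenario {max(overload):.1f} degC")
```

The detector here is the "compare actual to expected" mechanism from the previous paragraph; `simulate_scenario` is the "library of what to look for" from this one, run before any incident so that the trajectory an overload would produce is already on file when a real one starts.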
As the electric power system continues to evolve, so too will the threats against it. These collaborative projects will build on EPRI’s long history of cyber security research and help develop the tools needed to ensure that a transformed electricity sector is safer, more reliable, and more resilient than ever before.