In 2015 and 2016, hackers caused massive power outages in Ukraine during one of the coldest times of the year. The December 2015 attack, which left 225,000 Ukrainians without electricity for the better part of a day, was the first known instance of a successful cyberattack on a nation’s power grid. Ukrainian officials blamed the Russian government, calling the acts a demonstration of Russian cyberwarfare. An investigation concluded the hackers, however they were supported, had been in the system undercover for some six months.
In both attacks, hackers targeted what are called supervisory control and data acquisition (SCADA) systems, which use computers and networked data communications to monitor and manage machinery, such as generators, at the substation level. The SCADA network is essentially the brains of the operation. Gain control of it and you can cause all sorts of mayhem. Hackers can destroy the system’s firmware or command the equipment to spin too quickly or too slowly, causing malfunctions or shutdowns.
“This machinery has to operate at a precise and coordinated frequency, and once it’s damaged there is no quick fix or way to reset the grid,” says Yair Amir, a Johns Hopkins professor of computer science.
SCADA systems and power stations in the United States aren't exactly defenseless. Their networks are said to sit behind strong firewalls, and complex passcodes are changed frequently. But experts say there are holes in the system. Amir and a team of doctoral students at Johns Hopkins’ Distributed Systems and Networks Lab believe we can do better; they want an unhackable power grid.
The result of their work is Spire, the world’s first SCADA architecture security system that takes into account attacks at both the system (computer) and network levels while meeting the requirements of power grid monitoring and control systems within a 200-millisecond threshold. Spire, seeded by a grant from the U.S. Defense Advanced Research Projects Agency (DARPA), consists of a SCADA master, proxy server, software written from scratch, and controls that also monitor the security system.
Spire makes use of replication in the form of a predetermined set of six or 12 SCADA copies, depending on what’s being protected. To get access to the grid, for example, the substations must receive matching commands from a certain number of SCADA replicas. Even if a hacker took over one SCADA replica, the grid would ignore any message it sends. Four out of six, for example, would have to give the same command simultaneously.
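An added illustration of the matching-commands rule described above, not code from Spire or the article: a hypothetical substation-side proxy releases a command only when four of six replicas send the same one. The per-replica HMAC keys, message layout and all names are assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict

N_REPLICAS = 6   # replica count from the article's example
THRESHOLD = 4    # "four out of six" must agree

# Constructed per-replica keys (assumption: each replica authenticates with its own key).
KEYS = {rid: f"constructed-key-{rid}".encode() for rid in range(N_REPLICAS)}


def sign(replica_id, seq, command, key=None):
    """Build one replica's authenticated message for a sequence number."""
    key = KEYS[replica_id] if key is None else key
    body = f"{replica_id}|{seq}|{command}".encode()
    return {"replica": replica_id, "seq": seq, "command": command,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


class SubstationProxy:
    """Hypothetical proxy: releases a command only on a matching quorum."""

    def __init__(self):
        self.votes = defaultdict(dict)   # seq -> {replica_id: command}
        self.executed = {}               # seq -> command already released

    def receive(self, msg):
        rid, seq, cmd = msg["replica"], msg["seq"], msg["command"]
        if rid not in KEYS or seq in self.executed:
            return None                  # unknown sender or already decided
        body = f"{rid}|{seq}|{cmd}".encode()
        expected = hmac.new(KEYS[rid], body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return None                  # forged or tampered message
        # One vote per replica per sequence number; repeats cannot add weight.
        self.votes[seq].setdefault(rid, cmd)
        matching = sum(1 for c in self.votes[seq].values() if c == cmd)
        if matching >= THRESHOLD:
            self.executed[seq] = cmd
            return cmd                   # quorum reached: act on the command
        return None


def run_demo():
    proxy = SubstationProxy()
    # Constructed scenario: replica 5 repeats a conflicting command ten times.
    results = [proxy.receive(sign(5, 1, "OPEN breaker-3")) for _ in range(10)]
    results += [proxy.receive(sign(r, 1, "CLOSE breaker-3")) for r in range(4)]
    return results
```

The single dissenting replica never gains weight by repeating itself, and the command is released only when the fourth matching vote arrives.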
To provide the hackers with a more difficult target to hit, the SCADA replicas are periodically turned off, wiped clean, and rebooted with a different and random attack surface. To a hacker, they essentially are reborn with new identities. All this happens with no system downtime, as enough are kept active to keep things running. “They would need a coordinated attack to infiltrate several copies at the same time,” Amir says. “The bar for them to climb over is that much higher.”
But damaging just a few power stations could be devastating. Over time, the power grid has become more connected so that it’s less likely people will lose power. If a power company that serves one city or region goes offline, the grid can borrow power from a neighboring power plant.
“If you can take down a relatively small but strategic group of generators, you can take out a widespread portion of the grid,” says Thomas Tantillo, a Johns Hopkins doctoral student in computer science and co-creator of the system, along with Amy Babay, also a doctoral student in that department. “It can have a large impact.”
In spring 2017, the Department of Defense tested Spire by handing it over to a team of white-hat hackers from Sandia National Laboratories. The team first attempted to take control remotely of an off-the-shelf SCADA system, which it did successfully within hours. The team, however, could not hack into Spire, even after being given three days and the source code.
“All their attacks failed,” Amir says. “They eventually gave up.”
In early 2018, Spire was tested for a week by Hawaiian Electric Co. at one of its mothballed power-generation stations. Spire effectively controlled three of the station’s breakers without fault, and in fact worked faster than commercial systems in terms of reaction time.
Despite the threat of cyberattacks, Amir says the nation’s energy providers are highly regulated and resist change because everything seems to work. “The prevailing thought is, ‘We’re going to be okay. We’re still here, right?’” says Amir. “That is one approach, but for me that doesn’t hold water. People who know what they’re doing can break in.”
Currently, Spire is available as open source on the Distributed Systems and Networks Lab’s website, meaning any SCADA system developer can use the plans and source code to modify their equipment. But so can the bad guys, right? Amir isn’t worried. “We’re not doing security by obscurity, which routinely doesn’t work,” he says. “We’re doing it in the open, and with more eyes on this system to make it even more resilient.”