Several single-board computers with Sandia National Laboratories’ neural-network AI connected into the Public Service Company of New Mexico’s test site. The Sandia researchers are testing how well the code can detect cyberattacks and physical issues in the real world. (Image: Bret Latter)

The electric grid powers everything from traffic lights to pharmacy fridges. However, it regularly faces threats from severe storms and advanced attackers.

Researchers at Sandia National Laboratories have developed brain-inspired AI algorithms that detect physical problems, cyberattacks, and both at the same time within the grid. And this neural-network AI can run on inexpensive single-board computers or existing smart grid devices.

“As more disturbances occur, whether from extreme weather or from cyberattacks, the most important thing is that operators maintain the function and reliability of the grid,” said Shamina Hossain-McKenzie, Cybersecurity Expert and Project Leader. “Our technology will allow the operators to detect any issues faster so that they can mitigate them faster with AI.”

Here is an exclusive Tech Briefs interview, edited for length and clarity, with Hossain-McKenzie.

Tech Briefs: The article I read says, “The biggest challenge in detecting cyber physical attacks is combining the constant stream of physical data with intermittent packets of cyber data.” Can you talk about how the team used data fusion to overcome this, please?

Hossain-McKenzie: Because we're looking at these very diverse data streams, the cyber data is sampled at a different level, and the power system data is sampled much faster because we're worried about dynamic issues. So, a lot of our work was first around feature analysis, which features do we need to look at for effective detection. But second was windowing. There was a lot of work in varying the windowing to achieve these cyber physical data sets that we could then feed into the autoencoder neural networks.

Tech Briefs: Can you explain in simple terms how the technology works?

Hossain-McKenzie: We prototyped it on a single-board computer, but we also developed software containers. So, it could be that single-board computer that's retrofitted into a system, or it could be a software container on an existing grid security device. The device itself is collecting cyber and physical data. Either it could query for those data streams or be a bump-in-the-wire on, say, communication traffic to do that. Or, if you already have that data being collected by your network sensor or your phasor measurement units, we can tap into that data. So, by collecting that data, we do our pre-processing and cleaning steps and that feature analysis as I mentioned, and that's fed into the autoencoder neural networks. Autoencoder neural networks, of course, are trying to encode and decode patterns in the data.

It has a model of what it expects a normal signal to look like. As we feed in our new data sets, it produces the signal, it reconstructs the signal, and it will actually output a reconstruction error comparing our actual signal to our normal model of a signal. That reconstruction error enables us to understand, ‘Do I have an anomaly going on?’

Sandia National Laboratories cybersecurity expert Adrian Chavez, left, and computer scientist Logan Blakely work to integrate a single-board computer with their neural-network AI into the Public Service Company of New Mexico’s test site. This code monitors the grid for cyberattacks and physical issues. (Image: Bret Latter)

Furthermore, we have reconstruction errors per feature, per cyber and physical feature. That's how we can start to understand ‘Am I having a purely cyber event, a purely physical event, or a combined cyber physical event’ by looking at those per-feature reconstruction errors. Then of course, in normal operation the reconstruction errors are low, so I don't have an event going on. So that's a high-level view of how the classification works. But the grid DNA technology is also a distributed anomaly detection.

So, we have multiple grid DNA sensors, and they can have peer-to-peer communication. They can share data and also alerts, and we can start understanding if we have an event propagating. We also developed local, enclave, and global grid DNA sensors. The local being what I described at that individual location, tapping into data sets at, say, a specific component level.

Then within the single owner system we can have multiple grid DNA sensors, and that's where we do the enclave analysis. I can have the raw data streams, the classification output from the individual local grid DNA sensors, and then this broader situational awareness on whether an event is propagating and how I alert other systems.

And then lastly, the global grid DNA sensor: what if we had multiple system owners? What if you had private wind systems connected to a utility distribution system? How do we alert between them? In this case, I don't want to share raw data or my system topology. And in that case, we developed kind of obfuscated alerts and more, ‘Hey, you have a cyber-attack that may be coming in here, some details.’ In that case, we also developed a secure data exchange type of methodology so that we can secure information exchange in that manner.
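As an added illustration of the answer above (not Sandia's grid DNA code), this fuses a fast physical stream with intermittent cyber packets into fixed windows and classifies each window as normal, cyber, physical, or cyber-physical from which feature group's error exceeds a threshold. A per-feature mean/std baseline stands in for the trained autoencoder's reconstruction error; the window width, feature names, threshold and sample streams are constructed assumptions.

```python
from statistics import mean, pstdev

CYBER_FEATURES = {"pkt_count", "pkt_bytes"}      # features derived from network packets
PHYSICAL_FEATURES = {"volt_min", "freq_dev"}     # features derived from PMU-style samples

def fuse_window(physical, cyber, t0, width=1.0):
    """Fuse fast physical samples and sparse cyber packets into one vector for [t0, t0+width)."""
    p = [s for s in physical if t0 <= s[0] < t0 + width]   # (t, voltage_pu, frequency_hz)
    c = [s for s in cyber if t0 <= s[0] < t0 + width]      # (t, bytes)
    return {
        "volt_min": min((v for _, v, _ in p), default=1.0),
        "freq_dev": max((abs(f - 60.0) for _, _, f in p), default=0.0),
        "pkt_count": float(len(c)),
        "pkt_bytes": float(sum(b for _, b in c)),
    }

def fit_baseline(windows):
    """Per-feature mean/std over normal windows; a stand-in for the trained autoencoder."""
    model = {}
    for k in windows[0]:
        values = [w[k] for w in windows]
        model[k] = (mean(values), pstdev(values) or 1.0)  # flat feature: unit scale, no divide-by-zero
    return model

def reconstruction_errors(baseline, window):
    """Normalized per-feature error between the observed window and the normal model."""
    return {k: abs(window[k] - m) / s for k, (m, s) in baseline.items()}

def classify(errors, threshold=3.0):
    """Purely cyber, purely physical, combined, or normal, from which feature groups exceed threshold."""
    cyber = any(errors[k] > threshold for k in CYBER_FEATURES)
    physical = any(errors[k] > threshold for k in PHYSICAL_FEATURES)
    return {(False, False): "normal", (True, False): "cyber",
            (False, True): "physical", (True, True): "cyber-physical"}[(cyber, physical)]

def make_streams():
    """Constructed data: five normal 1 s windows, then a packet flood, a voltage sag, and both."""
    physical, cyber = [], []
    for w in range(8):
        voltage = 0.8 if w in (6, 7) else 1.0 - 0.005 * (w % 2)  # slight window-to-window jitter
        packets = 20 if w in (5, 7) else 2
        physical.extend((w + i / 10, voltage, 60.0) for i in range(10))   # 10 samples/s
        cyber.extend((w + j / packets, 100) for j in range(packets))
    return physical, cyber

def run_demo():
    physical, cyber = make_streams()
    windows = [fuse_window(physical, cyber, float(t)) for t in range(8)]
    baseline = fit_baseline(windows[:5])          # learn "normal" from the first five windows
    return [classify(reconstruction_errors(baseline, w)) for w in windows]
```

Calling `run_demo()` labels the first five windows normal, then cyber, physical and cyber-physical in turn.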

Tech Briefs: Do you have any set plans for further research, work, etc.? And, if not, what are your next steps?

Hossain-McKenzie: First, I think the most unique thing about our grid DNA technology is that not only are we doing this distributed anomaly detection, but we're also incorporating the physics layer. So, we're having cyber physical analysis. So when we say we can extend to other critical infrastructure systems, oftentimes the operational technology or OT communication network is pretty similar. We have similar protocols, and so we can adapt to those networks easily and leverage a lot of the data sets that we already know. But what would change when you adapt to a different critical infrastructure is the physics data. That's where we think it takes a little work: if I understand what the power system operation should be and the metrics that I need to track to understand normal vs. abnormal operation, like voltage, current, and frequency, then for a water system, what are the flows and pressures that I need to track?

Then we are looking into extending into, say, the nuclear power domain and understanding what are the nuclear power-type metrics that we need to look at, interconnected with, say, the electric grid system.



Transcript

00:00:01 [Music] We developed grid DNA which is a cyber physical situational awareness sensor that helps defend critical infrastructure systems by improving their cyber security. And it does this by collecting cyber physical data across a critical infrastructure system and using advanced data fusion and AI methods to detect abnormal events and

00:00:26 also unearth any cyber physical interdependencies we may have been unaware of before. Overall it helps improve the accuracy of detection of those cyber physical events including cyber attacks, also the speed of mitigation to help restore the system to a normal operation, and then finally also helps improve the coordination between system operators as well as

00:00:47 cyber defenders. The historical separation between cyber security teams and system operators is no longer feasible for the modern electric grid. For example, in our local utility, those teams are housed in separate buildings, literally siloed. But the threats cross over those boundaries and cyber intrusions impacting physical systems are increasingly common. The overarching

00:01:08 focus of grid is to determine how cyber physical situational awareness can improve monitoring capabilities and overall transform how critical infrastructure planning, operation, and mitigation is conducted and also addressing the cyber physical gap in the critical infrastructure data ecosystem. Our work with unsupervised artificial intelligence in the realm of cyber

00:01:29 physical data fusion represents a cutting-edge approach to critical infrastructure security. By leveraging AI algorithms, we are able to autonomously analyze and integrate vast amounts of data from both cyber and physical sources. This dynamic AI-driven capability ensures that our critical infrastructure remains resilient and secure. Grid DNA is a first-of-its-kind

00:01:49 cyber-physical monitoring capability that revolutionizes critical infrastructure cyber security and it does this by detecting cyber physical events more accurately and in a faster manner such that system operators as well as cyber defenders can coordinate their response and stop the system impact before it gets too serious. We can also understand how these cyber-physical events are

00:02:12 impacting the system, how they're going to be propagating and understand those early indicators of compromise such that we can detect them even before system impact occurs using cyber data and physical data from multiple sources and then leveraging AI based tools to extract insights. This provides system operators a holistic view of the system which they've never had before and the

00:02:32 increasing complexities require tools like this to ensure safe and secure operation of the system. Grid DNA is revolutionizing how we do critical infrastructure cyber security through its cyber physical monitoring and analysis capabilities. Specifically it is really helping match the system operators as well as the cyber defenders such that they can have much faster

00:02:53 detection of cyber physical events occurring in the system, understand which cyber-physical events need coordination and response between the two teams, and then finally also understanding when to deploy that response in an intelligent manner such that we can mitigate any system impact and prevent the system from deteriorating. And so overall grid DNA is

00:03:14 greatly improving the resilience of critical infrastructure systems to cyber attacks or any other type of disturbance and also helping us understand our cyber physical system and its interdependencies. Please.