NREL Develops System to Wall Off Smart Grid from Hackers

The National Renewable Energy Laboratory (NREL) is developing communication and control devices that could be used by utilities to help prevent hackers from potentially damaging electrical equipment and causing localized power outages.

The two-way communications technologies work like an independent "electricity-only internet" with access restricted to utilities. They are aimed at giving utilities greater situational awareness of their grid and permit them to respond quickly to disturbances.

The test bed can be applied to cybersecurity for online energy devices like wind turbines. Image credit: NREL/Dennis Schroeder.

To develop the technologies, NREL built the Test Bed for Secure Distributed Grid Management, a hardware system that mimics the communications, power systems and cybersecurity layers for a utility's power distribution system. It includes the hardware and software that utilities use to control a distribution system. That includes a distribution management system, enterprise data management system and two substation management systems. In turn, the substation management systems can interact with real field equipment, such as electric storage systems and electric vehicle chargers, as well as computer-simulated devices, such as solar photovoltaic systems.

To help ensure the test bed's security, it includes a system that hides a "token" within the first packet of each communication session. If a hacker gets into the system and tries to establish his or her own communication session, the packet will be rejected because it lacks the hidden token. Other technologies "cloak" the network from unauthorized users, so that hackers can't detect the computer server. Another approach maintains a so-called "airgap" which is an information exchange with no network connectivity.

"In three and a half months, we were able to pull a real-scale test bed together, attack it and figure out what works and what doesn't work from a protection perspective," says Erfan Ibrahim, director of NREL's Cyber Physical Systems Security and Resilience Center. "Now we're going to share our findings with the industry to accelerate the adoption of empirically proven cybersecurity controls to protect critical infrastructure."

The team's intent is to invite cybersecurity product vendors and system integrators to experiment with and refine the test bed. Once ready, the test bed will be opened to utilities and product developers for their use; the team is currently targeting early 2016.

Meanwhile, the project has already yielded insights for the NREL research team. "One lesson was that protocols will not provide security in themselves; it's how you dress up the system that gives you the ultimate security," Ibrahim says.

The cybersecurity test bed relies mainly on devices that tap into the data streams, rather than being an in-line part of the communications. That makes it virtually impossible for a hacker to defeat those devices. The test bed also keeps the communications, control and cybersecurity layers separate to help isolate unwanted intrusions. Visualization tools show any unusual, unexpected connections (say, to Siberia) or any strange behavior, such as when the command arriving at a field device is not the same command that came from the control center.

Ibrahim also sees a potential industrial use of the test bed in verifying the cybersecurity of new grid-connected commercial products.

"Before you go deploying something out in the field, don't just take a point test in the lab and extrapolate to production; you need something in between," Ibrahim says. "With our power-hardware-in-the-loop testing in our test bed, we can scale up and run full-scale experiments—some real, some simulated—before a company goes into production with a new product."

Although the test bed was designed to handle power distribution grids, Ibrahim says it can be applied to cybersecurity for other online energy devices such as electric vehicles, wind turbines, home energy networks, thermostats and demand-response systems.