Researchers at Georgia Tech have discovered that side channel signals and bolts of lightning from distant storms could one day help prevent hackers from sabotaging electric power substations and other critical infrastructure.
Side channel signals and bolts of lightning from distant storms could one day help prevent hackers from sabotaging electric power substations and other critical infrastructure, a new study found.
By analyzing electromagnetic signals emitted by substation components using an independent monitoring system, security personnel could tell if switches and transformers were being tampered with in remote equipment. Background lightning signals from thousands of miles away would authenticate those signals, preventing malicious actors from injecting fake monitoring information into the system.
The research, done by engineers at the Georgia Institute of Technology, has been tested at substations with two different electric utilities, and by extensive modeling and simulation. It is known as radio frequency-based distributed intrusion detection system (RFDIDS).
āWe should be able to remotely detect any attack that is modifying the magnetic field around substation components,ā said Raheem Beyah, Motorola Foundation Professor in Georgia Techās School of Electrical and Computer Engineering . āWe are using a physical phenomenon to determine whether a certain action at a substation has occurred or not.ā
Opening substation breakers to cause a blackout is one potential power grid attack, and in December 2015, that technique was used to shut off power to 230,000 persons in the Ukraine. Attackers opened breakers in 30 substations and hacked into monitoring systems to convince power grid operators the grid was operating normally. Topping that off, they also attacked call centers to prevent customers from telling operators what was happening.
Easy to hack
āThe electric power grid is difficult to secure because it is so massive,ā Beyah said. āIt provides an electrical connection from a generating station to the appliances in your home. Because of this electrical connection, there are many places where a hacker could potentially insert an attack. Thatās why we need an independent way to know whatās happening on grid systems.ā
That independent approach would use an antenna located in or near a substation to detect the unique radio-frequency āside channelā signatures produced by the equipment. The monitoring would be independent of systems now used to monitor and control the grid.
āWithout trusting anything at all on the grid, we can use an RF receiver to determine if an impulse occurred in the shape of an āopenā operation,ā Beyah said. āThe system operates at 60 Hz, and there are few other systems that operate there, so we can be sure of what weāre monitoring.ā
However, hackers might be able to figure out how to insert fake signals to hide their attacks. Thatās where the lightning emissions known as āsfericsā come in.
āWhen a lightning flash hits the ground, it forms an electrical path miles tall, potentially carrying hundreds of thousands of amps of current, so that makes for a really powerful antenna radiating energy,ā said Morris Cohen, an associate professor in the Georgia Tech School of Electrical and Computer Engineering. Each flash creates signals in the very low frequency (VLF) band, which can reflect from the upper atmosphere to travel long distances.
āSignals from lightning can zigzag back and forth and make it all the way around the world,ā Cohen noted. āLightning from South America, for example, is easily detectable in Atlanta. Weāve even seen lightning echo multiple times around the world.ā
Compare lightning
Security staff remotely monitoring substations would be able compare the lightning behind the 60 Hz substation signals to lightning data from other sources, such as one of the 70,000 or so other substations in the United States or a global lightning database. That would authenticate the information. Since lightning occurs more than three million times every day on average, there is plenty of opportunity to authenticate, he said.
āEven if you could synthesize the RF receiverās data feed digitally, generating something realistic would be difficult because the shape of the pulse from lightning detected by our receivers varies as a function of the distance from the lightning, the time of day, latitude and more,ā Cohen said. āIt would take a lot of real-time computation and knowledge of sophisticated physics to synthesize the lightning signals.ā
Working with two different electric utilities, the researchers ā including graduate research assistant Tohid Shekari ā analyzed the RF signals produced when breakers were turned off for substation maintenance. They also used computer simulations to study a potential attack against the systems.
āThe signal from a lightning stroke is very distinct ā it is short, around a millisecond, and covers a huge frequency range,ā Cohen said. āThe only other process on Earth that is known to generate something similar is a nuclear explosion. The emissions from the power grid are very different and none of it looks like a pulse from lightning, so it is easy enough to separate the signals.ā
The researchers have filed a provisional patent on RFDIDS, and hope to further refine the security strategy, which independent of equipment manufacturer. Beyah believes there could be applications beyond the power industry for remote monitoring of other RF-emitting devices. The system could tell transit operators if a train were present, for example.
āThe power grid is our most critical piece of infrastructure,ā Beyah said. āNothing else matters if you donāt have electrical power.ā
This content originally appeared onĀ ISSSource.com.Ā ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media,Ā [email protected].
