
Deep Cyberia: How ORNL protects the grid and keeps the lights on

When the power lines stop humming, the world around them stops, too.

In the shadow of the transformers and substations that help move electricity around the nation, Oak Ridge National Laboratory researchers work to advance the science of national security and keep the power grid safe from interference, whether by terrorists, hackers, or natural disaster.

It’s no easy task for analysts and engineers contending with a far-flung spiderweb of local utility systems, mostly patched together over the past century with little thought of cybersecurity, digital components or the Internet.

“These systems were designed to be simple yet remarkably reliable without any cyberprotective features whatsoever,” said Juan Lopez, who leads ORNL’s Energy and Control Systems Security Group, part of what will become the Cyber Resilience and Intelligence Division of the National Security Sciences Directorate after Oct. 1. “People expect to flip a switch and watch the lights come on. Adding cybersecurity now is like trying to put all the security features of an iPhone on an eight-track tape.”

Interdisciplinary teams from across the Laboratory have taken up the challenge to advance the science underpinning cybersecurity, which is complicated by the need to keep the grid running as work takes place.

“The grid must stay operationally functional around the clock, every day,” Lopez said. “People, businesses, and government depend on it nonstop. How do we tighten up cybersecurity without turning everything off and replacing it?”

Lopez and his team aim to probe deeper, beyond the typical security upgrade. Most systems monitor the grid from the outside. That approach works until sophisticated hackers take control of the digital displays to conceal their presence – the equivalent of looping video on a security camera or cutting an alarm wire. Disruptions might not trigger an alert at first, costing repair crews precious time.

What if utility operators could monitor the grid from the inside out? A volt’s-eye-view would allow agencies to monitor power generation and transmission, water treatment, traffic signaling, and other activity as it happens. Surges and outages could be spotted – even predicted – in an instant.

Achieving that kind of insight requires digging down through layer upon layer of hardware, software, relays and switches down to the individual sensors, typically built with legacy equipment older than the digital era. Blueprints for some systems no longer exist, and most of the original technicians who strung the wires, connected the circuits and mapped the networks in their heads a generation ago have retired or died.

“We basically design security for systems at higher levels where inter-networking protocols exist,” Lopez said. “Where the rubber meets the road is at the boundary of the sensor level and the actual physical system. A lot of the devices at this level use analog signals. They’re often not interoperable with other models. They’re not meant to be accessible to the outside world. They were built to last a couple of decades before needing replacement. If you cut that system off from all the layers above it, the physical system at the bottom level will keep functioning on its own as long as it goes undisturbed. That’s where we need to be, at the sensor’s edge.”

Lopez and his team coined a name for their undiscovered territory: “Deep Cyberia.” Getting there takes not dogsleds and snowshoes but careful study and manipulation of the surface data. Lopez compares the approach to a geologist digging through layers of snow and permafrost to collect soil samples. Analysts can crunch the numbers, run tests and build high-speed computer models to learn patterns and predict how a system will behave.

The vast differences from one utility to another mean the model for one system won’t necessarily work for others. Lopez and his team hope to use their findings to build a digital twin – a virtual model that can simulate various utility grids and offer not just real-time tracking but also the ability to compress time and distance to spot trouble before it strikes.

“The digital twin would be an exact clone of the real system,” he said. “You can replicate distance up to hundreds or thousands of miles. You can step the voltage up or down. Say somebody plants malware. The twin can load the system and run a simulation of 24 hours of activity in the space of one hour to see what triggers the malware to go off. You can see the whole thing in slow motion as it happens to learn the pathology – as long as you can get the twin to behave like the real system.”

With enough time, data and computing power, scientists could use artificial intelligence to act like a mechanical immune system, making measurements and collecting other data to anticipate outages or peak demand, cut off damaged networks and fix problems before operators even notice – what ORNL researchers describe as a self-aware, self-healing network. A demonstration at ORNL spotted a cyberattack in progress, despite hacked readouts that falsely showed everything as normal.

Lopez expects more researchers to join his mission as ORNL expands its cybersecurity research and development programs. As the power lines keep humming, he and his team keep digging – and Deep Cyberia gets a little closer.

~ Matt Lakin, NSSD Science Writer