In 2015 and 2016, hackers caused massive power outages in Ukraine during one of the coldest times of the year. The December 2015 attack, which left 225,000 Ukrainians without electricity for the better part of a day, was the first known instance of a successful cyberattack on a nation's power grid. Ukrainian officials blamed the Russian government, calling the acts a demonstration of Russia's cyberwarfare capability. An investigation concluded that the hackers, however they were supported, had been in the system undercover for some six months.
In both attacks, the hackers targeted what are called supervisory control and data acquisition, known as SCADA, systems, which use computers and networked data communications to monitor and manage the processing of machinery, such as a generator, at the substation level. The SCADA network is essentially the brain of the operation. Gain control of it, and hackers can cause all sorts of mayhem. They can destroy the system's firmware or command the equipment to spin too fast or too slow, causing it to malfunction or shut down altogether. "This machinery has to operate at a very precise and coordinated frequency, and once it's damaged there is no quick fix or way to reset the system," says Yair Amir, a Johns Hopkins professor of computer science. Imagine remotely taking control of a truck and driving it off a cliff. "You can't undo that damage. It's game over," he says.
SCADA systems and power stations in the United States aren't exactly defenseless. Their networks sit behind robust firewalls. Complex system passcodes are changed frequently. But experts say there are holes in the system. Amir and a team of doctoral students at Johns Hopkins' Distributed Systems and Networks Lab feel we can do better—they want an unhackable power grid.
The result of their work is Spire, the world's first SCADA architecture security system that takes into account attacks at both the system (computer) and the network level, while meeting the timeliness requirements of power grid monitoring and control systems within a 200-millisecond threshold. Spire, seeded by a grant from DARPA, the U.S. Defense Advanced Research Projects Agency, features a SCADA master, a proxy server and software designed from scratch, and a human-machine interface that monitors and controls the system. One key element of Spire is its use of replication, essentially a predetermined set of SCADA copies—six or 12 depending on what it's protecting—that work together to maintain the current and optimal state of operation. For the system to function, the substations need to receive matching commands from a critical mass of these SCADA replicas. Even if a hacker were to take over one SCADA replica, the system would ignore any message it sends. Four out of six, for example, would have to say "spin faster" simultaneously.
To give the hackers a moving target, the SCADA replicas are periodically turned off, wiped clean, and then rebooted with a different and random attack surface. To a hacker, they essentially respawn with new identities. All this happens with no system downtime, as enough are kept active to keep things running. "They would need a coordinated attack to infiltrate several copies at the same time," Amir says. "The bar for them to climb over is that much higher."
Damaging just a few power stations could have a devastating effect. Over time, the power grid has become more connected to lower the probability that people will lose power. If a power company that serves one city or region goes offline, the grid can borrow power from a neighboring source. "If you can take down a relatively small but strategic group of generators, you can take out a widespread portion of the grid," says Thomas Tantillo, a Johns Hopkins doctoral student in Computer Science and co-creator of the system along with Amy Babay, also a doctoral student in that department. "It can have a very large impact."
In spring 2017, the Department of Defense tested the defense ability of Spire by handing it over to a team of white-hat hackers from Sandia National Laboratories. The team first attempted to take control remotely of an off-the-shelf SCADA system, which they did successfully within hours. The team, however, could not hack into the Spire system, even given three days and the source code. "All their attacks failed," Amir says. "They eventually gave up." In early 2018, Spire was test-deployed for a week by Hawaiian Electric Company at one of its mothballed power generation stations. The Spire system effectively controlled three of the station's breakers without fault, and in fact worked faster than commercial systems in terms of reaction time.
Despite the threat of cyberattacks, Amir says the nation's energy providers are highly regulated and resistant to change because the system works. "The prevailing thought is, We're going to be OK. We're still here, right?" says Amir with a smile. "That is one approach, but for me that doesn't hold water. If you have people who know what they're doing, they can break in."
Currently, Spire is available as open source on the Distributed Systems and Networks Lab's website, meaning any SCADA system developer can use the plans and source code to modify their equipment. But so can the bad guys, right? Amir isn't worried. "We're not doing security by obscurity, which routinely doesn't work," he says. "We're doing it in the open, and with more eyes on this system to make it even more resilient."