Device “Fingerprinting” Could Help Protect the Grid
By Engineering360 News Desk | March 08, 2016

Researchers at the Georgia Institute of Technology have developed a technique that uses the unique electronic “fingerprints” of devices on electrical grid control networks to determine which signals are legitimate and which might come from attackers.
“We have developed fingerprinting techniques that work together to protect various operations of the power grid to prevent or minimize spoofing of packets that could be injected to produce false data or false control commands into the system,” says Raheem Beyah, associate professor of electrical and computer engineering. “This is the first technique that can passively fingerprint different devices that are part of critical infrastructure networks.”
The networked systems controlling the U.S. electrical grid and other industrial systems often lack the ability to run modern encryption and authentication systems, and the legacy systems connected to them were never designed with network security in mind. Because they are distributed around the country, often in remote areas, the systems are also difficult to update using the “patching” techniques common in computer networks. On the electric grid, keeping the power on is the priority, so security measures cannot be allowed to cause delays or shutdowns.
The device-fingerprinting approach has been successfully tested in two electrical substations. Image credit: Fitrah Hamid/Georgia Tech.

Beyah and his students and colleagues in Georgia Tech’s George W. Woodruff School of Mechanical Engineering set out to develop security techniques that take advantage of the unique physical properties of the grid and the consistent type of operations that take place there.
For instance, control devices used in the power grid produce signals that are distinctive because of their unique physical configurations and compositions. Security devices listening to signals traversing the grid’s control systems can differentiate between these legitimate devices and signals produced by equipment that is not part of the system.
Another aspect of their work takes advantage of simple physics. Devices such as circuit breakers and electrical protection systems can be told to open or close remotely, and they then report on the actions they’ve taken. The time required to open a breaker or a valve is determined by the physical properties of the device. If an acknowledgement arrives too soon after the command is issued—less time than it would take for a breaker or valve to open, for instance—the security system could suspect spoofing.
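The timing check described above, as an added example that is not part of the original article or of the Georgia Tech work: it pairs each remote open/close command with the acknowledgement that follows and flags any acknowledgement that arrives faster than that class of device could physically act, or that arrives with no command to match. The per-class minimum actuation times, device names and event log are constructed for illustration, not measurements from the study.

```python
from dataclasses import dataclass
from typing import Optional

# Minimum physically plausible actuation time per device class, in milliseconds.
# Constructed illustrative values; a real deployment would measure each device.
MIN_ACTUATION_MS = {
    "breaker": 30.0,
    "valve": 500.0,
}


@dataclass
class Event:
    ts_ms: float   # timestamp at which the monitor saw the packet
    device: str    # device id, "<class>-<n>" (constructed naming scheme)
    kind: str      # "command" or "ack"
    action: str    # "open" or "close"


def find_implausible_acks(events, min_times=MIN_ACTUATION_MS):
    """Return (device, action, elapsed_ms) for acknowledgements that are
    physically implausible: too soon after the command, or unsolicited
    (elapsed_ms is None when no command was pending)."""
    pending = {}   # (device, action) -> timestamp of the outstanding command
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts_ms):
        key = (ev.device, ev.action)
        if ev.kind == "command":
            pending[key] = ev.ts_ms
        elif ev.kind == "ack":
            sent = pending.pop(key, None)
            if sent is None:
                flagged.append((ev.device, ev.action, None))
                continue
            elapsed = ev.ts_ms - sent
            dev_class = ev.device.split("-")[0]
            if elapsed < min_times.get(dev_class, 0.0):
                flagged.append((ev.device, ev.action, elapsed))
    return flagged


# Constructed sample traffic: one plausible breaker, one impossibly fast valve,
# one acknowledgement with no matching command, one plausible valve.
SAMPLE_EVENTS = [
    Event(1000.0, "breaker-7", "command", "open"),
    Event(1045.0, "breaker-7", "ack", "open"),     # 45 ms: plausible
    Event(2000.0, "valve-2", "command", "open"),
    Event(2020.0, "valve-2", "ack", "open"),       # 20 ms: faster than a valve can move
    Event(2500.0, "breaker-3", "ack", "close"),    # no command was ever sent
    Event(3000.0, "valve-5", "command", "close"),
    Event(3700.0, "valve-5", "ack", "close"),      # 700 ms: plausible
]
```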
To develop the device fingerprints, the researchers built computer models of utility grid devices to understand how they operate. Information to build the models came from “black box” techniques—watching the information that goes into and out of the system—and “white box” techniques that utilize schematics or physical access to the systems.
The researchers' current technique addresses the protocol used by more than half of the devices on the electrical grid and has been demonstrated in two electrical substations. Future work will include examining the application of the method to other protocols, as well as to securing industrial control systems in other sectors—such as manufacturing, oil and gas refining and wastewater treatment—since those sectors also include devices with measurable physical properties.
Beyond industrial controls, the principle could also apply to the Internet of Things (IoT), where the devices being controlled have specific signatures related to switching them on and off.
“All of these IoT devices will be doing physical things, such as turning your air-conditioning on or off,” Beyah says. “There will be a physical action occurring, which is similar to what we have studied with valves and actuators.”