If somebody hacked communications to grid-connected devices and interrupted a demand response (DR) event, peak demand might not be cut, capacity prices could spike and that somebody could make a lot of money.
Because of the fast-rising number of grid-connected devices in DR programs like smart thermostats and water heaters and the even faster-rising number of smart phones and other Internet technologies through which customers communicate with DR programs, market manipulations like that are possible, cybersecurity experts from the Electric Power Research Institute (EPRI) told the Demand Response World Forum October 17. It is one of many potential intrusions of communications between utilities and customers with grid connected devices and distributed energy resources (DER), they said.
To counter these threats, data analytics experts are using the laws of physics and unprecedented masses of data to find cybersecurity breaches. And their work is leading to machine learning (ML) and artificial intelligence (AI) algorithms which, though only just beginning to find actual deployment, are expected to soon advance the ability to identify patterns to the intrusions and raise the level of protection for critical power systems.
"There are two types of cybersecurity threats to utilities — those that affect system hardware and connected devices and those that affect utility internet systems,"
"There is so much low hanging fruit in utility system challenges that can be addressed by advanced data analytic strategies that AI and machine learning are not the place to start."
Cybersecurity Manager, OSIsoft
Bryan Owen told Utility Dive. "We worry about the ones that can result in physical harms, but high levels of connected devices are making them an important cybersecurity issue now, too."
Collaborations between utilities and researchers at U.S. national labs are revealing new protections but also new challenges to secure data management that must be addressed. ML and AI can help utilities protect themselves and their customers from cyberattacks, but only if utilities can allow these new allies access to the data and systems that need protection.
Connected devices. exceeded the world's 7.3 billion population in 2014, EPRI Senior Program Manager Rish Ghatikar told the DR conference. At the 31.7% growth rate of U.S. connected homes reported by McKinsey for 2017, there were "over 1 billion connected home devices" in the U.S. by the end of 2018, he estimated. Each of those homes could have as many as 10 grid-connected devices, ranging from laptops and wireless modems to smart thermostats and smart inverter-based solar plus storage systems.
Businesses' internet-connected technology may be even more under assault, he added. In the first half of 2019, almost 38% of computers used in smart building systems were affected by cyberattacks, Navigant Research reported October 28.
Homes and businesses have their own "device ecosystems" of internet technology (IT) devices, smart thermostats, water heaters, other smart appliances, EV chargers, and smart inverter-based solar and batteries that utilities do not control, Ghatikar said. "They cannot manage what they cannot control, which makes the risk of intrusions exponentially higher and cybersecurity more relevant."
Cybersecurity for ICS is "a cat and mouse game where adversaries and defenders continue to evolve with one another."
Research Scientist, Sandia National Laboratory
EPRI is developing a framework to identify cybersecurity assets, threats, key players, and architectures on which researchers, utilities and device vendors can focus to find solutions, EPRI Engineer Scientist Alekhya Vaddiraj told the conference.
Cyberattacks can compromise reliability or resilience, impose financial losses, appropriate customer data, or threaten customers and system safety, she said. Although it is a "futuristic" scenario, the concept of false information or disrupted communications being used to manipulate power markets is also a realistic possibility, she and Ghatikar agreed.
But an estimated 1,500 outages have been caused by wildlife and only three by human attacks, according to CyberSquirrel, OSIsoft's Owen said. His company remains focused on protecting systems from the more common types of intrusions, though it continues to monitor the progress of ML and AI deployment.
"There is so much low hanging fruit in utility system challenges that can be addressed by advanced data analytic strategies that AI and machine learning are not the place to start," he said. Yet advanced work is already underway, he acknowledged.
AI is the big circle of a Venn diagram of computer operations, Sandia National Laboratory Research Scientist Adrian Chavez told Utility Dive. ML is "a subset of AI within the circle. AI is a fully automated system that can respond on its own, even to unknown attacks, and machine learning is a component that enables that response."
A Department of Homeland Security website shows ongoing cyberthreats to industrial control systems (ICS), including power sector operations, Chavez said. They "are becoming more and more sophisticated" and there is no "complete solution."
Cybersecurity for ICS is "a cat and mouse game where adversaries and defenders continue to evolve with one another," Chavez said. The adversaries that must be defended against have "a high level of sophistication" in "multiple fields spanning cybersecurity, physical security, and power engineering."
The "signature-based intrusion detection system" Chavez is developing monitors DER communications for "very specific strings of characters or bytes with known unique characteristics," he said. "It can automatically alert a grid operator of a potential malware intrusion if those strings are observed."
A more complex, "behavior-based" ML algorithm can use "statistics and past trends" to "analyze network communications for abnormal behavior," Chavez said. "If it recognizes abnormal patterns with a statistical probability of attack, even from an unknown intrusion, it can respond in real time or, if it does not have a mitigation strategy, alert an operator."
Utilities "are increasingly interested in how AI algorithms and deep learning can automate the protection of customer information, the optimization and balancing of the grid, and the finding of efficiencies in the details of customer usage."
A behavior-based algorithm "that autonomously identifies the attack, protects against the attack, and recovers from the attack without operator intervention, fits my definition of AI," he said. His algorithms have been "tested and verified within a 2.5 MW microgrid environment" but not "at a large utility scale."
Utilities tend to be hesitant about pilots that test autonomous detection and response technologies in real time, Chavez said. "Power systems are critical, and there is a lot of potential for these solutions in those environments, but utilities are very concerned about automation in live operational systems without a human in the loop because the consequences of mistakes are high."
The private sector has already deployed AI for purposes ranging from cybersecurity to marketing, but change in utilities requires "incremental steps" that demonstrate ML and AI can readily detect abnormal events without system disruption, Chavez said. Using ML and AI could take "another five to 10 years," but it could happen sooner because "a lot of people at the national labs are using Department of Energy (DOE) funding to work in this area."
Utilities want modern cybersecurity, but "legacy devices and protocols deployed decades ago are not capable of supporting it," he said. "That makes upgrades expensive and it makes upgrading hardware and software a potential interruption of operations."
"This is a whole new game for utilities," Colin Gounden, CEO of data specialist VIA agreed. "They are increasingly interested in how AI algorithms and deep learning can automate the protection of customer information, the optimization and balancing of the grid, and the finding of efficiencies in the details of customer usage," he told Utility Dive. "But AI requires access, particularly to data."
The difference between AI and ML is that "ML can identify the notes in a piece of music and AI can create music," VIA's Gounden said. "Some problems, like disaggregation of home appliances on a distribution system, are better solved with ML. AI is better for optimizing the distribution system."
Both require an enormous amount of data, but it can be protected the same way email is scanned for spam by an AI algorithm "because it is too big a dataset for a person," Gounden said.
Machines have learned by being given rules, but establishing comprehensive rules for today's complex systems is very difficult, he said. In the past five years, ML has become possible because computing power has increased exponentially, and algorithms can use it to "do more and faster unsupervised learning from the massive datasets in the internet cloud."
AI has shown its potential by advancing voice recognition and autonomous driving capabilities, but its use by utilities for cybersecurity remains limited, Gounden said.
"They have been doing a lot of data science and statistics, but they have not been able to deploy AI because many individual utilities do not have enough data for algorithms to learn from," he said. And there has been no way to securely aggregate data from multiple utilities to allow shared learning while "keeping the data safe and secure and making sure it is used properly."
VIA uses AI to curate a securely aggregated library of utility data for cybersecurity research. The Hawaiian Electric Company (HECO) utilities, New Zealand's Vector, and "many others" are participating, Gounden said. "Interest is increasing because there are so many different ways to steal data." The ultimate goal is an AI algorithm "that can allow data sharing on a system-wide basis" for applications ranging from cybersecurity and customer engagement to predictive maintenance.
Companies like Apple, Google and Amazon are accelerating their ML and AI capabilities because they have huge volumes of system and user data, he added. Utilities' "critical infrastructure standard" for reliability should not prevent them from also using algorithms to protect their systems from cyberattacks, support their human resources, optimize value from DER, and support decision-making.
Skepticism and the laws of physics
Utility members of the National Rural Electric Cooperatives Association (NRECA) are working in DOE-funded pilots to test ML and AI algorithms, NRECA Analytics Research Program Manager David Pinney told Utility Dive. The primary focus is protection of communications to smart inverter-based solar and battery storage systems from cyberattacks.
"In lab work, these devices have been hacked," Pinney said. A recent HECO software update was safely sent to "about 800,000 smart inverters." It was apparently to improve performance and reduce outages, but these pilots simulate the huge impact an update of that size infected with malware could have.
The pilots will identify smart inverter settings not readily destabilized by hackers, he said. "A big part of the solution is using machine learning to train utility networks to repeatedly find new protective settings as hackers change their attacks. The next step is helping our co-ops introduce these protections into their individual systems."
High costs, computational limits, inadequate interoperability standards, and a lack of access to data all contribute to an "appropriate level of skepticism" from co-ops toward autonomous operations, Pinney said. But skepticism raised "great questions" about safety during previous demonstration deployments of advanced technology that led to "a better understanding of the technology," he recalled. "We expect the same to happen with machine learning-based controls."
Utilities' key vulnerability is to cyberattacks on their IT systems, OSIsoft's Owen stressed. The 2010 Stuxnet attack on Iran's nuclear facility came through a thumb drive on a laptop, and Norsk Hydro's $52 million production loss earlier this year started with an intrusion through its email system.
"AI is being used to protect email," he acknowledged. "But anybody who looks at their inbox would probably say it is not working very well."
OSIsoft instead relies on data analysis and the laws of physics to identify cyberattacks, he said. "Electricity moves according to the laws of physics. Our system data on voltage, temperature and other factors can show if a system is acting normal, and if a measurement is out of line with others, it is reported for investigation, whether it is a hack or an equipment failure."
ML "can be very good at learning how a DER device operates, identifying when it is not operating properly, and blocking that operation," Owen said. "But it may encounter an event like a power outage that it has never seen before and respond in the wrong way." An example is a threat described in an August 2018 Princeton University paper, he added.
Aggregated DER could be used "to manipulate the power demand," Princeton researchers reported. Simulations demonstrated that such manipulations could cause "local power outages and in the worst cases large-scale blackouts" or "be used to increase the operating cost of the grid to benefit a few utilities in the electricity market."
The research showed the "vulnerability" of the power grid and similar systems and the need for attention to cybersecurity, the report concluded. Addressing that vulnerability is what AI and ML researchers like Sandia's Chavez hope to do.
It is a vulnerability currently being addressed largely by data analytics and the laws of physics, OSIsoft's Owen insisted. But it is a vulnerability that the growth of connected devices may increase, which is why learning what ML and AI have to offer and "incrementally adding security as we go" is necessary, he acknowledged.