Saturday, September 7, 2024

New algorithm may help prevent blackouts in ransomware attacks

No single power utility company has enough resources to protect the entire grid, but maybe all 3,000 of the grid’s utilities could fill in the most crucial security gaps if there were a map showing where to prioritize their security investments.

Purdue University researchers have developed an algorithm to create that map. Using this tool, regulatory authorities or cyber insurance companies could establish a framework that guides the security investments of power utility companies to parts of the grid at greatest risk of causing a blackout if hacked.

Power grids are a type of critical infrastructure, which is any network — whether physical like water systems or virtual like health care record keeping — considered essential to a country’s function and safety. The biggest ransomware attacks have happened in the past year, affecting most sectors of critical infrastructure in the U.S. such as grain distribution systems in the food and agriculture sector, and the Colonial Pipeline, which carries fuel throughout the East Coast.

With this trend in mind, Purdue researchers evaluated the algorithm in the context of various types of critical infrastructure in addition to the power sector. The goal is that the algorithm would help secure any large and complex infrastructure system against cyberattacks.

“Multiple companies own different parts of infrastructure. When ransomware hits, it affects lots of different pieces of technology owned by different providers, so that’s what makes ransomware a problem at the state, national, and even global level,” said Saurabh Bagchi, a professor in the Elmore Family School of Electrical and Computer Engineering and Center for Education and Research in Information Assurance and Security at Purdue. “When you are investing security money on large-scale infrastructures, bad investment decisions can mean your power grid goes out, or your telecommunications network goes out for a few days.”

The researchers tested the algorithm in simulations of previously reported hacks to four infrastructure systems: a smart grid, an industrial control system, an e-commerce platform, and a web-based telecommunications network. They found that using this algorithm results in the optimal allocation of security investments for reducing the impact of a cyberattack.

The team’s findings appear in a paper presented at this year’s IEEE Symposium on Security and Privacy, the premier conference in the area of computer security. The team comprises Purdue professors Shreyas Sundaram and Timothy Cason, and former PhD students Mustafa Abdallah and Daniel Woods.

“No one has an infinite security budget. You must decide how much to invest in each of your assets so that you gain a bump in the security of the overall system,” Bagchi said.

The power grid, for example, is so interconnected that the security decisions of one power utility company can greatly impact the operations of other electrical plants. If the computers controlling one area’s generators don’t have adequate security protection, then a hack to those computers would disrupt energy flow to another area’s generators, forcing them to shut down.

Since not all of the grid’s utilities have the same security budget, it can be hard to ensure that critical points of entry to the grid’s controls get the most investment in security protection.

The algorithm that Purdue researchers developed would motivate each security decision maker to allocate security investments in a way that limits the cumulative damage a ransomware attack could cause. An attack on a single generator, for instance, would have less impact than an attack on the controls for a network of generators. Power utility companies would have incentives to invest more in security measures for the controls over a network of generators rather than for the protection of a single generator.

 

https://techxplore.com/news/2022-10-ransomware-algorithm-power-blackouts.html
