By Tim Lieuwen and Christopher Perullo
This article is the first of a multi-part series on how plant owners and operators can cyber-harden their physical generation assets. Our key point is that the competencies the industry has built over the last decades in monitoring centers, monitoring software and digital twins of its generation assets can be leveraged to protect those same assets from hostile intrusion.
Where are we now?
A rash of new buzzwords, standards and activity has emerged around cybersecurity in the electric power sector, and many plant operators have made great strides in recent years to protect themselves from cyber-attacks. An attack can disrupt many layers of a business: billing, customer data, protected personal data (social security numbers or health information) and, ultimately, the operation of the power plant itself.
To date, emphasis has rightly been placed on information technology (IT) systems. Most of us are familiar with IT systems, but a growing concern is protecting operational technology (OT) systems. To understand the difference, consider this simplified example. The internet router in your home is an IT system. If you have a smart bulb system, that is an OT system; it might consist of several smart bulbs and a control bridge. The IT and OT systems communicate with each other, but they have different purposes: the IT system controls the flow of digital information, while the OT system serves a specific physical purpose (providing light).
As another example, consider what is publicly known about the Colonial Pipeline hack, which led to major disruptions in gasoline supply on the East Coast. The company obviously has a host of IT systems (routers, servers) and OT systems (valves, regulators, pumping stations). In this case the attackers deployed ransomware that compromised the IT systems used for billing and accounting. This prevented normal business operations, and pipeline operations were curtailed until those systems were restored.
OT devices may also communicate among themselves, using different methods or protocols than the IT system. Your router (IT) has a firewall to prevent intrusion, but OT devices are often the weak point that is hacked to gain access. If an attack makes it past the IT systems, can the OT system detect that it is malfunctioning? In almost every case the answer is no. A hacked light bulb might be an annoyance, since the attacker could rapidly turn it on and off; a hacked OT system on a generating asset could be used to cause catastrophic damage. Most readers will have heard of the 2013 Target breach, in which attackers obtained access to the business network using credentials stolen from an HVAC contractor.
It is also important to realize that most OT systems at a power plant are cyber-physical systems. In simple terms, a controller, a sensor and an actuator are integrated to serve a useful purpose. In the light bulb example, you might set the controller to turn the bulb on at dusk and off at dawn. A sensor on the bulb detects when dusk and dawn occur, and an internal switch (the actuator) turns the bulb on and off. If any of these three items is compromised, the bulb will fail to function as the user intended. Tampering with the controller settings obviously changes the on/off behavior. Tampering with the actuator could cause the bulb to fail to turn on or off. Finally, compromising the sensor signal could cause the bulb to behave strangely, such as turning on in daylight because the controller thinks it is dark.
So what does all of this have to do with power plants? A power plant has a large number of OT systems, including sensors, actuators, controllers and communication infrastructure. The device types named here are only a few examples of what could be compromised; the real list is much longer. In the light bulb example, you would most likely notice the hack because you can physically see the light. In a power plant, we are usually reliant on the sensor reading as the truth: an operator rarely has the luxury of directly observing the cyber-physical OT system.
Nonetheless, the industry has developed very sophisticated approaches to monitoring and diagnostics (M&D) of its sensitive generation assets. These are built on digital twins: physics-based models of the plant, down to each component and even each sensor, including what a reasonable sensor reading looks like and how it should correlate with other sensors. The models are augmented with (1) data from the plant and/or aggregated across a fleet of plants, (2) sophisticated software, often based on artificial intelligence, to detect anomalies, and (3) dedicated monitoring centers staffed by professionals who have developed a highly tuned ear and eye for "when something just doesn't seem right." Integrating these O&M competencies and assets with cybersecurity operations is low-hanging fruit for the industry.
Unfortunately, most existing monitoring and diagnostics focus on correlating sensor signals with one another. That leaves the middle of the OT information chain, the commands that flow from the controller to the actuators, unmonitored: if every sensor agrees that the plant is doing what it was told, nobody checks whether what it was told is what the operator intended. Consider that attackers often test their ability to make changes before committing to a full-scale attack. Has your credit card ever been stolen? Thieves will sometimes make a small charge first to see whether it works before purchasing something larger.
In a power plant, the attacker may make a minor control change to test access before causing more severe damage to the asset. This is essentially what happened at the Bowman Avenue Dam in New York, a small flood-control dam whose SCADA system was accessed in 2013 in what the U.S. Justice Department later attributed to Iranian actors, apparently as a test of whether direct control of the infrastructure was possible.
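As an added example (not code from the article or from Turbine Logic), the following Python simulation puts the light bulb chain described earlier (controller, actuator, sensor) into a small plant model and watches it with a digital twin that checks every link, including the command path that conventional sensor-correlation monitoring leaves out. The plant constants, tolerances, sensor noise and the four attack scenarios are all constructed assumptions; the point is the structure of the checks, not the numbers.

```python
"""Added example: a toy cyber-physical loop (controller -> actuator -> plant -> sensors)
watched by a simple digital twin that checks every link in the chain, not only
the sensor signals. All constants, the plant physics and the attack scenarios
are constructed for illustration and are not from the article or from any
vendor's monitoring product."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed (constructed) plant constants
K_FLOW = 100.0   # flow units per unit of valve opening
K_PRESS = 0.05   # downstream pressure per unit of flow (linearised)
ACT_LAG = 0.5    # first-order actuator response per step
# Assumed detection tolerances
TOL_CMD = 1e-6   # command must match the authorised setpoint exactly
TOL_ACT = 0.01   # actuator feedback vs. twin-expected position
TOL_REL = 0.03   # relative tolerance for twin-vs-sensor and sensor-vs-sensor checks


@dataclass
class Sample:
    step: int
    setpoint: float   # what the operator or plant logic authorised
    command: float    # what actually went out to the actuator
    actuator: float   # actuator position feedback
    flow: float       # flow sensor reading
    pressure: float   # pressure sensor reading, physically correlated with flow


class Twin:
    """Physics-based model of what each link in the chain should report."""

    def __init__(self, actuator0: float = 0.60):
        self.expected_act = actuator0

    def check(self, s: Sample) -> list[str]:
        alarms = []
        # (1) Middle of the chain: the link sensor-correlation M&D never looks at.
        if abs(s.command - s.setpoint) > TOL_CMD:
            alarms.append("CMD_DEVIATES_FROM_SETPOINT")
        # (2) Actuator: feedback vs. the twin's expected position (first-order lag).
        self.expected_act += ACT_LAG * (s.command - self.expected_act)
        if abs(s.actuator - self.expected_act) > TOL_ACT:
            alarms.append("ACTUATOR_NOT_TRACKING")
        # (3) Sensor vs. physics: flow predicted from the actuator position.
        predicted_flow = K_FLOW * s.actuator
        if abs(s.flow - predicted_flow) > TOL_REL * predicted_flow:
            alarms.append("FLOW_INCONSISTENT_WITH_TWIN")
        # (4) Sensor vs. sensor: the correlation check conventional M&D already does.
        predicted_pressure = K_PRESS * s.flow
        if abs(s.pressure - predicted_pressure) > TOL_REL * predicted_pressure:
            alarms.append("SENSOR_CORRELATION_BROKEN")
        return alarms


def run_scenario(attack: str, steps: int = 12) -> dict[int, list[str]]:
    """Simulate the plant under one constructed attack (starting at step 4) and
    return {step: alarms}. attack is one of "none", "sensor_spoof",
    "cmd_tamper" or "actuator_stuck"."""
    setpoint = 0.60    # authorised valve opening
    actuator = 0.60    # plant starts settled at the setpoint
    twin = Twin(actuator)
    alarms: dict[int, list[str]] = {}
    for step in range(steps):
        active = step >= 4
        if attack == "actuator_stuck" and active:
            setpoint = 0.65            # legitimate operator change the stuck valve cannot follow
        command = setpoint
        if attack == "cmd_tamper" and active:
            command = setpoint + 0.02  # attacker's small "does my access work?" nudge
        # Plant physics: the ground truth the operator cannot observe directly.
        if not (attack == "actuator_stuck" and active):
            actuator += ACT_LAG * (command - actuator)
        true_flow = K_FLOW * actuator
        noise = 0.3 * (((step * 7) % 5) - 2) / 2   # deterministic sensor noise within +/-0.3
        flow_reading = true_flow + noise
        if attack == "sensor_spoof" and active:
            flow_reading = 55.0                     # plausible-looking but false value injected
        pressure_reading = K_PRESS * true_flow
        found = twin.check(Sample(step, setpoint, command, actuator, flow_reading, pressure_reading))
        if found:
            alarms[step] = found
    return alarms


if __name__ == "__main__":
    for attack in ("none", "sensor_spoof", "cmd_tamper", "actuator_stuck"):
        result = run_scenario(attack)
        first = min(result) if result else None
        print(f"{attack:15s} first alarm at step {first}: {result.get(first, [])}")
```

Run it and compare the scenarios: the spoofed sensor trips both the physics check and the sensor-correlation check that existing M&D already performs, and the stuck actuator is caught by the twin's lag model; the attacker's small command nudge, however, leaves every sensor perfectly consistent with the plant and is caught only by comparing the command on the wire with the authorised setpoint. In a real plant that setpoint would have to come from a source the attacker cannot edit (an authenticated operator log or historian rather than the controller itself), and the tolerances would be tuned to the unit's measured noise and transient behaviour.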
There are other incidents in which OT systems were compromised and hardware was destroyed or severely damaged. In 2014, attackers gained access to the business IT network of a German steel mill, which gave them further access to the control systems. The attackers disabled the ability to shut down a blast furnace properly, resulting in significant damage. Obviously, some attacks are more likely to be carried out than others, but actively monitoring OT assets for attacks creates a second line of defense.
This article is the first of a series that will explore examples and suggestions for auditing your current monitoring practices for gas turbines, photovoltaics and wind to find where you can add OT attack monitoring. Not every attack vector is critical or the optimal pathway for an attacker. Creating attack-specific models for detecting sensor, actuator and controller compromise will help provide the second line of defense needed to prevent critical remote attacks.
References:
1. Colonial Pipeline hack explained: Everything you need to know, TechTarget (techtarget.com).
2. S. Prokupecz, T. Kopan and S. Moghe, "Former official: Iranians hacked into New York dam," CNN, December 22, 2015, www.cnn.com/2015/12/21/politics/iranian-hackers-new-york-dam/index.html.
3. K. Hemsley and R. Fisher, "History of Industrial Control System Cyber Incidents," Idaho National Laboratory, INL/CON-18-44411-Revision-2, 2018.
About the Authors:
Chris Perullo is Director of Engineering at Turbine Logic. He leads day-to-day development of customized monitoring and diagnostic solutions and services for natural gas and renewable energy assets.
Tim Lieuwen is Regents’ Professor and Executive Director of the Strategic Energy Institute at Georgia Tech, and founder of Turbine Logic.
Turbine Logic (www.turbinelogic.com) is an analytics firm specializing in the power generation industry. It develops software for monitoring power generating assets and provides consulting services to OEMs, utilities, users and related organizations around the world. Applications of this work include O&M, financial plant models, energy markets and cybersecurity.