By developing a deep and comprehensive understanding of what constitutes “normal” operations inside electric power systems, cybersecurity researchers hope to identify “abnormal” and “illogical” control system commands that may indicate the presence of insider threats – or malicious attackers. 
 

Both the understanding of normal operations and detection of suspicious activities will rely on the application of artificial intelligence (AI) to understand what the complicated grid systems normally do – and to identify actions that logically shouldn’t be taking place.
 

With funding from the U.S. Department of Energy, researchers at the Georgia Institute of Technology (Georgia Tech) have begun work on the development of GridLogic, which builds on earlier work – a project known as GridTrust – aimed at keeping both outsiders and insiders from attacking the power grid. GridLogic will include collaborators from the National Renewable Energy Laboratory (NREL), Marietta Power, the city of Marietta, the Southern Company, Georgia Power and AVEVA, an industrial software provider.
 

“The overarching goal for this project is to build a system that monitors a power grid for illogical kinds of operations,” said Trevor Lewis, one of GridLogic’s researchers and a senior research scientist at the Georgia Tech Research Institute (GTRI). “That will require understanding the normal state for the power system and all cyber/IT components within the power system, which will allow us to pick out the signal of an insider threat, malicious attacker or remote attacker. We will look for actions taken against the system that are not logical for the system’s current state, based on the conditions surrounding it.”
 

Control systems used in critical infrastructure such as power generation and distribution focus on the necessary functionality and may assume that control actions initiated by operators are safe to implement. That means if an attacker gains access to controllers or obtains operator privileges, commands that are functionally valid – but malicious in a specific context – might be used to cause service interruption or even equipment damage. Threats from inside the system can be especially difficult to counter.
 

“Inside attackers have both knowledge and access to systems, making them particularly challenging to defend against,” said Santiago Grijalva, Southern Company Distinguished Professor in Georgia Tech’s School of Electrical and Computer Engineering (ECE) who is leading the GridLogic project with fellow ECE Professor Vincent Mooney. “Only through comprehensive measures can we effectively defend against and mitigate the risks posed by both external attackers and insider threats.”
 

Identifying malicious commands will require not only a deep understanding of the grid system and how it operates, but also a comprehensive monitoring system. 
 

“Our goal will be to look at the entire state of the power system and identify malicious actions from multiple points by distributing monitoring as far as we can out into the network,” said Lewis. “Providing total visibility of the power system from a cybersecurity standpoint and combining that with an understanding of how the system should logically be operating will give utility companies more confidence in the state of their power systems.”
 

The research team will develop a unique type of sensor and build a network of the devices throughout a power system to report what’s happening. The AI hypervisor of the project will interpret information being sent by the sensor network to help operators understand what is going on.
 

GridLogic will provide security at the levels of field devices, including distributed energy resources (DERs) – solar panels and wind turbines, for instance – the network, and overall cyber-physical systems. Novel features of the system will include:
 

• Grid and DER field control device security based on multi-factor and hardware root-of-trust authentication and encryption;
   
• Network traffic monitoring sensors and strategies will be developed that increase depth of visibility in the network topology, remote stations, and power system protocols to determine attacker intent and trajectory toward malicious operation;
   
• Cyber-physical, AI-based identification of combined communications network and power system states and actions that are detrimental to the system's operational objectives, with automatic security escalation.
   

With those components, GridLogic will make attacks on the grid, even those initiated by lone-wolf insiders, more difficult to carry out.
 

The project will include both a research and development phase, and a demonstration phase. The latter will include a demonstration on the Marietta Power distribution system and the Georgia Power Research Microgrid testbed. Finally, the researchers will extensively test the system against simulated threats using GTRI’s “red-teaming” expertise. 
 

“We know how these systems would likely be attacked, and what attackers would likely do step-by-step,” Lewis said. “Knowing how attacks could be mounted will allow us to design systems to detect them and differentiate malicious activities from normal activities in the grid networks.”
 

In addition to the researchers already mentioned, the project will also include other GTRI researchers: Senior Research Engineer David Huggins, Principal Research Scientist Matt Guinn, and Research Engineer Sam Litchfield.
 

GridLogic was selected to receive $3 million from the Department of Energy as part of a group of 16 cybersecurity projects announced in late February 2024. The projects, with a total investment of $45 million, are geared toward developing new cybersecurity tools and technologies to minimize cyber risks in energy infrastructure. The project also includes technology transfer initiatives.
 

-    Dan Watson, a communications officer in Georgia Tech’s School of Electrical and Computer Engineering, contributed to this article.
 

Writer: John Toon (john.toon@gtri.gatech.edu)
GTRI Communications
Georgia Tech Research Institute
Atlanta, Georgia USA

The Georgia Tech Research Institute (GTRI) is the nonprofit, applied research division of the Georgia Institute of Technology (Georgia Tech). Founded in 1934 as the Engineering Experiment Station, GTRI has grown to more than 2,900 employees, supporting eight laboratories in over 20 locations around the country and performing more than $940 million of problem-solving research annually for government and industry. GTRI's renowned researchers combine science, engineering, economics, policy, and technical expertise to solve complex problems for the U.S. federal government, state, and industry.