A team of researchers at a unique facility in downstate Illinois is working to answer questions around maintaining trust in the power grid, particularly when faced with cybersecurity threats.
The Cyber Resilient Energy Delivery Consortium (CREDC) is a federally funded collaboration between universities, national labs and private industry aimed at bolstering the security and reliability of a power grid that is becoming increasingly digitally connected.
In other words, CREDC is about building trust in a system that now more closely resembles a living, networked brain than an analog machine.
The digital security of the power grid is a growing concern for utilities, grid operators and regulators across the globe. Research firm Zpryme estimates that U.S. utilities alone will spend $7.25 billion on grid cybersecurity by 2020. In February, a U.S. Government Accountability Office review of federal work on grid cybersecurity found 27 different projects across the U.S. Department of Energy, the Department of Homeland Security and the Federal Energy Regulatory Commission.
In Illinois, the Illinois Commerce Commission in March established an Office of Cybersecurity and Risk Management — a rare step to take for state-level regulators.
CREDC, which was launched in 2015 with $22.5 million in DOE funding and $5.6 million in recipient cost-sharing, is based at the Information Trust Institute at the University of Illinois at Urbana-Champaign. It builds on two previous grid-cybersecurity efforts at the institute that date back to 2005.
At that time, it was a unique project, says Tim Yardley, associate director for technology at the Information Trust Institute. Today, there are only a handful of facilities like CREDC across the globe.
“Cybersecurity is one of the most serious challenges facing grid modernization, which is why maintaining a robust, ever-growing pipeline of cutting-edge technologies is essential to helping the energy sector continue adapting to the evolving landscape,” Patricia Hoffman, assistant secretary for DOE’s Office of Electricity Delivery and Energy Reliability, said in a press release when CREDC was announced.
For Yardley, CREDC’s mission is by definition critical.
“The grid is the heart, basically, of everything else we have,” he says. “If your basketball team loses a game, some people riot. Imagine what happens if people take away all of our toys … our air conditioning, our food, our ability to cook, our ability to use computers, our ability to look up information, our ability to Tweet or take Snapchat photos. What would society do?”
Inside the facility
The core of CREDC is its test bed — a well-ventilated room full of computers, cables, monitors and hardware stacked atop hardware. It looks like it could be a small data center for a tech company, but instead of storing information on servers, these digital stacks constitute a virtual grid. A sprawling network of energy sources and energy consumers is compressed into a few refrigerator-sized boxes that sit in a room on the first floor of a parking garage on the UIUC campus.
The test bed is like having a flight simulator but for the power grid. Students, faculty and researchers can introduce viruses onto the network to see how they might behave — and how they might be contained — on a real power grid. Scenarios are run in which the grid fails and participants work to bring it back online.
CREDC also has its own set of custom-built smart meters that can be used to test for vulnerabilities or access points that malicious users might exploit. They look just like the electric meters that hang outside homes and businesses, but they afford researchers the ability to safely run experiments on critical infrastructure in a contained, laboratory setting.
This kind of academic work can lead to real-world solutions that ship in software and hardware used by utilities and grid operators across the globe. Indeed, the CREDC model “explicitly creates a pipeline that generates research results and takes them through to evaluation and deployment of prototypes in industrial settings, with a handoff to the sectors through licensing, startups, and open-source mechanisms.”
One example of this is NetAPT, a software tool developed by UIUC researchers that analyzes the complex web of firewalls that regulates access to systems, and helps system analysts see if parts of networks are being accessed in ways they shouldn’t be. The tool can be applied to any number of different systems, but NetAPT was developed primarily with utilities in mind.
The power industry relies heavily on Supervisory Control and Data Acquisition systems for managing and monitoring the generation and distribution of electricity. In the spring of 2013, NetAPT was spun off into a startup called Network Perception, which continues to build firewall-audit software for the power industry.
Yardley says utilities have come a long way toward embracing the kind of cybersecurity work CREDC does.
“When we first started doing cybersecurity research in this space, the utilities were like, ‘Cybersecurity? We don’t need that. We’re air-gapped, we’re protected, we have firewalls!’” Yardley says. “As the threat evolved, and as their awareness evolved, their stories were different.”
Expanding the scope
Moving forward, CREDC is expanding the scope of its work beyond just the delivery of electricity. The consumption of energy requires moving all sorts of substances from crude oil to natural gas and beyond. Increasingly, these distribution networks — pipelines, namely — are as automated and as networked as the smart grid. CREDC hopes to take lessons learned in the power sector and apply them to other areas of energy distribution.
The change of administration in Washington, D.C., calls into question future funding for CREDC and programs like it. The Trump administration has pledged deep cuts for the Department of Energy and other agencies that support smart-grid research. Still, cybersecurity retains largely bipartisan support and CREDC’s $28 million budget is relatively small in the broader context of federal appropriations.
Yardley remains cautiously optimistic — both about continued funding for the consortium’s work, and about the overall security of the 21st-century grid.
“Is there something that keeps me up at night? Well, yes: Everything,” he says. “But there’s only so much that you can worry about. There are certain things that are out of your control. So my whole reason for being in academia is to try to make the world a better place, so people have [fewer] worries.”