Researchers at Sandia National Laboratories in New Mexico have developed AI algorithms that detect cyber attacks on an electricity grid.

And this neural-network AI can run on inexpensive single-board computers or existing smart grid devices.

“As more disturbances occur, whether from extreme weather or from cyber attacks, the most important thing is that operators maintain the function and reliability of the grid,” said Shamina Hossain-McKenzie, a cyber-security expert and leader of the project. “Our technology will allow the operators to detect any issues faster so that they can mitigate them faster with AI.”

As the USA adds more smart controls and devices to the grid, it becomes more flexible and autonomous but also more vulnerable to cyber attacks and cyber-physical attacks. Cyber-physical attacks use communications networks or other cyber systems to disrupt or control a physical system such as the electric grid. Potentially vulnerable equipment includes smart inverters that turn the DC produced by solar panels and wind turbines into the AC used by the grid, and network switches that provide secure communication for grid operators, according to Adrian Chavez, a cyber-security expert involved in the project.

Because the neural network can run on single-board computers or existing smart grid devices, it can protect older equipment as well as the latest equipment that lack only cyber-physical coordination, Hossain-McKenzie said.

“To make the technology more accessible and feasible to deploy, we wanted to make sure our solution was scalable, portable and cost-efficient,” Chavez said.

The package of code works at the local, enclave and global levels. At the local level, the code monitors for abnormalities at the specific device where it is installed. At the enclave level, devices in the same network share data and alerts to provide the operator with better information on whether the issue is localised or happening in multiple places. At the global level, only results and alerts are shared between systems owned by different operators. That way operators can get early alerts of cyber attacks or physical issues their neighbours are seeing but protect proprietary information.

The Sandia team collaborated with researchers at Texas A&M University (engineering.tamu.edu) to create secure communication methods, particularly between grids owned by different companies.

The biggest challenge in detecting cyber-physical attacks is combining the constant stream of physical data with intermittent packets of cyber data, said Logan Blakely, a computer science expert who led development of the AI components.

Physical data, such as the frequency, voltage and current of the grid, are reported 60 times a second, while cyber data such as other traffic on the network are more sporadic. The team used data fusion to extract the important signals in the two different kinds of data.

Then the team used an autoencoder neural network, which classifies the combined data to determine whether they fit with the pattern of normal behaviour or if there are abnormalities with the cyber data, physical data or both. For example, an increase in network traffic could indicate a denial-of-service attack while a false-data-injection attack could include atypical physical and cyber data.

Unlike many other kinds of AI, autoencoder neural networks do not need to be trained on data labelled with every type of issue that may show up. Instead, the network only needs copious amounts of data from normal operations for training. The use of an autoencoder neural network makes the package pretty much plug and play.

Once the team constructed the autoencoder neural network, they put it to the test in three different ways.

First, they tested the autoencoder in an emulation environment, which includes computer models of the communication-and-control system used to monitor the grid and a physics-based model of the grid itself. The team used this environment to model various cyber attacks or physical disruptions, and to provide normal operational data on which the AI could train.

Then the team incorporated the autoencoder onto single-board computer prototypes that were tested in a hardware-in-the-loop environment. In hardware-in-the-loop testing, researchers connect a real piece of hardware to software that simulates various attack scenarios or disruptions. When the autoencoder is on a single-board computer, it can read the data and implement the algorithms faster than a virtual implementation of the autoencoder can in an emulation environment. Generally, hardware implementations are a hundred or thousand times faster than software implementations.

The team is working with Sierra Nevada (www.sncorp.com) to test how Sandia’s autoencoder AI works on the company’s existing cyber-security device, called Binary Armor.

“This will give a really great proof-of-concept on how the technology can be flexibly implemented on an existing grid security ecosystem,” Hossain-McKenzie said.

The team is testing both formats – single-board prototypes interfaced with the grid and the AI package on existing devices – in the real world at the Public Service Company of New Mexico (PNM, www.pnm.com) on its Prosperity solar farm as part of a cooperative research and development agreement. These tests began last summer.

“There’s nothing like going to an actual field site,” Chavez said. “Having the ability to see realistic traffic is a really great way to get a ground-truth of how this technology performs in the real world.”

The team also worked with PNM early in the project, to learn what AI design might be most useful for grid operators. It was during conversations with PNM staff that the Sandia team identified the need to connect cyber defenders with system operators rapidly and automatically.

This project built off and expanded upon a previous project called the Proactive Intrusion Detection & Mitigation System which focused on detecting and responding to cyber intrusions in smart inverters on solar-panels. The team is also expanding upon the autoencoder AI in similar projects.

The team filed a patent on the autoencoder AI (ip.sandia.gov/opportunity/gridna) and is looking for corporate partners to deploy and hone the technology in the real world. With a bit more work, the autoencoder could be used to protect other critical infrastructure systems such as water and natural gas distribution systems, factories or data centres.

“Whether or not our technology succeeds in the market, every utility around the world is going to need a solution to this problem,” Blakely said. “This is a fascinating area to do research in because one way or another, everyone is going to have to solve the problem of cyber-physical data fusion.”