March 1, 2016 – Georgia Tech researchers are using the same principle behind human voice recognition to identify devices on electrical grid control networks and help determine which signals are legitimate and which might be malicious.

Human voices are individually recognizable because they’re generated by the unique components of each person’s voice box, pharynx, esophagus and other physical structures.

Similarly, control devices used in the power grid produce signals that are distinctive because of their unique physical configurations and compositions. Security devices listening to signals traversing the grid’s control systems can differentiate between these legitimate devices and signals produced by equipment that’s not part of the system.

“We have developed fingerprinting techniques that work together to protect various operations of the power grid to prevent or minimize spoofing of packets that could be injected to produce false data or false control commands into the system,” said Raheem Beyah of Georgia Tech. “This is the first technique that can passively fingerprint different devices that are part of critical infrastructure networks.”

The networked systems controlling the U.S. electrical grid and other industrial systems often lack the ability to run modern encryption and authentication systems, and the legacy systems connected to them were never designed for networked security, explain researchers. Because they are distributed around the country, the systems are also difficult to update using the ‘patching’ techniques common in computer networks. And, on the electric grid, keeping the power on is a priority, so security must not cause delays or shutdowns.

Beyah, his students and colleagues set out to develop security techniques that take advantage of the unique physical properties of the grid and the consistent type of operations that take place there.

Another aspect of the work takes advantage of simple physics. Devices such as circuit breakers and electrical protection systems can be told to Open/Close remotely, and they then report on the actions they’ve taken. The time required to open a breaker or a valve is determined by the physical properties of the device. When an acknowledgement arrives too soon after the command is issued—less time than it would take for a breaker or valve to open, for instance—the security system could suspect spoofing, Beyah explained.

To develop the device fingerprints, the researchers built computer models of utility grid devices to understand how they operate. Information to build the models came from ‘black box’ techniques—watching the information that goes into and out of the system—and ‘white box’ techniques, which utilize schematics or physical access to the systems.

“Device fingerprinting is a unique signature that indicates the identity of a specific device, or device type, or an action associated with that device type,” Beyah explained. “We can use physics and mathematics to analyze and build a model using first principles based on the devices themselves. Schematics and specifications allow us to determine how the devices are actually operating.”

The researchers have demonstrated the technique on two electrical substations, and plan to continue refining it until it becomes close to 100% accurate. Their current technique addresses the protocol used for more than half of the devices on the electrical grid, and future work will include examining application of the method to other protocols.

Because they also include devices with measurable physical properties, Beyah believes the approach could have broad application to securing industrial control systems used in manufacturing, oil & gas refining, wastewater treatment and other industries. Beyond industrial controls, the principle could also apply to the Internet of Things, where the devices being controlled have specific signatures related to switching them On and Off.

“All of these IoT devices will be doing physical things, such as turning your air-conditioning On or Off,” Beyah said. “There will be a physical action occurring, which is similar to what we have studied with valves and actuators.”

While device fingerprinting isn’t a complete solution in itself, admit researchers, the technique could help address the security challenges of the electrical grid and other cyber-physical systems.

PHOTO: Researchers at Georgia Tech are ‘fingerprinting’ devices on the grid to improve security. Shown with grid devices and a schematic are (left to right) graduate student David Formby; associate professor Raheem Beyah; and assistant professor Jonathan Rogers. Photo by Rob Felt, courtesy Georgia Tech.