The “Essence” of cybersecurity

The online world can be a dangerous neighborhood. News of another huge data theft or malicious computer virus seems to arrive almost weekly. One study found that 740 million online records were hacked last year. Target, the giant retailer, revealed cyber-criminals had stolen information on as many as 70 million of its customers alone.

While it hasn’t received nearly as much publicity, cooperatives and other electric utilities haven’t been immune from this assault. Craig Miller, chief scientist for the National Rural Electric Cooperative Association (NRECA), says there are thousands of probes, big and small, into utility systems. These threats to the security and stability of the nation’s grid are only expected to grow.

But an ambitious effort by the Cooperative Research Network (CRN), the research and development arm of NRECA, and several partners is underway to make sure the systems delivering your power remain safe and secure. It’s called “Essence” and through the project, researchers are developing the next generation of automated cybersecurity for the industry.

That’s particularly important for co-op members and other consumers, who not only count on the power being there when they need it, but also on their electricity provider protecting their privacy. “The success of Essence will improve the protections around their personal information and it will improve the reliability of their power systems,” says Miller.

Miller says most of the attempts to hack into utility systems have been efforts to grab personal data or business information. Consumers obviously want to be sure bank account information, social security numbers or other personal data don’t fall into the hands of identity thieves.

But there have also been more ominous attacks that should concern any U.S. citizen. “There have been attempts on control systems. They are much rarer because they require a much higher level of expertise, and there’s no potential monetary gain,” Miller says. “But people have done it.”

The assumption, he says, is that some of these efforts are by “state actors,” other nations probing for potential weaknesses. Defense analysts also believe a cyber-attack on the nation’s power grid could be attractive to terrorists for its potential to create widespread chaos.

The essence of Essence is to protect Americans from all these threats. There are existing software programs with the same goal, but it’s how Essence safeguards utility systems that makes it a major advance in cybersecurity.

Most computer systems are protected through firewalls, special software that blocks suspicious attempts to connect or upload software. But these programs largely depend on lists of known threats that have to be constantly updated. “One of the challenges is that these security systems require expert users who are hyper-diligent about staying current,” says Miller. “They also have the potential for human error. This creates vulnerabilities.”

But Essence changes the balance of power in this constant battle. “Instead of monitoring what’s going in and out of the network, it monitors the network itself and uses advanced algorithms (procedures) to determine what is normal,” explains Maurice Martin, CRN’s project manager for cyber security. “Essence looks for anomalies – stuff that shouldn’t be happening – and then raises a red flag when it sees something that’s amiss.”

This means Essence doesn’t have to depend on lists of the latest dangers out there, or on humans keeping it up-to-date. It doesn’t need to know exactly what hackers are up to because anything that’s not right with the system will get its attention.

All this is accomplished by an unassuming device, small enough to be held in one hand, which can be added to a utility system in key spots to unobtrusively monitor what’s happening on the network.

Project managers also have taken several steps, including using storage in the cloud and open software standards, to keep costs down and make sure Essence doesn’t require extensive expertise to manage. “It’s going to bring state-of-the-art cybersecurity to co-ops of every size, from the biggest to the smallest,” says Martin. “The philosophy is no co-op left behind. Everyone will be able to use this.”

Essence is being developed through a $4 million grant awarded by the U.S. Department of Energy to research next-generation cybersecurity devices. CRN has partnered with Carnegie Mellon University, the Pacific Northwest National Laboratory, and the cyber security firm Cigital on the project. Several large corporations are also following the effort.

Researchers hope to have the first version of the Essence device in the field for tests early next year. If it’s as successful as expected, commercial partners will be brought in to produce the product, providing electric utilities with an affordable, automated cybersecurity system they can depend on.

That will be good news for consumers everywhere. As Martin notes, “Maintaining cybersecurity for your co-op or utility is a something that matters to anyone who’s on a power line.”

Reed Karaim writes on consumer and cooperative affairs for the National Rural Electric Cooperative Association, the Arlington, Va.-based service arm of the nation’s 900-plus consumer-owned, not-for-profit electric cooperatives.