The National Renewable Energy Laboratory (NREL) has developed an intrusion visualisation tool, IViz-OT, which can locate and visualise anomalies on the electrical grid that might otherwise go unnoticed.
NREL's cyber range can visualise emulated power systems. This capability was used to validate IViz-OT and ensure that its alerts reflected activity on the grid. Image: NREL IViz-OT
According to NREL, existing cybersecurity solutions are mostly designed for Information Technology (IT)-based applications and are not directly suitable for Operational Technology (OT)-based networks.
The IViz-OT tool is a threat finder and interprets cyber and physical events on the grid. It uses grid information and network data to deliver state awareness to system owners and operators. NREL cites how the current market lacks such a technology, which can provide defence-in-depth visualisation through analytical approaches.
“We identified a market need, built a prototype technical solution and worked with industry to mature it into viable technology,” said Dane Christensen, NREL group manager of cybersecurity science and simulation.
Cyber alerts
IViz-OT works with the NREL-developed Hybrid Intrusion Detector for Energy Systems (HIDES) to process grid information, detect intrusions and create a log of alerts.
The generated log from HIDES is not necessarily human-readable, so IViz-OT decrypts the alert log into simple scenarios that are easy to understand by operators.
“This is a much-needed tool to bridge the valley of death between research-and-development innovations and technology commercialisation,” said Vivek Kumar Singh, an NREL senior cybersecurity researcher who is leading the effort. “IViz-OT is hardware agonistic, scalable through virtualisation, compatible and supports plug-and-play functionality.”
As alerts come in from HIDES, IViz-OT screens cyber and physical data to determine the nature, cause and location of an anomaly. IViz-OT aims to provide a deeper level of intelligence by correlating events over time.
This way, multiple or ongoing events can be recognised and flagged as a wider problem, described by NREL as a meta-analysis that uncovers the true scope and source of issues.
Testing and validation
IViz-OT and HIDES have been tested and validated in the NREL cyber range, where cyber-physical experiments can be customised and visualised.
The cyber range setup mimicked a small distribution system, which used hardware and several emulated devices like an electric vehicle charging equipment meter, a power inverter and site meters.
The cyber range allows engineers to visualise the power and communications flow in 3D to witness how IViz-OT and HIDES would respond to various real attacks. Although further developments are planned, IViz-OT is ready for deployment and available for license.
The tool was developed with support from the US Department of Energy (DOE) office of cybersecurity, energy security, and emergency response and in collaboration with US power management company Eaton.
The work was funded through the Technology Commercialization Fund, a programme within the DOE Office of Technology Transitions.
