Wednesday, March 5, 2025

A New Approach to Utility Cybersecurity


EPRI teams up with Nvidia, Sygnia, member utilities, and other partners on the Hardware Accelerated Security at the Edge (HASE) project

Many data points illustrate the transformation of the electric power system over the past decade-plus. One of the most obvious is the dramatic increase in power generated by renewables like wind and solar. For example, the U.S. was expected to install over 40 gigawatts of new solar photovoltaics (PV) capacity in 2024, according to the Solar Energy Industries Association (SEIA) and the consultancy Wood Mackenzie. In 2015, by comparison, America installed less than six gigawatts of PV.

The shift in generation type has been accompanied by a huge proliferation in the number of generation facilities. In the U.S., for example, there was a net increase of 5,541 power generation facilities in the decade between 2012 and 2022. There are many implications to this changed generation landscape, including the daunting challenge of ensuring both new and existing facilities maintain robust cybersecurity.

Indeed, most new renewable generation facilities don’t have staff on-site continuously. Instead, they rely on remote monitoring and control capabilities. These include servers to aggregate data and provide remote monitoring; protective relays to secure electrical equipment; programmable logic controllers, or PLCs, to handle automation and control tasks; and firewalls for cybersecurity. Distributed generation facilities—along with large fossil fuel power plants—also utilize network interface cards (NICs) for networking communications, executing control commands, and interfacing with SCADA systems.

Unfortunately, there are limitations in the cyber protections this traditional ecosystem can provide to the quickly growing number of distributed generation assets, limitations that also apply to conventional power plants. One is simply that new-generation facilities that depend on connectivity to be remotely monitored and controlled have a dramatically expanded attack surface that increasingly sophisticated cyber criminals can exploit. An even more fundamental vulnerability is that generation facilities rely on existing control systems that lack robust detection capabilities.

“You can’t respond to a cyberattack if you don’t know it’s happening. As defenders, we are oblivious without strong cyber detection,” said Jeremy Lawrence, principal technical leader in EPRI’s cybersecurity program. “The only way we know an attack is happening is if something turns off. The problem we need to solve is that the control systems that run power plants and critical infrastructure aren’t compatible with many of the detection tools we use in other IT (information technology) infrastructure.”

Leveraging the Security Power of Hardware and AI

EPRI and a group of partners, including Nvidia, Clemson University, Waterfall Security Solutions, Con Edison, Ameren, Southern Company, Emerson, and others, recently launched a three-year research project aimed at vastly improving the detection and response to cyberattacks targeting generation facilities. With funding provided by the U.S. Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response, EPRI and its collaborators kicked off the Hardware Accelerated Cyber Security at the Edge (HASE) project in the fall of 2024.

At the most basic level, the HASE initiative seeks to do a few things. The project will integrate data processing units (DPUs) and graphics processing units (GPUs) into control systems. These DPUs replace the NIC and add many detection capabilities built directly into the DPU. By integrating DPUs and GPUs, cybersecurity can benefit from greatly expanded OT network visibility, detection, and event response capabilities, including leveraging the power of artificial intelligence (AI).

Lawrence uses the analogy of a home equipped with both a personal computer and smart devices to illustrate the benefits of integrating hardware like DPUs and GPUs into a generation asset’s control system. “Let’s say you have a smart microwave and a laptop. You can install an antivirus program and several other tools on your computer to protect it. But you can’t install those on your microwave,” Lawrence said. “It’s exactly the same thing for all the tailor-made devices in a control system and a power plant. But you can install hardware, and that’s what we are doing. We are using pieces of hardware to replace that software that would be installed to provide detection and response.”

Integrating DPUs and GPUs into control systems bolsters cybersecurity in many ways, including harnessing the unique power of AI. For example, AI can analyze the enormous volume of raw data across a network and perform signature analysis to detect malware. AI can also incorporate heuristics and behavior to identify potential attacks.

This added intelligence can be especially helpful in understanding false positive alerts, which are a major challenge in cybersecurity. “Where the AI comes in is by analyzing all these different alerts, the raw traffic, and making the defenders’ job easier by filtering through things like false positives, but then also identifying attacks that maybe otherwise wouldn’t be seen,” Lawrence said.

The fast processing power that AI demands, which DPUs and GPUs can deliver, can’t be matched by a NIC. “Traditionally, those perform basic functions, like communication, and that’s about it,” Lawrence said. “But AI requires lots of processing power, and DPUs and GPUs working together provide it. The DPUs can analyze data locally in real-time as it comes in, and then we have a separate communication back to the centralized GPU platform.” Think of it this way: the DPUs provide a frontline, initial layer of analytics, detection, and response, while the GPUs aggregate data to diagnose and respond to attacks even more powerfully.

Design

The initial phase of the project will be devoted to developing two lab proof-of-concept control system architectures following design engineering, stakeholder working groups, and software development. This first phase will take place in EPRI’s Charlotte laboratory and Clemson University’s lab.

Once the proof-of-concept designs are completed, they will be thoroughly tested in the lab. This will include assessing the basic functionality of the HASE, such as its effectiveness in detecting attacks. Then, the HASE platform will be subjected to a wide variety of simulated cyberattacks based on prevalent attack techniques highlighted by cyber threat intelligence (CTI) and attack frameworks developed by the not-for-profit organization MITRE. “We are going to see if HASE can protect and defend against attacks better than a software-based defense,” Lawrence said. “We want to see where there are weaknesses, and then we will tune HASE to solve those weaknesses.”

The design and lab testing phase will also include an assessment of HASE based on EPRI’s Cybersecurity Technical Assessment Methodology (TAM). TAM is a risk-informed methodology that provides step-by-step guidance that helps power plant operators assess their cyber defenses by prioritizing the protection of devices that are most essential to plant operations. Initial design work will also be informed by Cyber Informed Engineering (CIE) principles developed by the U.S. Department of Energy (DOE) and the Department of Homeland Security (DHS).

Utility Demonstration

The second phase of the project will be to demonstrate HASE in real-world utility conditions. Before that step, HASE must meet certain effectiveness, coverage, and compatibility metrics. “We want to make sure HASE is as good or better than existing solutions before we move forward to a utility demonstration,” Lawrence said. “We don’t want to introduce something that is less effective or isn’t compatible with what a utility is already doing.”

Once the lab work and utility demonstration are complete, an important deliverable of the HASE project is a commercialization plan. HASE is not meant to be a research and development (R&D) project yielding abstract lessons that can’t be applied. Developing a commercial strategy as part of the project is designed to speed the uptake of a more robust cybersecurity solution.

Strong Demand for Enhanced Security Tools

There is demand among utilities for more sophisticated cybersecurity tools that meet the needs of a changing power system. One indication of the demand is the participation of utilities like Con Edison, Ameren, and Southern Company in the HASE project.

For Charles Boohaker, principal engineer, research, environment, and sustainability for Southern Company Services, Inc., the potential for greater OT visibility was a big draw to partner in HASE. “As an operator of a large generating fleet, Southern Company is always looking for ways to improve the visibility and security of the OT network,” Boohaker said. “That’s why I am excited about the proposed R&D project that aims to develop hardware-based offloading solutions that can integrate with the existing fleet and generate more actionable alerts.”

Joseph Bradley, Sr., manager of cybersecurity at Ameren Digital, was eager to join the HASE project because it promises compatibility and flexibility to defend OT assets. “As a company that operates a wide range of critical infrastructure facilities, we need security detection solutions that are compatible with a wide range of OT equipment. The proposed Hardware Based project (HASE) is an agentless solution that provides the same visibility and control as an agent but with minimal overhead and impact on the device,” Bradley said. “These approaches increase interoperability across a wide array of OT devices, from legacy PLCs to modern IoT sensors. Having the ability to improve the cybersecurity capabilities of critical infrastructure environments without needing to rip and replace significant components will significantly improve our ability to adapt effectively.”

Even as the HASE project moves forward, Lawrence can already anticipate future research and partnerships that can fully leverage the security benefits of hardware at the edge. For instance, control system vendors could integrate the hardware directly into their new products or retrofit existing control systems to include them. Future research could aid that effort by reducing the form factor of the hardware.

Regardless of the exact form or forms it takes, the use of hardware to better protect OT assets is a distinctive shift in how utilities can ensure cybersecurity. “It’s a different approach. The same old, same old is installing software. We want to make this as secure as possible right out of the box,” Lawrence said. “It’s a bit of a paradigm shift, and that’s why I’m excited about it.”

EPRI Technical Expert:

Jeremy Lawrence
For more information, contact techexpert@eprijournal.com.