The objective of this project was to implement, and successfully demonstrate, an aware, fault and intrusion tolerant cyber defense-in-depth for a power plant’s control system network. A power plant operating with the cyber defense-in-depth technologies used in this project would be cyber-secure, Byzantine fault tolerant, and aware. A plant thus protected would be able to withstand nation state equivalent cyber-attacks. Demonstrating this cyber defense onsite in a commercial utility company’s power plant shows a practical cyber-secure path forward for DoD, Department of Homeland Security (DHS), and commercial utilities.

This project demonstrated a fault, intrusion tolerant, and cyber aware defense-in-depth of a utility grid SCADA architecture from the SCADA Master computer to the remote terminal units (RTU), and Programmable Logic Controllers (PLC) that control access to the field network endpoints. The fault and intrusion tolerant communications overlay was augmented with a machine-learning sensor (MLS), the Machine-learning Assisted Network Analyzer (MANA^TM) Network Intrusion Detection System (NIDS), trained to monitor SCADA information exchanges. It maintained situational awareness of traffic behavior within the Corporate Enterprise and Operations Technology (OT) networks. The fault and intrusion tolerant layers were provided by DARPA sponsored Johns Hopkins’ Spire technology consisting of a communications overlay on the SCADA network to assure reliable and timely information exchanges between the Human Machine Interface (HMI) and the RTUs and PLCs. The Spire solution, also featured an intrusion-tolerant replication solution to ensure system availability by presenting a diverse attack surface to an attacker. The defense-in-depth solution also took advantage of a DARPA R&D effort “Automating the Training of Machine-Learning Sensors” (ATMS) to reduce the labor intensive aspects of training of machine-learning algorithms for cyber defense applications. Technology performance was measured quantitatively by assessing the effectiveness of a Sandia National Lab red team to affect SCADA information exchange data properties of Confidentiality, Integrity, and Availability in the layered defense-in-depth architecture.  A NIST compliant, but otherwise undefended, architecture served as a control for the experiment.

The MANA^TM NIDS was able to detect all attacks from initial reconnaissance through exploit and port denial of service to hide the exploits. As a passive NIDS, MANA^TM did not induce latency or errors in the plant’s control systems, communications, or devices.

No systems protected by Spire were compromised. Illegal commands given to Spire protected plant equipment were ignored by the multi-compiled Prime replications within Spire. Additionally, neither MANA^TM nor Spire induced latency or errors in the plant’s control systems, communications, or devices. Plant engineers observed that in some areas Spire’s response time was faster (approximately twice as fast) than the baseline system.

The primary implementation issue is inertia and resistance to change. For an information technology professional, implementation of the Critical Energy Infrastructure Cyber Defense-in-Depth will be no harder than any standard day-to-day IT task using tools and technology they are familiar with. Except, that they will be installing in a power plant where they have no experience and may literally be lost. Conversely, for the plant engineer or operations technology network professional, this will be all new, even though it has been done routinely in the enterprise part of the utility’s network for decades. Plant personnel will also have one more screen to monitor, but it will provide near real-time, highly correlated, cyber situational awareness of threats to the plant.