The Department of Defense (DoD) operates over 500,000 buildings and structures, a diverse inventory encompassing barracks, commissaries, data centers, office buildings, laboratories, and aircraft maintenance depots. As DoD works towards incorporating more networked (“smart”) devices to improve building operational efficiency and increase capability, the threat of and vulnerability to cyber-attacks have also increased. In fact, it is one of the fastest growing threats to DoD installations’ information technology (IT) and operational technology (OT). SCADA (Supervisory Control and Data Acquisition) systems must ensure continuous availability and correct operation in the presence of compromises and attacks at both the system and network level. Currently, the most common approach to protecting OT from cyber-attack is to create a separate, dedicated control system network that is “air gapped” from the business network and the public internet. In many cases, this approach is cost prohibitive and still requires additional process security measures to ensure protection from the various threat vectors.

To fully realize the benefits of smart technologies, new solutions for identifying and protecting against cyber threats need to be developed. To address this critical need, ESTCP issued a topic on cybersecurity, “Cybersecure Connectivity for Energy System Components and Military Installation Energy Infrastructure”, under its FY16 annual solicitation. The topic called for proposed solutions that would improve installation energy systems’ cybersecurity by enabling components of building energy systems to use military networks to send/receive data and control signals and to automatically sense and respond to ancillary service signals. These solutions are required to meet the DoD Risk Management Framework (RMF) requirements.

One of the proposed solutions selected under this topic was the project EW-201607, Critical Energy Infrastructure Cyber Defense In-Depth, led by Mr. Kevin Jordan of Resurgo, LLC. The objective of this project was to successfully demonstrate an intrusion-tolerant, cyber-secure defense-in-depth of an electrical power plant against attacks representative of Tier V/nation-state actors, and to demonstrate a new capability to mitigate and recover quickly from online and insider cyber activities directed against SCADA infrastructure.

In the demonstration, two technologies, the Machine-learning Assisted Network Analyzer (MANA™) and Spire, were used to defend the Hawaiian Electric Company (HECO) power plant in an operational test. Spire is a suite of fault- and intrusion-tolerant technologies, and MANA is an Intrusion Detection System (IDS) that uses machine-learning based tools to catch new and morphed (altered) attacks that traditional signature sensors cannot catch. Both Spire and MANA are compatible with all networks using IP-based traffic, including variations such as MODBUS over Transmission Control Protocol/Internet Protocol (TCP/IP). Spire defended the network and certain hardware, while the MANA™ Network Intrusion Detection System (NIDS) provided the operator with the cyber situational awareness (SA) missing from the Spire technologies. The MANA™ NIDS is passive and received all traffic via a one-way network tap. Together, both technologies successfully defended the HECO plant from intrusion attack.
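To make concrete what a passive NIDS on a one-way tap can see in MODBUS over TCP/IP traffic, the following is an added illustration, not code from MANA, Spire, Resurgo, or this project. It parses the MODBUS/TCP MBAP header and function code of captured request frames and raises alerts for malformed frames, for write requests from hosts outside a hypothetical allow-list of HMI addresses, and for function codes outside the monitored read/write set. The IP addresses, the allow-list, and the sample frames are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# MODBUS function codes that change plant state vs. those that only read it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

# Hypothetical allow-list: the only HMI permitted to issue write commands.
AUTHORIZED_WRITERS = {"10.0.0.10"}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    protocol_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus the PDU function code of one TCP payload."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    # The MBAP length field counts the unit id byte plus the PDU that follows it.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, tid, pid, uid, payload[7], payload[8:])


def inspect(req: ModbusRequest) -> list[str]:
    """Apply simple policy checks to a parsed request and return alert strings."""
    alerts = []
    prefix = f"{req.src} -> {req.dst} unit {req.unit_id}"
    if req.protocol_id != 0:  # MODBUS/TCP always uses protocol id 0
        alerts.append(f"{prefix}: non-MODBUS protocol id {req.protocol_id}")
    fc = req.function
    if fc in WRITE_FUNCTIONS:
        if req.src not in AUTHORIZED_WRITERS:
            alerts.append(f"{prefix}: unauthorized {WRITE_FUNCTIONS[fc]} (fc {fc})")
    elif fc not in READ_FUNCTIONS:
        alerts.append(f"{prefix}: function code {fc} outside monitored read/write set")
    return alerts


def monitor(frames: list[tuple[str, str, bytes]]) -> list[str]:
    """Run every captured (src, dst, payload) tuple through parsing and inspection."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(src, dst, payload)
        except ValueError as err:
            alerts.append(f"{src} -> {dst}: malformed frame ({err})")
            continue
        alerts.extend(inspect(req))
    return alerts


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Helper to construct a well-formed MODBUS/TCP request for the sample capture."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample capture: one benign read, one authorized write,
# one write from an unexpected host, one diagnostics request, one bad length field.
SAMPLE_FRAMES = [
    ("10.0.0.10", "10.0.1.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.0.0.10", "10.0.1.5", build_frame(2, 1, 6, struct.pack(">HH", 40, 1))),
    ("10.0.0.77", "10.0.1.5", build_frame(3, 1, 5, struct.pack(">HH", 0, 0xFF00))),
    ("10.0.0.77", "10.0.1.5", build_frame(4, 1, 8, struct.pack(">HH", 1, 0))),
    ("10.0.0.77", "10.0.1.5", b"\x00\x05\x00\x00\x00\x30\x01\x03"),
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_FRAMES):
        print(line)
```

Because the monitor only reads frames, it can sit behind a one-way tap exactly as the passive NIDS above does; it never injects traffic onto the control network. A real deployment would replace the static allow-list and function-code sets with a baseline learned from normal plant traffic, which is where machine-learning based detection of new or altered attacks comes in.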

The MANA™ NIDS was able to detect all attacks, from initial reconnaissance through exploitation and the port denial of service used to hide the exploits. Spire successfully protected all systems on which it was implemented. Illegal commands issued to Spire-protected plant equipment were ignored by the multi-compiled Prime replicas within Spire. Additionally, neither MANA™ nor Spire induced latency or errors in the plant’s control systems, communications, or devices. Plant engineers observed that in some areas Spire’s response time was faster (approximately twice as fast) than that of the baseline system.

Additional details on the performance and cost can be found in the Final Report, which will soon be posted on the project webpage.