
IES ConnectWerx Proposal: Securing ENergy Technology ResiliencY (SENTRY)


Intelligent Energy Systems (IES), the pioneering designers and integrators of renewable distributed energy resources in the islanded microgrids of Western Alaska, proposes to develop, demonstrate, and most importantly deploy the A* framework and the Green Defender and Green Sentinel devices, which are unique enablers of a secure, efficient, and reliable DAMS, including protection for legacy systems and isolated community-scale utilities.

The proposed project would be completed in a 12-month period and would use prior experience, existing grant funding, and technology development for related components to optimize outcomes.

It is tailored to the specific needs of operators of islanded community-scale utilities and data centers, including advanced management control frameworks that are secure by design, with leading cybersecurity solutions natively embedded.

The group claims no expertise in the generic desktop IT area; we do, however, claim expertise in the development of provably secure and reliable control systems, operating systems, and electrical systems over the past 25 years. Team members have deployed systems for the United States Antarctic Program, have extensive experience in formal verification and operating systems, and have the experience required to ensure operational integrity and resilience during grid integration.

These systems are based around four unique solutions:

  1. Green Defender, which provides Man In the Middle Defense: each asset has its own Green Defender device, which allows us to track all communications and provides resilient operation in the event of a communications attack or failure.

[Figure: Green Defender placement. Threats (network, IoT, SCADA) arrive on the outside Ethernet; the Green Defender filters (Fix/Find) traffic before the inside Ethernet reaches the device under protection, e.g., a legacy BESS, generator, or WTG. History (versions, logs) is append only, so the operator can ask: What has changed? Why? How to make it safe?]

The MicroKit platform that will be a basis for this was developed by Trustworthy Systems and IES staff. This is based on top of seL4, which provides a unique provable basis for isolation and security.

  1. Formally verified Operating Systems based on the Trustworthy Systems, Laot and A*. The team includes Professor Gernot Heiser, FACM, FTSE, FIEEE, who led the team that produced seL4, the world’s first operating system with a mathematical proof of information correctness. He also co-founded Open Kernel Labs, which led to the L4-embedded microkernel being deployed on billions of mobile devices. OK Labs was sold to General Dynamics in 2012. Other members have experience in applying formal methods to the development of defibrillators.
  2. Operational Focus: the team is not focused on IT systems; instead it proposes simple, operationally focused, formally verified systems with a design lifetime of 25 years.
  3. A* model for operational users, including configuration of the entire system, e.g., the model allows operations to securely perform updates using a modern distributed Append Only version control system.
  4. Reliable recording without data loss from sampling, thanks to the man in the middle architecture.

At the heart of this DAMS effort is the Green Defender, a stand-alone device installed in front of individual energy assets to provide device-level cybersecurity and control. It acts as a trusted gateway, intercepting all external commands before they reach the device.

  1. Green Defender: a per asset/device protection device placed on the control channel between generation assets and the upper-level control system, providing:
    • Policy based defense, e.g., limit voltage setpoint changes to +/- 0.1V/s.
    • Reliable recording which does not miss data samples due to sampling/polling/location since it sits directly in front of each asset and can see all.
    • Provides Man In the Middle defense including defense against data attacks.
    • In particular, provides protection to legacy and PLC systems.
    • Provides per device monitoring in order to detect attacks from unexpected network sources.
  2. Green Sentinel: this provides reliable data recording and deals with the issues of:
    • Power Purchase Agreement: who did what when, who should pay the penalties.
    • Detailed electrical and other system modeling using the A* framework, e.g., if the grid goes down now, how much will voltage drop in the Data Center.
    • Visualisation of the data collected by the Green Defender and Green Sentinel using a simple framework (A*).
  3. A*: a framework providing whole of life for a system. This provides a system for whole of system analysis and reporting and is funded by the OE0000976-IES MICROGRID/FOA 2934/Update Collaborative Development Micro-grid Controller for Remote Communities. The technology will be applied to the security analysis area in order to provide:
    • Whole of System Threat Analysis, i.e., it will describe how any attacker would move across the network/systems in order to damage plant or supply.
    • The team includes members with extensive experience in power electronics and generation, which allows us to effectively model these attacks.
  1. Protection of a generation asset for a data center from external attack via the communications interface to the utility. The unique features are:

    • Formally verified assured isolation of components using seL4, MicroKit, and LionsOS.
    • Policy protection using the Laot and A* providing device level protection, e.g., limit changes to V-set to +/- 0.1V/s between 670..680V.
    • This is based around the Green Defender, which is a small controller that protects each device. This is particularly required for legacy devices.
  2. Assured recording and analysis of both electrical and control data for use in options and power purchase agreement enforcement. The unique features are:

    • Since the Green Defender sits in line between the control system and the asset, it can observe and record all data with no risk of losing data to sampling rates or polling.
    • This is intended to avoid arguments between parties about whether the battery stopped by itself or because of a command.
    • Append Only data recording including configuration changes across the system.
  3. The A* system provides a whole of system version control system that is:

    • Reliable and Append Only.
    • Easily checked by the operations team to see what has changed in the system in the last week.
  4. The A* framework provides support for the entire life cycle including site investigations, modeling, control, testing and deployment.

The information flow looks like:

[Figure: information flow. Threats (network, IoT, SCADA) on the outside Ethernet pass through Outsider Protocols, a State Limiter (limits on values), a State Checker (final safety checks), and Insider Protocols before the inside Ethernet reaches the device under protection (BESS, gas turbine, ...). Read-only Watchers feed a Logger (what's happened) and a View (what's happening); History and Visualization serve Operations/Operator; Green Sentinel keeps a blockchain-style Append Only version control; existing systems need no change.]

So What? Isn’t this just Common Good Practice?


The Laot Anti-FAQ describes some of the challenges solved by this system, including:

  1. How do you protect a 12-year-old system using Windows 10 for its human interface?
  2. How can you protect my legacy (or current) system if the company supplying it is out of business?
  3. How can you protect against control system attacks such as Stuxnet or Aurora?
  4. How do you secure 20 million lines of code for your Linux OS when the error rate is 1 error per 1000 lines of code?

The proposed answers are the Green Defender and Green Sentinel systems, which uniquely provide:

  1. Man In the Middle Defense based on a Formally Verified Operating System seL4/MicroKit. One of the authors was involved in the development of the MicroKit and has developed distributed power systems.
  2. Provably Reliable Distributed Control and Monitoring for utility and isolated power systems, with low ceremony. The A* framework is intended to reduce the variety of platforms that operations must deal with.
  3. Analysis including electrical modeling based on the models and data collected.

Version and change control of systems is of vital importance, yet many modern control systems do not support it in any meaningful way. This system uses version control that is:

  1. Distributed, per component.
  2. Append only, i.e., history cannot be changed.
  3. Strongly signed.
  4. Easily navigable for the operations team.

This is not new in the software industry but remains a challenge for large legacy systems as well as standalone and remote community-scale systems.

Reliable measurement of control signals is a challenge, which this technology addresses effectively. In particular, all samples are captured by the recorders, unlike polling systems, which may miss samples. This avoids the uncomfortable question of whether an incorrect command was sent to a device and not recorded.
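As an added illustration (not the proposal's own code, which is not shown on this page), the following C sketch models the State Limiter / State Checker stage of the information flow above together with the append-only command history: every V-set command is range-checked against the proposal's 670..680 V window and rate-limited to 0.1 V/s, and every command, accepted or rejected, is appended to a hash-chained log so that any later edit is detectable. The function and type names, the integer mV/ms units, and the FNV-1a chain are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Limits from the proposal in integer units (mV, ms) so the checks are exact on an embedded target:
 * V-set must stay within 670..680 V and may change by at most 0.1 V/s. last_* hold the last accepted command. */
typedef struct { int32_t v_min_mv, v_max_mv, max_rate_mv_s, last_v_mv; int64_t last_t_ms; } setpoint_policy;
enum { SP_ACCEPT = 0, SP_REJECT_RANGE = 1, SP_REJECT_TIME = 2, SP_REJECT_RATE = 3 };
/* One record per command, accepted or not; chain links each entry to its predecessor. */
typedef struct { int64_t t_ms; int32_t v_mv; int32_t verdict; uint64_t chain; } log_entry;
#define CHAIN_SEED 14695981039346656037ULL  /* FNV-1a 64-bit offset basis (assumed construction) */
static log_entry g_log[64];
static size_t g_log_len;
static uint64_t fnv1a(uint64_t h, const void *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= ((const unsigned char *)p)[i]; h *= 1099511628211ULL; }
    return h;
}
/* Chain = FNV-1a over (previous chain, t, v, verdict): tamper-evident only, not a MAC or the signature the proposal calls for. */
static uint64_t entry_chain(uint64_t prev, const log_entry *e) {
    uint64_t h = fnv1a(prev, &e->t_ms, sizeof e->t_ms);
    h = fnv1a(h, &e->v_mv, sizeof e->v_mv);
    return fnv1a(h, &e->verdict, sizeof e->verdict);
}
/* Append-only: an entry is written once and never updated in place. */
static void log_append(int64_t t_ms, int32_t v_mv, int32_t verdict) {
    if (g_log_len >= sizeof g_log / sizeof g_log[0]) return;  /* a real device would roll to persistent storage */
    log_entry e = { t_ms, v_mv, verdict, 0 };
    e.chain = entry_chain(g_log_len ? g_log[g_log_len - 1].chain : CHAIN_SEED, &e);
    g_log[g_log_len++] = e;
}
/* Walk the chain; an edited or deleted entry breaks every later link. Returns 1 if intact. */
int log_verify(void) {
    uint64_t prev = CHAIN_SEED;
    for (size_t i = 0; i < g_log_len; i++) {
        if (entry_chain(prev, &g_log[i]) != g_log[i].chain) return 0;
        prev = g_log[i].chain;
    }
    return 1;
}

/* State Checker (range, monotonic time) then State Limiter (rate) for one V-set command. */
int policy_check(setpoint_policy *p, int32_t v_mv, int64_t t_ms) {
    int64_t dt = t_ms - p->last_t_ms, dv = (int64_t)v_mv - p->last_v_mv;
    if (dv < 0) dv = -dv;
    int32_t verdict = SP_ACCEPT;
    if (v_mv < p->v_min_mv || v_mv > p->v_max_mv) verdict = SP_REJECT_RANGE;
    else if (dt <= 0) verdict = SP_REJECT_TIME;  /* replayed or out-of-order command */
    else if (dv * 1000 > (int64_t)p->max_rate_mv_s * dt) verdict = SP_REJECT_RATE;
    if (verdict == SP_ACCEPT) { p->last_v_mv = v_mv; p->last_t_ms = t_ms; }
    log_append(t_ms, v_mv, verdict);  /* every command is recorded, whatever the verdict */
    return verdict;
}
```

Rejected commands are logged alongside accepted ones because, as the text notes, the useful question after an incident is what was attempted, not only what got through.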

Of particular concern is that modern industrial PLCs and historians use a shared storage model in which an error in one part can corrupt another. This is prevented in this system by the use of the seL4 Operating System.

We also make extensive use of Design By Contract and Isolation in all parts of the system to ensure reliability.

The particular areas where A* is different from the systems the author is familiar with are: \note{Distinct from other efforts?}

  1. Automated generation of a whole of life system model including controls, financials, testing and operational data suitable for islanded remote community utilities.
  2. Distributed Man In the Middle measurement and defense using a formally verified Operating System and Design By Contract. The team has members with significant expertise and experience in these areas.
  3. Emphasis is on using existing toolsets and subject matter expertise in order to cooperate with other efforts. The system includes the ability to use components with separate licensing, formal revision control and bill of materials generation. \note{How will your proposed solution fit into the existing ecosystem, including any potential positive interactions with existing technologies?}
  4. The whole of lifetime and support using a framework that includes existing tools and expertise. For example, we can capture the entire system as part of our normal microgrid development process and then use that data for a security/penetration analysis using Commercial Off The Shelf technologies.
  5. The emphasis is on Small, Safe, Secure and Simple.

The proposal does not:

  1. Deal with traditional IT security and analysis. We are approaching this from the OT and tradesman side. We do have a strategy for long term support of tools based around the methods described previously. This is crucial.
  2. Use large systems which cannot be verified and validated independently.
  3. Include significant one time reports. Instead, it concentrates on the demonstration of appropriate reporting, which will be able to be reused in support of these systems.

It will significantly advance the state of the art in distributed high renewable contribution systems at low risk in relation to the project goals. It also builds on previous DOE and Australian Defence Force funding.

Summary: common good practice is not as common as we would hope and this project aims to improve it for both small and large organizations.

Who: Organizations, Team Members and Roles


Dennis Meiners - Project Leader, Founder/CEO of IES, which has spearheaded the development of microgrid technology since its beginning in Alaska, including developing high-contribution wind/solar/diesel systems with remote controls for Alaska communities such as Atmautluak, Kongiganak, Kwigillingok, Chefornak, Kipnuk, and Kwethluk.

  • Design of village-scale high contribution renewable/diesel energy systems
  • Deployment of advanced grid stabilization technologies, energy storage, load control, microgrid controllers
  • Community-led microgrid design tailored for remote communities

Phil Maker - Technical Lead, Architect for A* and member of the Laot team developing MicroKit with Gernot Heiser and the Trustworthy Systems team at UNSW. Phil’s experience has included:

  • Development of the Laot system.
  • GE Microgrid Architect for Asia Pacific (aka A*).
  • Development of distributed systems including deploying them to McMurdo.
  • Adjunct Research Professor at ACEP.

Ian Knapp - Data Scientist, Intelligent Energy Systems

  • Developed data collection systems for power systems
  • Conducted statistical analysis of power production data
  • Commissioning of control, battery energy storage, and network metering systems

Team members have developed and deployed distributed microgrid systems in Alaska, the Azores, Australia, Asia and Antarctica since the initial work in the area. All of these systems have had high reliability and security requirements within limited budgets.

Professor Gernot Heiser FACM, FIEEE, FTSE led the team that produced seL4, the world’s first operating system with a mathematical proof of information correctness.

He co-founded Open Kernel Labs, which led to the L4-embedded microkernel being deployed on billions of mobile devices. OK Labs was sold to General Dynamics in 2012.

Trustworthy Systems have around 30 full-time staff whom we will use on an as-required basis.

We have reviewers organized in order to check assumptions, in particular Dave Middleton and Kirk Wolffe.

We believe the project is both technically and commercially feasible and solves real problems. To summarize:

  1. Develop: Green Defender
  2. Demonstrate: Man in the Middle Defense
  3. Demonstrate: Electrical systems based attack reliability based on the A* model. In essence, an attack graph and reliability results suitable for small utilities.
  4. Deploy: to a single site and provide training, which is the key to longer term support in small utilities.
  1. The application is unique, useful, achievable, and cost-effective.
  2. It clearly has substantial commercial areas of application in all electrical systems.
  3. It’s small, safe, secure and simple.

Further Requests for Information Requirements

  1. Short presentations.
  2. Videos/Screen Casts.
  3. Resumes for all staff.
  4. Project references and letters of support.

We appreciate the low ceremony approach adopted by ConnectWerx.