President Obama wasn’t necessarily talking about General Electric in a recent interview that touched on cybersecurity, which he said should focus less on traditional "walls" and take more of a cue from medicine and the way doctors fight viruses.
Nevertheless, that’s exactly the approach the industrial giant is taking as part of a Department of Energy (DoE)-funded project to build a new layer of protection for industrial control systems in power networks. The approach calls for a team of scientists at GE Global Research—a kind of innovation unit inside GE—to think about cybersecurity in terms of human biology. They’ll use what they learn from how the body identifies and attacks threats like pathogens and infections to help the company take its ability to ward off cyberattacks to the next level.
Fittingly, the GE engineer leading the project, Lalit Mestha, also has a background in biomedical engineering.
GE’s machines already use sensors that can detect or even forecast potential cyberdisruptions, Mestha says. The team wants to go beyond detecting anomalies, though, and enable the use of controls technology to equip machines to automatically adjust their own operations in response to attacks it detects itself—the same way the human body does.
"The first two years we’re doing R&D," Mestha says. "In that stage, we’re trying to do the detection of the attacks. It’s like a pathogen coming through the body. Inside the body, we have the lymphatic system, and the lymphatic system has cells that do the surveillance and detection."
That’s what GE is trying to replicate—a detection system, Mestha explains, that’s as good as what the human body uses to flag and repel pathogens and other invaders.
"Any stealthy attacks, false data injection attacks, any that come through the system—we want to be able to detect them," says Mestha, who has studied closely how endocrine, respiratory, circulatory, and other systems interact. "And then, after you detect, what does the body do? It creates a defense. These cells that go in to kill these pathogens, they come and start attacking. What we propose to do is, once we do the detection, we want to neutralize the attack. Learning from the human body is what we’re trying to accomplish here. Overall, the principal is similar."
Mestha says GE’s project will span three years. It’s one of 12 awards totaling $34 million in investment from the DoE for projects meant to upgrade and protect the nation’s energy infrastructure.
The DoE’s award to GE was about $3 million. With a cost share from GE, the total project funding will top $4 million.
Funding is also going to entities like the National Rural Electric Cooperative Association in Arlington, Virginia, which is working on a project to develop technology that quickly identifies anomalies in electric utility control communications. GE’s specific task, according to the DoE, includes a mandate to "develop and demonstrate an automatic cyberattack anomaly detection and accommodation system for power plants."
Thinking about new and different tools to defend against today’s cybersecurity threats is, of course, no mere academic exercise. Device security, hacking, the proliferation of cyberthreats, and inherent security gaps in the so-called Internet of Things (IoT) have all captured significant attention in recent days, especially with the widespread cyberassault that attacked much of the web in late October—an attack that relied on co-opted IoT devices and hit everything from Twitter to the New York Times.
Only days beforehand, leading security expert Bruce Schneier parsed some worrying signs and produced a prescient blog post with the headline: "Someone is Learning How to Take Down the Internet."
It’s the kind of thing that keeps GE’s scientists and engineers up at night—the idea that the next cyberattack could target the nation’s power infrastructure. This is all the more troubling considering that, according to GE, the utility giant produces about one-third of the world’s electricity.
Justin John, manager of optimization and controls at GE Global Research, describes what GE is doing with its human body-related project—specifically, its development of a "detection algorithm"—as adding another layer to the two traditional layers of security in control systems.
"The two layers of cybersecurity today are the traditional IT layer—things like Norton, Symantec, and we have our own product. And the outer layer called the OT [operational technology] layer," John says.
"Once you’re past that, you’re into the actual control system, into that part that’s controlling your actuators and getting feedback from your sensors. That’s the basic infrastructure you have in any single controls system in the world, regardless of what company you’re talking about. What we’re trying to do here is just add a brand new layer that raises the bar of difficulty [for an attack]."