{"id":5690,"date":"2022-10-04T16:42:00","date_gmt":"2022-10-04T16:42:00","guid":{"rendered":"https:\/\/new.www.purdue.edu\/newsroom\/?p=5690"},"modified":"2024-07-16T16:45:34","modified_gmt":"2024-07-16T16:45:34","slug":"as-ransomware-attacks-increase-new-algorithm-may-help-prevent-power-blackouts","status":"publish","type":"post","link":"https:\/\/www.purdue.edu\/newsroom\/2022\/Q4\/as-ransomware-attacks-increase-new-algorithm-may-help-prevent-power-blackouts","title":{"rendered":"As ransomware attacks increase, new algorithm may help prevent power blackouts"},"content":{"rendered":"<div class=\"purdue-initial-words-wrap\"><p class=\"purdue-initial-words\">WEST LAFAYETTE, Ind. &mdash;<\/p> \n<p><a href=\"https:\/\/www.bloomberg.com\/news\/features\/2022-01-26\/what-happens-when-russian-hackers-cyberattack-the-u-s-electric-power-grid\" target=\"_blank\" rel=\"noreferrer noopener\">Millions of people<\/a>\u00a0could suddenly lose electricity if a ransomware attack just slightly tweaked energy flow onto the U.S. power grid.\u00a0<\/p>\n<\/div>\n\n\n<p>No single power utility company has enough resources to protect the entire grid, but maybe all&nbsp;<a href=\"https:\/\/www.cfr.org\/backgrounder\/how-does-us-power-grid-work\" rel=\"noreferrer noopener\" target=\"_blank\">3,000 of the grid\u2019s utilities<\/a>&nbsp;could fill in the most crucial security gaps if there were a map showing where to prioritize their security investments.&nbsp;<\/p>\n\n\n\n<p>Purdue University researchers have developed an algorithm to create that map. 
Using this tool, regulatory authorities or cyber insurance companies could establish a framework that guides the security investments of power utility companies to parts of the grid at greatest risk of causing a blackout if hacked.<\/p>\n\n\n\n<p>Power grids are a type of&nbsp;<a href=\"https:\/\/www.cisa.gov\/critical-infrastructure-sectors\" rel=\"noreferrer noopener\" target=\"_blank\">critical infrastructure<\/a>, which is any network \u2013 whether physical like water systems or virtual like health care record keeping \u2013 considered essential to a country\u2019s function and safety. The&nbsp;<a href=\"https:\/\/www.cnet.com\/personal-finance\/crypto\/a-timeline-of-the-biggest-ransomware-attacks\/\" rel=\"noreferrer noopener\" target=\"_blank\">biggest ransomware attacks in history<\/a>&nbsp;have happened in the past year, affecting&nbsp;<a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-040a\" rel=\"noreferrer noopener\" target=\"_blank\">most sectors of critical infrastructure<\/a>&nbsp;in the U.S. such as&nbsp;<a href=\"https:\/\/www.nbcnews.com\/news\/us-news\/ransomware-hackers-find-vulnerable-target-us-grain-supply-rcna2702\" rel=\"noreferrer noopener\" target=\"_blank\">grain distribution systems<\/a>&nbsp;in the food and agriculture sector and the&nbsp;<a href=\"https:\/\/www.cnet.com\/news\/privacy\/fbi-says-darkside-hacking-group-responsible-for-pipeline-cyberattack\/\" rel=\"noreferrer noopener\" target=\"_blank\">Colonial Pipeline<\/a>, which carries fuel throughout the East Coast.<\/p>\n\n\n\n<p>With this trend in mind, Purdue researchers evaluated the algorithm in the context of various types of critical infrastructure in addition to the power sector. The goal is that the algorithm would help secure any large and complex infrastructure system against cyberattacks.&nbsp;<\/p>\n\n\n\n<p>\u201cMultiple companies own different parts of infrastructure. 
When ransomware hits, it affects lots of different pieces of technology owned by different providers, so that\u2019s what makes ransomware a problem at the state, national and even global level,\u201d said&nbsp;<a href=\"https:\/\/engineering.purdue.edu\/ECE\/People\/ptProfile?resource_id=3261\" rel=\"noreferrer noopener\" target=\"_blank\">Saurabh Bagchi<\/a>, a professor in the&nbsp;<a href=\"https:\/\/engineering.purdue.edu\/ECE\" rel=\"noreferrer noopener\" target=\"_blank\">Elmore Family School of Electrical and Computer Engineering<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/www.cerias.purdue.edu\/\" rel=\"noreferrer noopener\" target=\"_blank\">Center for Education and Research in Information Assurance and Security<\/a>&nbsp;at Purdue. \u201cWhen you are investing security money on large-scale infrastructures, bad investment decisions can mean your power grid goes out, or your telecommunications network goes out for a few days.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Protecting infrastructure from hacks by improving security investment decisions<\/strong><\/h2>\n\n\n\n<p>The researchers tested the algorithm in simulations of previously reported hacks to four infrastructure systems: a smart grid, industrial control system, e-commerce platform and web-based telecommunications network. They found that use of this algorithm results in the optimal allocation of security investments for reducing the impact of a cyberattack.<\/p>\n\n\n\n<p>The team\u2019s findings appear in a paper presented at this year\u2019s&nbsp;<a href=\"https:\/\/www.computer.org\/csdl\/proceedings-article\/sp\/2022\/131600b535\/1CIO7F5lHxe\" rel=\"noreferrer noopener\" target=\"_blank\">IEEE Symposium on Security and Privacy<\/a>, the premier conference in the area of computer security. The team comprises Purdue professors Shreyas Sundaram and Timothy Cason and former PhD students Mustafa Abdallah and Daniel Woods.<\/p>\n\n\n\n<p>\u201cNo one has an infinite security budget. 
You must decide how much to invest in each of your assets so that you gain a bump in the security of the overall system,\u201d Bagchi said.<\/p>\n\n\n\n<p>The power grid, for example, is so interconnected that the security decisions of one power utility company can greatly impact the operations of other electrical plants. If the computers controlling one area\u2019s generators don\u2019t have adequate security protection, then a hack to those computers would disrupt energy flow to another area\u2019s generators, forcing them to shut down.<\/p>\n\n\n\n<p>Since not all of the grid\u2019s utilities have the same security budget, it can be hard to ensure that critical points of entry to the grid\u2019s controls get the most investment in security protection.<\/p>\n\n\n\n<p>The algorithm that Purdue researchers developed would incentivize each security decision maker to allocate security investments in a way that limits the cumulative damage a ransomware attack could cause. An attack on a single generator, for instance, would have less impact than an attack on the controls for a network of generators. Power utility companies would be incentivized to invest more in security measures for the controls over a network of generators rather than for the protection of a single generator.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Building an algorithm that considers the effects of human behavior<\/strong><\/h2>\n\n\n\n<p>Bagchi\u2019s research shows how to increase cybersecurity in ways that address the interconnected nature of critical infrastructure but don\u2019t require an overhaul of the entire infrastructure system to be implemented.<\/p>\n\n\n\n<p>As director of Purdue\u2019s&nbsp;<a href=\"https:\/\/engineering.purdue.edu\/CRISP\" rel=\"noreferrer noopener\" target=\"_blank\">Center for Resilient Infrastructures, Systems, and Processes<\/a>, Bagchi has worked with the U.S. 
Department of Defense, Northrop Grumman Corp., Intel Corp., Adobe Inc., Google LLC and IBM Corp. on adopting solutions from his research. Bagchi\u2019s work has revealed the advantages of establishing an automatic response to attacks and has led to key innovations against ransomware threats, such as more effective ways to&nbsp;<a href=\"https:\/\/dl.acm.org\/doi\/10.1016\/j.cose.2017.12.012\" rel=\"noreferrer noopener\" target=\"_blank\">make decisions about backing up data<\/a>.<\/p>\n\n\n\n<p>There\u2019s a compelling reason why incentivizing good security decisions would work, Bagchi said. He and his team designed the algorithm based on findings from the field of behavioral economics, which studies how people make decisions with money.<\/p>\n\n\n\n<p>\u201cBefore our work, not much computer security research had been done on how behaviors and biases affect the best defense mechanisms in a system. That\u2019s partly because humans are terrible at evaluating risk and an algorithm doesn\u2019t have any human biases,\u201d Bagchi said. \u201cBut for any system of reasonable complexity, decisions about security investments are almost always made with humans in the loop. For our algorithm, we explicitly consider the fact that different participants in an infrastructure system have different biases.\u201d<\/p>\n\n\n\n<p>To develop the algorithm, Bagchi\u2019s team started by playing a game. They ran a series of experiments analyzing how groups of students chose to protect fake assets with fake investments. As in past studies in behavioral economics, they found that most study participants guessed poorly which assets were the most valuable and should be protected from security attacks. 
Most study participants also tended to spread out their investments instead of allocating them to one asset even when they were told which asset is the most vulnerable to an attack.<\/p>\n\n\n\n<p>Using these findings, the researchers designed an algorithm that could work two ways: Either security decision makers pay a tax or fine when they make decisions that are less than optimal for the overall security of the system, or security decision makers receive a payment for investing in the optimal manner.<\/p>\n\n\n\n<p>\u201cRight now, fines are levied as a reactive measure if there is a security incident. Fines or taxes don\u2019t have any relationship to the security investments or data of the different operators in critical infrastructure,\u201d Bagchi said.<\/p>\n\n\n\n<p>In the researchers\u2019 simulations of real-world infrastructure systems, the algorithm successfully minimized the likelihood of losing assets to an attack that would decrease the overall security of the infrastructure system.<\/p>\n\n\n\n<p>Bagchi\u2019s research group is working to make the algorithm more scalable and able to adapt to an attacker who may make multiple attempts to hack into a system. The researchers\u2019 work on the algorithm is funded by the National Science Foundation, the Wabash Heartland Innovation Network and the Army Research Lab.&nbsp;<\/p>\n\n\n\n<p>Cybersecurity is an area of focus through Purdue\u2019s&nbsp;<a href=\"https:\/\/www.purdue.edu\/newsroom\/releases\/2021\/Q2\/purdue-launches-next-moves-initiatives.html\" rel=\"noreferrer noopener\" target=\"_blank\">Next Moves<\/a>, a set of initiatives that works to address some of the greatest technology challenges facing the U.S. 
Purdue\u2019s cybersecurity experts&nbsp;<a href=\"https:\/\/www.purdue.edu\/newsroom\/releases\/2022\/Q2\/purdue-cybersecurity-experts-coached-guardians-of-ukrainian-critical-infrastructure.html\" rel=\"noreferrer noopener\" target=\"_blank\">offer insights and assistance<\/a>&nbsp;to improve the protection of power plants, electrical grids and other critical infrastructure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>About Purdue University<\/strong><\/h2>\n\n\n\n<p>Purdue University is a top public research institution developing practical solutions to today\u2019s toughest challenges. Ranked in each of the last five years as one of the 10 Most Innovative universities in the United States by U.S. News &amp; World Report, Purdue delivers world-changing research and out-of-this-world discovery. Committed to hands-on and online, real-world learning, Purdue offers a transformative education to all. Committed to affordability and accessibility, Purdue has frozen tuition and most fees at 2012-13 levels, enabling more students than ever to graduate debt-free. 
See how Purdue never stops in the persistent pursuit of the next giant leap at&nbsp;<a href=\"https:\/\/stories.purdue.edu\/\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/stories.purdue.edu<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<p>TASHAROK: Using Mechanism Design for Enhancing Security Resource Allocation in Interdependent Systems<\/p>\n\n\n\n<p>DOI:&nbsp;<a href=\"https:\/\/www.computer.org\/csdl\/proceedings-article\/sp\/2022\/131600b535\/1FlQIzjpUgU\" rel=\"noreferrer noopener\" target=\"_blank\">10.1109\/SP46214.2022.00106<\/a><\/p>\n\n\n\n<p>The abstract and author list are available online.\u00a0<\/p>\n\n\n<div id=\"note\" class=\"post-content__attribution \">\n    <div class=\"columns\"> \n                    <div class=\"column\"> \n                <p class=\"post-content__source\">\n                    <strong>Writer, media contact:<\/strong>\u00a0Kayla Wiles, 765-494-2432,\u00a0<a href=\"mailto:wiles5@purdue.edu\">wiles5@purdue.edu<\/a><br><strong>Source:<\/strong>\u00a0Saurabh Bagchi,\u00a0<a href=\"mailto:sbagchi@purdue.edu\">sbagchi@purdue.edu<\/a>                <\/p>\n            <\/div>\n                            <div class=\"column is-narrow\">                 \n                <div class=\"post-content__editor-note\">\n                    <p class=\"post-content__editor-note--header\">Note to journalists:<\/p>\n                    <p>    \n                        A high-resolution\u00a0<a href=\"https:\/\/drive.google.com\/file\/d\/1sFQtyUx-80Rqy7JCrzm4kNzStQvmO4vN\/view?usp=sharing\" target=\"_blank\" rel=\"noreferrer noopener\">photo of Saurabh Bagchi<\/a>\u00a0and\u00a0<a href=\"https:\/\/drive.google.com\/drive\/folders\/1ei7vIyN2yZEWYqrfCQCU7VHcz2vAwy2J\" target=\"_blank\" rel=\"noreferrer noopener\">b-roll of Purdue University\u2019s campus<\/a>\u00a0are available via Google Drive.                    
<\/p>\n                <\/div>\n            <\/div>\n            <\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>WEST LAFAYETTE, Ind. &mdash; Millions of people\u00a0could suddenly lose electricity if a ransomware attack just slightly tweaked energy flow onto the U.S. power grid.\u00a0 No single power utility company has enough resources to protect the entire grid, but maybe all&nbsp;3,000<\/p>\n","protected":false},"author":2,"featured_media":5691,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[54,7],"tags":[],"department":[31,58],"source":[29],"purdue_today_topic":[66],"coauthors":[64],"class_list":["post-5690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","category-research-excellence","department-engineering","department-purdue-moves","source-purdue-news","purdue_today_topic-research"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/posts\/5690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/comments?post=5690"}],"version-history":[{"count":1,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/posts\/5690\/revisions"}],"predecessor-version":[{"id":5692,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/posts\/5690\/revisions\/5692"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/media\/5691"}],"wp:attachment":[{"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/media?parent=5690"}],"wp:term":[{"taxonomy":"category","emb
eddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/categories?post=5690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/tags?post=5690"},{"taxonomy":"department","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/department?post=5690"},{"taxonomy":"source","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/source?post=5690"},{"taxonomy":"purdue_today_topic","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/purdue_today_topic?post=5690"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.purdue.edu\/newsroom\/wp-json\/wp\/v2\/coauthors?post=5690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}