An award-winning project has expanded the toolbox that helps utilities and manufacturers prevent cybersecurity attacks from affecting the U.S. electric grid. In 2019, the U.S. Dept. of Energy (DOE) Solar Energy Technologies Office (SETO), in collaboration with other DOE program offices, invested $4.5 million for the development of a first-of-its-kind software tool. The software identifies cybersecurity vulnerabilities in the firmware of devices like solar inverters or controllers and improves the defense of these devices and the electric system.
The Annotated Translated Disassembled Code (@DisCo) software, which can be downloaded online at no cost, allows utilities and equipment manufacturers to automatically detect changes in firmware and find threats. The @DisCo software analyzes the detected changes to determine whether they expose vulnerabilities that can be exploited by a cyber or ransomware attack. First, it uses a powerful machine-learning capability that compares the different versions of the firmware, each with hundreds of thousands of lines of source code, to detect any inconsistencies; then, it organizes the information using a standardized language for threat structure as well as an intuitive graph-based visualization. Analyzing firmware manually can take months to years, with potentially thousands of different types of inverters or controllers in one utility’s system. With @DisCo, vulnerability discovery through code analysis and threat mitigation take only hours to days.
Once the utility and manufacturer are aware of a possible vulnerability, they can take preventive action to minimize impact to the power system or other critical infrastructures. Utilities and manufacturers can also use the software to share the vulnerability information easily and securely with other partners.
SETO, in partnership with other DOE offices including the Office of Cybersecurity, Energy Security and Emergency Response, funded the @DisCo project through the Grid Modernization Lab Call Fiscal Year 2019-2021. Idaho National Laboratory developed the software. Argonne National Laboratory, National Renewable Energy Laboratory and Sandia National Laboratories tested it for different technologies and applications. In addition to the national labs, many project partners including universities, utilities and equipment manufacturers contributed to its development and implementation.
“The @DisCo project marks the first time solar technologies and other distributed energy resources have access to a tool of this kind, providing context to binary components with visualizations of code,” said Rita Foster, principal investigator for the @DisCo project at Idaho National Laboratory. “The @DisCo software helps further protect the U.S. electric grid against bad actors and bolster grid security.”
The innovation and functionality of the software tool earned @DisCo a 2023 R&D World Award in the software and services category. The R&D 100 Awards is a renowned worldwide science and innovation competition with winners from all over the globe.
News item from SETO