Globalisation is in decline, and Europe is not alone in its exposure to cyber threats from malicious actors seeking either to profit financially from cyberattacks, or to weaken public support for opposition to rogue states that undermine international law and human rights. Cyber threats include ransomware, data leaks and denial-of-service attacks. For electrical power and energy systems (EPES), cyber attacks threaten power outages and physical damage to key infrastructure. Cyber attacks further threaten escalation to a full-blown declaration of war and all that that entails.
Increasingly, adversaries seek to evade detection by avoiding the need to install malware, e.g. by exploiting legitimate credentials and built-in tools. This underlines the case for a robust cyber security strategy. The UK’s National Cyber Security Centre, for instance, recommends ten steps for improved cyber security and risk management (2021):
- Risk management: take a risk-based approach to securing your data and systems.
- Engagement and training: collaboratively build security that works for people in your organisation.
- Asset management: know what data and systems you have, and what business need they support.
- Architecture and configuration: design, build, maintain and manage systems securely.
- Vulnerability management: keep your systems protected throughout their lifecycle.
- Identity and access management: control who and what can access your systems and data.
- Data security: protect data where it is vulnerable.
- Logging and monitoring: design your systems to be able to detect and investigate incidents.
- Incident management: plan your response to cyber incidents in advance.
- Supply chain security: collaborate with your suppliers and partners.
The SDN-microSENSE project has demonstrated robust, resilient, distributed cyber-defence capabilities, including the use of software defined networks (SDN) for self-healing, isolation and integration of honeypots to minimise disruptions. Many of the techniques are applicable to other sectors. This blog post attempts to summarise these techniques at a high level, their realisation in the project’s pilots, and some suggestions for other sectors.
Strong security is based upon threat modelling, real-time monitoring for anomalous behaviour, threat assessment, and speedy decisions on countermeasures for mitigation. A key component is the use of software defined networking (SDN) as a basis for increased resilience, including isolating malicious network traffic and redirecting it to honeypots as a means of surveilling the attacker. A combination of machine learning and rule-based policies allows for detection and mitigation.
The SDN-microSENSE architecture features three layers: intrusion detection and correlation, dynamic risk assessment, and self-healing. The first layer is responsible for detecting and correlating security events. The second layer re-evaluates the severity of each smart grid asset dynamically. Finally, the third layer executes mitigation actions, ensuring the normal operation of electrical power and energy systems. All layers of the SDN-microSENSE architecture communicate with the SDN controller, either for detecting or for mitigating potential threats.
The pilots have demonstrated the effectiveness of these approaches in respect to:
- Investigation of versatile cyber attack scenarios and methodologies against EPES. This included attacks on the communication between supervisory control and data acquisition (SCADA) systems and applications, attacks on substation bus communication, and attacks related to process bus communication. Attacks were detected with the security information and event management (SIEM) system, and countermeasures and healing procedures were implemented.
- Massive false data injection cyber attacks against state operation and automatic generation control. This included data injection and man-in-the-middle attacks against high and low voltage transmission systems, with machine learning-based detection monitoring Modbus TCP/IP communications.
- Mitigation actions including islanding and grid restoration. Islanding is a means to isolate part of the EPES infrastructure from the rest of the grid. On detecting a cyber attack or significant failure, an islanding scheme is calculated, along with an updated grid model for the load/supply balance and recommended actions to restore grid stability.
- Identity fraud, denial-of-service and command attacks, validation of islanding mechanisms, attacks on photovoltaic plant inverters, and mitigation through reconfiguration. This pilot featured honeypots for collecting information and forwarding it to the SIEM. It covered detection of traffic from unrecognised IP addresses, detection of unauthorised activities, detection of denial-of-service attacks, detection of operations involving ARP spoofing, and monitoring of the use of the IEC 104 protocol.
- Distribution grid restoration in real-world photovoltaic microgrids, including detection and mitigation of denial-of-service attacks on Modbus and man-in-the-middle attacks (e.g. ARP poisoning), along with photovoltaic park isolation and energy balancing against distributed denial-of-service attacks. This pilot featured the machine learning Modbus traffic detector.
- Realising private and efficient energy trading among photovoltaic prosumers. This pilot addresses data privacy breaches against smart metering infrastructure, along with handling attacks on a blockchain-based framework for energy trading transactions.
These approaches to cyber threats are also relevant to the Internet of Things and to cyber-physical control systems. The exact details may vary, but the general principles remain the same. This is also true for public-facing and enterprise-internal websites. Strong cyber security isn’t cheap, and requires continuous attention as malicious actors adapt to evade defences. We will all benefit by pooling resources and threat and mitigation intelligence as we seek to outwit would-be attackers.
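The pilots above rely on monitoring Modbus TCP/IP traffic for unrecognised sources, unauthorised write commands and denial-of-service floods. The following is an added illustration, not code from the SDN-microSENSE project: a small rule-based Modbus/TCP monitor that parses the MBAP header and applies the kind of allow-list, write-control and rate checks such a detector would feed into a SIEM. The master address, thresholds and sample frames are all constructed for the example.

```python
import struct
from collections import defaultdict, deque

WRITE_FCS = {5, 6, 15, 16}           # Modbus write function codes (coils/registers)
ALLOWED_MASTERS = {"10.0.0.10"}      # assumed SCADA master allow-list (constructed)
RATE_LIMIT, WINDOW = 5, 1.0          # more than 5 requests per second per host = flood


def parse_mbap(data):
    """Parse the 7-byte MBAP header plus function code; raise on malformed input."""
    if len(data) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", data[:8])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(data) - 6:           # length counts unit id + PDU
        raise ValueError("length field %d does not match frame" % length)
    return {"tid": tid, "unit": unit, "fc": fc, "payload": data[8:]}


class ModbusMonitor:
    """Stateful rule-based detector: source allow-list, write control, rate check."""

    def __init__(self):
        self.history = defaultdict(deque)   # src_ip -> recent request timestamps

    def inspect(self, src_ip, ts, data):
        """Return a list of alert strings for one request frame (empty if benign)."""
        try:
            frame = parse_mbap(data)
        except ValueError as err:
            return ["malformed frame from %s: %s" % (src_ip, err)]
        alerts = []
        if src_ip not in ALLOWED_MASTERS:
            alerts.append("unrecognised source %s" % src_ip)
            if frame["fc"] in WRITE_FCS:
                alerts.append("unauthorised write fc=%d unit=%d" % (frame["fc"], frame["unit"]))
        recent = self.history[src_ip]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW:   # slide the window forward
            recent.popleft()
        if len(recent) > RATE_LIMIT:
            alerts.append("request flood from %s" % src_ip)
        return alerts


# Constructed sample traffic: (src_ip, timestamp, raw Modbus/TCP request frame)
READ_REGS = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)        # FC3: read 10 registers
WRITE_REG = struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 40, 0xFFFF)   # FC6: write register 40
SAMPLE = [("10.0.0.10", 0.0, READ_REGS), ("10.0.0.99", 0.1, WRITE_REG)]
SAMPLE += [("10.0.0.99", 0.2 + i * 0.05, READ_REGS) for i in range(6)]


def run_sample():
    """Run one monitor over SAMPLE; returns the alert list for each frame in order."""
    mon = ModbusMonitor()
    return [mon.inspect(src, ts, raw) for src, ts, raw in SAMPLE]
```

A production detector would additionally baseline per-unit register ranges and polling cadence, which is where the pilots' machine learning component sits.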
W3C/ERCIM is proud to have been part of the SDN-microSENSE project. ERCIM is the European Research Consortium for Informatics and Mathematics, and the European host for the World Wide Web Consortium. We aim to foster collaborative work within the European research community and to increase co-operation with European industry. ERCIM includes leading European research institutes: CNR, CWI, FNR, FORTH-ICS, Fraunhofer, INESC, INRIA, ISI, NTNU, RISE, SBA Research, SIMULA, UCY, UWAW and VTT.