
Multiple cyber-attacks against critical infrastructure (1/2)

Over the years, the operation of the electrical network has been transformed. Although electricity still flows through the cables, a new component has recently been added that makes the paradigm more complex: data and its transmission. The electrical network must now deal with an unprecedented number of devices generating and sharing data through it. This makes the Electrical Power and Energy System (EPES) an infrastructure vulnerable to cyber-attacks. Thus, one of the main objectives of the SDN-µSENSE project was to design and demonstrate the robustness of the new resilient, multi-layered, SDN-enabled microgrid architecture to tackle these vulnerabilities.

To this end, six large-scale pilots across Europe were designed to test the technology. This blog post focuses on Pilot 4, which tackled coordinated cyber-attacks from multiple external sources targeting different components of the EPES infrastructure. Its main purpose was to validate the different SDN-µSENSE components and to guarantee that the system provides the necessary prevention and detection measures to handle cyber-attacks.

This pilot was composed of five partners from all over Spain, forming five different scenarios. The main goal of this post is to provide a brief introduction to the basics of every scenario.

Scenario 1

This scenario tackled an identity fraud attack against the substation SCADA and an IED. Since the whole scenario starts with a threat, it is important to understand how the hacker operates. The hacker remotely enters the substation and directs a cyber-attack against one of the IEDs, which controls the circuit breaker of one line. The main objective of the hacker is to take the place of the real IED, by means of a DoS attack, and send fake information to the SCADA. Once this is achieved, the hacker takes control of the IED to operate the circuit breaker it controls, a situation that would eventually cause a blackout downstream. This attack was performed in Tecnalia's Smart Grid Cybersecurity Lab, more specifically in a primary substation involving two input lines with two transformers and two output lines.

Once the intention and method of the hacker are known, it is time to look at the tools dedicated to addressing the cyber-attack. This scenario tests several components of the SDN platform: the SBT-Aware, XL-SIEM, the IEC 61850 Honeypot and ARIEC.

Taking a closer look at the tools and how they operate, the SBT-Aware is an intrusion detection system based on the information extracted from substation configuration files. This tool watches for the hacker's attempts to commit fraud by comparing against the real operation of the IED. The XL-SIEM, based in ATOS premises, is a tool that receives the events from the SBT-Aware, generates security alarms and sends them to the Local ARIEC, which stores and shares incident information with other stakeholders. The scenario also validates the use of the SBT-Aware and the IEC 61850 Honeypot in detecting hidden activity of a hacker in the substation.
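To illustrate the idea of an intrusion detection check driven by substation configuration files, here is an added example (not SBT-Aware code and not from the project). It assumes the configuration is an IEC 61850 SCL file and that the monitored traffic is GOOSE; the IED name, control block name, MAC addresses and frame fields are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed SCL fragment (hypothetical IED and control block names).
SCL_SAMPLE = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
 <Communication><SubNetwork name="StationBus">
  <ConnectedAP iedName="IED_CB1" apName="AP1">
   <GSE ldInst="LD0" cbName="gcbTrip"><Address>
     <P type="MAC-Address">01-0C-CD-01-00-01</P>
     <P type="APPID">0001</P>
   </Address></GSE>
  </ConnectedAP>
 </SubNetwork></Communication>
</SCL>"""

def expected_goose(scl_text):
    """Map gocbRef -> (destination multicast MAC, APPID) declared in the SCL."""
    table = {}
    for ap in ET.fromstring(scl_text).iterfind(".//scl:ConnectedAP", NS):
        for gse in ap.iterfind("scl:GSE", NS):
            p = {e.get("type"): e.text.strip() for e in gse.iterfind("scl:Address/scl:P", NS)}
            ref = f"{ap.get('iedName')}{gse.get('ldInst')}/LLN0$GO${gse.get('cbName')}"
            table[ref] = (p["MAC-Address"].replace("-", ":").lower(), int(p["APPID"], 16))
    return table

def check_frames(frames, table):
    """Return (frame index, reason) alerts for frames that contradict the SCL."""
    alerts, publisher = [], {}
    for i, f in enumerate(frames):
        exp = table.get(f["gocbRef"])
        if exp is None:
            alerts.append((i, "control block not in SCL"))
        elif (f["dst"].lower(), f["appid"]) != exp:
            alerts.append((i, "dst MAC/APPID differs from SCL"))
        elif publisher.setdefault(f["gocbRef"], f["src"]) != f["src"]:
            alerts.append((i, "second source MAC publishing this control block"))
    return alerts

# Constructed observations: fields as a GOOSE dissector would expose them.
FRAMES = [
    {"src": "00:11:22:aa:00:01", "dst": "01:0c:cd:01:00:01", "appid": 1, "gocbRef": "IED_CB1LD0/LLN0$GO$gcbTrip"},
    {"src": "00:11:22:aa:00:99", "dst": "01:0c:cd:01:00:01", "appid": 1, "gocbRef": "IED_CB1LD0/LLN0$GO$gcbTrip"},
    {"src": "00:11:22:aa:00:01", "dst": "01:0c:cd:01:00:01", "appid": 1, "gocbRef": "IED_X9LD0/LLN0$GO$gcb"},
]

if __name__ == "__main__":
    for idx, reason in check_frames(FRAMES, expected_goose(SCL_SAMPLE)):
        print(idx, reason)
```

SCL declares the destination multicast address and APPID of each control block but not the publisher's source MAC, so the source check here learns the first publisher seen; a deployment would seed it from an asset inventory instead.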

Scenario 3

This scenario validated islanding mechanisms, considering the inclusion of DER in the grid, and the emergency restoration of power supply during an islanding situation in a microgrid. It was carried out in IREC's laboratory, emulating ANELL's electricity grid.

The tools of the SDN-µSENSE platform that participated in this scenario were OTSC EMO, IIM components, S-RAF and AIDB.

The scenario starts when the S-RAF detects a vulnerability and sends an alert indicating that a substation connected to the microgrid is at high risk. This incident message is received by IIM Components, which is in charge of computing a new electric scenario including islands to increase the grid's resilience, and it triggers two actions by this tool. First, it requests the grid model and the latest status of the grid from AIDB, a component of the SDN-µSENSE system that maintains an updated inventory of all the infrastructure data and their status. Second, IIM Components starts the calculation of a new islanding scheme. These islanding schemes are then displayed on the IIM dashboard and must be approved by the system operator before being applied to the system. The test ends when the islanding schemes are applied to IREC's laboratory and the microgrid starts working in islanding mode.

Once the island is created, the OTSC-EMO oversees the energy balance on the islands by sending setpoints to the controllable elements to balance the microgrid. Specifically, on the laboratory microgrid node in this case, these setpoints are expected to order curtailment of the PV generation when consumption is low. The execution of this tool can take approximately one week, during which the tool monitors the electric grid and sends the limits to the solar generation and other controllable devices to maintain the energy balance on every island created in the scenario.

Lluís Cànaves Navarro