
* [email protected]

CYBER SECURITY TRENDS FOR FUTURE SMART GRID SYSTEMS

Y. Illuz*, G. Wainblat, S. Barda
ECI Telecom, Israel

SUMMARY - Current power grids are increasingly evolving into smart, networked grids that are more accessible from the public internet, which exposes the grid to new cyber threats. More computer-based systems are being introduced into power networks in order to monitor and control them. Future smart grid and micro grid systems will rely on data flows that communicate system status, usage and control throughout the network infrastructure, in addition to the power flow. This creates new security threats to the power grid. Instead of relying mainly on power plants for power generation, there will be a combination of multiple generation sources and, at the same time, wider use of computer-based electrical equipment by consumers. Both increase the amount of data flowing in the network and introduce additional vulnerable points. The vulnerability of the power grid to cyber-attacks increases further because of the wide use of SCADA networks. SCADA networks are more accessible from the internet and lack authentication and authorization mechanisms, and therefore expose the grid to threats such as DDoS, data interception, data alteration and other hacking threats. The transition from the present to the future model has already begun and is growing rapidly, while it already poses new security challenges that must be addressed immediately. It is essential to introduce without delay a single comprehensive security solution that provides fast detection and prevention tools to cope with a variety of threats of different natures and from multiple sources. The solution should not be tightly coupled with each device in the network, so that it does not require upgrading the devices inside the grid.

The cyber defense solution should be versatile, combining a variety of cyber technologies such as firewalls, anomaly detection, Big Data analytics, machine learning and more in a network-wide combination.

KEYWORDS - Cyber Security, Smart Grid, DDOS, Big Data

XVI ERIAC - Decimosexto Encuentro Regional Iberoamericano de CIGRÉ (Sixteenth Ibero-American Regional Meeting of CIGRÉ)

Study Committee D2 - Information Systems and Telecommunications for Power Systems

D2-05

Puerto Iguazú, Argentina, 17 to 21 May 2015


Smart Grid and IoT

Smart Grid technologies will allow utility operators to have greatly improved situational awareness about grid operations. These systems will improve the resiliency and reliability of the grid, as power can be quickly rerouted around damaged components, and as utilities can more quickly detect and repair affected portions of the grid.

Smart Grid technologies will also allow for the connection of many appliances, systems and tools that previously remained unconnected to the grid [1].

Smart Grid customers are part of the Internet of Things - the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.

The growth in IoT will far exceed that of other connected devices, resulting in a population of about 26 billion units by 2020 [2].

With these innovations come significant security challenges, as these devices represent a new attack vector for malware or other disruptions. Securing these components will be vital to the health and success of widespread smart grid adoption and the use of connected smart appliances.

As new renewable energy sources (e.g. wind, solar and hydropower) become widely available in addition to traditional ones (e.g. nuclear energy and fossil energy - like oil, coal and natural gas) [3], smart grid management and security will become crucially important.

However, IoT is not only about the billions of new connected objects and inspecting the staggering amount of data they produce. While the dramatic increase in the number and types of connected objects certainly expands the attack surface and dramatically increases the diversity of threats, they are only part of the IoT security challenge. Another new challenge is the convergence of the organization's existing IT network with the Operational Technology (OT) network (e.g. manufacturing floors, energy grids, transportation systems, and other industrial control systems) [4].

Cyber Threats

In general, many types of threats populate the cyber threat landscape of recent years: Information Warfare, Cyber Espionage, Cyber Crime, Cracking, Hacktivism and Cyber Terror [5].

Protecting the national electricity grid from cyber-attacks is a critical national security issue. The evidence collected suggests that cyber-attacks on key energy infrastructure - and on the electricity system in particular - are increasing, both in frequency and sophistication. These trends are alarming because the potential consequences of a successful large-scale cyber-attack - or a combined cyber and physical attack - on the electric power sector are difficult to overstate.

As previous grid failures have shown, any event that causes prolonged power outages over a large area would not only be extremely costly; it would wreak havoc on millions of people's daily lives and could profoundly disrupt the delivery of essential services, including communications, food, water, health care, and emergency response. Moreover, cyber threats, unlike traditional threats to electric grid reliability such as extreme weather, are less predictable in their timing and more difficult to anticipate and address. A cyber-attack could come from many sources and - given the size and complexity of the nation-wide electric grid - could target many potential vulnerabilities. For this reason, experts agree that the risk of a successful attack is significant, and that the system and its operators must be prepared to contain and minimize the consequences [6].

A substantial amount of data flows within Smart Grid networks, used to connect the distributed energy sources and multiple consumers in a smart, balanced and controlled way. This information flow is sometimes accessible from public networks (e.g. the Internet), hence exposing the Smart Grid network to potential multi-layered cyber-attacks. Many types of attacks combine several attack vectors against the target network.


Figure [1] - Percentage of critical infrastructure enterprise executives reporting large-scale DDoS attacks and their frequency [7]

Cyber Security Protection Approach

The right approach to providing a proper Cyber Security solution is to define a holistic, intuitive and customized approach that keeps the network safe against multi-layer cyber-attacks, including zero-day attacks.

Multi-layered approach - in order to provide comprehensive and coherent protection, one must design and put in place defense mechanisms through layers 1 to 7 of the OSI model [8], adding layer 8 as the user's layer. The following figure depicts the conceptual multi-layered approach for Smart Grid protection.

Figure [2] – Graphical representation of holistic Cyber Security approach for Smart Grid networks

DDoS Protection - A real-time, behavior-based attack mitigation device that protects the organization's infrastructure against network and application downtime. An appropriate solution must provide distributed denial of service (DDoS) mitigation and SSL-based protection to fully protect applications and networks against known and emerging network security threats such as denial of service attacks, DDoS attacks, Internet pipe saturation, attacks on login pages, attacks behind CDNs, and SSL-based flood attacks.


Network Anomaly Detection - Profiles the normal behavior of the network and detects the subtle behavioral deviations that could represent suspicious activity. This technology doesn't require user-defined inputs (e.g. custom rules). As input, it receives mirrored traffic as well as DPI results from other IDS engines, and produces session-based information indicating the presence of malicious agents.

Figure [3] – Graphical representation of Network Anomaly Detection
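As an added illustration of the profiling described above (not code from the paper or from ECI Telecom), the following Python sketch learns each master/outstation pair's polling cadence and function codes from a constructed learning window, then raises alerts on deviations without any user-defined rules. All addresses, function codes and timings are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning window (not from the paper): session summaries
# (seconds, master, outstation, function code) for two steady polling loops.
BASELINE = ([(t, "10.0.1.5", "10.0.2.10", 3) for t in range(0, 600, 10)]
            + [(t, "10.0.1.5", "10.0.2.11", 4) for t in range(5, 600, 10)])

def learn_profile(records):
    """Per (master, outstation) pair: function codes seen and poll-interval statistics."""
    by_pair = defaultdict(list)
    for t, src, dst, fc in sorted(records):
        by_pair[(src, dst)].append((t, fc))
    profile = {}
    for pair, events in by_pair.items():
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        profile[pair] = {"codes": {fc for _, fc in events},
                         "mean_gap": mean(gaps) if gaps else 0.0,
                         "std_gap": pstdev(gaps) if len(gaps) > 1 else 0.0}
    return profile

def detect(profile, records, k=3.0, min_tolerance=1.0):
    """Alert on pairs, function codes or polling cadences absent from the baseline.
    A cadence is anomalous when it is more than k standard deviations (at least
    min_tolerance seconds) away from the learned mean interval."""
    alerts, last_seen = [], {}
    for t, src, dst, fc in sorted(records):
        pair = (src, dst)
        if pair not in profile:
            alerts.append((t, pair, "unknown master/outstation pair"))
            continue
        prof = profile[pair]
        if fc not in prof["codes"]:
            alerts.append((t, pair, "new function code %d" % fc))
        if pair in last_seen:
            gap = t - last_seen[pair]
            if abs(gap - prof["mean_gap"]) > max(k * prof["std_gap"], min_tolerance):
                alerts.append((t, pair, "poll interval %.1fs deviates from %.1fs"
                               % (gap, prof["mean_gap"])))
        last_seen[pair] = t
    return alerts

# Constructed observation window: one cadence break, one unexpected write, one stranger.
OBSERVED = [(600, "10.0.1.5", "10.0.2.10", 3), (610, "10.0.1.5", "10.0.2.10", 3),
            (611, "10.0.1.5", "10.0.2.10", 3), (612, "10.0.1.5", "10.0.2.10", 16),
            (620, "192.0.2.99", "10.0.2.10", 3)]

def run():
    return detect(learn_profile(BASELINE), OBSERVED)
```

In a deployment the baseline would be relearned periodically, since a legitimate configuration change on the master would otherwise be reported forever.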

Big Data - Centralized mechanism for the aggregation, normalization, correlation and prioritization of alarms collected from distributed Cyber cards and managed devices.

The Cyber Management System logging module should maintain all historical occurrences of alarms/events and be able to export them, stored for UI purposes.

An alarm collection mechanism covering all managed devices is useless unless the collected information is synchronized into a single view describing the security breach.

Data Analytics - Sophisticated logical analysis of cross-data patterns to identify breaches and threats based on multi-product and multi-layer information logic:

- Logs/database collection from any Network Element into a data lake
- A set of heuristics/algorithms to identify security attacks
- Tools for cross-reference identification based on a variety of data

Figure [4] – Graphical representation of Big Data Analytics
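An added example (not from the paper or from ECI Telecom) of the alarm pipeline described under Big Data and Data Analytics above: alarms exported in three constructed device schemas are normalized onto one common record, folded into incidents by shared source address within a time window, and ranked so that the single view lists the most serious breach first. Device names, addresses and field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed raw alarms (not from the paper); each device exports its own schema.
RAW_ALARMS = [
    {"dev": "ddos-1", "time": "2015-05-18T10:00:05", "attacker": "198.51.100.7",
     "target": "10.0.1.5", "level": "high", "msg": "SYN flood"},
    {"device_id": "ids-2", "ts": "2015-05-18 10:00:20", "src": "198.51.100.7",
     "dst": "10.0.2.10", "sev": 3, "signature": "Modbus write to unknown register"},
    {"device_id": "ids-2", "ts": "2015-05-18 10:00:25", "src": "203.0.113.4",
     "dst": "10.0.2.11", "sev": 1, "signature": "DNP3 malformed frame"},
    {"dev": "scada-fw-3", "time": "2015-05-18T10:01:00", "attacker": "198.51.100.7",
     "target": "10.0.2.10", "level": "medium", "msg": "function code not permitted"},
]
LEVELS = {"low": 1, "medium": 2, "high": 3}

def normalise(raw):
    """Map a device-specific alarm onto the common schema used by the data lake."""
    if "dev" in raw:  # DDoS mitigation device and SCADA firewall format
        return {"ts": datetime.fromisoformat(raw["time"]), "device": raw["dev"],
                "src": raw["attacker"], "dst": raw["target"],
                "sev": LEVELS[raw["level"]], "text": raw["msg"]}
    return {"ts": datetime.strptime(raw["ts"], "%Y-%m-%d %H:%M:%S"),
            "device": raw["device_id"], "src": raw["src"], "dst": raw["dst"],
            "sev": raw["sev"], "text": raw["signature"]}

def correlate(alarms, window=timedelta(minutes=5)):
    """Fold alarms that share a source address within `window` into one incident,
    then rank incidents: worst severity, boosted when independent devices agree."""
    incidents = []
    for alarm in sorted(alarms, key=lambda a: a["ts"]):
        for inc in incidents:
            if inc["src"] == alarm["src"] and alarm["ts"] - inc["last"] <= window:
                inc["alarms"].append(alarm)
                inc["last"] = alarm["ts"]
                inc["devices"].add(alarm["device"])
                inc["targets"].add(alarm["dst"])
                break
        else:
            incidents.append({"src": alarm["src"], "first": alarm["ts"],
                              "last": alarm["ts"], "alarms": [alarm],
                              "devices": {alarm["device"]}, "targets": {alarm["dst"]}})
    for inc in incidents:
        inc["priority"] = max(a["sev"] for a in inc["alarms"]) + len(inc["devices"]) - 1
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)

def build_view(raw_alarms=RAW_ALARMS):
    """Single view of the breach: normalised, correlated and prioritised incidents."""
    return correlate([normalise(r) for r in raw_alarms])
```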

Machine Learning - Use of such techniques on known breaches to provide future-proof security protection (e.g. against zero-day attacks) and anomalous behavior identification.

Protection from zero-day attacks:

- Develop measuring, preprocessing and learning models which, based on currently known patterns of behavior, produce predictions of future breach patterns.
- After an optimization process, one can load those patterns onto IDS/IPS Cyber engines to provide future-proof protection.


Anomaly behavior identification - Present methods for identifying anomalous behavior in cyber data, alerting when suspicious and possibly malicious activity occurs.

SCADA Protection - in order to keep the utility's OT network out of harm's way, a holistic approach is needed, comprising several technologies: SW/HW unidirectional protection, a firewall (FW) for SCADA protocols and SCADA DPI (Deep Packet Inspection).

1. SW Unidirectional protection - A dual-node approach for securing the network from the outside. The recommended solution uses a two-tier deployment architecture comprising an External Node and an Internal Node.

The role of the external node is to act as a front-end to all published services. This node ensures that only legitimate session data can pass through into the internal network. It operates without opening any ports in the external firewall. The role of the internal node is to pull the session data into the internal network from the external node, scan it using various application-level security techniques, and then pass it on to the destination application server.

2. SCADA DPI - Fast and optimized pattern-matching mechanism: stateful-aware, per-packet deep inspection; quickly identifies the presence of common signatures within the packet; matches against signatures based on a set of rules; can load any rule/signature at run time without affecting traffic; dynamically updated signatures; focused on MODBUS, DNP3, BACnet and additional SCADA protocols.

The analysis process is composed of two levels:

Level 1: Quickly filters out the vast majority of traffic which is clearly harmless (looking for simple signatures at a low CPU cost). Traffic marked as suspicious (a common attack signature was found) is forwarded for additional analysis.

Level 2: Looks deeper into the packet and keeps tracking the connection to increase the level of certainty and reduce false positives.

3. SCADA Unidirectional Firewall - A central Cyber NFV [9] card located at the control center ensures the first line of defense for SCADA protocol handling, such as protocol validation, user and network authentication, and a secure encrypted channel to the other cyber cards located at the edge of the OT network (substations).

Edge Cyber cards located at the substations ensure that only legitimate SCADA traffic destined for the substation passes through: connected through the secure channel to the main cyber card, they retrieve only the related sessions found to be legitimate for processing, and perform a set of additional, rigorous investigation rules (which complement the first set of rules) to validate the sessions completely.

Both engines should include Layer 3, 4 and Layer 7 filtering in addition to granular, stateful content inspection of industrial applications and role-based validation of SCADA flows.
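An added example (not the paper's or ECI Telecom's code) that ties together the two-level SCADA DPI analysis and the role-based validation of SCADA flows described above: a minimal Modbus/TCP parser, a cheap first level that drops malformed frames and passes a known master's plain reads, and a stateful second level that applies a per-master role policy and counts writes per connection. The policy, addresses, register ranges and frames are all assumptions constructed for the example.

```python
import struct

READ_CODES, WRITE_CODES = {1, 2, 3, 4}, {5, 6, 15, 16}
# Constructed role policy (not from the paper): codes each master may use and the
# holding-register range it may write (None = read-only master).
POLICY = {"10.0.1.5": {"codes": READ_CODES | {6, 16}, "write_range": (100, 199)},
          "10.0.1.6": {"codes": READ_CODES, "write_range": None}}

def build_frame(tid, unit, func, data):
    """Build a Modbus/TCP request: MBAP header (tid, proto 0, length, unit) + PDU."""
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, unit, func) + data

def parse_modbus(frame):
    """Return (tid, unit, func, data) or None if the MBAP header is inconsistent."""
    if len(frame) < 8:
        return None
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:  # length covers unit id + PDU
        return None
    return tid, unit, func, frame[8:]

def level1(src, frame):
    """Cheap filter: drop malformed frames, pass a known master's plain reads, else inspect."""
    pdu = parse_modbus(frame)
    if pdu is None:
        return "drop"
    return "clean" if pdu[2] in READ_CODES and src in POLICY else "inspect"

def level2(state, src, frame, max_writes=3):
    """Stateful second level: role policy plus per-connection write count kept in `state`."""
    _, unit, func, data = parse_modbus(frame)
    role = POLICY.get(src)
    if role is None or func not in role["codes"]:
        return "deny: function %d not permitted for %s" % (func, src)
    if func in WRITE_CODES:
        if len(data) < 2:
            return "deny: truncated write request"
        addr = struct.unpack(">H", data[:2])[0]
        lo, hi = role["write_range"] or (0, -1)
        if not lo <= addr <= hi:
            return "deny: write to register %d outside %d-%d" % (addr, lo, hi)
        state[(src, unit)] = state.get((src, unit), 0) + 1
        if state[(src, unit)] > max_writes:
            return "deny: write burst from %s to unit %d" % (src, unit)
    return "allow"

def inspect(state, src, frame):
    """Run both levels in order, as an edge cyber card would for one frame."""
    verdict = level1(src, frame)
    return {"clean": "allow", "drop": "drop"}.get(verdict) or level2(state, src, frame)
```

The write counter is a deliberately simple stand-in for the connection tracking the paper describes; a production engine would age counters out and also validate response frames.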

BIBLIOGRAPHY

[1] Securing the U.S. Electrical Grid (Center for the Study of the Presidency & Congress, July 2014)

[2] "Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020" (Gartner, December 2013)

[3] Energy.gov

[4] To Succeed with Big Data, Enterprises Must Drop an IT-Centric Mindset; Securing IoT Networks Requires New Thinking (Cisco Blog, October 2014)

[5] Cyber Security Threats, Dr Paul Twomey (The Lowy Institute for International Policy, September 2010)

[6] Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat (Bipartisan Policy Center's Electric Grid Cybersecurity Initiative, February 2014)

[7] Smart Grid - Safe, Secure, Self-Healing (IEEE Power & Energy, January 2012)

[8] ISO/IEC standard 7498-1:1994

[9] Network Functions Virtualization - Introductory White Paper (ETSI, October 2012)