Sangoleye, Fisayo S.; Johnson, Jay; Chavez, Adrian R.; Tsiropoulou, Eirini E.; Marton, Nicholas L.; Hentz, Charles R.; Yannarelli, Albert Y.
Microgrids require reliable communication systems for equipment control, power delivery optimization, and operational visibility. To maintain secure communications, Microgrid Operational Technology (OT) networks must be defensible and cyber-resilient. The communication network must be carefully architected with appropriate cyber-hardening technologies to provide security defenders the data, analytics, and response capabilities to quickly mitigate malicious and accidental cyberattacks. In this work, we outline several best practices and technologies that can support microgrid operations (e.g., intrusion detection and monitoring systems, response tools, etc.). Then we apply these recommendations to the New Jersey TRANSITGRID use case to demonstrate how they would be deployed in practice.
The electric grid has undergone rapid, revolutionary changes in recent years, from the addition of advanced smart technologies to the growing penetration of distributed energy resources (DERs) to increased interconnectivity and communications. However, the added communications, access interfaces, and third-party software that enable autonomous control schemes and interconnectivity also expand the attack surface of the grid. To address the gap in DER cybersecurity, secure the grid edge, and motivate a holistic, defense-in-depth approach, a proactive intrusion detection and mitigation system (PIDMS) device was developed to secure PV smart inverter communications. The PIDMS was developed as a distributed, flexible bump-in-the-wire (BITW) solution for protecting PV smart inverter communications. Both cyber (network traffic) and physical (power system measurement) data are processed using network intrusion monitoring tools and custom machine-learning algorithms for deep packet analysis and cyber-physical event correlation. The PIDMS not only detects abnormal events but also deploys mitigations to limit or eliminate system impact; the PIDMS communicates with peer PIDMSs at different locations using the MQTT protocol for increased situational awareness and alerting. The PIDMS methodology and prototype development are detailed in this report, along with the evaluation results within a cyber-physical emulation environment and subsequent industry feedback.
We present our research findings on the novel NDN protocol. In this work, we defined key attack scenarios for possible exploitation and detail software security testing procedures to evaluate the security of the NDN software. This work was done in the context of distributed energy resources (DER). The software security testing included an execution of unit tests and static code analyses to better understand the software rigor and the security that has been implemented. The results from the penetration testing are presented. Recommendations are discussed to provide additional defense for secure end-to-end NDN communications.
There are now over 2.5 million Distributed Energy Resource (DER) installations connected to the U.S. power system. These installations represent a major portion of American electricity critical infrastructure, and a cyberattack on these assets in aggregate would significantly affect grid operations. Virtualized Operational Technology (OT) equipment has been shown to provide practitioners with situational awareness and a better understanding of adversary tactics, techniques, and procedures (TTPs). Deploying synthetic DER devices as honeypots and canaries would open new avenues of operational defense and threat intelligence gathering, and would empower DER owners and operators with new cyber-defense mechanisms against the growing intensity and sophistication of cyberattacks on OT systems. Well-designed DER canary field deployments would deceive adversaries and provide early-warning notifications of adversary presence and malicious activities on OT networks. In this report, we present progress toward designing a high-fidelity DER honeypot/canary prototype in a late-start Laboratory Directed Research and Development (LDRD) project.
The electric grid is rapidly being modernized with novel technologies, adaptive and automated grid-support functions, and added connectivity with internet-based communications and remote interfaces. These advancements render the grid increasingly 'smart' and cyber-physical, but also broaden the vulnerability landscape and potential for malicious, cascading disturbances. The grid must be properly defended with security mechanisms such as intrusion detection systems (IDSs), but these tools must account for power system behavior as well as network traffic to be effective. In this paper, we present a cyber-physical IDS, the proactive intrusion detection and mitigation system (PIDMS), that analyzes both cyber and physical data streams in parallel, detects intrusion, and deploys proactive response. We demonstrate the PIDMS with an exemplar case study exploring a packet replay attack scenario focused on photovoltaic inverter communications; the scenario is tested with an emulated, cyber-physical grid environment with hardware-in-the-loop inverters.
Recent trends in the growth of distributed energy resources (DER) in the electric grid and newfound malware frameworks that target Internet of Things (IoT) devices are driving an urgent need for more reliable and effective methods of intrusion detection and prevention. Cybersecurity intrusion detection systems (IDSs) are responsible for detecting threats by monitoring and analyzing network data, which can originate either from networking equipment or from end devices. Creating intrusion detection systems for PV/DER networks is a challenging undertaking because of the diversity of attack types and the intermittency and variability of the data. Distinguishing malicious events from other sources of anomalies or system faults is particularly difficult. New approaches are needed that not only sense anomalies in the power system but also determine the causal factors behind the detected events. In this report, a range of IDS approaches is summarized along with their pros and cons. Using this review of IDS approaches and a subsequent gap analysis for application to DER systems, a preliminary hybrid IDS approach to protect PV/DER communications is formed in the conclusion of this report to inform ongoing and future research on the cybersecurity and resilience enhancement of DER systems.
Networked microgrids are clusters of geographically-close, islanded microgrids that can function as a single, aggregate island. This flexibility enables customer-level resilience and reliability improvements during extreme event outages and also reduces utility costs during normal grid operations. To achieve this cohesive operation, microgrid controllers and external connections (including advanced communication protocols, protocol translators, and/or internet connection) are needed. However, these advancements also increase the vulnerability landscape of networked microgrids, and significant consequences could arise during networked operation, increasing cascading impact. To address these issues, this report seeks to understand the unique components, functions, and communications within networked microgrids and what cybersecurity solutions can be implemented and what solutions need to be developed. A literature review of microgrid cybersecurity research is provided and a gap analysis of what is additionally needed for securing networked microgrids is performed. Relevant cyber hygiene and best practices to implement are provided, as well as ideas on how cybersecurity can be integrated into networked microgrid design. Lastly, future directions of networked microgrid cybersecurity R&D are provided to inform next steps.
The penetration of Internet-of-Things (IoT) devices in the electric grid is growing at a rapid pace; from smart meters at residential homes to distributed energy resource (DER) system technologies such as smart inverters, various devices are being integrated into the grid with added connectivity and communications. Furthermore, with these increased capabilities, automated grid-support functions, demand response, and advanced communication-assisted control schemes are being implemented to improve the operation of the grid. These advancements render our power systems increasingly cyber-physical. It is no longer sufficient to only focus on the physical interactions, especially when implementing cybersecurity mechanisms such as intrusion detection systems (IDSs) and mitigation schemes that need to access both cyber and physical data. This new landscape necessitates novel methods and technologies to successfully interact and understand the overall cyber-physical system. Specifically, this paper will investigate the need and definition of cyber-physical observability for the grid.
Reducing the risk of cyber-attacks that affect the confidentiality, integrity, and availability of distributed Photovoltaic (PV) inverters requires the implementation of an Intrusion Detection System (IDS) at the grid edge. Often, IDSs use signature-based or behavior-based analytics to identify potentially harmful anomalies. In this work, the two approaches are deployed and tested on a small, single-board computer; the computer is set up to monitor and detect malevolent traffic between an aggregator and a single PV inverter. The signature-based analysis tool, Snort, detected three of the five attack scenarios. The behavior-based analysis, which used an Adaptive Resonance Theory Artificial Neural Network, successfully identified four of the five attacks. Each approach ran on the single-board computer and decreased the chances of an undetected breach of the PV inverter's control system.
In recent years the use of security gateways (SGs) located within the electrical grid distribution network has become pervasive. SGs in substations and renewable distributed energy resource aggregators (DERAs) protect power distribution control devices from cyber and cyber-physical attacks. When encrypted communications are used within a DER network, TCP/IP packet inspection is restricted to packet header behavioral analysis, which in most cases only allows the SG to perform anomaly detection on blocks of time-series data (event windows). Packet header anomaly detection calculates the probability that a threat is present within an event window, but fails in cases where the unreadable encrypted payload contains the attack content. The SG system log (syslog) is a time-series record of the behavioral patterns of network users and processes accessing and transferring data through the SG network interfaces. Threatening behavioral patterns in the syslog are measurable using both anomaly detection and graph theory. In this paper it is shown that it is possible to efficiently detect the presence of, and classify, a potential threat within an SG syslog using lightweight anomaly detection and graph theory.
Historically, control systems have primarily depended upon their isolation from the Internet and from traditional information technology (IT) networks as a means of maintaining secure operation in the face of potential remote attacks over computer networks. However, these networks are incrementally being upgraded and are becoming more interconnected with external networks so they can be effectively managed and configured remotely. Examples of control systems include the electrical power grid, smart grid networks, microgrid networks, oil and natural gas refineries, water pipelines, and nuclear power plants. Given that these systems are becoming increasingly connected, computer security is an essential requirement as compromises can result in consequences that translate into physical actions and significant economic impacts that threaten public health and safety. Moreover, because the potential consequences are so great and these systems are remotely accessible due to increased interconnectivity, they become attractive targets for adversaries to exploit via computer networks. Several examples of attacks on such systems that have received a significant amount of attention include the Stuxnet attack, the US-Canadian blackout of 2003, the Ukraine blackout in 2015, and attacks that target control system data itself. Improving the cybersecurity of electrical power grids is the focus of our research.
Energy resilience has emerged as a national security priority over the past fifteen years. Recent research efforts have aimed to develop metrics and analysis methods for energy resilience, but most of those efforts have focused on extreme weather and other natural hazards as the threat of interest. This paper introduces a novel set of resilience metrics and exemplifies how they can be applied to analyze resilience for growing concerns about cyber threats. The metrics are formally described with mathematical equations and demonstrated in a case study that evaluates the resilience benefits of a new moving target defense technology.
Proceedings - 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications and 12th IEEE International Conference on Big Data Science and Engineering, Trustcom/BigDataSE 2018
To ensure reliable and predictable service in the electrical grid it is important to gauge the level of trust present within critical components and substations. Although trust throughout a smart grid is temporal and dynamically varies according to measured states, it is possible to accurately formulate communications and service level strategies based on such trust measurements. Utilizing an effective set of machine learning and statistical methods, it is shown that establishment of trust levels between substations using behavioral pattern analysis is possible. It is also shown that the establishment of such trust can facilitate simple secure communications routing between substations.