© The SPARKS Consortium

EU FP7 Programme Contract No. 608224

The SPARKS Project

Motivation, Objectives and Results

Ivo Friedberg

[email protected]

AIT Austrian Institute of Technology

PowerWeb Day: Smart Grid Cyber Security

9th June, 2017, Delft, Netherlands

The SPARKS Project

Demonstration Sites
– AIT SmartEST Laboratory
– Nimbus Microgrid
– SWW Wunsiedel Smart Grid

Consortium
– AIT Austrian Institute of Technology
– Fraunhofer AISEC
– EMC RSA
– Landis + Gyr
– The Queen’s University Belfast
– SWW Wunsiedel GmbH
– United Technologies Research Centre
– Royal Institute of Technology (KTH)
– Energy Institute at the J. Kepler University Linz

Key Figures
– Budget: 3.4M €
– Start date: 1st April, 2014
– Duration: 3 years

Motivation: New Cybersecurity Concerns for Energy Utilities

– Operational Risks
– Compliance Concerns

Advanced Persistent Cyber-Physical Threat: SPARKS Demonstration

– Phishing email & social engineering
– Install Remote Access Trojan (RAT) in office PC
– Network mapping & lateral movement
– Exploit vulnerability & pivot to SCADA network
– Deploy SCADA attack payload
– Attack physical system functions

For video visit: https://project-sparks.eu/events/2nd-sparks-stakeholder-workshop/

SPARKS Risk Assessment Framework

– Based on ISO/IEC 27005
– Familiar to the information security community
– Well-aligned with emerging cyber security requirements and compliance needs for critical infrastructure protection
– Guidance on how to implement the risk management process for a set of smart grid use cases

Security Architectures and Technologies

– Consolidation and analysis of existing standards, architectural guidelines and best practices
– Guidance on the application of material to operators
– Recommendations regarding future topics that should be addressed
– Exploration of the use of PUF technology to secure smart meters and gateways
– Unique testbed to evaluate PUF designs and their robustness to side channel attacks, etc.

What is Resilience?

A resilient control system is one that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature.
C. G. Rieger, D. I. Gertman, M. A. McQueen, Resilient control systems: Next generation design research, in: Human System Interactions, 2009. HSI '09. 2nd Conference on, 2009, pp. 632-636. doi:10.1109/HSI.2009.5091051.

A resilient industrial control system (RICS) is the one that is designed and operated in a way that:
• most of the undesirable incidents can be mitigated;
• the adverse impacts of undesirable incidents can be minimized…
• it can recover to normal operation in a short time.
D. Wei, K. Ji, Resilient industrial control system (RICS): Concepts, formulation, metrics, and insights, in: Resilient Control Systems (ISRCS), 2010 3rd International Symposium on, 2010, pp. 15-22. doi:10.1109/ISRCS.2010.5603480.

Power system cyber-physical resilience is the system's ability to maintain continuous electricity flow to customers given a certain load prioritization scheme. A resilient power system responds to cyber-physical disturbances in real-time or semi real-time, …
Arghandeh, R., von Meier, A., Mehrmanesh, L., & Mili, L. (2016). On the definition of cyber-physical resilience in power systems. Renewable and Sustainable Energy Reviews, 58, 1060–1069. doi:10.1016/j.rser.2015.12.193

Multi-Attribute SCADA IDS Concept

Multi-Attribute SCADA IDS Implementation

[Figure labels: Network Traffic; Whitelist Generation; Signature Generation; Stateful Rule Generation; Protocol Violation Rule Generation; Machine Learning; System Configurations; 3rd Party Signature DB; Protocol Standards; Normal Data; Attack Data; Whitelist; Signatures; Violation & Stateful Rules; Models; ELK (Elasticsearch, Logstash, Kibana)]

Resilient Control in Low Voltage Grid

Adaptation of PV controller behaviour, based on security information

Evidential network used to determine system state
– Dempster-Shafer Theory used to address alert uncertainty

Demonstration in the AIT SmartEST Lab
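
How Dempster-Shafer theory lets uncertain IDS alerts drive a controller decision, as an added example that is not SPARKS project code. It applies only Dempster's rule of combination on a two-state frame rather than a full evidential network; the reliability values, the 0.7 threshold and all function names are assumptions.

```python
from itertools import product

NORMAL, ATTACK = "normal", "attack"
THETA = frozenset({NORMAL, ATTACK})  # frame of discernment (two-state simplification)

def alert_mass(hypothesis, reliability):
    """One alert as a mass function: `reliability` supports the hypothesis,
    the rest stays on THETA (ignorance) instead of the opposite state."""
    return {frozenset({hypothesis}): reliability, THETA: 1.0 - reliability}

def combine(m1, m2):
    """Dempster's rule: multiply masses, keep non-empty intersections,
    renormalise by the non-conflicting mass."""
    fused, conflict = {}, 0.0
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        if a & b:
            fused[a & b] = fused.get(a & b, 0.0) + wa * wb
        else:
            conflict += wa * wb
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict")
    return {s: w / (1.0 - conflict) for s, w in fused.items()}

def fuse(alerts):
    """Fold a list of (hypothesis, reliability) alerts into one mass function."""
    m = {THETA: 1.0}  # vacuous belief: nothing known yet
    for hypothesis, reliability in alerts:
        m = combine(m, alert_mass(hypothesis, reliability))
    return m

def belief(m, hypothesis):
    """Mass committed exactly to the hypothesis (lower bound)."""
    return sum(w for s, w in m.items() if s == frozenset({hypothesis}))

def plausibility(m, hypothesis):
    """Mass not contradicting the hypothesis (upper bound)."""
    return sum(w for s, w in m.items() if hypothesis in s)

def controller_mode(m, strict_at=0.7):
    """Assumed policy: tighten PV set-point rules once belief in ATTACK is high."""
    return "strict" if belief(m, ATTACK) >= strict_at else "normal"

# Constructed alerts: two agents report an attack, one sensor reports normal.
SAMPLE_ALERTS = [(ATTACK, 0.6), (ATTACK, 0.5), (NORMAL, 0.3)]

if __name__ == "__main__":
    m = fuse(SAMPLE_ALERTS)
    print(round(belief(m, ATTACK), 3), round(plausibility(m, ATTACK), 3),
          controller_mode(m))
```

The gap between belief and plausibility is the mass still left on "unknown", which is what separates this from treating each alert as a plain probability.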

Inverter Control

Cyber-attack Demo Architecture

[Figure labels: Lab link middleware; Simulation Domain; Laboratory Domain; PV Inverter; Power Amp; 61850 Stack; Distribution Grid Simulator (DIgSILENT PowerFactory); Smart Low Voltage Grid Controller; 61850 Stack; Communication System Simulator (NRL Core); IDS; Att.; RC; PV; SCADA | WAN | Field]

SCADA … Supervisory Control and Data Acquisition
WAN … Wide Area Network
IDS … Intrusion Detection System
RC … Resilient Controller
PV … Photovoltaic Inverter

Cyber Attacks

– Man-in-the-middle
– Set point manipulation

[Figure labels: Communication System Simulator (NRL Core); IDS; Att.; RC; PV; SCADA | WAN | Field; Normal traffic; Attack traffic]

Attack Signals

Flip Droop Law
– Worse voltage situation
  – Increase high voltages
  – Decrease low voltages

Oscillation
– Unstable around nominal voltage
– Very high gain

[Figure: two droop curves, one per attack signal, with axes Q and U]

Layered Defense and Resilient Control

[Figure labels: Intrusion Detection (Whitelist Generation; Signature Generation; Stateful Rule Generation; Protocol Violation Rule Generation; Machine Learning); Controller; IDS; RC; PV; SCADA; WAN; Field; Agent #1; Agent #2; alerts & info; alerts; traffic]

Interaction Intrusion Detection and Resilient Controller

1st Example:
[Figure labels: RC; IDS; Attack detected!]

2nd Example:
[Figure labels: RC; IDS; Original set points; Some PVs got attacked!; # of PVs attacked; Applying stricter rules!]

Conclusions

More future cyber-attacks will cause physical effects
– Lower entry barrier (standardised protocols, …)
– Critical Infrastructures are more open but also more complex
– Threat actors with seemingly indefinite resources

No single system can guarantee protection
– Physical system should be taken into consideration
– Need for an intelligent integration of different techniques (detection, mitigation, …) to limit the effects of attacks

Shift from preventive Security to Resilience
– Prevent, Detect, Control, Mitigate
– How can resilience be measured to evaluate solutions?

Questions

Website: https://project-sparks.eu
Follow Us: @eusparks
Email: [email protected], [email protected]
Telephone: +43 (0) 664 883 90031