the sparks project motivation, objectives and results · © the sparks consortium eu fp7 programme...
TRANSCRIPT
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
The SPARKS Project
Motivation, Objectives and Results
Ivo Friedberg
AIT Austrian Institute of Technology
PowerWeb Day: Smart Grid Cyber Security
9th June, 2017, Delft, Netherlands
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
The SPARKS Project
Demonstration
Sites
AIT SmartEST
Laboratory
Nimbus
Microgrid
SWW Wunsiedel
Smart Grid
AIT Austrian
Institute of
TechnologyFraunhofer
AISEC
EMC
RSA
Landis + Gyr
The Queen’s
University
Belfast SWW
Wunsiedel
GmbH
United
Technologies
Research
Centre
Royal Institute
of Technology
(KTH)
Consortium
Energy Institute at
the J. Kepler
University Linz
Budget:
3.4M €
Start date:
1st
April, 2014
Duration:
3 years
Key
Figures
2
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Motivation: New Cybersecurity
Concerns for Energy Utilities
Operational Risks Compliance Concerns
3
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Advanced Persistent Cyber-Physical
Threat: SPARKS Demonstration
Phishing email & social engineering
Install Remote Access Trojan (RAT) in office PC
Network mapping & lateral movement
Exploit vulnerability & pivot to SCADA network
Deploy SCADA attack payload
Attack physical system functions
4
For video visit:
https://project-sparks.eu/events/2nd-sparks-
stakeholder-workshop/
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
SPARKS Risk Assessment
Framework
Based on ISO/IEC 27005
Familiar to the information security community
Well-aligned with emerging cyber security requirements and compliance needs for critical infrastructure protection
Guidance on how to implement the risk management process for a set of smart grid use cases
5
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Security Architectures and
Technologies
Consolidation an analysis of
existing standards, architectural
guidelines and best practices
Guidance on the application of
material to operators
Recommendations regarding
future topics that should be
addressed
Exploration of the use of PUF technology to
secure smart meters and gateways
Unique testbed to evaluate PUF designs and
their robustness to side channel attacks, etc.
6
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224 7
C. G. Rieger, D. I. Gertman, M. A. McQueen, Resilient control systems: Next generation design research, in: Human System Interactions, 2009. HSI '09. 2nd Conference on, 2009, pp. 632-636. doi:10.1109/HSI.2009.5091051.
A resilient control system is one that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature.
A resilient industrial control system (RICS) is the one that is designed and operated in a way that: • most of the undesirable incidents can be mitigated; • the adverse impacts of undesirable incidents can be minimized… • it can recover to normal operation in a short time.
D. Wei, K. Ji, Resilient industrial control system (RICS): Concepts, formulation, metrics, and insights, in: Resilient Control Systems (ISRCS), 2010 3rd International Symposium on, 2010, pp. 15-22. doi:10.1109/ISRCS.2010.5603480.
Arghandeh, R., von Meier, A., Mehrmanesh, L., & Mili, L. (2016). On the definition of cyber-physical resilience in power systems. Renewable and Sustainable Energy Reviews, 58, 1060–1069. doi:10.1016/j.rser.2015.12.193
Power system cyber-physical resilience is the system's ability to maintain continuous electricity flow to customers given a certain load prioritization scheme. A resilient power system responds to cyber-physical disturbances in real-time or semi real-time, …
What is Resilience?
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Multi-Attribute SCADA IDS Concept
8
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Multi-Attribute SCADA IDS
Implementation
Network
Traffic
Whitelist
Generation
Signature
Generation
Stateful Rule
Generation
Protocol
Violation
Rule Generation
Machine
Learning
System
Configurations
3rd Party
Signature DB
Protocol
Standards
Normal
Data
Attack
Data
Whitelist
Signatures
Violation &
Stateful Rules
Models
ELK (Elasticsearch, Logstash, Kibana)
9
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Resilient Control in Low Voltage Grid
Adaptation of PV controller
behaviour, based on
security information
Evidential network used to
determine system state
– Dempster-Shafer Theory
used to address alert
uncertainty
Demonstration in the AIT
SmartEST Lab
10
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Inverter Control
11
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Cyber-attack Demo Architecture
Lab lin
k mid
dlew
are
Simulation Domain Laboratory Domain
PV Inverter
Power Amp
61850 Stack
Distribution Grid Simulator (DIgSILENT
PowerFactory)
G
Smart Low Voltage Grid
Controller
61850 Stack
Communication System Simulator (NRL Core)
C
IDS Att. RC PV
RC PV
SCADA | WAN | Field
SCADA … Supervisory Control and Data Akquisition WAN … Wide Area Network IDS … Intrusion Detection System RC … Resilient Controller PV … Photovoltaic Inverter
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Cyber Attacks
Man-in-the-middle
Set point manipulation Communication System Simulator
(NRL Core)
C
IDS Att. RC
PV
RC
PV
SCADA | WAN | Field
Normal traffic
Attack traffic
SCADA … Supervisory Control and Data Acquisition WAN … Wide Area Network IDS … Intrusion Detection System RC … Resilient Controller PV … Photovoltaic Inverter
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224 14
Flip Droop Law Oscillation
Q
U
Q
U
Worse voltage situation - Increase high voltages - Decrease low voltages
Instable around nominal voltage very high gain
Attack Signals
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Intrusion Detection
Layered Defense and Resilient Control
Whitelist Generation
Signature Generation
Stateful Rule Generation
Protocol Violation Rule Generation
Machine Learning
Intrusion Detection
Controller
IDS
RC
PV
SCADA
Field
WAN
Agent #1
Agent #2
alerts & info
alerts
traffic
traffic
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Interaction Intrusion Detection
and Resilient Controller
1st Example:
16
Attack detected!
2nd Example:
Original
Set points
Some PVs got attacked!
Applying stricter rules!
RC IDS
# of PVs
attacked RC IDS
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Conclusions
More future cyber-attacks will cause physical effects
– Lower entry barrier (standardised protocols, …)
– Critical Infrastructures are more open but also more complex
– Threat actors with seemingly indefinite resources
No single system can guarantee protection
– Physical system should be taken into consideration
– Need for an intelligent integration of different techniques
(detection, mitigation, …) to limit the effects of attacks
Shift from preventive Security to Resilience
– Prevent, Detect, Control, Mitigate
– How can resilience be measured to evaluate solutions?
17
© The SPARKS Consortium
EU FP7 Programme Contract No. 608224
Questions
Website
https://project-sparks.eu
Follow Us
@eusparks
Telephone
+43 (0) 664 883 90031
18