New toolkit to protect energy grids against cyber security threats and attacks
Deliberate disruptions of electrical power and energy systems are a game-changer. In 2015 in Ukraine, attackers using the BlackEnergy malware launched targeted spear-phishing campaigns against energy companies, gained access to the power network companies' systems, learned their operations and then used the legitimate functionality of distribution management systems to disconnect substations from the grid, leaving over 225 000 customers without power. “Electrical power and energy systems are most frequently targeted by cyber-attacks like phishing, social engineering, whaling, distributed denial-of-service (DDoS) attacks, malware, and ransomware. The threat continues to evolve as attackers try to access industrial control systems through third parties. Thus, greater efforts are needed to manage cyber security risks,” says Otilia Bularca, project manager at Romania-based company Software Imagination & Vision SRL and coordinator of the EU-funded EnergyShield project. “Scientific and technical communities work together to innovate, design and deploy technologies that are more resilient and protective. EnergyShield is tackling the energy sector cyberthreats by adapting and integrating technologies for vulnerability assessment, supervision and protection in a defensive toolkit,” adds Bularca.
A set of different modules
The EnergyShield solution combines a broad set of tools that help increase resilience against different types and levels of cyber and privacy attacks and data breaches. A security behaviour analysis tool evaluates the current security readiness of an organisation. It allows operators to identify entry points, the so-called human attack surface, which largely results from lack of awareness or inappropriate access control. A vulnerability assessment tool assesses cyber security resilience through threat modelling and attack simulations. The tool derives the attacker's most likely path and plots the probability of the attacker reaching the asset. The distributed denial-of-service mitigation module actively defends the systems against incoming traffic flooding. The module leverages machine learning-based algorithms to detect and mitigate application-layer DDoS attacks on the communication infrastructure. The anomaly detection module analyses the network traffic and points out unexpected events. It detects anomalies at the operational technology layer, protecting control infrastructure against man-in-the-middle or replay attacks. Finally, a security information and event management tool enables critical infrastructure operators to share early warnings on cyber security risks and incidents, as well as to report major breaches of their core services. All these tools are accommodated in a central federation coordinator with locally deployed federation members. The central component is responsible for maintaining the rules and standards and for common processing, while the federation members are responsible for local data collection and processing.
Technology demonstrators
The project outcomes will be demonstrated in two pilot sites to validate the innovative models, algorithms and cybersecurity solutions. In Bulgaria, a city-level online demonstrator is proposed to investigate the cascading effects of cyberattacks throughout the electrical power and energy system value chain and analyse cybersecurity risks related to the cyber supply chain. A smaller offline demonstrator is being prepared in Italy where a cyberattack on a network control subsystem will be simulated. Project findings will serve as a proxy for developing best practices, guidelines and methodologies, encouraging widespread adoption of the project tools in the energy sector.
Keywords
EnergyShield, cybersecurity, toolkit, data breach, cyberattack, vulnerability assessment, DDoS