SPARKS Examines Emerging Threats and Countermeasures to the Smart Grid in its Latest Workshop

The SPARKS project organised the third in its ongoing series of stakeholder workshops in Belfast on 26th August, 2016. The event was held alongside the excellent ICS-CSR conference, which we wrote about in a previous blog entry. The focus of the workshop was to highlight the emerging threats that smart grid stakeholders face, and the countermeasures they can apply to address these threats. There are many cybersecurity threats that one must consider, such as the insider threat, but we chose to highlight what we believe are two important new threats: advanced persistent cyber-physical threats that result in operational consequences, such as a loss of supply; and compliance “threats”, emerging from new mandates from the European Commission.

Regarding the operational threat, we were once again able to present our multi-stage cyber-attack to a photovoltaic (PV) inverter — this demonstration was the highlight of our second workshop in Cork. However, there are two notable changes from the previous demonstration.

The first is how the cyber-attack has been improved by the project team since Cork. It is fair to say that the initial version was fragile — held together by tape. The cyber-attack presented at this workshop is significantly more stable and has matured in a number of ways: for example, the initial version made use of Metasploit (a relatively large tool, whose download from the Internet could be detected) to exploit a Linux-based vulnerability; this part has been slimmed down to a small, difficult-to-detect Python script. Changes like these serve as a strong reminder of two important aspects of cybersecurity in general, and of these forms of threat in particular: a once trailblazing attack that was difficult and expensive to implement (e.g., Stuxnet) will be iterated on and become more accessible and commoditised; and attacks (and attacker behaviours) are always becoming more sophisticated and refined, in order to avoid detection.

However, a major barrier to entry for attackers wishing to realise cyber-physical attacks, such as those considered in our demonstration, is the domain-specific knowledge that is needed about a target infrastructure — e.g., its SCADA systems and operational behaviour — in order to have a physical impact. For example, in Ukraine, it is understood the attackers spent several months learning the operational behaviour of the targeted infrastructures before causing a blackout. As energy systems (or smart grids) rely increasingly on open and Internet-oriented communication protocols, such as IEC 61850, and become more open and interconnected, this barrier could be significantly lowered … unless important cybersecurity measures are put in place. This leads nicely onto the second notable aspect of the demonstration.

The project was able to successfully demonstrate how our Supervisory Control and Data Acquisition (SCADA)-specific Intrusion Detection System (IDS) is able to detect the key final stage of the cyber-attack — the manipulation of the IEC 61850 protocol, which is used to control the behaviour of a PV inverter and ultimately switch it off. For more details on the project’s SCADA IDS, please take a look at SPARKS Deliverable D4.1. In short, the SCADA IDS uses a number of different detection approaches, such as signatures of malicious network traffic and so-called stateful analysis, to identify cyber-attacks that use various levels of sophistication to achieve their goal.
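To illustrate the two detection approaches mentioned above, here is an added example (not the SPARKS SCADA IDS code) that runs a signature-style allowlist check and a stateful check over a constructed log of simplified IEC 61850 control operations on a PV inverter. It assumes the inverter switch uses the select-before-operate (SBO) control model, and the client addresses, timeout and object name are constructed values.

```python
# Added example (not SPARKS project code): a toy stateful IDS check over a
# constructed log of simplified IEC 61850 control operations on a PV inverter.
# It assumes the inverter switch uses the select-before-operate (SBO) control
# model, so a legitimate Operate is always preceded by a Select from the same
# client on the same control object within a short window.
from dataclasses import dataclass

AUTHORISED_CLIENTS = {"10.0.0.10"}   # constructed: the plant's HMI/controller
SELECT_TIMEOUT_S = 30.0              # constructed SBO select-timeout window

@dataclass
class ControlMsg:
    t: float       # seconds since capture start
    src: str       # client IP address
    op: str        # "select", "operate" or "cancel"
    obj: str       # control object reference, e.g. "PVINV1/CSWI1.Pos"
    value: bool    # requested switch position (True = on)

def analyse(messages):
    """Return a list of (time, reason) alerts for a chronological message list."""
    alerts = []
    pending = {}   # (src, obj) -> time of the last Select
    for m in messages:
        if m.src not in AUTHORISED_CLIENTS:          # signature-style rule
            alerts.append((m.t, f"control from unauthorised client {m.src}"))
        key = (m.src, m.obj)
        if m.op == "select":
            pending[key] = m.t
        elif m.op == "cancel":
            pending.pop(key, None)
        elif m.op == "operate":                      # stateful rule
            sel = pending.pop(key, None)
            if sel is None:
                alerts.append((m.t, f"operate on {m.obj} without prior select"))
            elif m.t - sel > SELECT_TIMEOUT_S:
                alerts.append((m.t, f"operate on {m.obj} after select timeout"))
    return alerts

# Constructed capture: a normal switch-on, then a direct switch-off from an
# unknown client that never issued a Select.
SAMPLE = [
    ControlMsg(0.0, "10.0.0.10", "select", "PVINV1/CSWI1.Pos", True),
    ControlMsg(1.2, "10.0.0.10", "operate", "PVINV1/CSWI1.Pos", True),
    ControlMsg(600.0, "10.0.0.77", "operate", "PVINV1/CSWI1.Pos", False),
]

if __name__ == "__main__":
    for t, reason in analyse(SAMPLE):
        print(f"t={t:7.1f}s ALERT {reason}")
```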

Similarly, at the workshop we presented the Security Information Analytics (SIA) Tool that has been developed in the project. This tool makes use of knowledge and data-driven approaches to detect anomalous behaviour, which could indicate the presence of a cyber-attack. Knowledge-driven detection relies on, for example, identifying when physical laws are apparently being violated, as suggested in measurements that are collected from smart meters — these violations are likely to indicate an attack or a fault. Meanwhile, data-driven approaches to detection make use of large volumes of sensor data and machine learning algorithms, such as One-class Support Vector Machines (SVMs), to identify anomalous system behaviour.
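The knowledge-driven side of the SIA Tool described above, as an added example that is not the project's own code: a consistency check over constructed 15-minute interval readings from one feeder, using energy conservation between a feeder-head meter and the customer meters downstream of it. The loss bound and all readings are constructed values; the data-driven (One-class SVM) side is not shown here.

```python
# Added example (not the SPARKS SIA Tool's code): a knowledge-driven check over
# constructed 15-minute interval readings from one feeder. Energy conservation
# says the feeder-head meter must register at least the sum of the downstream
# (import-only) customer meters, and the difference, i.e. line losses, stays
# within a small bounded fraction. Intervals that break either rule are flagged
# as a possible attack (e.g. manipulated meter data) or a fault.
MAX_LOSS_FRACTION = 0.08   # constructed: losses above 8% of head energy are abnormal

def check_interval(head_kwh, customer_kwh):
    """Return a list of violation strings for one interval (empty if consistent)."""
    violations = []
    if head_kwh < 0 or any(c < 0 for c in customer_kwh):
        violations.append("negative interval energy on an import-only meter")
    total = sum(max(c, 0.0) for c in customer_kwh)
    if total > head_kwh:
        violations.append(
            f"customers report {total:.1f} kWh but head only {head_kwh:.1f} kWh")
    elif head_kwh > 0 and (head_kwh - total) / head_kwh > MAX_LOSS_FRACTION:
        loss = (head_kwh - total) / head_kwh
        violations.append(f"losses of {loss:.0%} exceed expected bound")
    return violations

def check_feeder(intervals):
    """intervals: list of (label, head_kwh, [customer_kwh, ...]).
    Returns a list of (label, reason) for every violated rule."""
    return [(label, reason)
            for label, head, customers in intervals
            for reason in check_interval(head, customers)]

# Constructed readings: two consistent intervals followed by three suspicious ones.
READINGS = [
    ("08:00", 120.0, [40.0, 35.5, 41.0]),   # losses 2.9%: fine
    ("08:15", 118.0, [39.0, 36.0, 40.0]),   # losses 2.5%: fine
    ("08:30", 121.0, [60.0, 35.0, 40.0]),   # sum 135 > head 121: impossible
    ("08:45", 119.0, [38.0, 10.0, 39.0]),   # losses 27%: under-reporting meter or fault
    ("09:00", 117.0, [39.0, -5.0, 41.0]),   # negative import energy (and 32% "losses")
]

if __name__ == "__main__":
    for label, reason in check_feeder(READINGS):
        print(f"{label}: {reason}")
```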

Both the SCADA IDS and SIA Tool are necessary (and complementary) to obtain situational awareness in the presence of advanced persistent threats in order to ultimately mitigate them.

At the workshop, we presented our research on Physically Uncloneable Functions (PUFs), including a part of the unique PUF testbed that we have developed in the project. PUFs are a technology that makes use of unique differences in microchip behaviour, e.g., related to timing, which are introduced in the manufacturing process, to create functions that yield a unique response when presented with a challenge. If a chip is tampered with as part of an attack, the behaviour of the PUF changes and the tampering can be immediately identified. The aim is that PUFs can be used to authenticate field devices, such as smart meters, metering gateways, and equipment in substations. A major benefit of PUFs is that you do not need to store key material on the device, thus reducing the cost of implementing authentication mechanisms for the smart grid. The SPARKS project is investigating suitable PUF designs that are robust to so-called side channel attacks and to the environmental conditions that devices, such as smart meters, are subjected to in the real world. Ultimately, the goal is to improve the security of, and trust in, field devices that will be part of the smart grid, in order to make threats like the one presented at the workshop, which rely on tampering with field devices, harder for attackers to realise.
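The challenge-response authentication flow described above, as an added example that is not the SPARKS PUF testbed: a software stand-in for a PUF, where a hidden per-chip seed models the silicon variation that a real PUF derives its responses from, so that only the verifier holds enrolment data and the device stores no key. Responses are made noisy to show why the verifier tolerates a small Hamming distance, and a chip whose behaviour has changed fails the check; the bit sizes, noise rate and threshold are constructed values.

```python
# Added example (not the SPARKS PUF testbed): a software stand-in for a PUF used
# for challenge-response authentication. The "silicon" is modelled by a secret
# per-chip seed that only this simulation holds; a real PUF derives it from
# manufacturing variation, so the device itself stores no key. Responses are
# noisy, so the verifier accepts a small Hamming distance; a tampered chip
# behaves like a different chip and fails.
import hashlib
import hmac
import random

RESPONSE_BITS = 64
NOISE_RATE = 0.05        # constructed: fraction of response bits that flip per query
MATCH_THRESHOLD = 12     # constructed: largest Hamming distance still accepted

class SimulatedPUF:
    def __init__(self, chip_id, rng):
        # Stand-in for per-chip manufacturing variation (never read by the device).
        self._seed = hashlib.sha256(b"chip:" + chip_id).digest()
        self._rng = rng

    def respond(self, challenge):
        ideal = int.from_bytes(
            hmac.new(self._seed, challenge, "sha256").digest()[:8], "big")
        noisy = ideal
        for bit in range(RESPONSE_BITS):          # model measurement noise
            if self._rng.random() < NOISE_RATE:
                noisy ^= 1 << bit
        return noisy

def hamming(a, b):
    return bin(a ^ b).count("1")

def enroll(puf, rng, n):
    """Verifier side: collect n challenge-response pairs once, in a trusted setting."""
    db = []
    for _ in range(n):
        challenge = rng.getrandbits(128).to_bytes(16, "big")
        db.append((challenge, puf.respond(challenge)))
    return db

def authenticate(device, crp_db):
    """Spend one stored CRP (never reused, which defeats replay) and check the reply."""
    if not crp_db:
        raise RuntimeError("CRP database exhausted; re-enrol the device")
    challenge, expected = crp_db.pop()
    return hamming(device.respond(challenge), expected) <= MATCH_THRESHOLD

rng = random.Random(2016)                                  # reproducible noise
genuine = SimulatedPUF(b"meter-0001", rng)
tampered = SimulatedPUF(b"meter-0001-modified", rng)       # altered chip behaviour
CRPS = enroll(genuine, rng, 8)                             # held by the verifier only
```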

We foresee two major new compliance concerns that smart grid stakeholders will need to address in the very near future: the new General Data Protection Regulation (GDPR), which comes into force in early 2018, and the Network and Information Security (NIS) Directive. The former is, as the name suggests, largely focused on data protection issues, including defining data subjects’ rights and new requirements for organisations to implement a privacy impact assessment for novel IT services (smart grids and metering are examples of novel IT services). Meanwhile, the latter — the NIS Directive — is concerned with establishing a common level of information security across Europe, including provisions to encourage Member States to cooperate more readily.

At the workshop, we presented an overview of the NIS Directive, raising important questions regarding its implications for the smart grid. For example, it is not clear which actors are addressed in the Directive – “operators of essential services” and “digital service providers” are highlighted, for example. However, the Directive does not apply to micro- and small enterprises. Therefore, it is not clear how operators of essential services, such as virtual power plants (aggregators), which are likely to be cooperatives and classed as small enterprises, will be tackled to ensure the levels of cybersecurity that are required to address the forms of operational threat discussed earlier. We will examine questions like this in an upcoming workshop, which will take place in the European Parliament on 19th October, 2016. Expect more on this topic in the future.

Strongly related to these compliance issues is cybersecurity risk management. At the workshop, we heard from the SEGRID project about their approach to cybersecurity risk assessment for the smart grid. The project has placed a strong focus on analysing threat actor capability and motivation, drawing on well-established risk assessment standards such as HMG IA Standard 1 and TVRA. In her presentation, Judith Rossebo from ABB highlighted how considering threat actor motivation can change our understanding of the criticality of cybersecurity risks, drawing on the incident in Ukraine as an example. Meanwhile, the SPARKS project, during a poster session, presented its research on risk assessment for the smart grid, where we have examined and developed tools to identify the power system (operational) consequences of cyber-attacks through novel analytical and co-simulation methods. For further information, please take a look at our deliverables on risk assessment.