Early Detection and Recovery Measures for Smart Grid Cyber-Resilience

Ismail Butun, Alparslan Sari
DOI: 10.4018/978-1-7998-7468-3.ch005


The internet of things (IoT) has recently brought major technological advances in many domains, including the smart grid. Despite the simplicity and efficiency that IoT brings, underlying risks are slowing its adoption. These risks stem from the legacy systems inside existing infrastructures, which were built with no security in mind. In this chapter, the authors propose a method for early-stage detection of cyber-security incidents and protection against them through applicable security measures. The chapter introduces security techniques such as anomaly detection, threat investigation through a highly automated decision support system (DSS), and incident response and recovery for smart grid systems. The introduced framework can be applied to industrial environments, for example against cyber-threats targeting a production generator or electricity smart meters. The chapter also illustrates the framework's cyber-resilience against zero-day threats and its ability to distinguish operational failures from cyber-security incidents.
Chapter Preview


Cybersecurity has a very important role in information and communication technology (ICT) systems, such as ensuring the reliability and safety of the provided services. This is a non-trivial task: cybersecurity is harder to maintain and operate than any other service being provided. One prominent reason is that traditional cyber-security solutions become obsolete as new vulnerabilities in the systems and networks in use today are discovered every day, including ones exploited before any fix exists (zero-day attacks).

Beyond the ICT domain, cybersecurity in the power domain is even more important and more difficult because of the diverse networking and communication technologies in use, which leave the whole energy grid exposed to cyber-attacks. Recent history has taught us that cybersecurity in the power domain (including industrial networks) is of utmost importance, since the resulting failures and induced accidents (cyber-incident-related disasters such as explosions) may be life-threatening to people.

For instance, Stuxnet is malware that spread via Microsoft (MS) Windows hosts. It became publicly known in June 2010, after it was found to have attacked the uranium enrichment facility of the Iranian nuclear programme at Natanz. It targeted the Siemens Step 7 software running on Windows engineering workstations in order to reprogram the Siemens programmable logic controllers (PLCs) that drove the enrichment centrifuges. Stuxnet specifically attacked these PLCs by 1) gathering information about the industrial system, 2) initiating sequences that drove the centrifuges far outside their normal rotor speeds, and 3) eventually causing the centrifuges to tear themselves apart and damage their surroundings (Karnouskos, 2011).

The smart grid is also not immune to cyber-attacks (Butun, dos Santos, 2020). It can be targeted both on the controller side (command capture attacks against electric utility providers) and on the distribution side (manipulation attacks on billing). As an illustration, in a modern factory (e.g. one that produces paper-polishing material from marble dust), much of the automated machinery is equipped with IIoT sensors and actuators. This equipment mainly consists of grinders, mixers, heaters, and conveyor belts. The IIoT sensors and actuators serve mainly three functions (Forsström, 2018):

1. Digitized on-the-go remote monitoring and control of equipment.
2. Optimization of machines within a production line (monthly or annually) based on the collected short- and long-term process-related data.
3. Instant alarming and shutdown of the equipment in emergency situations.

In this specific factory example, adversaries can target function #1 and function #3. In this kind of facility the heat and pressure sensors are especially critical: any outside intervention could cause malfunctions that end not only in batch and/or property damage but also in casualties from explosions that can no longer be prevented. Since these sensors and actuators are mostly IIoT-enabled, they are reachable, and therefore hackable, by adversaries unless special cyber-security precautions are taken.
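As an added example that is not part of the chapter, the following Python sketch shows what early-stage anomaly detection on such heater telemetry can look like: a per-sensor baseline is learned from a calibration window, and each new reading is then checked against a physical plausibility range, a maximum rate of change, and the learned baseline. The sensor name, its limits, and the telemetry values are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional


@dataclass(frozen=True)
class SensorSpec:
    name: str
    lo: float        # lowest physically plausible reading (assumed limit)
    hi: float        # highest physically plausible reading (assumed limit)
    max_step: float  # largest change per sample the process can produce (assumed)


@dataclass(frozen=True)
class Alarm:
    sensor: str
    index: int
    value: float
    reason: str


class BaselineDetector:
    """Three checks, cheapest first: plausibility range, rate of change against
    the last trusted reading, then deviation from a baseline learned during a
    calibration window."""

    def __init__(self, spec: SensorSpec, k: float = 3.0):
        self.spec = spec
        self.k = k            # z-score threshold for the baseline test
        self.mu = 0.0
        self.sigma = 1.0
        self.prev: Optional[float] = None

    def fit(self, calibration: List[float]) -> None:
        self.mu = mean(calibration)
        # A perfectly flat window would give sigma 0; floor it so the z-test stays defined.
        self.sigma = pstdev(calibration) or 1e-9
        self.prev = calibration[-1]

    def check(self, index: int, value: float) -> Optional[Alarm]:
        """Return an Alarm for the first rule the reading violates, else None."""
        spec, reason = self.spec, None
        if not spec.lo <= value <= spec.hi:
            # Physically impossible: a spoofed or faulty reading. It must not become
            # the reference for the next rate-of-change test, so return before updating prev.
            return Alarm(spec.name, index, value, "out of physical range")
        if self.prev is not None and abs(value - self.prev) > spec.max_step:
            reason = "rate of change exceeds process limit"
        elif abs(value - self.mu) > self.k * self.sigma:
            reason = "deviates from learned baseline"
        self.prev = value
        return Alarm(spec.name, index, value, reason) if reason else None


def scan(spec: SensorSpec, calibration: List[float], readings: List[float], k: float = 3.0) -> List[Alarm]:
    """Fit on the calibration window, then return every alarm raised over readings."""
    det = BaselineDetector(spec, k)
    det.fit(calibration)
    alarms = []
    for i, v in enumerate(readings):
        alarm = det.check(i, v)
        if alarm:
            alarms.append(alarm)
    return alarms


# Constructed telemetry for a heater held at 180 °C: a normal calibration window,
# then a physically impossible spoofed value, an abrupt jump, and a sustained offset.
HEATER = SensorSpec("heater_temp_c", lo=20.0, hi=400.0, max_step=5.0)
CALIBRATION = [179.8, 180.1, 180.0, 179.9, 180.2, 180.0, 179.7, 180.3, 180.1, 179.9]
READINGS = [180.0, 180.2, 179.8, 450.0, 180.1, 186.0, 185.8]

if __name__ == "__main__":
    for a in scan(HEATER, CALIBRATION, READINGS):
        print(f"ALARM {a.sensor}[{a.index}]={a.value}: {a.reason}")
```

A reading that fails the plausibility check is deliberately not allowed to become the reference for the next rate-of-change test; otherwise a single spoofed sample would trigger a second, spurious alarm on the legitimate reading that follows it. Telling an operational fault apart from an attack, as the chapter sets out to do, needs more context than these three rules provide (for example, correlation with the command log of the controller); this block only raises the alarm.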

Timely addressing of the challenges and implications mentioned above, i.e. securing the Electrical Power and Energy Systems (EPES) sector against cyber-attacks and hackers, is of utmost importance. This chapter broadly captures the needs of EPES operators and combines the latest technologies for vulnerability assessment, supervision, and protection to draft an envisioned defensive toolkit. In such a toolkit, for instance, anomalies that might be caused by system users can be monitored and later mapped into a system vulnerability analysis tool to identify and close the security gaps in the systems that will be used by EPES vendors.

Key Terms in this Chapter

Firewall: Software or hardware designed to block unwanted or unauthorized network traffic between computer networks or hosts.

Denial-of-Service (DoS): A class of attack in which the targeted network or system is made unavailable to its intended users, e.g. by exhausting its resources or forcing it offline, so that it can no longer operate as intended.

Event: An expected or unexpected occurrence related to systems in operation. Events are the basic input of monitoring tools such as a SIEM.

Agent: Part of a software product (most commonly a SIEM tool), consisting of a program installed on the host machine to execute the following tasks: event filtering, event aggregation, normalization of the aggregated events, and sending the results to the central management software (the SIEM tool) for further inspection.
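As an added example (not the chapter's own code), the agent tasks listed in this definition are run below, in Python, over a handful of constructed syslog-style lines from a hypothetical substation gateway "gw1". The event field names are an assumed schema for illustration, not any real SIEM's format.

```python
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Constructed sample (hypothetical gateway "gw1"): DEBUG chatter, a burst of failed
# logins from one source, one control write, and one successful login.
RAW_LOG = """\
Mar 03 10:15:01 gw1 sshd[412]: Failed password for admin from 10.0.5.7 port 50122 ssh2
Mar 03 10:15:01 gw1 scada[77]: DEBUG heartbeat ok
Mar 03 10:15:02 gw1 sshd[412]: Failed password for admin from 10.0.5.7 port 50123 ssh2
Mar 03 10:15:02 gw1 sshd[412]: Failed password for root from 10.0.5.7 port 50124 ssh2
Mar 03 10:15:03 gw1 scada[77]: DEBUG heartbeat ok
Mar 03 10:15:04 gw1 scada[77]: WRITE coil=breaker_7 value=OPEN by=operator2
Mar 03 10:15:05 gw1 sshd[412]: Accepted password for operator2 from 10.0.5.9 port 50130 ssh2
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)")
WRITE = re.compile(r"^WRITE (?P<detail>.*) by=(?P<user>\S+)$")


@dataclass
class Event:
    """Common event schema the agent ships to the SIEM (field names are assumed)."""
    timestamp: str
    host: str
    program: str
    event_type: str
    user: Optional[str] = None
    src_ip: Optional[str] = None
    detail: Optional[str] = None
    count: int = 1


def filter_line(line: str) -> bool:
    """Filtering: drop blank lines and DEBUG chatter so they never leave the host."""
    line = line.strip()
    return bool(line) and " DEBUG " not in line


def normalize(line: str) -> Event:
    """Normalization: map one raw line onto the common Event schema. Lines the
    parser does not understand are kept as 'unparsed' rather than silently dropped."""
    m = SYSLOG.match(line)
    if not m:
        return Event("?", "?", "?", "unparsed", detail=line)
    msg = m["msg"]
    a = AUTH.match(msg)
    if a:
        kind = "auth_failure" if a["result"] == "Failed" else "auth_success"
        return Event(m["ts"], m["host"], m["prog"], kind, user=a["user"], src_ip=a["ip"])
    w = WRITE.match(msg)
    if w:
        return Event(m["ts"], m["host"], m["prog"], "control_write", user=w["user"], detail=w["detail"])
    return Event(m["ts"], m["host"], m["prog"], "other", detail=msg)


def aggregate(events: List[Event]) -> List[Event]:
    """Aggregation: collapse repeated auth failures from the same source against the
    same host into one event carrying a count (the first occurrence keeps its
    timestamp and user). Control writes are never merged: each one matters on its own."""
    out: List[Event] = []
    seen: Dict[tuple, Event] = {}
    for ev in events:
        if ev.event_type == "auth_failure":
            key = (ev.host, ev.src_ip)
            if key in seen:
                seen[key].count += 1
                continue
            seen[key] = ev
        out.append(ev)
    return out


def run_agent(raw: str) -> List[Dict]:
    """The agent pipeline: filter -> normalize -> aggregate -> records ready to send."""
    kept = [ln for ln in raw.splitlines() if filter_line(ln)]
    return [asdict(ev) for ev in aggregate([normalize(ln) for ln in kept])]


if __name__ == "__main__":
    for rec in run_agent(RAW_LOG):
        print(rec)
```

The order of the stages matters: filtering before normalization keeps the parser off the noisiest lines, and aggregation after normalization means the count is keyed on parsed fields (host and source address) rather than on string equality of raw lines, so the admin and root attempts from the same source become one event for the SIEM to correlate.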

Anomaly: A deviation from the normal behavior (also called abnormal) of the system or user.

Security Risk Assessment: Identifying the vulnerabilities of a system together with the possible worst-case scenarios, and evaluating the total losses should such events occur. This is also referred to as “vulnerability analysis” in the literature.

Intrusion: An event in which an unauthorized user obtains information or an access right that he/she is not allowed to have. Mostly represented by the events reported by IDSs.

Sensors: Components responsible for collecting evidence regarding events. In particular, when the agents mentioned above are implemented in hardware, they are referred to as “sensors.”

Log File: A file that keeps records of the events that occur while an operating system or other software runs. Logging is the function of keeping such a log in a specific place. Log files are the primary input of SIEM tools.
