This document discusses developing advanced security monitoring and threat detection for cyber resilience in operational technology (OT) environments. It outlines RSE's applied research on cyber security assessments for the electro-energetic sector. Topics covered include cyber challenges to the energy transition, European regulations, industrial control system cyber security analyses using security tools, advanced probabilistic models for anomaly detection and attack forecasting, and experimental platforms for security monitoring, anomaly detection and recovery. Machine learning and deep learning techniques are discussed for application to anomaly detection in OT environments.
2. About RSE
Applied research on the electro-energetic sector, experimental activities including Cyber Security experimental assessment
January 2020, Berlin, Germany
3. Table of contents
• Cyber challenges to the energy transition
• European Regulations
• ICS cyber security analyses with state of art tools
• Advanced probabilistic models for anomaly detection and attack forecast
• Experimental platform for security monitoring, anomaly detection and recovery
• Application of machine/deep learning to cyber anomaly detection
4. Cyber challenges to the energy transition
The number of known attack groups increased from 140 in 2018 to 155 in 2019 [WEC].
5. Attack on the Ukrainian Grid - details
• E‐ISAC, “Analysis of the Cyber Attack on the Ukrainian Power Grid”, March 18, 2016
6. NIS Directive EU 2016/1148
CHAPTER IV
SECURITY OF THE NETWORK AND INFORMATION SYSTEMS OF OPERATORS OF ESSENTIAL SERVICES
Article 14 Security requirements and incident notification
1. Member States shall ensure that operators of essential services take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations.
2. Member States shall ensure that operators of essential services take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services.
3. Member States shall ensure that operators of essential services notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident. Notification shall not make the notifying party subject to increased liability.
7. Network Code on Cybersecurity
[European Commission, Smart Grid Task Force, Expert Group 2]
8. Power System Resilience - Definition
CIGRE WG C4.47 Reference Paper
10. NIST Cyber Security Framework (cont.)
• Functions and categories
11. RSE Cyber Security Framework
Research and Innovation: Foundations, Experiments
• ICT simulators
• Power simulators
• Standards
• Regulations
• Analysis methodologies
• AI algorithms
• Technologies
13. ICS cyber security analyses
Network zones of the reference architecture [NIST 800-82]: Field Network, Corporate Network, Control Network, DMZ Network
14. SecuriCAD based methodology
• The SecuriCAD tool by Foreseeti (SE) allows the evaluation of the TTC indicator (Time To Compromise); TTC represents the expected time an attacker would take to compromise each single asset in the modelled ICT infrastructure
• Each asset in the model has specific attack steps associated with it that can be exploited to control the component; which steps apply depends on the type of asset and the values of the configured parameters
• Pre-determined attack steps
• Pre-defined attack step probability
• Graphical interface
17. SecuriCAD Analyses
Measure                                                      | Success % in 10 days | Success % in 20 days | Success % in 50 days | Δ% vs Baseline 10 days | Δ% vs Baseline 20 days | Δ% vs Baseline 50 days
Firewall off                                                 | 25% | 38% | 58% | 19% | 28% | 36%
Baseline (fw on)                                             |  6% | 10% | 22% |  -  |  -  |  -
Baseline + Protocol security                                 |  5% |  8% | 21% | -1% | -2% | -1%
Baseline + Protocol sec + IDS                                |  4% |  7% | 18% | -2% | -3% | -4%
Baseline + Protocol sec + IDS + IPS                          |  3% |  7% | 20% | -3% | -3% | -2%
Baseline + Protocol sec + IDS + IPS + AC sec (no default pw) |  2% |  4% | 12% | -4% | -6% | -10%
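Added example, not code or data from SecuriCAD or the RSE study: a minimal Monte Carlo reading of the TTC idea behind slides 14 and 17. A constructed attack graph (step names and mean durations are assumptions) is sampled repeatedly, the firewall measure is modelled as extra expected time on the perimeter step, and the output is the probability that the last asset is compromised within 10, 20 and 50 days, i.e. the same shape of result as the table above.

```python
import random

# Constructed illustrative attack graph (not SecuriCAD's model or data):
# each attack step maps to (prerequisite steps, mean time-to-compromise in days).
# A step can start once all prerequisites are compromised; its own duration is
# drawn from an exponential distribution with the given mean. The firewall
# measure is modelled as extra expected time to get from the corporate network
# into the DMZ; with the firewall off that step costs nothing.
def build_model(firewall_on: bool) -> dict:
    fw_mean = 20.0 if firewall_on else 0.0
    return {
        "corporate_host":  ([], 5.0),
        "perimeter_fw":    (["corporate_host"], fw_mean),
        "dmz_server":      (["perimeter_fw"], 8.0),
        "control_network": (["dmz_server"], 10.0),
        "field_rtu":       (["control_network"], 6.0),
    }

def sample_compromise_times(model: dict, rng: random.Random) -> dict:
    """One Monte Carlo run: the day on which each asset falls."""
    reached, pending = {}, dict(model)
    while pending:  # resolve steps whose prerequisites are all known
        for name, (prereqs, mean) in list(pending.items()):
            if all(p in reached for p in prereqs):
                start = max((reached[p] for p in prereqs), default=0.0)
                duration = rng.expovariate(1.0 / mean) if mean > 0 else 0.0
                reached[name] = start + duration
                del pending[name]
    return reached

def success_rate(model: dict, target: str, horizons, runs=20000, seed=1) -> dict:
    """Fraction of runs in which `target` is compromised within each horizon (days)."""
    rng = random.Random(seed)
    hits = {h: 0 for h in horizons}
    for _ in range(runs):
        t = sample_compromise_times(model, rng)[target]
        for h in horizons:
            if t <= h:
                hits[h] += 1
    return {h: hits[h] / runs for h in horizons}

if __name__ == "__main__":
    horizons = (10, 20, 50)
    base = success_rate(build_model(firewall_on=True), "field_rtu", horizons)
    nofw = success_rate(build_model(firewall_on=False), "field_rtu", horizons)
    for h in horizons:
        print(f"{h:>2} days: baseline {base[h]:.0%}, firewall off {nofw[h]:.0%}, "
              f"delta {nofw[h] - base[h]:+.0%}")
```

Further measures from the table (protocol security, IDS/IPS, no default passwords) would enter the same way, as longer mean durations or lower success probabilities on the steps they affect.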
18. Probabilistic graphical models
Bayesian Networks
• based on real world knowledge and parameters
• oriented to the power system
• predictive and diagnostic analysis
• for planning, assessment, detection, forecasting
19. Analysis types
planning
• security measures
• monitoring sensors setup
detection
• early detection of intrusions
assessment
• effectiveness of security measures
• effectiveness of monitoring system
forecasting
• adversarial moves
23. Attack process to power control infrastructure
Network zones: Field Network, Corporate Network, Control Network, DMZ Network
Attack graphs: Power Control Area attack graph, IT Area attack graph
24. Methodological approach
Attack Graph and Bayesian Network
IT techniques
• MITRE ATT&CK - scores based on attack groups, software, references
OT techniques
• US ICS-CERT Vulnerability Advisories - CVSS scores
Analytics
• events whose observation is significant to the security analyst
• MITRE CAR + power domain specific
25. Predictive/Diagnostic Analysis
Detection: importance of monitoring system security
Planning/Assessment: network specific risk assessment for defence planning
Planning/Assessment: relevance of analytics in the planning of the monitoring system
D. Cerotti, D. Codetta-Raiteri, L. Egidi, R. Terruggia, G. Dondossola, “Analysis and Detection of Cyber Attack Processes targeting Smart Grids”, 2019 IEEE PES Innovative Smart Grid Technologies Europe (ISGT-Europe), September 2019
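Added example, not code from the RSE models or the cited paper: a small Bayesian network in the spirit of slides 18 and 24-25, with constructed node names and probabilities. It shows the two analysis directions named on the slides: diagnostic inference (from analytics the analyst has observed to the probability that an attack process is under way) and predictive inference (from an assumed intrusion to the analytics the monitoring system should expect), and how adding a second analytic changes the posterior, which is the planning question on slide 25.

```python
from itertools import product

# Constructed example network (names and probabilities are illustrative
# assumptions, not values from the RSE models). Each node maps to
# (parents, CPT) where CPT gives P(node=True | parent values) keyed by the
# tuple of parent truth values (empty tuple for root nodes).
NETWORK = {
    "it_intrusion":   ((), {(): 0.05}),                              # attack process in the IT area
    "ot_pivot":       (("it_intrusion",), {(True,): 0.60, (False,): 0.01}),  # step into the control network
    "new_admin_acct": (("it_intrusion",), {(True,): 0.70, (False,): 0.05}),  # IT analytic (host log)
    "unexpected_cmd": (("ot_pivot",),     {(True,): 0.80, (False,): 0.02}),  # OT analytic (protocol monitor)
}

def joint_probability(assignment: dict) -> float:
    """P(assignment) as the product of each node's conditional probability."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p

def query(var: str, evidence: dict) -> float:
    """P(var=True | evidence), computed by enumerating every hidden variable."""
    hidden = [n for n in NETWORK if n not in evidence and n != var]
    weight = {True: 0.0, False: 0.0}
    for value in (True, False):
        for combo in product((True, False), repeat=len(hidden)):
            assignment = dict(evidence, **dict(zip(hidden, combo)))
            assignment[var] = value
            weight[value] += joint_probability(assignment)
    return weight[True] / (weight[True] + weight[False])

def diagnostic(evidence: dict) -> float:
    """Diagnostic analysis: observed analytics -> probability of an intrusion."""
    return query("it_intrusion", evidence)

def predictive(intrusion: bool) -> float:
    """Predictive analysis: assumed intrusion state -> probability of the OT analytic firing."""
    return query("unexpected_cmd", {"it_intrusion": intrusion})

if __name__ == "__main__":
    print("prior P(intrusion) =", round(diagnostic({}), 3))
    print("P(intrusion | new admin account) =", round(diagnostic({"new_admin_acct": True}), 3))
    print("P(intrusion | new admin account, unexpected command) =",
          round(diagnostic({"new_admin_acct": True, "unexpected_cmd": True}), 3))
    print("P(unexpected command | intrusion) =", round(predictive(True), 3))
```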
27. Detection and Response Process
Stages (diagram): Collection (SNMP, Syslog: monitoring values, logs); Evidence; Analysis and Correlation; Detection of anomalies; Alert; Prevention/Recovery
28. Detection @ different layers
Traditional IT detection
• Transport layer
• Information flow
Context specific detection
• Application level detection
Syntactic vs semantic analysis
Indicators
Machine learning & Big Data approach
29. RSE Power Control System Resilience Testing
PCS-ResTest Lab
33. NextGen Cyber Security Analyses
New technologies = more cyber security opportunities
34. Machine learning for anomaly detection
Log/event analysis: selection of algorithm is based on the problem statement
Supervised
• Expert -> Labelling -> Analysis -> Prediction (labelled examples: “bad”, “good”)
Unsupervised
• Clustering algorithms
35. Machine Learning approach
Scope (nested): AI, Machine learning, Deep learning
Deep learning
• Multi layer
• High level features from raw data
• Artificial neural networks
• “non linear” decision boundaries
• Supervised, unsupervised or semi-supervised type of problems
Bayesian belief networks
• Inference and learning in Bayesian networks
• Describe a multivariate distribution representing the relations between evidences and system status
Diagram labels: Anomaly detection, Monitoring, Evidences, Logs
36. AI techniques applied to anomaly detection
• Studies related to cyber anomalies/attack processes to power-digital infrastructures including IoT/Fog/Cloud platforms
• Monitoring & Logging of IT/OT indicators
• Attack emulations to power-digital infrastructures including IoT/Fog/Cloud platforms
• Cyber anomaly detection with Machine and Deep Learning
37. Resilience of Cyber-Power Systems
• Simulation of power control schemes
• Attack emulations
• Cyber anomaly monitoring, detection, visualization, recovery (MDVR) platforms
• Integration of IT/OT MDVR platforms in power control simulations
• Evaluation of cyber resilient scenarios
38. References
1. World Energy Council, “Cyber challenges to the energy transition”, 2019
2. E‐ISAC, “Analysis of the Cyber Attack on the Ukrainian Power Grid”, March 18, 2016
3. NIST Cybersecurity Framework Version 1.1, April 2018, https://www.nist.gov/cyberframework/framework
4. Smart Grid Task Force, Expert Group 2, Cybersecurity, “Recommendations to the European Commission for the Implementation of Sector-Specific Rules for Cybersecurity Aspects of Cross-Border Electricity Flows, on Common Minimum Requirements, Planning, Monitoring, Reporting and Crisis Management”, 2019
5. R. Terruggia, G. Dondossola, M. Ekstedt, “Cyber security analysis of Web-of-Cells energy architectures”, 5th International Symposium for ICS and SCADA Cyber Security Research 2018, Hamburg, August 2018
6. G. Dondossola, R. Terruggia, “A monitoring architecture for smart grid cyber security”, Cigré Science and Engineering, February 2018
7. D. Cerotti, D. Codetta-Raiteri, L. Egidi, R. Terruggia, G. Dondossola, “Analysis and Detection of Cyber Attack Processes targeting Smart Grids”, 2019 IEEE PES Innovative Smart Grid Technologies Europe (ISGT-Europe), September 2019