* yuval.illuz@ecitele.com
CYBER SECURITY TRENDS FOR FUTURE SMART GRID SYSTEMS
Y. Illuz* (ECI Telecom, Israel), G. Wainblat (ECI Telecom, Israel), S. Barda (ECI Telecom, Israel)
SUMMARY - Current power grids are increasingly evolving into smart networked grids and are
more accessible from the public internet, which poses new cyber threats to the grid.
More computer-based systems are being introduced into power networks in order to monitor and
control the network.
Future smart grid and micro grid systems will be based on data flows that communicate
system status, usage and control throughout the network infrastructure, in addition to the power flow.
This creates new security threats to the power grid.
Instead of relying mainly on power plants for power generation, there will be a combination of
multiple generation sources and, at the same time, wider use of computer-based electrical equipment
by consumers. Both increase the amount of data flowing in the network and introduce additional
vulnerable spots.
The vulnerability of the power grid to cyber-attacks increases even more because of the wide use of
SCADA networks. SCADA networks are more accessible from the internet and lack authentication and
authorization mechanisms, and therefore expose the grid to threats such as DDoS, data interception,
data alteration and additional hacking threats.
The transition from the present model to the future one has already begun and is growing rapidly, and it
already poses new security challenges which must be attended to immediately.
It is essential to introduce immediately a single comprehensive security solution which provides
fast detection and prevention tools to cope with a variety of threats of different natures and from
multiple sources. The solution should not be tightly coupled with each device in the network, so that it
does not require an upgrade of the devices inside the grid.
The cyber defense solution should be versatile, using a variety of cyber technologies such as firewalls,
anomaly detection, Big Data analytics, machine learning and more in a network-wide combination.
KEYWORDS - Cyber Security, Smart Grid, DDOS, Big Data
XVI ERIAC
Sixteenth Ibero-American Regional Meeting of CIGRÉ (Decimosexto Encuentro Regional Iberoamericano de CIGRÉ)
Study Committee D2 - Information Systems and Telecommunications for Power Systems
D2-05
Puerto Iguazú, Argentina, May 17 to 21, 2015
Smart Grid and IoT
Smart Grid technologies will give utility operators greatly improved situational awareness
of grid operations. These systems will improve the resiliency and reliability of the grid, as power can
be quickly rerouted around damaged components, and as utilities can more quickly detect and repair
affected portions of the grid.
Smart Grid technologies will also allow for the connection of many appliances, systems and tools that
previously remained unconnected to the grid [1].
The Smart Grid's customers are the Internet of Things (IoT) - the network of physical objects that contain
embedded technology to communicate and sense or interact with their internal states or the external
environment.
The growth in IoT will far exceed that of other connected devices, resulting in a population of about
26 billion units by 2020 [2].
With these innovations there are significant security challenges as these devices represent a new attack
vector for malware or other disruptions. Securing these components will be vital to the health and
success of widespread smart grid adoption and the use of connected smart appliances.
As new renewable energy sources (e.g. wind, solar and hydropower) become widely available in
addition to traditional ones (e.g. nuclear energy and fossil energy such as oil, coal and natural gas) [3],
smart grid management and security will become crucially important.
However, IoT is not only about the billions of new connected objects and inspecting the staggering
amount of data they are producing. While the dramatic increase in the number and types of connected
objects certainly expands the attack surface and dramatically increases the diversity of threats, they are
only part of the IoT security challenge. Another new challenge is the convergence of the
organization’s existing IT network with the Operational Technology (OT) network (e.g.
manufacturing floors, energy grids, transportation systems, and other industrial control systems) [4].
Cyber Threats
In general, many types of threats populate the cyber threat landscape of recent years: Information
Warfare, Cyber Espionage, Cyber Crime, Cracking, Hacktivism and Cyber Terror [5].
Protecting the national electricity grid from cyber-attacks is a critical national security issue. Evidence
collected suggests that cyber-attacks on key energy infrastructure - and on the electricity system in
particular - are increasing, both in frequency and sophistication. These trends are alarming because the
potential consequences of a successful large-scale cyber-attack - or combined cyber and physical
attack - on the electric power sector are difficult to overstate.
As previous grid failures have shown, any event that causes prolonged power outages over a large area
would not only be extremely costly, it would wreak havoc on millions of people’s daily lives and
could profoundly disrupt the delivery of essential services, including communications, food, water,
health care, and emergency response. Moreover, cyber threats, unlike traditional threats to electric grid
reliability such as extreme weather, are less predictable in their timing and more difficult to anticipate
and address. A cyber-attack could come from many sources and - given the size and complexity of the
nation-wide electric grid - could target many potential vulnerabilities. For this reason, experts agree
that the risk of a successful attack is significant, and that the system and its operators must be prepared
to contain and minimize the consequences [6].
A substantial amount of data flows within Smart Grid networks, where it is used to connect
the distributed energy sources and multiple consumers in a smart, balanced and controlled
way. This information flow is sometimes accessible from public networks (e.g. the Internet), hence
exposing the Smart Grid network to potential multi-layered cyber-attacks. Many types of attacks
combine several attack vectors into the target network.
Figure [1] - Percentage of critical infrastructure enterprise executives reporting large-scale DDoS
attacks and their frequency [7]
Cyber Security Protection Approach
The right approach to providing a proper cyber security solution is a holistic, intuitive and
customized one that keeps the network safe against multilayer cyber-attacks, including zero-day
attacks.
Multi-layered approach – in order to provide comprehensive and coherent protection, one must
design and put in place defense mechanisms at layers 1 through 7 of the OSI model [8], adding Layer 8
as the user layer. The following figure depicts the conceptual multi-layered approach for Smart Grid
protection.
Figure [2] – Graphical representation of holistic Cyber Security approach for Smart Grid networks
DDoS Protection - A real-time, behavior-based attack mitigation device that protects the
organization's infrastructure against network and application downtime. An appropriate solution must
provide distributed denial of service (DDoS) mitigation and SSL-based protection to fully protect
applications and networks against known and emerging network security threats such as denial of
service attacks, DDoS attacks, Internet pipe saturation, attacks on login pages, attacks behind CDNs,
and SSL-based flood attacks.
Network Anomaly Detection - Profiles the normal behavior of the network and detects the subtle
behavior deviations that could represent suspicious activity. This technology doesn't require
user-defined inputs (e.g. custom rules). As input, it receives mirrored traffic as well as DPI results from
other IDS engines, and it produces session-based information which indicates the existence of
malicious agents.
Figure [3] – Graphical representation of Network Anomaly Detection
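A minimal sketch of the profiling idea described above, added here as an illustration and not taken from the paper or any ECI product. The session fields (src, dst, port, bytes, dpi_hits), the 5% spread floor and the three verdict names are assumptions; the traffic is constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev


class SessionProfile:
    """Learns which peers talk, on which ports, and how much data a session moves."""

    def __init__(self, z_limit=3.0):
        self.z_limit = z_limit
        self.peers = defaultdict(set)    # src -> {(dst, port)} seen while learning
        self.sizes = defaultdict(list)   # (src, dst, port) -> session byte counts

    def learn(self, sessions):
        """Build the baseline from sessions observed during normal operation."""
        for s in sessions:
            self.peers[s["src"]].add((s["dst"], s["port"]))
            self.sizes[(s["src"], s["dst"], s["port"])].append(s["bytes"])

    def score(self, s):
        """Return the deviations found for one session (empty list = normal)."""
        if s["src"] not in self.peers:
            return ["unknown-source"]
        if (s["dst"], s["port"]) not in self.peers[s["src"]]:
            return ["new-peer-or-port"]
        history = self.sizes[(s["src"], s["dst"], s["port"])]
        mu = mean(history)
        # Floor the spread so a very regular polling flow does not alert on jitter.
        sigma = max(pstdev(history), 0.05 * mu, 1.0)
        if abs(s["bytes"] - mu) / sigma > self.z_limit:
            return ["volume-deviation"]
        return []

    def classify(self, s):
        """Combine the learned profile with DPI results reported by another engine."""
        evidence = len(self.score(s)) + (1 if s.get("dpi_hits") else 0)
        return ("normal", "suspicious", "malicious")[min(evidence, 2)]


# Constructed baseline: a SCADA master polling one RTU over Modbus/TCP (port 502).
BASELINE = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "port": 502, "bytes": b}
    for b in (118, 120, 122, 121, 119)
]

# Constructed sessions observed after the learning phase.
OBSERVED = [
    {"src": "10.0.0.5", "dst": "10.0.1.20", "port": 502, "bytes": 124},
    {"src": "10.0.0.5", "dst": "10.0.1.20", "port": 502, "bytes": 4000},
    {"src": "10.0.0.5", "dst": "10.0.1.20", "port": 23, "bytes": 300,
     "dpi_hits": ["telnet-login"]},
    {"src": "10.0.9.9", "dst": "10.0.1.20", "port": 502, "bytes": 120},
]


def run_demo():
    """Learn the baseline, then return one verdict per observed session."""
    profile = SessionProfile()
    profile.learn(BASELINE)
    return [profile.classify(s) for s in OBSERVED]


if __name__ == "__main__":
    for session, verdict in zip(OBSERVED, run_demo()):
        print(session["src"], "->", session["dst"], session["port"], verdict)
```

No rule in the sketch names a port, an address or a size: every threshold comes from the learned baseline, which is what distinguishes this approach from a signature or firewall rule set.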
Big Data - Centralized mechanism for aggregation, normalization, correlation and
prioritization of alarms collected from distributed Cyber cards and managed devices.
The Cyber Management System logging module should maintain all historical occurrences of
alarms/events and be able to export them sorted for UI purposes.
A mechanism that collects alarms from all managed devices is useless unless the collected
information is synchronized into a single view describing the security breach.
Data Analytics - Sophisticated logical analysis of cross-data patterns to identify breaches and threats
based on multiproduct and multilayer information logic:
• Logs/database collection from any Network Element into a data-lake
• Set of heuristics/algorithms to identify security attacks
• Tools for cross reference identification based on variety of data
Figure [4] – Graphical representation of Big Data Analytics
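The Big Data and Data Analytics passages above describe alarm normalization, correlation and prioritization into a single view; the sketch below is an added illustration of that pipeline, not code from the paper. The three raw alarm formats, the 1 to 5 severity scale, the 60-second window and the priority formula are all assumptions, and the alarms are constructed.

```python
from dataclasses import dataclass


@dataclass
class Alarm:
    ts: int        # seconds since epoch
    engine: str    # which detection engine raised it
    asset: str     # affected device
    severity: int  # normalized to 1 (low) .. 5 (critical)


SEVERITY_WORDS = {"low": 1, "minor": 2, "major": 4, "critical": 5}


def normalize(raw):
    """Map one engine-specific record (hypothetical formats) to a common Alarm."""
    engine = raw["engine"]
    if engine == "ddos":       # reports a 0..100 risk figure
        return Alarm(raw["epoch"], engine, raw["victim"], 1 + min(4, raw["risk"] // 25))
    if engine == "dpi":        # reports a severity word
        return Alarm(raw["time"], engine, raw["dst"], SEVERITY_WORDS[raw["sev"]])
    if engine == "anomaly":    # reports a 0.0..1.0 deviation score
        return Alarm(raw["t"], engine, raw["host"], 1 + int(raw["score"] * 4))
    raise ValueError("unknown engine: %r" % engine)


def correlate(alarms, window=60):
    """Group alarms on the same asset into one incident while gaps stay <= window."""
    incidents, open_by_asset = [], {}
    for alarm in sorted(alarms, key=lambda a: a.ts):
        incident = open_by_asset.get(alarm.asset)
        if incident is None or alarm.ts - incident["last"] > window:
            incident = {"asset": alarm.asset, "first": alarm.ts, "alarms": []}
            incidents.append(incident)
            open_by_asset[alarm.asset] = incident
        incident["alarms"].append(alarm)
        incident["last"] = alarm.ts
    return incidents


def prioritize(incidents):
    """Rank incidents: worst severity, plus 2 for every additional engine agreeing."""
    for incident in incidents:
        engines = sorted({a.engine for a in incident["alarms"]})
        incident["engines"] = engines
        incident["priority"] = (max(a.severity for a in incident["alarms"])
                                + 2 * (len(engines) - 1))
    return sorted(incidents, key=lambda i: -i["priority"])


def build_incidents(raw_alarms, window=60):
    """Full pipeline: normalize, correlate, prioritize."""
    return prioritize(correlate([normalize(r) for r in raw_alarms], window))


# Constructed raw alarms from three engines, each with its own field names.
RAW_ALARMS = [
    {"engine": "ddos", "epoch": 1000, "victim": "rtu-7", "risk": 40},
    {"engine": "dpi", "time": 1020, "dst": "rtu-7", "sev": "major"},
    {"engine": "dpi", "time": 1030, "dst": "hmi-2", "sev": "critical"},
    {"engine": "anomaly", "t": 1045, "host": "rtu-7", "score": 0.5},
    {"engine": "dpi", "time": 5000, "dst": "rtu-7", "sev": "low"},
]

if __name__ == "__main__":
    for inc in build_incidents(RAW_ALARMS):
        print(inc["priority"], inc["asset"], inc["engines"], len(inc["alarms"]))
```

On the sample data, three medium alarms from different engines against the same RTU are merged into one incident that outranks a single critical alarm elsewhere, which is the kind of cross-engine view the text says isolated alarm collection cannot give.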
Machine Learning - Use such techniques on known breaches to provide future-proof security
protection (e.g. against zero-day attacks) and anomalous behavior identification.
Protection from zero-day attacks:
• Develop measuring, preprocessing and learning models which are based on currently known
patterns of behavior and produce predictions of future breach patterns.
• After an optimization process, one can load those patterns onto IDS/IPS Cyber engines to provide
future-proof protection.
Anomaly behavior identification - Present methods for identifying anomalous behavior in cyber data,
alerting when suspicious and possibly malicious activity occurs.
SCADA Protection – in order to keep the utility's OT network out of harm's way, a holistic
approach is needed, comprising several technologies: SW/HW unidirectional protection, FW for
SCADA protocols and SCADA DPI (Deep Packet Inspection).
1. SW Unidirectional protection - A dual-node approach for securing the network from the
   outside. The recommended solution uses a two-tier deployment architecture, comprising an
   External Node and an Internal Node.
   The role of the external node is to act as a front end to all published services. This node
   ensures that only legitimate session data can pass through into the internal network. It operates
   without opening any ports in the external firewall. The role of the internal node is to pull
   the session data into the internal network from the external node, scan it using various
   application-level security techniques, and then pass it on to the destination application server.
2. SCADA DPI - Fast and optimized pattern-match mechanism: stateful, per-packet deep
   inspection; quick identification of common signatures within the packet; matching to
   signatures based on a set of rules; ability to load any rule/signature at run time without
   affecting traffic; dynamically updated signatures; focus on MODBUS, DNP3, BACnet and additional
   SCADA protocols.
   The analysis process is composed of two levels:
   1. Quickly filters out the vast majority of traffic, which is clearly harmless (looking for
      simple signatures at a low CPU cost). Traffic which is marked as suspicious (a common attack
      signature was found) is forwarded to additional analysis.
   2. Looks deeper into the packet and keeps tracking the connection to increase the level of
      certainty and reduce false positives.
3. SCADA Unidirectional Firewall - A central Cyber NFV [9] card located at the control center
   provides the first line of defense for SCADA protocol handling, such as protocol validations, user
   and network authentication, and a secure encrypted channel to other cyber cards located at the edge
   of the OT network (substations).
   Edge Cyber cards located at the substations ensure that only legitimate SCADA traffic designated
   for the substation will pass through: they are connected through the secure channel to the main
   cyber card and retrieve only the related sessions which were found legitimate to be processed.
   They perform a set of additional, rigorous investigation rules (which complement the first set of
   rules) to validate the sessions completely.
   Both engines should include Layer 3, 4 and Layer 7 filtering in addition to granular,
   stateful content inspection of industrial applications and role-based traffic validation of SCADA
   flows.
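The two-level SCADA DPI analysis in item 2 can be sketched for Modbus/TCP requests as follows; this is an added example, not code from the paper or from any product it describes. The writable-register policy, the write-burst limit and the verdict strings are assumptions, and the packets are constructed.

```python
import struct
from collections import defaultdict

READ_ONLY = {1, 2, 3, 4}     # read coils / discrete inputs / holding / input registers
WRITE_SINGLE = {5, 6}        # write single coil / single register
WRITE_MULTI = {15, 16}       # write multiple coils / multiple registers

# Assumed site policy (hypothetical): unit id -> address ranges operators may write.
WRITABLE = {1: [(100, 109)]}


def build_adu(tid, unit, fc, data=b""):
    """Build a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def level1(adu):
    """Level 1: cheap per-packet check of header sanity and function code."""
    if not 8 <= len(adu) <= 260:
        return "drop"
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        return "drop"                    # not well-formed Modbus/TCP
    return "pass" if adu[7] in READ_ONLY else "suspicious"


class Level2:
    """Level 2: decode the request body and keep per-connection state."""

    def __init__(self, policy, max_writes=3):
        self.policy = policy
        self.max_writes = max_writes
        self.writes = defaultdict(int)   # connection id -> accepted writes so far

    def inspect(self, conn, adu):
        unit, fc, body = adu[6], adu[7], adu[8:]
        if fc in WRITE_SINGLE and len(body) == 4:
            first = last = struct.unpack(">H", body[:2])[0]
        elif fc in WRITE_MULTI and len(body) >= 5:
            addr, qty, nbytes = struct.unpack(">HHB", body[:5])
            if qty == 0 or nbytes != len(body) - 5:
                return "alert:malformed-write"
            first, last = addr, addr + qty - 1
        else:
            return "alert:unexpected-function"
        allowed = self.policy.get(unit, [])
        if not any(lo <= first and last <= hi for lo, hi in allowed):
            return "alert:write-outside-policy"
        self.writes[conn] += 1
        if self.writes[conn] > self.max_writes:
            return "alert:write-burst"
        return "allow"


def inspect_stream(packets, policy=WRITABLE, max_writes=3):
    """Run (connection id, ADU) pairs through both levels; one verdict per packet."""
    deep = Level2(policy, max_writes)
    verdicts = []
    for conn, adu in packets:
        fast = level1(adu)
        verdicts.append(deep.inspect(conn, adu) if fast == "suspicious" else fast)
    return verdicts


# Constructed sample traffic (requests only).
SAMPLE = [
    ("c1", build_adu(1, 1, 3, struct.pack(">HH", 0, 10))),        # read 10 registers
    ("c1", build_adu(2, 1, 6, struct.pack(">HH", 105, 1))),       # write inside policy
    ("c1", build_adu(3, 1, 6, struct.pack(">HH", 4000, 1))),      # write outside policy
    ("c1", build_adu(4, 1, 16, struct.pack(">HHB", 108, 4, 8) + bytes(8))),  # 108..111
    ("c2", build_adu(5, 1, 8, struct.pack(">HH", 1, 0))),         # diagnostics request
    ("c2", build_adu(6, 1, 3, struct.pack(">HH", 0, 10)) + b"\xff"),  # length mismatch
]

if __name__ == "__main__":
    for (conn, _adu), verdict in zip(SAMPLE, inspect_stream(SAMPLE)):
        print(conn, verdict)
```

Read requests never reach the second level, so the costly decoding and state tracking run only on the small share of traffic that can change process state.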
BIBLIOGRAPHY
[1] Securing the U.S. Electrical Grid (Center for the Study of The Presidency & Congress, July
2014)
[2] "Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020"
(Gartner, December 2013)
[3] Energy.gov
[4] To Succeed with Big Data, Enterprises Must Drop an IT-Centric Mindset; Securing IoT
Networks Requires New Thinking (Cisco Blog, October 2014)
[5] Cyber Security Threats, Dr Paul Twomey (The Lowy Institute for International Policy,
September 2010)
[6] Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an
Evolving Threat (Bipartisan Policy Center’s Electric Grid Cybersecurity Initiative, February
2014)
[7] Smart Grid - Safe, Secure, Self-Healing (IEEE Power & Energy, January 2012)
[8] ISO/IEC standard 7498-1:1994
[9] Network Functions Virtualization - Introductory White Paper (ETSI, October 2012)

Critical infrastructures brochure
 
Light sec for utilities and critical infrastructure white paper
Light sec for utilities and critical infrastructure white paperLight sec for utilities and critical infrastructure white paper
Light sec for utilities and critical infrastructure white paper
 
Light sec for service providers brochure
Light sec for service providers brochureLight sec for service providers brochure
Light sec for service providers brochure
 
Browsing the web from a train
Browsing the web from a trainBrowsing the web from a train
Browsing the web from a train
 
Cybridge Secure Content Filter for SCADA Networks
Cybridge Secure Content Filter for SCADA NetworksCybridge Secure Content Filter for SCADA Networks
Cybridge Secure Content Filter for SCADA Networks
 
Видео и голосовая система для заключенных
Видео и голосовая система для заключенныхВидео и голосовая система для заключенных
Видео и голосовая система для заключенных
 
Healthcare Assets Management Solution
Healthcare Assets Management SolutionHealthcare Assets Management Solution
Healthcare Assets Management Solution
 
Connected Urban Transportation Solutions
Connected Urban Transportation SolutionsConnected Urban Transportation Solutions
Connected Urban Transportation Solutions
 

Recently uploaded

Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 

Recently uploaded (20)

Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 

CYBER SECURITY TRANDS FOR FUTURE SMART GRID SYSTEMS

  • 1. * yuval.illuz@ecitele.com

CYBER SECURITY TRANDS FOR FUTURE SMART GRID SYSTEMS

Y. Illuz* G. Wainblat S. Barda
ECI Telecom ECI Telecom ECI Telecom
Israel Israel Israel

SUMMARY - Current power grids are increasingly emerging into smart networked grids and are more accessible from the public internet, which poses new cyber threats to the grid. More computer-based systems are being introduced into power networks in order to monitor and control the network.

Future model smart grid and micro grid systems will be based on data flows for communication of system status, usage and control throughout the network infrastructure, in addition to the power flow. This creates new security threats to the power grid.

Instead of relying mainly on power plants for power generation, there will be a combination of multiple generation sources and, at the same time, wider use of computer-based electrical equipment by consumers. Both increase the amount of data flows in the network and introduce additional vulnerable spots.

Vulnerability of the power grid to cyber-attacks increases even more because of the wide use of SCADA networks. SCADA networks are more accessible to the internet and lack authentication and authorization mechanisms, and therefore expose the grid to threats such as DDOS, data interception, data alteration and additional hacking threats.

The transition from the present to the future model has already begun and is growing rapidly, and it already poses new security challenges which must be attended to immediately.

It is essential to introduce immediately a single comprehensive security solution which will provide fast detection and prevention tools to cope with a variety of threats of different natures and from multiple sources. The solution should not be tightly coupled with each device in the network, so that it won't require an upgrade of the devices inside the grid.

The cyber defense solution should be versatile, using a variety of cyber technologies such as firewalls, anomaly detection, Big Data analytics, machine learning and more in a network-wise combination.

KEYWORDS - Cyber Security, Smart Grid, DDOS, Big Data

XVI ERIAC - Sixteenth Ibero-American Regional Meeting of CIGRÉ
Study Committee D2 - Information Systems and Telecommunications for Power Systems
D2-05
Puerto Iguazú, Argentina, 17 to 21 May 2015
  • 2. Smart Grid and IoT

Smart Grid technologies will allow utility operators to have greatly improved situational awareness about grid operations. These systems will improve the resiliency and reliability of the grid, as power can be quickly rerouted around damaged components, and as utilities can more quickly detect and repair affected portions of the grid. Smart Grid technologies will also allow for the connection of many appliances, systems and tools that previously remained unconnected to the grid [1].

Smart Grid customers are the Internet of Things - the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment. The growth in IoT will far exceed that of other connected devices, resulting in a population of about 26 billion units by 2020 [2].

With these innovations come significant security challenges, as these devices represent a new attack vector for malware or other disruptions. Securing these components will be vital to the health and success of widespread smart grid adoption and the use of connected smart appliances. As new renewable energy sources (e.g. wind, solar and hydropower) become widely available in addition to traditional ones (e.g. nuclear energy and fossil energy such as oil, coal and natural gas) [3], smart grid management and security will become crucially important.

However, IoT is not only about the billions of new connected objects and inspecting the staggering amount of data they are producing. While the dramatic increase in the number and types of connected objects certainly expands the attack surface and dramatically increases the diversity of threats, they are only part of the IoT security challenge. Another new challenge is the convergence of the organization's existing IT network with the Operational Technology (OT) network (e.g. manufacturing floors, energy grids, transportation systems, and other industrial control systems) [4].

Cyber Threats

In general, many types of threats populate the cyber threat landscape of recent years: Information Warfare, Cyber Espionage, Cyber Crime, Cracking, Hacktivism and Cyber Terror [5].

Protecting the national electricity grid from cyber-attacks is a critical national security issue. Evidence collected suggests that cyber-attacks on key energy infrastructure - and on the electricity system in particular - are increasing, both in frequency and sophistication. These trends are alarming because the potential consequences of a successful large-scale cyber-attack - or combined cyber and physical attack - on the electric power sector are difficult to overstate. As previous grid failures have shown, any event that causes prolonged power outages over a large area would not only be extremely costly, it would wreak havoc on millions of people's daily lives and could profoundly disrupt the delivery of essential services, including communications, food, water, health care, and emergency response.

Moreover, cyber threats, unlike traditional threats to electric grid reliability such as extreme weather, are less predictable in their timing and more difficult to anticipate and address. A cyber-attack could come from many sources and - given the size and complexity of the nation-wide electric grid - could target many potential vulnerabilities. For this reason, experts agree that the risk of a successful attack is significant, and that the system and its operators must be prepared to contain and minimize the consequences [6].

A substantial amount of data flows within Smart Grid networks, used to connect the distributed energy sources and multiple consumers in a smart, balanced and controlled way. This information flow is sometimes accessible from public networks (e.g. the Internet), which exposes the Smart Grid network to potential multi-layered cyber-attacks. Many types of attacks combine several attack vectors into the target network.
  • 3. Figure [1] - Percentage of critical infrastructure enterprise executives reporting large-scale DDoS attacks and their frequency [7]

Cyber Security Protection Approach

The right way to provide a proper cyber security solution is to define a holistic, intuitive and customized approach that keeps the network safe against multilayer cyber-attacks, including zero-day attacks.

Multi-layered approach - in order to provide comprehensive and coherent protection, one must design and set in place defense mechanisms from Layer 1 through Layer 7 of the OSI model [8], adding Layer 8 as the user layer. The following figure depicts the conceptual multi-layered approach for Smart Grid protection.

Figure [2] - Graphical representation of holistic Cyber Security approach for Smart Grid networks

DDOS Protection - A real-time, behavioral-based attack mitigation device that protects the organization's infrastructure against network and application downtime. An appropriate solution must provide distributed denial of service (DDoS) mitigation and SSL-based protection to fully protect applications and networks against known and emerging network security threats such as denial of service attacks, DDoS attacks, Internet pipe saturation, attacks on login pages, attacks behind CDNs, and SSL-based flood attacks.
  • 4. Network Anomaly Detection - Profiles the normal behavior of the network and detects the subtle behavior deviations that could represent suspicious activity. This technology doesn't require user-defined inputs (e.g. custom rules). As input, it receives mirrored traffic as well as DPI results from other IDS engines, and it produces session-based information which indicates the existence of malicious agents.

Figure [3] - Graphical representation of Network Anomaly Detection

Big Data - Centralized mechanism for aggregation, normalization, correlation and prioritization of alarms collected from distributed Cyber cards and managed devices. The Cyber Management System logging module should maintain all historical occurrences of alarms/events and provide the ability to export them sorted for UI purposes. An alarm collection mechanism covering all managed devices is useless unless the collected information is synchronized into a singular view describing the security breach.

Data Analytics - Sophisticated logical analysis of cross-data patterns to identify breaches and threats based on multiproduct and multilayer information logic:
      • Logs/database collection from any Network Element into a data lake
      • Set of heuristics/algorithms to identify security attacks
      • Tools for cross-reference identification based on a variety of data

Figure [4] - Graphical representation of Big Data Analytics

Machine Learning - Use such techniques on known breaches to provide future-proof security protection (e.g. against zero-day attacks) and anomaly behavior identification.

Protection from Zero Day attacks:
      • Develop measuring, preprocessing and learning models which are based on current known patterns of behavior and produce predictions of future breach patterns.
      • After an optimization process, one can load those patterns on IDS/IPS Cyber engines to provide future-proof protection.
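The alarm aggregation, normalization, correlation and prioritization described under Big Data above can be sketched as follows. This is an added example, not code from the paper or from any product it describes; the three alarm formats, the severity mappings, the 5-minute window and the scoring rule are all assumptions, and the alarms are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

LEVELS = {"low": 2, "medium": 5, "high": 8, "critical": 10}

# Constructed sample alarms in three hypothetical device formats.
RAW_ALARMS = [
    {"source": "ddos", "time": "2015-05-17T10:00:05+00:00", "target": "substation-7",
     "level": "medium", "text": "SYN rate above baseline"},
    {"source": "anomaly", "epoch": 1431856860, "host": "substation-7",
     "score": 0.6, "text": "session profile deviation"},
    {"source": "scada_dpi", "ts": "2015-05-17T10:03:30+00:00", "substation": "substation-7",
     "priority": 2, "text": "Modbus write from unexpected source"},
    {"source": "anomaly", "epoch": 1431860400, "host": "substation-7",
     "score": 0.3, "text": "minor deviation"},
    {"source": "ddos", "time": "2015-05-17T10:02:00+00:00", "target": "control-center",
     "level": "high", "text": "pipe saturation"},
]


def normalize(raw):
    """Map one device-specific alarm to a common schema with severity on a 0-10 scale."""
    kind = raw["source"]
    if kind == "ddos":            # ISO timestamp, textual level
        ts = datetime.fromisoformat(raw["time"])
        asset, severity = raw["target"], LEVELS[raw["level"]]
    elif kind == "anomaly":       # epoch seconds, deviation score 0.0-1.0
        ts = datetime.fromtimestamp(raw["epoch"], tz=timezone.utc)
        asset, severity = raw["host"], round(raw["score"] * 10)
    elif kind == "scada_dpi":     # ISO timestamp, priority 1 (highest) to 4
        ts = datetime.fromisoformat(raw["ts"])
        asset, severity = raw["substation"], {1: 10, 2: 8, 3: 5, 4: 2}[raw["priority"]]
    else:
        raise ValueError(f"unknown alarm source {kind!r}")
    return {"ts": ts, "asset": asset, "source": kind, "severity": severity, "text": raw["text"]}


def correlate(alarms, window=timedelta(minutes=5)):
    """Group alarms on the same asset while the gap between them stays within the window."""
    incidents, open_incident = [], {}
    for alarm in sorted(alarms, key=lambda a: a["ts"]):
        current = open_incident.get(alarm["asset"])
        if current is None or alarm["ts"] - current["last"] > window:
            current = {"asset": alarm["asset"], "first": alarm["ts"], "alarms": []}
            incidents.append(current)
            open_incident[alarm["asset"]] = current
        current["alarms"].append(alarm)
        current["last"] = alarm["ts"]
    return incidents


def prioritize(incidents):
    """Score = worst severity plus 2 for each additional independent source that agrees."""
    for incident in incidents:
        sources = sorted({a["source"] for a in incident["alarms"]})
        worst = max(a["severity"] for a in incident["alarms"])
        incident["sources"] = sources
        incident["score"] = worst + 2 * (len(sources) - 1)
    return sorted(incidents, key=lambda i: (-i["score"], i["first"]))


def single_view(raw_alarms):
    """Return (asset, score, sources, alarm count) per incident, highest priority first."""
    ranked = prioritize(correlate([normalize(r) for r in raw_alarms]))
    return [(i["asset"], i["score"], i["sources"], len(i["alarms"])) for i in ranked]
```

Three medium-to-high alarms from different engines on the same substation within a few minutes outrank a single high alarm elsewhere, which is the point of merging them into one view.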
  • 5. Anomaly behavior identification - Present methods for anomaly behavior identification of cyber data, alerting when suspicious and possibly malicious activity occurs.

SCADA Protection - in order to keep the utilities' OT network out of harm's way, there is a need to use a holistic approach, comprised of several technologies: SW/HW unidirectional protection, FW for SCADA protocols and SCADA DPI (Deep Packet Inspection).

1. SW Unidirectional protection - A dual-node approach for securing the network from the outside. The recommended solution uses a two-tier deployment architecture, comprising an External Node and an Internal Node. The role of the external node is to act as a front-end to all services published. This node ensures that only legitimate session data can pass through into the internal network. It operates without opening any ports within the external firewall. The role of the internal node is to pull the session data into the internal network from the external node, scan it using various application-level security techniques, and then pass it on to the destination application server.

2. SCADA DPI - Fast and optimized pattern match mechanism: stateful-aware, per-packet deep inspection that quickly identifies the existence of common signatures within the packet, matches signatures based on a set of rules, can load any rule/signature at run time without affecting traffic, uses dynamically updated signatures, and focuses on MODBUS, DNP3, BACnet and additional SCADA protocols. The analysis process is composed of two levels:
      1. Quickly filters out the vast majority of traffic, which is clearly harmless (looking for simple signatures at a low CPU cost). Traffic which is marked as suspicious (common attack signature found) is forwarded to additional analysis.
      2. Seeks deeper in the packet and keeps tracking the connection to increase the level of certainty and reduce false positives.

3. SCADA Unidirectional Firewall - A central Cyber NFV [9] card located at the control center provides the first line of defense for SCADA protocol handling, such as protocol validation, user and network authentication, and a secure encrypted channel to other cyber cards located at the edge of the OT network (substations). Edge Cyber cards located at the substations ensure that only legitimate SCADA traffic designated for the substation will pass through: they are connected through the secure channel to the main cyber card and retrieve only the related sessions that are found to be legitimate for processing. They perform a set of additional, rigorous investigation rules (which complete the first set of rules) to validate the sessions completely.

Both engines should include Layer 3, 4 and Layer 7 filtering in addition to granular content stateful inspections of industrial applications and traffic role-based validation of SCADA flows.

BIBLIOGRAPHY

[1] Securing the U.S. Electrical Grid (Center for the Study of The Presidency & Congress, July 2014)
[2] "Gartner Says the Internet of Things Installed Base Will Grow to 26 Billion Units By 2020" (Gartner, December 2013)
[3] Energy.gov
[4] To Succeed with Big Data, Enterprises Must Drop an IT-Centric Mindset; Securing IoT Networks Requires New Thinking (Cisco Blog, October 2014)
[5] Cyber Security Threats, Dr Paul Twomey (The Lowy Institute for International Policy, September 2010)
[6] Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat (Bipartisan Policy Center's Electric Grid Cybersecurity Initiative, February 2014)
[7] Smart Grid - Safe, Secure, Self-Healing (IEEE Power & Energy, January 2012)
[8] ISO/IEC standard 7498-1:1994
[9] Network Functions Virtualization - Introductory White Paper (ETSI, October 2012)
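The two-level analysis described under SCADA DPI above, sketched for Modbus/TCP requests as an added example (not code from the paper or from any product it describes). The MBAP header layout is standard Modbus/TCP; the write policy table, the strike threshold, the verdict names and the addresses in the sample traffic are assumptions made for illustration.

```python
import struct
from collections import defaultdict

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id
READ_ONLY = {1, 2, 3, 4}        # read coils, discrete inputs, holding and input registers
WRITES = {5, 6, 15, 16}         # single and multiple coil/register writes


def build_frame(tid, unit, function, data=b""):
    """Build a Modbus/TCP request; used here only to construct sample input."""
    return MBAP.pack(tid, 0, len(data) + 2, unit) + bytes([function]) + data


def well_formed(frame):
    """MBAP sanity: protocol id 0 and a length field matching the bytes received."""
    if len(frame) < MBAP.size + 1:
        return False
    _tid, proto, length, _unit = MBAP.unpack_from(frame)
    return proto == 0 and length == len(frame) - 6 and length <= 254


def level1(frame):
    """Level 1: cheap per-packet filter. Well-formed reads pass, the rest is suspicious."""
    if well_formed(frame) and frame[7] in READ_ONLY:
        return "pass"
    return "suspicious"


class Level2:
    """Level 2: parse the request body and keep per-connection state."""

    def __init__(self, write_policy, block_after=3):
        self.write_policy = write_policy   # assumed: {(source ip, unit id): (first, last)}
        self.block_after = block_after     # assumed escalation threshold
        self.strikes = defaultdict(int)    # out-of-policy requests seen per connection

    def _strike(self, conn, reason):
        self.strikes[conn] += 1
        verdict = "block" if self.strikes[conn] >= self.block_after else "alert"
        return verdict, reason

    def inspect(self, conn, frame):
        if not well_formed(frame):
            return "block", "malformed MBAP header"
        unit, function = frame[6], frame[7]
        if function not in WRITES:
            return self._strike(conn, f"unexpected function code {function}")
        if len(frame) < 12:
            return "block", "truncated write request"
        address, second = struct.unpack_from(">HH", frame, 8)
        count = second if function in (15, 16) else 1   # quantity exists only in multi-writes
        allowed = self.write_policy.get((conn[0], unit))
        if allowed is None:
            return "block", "write from unauthorised source"
        if count >= 1 and allowed[0] <= address and address + count - 1 <= allowed[1]:
            return "allow", "write within policy"
        return self._strike(conn, f"write outside permitted range at {address}")


def classify(engine, conn, frame):
    """Run level 1 first and hand only suspicious frames to level 2."""
    if level1(frame) == "pass":
        return "allow", "level 1: read-only request"
    return engine.inspect(conn, frame)


# Constructed sample traffic: (source ip, source port) identifies the connection.
HMI = ("10.0.0.5", 49152)
ROGUE = ("10.0.0.77", 50001)
POLICY = {("10.0.0.5", 1): (100, 109)}   # the HMI may write registers 100-109 on unit 1


def demo():
    engine = Level2(POLICY)
    samples = [
        (HMI, build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),      # read: level 1 pass
        (HMI, build_frame(2, 1, 6, struct.pack(">HH", 100, 1))),     # write inside policy
        (ROGUE, build_frame(3, 1, 6, struct.pack(">HH", 100, 1))),   # unauthorised source
        (HMI, build_frame(4, 1, 16, struct.pack(">HHB", 108, 4, 8) + bytes(8))),  # 108-111
        (HMI, build_frame(5, 1, 3)[:-1]),                            # truncated frame
    ]
    return [classify(engine, conn, frame)[0] for conn, frame in samples]
```

The in-policy write from the HMI is flagged at level 1 but cleared at level 2, which is how the second level reduces false positives; a connection that keeps sending out-of-range writes escalates from alert to block.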