Advanced Networking Technology for Energy Delivery Systems

Activity Leads: 
Industry Collaborators: 
  • Schweitzer Engineering Laboratories
  • Ameren Technical Application Center
  • Currently seeking additional collaborators to evaluate the proposed access mechanism in a real utility network environment. Contact David Nicol to discuss how you can engage or collaborate with our research team.
Summary Statement: 

NOTE: this is no longer an active CREDC research activity. 

This research activity develops and demonstrates new technology (Raincoat) and associated tools to support an adaptive monitoring environment based on SDN, enhancing grid resiliency against a variety of attack models. We will develop an SDN-based approach and algorithms that continuously mislead an attacker into designing ineffective attack strategies, thereby exposing the attacker's presence in the system and preventing system damage. We plan to integrate this approach with an adaptive intrusion detection system such as Bro. To validate our approach, we will use a cyber-physical testbed (developed prior to this activity) that integrates the simulation of an SDN-based communication network with the power grid, and enables validation of the methods, algorithms and tools we will develop for system monitoring and response to accidental failures and malicious attacks.

Energy Delivery System (EDS) Gap Analysis: 

Advanced networking technology (such as SDN) can introduce new attack vectors that affect EDS control. Example attack scenarios we are targeting include: (i) a SCADA system issuing invalid commands and (ii) malicious code injected into substation equipment via physical access. Both scenarios are among the typical cybersecurity threats to smart grids documented by NESCOR.

Moving target defense mechanisms proposed in the past mainly targeted general computing environments, e.g., assigning random IP addresses and port numbers to end hosts to disrupt attackers' knowledge of the network. In the context of ICS, researchers proposed randomizing: (i) the measurements used in state estimation to detect false data injection attacks or (ii) communication paths to detect intrusions in advanced metering infrastructures. These approaches target detection of malicious operations. We aim at disrupting the preparation of an attack strategy by a malicious actor.

Similarly, the idea of Honeypots was adopted for ICSs to collect an attacker's activities when accessing PLCs (Programmable Logic Controllers). Such Honeypots only mimic the cyber infrastructure of an ICS (e.g., the network protocols); they do not mimic the physical infrastructure. Randomly generated measurements sent by the Honeypot can reveal the presence of a bogus environment to attackers. Our approach investigates means of generating decoy measurements that follow the physical model of a power system and can be used to mislead an attacker into designing an ineffective attack strategy. Recently, vendors (e.g., Schweitzer Engineering Laboratories) introduced new-generation SDN-enabled switches dedicated to supporting critical infrastructures such as power grids. This creates an opportunity to build an experimental platform for evaluating our approach.
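To illustrate the difference between random and physically consistent decoy measurements, the following added example (not code from the CREDC activity or the Raincoat tool) derives decoy line flows from bus injections with a DC power-flow model on a constructed 3-bus network, and applies the bus power-balance check a defender would run before deploying a decoy; the network, susceptances and injection values are all assumed.

```python
import random

# Constructed 3-bus network (assumption, not from the page): (from_bus, to_bus, susceptance).
# Bus 0 is the slack/reference bus with angle 0.
LINES = [(0, 1, 10.0), (1, 2, 5.0), (0, 2, 8.0)]
NBUS = 3

def b_matrix(lines, nbus):
    """Build the DC power-flow susceptance matrix B (nbus x nbus)."""
    B = [[0.0] * nbus for _ in range(nbus)]
    for i, j, b in lines:
        B[i][i] += b; B[j][j] += b
        B[i][j] -= b; B[j][i] -= b
    return B

def solve_angles(B, injections):
    """Solve B_red * theta = P for the non-slack buses by Gauss-Jordan elimination."""
    n = len(B) - 1
    A = [[B[i][j] for j in range(1, n + 1)] + [injections[i]] for i in range(1, n + 1)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c])); A[c], A[p] = A[p], A[c]
        for r in range(n):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [0.0] + [A[i][n] / A[i][i] for i in range(n)]

def decoy_measurements(injections, lines=LINES):
    """Physically consistent decoy: line flows derived from injections via the DC model."""
    theta = solve_angles(b_matrix(lines, NBUS), injections)
    flows = [b * (theta[i] - theta[j]) for i, j, b in lines]
    return {"injections": list(injections), "flows": flows}

def random_measurements(lines=LINES, seed=1):
    """Naive honeypot decoy: independent random values with no physical relation."""
    rng = random.Random(seed)
    return {"injections": [rng.uniform(-1, 1) for _ in range(NBUS)],
            "flows": [rng.uniform(-1, 1) for _ in lines]}

def max_balance_residual(m, lines=LINES):
    """Largest |P_i - net flow leaving bus i|; near zero only if the data obey the model."""
    net = [0.0] * NBUS
    for (i, j, _), f in zip(lines, m["flows"]):
        net[i] += f; net[j] -= f
    return max(abs(p - q) for p, q in zip(m["injections"], net))

if __name__ == "__main__":
    print("model-based residual:", max_balance_residual(decoy_measurements([0.5, -0.3, -0.2])))
    print("random residual:     ", max_balance_residual(random_measurements()))
```

The injections passed to `decoy_measurements` must sum to zero (the slack bus absorbs the balance), which is the condition under which the residual check passes for every bus.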

Reference the research activity fact sheet (PDF) for an extended gap analysis and bibliography.

How does this research activity address the Roadmap to Achieve Energy Delivery Systems Cybersecurity?
This activity supports the Roadmap strategies to “Develop and Implement New Protective Measures to Reduce Risk” as well as “Sustain Security Improvements.” Specifically, we develop new SDN-based security solutions that aim at exposing and misleading attackers while they are preparing attack strategies. Our approach hinders attackers' ability to compromise the system and gives a defender time to respond and prevent system damage.

Status of Activity: 
Inactive