Real-time Cyber Analysis to Improve Operational Response to a Cyber Attack

Activity Leads: 
Industry Collaborators: 
  • Austin Energy
  • We are actively seeking additional collaborators from companies involved in EDS.
Summary Statement: 

Solution Approach: The research team has already investigated several cybersecurity simulations available for improving operational performance. These tools offer environments that simulate a variety of cyber incidents and give operators practice in responding. We believe a more complete solution is needed to provide for real-time incident management, as well as training for cyber-incidents.

Our research team has worked together with industry partners to better understand cybersecurity needs for operators. Part of this research is to examine the current operations to better understand the EDS operator environment and to more closely represent that environment in the simulation.

The database of response strategies and the simulator of response plans will benefit from theories of cybersecurity, decision-making, and risk management, as well as experience and knowledge acquired from EDS experts.

Overview of the simulation tool and the database of response strategies: The simulator tool will first assist the operators in diagnosing a cyber incident (a breach, a threat, or another cyber incident). The simulator will then generate the consequences of the incident, based upon different levels of uncertainty and the initial actions the operators took in the first step of the simulation. The database of response strategies will offer specific plans for operators to respond to the incident. This lets operators consider alternative choices and different levels of uncertainty in their inputs to the simulation, and monitor the potential consequences of their responses. Below we discuss the details of the simulation and the database of response strategies.

As shown in Figure 1, we will develop a database of response strategies based on three main parts: 1) empirical cases (e.g., the Ukrainian power grid incident); 2) simulation cases (e.g., hypothetical cases based on NESCOR failure scenarios or NIST 800-61 R2); and 3) real-time simulation. For the first two parts, the scenarios and response actions will be generated from existing standards, guidance, best practices and empirical cyber incidents. The response actions will then be paired with the scenarios and run through the simulator to understand the consequences of these actions as well as the operators' behavior patterns. In this way, we can populate the scenario-action database within our database of response strategies. At the time of an incident, an operator can consult the database and learn about the consequences of candidate actions. Operators can also benefit from the real-time simulator, where the simulation engine generates outputs (i.e., consequences of actions) based on the operators' inputs. These cases will also be saved into the database for future use, enhancing the database over time.

Within any of the three large boxes on the left in Figure 1, threat intelligence is used to generate cyber-attack scenarios, including cyber kill chains. Threat intelligence contains historical information about the case, best practices, and information about the attack. With the generated scenarios, along with information about the cyber-physical systems involved, we will develop a cyber-related energy delivery system simulation to simulate the consequences of the scenarios and the impacts of attacks on the cyber side of the power grid. This simulation engine, which will be developed with the assistance of PNNL, is not limited to power grids and can be used in other energy delivery systems (e.g., oil and gas).

The left box in Figure 1 shows the simulation analysis process. The process begins with a review of key principles of cyber resilience from the utility guidebooks (e.g., NIST 800-61 R2). The briefing covers the key issues operators might face and the kinds of responses available to them. Based on the NESCOR failure scenarios and other guidelines, the discussion includes a set of possible operator actions. This information, along with details about the physical infrastructure, will be entered into the cyber-related energy delivery system simulation. The consequences of the scenarios are generated and will be used in the database of response strategies to generate new, effective response-based recommendations for operators.

Furthermore, our database of response strategies will be used to collect information on the actions and decisions made by operators in a virtual environment, in order to analyze operators' behavior and provide insights about effective strategies to improve operator performance. This information will be used to understand operator behaviors and to identify what types of additional information are needed to improve their performance in a cyber crisis, and also to improve the database and the simulator. It will be useful for the operators' managers in identifying systemic needs and higher-level performance improvement strategies, and it will highlight policies and practices that can be used to improve the tool and operator performance in future events. The initial implementation will focus on power systems, but the design of the database and simulator will readily extend to other energy delivery systems.

Energy Delivery System (EDS) Gap Analysis: 

Energy delivery systems (EDS) operators have multiple guidelines for protecting their environments from a cyber incident. However, these guidelines are only helpful if the operator can access them effectively in real time to respond to a crisis. Furthermore, operators typically have much better insight into operating the grid than into how the cyber control of the grid actually works. We cannot assume that if a guideline suggests, for example, rebooting a router, the operator will understand what effects this action has on situational awareness and control. This research is intended to aid operators in these situations by providing potential actionable plans and the ability to monitor the consequences of each plan. Operators may understand the importance of cybersecurity and make effective response plans to enhance the cyber resiliency of the EDS, but supplementing their abilities with a tool that lets them incorporate the guidelines and understand outcomes will provide better incident response capabilities, as well as a vehicle for incident response training.
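As an added illustration (not code from the project) of the scenario-action database described above and of the router-reboot concern just raised, the following Python sketch stores consequences per uncertainty level from the three case sources, ranks candidate actions by expected cyber-side impact under the operator's own uncertainty weighting, and lets real-time outcomes be recorded back. Every scenario, action and impact figure is constructed for the example; the impact metric and the weighting scheme are assumptions, not the project's design.

```python
"""Constructed example of a scenario-action database with per-uncertainty
consequences (sources: "empirical", "simulation", "realtime")."""
from dataclasses import dataclass, field
from statistics import mean

UNCERTAINTY_LEVELS = ("low", "medium", "high")


@dataclass
class Consequence:
    source: str          # "empirical", "simulation" or "realtime"
    impact: dict         # hypothetical cyber-side impact per uncertainty level, 0 (none) .. 1 (severe)
    note: str = ""


@dataclass
class ResponseDB:
    cases: dict = field(default_factory=dict)   # (scenario, action) -> [Consequence]

    def record(self, scenario, action, consequence):
        """Store a consequence; real-time outcomes are added the same way."""
        self.cases.setdefault((scenario, action), []).append(consequence)

    def actions_for(self, scenario):
        return sorted({a for (s, a) in self.cases if s == scenario})

    def expected_impact(self, scenario, action, weights):
        """Mean over recorded cases of the impact weighted by the operator's
        belief about the uncertainty level (weights sum to 1)."""
        rows = self.cases[(scenario, action)]
        return mean(sum(weights[u] * c.impact[u] for u in UNCERTAINTY_LEVELS) for c in rows)

    def rank(self, scenario, weights):
        """Candidate actions, least expected impact first."""
        return sorted(self.actions_for(scenario),
                      key=lambda a: self.expected_impact(scenario, a, weights))


def build_demo_db():
    """Constructed cases: a guideline action (reboot) loses telemetry while the
    device restarts, so its impact grows quickly as uncertainty rises."""
    db = ResponseDB()
    s = "suspected compromise of substation router"
    db.record(s, "reboot router", Consequence("simulation",
              {"low": 0.3, "medium": 0.5, "high": 0.8}, "SCADA telemetry lost during reboot"))
    db.record(s, "isolate router, fail over to backup link", Consequence("simulation",
              {"low": 0.2, "medium": 0.3, "high": 0.4}))
    db.record(s, "monitor and escalate to SOC", Consequence("empirical",
              {"low": 0.05, "medium": 0.4, "high": 0.9}))
    return db
```

The same scenario yields different top-ranked actions depending on how much uncertainty the operator assigns to the diagnosis, which is the comparison the simulator is meant to make visible.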

Furthermore, our experience working with the energy sector and our interviews with several EDS experts and operators reveal that these recommendations and guidelines are not being fully implemented, in part because their quantity and detail can be overwhelming. The complexity and uncertainties of cybersecurity make rapid decision making a challenge for operators, especially when they are under pressure. Some approaches to reducing this complexity, such as security argument graphs [4] and simulation engines such as PowerWorld Simulator [5], have been developed. However, improving operator cybersecurity awareness and providing tools for real-time incident response remain a challenge.

This project addresses this challenge with a database and a simulation tool that provide operators with response strategies and help them monitor the cyber-related consequences of their response plans. Recommendations, best practices, and guidelines will be built into the simulation to ensure operators follow the most up-to-date information on managing cyber-attacks.

Reference the research activity fact sheet (PDF) for an extended gap analysis and bibliography. References noted as [4] and [5] in the gap analysis are listed in this PDF fact sheet.

How does this research activity address the Roadmap to Achieve Energy Delivery Systems Cybersecurity?

  • Manage cyber incidents through:
    • providing all possible response plans in an actionable format
    • choosing effective response plans using the simulator
    • providing suggestions (based on simulation results) for sustaining the impact of response plans and further security improvements

Status of Activity: 
Active