Spear2020 News

Empowering Cybersecurity across EU Smart Grids

The proliferation of IoT devices in Electrical Grids, in line with the usage of new Information and Communication Technologies, has transformed the traditional Electrical Grids into Smart Grids. The major drawback that emerges with the use of Smart Grids are new cybersecurity risks. In order to address cyber-attacks in critical Smart Grid infrastructures, protect from human failures, accidents and targeted attacks from inside, boost trust, and increase society's resilience, cybersecurity risk assessment for Smart Grids is necessary. On the same note, with the objective to proactively protect the cyber hygiene of the environment, cyber hygiene methods and policies ought to be applied internally in Smart Grid infrastructures.

In accordance with the above, in the scope of the SPEAR project, the SPEAR Anonymous Repository of Incidents, a cyber incidents and cyber intelligence information sharing system, has been set up, SPEAR Smart Grid Cyber Hygiene Courses will be provided, and a SPEAR EU-wide Consensus has been established. The Smart Grid Security Guide brings together these resources.

Figure 1: The Smart Grid Security Guide.

The SPEAR EU-wide Consensus consists of a Library of EU and international Smart Grid cybersecurity resources, the SPEAR Risk assessment methodology for cybersecurity in Smart Grids and the Cyber Hygiene Maturity Model (CHMM) that have been defined and delivered as objectives of the SPEAR project.

Figure 2: The Smart Grid Security Guide - EU-wide Consensus resources.

Relying on the SPEAR EU-wide Consensus the Smart Grid Security Guide provides the Smart Grid Security Guide Tool for cybersecurity status assessment based on the SPEAR Risk assessment methodology and CHMM.

The SPEAR Risk assessment methodology for cybersecurity in smart grids is primarily based on the internationally recognized and widely used Framework for Improving Critical Infrastructure Cybersecurity of National Institute of Standards and Technology (NIST). In this context, the assessment is organized into four system layers and five functions, namely the system layers are Physical, Network, Application and Organizational, and the functions are Identify, Protect, Detect, Respond and Recover.

The Cyber Hygiene Maturity Model (CHMM) is a self-assessment Cyber Hygiene Framework (CHF) tailored to the needs and specificities of Smart Grids. The term cyber hygiene draws from the concept of personal hygiene and can be easily projected to an organizational level and level of infrastructure. The CHMM has been designed to perform an assessment of cyber hygiene of the Smart Grid, both in terms of technical components and in total, by measuring the cyber hygiene levels (CHLs) in three distinct dimensions: infrastructure, organization, and people awareness.

The proposed Smart Grid Guide Cybersecurity Tool aims firstly, to combine the insights extracted from the risk and maturity assessment and present them in a comprehensible format to the user, and secondly, to provide smart grid cybersecurity recommendations responding to the needs of the organization on whose behalf the assessment is performed.

The Smart Grid Guide Cybersecurity Tool assesses the cybersecurity status of an organization by integrating risk and maturity assessment, and provides prioritized cybersecurity recommendations according to the organization type. The tool targets three types of organizations/facilities: smart homes, substations, and power plants, and allows for the definition of custom options in case of a different type of organization/facility. It employs three questionnaires; the Risk Assessment Questionnaire (mandatory) based on the SPEAR Risk assessment methodology for cybersecurity in smart grids, the Maturity Level Assessment Questionnaire (mandatory) based on the Cyber Hygiene Maturity Model, and the Priority Ranking Questionnaire (optional - for the custom definition of priorities).

Figure 3: The Risk Assessment Questionnaire of the Smart Grid Security Guide Tool.

Apart from the evaluation of the preparedness levels and the maturity levels of the organization, elicited from the Risk Assessment Questionnaire and the Maturity Level Assessment Questionnaire respectively, the tool also prompts the user to define target levels for both the preparedness and the maturity. Subsequently, the security practices necessary to bridge the gap between current and target levels are identified (gap identification is performed on a set of 140 recommendations) and prioritized according to the type of the organization. The results of the cybersecurity status assessment are presented to the user in the form of radar charts that highlight the current and target levels, along with the prioritized security practices, in the form of ordered recommendations consisting of proposed practices to be applied as well as evidences (i.e., documents, records or logs) to be kept.

Figure 4: The visualized results of the cybersecurity status assessment and the corresponding recommendations of Smart Grid Security Guide Tool.

Integrating AI to cybersecurity for critical infrastructure

The constantly increasing cybersecurity threats in critical infrastructure stress the need for the adoption of new techniques capable to provide the next generation of cyber security. Future cyber security systems should continually learn and improve, adopting their mechanisms to new information covering new cyber-threats, providing protection even to zero-day attacks. The integration of AI allows cybersecurity systems to learn iteratively from new experiences and, eventually, act dynamically to new cyber threats. In the rise of these new cyber-threats, critical infrastructure (CI) is a domain that requires special attention from cybersecurity experts.

There are different CI sectors whose assets, systems, and networks are considered so vital to the community that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. System administrators in CI must face multiple tasks while they are overwhelmed by a great volume of data, such as network traffic, assets monitoring, firewall setup, etc. On top of that, the training process for new system administrators is a time and resource-consuming process creating a skill shortage in the domain. Therefore, there is a need for the integration of AI aspects into CI cybersecurity.

The integration of AI methods into the cybersecurity domain can increase the accuracy in the detection of true positive instances reducing the load of incidents the security managers receive, allowing them to focus on strategic aspects of cybersecurity. The integration of AI will enable superior predictive intelligence by looking at behavioural patterns, system administrators can recognize the difference between normal and suspicious traffic. Overall, AI will automate a series of processes, such as threat detection, increasing the level of cybersecurity and accelerating the transition of CI to the new era of cybersecurity.

The steps that have to be followed to offer the new generation cybersecurity include training the AI algorithms right data, testing the algorithms for bias, and ensuring the robustness of the system. Because AI algorithms usually follow a data-driven approach, they require multiple data sets for their training phase, meaning that it requires many distinct sets of malware codes, non-malicious codes, and anomalies. Acquiring all of these data sets is time-intensive and requires investments that most organizations cannot afford. In the context of SPEAR, new datasets that emulate the different type of cyber-attacks have been created, novel AI algorithms have been trained, and the execution of the different pilots ensure the robustness of the system.

Anomaly Detection using Autoencoders and Generative Adversarial Networks (GANs) for Cybersecurity over Network Traffic

Information (data) being generated from infrastructural, industrial, and consumer devices are progressively being digitised, stored, and processed in many ways and for various applications. Moreover, electronic systems embedded in critical infrastructure (e.g., power stations), industrial processes (e.g., robotic assembly lines), and consumer goods (e.g., autonomous vehicles) are increasingly being linked together in various layers of network connectivity frameworks (e.g., IoT, Industry 5.0, etc.). As this new reality of big data accumulation and digital transformation is being established, in recent years there has been an exponential increase of attacks against governments, organisations and individuals who hold and process this type of data, manage critical facilities, or even use electronic goods. Collectively referred as “cyberattacks” and typically categorised in various ways such as Denial of Service (DoS), ransomware, phishing, and malware amongst many others, these malicious incursions have grown in sophistication and impact, and are manifested in several ways depending on the physical and digital infrastructural networks involved. Focusing on the Industrial Internet of Things and the Smart Grid (SG) technologies, that provide substantial advantages, such as self-healing, pervasive control and improved utilisation of resources. However, the evolution of the smart technologies introduces severe cybersecurity issues due to (a) the new attack surface introduced by the smart technologies, (b) the vulnerability nature of the TCP/IP protocol and (c) the presence of legacy systems, such as Industrial Control Systems and Supervisory Control and Data Acquisition.

Cyber-attacks lead to system failures, release of sensitive information or restrict people from accessing critical infrastructure. In the past such cyber-attacks were identified and processed by experts and trained personnel using specialised tools and manual processes to detect suspicious activity over the network traffic. Recently, solutions based on machine learning (ML) and deep learning (DL) have been introduced and have the potential to make these cyber watchdogs even more effective and efficient. If a DL model could identify anomalous packets of data traveling through a network autonomously and accurately, then human security professionals would waste less time sifting through network traffic alerts and log files.

The detection of anomalies or outliers over the network traffic is one of the classic approaches used to identify cyber-attacks in real time. The current ML techniques for outlier detection in cybersecurity include mainly unsupervised solutions. One of the main reasons is due to the available data. In other ML problems such as object detection and recognition data are available and are well balanced among all the supported types. In the case of anomaly detection the amount of normal data is significantly higher compared to the ones with anomalies (i.e. with cyber-attacks). Another reason explaining the need of unsupervised solutions is that these methods allow the detection of attacks that have not been discovered or recorded in the past.

Unsupervised methods are based on clustering and they are defined as a division of data into group of similar objects. It is expected that each cluster, consists of similar objects and dissimilar to objects in other clusters. There are various methods to perform clustering that can be applied for the anomaly detection. Following is the description of some of the proposed approaches:

k-Means clustering is a cluster analysis method where we define k disjoint clusters on the basis of the feature value of the objects to be grouped. Here, k is the user defined parameter and the obtained cluster centroids are then used for fast anomaly detection for the new acquired data. During the training stage given a data sample of n-dimensions the methods determines a clustering of segment points, and the corresponding centres or centroids of the clusters. These cluster centroids provide library of "normal" data sample shapes. During the testing stage the method tries to reconstruct the given new sample data using cluster centroids learned during training. Poor reconstruction error on an individual segment indicates an anomaly.
Stochastic Outlier Selection - Affinity-based outlier selection (SOS) is an unsupervised outlier-selection algorithm that takes as input either a feature matrix or a dissimilarity matrix and outputs for each data point an outlier probability. Intuitively, a data point is considered to be an outlier when the other data points have insufficient affinity with it.
One of the classic approaches used for anomaly detection is the One Class Support Vector Machine (OC-SVM), which estimates the hyperplane that separates the anomalous data from the normal (origin) with the greatest distance. This approach offers high accuracy and efficiency on noisy cybersecurity network traffic data, but the complexity and processing time requirements increase for high dimensional data.
The Isolation Forest (IF) algorithm deliberately “overfitting” models aiming to detect anomalies. Considering that outliers have more empty space around them, they take less steps to memorize. The IF is using decision trees and outliers are regarded the points with lower path length. First we measure the path length between the root and each data point (leaf) and we compare them with the average path length. This path it is expected be relatively short for the outliers.
One Class Deep Neural Networks: Anomaly detection methods based on One Class DNNs are categorised either as “mixed” or “fully deep”. In mixed approaches, representations are learned separately in a preceding step before these representations are then fed into classical AD methods like the Isolation Forest or OC-SVM. Fully deep approaches, in contrast, employ the representation learning objective directly for detecting anomalies. In general all existing deep AD approaches rely on the reconstruction error with deep autoencoders and Generative Adversarial Networks (GANs) to be the main approaches used for deep AD.

Autoencoders is a type of deep neural networks which aim to find the identity function by producing an intermediate representation of lower dimensionality. The training process of these deep networks involves an error minimization procedure. Consequently autoencoders remove the main variation factors from normal samples and then provide an accurate reconstruction, but for samples that are not normal and therefore these common factors are not present the reconstruction accuracy is very low. As a result autoencoders can be considered in mixed approaches, this includes the case of using the latent space into classical AD methods, but also by fully integrating them in deep architectures, by deploying as an anomaly score the reconstruction error. Autoencoders do not have as an objective the detection of anomalies but to provide mechanisms for dimensionality reduction. Therefore, one of the main challenges is to identify the right level of compression or number of dimensions. This process of selecting the right level of compactness is tricky due to their unsupervised nature and the unknown intrinsic dimensionality of the data.

Apart from auto encoders, a novel deep AD method based on Generative Adversarial Networks (GANs) have been proposed in SPEAR called MENSA (anoMaly dEtection aNd claSsificAtion). The concept if this method follows the principles of GANs and it trains a GAN to generate sample data according to the provided normal training dataset. During the testing stage it aims to reconstruct a given sample from the generator’s latent space that is closest to the provided test input. Therefore, if the GAN has learned the distribution of the training normal samples then given samples should result an accurate representation in the latent space if they are normal but the reconstruction will be poor for anomalous samples.

The proposed model introduces new concepts and it combines simultaneously two Deep Neural Networks (DNNs): (a) autoencoder and (b) Generative Adversarial Network (GAN). We validated the efficiency of MENSA with a variety of datasets including Modbus/TCP, DNP3 network flows, and operational records (i.e., time-series of electricity measurements). This architecture is achieved by encapsulating the autoencoder model into the GAN network. The Generator becomes the Decoder, while the Discriminator is structured as the Encoder. This model is utilised for the anomaly detection procedure and it comprises the input to the latent layer. In particular, it is used to perform dimensionality reduction to the latent space. At this point, the Generator-Decoder has learned to generate close to real data that imitates the normal samples. To calculate the anomaly score for the real sample, the Adversarial Loss function is utilised. The Adversarial Loss is the difference between the generated and the real sample.

The next generation Electrical Grid, commonly known as Smart Grid, offer advantages (two-way power flow, self-monitoring, etc.) and challenges (e.g. cybersecurity concerns) in society. In this project, we implemented anomaly detection models capable of detecting more than 15 Modbus/TCP and DNP3 cyberattacks combined and potential anomalies related to operational data. The proposed solution MENSA combines two DNNs, an Autoencoder and a GAN, with a novel minimisation function, considering both the adversarial error and the reconstruction difference. The efficiency of MENSA was validated in several Smart Grid environments and was compared with other state of the art solutions and DL architectures. Our future plans include the design of more advanced DL models able to support other ICS/SCADA protocols, (Ether-Cat, Profinet, etc.) and detect cyberattacks against them. Also, optimisation mechanisms are considered and will be investigated aiming to improve the performance, inference time and model size.

Towards a Cybersecurity Certification of ICT Products, Services and Processes in the EU: Impact for the Smart Grid

The electricity sector has benefited immensely from the advances in information and communication technologies (ICTs). This is easily appreciated within the smart grid where these technologies have enabled a bi-directional flow of electricity and data, self-healing, and much more, resulting not only in a more efficient way of analysing, reacting to and optimizing electricity demands but also allowing electricity consumer to actively participate in the power supply system (prosumers). Within the grid ecosystem, several ICT-enabled components are deployed in the power plants and substations, enabling better performance and advance capabilities through the Internet of Things (IoT), advanced metering infrastructure, industrial automation and control systems, networking systems, etc. These components embed security functions, due to the critical roles they perform in the grid, and it is important that these security features are trustworthy and function as purported. However, it is not always the case; in many instances, it is difficult to assess if the security controls in these components and system are implemented correctly or will operate as intended to meet the security challenges before they are deployed. Over the years, a complex system of certification has emerged globally, which aims to attest these security functionalities, yet in many cases, vulnerabilities from these components have exposed and caused the systems in which they are deployed to be compromised.

Consumers and users do not always have a reliable way to verify these security claims, as they are replete with technical complexities and details. Within the EU, certification schemes have also evolved in a fragmented manner at the national level. In most cases, recognition of these schemes across member states has also been daunting and complex. The adoption of the EU Cybersecurity Act (CSA) in 2019 represents an effort to bridge this gap. The Act introduces certification schemes for ICT products, services and processes that incorporate security functionality, with the aim of establishing a common framework to validate and verify security products. Since its adoption, several developments have occurred towards rolling out the various schemes as envisaged in the CSA.

In general, the CSA permits two approaches to assessing ICT products, services, and processes: a self-assessment and a third-party assessment. It also provides for three security assurance levels: basic, substantial, and high assurance levels. On the one hand, the manufacturer of an ICT product, service or process may perform a self-assessment. Here, the manufacturer evaluates the product against the criteria associated with security assurance level basic and issues an EU statement of conformity that the product, service, or process conforms to requirements stated therein. On the other hand, a third-party assessment is performed by an accredited independent conformity assessment body (CAB) which evaluates the product against a defined set of criteria. When fully established, a manufacturer or service provider who wishes to obtain the certification shall apply to the appropriate conformity assessment body and provide evidence supporting the security assurance level it seeks to confirm. The CAB shall then review this evidence and conduct applicable conformity assessment activities (design review, source code review, security functional testing, penetration testing, etc.) and generate an evaluation report indicating if the certification is to be granted or not.

To implement the CSA, ENISA, which is the EU’s agency dedicated to achieving a high common level of cybersecurity across Europe, is tasked with monitoring, and developing the cybersecurity certifications schemes, including drafting the candidate cybersecurity schemes which shall specify criteria and specific requirements for conformity assessments. So far, ENISA has developed Common Criteria based European candidate cybersecurity certification scheme (EUCC) for the certification of ICT products, services or processes that meet the substantial and high assurance levels. It recently published a Methodology for a Sectoral Cybersecurity Assessment, and efforts are proceeding rapidly towards establishing sector-specific schemes such as for cloud services, and 5G networks.

It is important to note that there will be a post-certification duty on the holder of a European cybersecurity certificate. Such entity shall inform the competent authority or conformity assessment body of any subsequently detected vulnerabilities or irregularities concerning the security of the certified ICT product, service or process that may affect its compliance with the requirements related to the certification. That authority or body shall forward that information without undue delay to the national cybersecurity certification authority concerned.

Undoubtedly, cybersecurity certification is particularly important to the energy sector as one of the critical infrastructures under the Network and Information Security (NIS) Directive. As a sector that thrives by employing different technologies and services from diverse areas, ranging from ICT systems that are part of the internal information security management system (ISMS) to ICT products, infrastructure and services by external vendors, the existence of a common framework for verifying the security of relevant products also helps to achieve security by design and default, which are key for data protection and security compliance. For the smart grid, certifications schemes that target smart meters, network equipment, industrial and automation control systems, IoT, Cryptography, supply chain security, etc., will be relevant to secure the grid. For example, industrial and automation control systems deployed in sub-stations would benefit from secure components and products that do not form weak links to compromise the substations. Electrical grids are highly sensor-intensive operations, and the IoT technologies that regulate these sensors should not create security vulnerabilities. Similarly, the communication and network technologies used to send and receive data, for example, from the smart meters should securely perform this function, protecting the confidentiality, integrity, and availability of relevant data. Other examples abound, all suggesting an immense benefit from certification schemes that target products and services deployed in the grid.

Once these certification schemes are established in coherent and interoperable manner, smart grid stakeholders could leverage the framework to assess the products they deploy based on the risk associated with their intended use. This will not only support their security by design approach but also serve as an avenue to ensuring regulatory compliance where they only purchase and integrate products and services with the required assurance level. Although the certification framework is a voluntary scheme, it presents a huge opportunity for stakeholders in the energy sector to increase trust and security for European consumers and businesses. This will invariably assist in developing the digital single market, making it competitive globally. Broadly, through certification schemes, manufacturers, users, and service providers will find a less complex way of assessing the security assurance level associated with products, services, and processes offered in the market. The SPEAR project has contributed to this ecosystem by developing security functional tools: an integrated platform of methods, processes, and tools for timely detecting evolved security attacks using big data analytics, advanced visual-aided anomaly detection tools, and smart node trust management schemes. In the future, when the cybersecurity certification schemes are fully set up, adopters of these tools can benefit from appropriate schemes, such as security incident detection and response services certification where they choose to go for such certifications.

Evaluating SPEAR in the Combined IAN/HAN pilot

The third pilot of the SPEAR project was successfully carried out by the Innovation Hub of the Public Power Corporation S.A. (PPC), towards the final evaluation of the SPEAR solution during the user acceptance testing phase. The SPEAR demonstrations were implemented in two locations of PPC, the Innovation Hub in Athens, and the Unit no5 of the Combined-Cycle Thermal Power Plant in Lavrio, both in Greece. The main focus of this pilot was the multi-class classification problem of detecting and distinguish between a great variety of cyberattacks and reconnaissance attempts against Modbus TCP. The pilot considered a Home Area Network (HAN) and an Industrial Area Network (IAN) setup.

The involved infrastructure of the Innovation Hub includes smart meters, installed on an operational rooftop PV panel and the main laboratory switchboard (HAN part), as well as a Programmable Logic Controller (PLC) controlling the short-circuit generator of the High-Power Laboratory (IAN part). The corresponding apparatus is depicted in figures 1 and 2.

Figure 1: The PV panel at the Innovation Hub.

Figure 2: The short-circuit generator of the Innovation Hub.

The Lavrio power plant demonstration focused on a larger scale IAN validation, by employing three PLCs interfacing with the Distributed Control System (DCS) of the Unit no5 of the Lavrio power plant. The IAN was properly isolated from the operational network in order to avoid any security breaches. The involved apparatus is depicted in figures 3 and 4.

Figure 1: Part of the DCS in Lavrio.

Figure 1: The Unit no5 power generator in Lavrio.

The performed scenarios are summarized as follows:

Scenario #1: Concerns the detection and reaction to a fuzzing Modbus writeSingleCoil cyberattack against both IAN and HAN networks of the Innovation Hub. Purpose of this cyberattack is to maliciously alter important configuration (e.g., IP address, power factor) of the smart meters and the PLC, rendering then uncapable of properly retrieving and transmitting electricity-related measurements. Moreover, another potential consequence of this cyberattack is the change of Boolean registers, that could indicate an overcurrent or can open/close a trip. As a result, this cyberattack can unwillingly open or close various circuits, that could lead to various undesirable cascading effects.
Scenario #2: Concerns the detection and reaction to a Modbus GetUID reconnaissance attack against the PLCs of the Lavrio power plant unit. Purpose of this attack is twofold. First, is to discover details about the industrial devices located in Lavrio IAN. Secondly, assuming the high frequency of sending GetUID messages, this cyberattack also behaves as a DoS activity, by aiming to “crash” the Modbus server processes of the PLCs, since they are “flooded” with dozens of messages, that they are unable to handle.
Scenario #3: Concerns the detection and reaction to a Modbus writeSingleRegister DoS against the smart meters of the Innovation Hub. Like SC3.1, this cyberattack aims to maliciously change settings of smart meters (e.g., IP address, power factor), rendering them unable to properly deliver electricity-related measurements.
Scenario #4.1: This scenario concerns the deployment of production honeypots after a cyber-incident, by utilising the SPEAR Game Theoretic Intelligence (GTI) engine. The honeypots are deployed in the Lavrio power plant, while GTI and the Honeypot Manager run in Innovation Hub premises.
Scenario #4.2: This scenario verifies the operation of the research honeypot deployed in PPC premises.

SPEAR Newsletter #7 (October 2021)

The 7th newsletter of SPEAR project is now available. In this issue we inform you about the latest publications and blog posts of the SPEAR consortium. Click here to view and download the document in PDF format.

https://www.spear2020.eu/cmsMedia/Uploads/News/SPEAR_Newsletter_Oct21.pdf

A review of cascading events in the panEuropean electricity network

Energy infrastructures are complex systems which have physical, geographical, logical and, finally, cyber interdependencies with other critical infrastructures, e.g. transport, telecommunications, water, agriculture, health, finance, chemical industry and networks supporting the government, central and territorial entities, emergency services, as well as military- and civil defense. A disruption in the normal operation of critical energy infrastructures can have a negative cascading effect on other infrastructures, as well.

In the interconnected panEuropean electricity network, these disruptions can have significant impacts in the adjacent electricity systems, and even lead to a wide area collapse of frequency and black outs. The disruptions mentioned can be caused by human errors, weather events, physical failures on critical infrastructures and cyber attacks. Some significant events that occurred during the last years are presented hereafter.

On 4 November 2006, the disconnection without any warning of a high voltage line in Germany deprived 15 million Europeans of electricity for several hours, even causing the Spain Morocco interconnection to trip. The cause of these cascading events leading to blackout was a planned routine disconnection of the EMS power line crossing in Northwest Germany to allow a ship to pass beneath the overhead cables. This outage change was communicated to the neighboring TSOs and they did simulations to ensure stability. However, another change to the shipyard schedule requested the shut-off to change once again. This new change was not communicated to the neighboring TSOs until very late so a full analysis was not done. Thus, an electrical blackout had cascaded across Europe extending from Poland in the north-east, to the Benelux countries and France in the west, through to Portugal, Spain and Morocco in the south-west, and across to Greece and the Balkans in the south-east.
On 23 December 2015, hackers remotely compromised information systems of three energy distribution companies in Ukraine and temporarily disrupted the electricity supply to consumers. Thirty (30) substations (7 110kV substations and 23 35kV substations) were disconnected from the grid, and approximately 230000 people were affected, ICS physically damaged, and the end consumers suffered lack of electricity for a period from 1 to 6 hours. The substations were manually operated for several weeks after the event.
On March 2020, ENTSO-E, the European Network of Transmission System Operators, has announced that it found evidence of a successful cyber intrusion in its office network. ENTSO-E represents 43 electricity transmission system operators from 36 countries across Europe, thus extending beyond EU borders. According to the organization, a risk assessment has been performed and contingency plans are now in place to reduce the risk and impact of any further attacks. The malware attack caused the website and electronic filing system to go offline, but no sensitive or confidential data was compromised. However, it's important to note that the ENTSOe keeps records of technical information on power plants and operations networks of the utilities and other entities it regulates - and if attackers were able to obtain such information, it could be used to facilitate operations against the utilities directly.
On 24 July 2021, due to a major incident in France, the transmission systems of Portugal and Spain, together with a small part of the French transmission system, were disconnected from the synchronous area Continental Europe. Subject to further investigation, the cause of the event is presumed to have been a forest fire in the vicinity of the transmission lines.
On 8 January 2021, the synchronous area of Continental Europe was separated into two parts due to outages of several transmission network elements in a very short time. The initial event was the tripping of a 400 kV busbar coupler in the substation Ernestinovo (Croatia) by overcurrent protection. This resulted in a decoupling of the two busbars in the Ernestinovo substation, which in turn separated North-West and south-east electric power flows in this substation. This event lead to the shifting of electric power flows to neighbouring lines which were subsequently overloaded. This was followed by the further tripping of lines due to distance protection, and eventually to other disconnections that resulted to the separation of the Continental Europe Synchronous Area.

References

https://www.entsoe.eu
B.Miller, and D.C.Rowe, Symantec, ICS-CER, NERC
“Cyber attacks and Energy Infrastructures: Anticipating Risks”, IFRI Centre for Energy, January 2017.

SPEAR Anonymization Techniques

Figure 1: Anonymisation Techniques.

The insurance of user privacy is of utmost importance in the context of SPEAR. Therefore, in order to achieve anonymity of the exchanged data three well-known anonymization techniques are being reviewed for usage. These three techniques are k-anonymity, ℓ-diversity and group signatures. Group signatures enable the anonymous upload of data, while k-anonymity is used to verify the anonymity of the data and ℓ-diversity is used for group anonymization. In a group signature scheme, a group of users is formed, where each member of the group can sign a message on behalf of the group using their private key. A public group key is used to verify the signature of the message, but it is impossible to identify the signer using the public key. The group manager is responsible for adding and removing users and revealing the identity of the singer in case of legal disputes. Although the data are anonymously uploaded using group signature schemes, it is not sufficient to fully ensure anonymity. It is possible to identify the members of the group by matching the uploaded data, or by recognizing unique characteristics.

k-anonymity is property possessed by anonymized data, assuring that the data’s owner cannot be re-identified. It ensures that each record in a dataset has at least k-1 indistinguishable records, while it protects against identity disclosure. Finally, it does not provide sufficient protection against attribute disclosure. The two common methods for achieving k-anonymity are suppression and generalization.

ℓ-diversity, is a form of group-based anonymization that is used to preserve privacy in data sets by reducing the granularity of a data representation. The ℓ-diversity method was created to further k-anonymity by additionally maintaining the diversity of sensitive fields. The principle behind ℓ-diversity is that a q-block (a set of tuples in a published table T whose non-sensitive attribute values generalize to q) is ℓ-diverse if it contains at least ℓ ‘’well-represented ‘’ values for the sensitive attribute S. A table is ℓ-diverse if every q block is ℓ-diverse. The main advantage of ℓ-Diversity is that it provides privacy even when the data publisher does not know what kind of knowledge is possessed by the adversary. Additionally, the values of the sensitive attributes are well-represented in each group. In ℓ-diversity, each equivalence class must have both enough different sensitive values and those values must be distributed evenly enough. In each equivalence class, the entropy of the distribution of the sensitive values must be at least log(ℓ). In cases where some values are common, the table may have a very low entropy which leads to less conservative notion of ℓ-diversity. The limitations of ℓ-diversity can be observed in situations where a single sensitive attribute or very different degrees of sensitivity exist i.e. in a table where 1% of the patients are HIV positive and 99% are HIV negative. In addition to that, it is difficult to have a distinct 2-diversity in large records i.e 10000 records in total can be at most 10000*1%=100 equivalence classes [1].

Group signature methodology can be defined as the signing scheme proposed for groups which benefits by giving authority to a member in the team or group to sign instead of his team. In the group signature methodology only members of the group can sign messages and the receiver can verify that it is a valid group signature, but cannot discover which group member made it. Additionally, if necessary, the signature can be “opened”, so that the person who signed the message is revealed. Finally, in Group signature method the group manager plays the most crucial role since he is the one who both manages the group and can reveal the identity of the anonymized signer.

References

Machanavajjhala, A., Gehrke, J., Kifer, D., & Venkitasubramaniam, M. (2006). ℓ-Diversity: Privacy beyond k-anonymity. Proceedings - International Conference on Data Engineering, 2006, 24. https://doi.org/10.1109/ICDE.2006.1.

Visual analytics for Anomaly Detection in IοT networks

Internet of things (IoT) is defined as the embodiment of various physical devices or objects to Internet. Due to the frequency of utilization of such connected devices in our daily activities and the unattended and open operations of the network, numerous inherent security challenges in IoT systems have emerged. Treatment of these challenges could be achieved both via using anomaly detection algorithms and monitoring of different types of data produced by devices within an IoT network via visual analytics techniques.

Because of the fact that human domain expertise and computational results can differ from each other, visual analytics can be used to integrate human knowledge with analytics results to solve this issue. Visual analytics anomaly detection has been mainly based on statistical, machine learning and deep learning techniques. There are some special challenges in this field to be resolved, such as the unstable boundary between normal and abnormal cases, and the difficulty of collecting annotated data with exact labels. Generally, the deployed anomaly detection models should on the one hand take into account the fact that there are not clear bounds in distinguishing normal and abnormal patterns and on the other hand not only be based on users’ feedback in analysis stage [1]. More specifically, visual analytics should find answers in a range of problems such as the interpretation of multidimensional data from IoT sensors and devices, the creation of accurate normal behavioral models from data, the detection of anomalous points and interpretation of abnormal events [2].

To face those problems, numerous approaches have been recommended. Some examples are the affection of later model time epochs by real-time data and the integration of user feedback without the re-computation of anomaly detection model based on historical pattern of data [3]. Moreover, it is essential that the data representation should be interpretable in order to assist human interaction with the system [1].

SPEAR visual analytics techniques for anomaly detection aim to respond to the aforementioned challenges by monitoring data from many different sources and devices belonging to a smart infrastructure. Specifically, visual analytics tool utilizes data sources such as network traffic data (network flow statistics, deep packet inspection data) and operational data of an infrastructure IoT devices (e.g. battery data, PV data and smart meters’ data in the case of a smart home IoT network).

Visual analytics module in SPEAR system, apart from numerous ways of data visualization, has special functionalities for anomaly detection. This special visualization and analytics module not only is based in data context and comprises visual data comparisons and correlations, but also offers real-time detection and visual annotation of abnormalities, in order to assist users to give accurate feedback. The capacity of system to allow users to record the results and monitor data analysis progress undeniably is an important requirement for the system. The user feedback is essential, so that new anomalous patterns corresponding to cyber-attacks are discovered and the detection capability of intrusion detection systems that operate in parallel is enhanced with new knowledge [1]. SPEAR security infrastructure utilizes interactive visualization charts to monitor real-time data and to detect anomalies, possibly related with cyber-attacks, through a variety of deep learning algorithms. The deployed models have been trained to learn the normal patterns from different data sources, in order to detect unusual behaviors that significantly deviate from expected operation. If the maximum reconstruction error of a data instance overcomes a calculated threshold, this is being labeled as anomalous.

Figure 1: User interface of Visual analytics module under cyber-attack.

The other module for Visual analytics is the GTM module. The purpose of GTM is to quantify the severity of the various security events and calculate a reputation value for each asset of the smart-grid. This quantification intends to measure the impact of the detected anomaly as well as each asset individually.

Figure 2: Prognostic tab from the GTM module visualizing the compromised assets.

In conclusion, visual analytics is an anomaly detection and visualization system tool with trust management functionality. Additional capabilities include security events creation, display of network topology with information about all the assets, periodic remote notifications to end users through Instant Message (IM) application regarding the status of the network and potential anomalies. One special capability of the system is the interaction with the user to receive feedback, in order to link anomalous instances indicated by the anomaly detection models with cyber-attacks.

References

N. Cao, C. Lin, Q. Zhu, Y.-R. Lin, X. Teng and X. Wen, "Voila: Visual Anomaly Detection and Monitoring with Streaming Spatiotemporal Data," IEEE transactions on visualization and computer graphics, vol. 24, no. 1, pp. 23-33, 2017.
M. Riveiro, M. Lebram and M. Elmer, "Anomaly detection for road traffic: A visual analytics framework," IEEE Transactions on Intelligent Transportation Systems, vol. 18, no. 8, pp. 2260-2270, 2017.
A. Saad and N. Sisworahardjo, "Data analytics-based anomaly detection in smart distribution network," in 2017 International Conference on High Voltage Engineering and Power Systems (ICHVEPS), IEEE, 2017, pp. 1-5.

Forensic Readiness in Critical Infrastructures

According to various studies [3] [4] UK companies losses reach up to 37 billion euro per year (27 billion pounds), which is comparative to the European Commission’s budget in Innovation, Research and Development over a three-year period for the entire Horizon 2020 program. Across the European Union, the “average cost of cybercrime in Europe has risen steeply to $57,000 (€50,000) per incident” [5], while recent figures also show that the median cost to companies that suffered cyber incidents and breaches jumped to €50,000 over the past 12 months (2019-2020), representing a near six-fold increase on the previous year’s €9,000.

Currently, the approach of the majority of organisations to cyber-incidents focuses on business continuity and disaster recovery. However, this approach often includes actions that contradicts the principles of forensic investigations. Organizations tend to be reactive to cyber-incidents, meaning that once a security incident or data breach occurs their first course of action is to try to handle it and perform forensic investigations, followed by actual evidence collection.

Evidence

What is evidence? The Compact Oxford English Dictionary defines “evidence” as [22] :

evidence (noun): The available body of facts or information indicating whether a belief or proposition is true or valid
1.1 Law Information drawn from personal testimony, a document, or a material object, used to establish facts in a legal investigation or admissible as testimony in a law court.
1.2 Signs or indications of something.

In this blog we are concerned with both of the above definitions, and we define “evidence” in the broadest sense as any recordable event, or an artefact of an event, that can be used towards understanding the cause and nature of the observed incident/event.

Digital and Network Forensics

According to [10] forensics is: “the application of scientific knowledge to legal problems, especially scientific analysis of physical evidence, as from a crime scene”. The forensics process is dominated by ruling out potential explanations for the security events under investigation. Adopting E. F. Schumacher, great truths of philosophical map making, as described in his book “A Guide for the Perplexed”, we can reason that forensics is a convergent problem where cybersecurity is a divergent one. Simply putting it attempted solutions gradually converge on one answer.

Multiple definitions exist regarding Digital Forensics. According to [7] Digital Forensics can be defined as “the use of computer and information systems (IS) knowledge, coupled with legal knowledge, to analyze in a legally acceptable manner digital evidence acquired, processed and stored in a way that is legally acceptable”. According to [9] Digital Forensics science corresponds to the “application of computer science and investigate procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.”

According to [8] Network Forensics can be defined as "The use of scientifically proved techniques to collect, fuse, identify, examine, correlate, analyse, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and or compromise system components as well as providing information to assist in response to or recovery from these activities."

Network forensics is a sub-branch of digital forensics, relating to the monitoring and analysis of network traffic for the purposes of gathering information, including legal evidence. Network forensics is the art of capturing, storing and analysis of host and network-based evidence, aiming to identify the source of a network attack. Any forensic process aims to identify profound information in and about the network and the infrastructure not previously known.

Digital and network forensics are mainly used for investigations that aim to address legal issues and are likely to end up in court; hence, the emphasis on legal value of collected evidence. They are complex processes in which methodologies, tools and human intelligence combine for the purpose of investigation.

Chain of custody

When an incident occurs, evidence should be collected and stored securely, while at the same time, it should be protected against degradation, considering that evidence is extremely volatile and can be easily lost or distorted. When handling evidence, careful registration is very important, as it ensures the integrity and traceability of the evidence from origin to the courtroom. Breaches of this integrity affect the legal value of the evidence. Lack of strict control over the personnel responsible for the evidence, at any given point of time, may result in its degradation or compromise.

Furthermore, to preserve evidence integrity, we should document, preserve and make available for review all activities relating to the seizure, examination, storage, or transfer of digital evidence. Any breach to this integrity will directly affect the legal value of the proof.

Any organization can carry out digital investigations for own purposes, without the need to handle evidence in a legally acceptable manner. However, in case something is uncovered that requires legal action (e.g., espionage, fraud), it necessitates that all evidence presented in a court must be collected and documented in a legally acceptable manner for admissibility.

These issues are addressed by the Chain of Custody process that validates the collection, storage, movement and protection of evidence. It provides the forensic link, an audit trail of ‘who did what’ and ‘when it happened’ to a particular piece of evidence. A good monitoring chain can help prove that the evidence in the chain was never left without supervision. Moreover, lack of strict control over who is responsible for the evidence, at any given point of time, may result in its degradation or compromise. An example of a CoC form can be downloaded from the National Institute of Standards and Technology (NIST) website.

Forensic Readiness

Having a Forensic Readiness Plan ensures that forensic investigations and any evidence discovered can be handled and presented so that the organization does not lose a case.

Multiple definitions exist regarding Forensic Readiness. According to [1] Forensic readiness is defined as “…the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation”. According to [19], Forensic Readiness is “having an appropriate level of capability in order to be able to preserve, collect, protect and analyze digital evidence so that this evidence can be used effectively: in any legal matters; in security investigations; in disciplinary proceeding; in an employment tribunal; or in a court of law.”

As literature review reveals, forensic readiness is a broad subject and includes a number of elements. Forensic readiness is also not well understood since the term is often used interchangeably with the term “information security”. [20]

In some cases, gaining this capability can seem expensive as it involves a number of processes, that require new hardware and software as well as people with specialised skill sets in order to implement any Forensic Readiness Plan. Various studies ([8], [14], [15], [16], [17], [18]) suggest that for a successful network investigation, the network itself must be equipped with the infrastructure to fully support this investigation.

Organisations, in the course of their operation, generate a lot of digital data, that can become central pieces of evidence during a security event investigation. However, not all digital evidence is collected, due to the difference usages of it, including internal purposes, regulatory or legal requirements, or other external reasons. It is thus not easy to forecast when and what digital evidence is necessary. To this extend forensic readiness aims to assist organizations in laying the groundwork for incident readiness, so that retrieval of digital evidence is structured and documented, resulting in digital evidence being appropriately collected and stored even “before an incident occurs”, without services interruption.

As already mentioned, digital evidence is extremely volatile and thus, we should safeguard its integrity, authenticity and traceability from origin to a courtroom. A forensic readiness plan ensures that when digital evidence is required, it will be made available in a legally accepted form. This requires proper processes and policies to be in place, as well as careful planning.

Forensic readiness planning is part of a quality information risk management approach. Risk areas have to be identified and assessed and measures must be taken to avoid and minimize the impact of such risk. Organizations with a good risk assessment and information security framework would find it easier to adopt a forensic readiness plan. [12]

According to [1] a forensic readiness plan should have the following goals:

To gather admissible evidence legally without interfering with business processes
To gather evidence targeting potential crimes and disputes that could have adverse impact on an organization
To allow investigations to proceed at costs proportional to the incident
To minimize interruption of operations by investigations
To ensure that evidence impacts positively on the outcome of any legal action

Benefits

The benefits of being forensically ready include: [13], [1]

Being ready to respond to the potential need for digital evidence. In case an organization has to bring matters to a trial, where digital evidence is required, there will be a need for digital forensics. This in turns requires electronic evidence to be provided quickly and in a forensically sound manner when requested. According to the OSCAR network forensics methodology (presented in [2]) during the collection phase, all data related to a specific event should be collected and stored in an appropriate manner, while ensuring that its integrity is preserved, so that it is readily available when requested. In this phase, the Chain of Custody process is initiated.
Minimized cost of cyber investigations, since the evidence is gathered and acquired in anticipation of an incident. Costs, time to respond as well as the disruption of operations are reduced and investigations are efficient and rapidly completed.
Easier and faster detection and understanding of attack vector.
Reduced costs of regulatory or legal requirements for data disclosure, since the evidence is collected and stored in a proper manner. Regulatory requirements in many EU countries require security and assurance strategies and policies, such data retention, disaster recovery and business continuity, to be in place, and lack of compliance can result in financial penalties. Moreover, failure to provide stored evidence, when requested by regulatory authorities or law enforcement agencies, in an appropriate and timely manner also results in serious adverse costs, to the organization.
Complete and faster damage restoration and eradication, since post-incident activities could be much optimized with Forensic Readiness, regarding cost, time and effort.
Reduced insurance premiums, since organisations can prove that are ready to respond to cyber incidents
Successful security operations program, since potential incidents can be uncovered before they become security incidents or detected early enough before they escalate, while greater cyber-threats can be uncovered, traced and prevented.
Demonstrates due diligence and good corporate governance of the company's information assets as well as regulatory compliance.

Implementing

An organized approach is key to a successful investigation. As reflected on the results of the “SPEAR Smart-Network Forensics Specification”, organisations should seek for advice/help from a forensic investigator, that can assist them:

Review and analyse security posture including relevant controls, policies, procedures and skill sets, in order to improve upon what is in place and ensure a good forensic readiness plan.
Identify security goals, objectives and risk appetite, in order to determine what would be considered significant or relevant risk, what type of incidents should be expected, and how to respond to them.
Define the scenarios that require digital evidence.
Identify potential event sources, where they are stored, how they can be accessed, who should be contacted to get permission to access and collect them and how forensically sound they are.
Identify the resources available for event log collection, aggregation and analysis including evidence storage space, available time, tools, systems, and staff for collection and analysis.
Identify how the sources of evidence and the network itself will be impacted by evidence collection, network or equipment slowness or outages might be experienced. This helps determine whether devices can be removed from the network, if they can be powered off, if they can be accessed remotely and as a last resort if they can be accessed at specific times or schedule a downtime, to minimise the impact.
Prioritize sources of evidence, by reviewing the list of possible sources of evidence and identify those that are likely to be of the highest value to the investigation, while also considering the effort needed to obtain them.
Plan evidence acquisition by discussing and determining which organisation personnel (system and/or network administrators) can provide access to the evidence and what kind of access will be given (physical or remote).
Enable collection and storage of evidence in a secure and forensically sound manner. Tips for evidence collection include fast and lawful acquisition, creation of cryptographically verifiable copies, analysis only on the copies, usage of reputable and reliable tools and finally documentation of everything we do.
Establish and maintain a chain of custody policy including appropriate awareness on the importance of maintaining the chain of custody among people handling evidence.
Select the appropriate methodologies and tools for recovering evidence material from the forensic working image.
Document evidence-based cases, in a way that they are understandable by non-technical persons like managers, judges, etc. Forensics Technical Report must be factual and defensible in detail. Consequently, all claims must be supported by evidence.

Closing Remarks

Forensic investigations pose a myriad of challenges. To meet these challenges, investigators must carefully assess each investigation and develop a realistic strategy that takes into account both the investigative goals and the available resources. [2]

As Sun Tsu wrote 2,500 years ago: “A victorious army first wins and then seeks battle; a defeated army first battles and then seeks victory.” Strategize first; then collect your evidence and conduct your analysis. By considering the challenges unique to your investigation up front, you will meet your investigative goals most efficiently and effectively. [2]

While organizations are currently aware of the importance and need for business continuity and disaster recovery plans, they fail to recognize the importance of a forensic readiness plan. Organizations, including operators of critical infrastructures, fail to develop a forensic capability, due to culture and budget considerations, and instead they tend to implement a reactive rather than proactive response to security breaches. As a result, evidence is acquired, processed and stored in a way that it is not legally acceptable.

Forensic readiness greatly minimizes these problems, since evidence is collected in anticipation of an incident in a legally acceptable manner and before investigations begin. As a result, time and money are saved. An outdated forensic readiness plan is of little use, so ownership is essential to ensure it is kept up-to-date. To paraphrase Computer Security expert Bruce Schneier, ‘Forensic readiness is a process, not a product’.[21]

References

Robert Rowlingson,” A Ten Step Process for Forensic Readiness,” International Journal of Digital Evidence, vol. 2, issue. 3, Winter 2004.
Sherri Davidoff and Jonathan Ham, “Network Forensics, Tracking Hackers through Cyberspace”, 2012, ISBN-13: 978-0-13-256471-7
The cost of incidents affecting CIIs, Systematic review of studies concerning the economic impact of cyber-security incidents on critical information infrastructures (CII) AUGUST 2016, ENISA
Cyber-Attacks: Effects on UK companies, Oxford Economics, 2014
Cost of cybercrime per incident jumps six-fold to €50,000, June 2020, consultancy.eu
NICS, Forensics Readiness Guidelines, 2011
Sule, Dauda; “Digital Forensics 101: Case Study Using FTK Imager,” eForensics Magazine, February 2013, https://eforensicsmag.com/download/a-practical-approach-to-malware-memory-forensics-with-eforensics-open-2/
G. Palmer, “A road map for digital forensic research,” in Digital Forensic Research Workshop, Utica, New York, 2001
Zatyko, K. (2007). Defining Digital Forensics, Forensic Magazine.
Dictionary by Merriam-Webster: forensic, https://www.merriam-webster.com/dictionary/forensic
Sommer, Peter; Digital Evidence, Digital Investigations and E-dislosure: A Guide to Forensic Readiness for Organizations, Security Advisers and Lawyers, 3rd Edition, Information Assurance Advisory Council, March 2013
Rebecca Wynn, Digital Forensic Readiness Planning and Readiness Checklist in Order to Reduce Business Risk
Ziela Shidi, BENEFITS OF DIGITAL FORENSIC READINESS, March 2017
Electronic Crime Scene Investigation: A Guide for First Responders, U.S. Department of Justice: National Institute of Justice, July 2001
N. Beebe and J. G. Clark, “A hierarchical, objectives-based framework for the digital investigations process.” Digital Investigation, vol. 2, no. 2, pp. 147–167, 2005
V. Baryamureeba and F. Tushabe, “The enhanced digital investigation process model,” in Digital Forensic Research Workshop, Utica, New York, 2004.
B. Carrier and E. H. Spafford, “Getting physical with the digital investigation process, “International Journal of Digital Evidence, vol. 2, no. 2, 2003.
A. Almulhem and I. Traore, “Experience with engineering a network forensics system,” Lecture Notes in Computer Science, vol. 3391, pp. 62–71, Jan. 2005.
The National Archives; Digital Continuity to Support Forensic Readiness, 2011
Collie, Jan, “A Strategic Model for Forensic Readiness”, 2018, Athens Journal of Sciences, 5(2) pp. 167–182.
Karen Green, “Forensic Readiness Plans”, Deloitte Issue 18, 2014
Oxford Dictionaries Online – English Dictionary,” Oxford Dictionaries, https://en.oxforddictionaries.com/definition/evidence

Progress on the SPEAR pilots

One of the most critical stages for implementing a project is when all the developed tools have to be tested in the operational environment of the end user or in laboratories that emulate realistic conditions. The evaluation and the market potential of the SPEAR solution, that the consortium has been working on during the last three years, depends on the response of these pilots.

The first six Working Packages of the SPEAR project contributed towards preparing the SPEAR platform. The objective of SPEAR is to provide effective solutions for detecting, responding, and taking countermeasures against advanced cyber threats and attacks that target modern smart grids.

At the beginning of the project, the security and privacy requirements were extracted from the end users and energy stakeholders, forming the basis of the SPEAR architecture and the innovations behind it. Then, the technical work focused on the SPEAR SIEM, that can collect, analyse, detect, and visualise ongoing cyberthreats against the most popular industrial Internet of Things (IoT) protocols, including Modbus TCP, MQTT, DNP3, and IEC-61850. Together with the forensic readiness and privacy preserving framework, the intelligent honeypots, and the cyber-hygiene policies that are provided to the end users, the integrated SPEAR platform was realized to be tested in the final phase of the project, the user acceptance testing.

In the last phase of the project, it is necessary to test together all the functionalities provided by the SPEAR platform and compare the obtained results against pre-defined Key Performance Indicators (KPIs) that evaluate the accuracy, efficiency, and reliability of the platform for accomplishing its role. The evaluation results are obtained by performing real cyberattacks in the existing industrial infrastructure of the end users, which includes Programmable Logic Controllers (PLCs), energy meters and Remote Terminal Units (RTUs).

During April 2021 two pilots have been finished with positive results: The Smart Home scenario in CERTH and the Substation scenario in the Tecnalia laboratories. The rest two pilots, the Combined IAN and HAN scenario in PPC and the Hydro Power Plant scenario in VETS, will be implemented during May 2021.

Current state of the substation scenario by Schneider Electric

Schneider Electric, as leader in energy and automation digital solutions collaborates in the H2020 SPEAR project. Schneider Electric is focusing its contribution on one of the four use cases: “The Substation Scenario”. The objective of the use case is to validate the SPEAR platform in a realistic scenario based on an electrical substation.

Schneider Electric contributes to the use case with its substation devices. In particular, it provides its Remote Terminal Units (RTU). A remote terminal unit (RTU), controlled by a microprocessor, connects objects in the physical world to a distributed control system or SCADA (supervisory control and data acquisition) system by transmitting telemetry data to a master system, and by using messages from the master supervisory system to control connected objects. A variety of protocols are used to communicate with RTUs. An RTU is a critical asset in the control system because it provides relevant information to the control center and it operates directly in the substation.

Schneider Electric provides the SPEAR project with the Easergy T300 and Saitel RTUs. Easergy T300 provides remote control and monitoring for energy distribution automation. It is a modular platform of hardware and firmware, and an application building block for Medium Voltage and Low Voltage public distribution network management. Saitel is a high-performance, versatile, scalable and compact platform for secure automation and communication applications. Saitel acts as a communication gateway, measurement center and automation processor. Also, Schneider Electric provides the EcoStruxure™ Cybersecurity Admin Expert (CAE) tool for the RTU cybersecurity configuration has the capability to assign roles to user. A user with a role is then allocated permission to access or block resources of a system (for example permission to read or write device settings, download a new firmware version etc). The tool is suited to use within the Operational Technology (OT) environment as it authorizes the configuration of permissions of many different devices such as: network devices (switches, firewalls), personal computer and intelligent electronic devices/protection relays aligned with IEC 62351.

At this stage, the substation scenario is divided into two LANs and linked by a Firewall/Router.

Control Center LAN is located on the left side of the above figure. The components deployed are SCADA, SAM who collects the cybersecurity logs, SAT(CAE), SNTP Server, Switch and SPEAR sensor. The main function of this LAN is to control the Substation LAN.
Substation LAN is located on the right side of the above figure. The components deployed are HMI, SAITEL Front End RTU, SAITEL Acquisition RTU, Easergy T300 RTU, Switch with port-mirroring, SPEAR Sensor and Honeypot RTUs. The main function of this LAN is the generation and communication of the substation data.

As a result of the collaboration in SPEAR project, Schneider Electric will enhance the cybersecurity of its substation components, testing the developments in a realistic scenario and validating the solution in collaboration with cybersecurity experts and end-users of the project.

A Review of Critical Infrastructure Domains in Europe

Based on EC 2008/114 of the European Council as a European critical infrastructure (ECI), we can define critical infrastructure located in Member States that the disruption or destruction of which would have a significant impact on at least two Member States [1]. Damage or destruction of critical infrastructures by natural disasters, terrorism and criminal activity may have negative consequences for the security of the EU and the well-being of its citizens. Thus, it is very crucial to protect the ECIs since they play vital role for the functioning of a society and economy.

Table 1 presents an indicative list of CIs sectors and services identified by the EU Member States [2] :

Table 1: Indicative list of ECI sectors
Sector	Product or service
I Energy	1 Oil and gas production, refining, treatment and storage, including pipelines 2 Electricity generation 3 Transmission of electricity, gas and oil 4 Distribution of electricity, gas and oil
II Information, Communication Technologies, ICT	5 Information system and network protection 6 Instrumentation automation and control systems (SCADA etc.) 7 Internet 8 Provision of fixed telecommunications 9 Provision of mobile telecommunications 10 Radio communication and navigation 11 Satellite communication 12 Broadcasting
III Water	13 Provision of drinking water 14 Control of water quality 15 Stemming and control of water quantity
IV Food	16 Provision of food and safeguarding food safety and security
V Health	17 Medical and hospital care 18 Medicines, serums, vaccines and pharmaceuticals 19 Bio-laboratories and bio-agents
VI Financial	20 Payment services/payment structures (private) 21 Government financial assignment
VII Public & Legal Order and Safety	22 Maintaining public & legal order, safety and security 23 Administration of justice and detention VIII Civil administration 24 Government functions 25 Armed forces 26 Civil administration services 27 Emergency services 28 Postal and courier services
IX Transport	29 Road transport 30 Rail transport 31 Air traffic 32 Inland waterways transport 33 Ocean and short-sea shipping
X Chemical and nuclear industry	34 Production and storage/processing of chemical and nuclear substances 35 Pipelines of dangerous goods (chemical substances)
XI Space and Research	36 Space 37 Research

Over the last years, CI systems are increasingly being targeted by attackers. Most of these systems use outdated security protocols and weak security mechanisms, a fact that easily creates attack surfaces for a large group of attackers [3]. Moreover, the period from when a vulnerable system is breached by a malicious outsider to the breach being discovered and vulnerabilities identified and patched, is currently on average about 200 days [4].

It is important to understand that the protection of ECI should be a sector that the EU will always support and innovate. But what exactly are the threats we should face? The rest of the article is dedicated on three major CI systems.

Industrial Networks

Industrial Networks refer to networks that deal with transfer of data on a large scale (most of the times to cover real-time needs). These networks allow us to connect various devices across large spaces and enable communication between them by allowing us to transfer huge chunks of data between them. Most operations on all CI sectors are highly dependent to computer‐based control systems. These systems are increasingly connected to open networks such as the Internet, exposing them to cyber risks. Components such as SCADA systems, unsecure servers, remotely accessed operational networks could be accessible to anyone with basic knowledges of using attacking tools. For example, SQL worms (such as SQL Slammer Worm), or vulnerable Smart Meters able to spread malwares from point to point, are known to disrupt electric system control systems and cause grid failures or catastrophic problems [5] [6].

Healthcare

In healthcare systems the emergence of "online" applications has generated various risks to both patient’s health and their information security. Malicious operations general speaking lies on two major categories, the identity thefts and healthcare frauds where the attacker aims the security of patient’s EPHI (Electronic Patient Healthcare Information) to steal sensitive information, and the network and communication systems, where the malicious actions might have negative impact on patients and affect the proper use of their medication and drugs.

Based on a 2017 Accenture survey found that healthcare data breaches have affected 26% of U.S. consumers with average cost around $2.5 thousand, for each one of the individuals [7].

Security threats are mainly created by unauthorized access, system’s vulnerabilities, illegitimate activities and are mainly formed in taxonomies such as denial of service (DoS) and distributed denial of service (DDoS) attacks, man-in-the middle and remote brute-force attack, password sniffing, trojan horses, data tampering etc. These attacks threat the confidentiality, the availability, and the integrity, of a healthcare service provider’s information assets.

Telecommunication Networks

Telecommunication systems, computer networks and satellite communication systems consists a major category where a user can easily gain unauthorized access to private information and critical resources. The attackers aim at the communications links between the systems trying to force a malfunction to the system. Attacks such as DoS (Denial of Service) on satellites could cause tremendous effects in application such as military communications to become unavailable at critical moments or in business to prevent legitimate clients from accessing necessary services. Moreover, satellite systems and systems that relies on wireless communications are increasingly vulnerable to various attacks, such as RF jamming and network traffic spoofing, which can result in a total signal loss or even in receiving malicious signals [8].

Over the past year, advanced malwares have been developed to target improperly protected critical infrastructure. Since several CI systems relies on weak security mechanisms and communication protocols, new attack surfaces for exploitation are revelled for the attackers every day. Thus, Critical infrastructure service providers and operators must constantly seek for cost-effective and comprehensive secured solutions for their systems.

References

http://kemea.gr/images/documents/EC1142008CIP.pdf
Green paper on a European program for Critical Infrastructure protection (2005), https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52005DC0576&from=EN [accessed on 20th Oct 2020]
Trend Micro, A Security Evaluation of AIS, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-a-security-evaluation-of-ais.pdf, 2015
Infosecurity, Hackers Spend 200+ Days Inside Systems Before Discovery, http://www.infosecurity-magazine.com/news/hackers-spend-over-200-days-inside/, 2015
Andres, Richard B. and Loudermilk, Micah J. (2012), National Security & Distributed Power Generation. livebetter Magazine Issue Number 24, Sep 2012
Vaas, Lisa (2012), Nuclear power plant cybersecurity warnings silenced by legal threats, http://nakedsecurity.sophos.com/2012/10/31/nuclear-security-silence/ [accessed on 20th Oct 2020]
One in Four US Consumers Have Had Their Healthcare Data Breached, Accenture Survey Reveals (February 20, 2017), https://newsroom.accenture.com/news/one-in-four-us-consumers-have-had-their-healthcare-data-breached-accenture-survey-reveals.htm [accessed on 20th Oct 2020]
Northcutt, Stephen (2007), Are Satellites Vulnerable to Hackers? http://www.sans.edu/research/security-laboratory/article/satellite-dos [accessed on 20th Oct 2020]

SPEAR Newsletter #6 (March 2021)

The sixth newsletter of SPEAR project is now available. In this issue we inform you about the awards that the SPEAR consortium has received for publications in scientific conferences. Click here to view and download the document in PDF format.

https://www.spear2020.eu/cmsMedia/Uploads/News/SPEAR_Newsletter_Mar21.pdf

2021 IEEE CSR Workshop on Electrical Power and Energy Systems Security, Privacy and Resilience (EPES-SPR)

SPEAR and SDN-microSENSE are co-organizing the 2021 IEEE CSR Workshop on Electrical Power and Energy Systems Security, Privacy and Resilience (EPES-SPR).

The smart technologies digitize the conventional model of the Electrical Power and Energy Systems (EPES) into a new architectural paradigm, known as the Smart Grid (SG), thus introducing multiple services, such as two-way communication, pervasive control and self-healing. Based on the current situation of the COVID-19 pandemic and future pandemics, this evolution and in general the complete digitization of the cyber-physical infrastructures become necessary than ever. However, despite the benefits, this progression leads to challenging cybersecurity issues due to the vulnerabilities of the new technologies and the necessary presence of the legacy systems, such as Supervisory Control and Data Acquisition (SCADA) / Industrial Control Systems (ICS) that rely on insecure communication protocols. Moreover, the automatic and autonomous nature of the Industrial Internet of Things (IIoT) entities raises additional cybersecurity and privacy concerns. Current Advanced Persistent Threats (APTs) have demonstrated the aforementioned cybersecurity issues such as TRITON, DragonFly, BlackEnergy3 and Crashoverride.

On the other side, anticipating the critical issues of EPES/SG, both academia and industry have developed appropriate countermeasures, considering the advances in the Artificial Intelligence (AI) and the networking domains. An indicative example is the IEC 62351 standard composed of 14 parts that define a set of security controls and guidelines for EPES. Moreover, AI and especially Machine Learning (ML) and Deep Learning (DL) allow the implementation of detection mechanisms capable of discriminating malicious behaviors as well as zero-day vulnerabilities. Emerging solutions in this sector include Security Information and Event Management (SIEM) systems and Intrusion Detection and Prevention Systems (IDPS). Other emblematic technologies that can mitigate or even prevent cyberattacks are honeypots, Software-Defined Networking (SDN), Network Function Virtualization (NFV) and intentional islanding.

Topics of Interest

Prospective authors are encouraged to submit previously unpublished contributions from a broad range of topics, which include but are not limited to the following:

Intrusion/anomaly detection and mitigation in EPES/SG

SDN/NFV-based architectures for resilient EPES/SG

EPES/SG honeypots and honeynets

SIEM systems in EPES/SG

Self-healing in EPES/SG

Federated learning solutions for anomaly and cyberattack detection in EPES/SG

Security management and risk assessment in EPES/SG

Threat modelling and vulnerability analysis in EPES

Security management and risk assessment in EPES/SG

Emerging privacy-preserving mechanisms and techniques in EPES/SG

Important Dates

Paper submission deadline: ~~April 19~~ May 10, 2021 AoE (firm)

Authors’ notification: ~~May 3~~ May 24, 2021 AoE

Camera-ready submission: ~~May 10~~ May 31, 2021 AoE

Early registration deadline: May 31, 2021

Workshop date: July 28, 2021

More info on the following link: https://www.ieee-csr.org/workshops/epes-spr/

SPEAR co-organises the 3rd IEEE SecSoft

SPEAR co-organises with the following H2020 projects: ASTRID, CYBER-TRUST, GUARD, DataVaults, RAINBOW, and SIMARGL the

3rd International Workshop on Cyber-Security Threats, Trust and Privacy Management in Software-defined and Virtualized Infrastructures (SecSoft)

co-hosted at the 7th IEEE International Conference on Network Softwarization (NetSoft2021) that will be held from June 28 to July 2, 2021, in Tokyo, Japan. SecSoft 2021 workshop homepage: https://www.astrid-project.eu/secsoft/. SPEAR participates in the Technical Program Committee of SecSoft 2021 with Panagiotis Sarigiannidis from the University of Western Macedonia.

Call for papers

The SecSoft workshop aims to gather together novel approaches for providing organizations the appropriate situational awareness in relation to cybersecurity threats allowing them to quickly detect and effectively respond to sophisticated cyber-attacks. The specific target is complimentary research works on complementary cyber-security aspects for virtualized and software-defined infrastructures, including but not limited to:

Cyber-security platforms and architectures for digital services;
Security, trust and privacy for industrial systems and the IoT (including smart grids);
Monitoring and advanced data collection and analytics;
Virtual and software-based cyber-security functions;
Orchestration and Automatic Configuration of security functions;
Novel algorithms for attack detection and threat identification;
Intelligent attack mitigation and remediation;
Machine learning, big data, network analytics;
Secure runtime environments, including trustworthy systems and user devices;
Formal methods and policies for security and trust;
Novel threat and attack models;
Authentication, Authorization and Access control;
Honeypots, forensics and legal investigation tools;
Threat intelligence and information sharing.

Multi-disciplinary and collaborative research projects are encouraged to submit joint papers describing their integrated architectures and cyber-security platforms, with special emphasis on how they address the challenging cyber-security requirements of softwarized environments and critical infrastructures.

Interested authors are invited to submit papers according to the following guidelines:

papers must be up to 7 pages long, including tables, figures and references
the style to be used is IEEE 2-column US-letter style using IEEE Conference template, and papers must be submitted in pdf format

Important dates

Workshop paper submission deadline: ~~February 12, 2021~~ March 5, 2021
Workshop paper acceptance: March 27, 2020
Camera-ready papers: April 11, 2020
Workshop date: July 2, 2020

Submission guidelines

Papers must be submitted by EDAS, by selecting the proper track (short/regular papers). Click here to submit now. Please check NetSoft's Publication and No-Show Policy before submitting.

6th SPEAR Plenary Meeting

Due to the COVID-19 emergency situation, the 6th plenary meeting of the SPEAR project took place virtually during 15 and 16 January 2021.

Towards the end of the project and the final evaluation by the end-users, the meeting was focused on the progress of deploying the SPEAR platform on each of the four pilots, namely, a) the VETS hydropower plant, b) the substation laboratory at Tecnalia, c) Both the Testing, Research and Standards Centre and the Lavrio Power Plant of PPC, and d) the smart home of CERTH.

During each demonstration, the end-users performed cyberattacks against the industrial devices used in each pilot, and the SPEAR platform successfully detected these attacks and visualised the relevant security events. Finalising the SPEAR deployments in pilots, the final evaluation and user acceptance testing will follow in the next months.

SPEAR Project Coordinator Interview - ERT3 TV

The SPEAR Project Coordinator, Dr. Panagiotis Sarigiannidis, Assistant Professor at the University of Western Macedonia, gave an interview at ERT3 TV about the SPEAR project and the challenges that we face in terms of cybersecurity and privacy in smart grids.

The full video of the interview (Greek) is available on our YouTube channel: https://www.youtube.com/watch?v=JYG0Gj4cFaY

Sharing threat intelligence across EU: Harmonization and new Network Code on Cybersecurity

The electricity grid and gas transport pipelines are strongly interconnected across Europe. Energy reliability is a pan-EU issue across countries; a single failure in one energy system can have a potential cascading effect across regions, as shown in a major European blackout in 2006, caused by a planned disconnection of a transmission line and inadequate security analyses by system operators [1]. Additionally, Non-EU countries such as Norway and Switzerland are connected to the European electricity network and they follow similar technical guidelines will interconnected with Europe.

Cyber-attacks on the electricity networks do not respect geographical borders and an EU or nation-wide attack can have an EU-wide impact, through the interconnected panEU transmission backbone. The focus of cyber security in the electricity supply sector is to support the reliability and resilience even in the event of a cyber-attack. Unlike IT systems, a control system that is under attack cannot be easily disconnected from the electricity network as this could potentially result in safety issues, brownouts or even blackouts.

EU harmonization in internal energy market: In order to harmonize and liberalize the EU’s internal energy market, measures have been adopted since 1996 to address market access, transparency and regulation, consumer protection, supporting interconnection, and adequate levels of supply. In the electricity market, the basic means of rules harmonization are the Network Codes. These are sets of rules drafted by ENTSO-E (European Network of Transmission System Operators of Electricity), with guidance from the Agency for the Cooperation of Energy Regulators (ACER), to facilitate the harmonization, integration and efficiency of the European electricity market. Each Network Code is an integral part of the drive towards completion of the internal energy market and achieving the European Union’s energy objectives.

Development of harmonized electricity rules- Network Code for Cybersecurity: According to the Regulation (EU) 2019/943 of the European Parliament and of the Council of 5 June 2019 on the internal market for electricity, the Commission has identified Cybersecurity as a key area for rules harmonization. To address potential cyber threats and to be fit for the digital age, Article 59(2)(e) of the Electricity Regulation provides for the establishment of a network code on sector-specific rules for cyber security aspects of cross-border electricity flows, including rules on common minimum requirements, planning, monitoring, reporting and crisis management. Through a open consultation process the European Commission has welcomed the feedback of stakeholders on the need and adequate scope of new electricity network codes on cybersecurity [2]. Stakeholders have already publicized their opinion to the public [3]

References:

Intelligent honeypots weaponized against APTs

The financial crisis of the last decade led to a budget reduction in Information Technology infrastructures (IT) [1]. These reductions had a significant impact to the evolution of the cybersecurity related technologies and their ability to compete with modern threats from malicious parties. Concurrently, the development of cyberattacking and data theft technologies has greatly advanced. Some of the most common types are known as Advanced Persistent Threats (APTs). Just to mention some examples: In 2010, Stuxnet, a malicious computer worm that targeted the supervisory control and data acquisition systems is believed to be responsible for causing substantial damage to the nuclear program of Iran. In 2011, Dugu a collection of computer malware, thought to be related to the Stuxnet, looks for information that could be useful in attacking industrial control systems. Although, its purpose is not to be destructive, the known components are trying to gather crucial system information. In 2012, Red October, a cyberespionage malware program was reportedly operating worldwide for up to five years prior to discovery. The purpose of Red October was to transmit information ranging from diplomatic secrets to personal information. The malware was installed to the systems via email attachments that exploited vulnerabilities in Microsoft Word and Excel. Last but not least, APTs made by Cozy Bear, a Russian hacker group that targets commercial entities and government organizations in Germany, Uzbekistan, South Korea and the US, including the US State Department and the White House, is believed to have caused a multitude of attacks. These attacks include the attempt to steal data on vaccines and treatments for COVID-19 being developed in the UK, US, and Canada in July 2020.

Even though the cybersecurity and scientific communities have developed several defensive mechanisms against APTs, there is a number of different challenges that have not been fully addressed. One of these challenges is the distribution of information related to APT campaigns. These types of information are most of the time found in technical reports and scientific publications that have neither been collected nor visualized in order to facilitate a potential exchange of intelligence. These sources often contain lots of valuable information such as: Domain names, IPs and malware hexes, which have been used in each APT campaign. In addition to that, these sources contain useful elements that can lead to the detection of a multitude of social engineering attacks of which their main target is the human factor. This factor is usually being ignored when it comes to augment the capabilities of honeypots. Additionally, malicious parties often reveal information about their activities through social media, which can contribute another valuable source of information. Among the many challenges that conventional incident detection and classification mechanisms have to face is the threat of adversaries who aim to harm defending mechanisms that use machine learning introducing a new field of research called adversarial machine learning. If an attacker becomes aware of the machine learning techniques used in defensive strategies, it is possible to lower the accuracy rate of all detection capabilities. The reported issues are in alignment with the two pillars on which cybersecurity community should depend on: Attribution and cybersecurity situational awareness. These aspects reflect the need to identify the responsible party for the orchestration of a cyber-attack i.e. the cyber attacker. The more efficient this identification is, in terms of detection time, the less impact it will have on the defender’s side. Furthermore, as social engineering attacks take advantage of the human factor cybersecurity situational awareness must increase towards protecting cyber infrastructures. The SPEAR framework aims to address all these challenges that emerge from the aforementioned APTs. The novel honeypot technologies under SPEAR will improve the detection capabilities of zero-day exploits and social engineering attacks. The Game theoretic defences (such as the Honeypot Game) are incorporated into SPEAR with the purpose of mitigating the actions of sophisticated APT attackers. Finally, the network forensics introduced by SPEAR are envisioned to generate evidence that will lead to the attribution of malicious parties by developing individual components such as: APT Collectors & Analysers, incident Identification & Response Recommendation mechanisms and Threat Visualization systems.

Citations

[1] Pitropakis, N., Panaousis, E., Giannakoulias, A., Kalpakis, G., Rodriguez, R. D., & Sarigiannidis, P. (2018). An enhanced cyber attack attribution framework. International Conference on Trust and Privacy in Digital Business, 213–228. https://doi.org/10.1007/978-3-319-98385-1_15

Dimensionality reduction for visualization purposes in the SPEAR V-IDS

Dimensionality reduction (DR) is a procedure that transforms high-dimensional data into a lower dimensional representation, usually involving the minimum number of features required to adequately describe the key properties of the data. It is mainly used with different types of real-world data (such as time-series, images, medical records, unstructured text, etc.) and enables processes of visualization, classification, compression and others.

One of the main benefits of applying dimensionality reduction to a dataset is that it helps in visualizing the data. Offering a comprehensive visualization of data in higher dimensions is not an easy task, so reducing the space to 2 or 3 dimensions allows to plot and observe patterns more clearly. For instance, in cybersecurity applications an Intrusion Detection System (IDS) is used to monitor network traffic and operational data over time, and as a result, hundreds of parameters are captured at each time instantly and need to be observed by the system operator. DR assists in providing a simple 2D or 3D visualization of all the obtained parameters forming patterns that can be easily interpreted by the system operator without significant knowledge requirements on data analytics. The SPEAR V-IDS incorporates DR techniques that provide the required visualization capabilities and allows the end user to discern otherwise undetectable security issues through the formed patterns.

Inside the V-IDS dashboard, the visual statistics tab offers an overview of the network condition by providing a comprehensive set of visualization methods for the operational data, based on dimensionality reduction. Through the different graphs provided, the operator is able to observe the live status of the network traffic and detect potential anomalies by interpreting the visual patterns. The system also allows the user to observe the status of the network at previous dates utilizing the historical data stored in the V-IDS database. This functionality enables the operator to have a simultaneous overview of the live and historical status, allowing a straightforward comparison between them. The live diagrams are updated every minute according to the incoming operational data. The user can choose between 5 different visualization models and select the representation in either 2 or 3 dimensions. The analytics are executed once the representation has been selected.

The first diagram presented is a line-chart displaying the anomaly score of the operational data over time. The red horizontal line represents the threshold of normal values, calculated as the statistical centre of the normal data. The black line represents the distance from this threshold, indicating how close to normal the incoming traffic is at each time instant. There are 2 such diagrams offered, one for the live operational data and one for historical data stored in the VIDS database. In the latter, the user can select a time window (i.e. 3 hours) and scroll through the diagram, observing the anomaly score over that window throughout the day.

The graphs presented next are scatter plots depicting the reduced dimensionality space of the operational data. Here the user can choose between a representation in either 2 or 3 dimensions, with the options offered again for both live and historical data. At each time instant, the live scatter plot displays the current status of the network, after executing the visual statistics algorithms using the most recent operational data. In the case of the historical data, the scatter plot represents the status of the grid throughout the whole selected date. The visual patterns formed in these diagrams allow the operator to observe the network’s status and determine anomalies by looking at the position and tint of the projected points. As demonstrated in the example figure above, potential anomalies are showcased by grouped points having a red tint.

The final visualization is offered in the form of a dependency wheel diagram, which displays the correlation between the recorded features of the operational data. A higher line width indicates a stronger influence between the corresponding features. The user can hover at each line and observe the actual value of the connection. Values close to “0.05” indicate no correlation, while values close to “1” recommend strong relation. As with the case of the scatter plot, the live dependency diagram shows the status corresponding to the most recent operational data at each time instant. The historical diagram displays the average value throughout the selected date for each connection, as calculated in the VIDS backend services.

SPEAR Newsletter #5 (September 2020)

SPEAR Newsletter #5

The fifth newsletter of SPEAR project is now available. In this leaflet we inform you about the outcomes of the second SPEAR review as well as about our latest publications and blog posts. Click here to view and download the document in PDF format.

Link: https://www.spear2020.eu/cmsMedia/Uploads/News/SPEAR_Newsletter_Sept20.pdf

Factors affecting the SPEAR market adoption

To identify the main factors that would affect the adoption of SPEAR, a survey using the Fuzzy Analytic Hierarchy Process (AHP) method has been conducted within the project. AHP is a structured technique capable of dealing with complex decisions, based upon a rational and comprehensive framework for decomposing an unstructured complex problem into a multi-level hierarchy of interrelated criteria, sub-criteria and decision alternatives. The survey revealed experts’ vision regarding the significance of the critical factors anticipated to influence the introduction and acceptance of SPEAR as a technology solution.

The list of the most important factors and subfactors that was compiled is presented in the following figure.

Figure 1: Significant factors that affect the adoption of the SPEAR solution

According to the opinions of the experts, the most important criterion for SPEAR is the Performance with a weight equal to 0.43 (43%), followed by Technology at 0.26 (26%). Security follows with a weight equal to 0.20 (20%), while the Business criterion comes last at 0.11 (11%).

Figure 2: Main criteria for adopting the SPEAR solution

Performance is the highest rated and clearly the most important factor that SPEAR must address according to expert opinion. Users are most interested in the set of features that will be critical to the development of the final product.

Technology and Features of the SPEAR solution receives the second highest weight, as experts value the different technologies that must be adopted and implemented within the final product but not as highly as their performance.

Security and Compliance come in the third place, below performance and technology. An interpretation of this result is that the security aspects of the developed tools are self-evident and considered to be implemented de-facto in the SPEAR tool.

The Business criterion has the lowest weight, an outcome that can be attributed to the fact that SPEAR is still in the development process of the different modules and not yet a product with high TRL close to commercialization, thus experts are more concerned about the criteria associated with the development of the final product. At this stage of the project, the business aspects of SPEAR are less mature and not as important as the other criteria.

A different interpretation of the results is that the decision making does not always imply a discrete choice between alternatives, but could also refer to probabilities, possibilities or considerations concerning opportunities vs. risks. The usage of fuzzy numbers could then be employed to guarantee the minimum and maximum values. An α-cut can also be taken into account to define narrower lower and upper limits of the relevant weightings based on risk considerations.

More details about the methodology and the results can be found in Deliverable 8.6: Market Analysis, Roadmap and Business Modelling Report

ENISA Guidelines in the Energy Domain and its Synergy with the SPEAR Project

The energy sector is one of the vital areas of any economy. It is not surprising that there is constant reform in this sector to ensure its sustainability and security, especially with the integration of information and communication technology (ICT) with legacy electricity infrastructure to make the power grid “smart”. While this integration brings many benefits in terms of efficiency, it also raises significant cybersecurity threats. It is in this regard that the work of the European Union Agency for Cybersecurity (ENISA) in the energy sector is relevant. Over the years, ENISA has issued several guidelines and recommendations on cybersecurity targeted at the energy sector, including among others:

ENISA Smart Grid Security Recommendations
Smart Grid Threat Landscape and Good Practice Guide
Communication Network Interdependencies in Smart Grids
Report on Cyber Security Information Sharing in the Energy Sector
Power Sector Dependency on Time Service: Attacks against Time-sensitive Services.

For example, in its recent publication on power sector dependency on time service, ENISA describes specific threats against energy providers’ services that depend on the availability of precise timing and communication networks and offers some recommendations on how to secure such systems. Notably, time measurement technologies used in the power grid have become so essential due to their functions in monitoring grid operation and power balancing, as well as identification of unwanted events, among others. Attacks against time services can have an impact on the power infrastructure. They can affect the confidentiality, integrity, and availability (CIA) of time services in various ways, such as by causing synchronisation failures and monitoring errors between the Transmission/ Distribution operator and the power stations.

In light of the above, it is vital for there to be continuous advances and improvements in cybersecurity, and emergency incident management systems in the smart grid sector, and here current EU research projects are playing a key role. One such project is SPEAR (Secure and PrivatE smArt gRid) in which LUH is participating, through the Institute for Legal Informatics. In turn, this project proposes to develop effective solutions in detecting, responding and taking countermeasures against advanced cyber threats and attacks targeted to modern smart grids. SPEAR’s three-tier platform is designed to timeously detect threats and attacks in smart environment, provide a rigorous forensic framework and increase trust among smart grid operators by providing a secure communication channel for information sharing. In developing the project’s requirements, various ENISA documents were utilised in designing the privacy by design approach as well as other relevant requirements. In this regard, ENISA’s work in the area of cybersecurity offers a key strategy for the protection of the energy sector.

References

https://www.enisa.europa.eu/publications/ENISA-smart-grid-security-recommendations
https://www.enisa.europa.eu/publications/smart-grid-threat-landscape-and-good-practice-guide
https://www.enisa.europa.eu/publications/communication-network-interdependencies-in-smart-grids
https://www.enisa.europa.eu/publications/information-sharing-in-the-energy-sector
https://www.enisa.europa.eu/publications/power-sector-dependency

SPEAR Newsletter #4 (June 2020)

SPEAR Newsletter #4

The fourth newsletter of the SPEAR project is now available. In this issue we inform you about our latest achievements in the project and our latest blog posts. Click on the following link to view and download the document in PDF format.

Link: https://www.spear2020.eu/cmsMedia/Uploads/News/SPEAR_Newsletter_Jun20.pdf

Deception Technologies for Smart Grid Protection

One of the focus of SPEAR project work is placed on deception technologies which are part of the overall cyber defence strategy of an organization. These technologies aim at fulfilling multiple purposes at the same time; they are set up to act as a decoy to lure cyber-attackers, and to support the detection and learning about zero-day cyber threats and other types of attacks. Therefore, they lead to improved decision making about cyber security strategies.

The greatest impact of deception technologies is at detection phase of organisational cyber risk management programs. Nowadays it is difficult to detect zero-day advanced attacks against production systems; for instance, we remember well-known attacks as the Cyber Attack on the Ukrainian Power Grid [1]. Deception techniques such as the use of honeynets can support and complement the intrusion detection systems deployed in the Smart grid as a new source of incoming data that needs to be considered as malicious.

Within SPEAR, we have published a complete survey about these technologies and how they are being applied on the Smart grid domain. This article can be found here: https://zenodo.org/record/3834751 (Survey on honeypots, honeynets and their applications on smart grid)

References

[1] R. Lee, M. Assante, T. Conway, Analysis of the Cyber Attack on the Ukrainian Power Grid, A Defense Use Case, E-ISAC Electricity Sector Information Sharing & Analysis Center (Mar. 2016). https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Enel in the SPEAR project

The Smart Grids, among other things , remotely manage the elements maneuvers on the electrical substations that allow to transport and to distribute the electric power of the network. This enables control in different environments like the System of Control of Supervision and the Acquisition of Information (SCADA), Distribution Manager Systems (DMS), and other small configurations of control systems as Programmable Logic Controller (PLC) or Remote Terminal Unit (RTU) often found in the critical infrastructures sector.

The Smart Grids are exposed to a great number of threats, internally or externally, with the consequent risks. The materialization of the mentioned threats, done by negligence or mistake (voluntary or involuntary), cyber-attacks etc. can instigate all kinds of security incidents that affect the assets of information owned by the organization, or even to the safety of the persons who could be in the field facilities.

Despite the revolution of new cybersecurity topics, it is evident that know-how and expertise from of related domains information security, telecommunications, is essential for the development of cybersecurity and resilience in the future.

Enel as a multinational energy company and one of the world’s leading integrated electricity operators, collaborates in the H2020 SPEAR project with the main objective to plan, validate and evaluate the four proof-of-concept SPEAR use cases. Four scenarios under protection of the SPEAR platform will be tested in order to assurance the smart grid robustness:

The hydro power plant
The substation
The combined IAN and HAN
The Smart Home

Enel is responsible to elaborate the experimental planning of this project. This is necessary for executing the required tests and finally for having a complete result of this cybersecurity project. After this phase, Enel will also participate in the use cases validation, carrying out the experiment running of the four use cases with the expected results according to the detailed planning report. All the use cases will run concurrently.

The last main task for Enel will be the evaluation analysis of the SPEAR platform, making an evaluation of the four use cases validation. Enel will describe the lessons learnt oriented for the exploitation plans of the SPEAR project. Enel expects to perform all these phases correctly in order to validate this cybersecurity development. We are very interested to have an additional tool in the smart grids available in the next future, that could help us to response properly in case of cyberattack.

Enel expectations in this project are to improve the knowledge on cyber-security, learn new methods of defense against cyber-attacks and develop a new robust platform to protect the Smart Grids, guaranteeing systems confidentiality, availability and integrity. Await to improve the protection and defense against cyber-attacks in critical infrastructures through last generation tools and techniques and share knowledge and experiences related to cyber-security with the project partners are also objectives of the project.

The SPEAR Early Integrated Prototype is Coming Soon

The SPEAR components (SPEAR SIEM, SPEAR FRF and SPEAR RI) developed in the technical work packages are currently being integrated towards a complete functional prototype in the framework of the Integration work-package (WP6). The SPEAR platform that is built on a novel three-tier approach, unifies the different modules and converges into an overall system that provides to security administrators of the Smart Grid (SG) systems not only a friendly and useful but also a more effective and reliable tool to detect, respond and take countermeasures against advanced cyber threats and attacks.

Figure 1 displays the integration infrastructure that is hosting 11 Virtual Machines (VMs), one per architectural component.

Figure 1: Integration Infrastructure Architecture

In the screenshots bellow you can find samples of the ready-components, already integrated into the early prototype, using European Dynamics’s Qlack2 Web desktop, which simulates a desktop environment. The main benefit of such an implementation is that a user’s applications are easily accessible from any terminal machine. Also, all the application related information is loaded and shown on the user’s browser, avoiding installations and taking advantage of centrally performed updates. Finally, the fact that the web desktop environment is operated via the browser, makes its use platform-independent.

The Qlack2 Web desktop is based on responsive design, bearing in mind the user needs for multiplatform use.

Figure 2: SPEAR Login Screen

After logging in, the user is navigated to the web desktop workspace screen (Figure 3), which essentially serves as an applications container.

Figure 3: SPEAR Workspace

The user can access installed SPEAR applications by selecting their respective icon on the menu.

Figure 4: SPEAR Start Menu

Figure 5: Coexistence of two applications that overlap

SPEAR co-organises the EPESec workshop

SPEAR is co-organizing the EPESec workshop in conjunction with the ARES EU Projects Symposium 2020 at 15th International Conference on Availability, Reliability and Security (ARES 2020 – http://www.ares-conference.eu).

The EPESec 2020 workshop aims at collecting the most relevant ongoing research efforts in the Electrical Power Energy Systems (EPES) security field. It will also serve as a forum for relevant projects in order to disseminate their security-related results, boost cooperation, and foster the development of the EPES Security Community made of security experts and practitioners.

Topics of Interest include but are not limited to:

Security policies
Risk analysis and management
Vulnerability assessment and metrics
Awareness, training and simulation
Security standards
Privacy and Anonymity in smart/ micro grids
Threat modeling
Security architectures
Access control
Malware and cyber weapons
Intrusion detection and visualization
Defense in depth
Monitoring and real time supervision
Perimeter security
Safety-security interactions
Cyber security engineering
Secure communication protocols
Formal models for security
Hardware Security
Resilient ICS/CPS
Application Security
Secure Firmware
Incident Response and Digital Forensics
Case studies

You can find more details in the following page: https://www.ares-conference.eu/workshops-eu-symposium/epesec-2020/

Important dates:

Submission Deadline: 11/05/2020

Author Notification: 05/06/2020

The workshop is co-organized by the following H2020 R&D projects:

SPEAR (https://www.spear2020.eu/)
SDN-microSENSE (https://sdnmicrosense.eu/)
FORESIGHT (https://foresight-h2020.eu/)
CYBER-TRUST (https://cyber-trust.eu/)

Special Issue "Cybersecurity and Privacy-Preserving in Modern Smart Grid"

The need for an energy transition in Europe, and worldwide, is becoming major, and is faced by significant and far-reaching challenges. More than ever, transportation, communications, resource management (water and air), and even agriculture are enabled by modern electrical power and energy systems (EPESs) promoting automation. It is clear that energy is going more to be electrical and this is a great chance to integrate a higher share of renewables, promoting a more efficient and decentralized energy system, by involving advanced digital technologies and systems such as smart devices, faster and more flexible gateways, smart meters, and Internet of things (IoT). However, this transition comes with a significant cost: The need for cyber-defense measures, strategies, algorithms, schemes, tools, and frameworks to maintain or improve the infrastructure’s security posture.

The electric smart grid (ESG) is a modern EPES. This endeavor constitutes the evolution of the traditional electric grid, focusing on generating and conditioning electricity, while efficiently distributing, controlling, and monitoring it in real-time. Being beneficial not only for power industries, but also for consumers, ESGs also aim to preserve information privacy and offer protection against intrusions. However, due to their critical nature, vast scale and their expanded attack surface, ESGs are bound to face existing and evolving cyberthreats targeting vulnerable deployments. Recently ESG infrastructures have faced several cyberattacks that have raised questions regarding security inefficiencies and their large impact on system robustness, productiveness, and integrity.

This Special Issue of Sensors (ISSN 1424-8220) seeks to make an in-depth, critical contribution to this evolving field of cybersecurity in EPES. In the context of this Special Issue, we intend to bring together state-of-the-art research contributions providing new insights in securing the EPES from data breaches, managing threats, preventing and detecting cyber intrusions, and preserving sensitive and private information. The topics that can be addressed include (but are not limited to) the following:

Intrusion detection systems and big data analytics for accurate anomaly detection for smart grids.
Cybersecurity mechanisms, tools, and frameworks in modern smart grids.
Anonymity in modern smart grids.
Privacy-preserving tools, frameworks, and schemes in modern smart grids.
Security information and event management in modern smart grids.
Privacy standards and certificates for smart grids and energy networks.
State of the art privacy-preserving mechanisms and techniques in smart grids and energy networks.
Modern and advanced access control schemes for modern smart grids for safeguarding energy network reliability and integrity.
Blockchain technologies for accessing and sharing energy data in modern smart grids.
Anonymous communication channels in smart grids and energy networks.
Trust management and mechanisms in modern smart grids.
Recent cybersecurity incidents and data breaches in smart grids and energy domains.
Security certification processes in electric smart grids.
GDPR-compliant mechanisms and schemes in critical infrastructure and modern smart grids.
Security information and event management tools for critical infrastructure and modern smart grids.
Light encryption and new cryptography methods in electrical power and energy systems.
Homomorphic encryption in modern smart grids and energy systems.
Big data analytics, machine learning tools, and deep learning techniques for anomaly detection in smart grids and energy systems.
Cyber threat intelligence management and sharing in smart grids.
Risk management in modern EPESs.
Security and privacy by design in smart grids.
Security metrics and evaluation in smart grids.
Deception mechanisms in smart grids.

Guest editors: Dr. Panagiotis Sarigiannidis, Dr. Thomas Lagkas, Dr. Konstantinos Rantos and Dr. Francisco Ramos.

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All papers will be peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Sensors is an international peer-reviewed open access semimonthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 2000 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Deadline for manuscript submissions: 28 February 2021.

Source: https://www.mdpi.com/journal/sensors/special_issues/Cybersecurity_Smart_Grid

SPEAR publication in the prestigious IEEE Communications Surveys and Tutorials

Supervisory Control and Data Acquisition (SCADA) systems are widely deployed to monitor and control critical infrastructures, including transportation, telecommunication networks, factories and power grids. Although, SCADA systems are characterised by severe security vulnerabilities that can expose critical infrastructures to new risks.

Our recent work entitled "A Survey on SCADA Systems: Secure Protocols, Incidents, Threats, and Tactics" provides an overview of the SCADA architecture and the utilised communication protocols, along with specific security incidents and threats. Moreover, an extensive review of security strategies to secure SCADA systems is carried out as well as the current research trends and future advancements are presented.

The research paper has been published in IEEE Communications Surveys & Tutorials, the top journal for Computer Science and Electronics with Impact Factor of 22.973, according to Guide2Research.

You can read our article by clicking on the following link: https://www.spear2020.eu/cmsMedia/Uploads/Publications/09066892.pdf To access all of our articles, you can visit the following page: https://www.spear2020.eu/Publications

Secure and Private Smart Grids: The SPEAR Architecture

The power grid consists one of the so-called “critical infrastructures” that are essential to vital societal functions. The transformation of conventional power grids to the smart grids of the future has introduced numerous benefits, including flexibility, pervasive control, and utilisation of resources, but also created significant challenges that risk the operation of the power grid and, therefore, can cause cascading effects to essential societal sectors.

An unavoidable effect caused by the deployment of Information and Communication Technologies (ICT) in the power grid is the increasing attack surface of the critical infrastructure, which is now exposed to a growing number of (known and unknown) threats. As a result, efficient and dynamic systems are needed to tackle the susceptibilities introduced by the digitalisation of the power grid, while the societies and the economies benefit from the resiliency and efficiency of the modern smart grid.

The SPEAR solution, proposed by this project, aims to provide the ability to energy operators to timely detect cyberthreats against their infrastructures, considering in parallel privacy-related issues and the collection of forensic-related data. Moreover, SPEAR intends to enhance situational awareness of energy-related stakeholders by establishing an anonymous repository of incidents. In a nutshell, the novelties of SPEAR are compiled in the following pillars:

Intrusion detection using big data and visual analytics
Honeypots
Network forensics
Cybersecurity information sharing

The above technology pillars are the basis of the SPEAR architecture, which is illustrated in the figure bellow. In particular, the SPEAR architecture is analysed to the following frameworks:

SPEAR SIEM

The Security Information and Event Management (SIEM) system is the major framework of the SPEAR architecture that is composed of a) AlienVault OSSIM, b) SPEAR SIEM Basis, c) Big Data Analytics Component (BDAC), d) Visual-aided Intrusion Detection System (V-IDS) and e) Grid-Trusted Module (GTM). In more detail, AlienVault OSSIM collects network traffic from the infrastructure and focuses on signature-based anomaly detection, whilst SIEM Basis captures and pre-processes network traffic and operational data (e.g., various electricity measurements) to be received by other components further processing. BDAC provides User and Entity Behaviour Analysis (UEBA) by employing machine learning and deep learning techniques to analyse network traffic and operational data to detect possible anomalies. Moreover, GTM indicates how dangerous each asset is for the business operations by assigning a corresponding reputation value, which is calculated by assessing security events and static data about the infrastructure, combined with fuzzy logic techniques. Finally, V-IDS depicts the security events generated by all SPEAR components and further facilitates the detection of anomalies by providing advanced visual analytics that can be used by the security administrator or facility operator to detect and indicate additional security events that were not detected automatically.

SPEAR FRF

The Forensic Readiness Framework (FRF) provides the necessary tools and procedures to enable forensic readiness for smart grid operators by employing the Camunda BPM tool as well as privacy awareness compliant to the EU legislation by supporting a Privacy Impact Assessment (PIA). FRF consists of three main components, namely a) Forensic Repository (FR), b) AMI Honeypots and c) Honeypot Manager. In more detail, FR is responsible for collecting information and evidence from the infrastructure that can be used for legal purposes, while focusing on user privacy and the requirement that the evidences should remain unforged in order to be valid. AMI Honeypots are software components that aim to lure cyber-attackers by imitating real devices of the smart grid ecosystem. Their goal is twofold: i) to hide the real assets and ii) collect intelligence about the malicious activities. SPEAR Honeypots (based on Cowire and Conpot) can emulate various communication protocols, including Modbus, BACnet, GOOSE/MMS and SSH amongst others. The honeypots provided by the SPEAR solution are further enhanced by Generative Adversarial Networks (GANs), an AI solution that enables honeypots to be trained by network traffic data in order to generate more realistic responses, thus being more convincing. Finally, the Honeypot Manager acts as the orchestrator of those honeypots and a decision support system that applies a game theoretic model to calculate the optimal deployment of honeypots in the infrastructure, based on a cost-benefit analysis.

SPEAR RI

The Repository of Incidents (RI) provides a common communication channel for all energy-related stakeholders that adopt the SPEAR solution across Europe to exchange anonymously information regarding cybersecurity incidents without exposing their identity. RI (based on MISP) ensures privacy and anonymity of the participating organisations by applying various anonymization techniques to new security events received by SPEAR SIEM, before being published, including k-anonymity, i-diversity, t-closeness and pseudo-anonymisation.

Schneider Electric in the SPEAR project

Schneider Electric, as leader in energy and automation digital solutions collaborates in the H2020 SPEAR project. Schneider Electric is focusing its contribution on one of the four use cases: “The Substation Scenario”. The objective of the use case is to validate the SPEAR platform in a realistic scenario based on an electrical substation.

Schneider Electric contributes to the use case with its substation devices. In particular, it provides its Remote Terminal Units (RTU). A remote terminal unit (RTU), controlled by a microprocessor, connects objects in the physical world to a distributed control system or SCADA (supervisory control and data acquisition) system by transmitting telemetry data to a master system, and by using messages from the master supervisory system to control connected objects. A variety of protocols are used to communicate with RTUs. An RTU is a critical asset in the control system because it provides relevant information to the control center and it operates directly in the substation.

Schneider Electric provides the SPEAR project with the Easergy T300 and Saitel RTUs. Easergy T300 provides remote control and monitoring for energy distribution automation. It is a modular platform of hardware and firmware, and an application building block for Medium Voltage and Low Voltage public distribution network management. Saitel is a high-performance, versatile, scalable and compact platform for secure automation and communication applications. Saitel acts as a communication gateway, measurement center and automation processor. Also, Schneider Electric provides the EcoStruxure™ Cybersecurity Admin Expert (CAE) tool for the RTU cybersecurity configuration has the capability to assign roles to user. A user with a role is then allocated permission to access or block resources of a system (for example permission to read or write device settings, download a new firmware version etc). The tool is suited to use within the Operational Technology (OT) environment as it authorizes the configuration of permissions of many different devices such as: network devices (switches, firewalls), personal computer and intelligent electronic devices/protection relays aligned with IEC 62351.

Figure: Schneider Electric Easergy T300

In the first phase of the project, Schneider Electric worked together with Enel and Tecnalia in the “Use Case Preparation, Architecture, Security & Privacy Requirements”; participating in the requirement and technical specification definition for the use case. In addition, Schneider Electric has been collaborating with the developers of SPEAR platform within the development work packages, giving support in those activities where the substation scenario will be used.

Schneider Electric is also working in the “Integration and Deployment” and “Pilots, Validation and Evaluation” phases of the project, contributing with new development of its substation components at cybersecurity level. In these phases Schneider Electric, in collaboration with Enel and Tecnalia has design and is deploying a representative architecture for the substation scenario based in critical assets of the substation, such as: SCADA, HMI, RTUs, CAE, SAM and IT devices (router, firewall and switches).

SPEAR co-organises the second SecSoft Workshop

SPEAR co-organises with the following H2020 projects: ASTRID, CYBER-TRUST, FutureTPM, GUARD and SIMARGL the

2nd International Workshop on Cyber-Security Threats, Trust and Privacy Management in Software-defined and Virtualized Infrastructures (SecSoft)

co-hosted at 6th IEEE International Conference on Network Softwarization (NetSoft2020) that will be held from June 29 to July 3, 2020 in Ghent, Belgium. SecSoft 2020 workshop homepage: https://www.astrid-project.eu/secsoft/index.html

SPEAR participates in the organizing committee of SecSoft 2020 with Erkuden Rios from Tecnalia, Spain, who will serve as TPC co-chair.

Call for papers

The SecSoft workshop aims to gather together novel approaches for providing organizations the appropriate situational awareness in relation to cyber security threats allowing them to quickly detect and effectively respond to sophisticated cyber-attacks. The specific target is complementary research works on complementary cyber-security aspects for virtualized and software-defined infrastructures, including but not limited to:

The workshop will accept the following type of contributions:

short papers [maximum length: 4 pages, excluding references]
presenting industrial innovations, architectural references of research projects, main outcomes from demos and field trials, and preliminary research activities;
regular papers [maximum length: 7 pages, excluding references]
presenting research results or technical developments.

Important dates

Workshop paper submission deadline: ~~February 14, 2020~~ March 2, 2020
Workshop paper acceptance: March 23, 2020
Camera-ready papers: April 6, 2020
Workshop date: July 3, 2020

Submission guidelines

Papers must be submitted by EDAS, by selecting the proper track (short/regular papers). Click here to submit now.

SPEAR Newsletter #3 (December 2019)

SPEAR Newsletter #3

The third newsletter of the SPEAR project is now available. In this issue we inform you about our recent dissemination activities. Click on the following link to view and download the document in PDF format. Link: https://www.spear2020.eu/cmsMedia/Uploads/News/SPEAR_Newsletter_Dec19.pdf

Short presentation of SPEAR

The integration of critical power infrastructure to the Smart Grid introduces multiple security vulnerabilities. Consequently, the Smart Grid is becoming an attractive target for hackers. According to security experts, hacking groups (such as the APT33 group [1]) are shifting their focus on critical infrastructure targets. The increasing proliferation of the Smart Grid concept, as well as the development of novel cyberattacks and tools, call for the development of advanced Intrusion Detection Systems that are tailored to the traits and security requirements of the Smart Grid.

One of the main objectives of the Horizon 2020 Secure and PrivatE smArt gRid (SPEAR) research project is the development of an integrated security solution in order to accurately and timely detect Smart Grid attacks. Within the SPEAR research project, the cybersecurity is considered across all domains and components of the Smart Grid. To this end, novel methods and tools that leverage Big Data analytics are being developed. In addition, SPEAR provides a framework for forensic readiness and trust modeling, integrated in a single platform. The concept of honeypots is also utilized as an effective approach to increase forensic readiness. A number of honeypots are deployed across the power generation and distribution infrastructure, in order to attract and monitor potential cyber attackers in order to discover new attack patterns.

Following the European Program for Critical Infrastructure Protection challenges [2], four high-impact use cases are selected, in order to evaluate the efficiency of the SPEAR security solution. Learn more about our use cases, by visiting the following link: https://www.spear2020.eu/UseCases/

[1] https://www.teiss.co.uk/apt33-targeting-ics-systems/

[2] https://ec.europa.eu/energy/en/topics/infrastructure/protectioncritical-infrastructure/

The SPEAR project in the European Utility Week 2019

The SPEAR project and its progress was presented by representatives of PPC and 0INFINITY, during the European Utility Week (EUW) 2019. SPEAR took part in a very inspiring panel discussion of the session: "Digitalising the energy sector ' the greening by design paradigm", about the European goal for low carbon emissions and the role of concepts like smart grids, digitalisation and cybersecurity towards a Green Energy transition.

A great event with massive turn-up took place in Paris during 12-14 November 2019 and SPEAR's pod in the EU project's zone gained a lot of attention presenting the project's innovative solutions. In numbers, 18000 visitors and 800 exhibitors participated in this event from 100 countries.

Photos from the event are available in our Gallery: https://www.spear2020.eu/Gallery

SPEAR at the Open Day Go 4 Green event

In the context of preparations for the Go 4.0 Green Crowdhackathon, the Greek Ministry of Environment and Energy organized in 22nd October 2019 the Open Day Go 4 Green event, inviting startups, programmers, researchers, students and stakeholders to contribute in an open discussion about open data and how they can be used to develop new innovative solutions around green solutions and digital transformation.

The SPEAR project participated in this event, represented by Dr. Konstantinos Stamatakis, Director of the Testing Research and Standards Centre of Public Power Corporation (PPC). Dr. Stamatakis presented the innovative solutions that SPEAR provides through its architecture, towards digital transformation and secured modern smart grids. During the event, SPEAR tried to inspire the audience by providing specific ideas for the hackathon that were based on the AI technologies utilised by the project. Last, the initiatives of European Commission to foster R&D efforts were also presented, like the H2020 framework and the EC Open Research Data Pilot.

The SPEAR project was mentioned by Energypress [GR]

In light of the recent best paper award received by the SPEAR project's team, the Greek online newspaper Energypress mentioned the SPEAR project and its efforts towards protecting the smart grid critical infrastructure.

You can read the full article (in greek) by following this link: https://energypress.gr/news/tehnognosia-aihmis-gia-tin-antimetopisi-kindynon-apo-kyvernoepitheseis-sti-diathesi-tis-dei

SPEAR co-organises the S^2 Hack4Energy HACKATHON

S²Hack4Energy HACKATHON

A joint SPEAR-SIT4Energy event

The rapid progression of the Information and Communication Technology transforms the electrical grid into a new paradigm called Smart Grid. Smart Grid enables the development of smart energy-related applications, considering both efficiency potentials in the local energy production and consumption. However, at the same time, this revolution raises severe cybersecurity issues since Smart Grid is characterized by multiple heterogeneous and interconnected technologies. In this context, the SPEAR (https://www.spear2020.eu/) and SIT4Energy (https://sit4energy.eu) projects join forces towards co-organizing a hackathon event that will focus on innovative approaches on energy-related cyber-security and end-user engagement, respectively.

When?

The hackathon event will consist of 4 challenges (2 per project) and will last two days on 23-24 October 2019.

Where?

The hackathon is available online through the F6S platform: https://www.f6s.com/s2hack4energy. For any parties that would like to attend physically, you will be able to do so at CERTH premises (6th km Harilaou-Thermis, Thessaloniki, Greece - https://goo.gl/maps/Q6cjk31BRHiSPuLn6). So get your laptop, and get ready.

How?

All you have to do is to get a ticket for the S²Hack4Energy event by the F6S platform: https://www.f6s.com/s2hack4energy.

Awards

To make the day even more exciting the winners will take home several prizes:

1st Prize: Dell Latitude 5501, I7-9850H/15.6 FHD/16GB/512GB SSD/Webcam/Win10 Pro, Black
2nd Prize: 300,00 € Amazon Gift Card
3rd Prize: MLS Prime Tablet

The SPEAR project in the European Utility Week / POWERGEN 2019

We are happy to inform you that the SPEAR project will participate in the European Utility Week (EUW) / POWERGEN 2019 event in Paris, France.

EUW is the premier landmark event in Europe for the entire smart utility sector, accumulating over 12.000 international smart energy stakeholders and 650 exhibitors. An innovation and information platform in the form of a conference-led exhibition, the event facilitates greater networking and content sharing opportunities across the entire energy spectrum from generation to end use.

Powergen is a prestigious large-scale event that gives serious attention to the conventional power sector. It focuses on the operation, upgrading and maintenance of existing assets and on the increasing growth of decentralised generation assets, thermal or renewable and the new investments in the energy sector.

The combined events will create the only industry gathering that provides a total "end-to-end" power experience. The SPEAR project will be one of the research projects that will be presented in European Utility Week 2019 / Powergen 2019, in the EU project zone (endorsed by EU).

The event will be held in 12-14 November, Paris Expo Porte de Versailles. You can learn more about this event by visiting the official website: https://www.powergeneurope.com/welcome and, if you are interested in joining us, you can follow this link: https://l.feathr.co/euw-pge-2019---guest-spear. Join us in stand m70.a2, talk to our experts and learn all about our innovative platform for cybersecurity and privacy in smart grids!

See you in Paris!

SPEAR Newsletter #2 (September 2019)

SPEAR Newsletter #2

The second newsletter of the SPEAR project is now available. In this issue we inform you about the first review meeting held in Brussels and we provide you an overview of the SPEAR architecture. Click here to view and download the document in PDF format.

Link: https://www.spear2020.eu/cmsMedia/Uploads/News/SPEAR_Newsletter_Sept19.pdf

The Best Paper Award for the SPEAR consortium in IEEE CAMAD 2019

The SPEAR consortium is proud to announce that the paper entitled 'Operational Data Based Intrusion Detection System for Smart Grid', authored by G. Efstathopoulos, P. Radoglou-Grammatikis , P. Sarigiannidis, V. Argyriou, A. Sarigiannidis, K. Stamatakis, M. Angelopoulos, and S. Athanasopoulos, won the Best Paper Award in the #IEEE #CAMAD Conference (https://camad2019.ieee-camad.org/)!

The IEEE CAMAD (Computer-Aided Modeling and Design of Communication Links and Networks) is a well-known IEEE Conference, which attracts researchers, scientists, manufacturers, and engineers from all over the world.

The awarded research paper was created by a joined effort of the SPEAR consortium, where industry (Public Power Corporation S.A.), SMEs (0 Infinity Limited, Sidroco Holdings Limited), and academia (University of Western Macedonia) joined their forces for providing a compelling, high-impact, and stemming from real-world data research result in the context of the SPEAR Project.

The awarded paper provides an anomaly-based intrusion detection system, especially designed for the smart grid by utilizing operational data from a real power plant. In particular, many machine learning and deep learning models were deployed, introducing novel parameters and feature representations in a comparative study. The evaluation analysis demonstrated the efficacy of the proposed system in real-world smart grid applications.

You can view and download the paper by visiting the following link: https://www.spear2020.eu/cmsMedia/Uploads/Publications/SPEAR_Awarded_Paper.pdf

SPEAR in Education Festival 2019

Education Festival is an annual event, organized by IIEK ALFA and the Mediterranean College, that offers more than 140 training seminars on various topics, including Information Technology (IT), financing, management, and engineering amongst others. The seminars are open to the public, upon registration, and are usually attended by students, stakeholders, professionals and individuals that seek specialisation in specific domain.

In this context, on 31st May 2019, a seminar entitled "Smart grids and challenges - The SPEAR project - Transition from conventional to modern power grid" was organised by SPEAR and Public Power Corporation (PPC) and hosted by IIEK ALFA in Athens, Greece. During this event, the concept of smart grids was presented as well as their benefits and the cybersecurity challenges that modern societies face during the transition to smart grids. Moreover, an overview of the SPEAR project was presented focusing on the motivation and the innovation that the project introduces.

SPEAR co-organises the first SecSoft 2019 Workshop

SPEAR co-organises with the following H2020 projects: ASTRID, CYBER-TRUST, REACT, SHIELD and 5GENESIS the

1st International Workshop on Cyber-Security Threats, Trust and Privacy Management in Software-defined and Virtualized Infrastructures (SecSoft)

co-located with IEEE NetSoft 2019, will be held on June 24, 2019, in Paris, France. SecSoft 2019 workshop homepage: https://www.astrid-project.eu/secsoft/cfp.html.

SPEAR participates in the organizing committee of SecSoft 2019 with the following members:

Panagiotis Sarigiannidis (SPEAR coordinator) from the University of Western Macedonia, Greece, will serve as TPC co-chair and Scientific sessions co-chair.
Manos Panaousis from the University of Surrey, UK, will serve as Panel co-chair.

Call for papers

The SecSoft workshop aims to gather together novel approaches for providing organizations the appropriate situational awareness in relation to cybersecurity threats allowing them to quickly detect and effectively respond to sophisticated cyber-attacks. The specific target is complementary research works on complementary cyber-security aspects for virtualized and software-defined infrastructures, including but not limited to:

Cyber-security platforms and architectures for digital services;
Security, trust and privacy for industrial systems and the IoT (including smart grids);
Monitoring and advanced data collection and analytics;
Virtual and software-based cyber-security functions;
Orchestration of security functions;
Novel algorithms for attack detection and threat identification;
Intelligent attack mitigation and remediation;
Machine learning, big data, network analytics;
Secure runtime environments, including trustworthy systems and user devices;
Formal methods for security and trust;
Novel threat and attack models;
Authentication, Authorization and Access control;
Honeypots, forensics and legal investigation tools;
Threat intelligence and information sharing.

The workshop will accept the following type of contributions:

short papers [maximum length: 5 pages, including references]
presenting industrial innovations, architectural references of research projects, main outcomes from demos and field trials, and preliminary research activities;
regular papers [maximum length: 9 pages, including references]
presenting research results or technical developments.

Important dates

Workshop paper submission deadline: February 15, 2019
Workshop paper acceptance: March 22, 2019
Camera-ready papers: April 5, 2019
Workshop date: June 24, 2019

Submission guidelines

Papers must be submitted by EDAS, by selecting the proper track (short/regular papers). Click here to submit now.

SPEAR Newsletter #1 (May 2018)

SPEAR Newsletter #1

The first newsletter of SPEAR project is now available. In this leaflet we inform you about the first kick-off meeting and SPEAR's use cases. Click here to view and download the document in PDF format.

Link: https://www.spear2020.eu/cmsMedia/Uploads/UserFiles/News/SPEAR_Newsletter_May18.pdf

Spear2020 News

Empowering Cybersecurity across EU Smart Grids

Integrating AI to cybersecurity for critical infrastructure

Anomaly Detection using Autoencoders and Generative Adversarial Networks (GANs) for Cybersecurity over Network Traffic

Towards a Cybersecurity Certification of ICT Products, Services and Processes in the EU: Impact for the Smart Grid

Evaluating SPEAR in the Combined IAN/HAN pilot

SPEAR Newsletter #7 (October 2021)

A review of cascading events in the panEuropean electricity network

References

SPEAR Anonymization Techniques

References

Visual analytics for Anomaly Detection in IοT networks

References

Forensic Readiness in Critical Infrastructures

Evidence

Digital and Network Forensics

Chain of custody

Forensic Readiness

Benefits

Implementing

Closing Remarks

References

Progress on the SPEAR pilots

Current state of the substation scenario by Schneider Electric

A Review of Critical Infrastructure Domains in Europe

Industrial Networks

Healthcare

Telecommunication Networks

References

SPEAR Newsletter #6 (March 2021)

2021 IEEE CSR Workshop on Electrical Power and Energy Systems Security, Privacy and Resilience (EPES-SPR)

Topics of Interest

Important Dates

SPEAR co-organises the 3rd IEEE SecSoft

Call for papers

Important dates

Submission guidelines

6th SPEAR Plenary Meeting

SPEAR Project Coordinator Interview - ERT3 TV

Sharing threat intelligence across EU: Harmonization and new Network Code on Cybersecurity

References:

Intelligent honeypots weaponized against APTs

Citations

Dimensionality reduction for visualization purposes in the SPEAR V-IDS

SPEAR Newsletter #5 (September 2020)

SPEAR Newsletter #5

Factors affecting the SPEAR market adoption

ENISA Guidelines in the Energy Domain and its Synergy with the SPEAR Project

References

SPEAR Newsletter #4 (June 2020)

SPEAR Newsletter #4

Deception Technologies for Smart Grid Protection

References

Enel in the SPEAR project

The SPEAR Early Integrated Prototype is Coming Soon

SPEAR co-organises the EPESec workshop

Special Issue "Cybersecurity and Privacy-Preserving in Modern Smart Grid"

Manuscript Submission Information

SPEAR publication in the prestigious IEEE Communications Surveys and Tutorials

Secure and Private Smart Grids: The SPEAR Architecture

SPEAR SIEM

SPEAR FRF

SPEAR RI

Schneider Electric in the SPEAR project

SPEAR co-organises the second SecSoft Workshop

Call for papers

Important dates

Submission guidelines

SPEAR Newsletter #3 (December 2019)

SPEAR Newsletter #3

Short presentation of SPEAR

The SPEAR project in the European Utility Week 2019

SPEAR at the Open Day Go 4 Green event

The SPEAR project was mentioned by Energypress [GR]

SPEAR co-organises the S^2 Hack4Energy HACKATHON

S2Hack4Energy HACKATHON

A joint SPEAR-SIT4Energy event

When?

Where?

How?

S²Hack4Energy HACKATHON