The third pilot of the SPEAR project was successfully carried out by the Innovation Hub of the Public Power Corporation S.A. (PPC), towards the final evaluation of the SPEAR solution during the user acceptance testing phase. The SPEAR demonstrations were implemented in two PPC locations, the Innovation Hub in Athens and Unit No. 5 of the Combined-Cycle Thermal Power Plant in Lavrio, both in Greece. The main focus of this pilot was the multi-class classification problem of detecting and distinguishing between a great variety of cyberattacks and reconnaissance attempts against Modbus TCP. The pilot considered a Home Area Network (HAN) and an Industrial Area Network (IAN) setup.
The involved infrastructure of the Innovation Hub includes smart meters, installed on an operational rooftop PV panel and the main laboratory switchboard (HAN part), as well as a Programmable Logic Controller (PLC) controlling the short-circuit generator of the High-Power Laboratory (IAN part). The corresponding apparatus is depicted in figures 1 and 2.
The Lavrio power plant demonstration focused on a larger-scale IAN validation, employing three PLCs interfacing with the Distributed Control System (DCS) of Unit No. 5 of the Lavrio power plant. The IAN was properly isolated from the operational network in order to avoid any security breaches. The involved apparatus is depicted in figures 3 and 4.
The performed scenarios are summarized as follows:
Scenario #1: Concerns the detection of and reaction to a fuzzing Modbus writeSingleCoil cyberattack against both the IAN and HAN networks of the Innovation Hub. The purpose of this cyberattack is to maliciously alter important configuration (e.g., IP address, power factor) of the smart meters and the PLC, rendering them incapable of properly retrieving and transmitting electricity-related measurements. Another potential consequence of this cyberattack is the change of Boolean registers that could indicate an overcurrent or can open/close a trip. As a result, this cyberattack can unintentionally open or close various circuits, which could lead to various undesirable cascading effects.
Scenario #2: Concerns the detection of and reaction to a Modbus GetUID reconnaissance attack against the PLCs of the Lavrio power plant unit. The purpose of this attack is twofold. First, it aims to discover details about the industrial devices located in the Lavrio IAN. Second, given the high frequency at which the GetUID messages are sent, this cyberattack also behaves as a DoS activity, aiming to “crash” the Modbus server processes of the PLCs, since they are “flooded” with dozens of messages that they are unable to handle.
Scenario #3: Concerns the detection of and reaction to a Modbus writeSingleRegister DoS against the smart meters of the Innovation Hub. Like SC3.1, this cyberattack aims to maliciously change settings of smart meters (e.g., IP address, power factor), rendering them unable to properly deliver electricity-related measurements.
Scenario #4.1: This scenario concerns the deployment of production honeypots after a cyber-incident, by utilising the SPEAR Game Theoretic Intelligence (GTI) engine. The honeypots are deployed in the Lavrio power plant, while the GTI and the Honeypot Manager run on the Innovation Hub premises.
Scenario #4.2: This scenario verifies the operation of the research honeypot deployed in PPC premises.