News Brief #6: Publication of policy brief “Cyber Ranges for a Resilient Europe”

Smart electrical power and energy systems build upon existing electrical grid infrastructure enabling service providers to manage the operation of power generation plants and adapt to end-user power demands, monitor the state of substations to maintain high service availability, as well as interface with end-users’ controllable electric loads (with mostly industrial or large-scale power needs) or power generation/storage capabilities (i.e., microgrids). They consist of a heterogeneous mix of devices of different age and vendors, deployed in complex networks highly-specific to end-user needs. The bidirectional nature of the communication between end-users and service providers increases the attack surface considerably, while the nature of the provided service, access to the electrical grid, makes attacks potentially catastrophic. At a high level, smart grids can be viewed through the interaction of five major components.

Customer premises networks

Customer premises networks are formed by end-user owned and operated devices which may be potentially unpatched, misconfigured, or otherwise vulnerable, lying outside of the service provider’s control. Depending on their scale and electric load requirements, they can be classified as:

  • Home area networks, including, among others, smart home appliances, electrical vehicle chargers, and home automation systems allowing both end-users and service providers to monitor and optimise their energy consumption.
  • Business area networks, a more complex version of home area networks with a larger number of devices and higher electric load requirements. For example, a single house may have a couple of electric vehicle chargers, whereas businesses need to support electric vehicle fleets or a large number of employee vehicles.
  • Industrial area networks, with entirely different electric load requirements to the others, as they connect industrial control systems, often operating heavy machinery, alongside traditional computing devices (servers, workstations, etc.) and industrial-scale heating, ventilation and air conditioning (HVAC) systems.

Takeaway point: The direct connection of vulnerable end-user operated devices to the smart grid dramatically increases its attack surface. Even if these devices fell under the control of the service providers, it would be impossible to secure most legacy or unsupported devices, thus leaving permanent points of entry for attackers to exploit. Service providers should consider end-user operated devices as possible attack points and include them in their cybersecurity training programs.

Smart meters

As measurement devices installed at the customer premises, they are the primary connection point to the power distribution network. As logical gateways to the smart grid, they allow service providers to monitor the power consumption of their customers, as well as perform remote load control by interfacing with building management systems. Successful exploitation can have serious consequences, as they are a single point of failure for a building’s electrical connection, they are usually installed in physically insecure locations, and store sensitive data about end-user power consumption habits. Attackers may, through exploited smart meters, attack customer premises networks, other smart meters in the vicinity, or the smart grid itself.

Takeaway point: Smart meters are a neuralgic point of smart grid systems. Cybersecurity training programs should focus on them, as they have a higher potential of being involved in a large amount of cybersecurity incidents than other components. By necessity, training programs will be highly specific to each service provider, as each one sources smart meters from different, and often times multiple, vendors.

Power distribution and transmission networks

As the backbone of the electrical grid, they are formed by substations connecting customer premises to power generation plants through the power distribution and transmission networks. The former follow more complex topologies which are highly dependent on the needs of the area they serve, while the latter follow a stricter structure and operate at higher transmission-level voltages. Both networks consist of substations with the necessary field devices for the operation, control, and monitoring of the electrical grid. As with smart meters, service providers source field devices from different vendors, most of which implement a mix of standard and proprietary protocols. Substations may also consist of a mix of older and newer devices, with different capabilities and designed to different standards. Attackers with access to a substation can cause service disruption, manipulate both human operators and automated systems to act in an unwanted manner, or attack other implicitly trusted smart grid components.

Takeaway point: Substations have been the main target of serious cybersecurity incidents. The composition of field devices, which is unique to each vendor, the use of proprietary protocols, the lack of public information, and increased physical security makes attacks against them significantly more difficult. This raises the skill bar of potential attackers, but also increases the complexity of cybersecurity training programs. Technicians and cybersecurity professionals must be trained in substation environments that closely resemble the real substations they are employed to protect.

Bulk and distributed power generation

Large-scale power generation plants, distributed power generation plants (wind, solar, diesel generators, etc.), and power storage systems controllable by a service provider are also vulnerable to cyberattacks. Threats against the former are very similar to those against traditional industrial environments, while threats against the latter are more similar to those against substations.

Takeaway point: As with substations, the highly-specific nature of the deployed equipment requires cybersecurity training programs tailored to each plant or system.

Control centres and corporate offices

Control centres manage the operation of both power generation plants and substations (transmission and distribution), while also interfacing with any controllable electrical loads or distributed power generation/storage systems. Corporate office networks consisting of more common computing systems (desktop computers, servers, etc.) may also have the ability to interact with the smart grid, enabling service providers to offer better and faster customer service (e.g., by enabling electric service without liaising with technical staff, if the customer is already physically connected to the grid).

Takeaway point: As peripheral components of the smart grid, control centers, corporate offices connected to the smart grid, and their staff must be considered part of the attack surface. Cybersecurity training programs should not neglect their inclusion, both in context of targeted attacks and training.

Cybersecurity training in power grid

With the increasing digitalization of power grids and complex environments, it is important that cybersecurity training can be domain-specific when needed. While attackers can leverage well-known attack vectors to compromise traditional networks, blue teams accommodate their defence plan so as to minimize the expected impact to the system. The power grid sector does not only expand the attack vector window but further requires the focus to fall on maintaining availability. Considering the usage of domain-specific equipment, the always increasing attack surface, intricate and obscure network topologies and contrasting defence priorities, it is important for organisations to formulate or search for solutions that address the problem directly. A proper cybersecurity training plan must not deviate from what is already known to the industry, but should incorporate new practices and knowledge for protecting those critical infrastructures. The training program must be a product of a tight collaboration between cybersecurity experts and grid operators in order to teach the trainees to develop and implement cybersecurity solutions that are tailored to power grid’s unique requirements, technologies, and equipment. Moreover, to propel critical thinking and strengthen the decision-making capabilities of trainees, it is important to include many instances of hand-on exercises in segregated and/or virtualized environments.

The FORESIGHT platform Considering all the above, the FORESIGHT platform comes into play. FORESIGHT is a state-of-the-art platform that extends the capabilities of existing cyber-ranges. It provides an innovative training curriculum that tightly connects a plethora of practical exercises with all theoretical knowledge required in the context of cybersecurity. Realistic and dynamic scenarios have been developed that are based on identified and forecasted trends so as to keep up to date with the latest cyber-attacks and an evolving threat landscape. Specifically, the power-grid training program offers network replicas of regular offices, SCADA networks, a small hybrid power grid infrastructure and a semi-automatic cloning & deployment solution. The training program targets both grid operators and security practitioners, aims to enhance the security tactics of blue teams and instruct red teams on attacking both office and power grid components as a means to improve their defensive tactics and develop overall better security measures.