Adaptive and Proactive Security Assessment on Energy Delivery Systems

Summary Statement

Our approach is described as follows: first, we provide support for the creation of dedicated repositories depicting security requirements, which are to be modeled leveraging ontological representations, in such a way that an unambiguous and comprehensive description of requirements, as well as common vulnerabilities and exposures (CVEs) (Mitre 2016), is synthesized cohesively. Using ontologies, the relationships between different security concepts can be better modeled, thus allowing for the exploration and discovery of similar and complimentary requirements obtained from different sources. We have identified already a starting collection of documents which we plan to enhance over time as a result of our interactions with both industry and academic partners, in such a way that our requirements repository is effectively constructed from source materials that are deemed as relevant by the EDS and cybersecurity communities.

Second, we introduce an approach based on multi-view analysis (Lee and Gandhi, Ontology-based active requirements engineering framework 2005), to allow for different stakeholders in EDS, who may have different security requirements, to assess the security of EDS based on their unique viewpoints.

Figure 1 presents a graphical depiction, adapted from a previous one (Lee, Gandhi and Ahn 2007), that shows how security officials and system practitioners may obtain different information from a given ontology according to their different points of view, by traversing the different relationships, a.k.a., links, that are associated with the entities being modeled in a given ontology.

Third, even though stakeholders may have different needs and different security requirements, some security requirements may be related and share some common elements. Therefore, it is imperative to analyze the relationship links between different security requirements and extract the required assessment tasks for them, using an approach based on multi-link analysis (Lee, Gandhi and Ahn 2007). As an example, Figure 2 shows a security requirement, derived from different documents on cybersecurity guidelines for EDS, that suggests the implementation of different network security zones, each of them in turn representing its own security domain, in order to restrict network communications between system devices. This way, even when an attacker may have been able to compromise a given component such as an intelligent electronic device (IED), the extent of the attack, as well as its possible consequences, may be contained by preventing other devices within the system from falling under the attacker’s control. As suggested by Figure 2, such a requirement may in turn be implemented by a network partitioning strategy. For instance, a set of security-sensitive IEDs in a given EDS setting may be grouped together into a network partition corresponding to a security domain allowing for internal communication, but disallowing any external communication with other partitions, e.g., a partition containing other IEDs. Partitions may be defined beforehand taking into account the system-level purpose of each of its constituent devices as well as the level of trust placed on them. Later in this document, we will describe an approach for enforcing security requirements of this kind by leveraging technologies for network packet collection and analysis, as well as traffic rerouting.

Fourth, we will provide support for the automation of different security assessment tasks by introducing an approach based on process-driven workflows, which are to leverage the aforementioned multi-view and multi-link analysis. Such workflows are constructed by linking together a series of adaptive and proactive software modules that collect security-relevant data directly from EDS, e.g., by intercepting network traffic related to information input/output and command output, as well as modules that are intended to process such information for automated security assessment, e.g., by implementing security checks that can detect deviations indicating a potential vulnerability or even an attack being underway.

Within our proposed framework, both collecting and processing modules will be developed based on the requirements contained within our repository, thus effectively creating a collection of modules from which customized workflows can be later instantiated by following the results obtained from running the aforementioned multi-view and multi-link analysis techniques, thus allowing practitioners to dynamically run their own custom-made workflows. As an example, leveraging Figure 2, a security analysis based on our proposed techniques may result in the aforementioned requirement restricting communication between different network partitions enclosing IEDs. Such a requirement may be in turn implemented by a dedicated interceptor module that monitors and retrieves network traffic, which is then forwarded to a checker module that verifies that the source and destination IP addresses contained in a network packet do not correspond to an attempt to establish a disallowed communication between partitions. If an offending packet is found, a security alert can be raised as a result. An alternative technique may also include detecting unexpected or unauthorized protocols, e.g., DHCP in a network environment consisting of static IP addresses only. At runtime, these interceptor and checker modules may be selected from our module collection to create a dedicated workflow as a result of an analysis that implements the aforementioned requirement restricting network traffic for EDS devices. Since each EDS deployment may exhibit different network configurations with respect to number of devices and IP addresses assigned to them, a previous configuration step may be required before the newly-created workflow can be set to run. In addition, as mentioned above, different monitoring techniques may be implemented to detect violations to a given security requirement. This way, a robust approach may be in place, allowing for security alerts issued by different modules to be combined together and presented to an EDS operator for better decision making, thus potentially preventing false positives, and complicating attacks directed to disrupt our approach by producing misleading input to a specific data collection module. 

For the purposes of data collection and forwarding, we will explore how software-defined networks (SDN) (Hu 2014) can be leveraged to observe, control and analyze network packets within EDS. As an example, we have envisioned an approach in which network monitoring rules, expressed in the scripting language of the well-known Bro framework (PAXSON 1999), can be translated into compatible SDN traffic rules and configuration settings, in such a way that not only are offending packets detected, but on-the-fly modifications to the set of network flows are possible, allowing for implementing a first-response countermeasure as described before in this document. Figure 3 shows how the aforementioned security requirement disallowing network communication between IEDs can be implemented by leveraging this idea: a Bro Script (1) implements a traffic policy restricting communication between different partitions (2). In addition, an interceptor SDN application (3) populates the flow tables implemented by each SDN-based switch in order to forward suspicious to the SDN controller and ultimately to the SDN application itself. A suspicious packet may in turn be processed by means of a checker module (4) implementing the Bro Monitoring Framework. When a suspicious packet is found to be in violation of the traffic policy, our SDN Application can then either raise an alert to EDS operators or implement a series of updates to the switch tables (using the SDN control and data planes) to prevent such a traffic flow from taking place, thus implementing a first-response that may give time for analyst to further process the incident.   

Figure 4 presents an architectural depiction of the EDS Security Automated Tool (EDS-SAT), a proposed implementation of our approach. Domain experts and developers are to be in charge of collecting and updating security requirements as mentioned before (1), and the requirements are in turn handled by means of a dedicated repository (2). Next, such requirements, along with information obtained from data collected directly from EDS infrastructure are fed to our proposed process-driven workflows, which in turn implement security assessment duties (3) (4) (5). Later, EDS domain experts and security officers may leverage the information provided by such tools and the proposed processing framework to perform various types of security-related assessment based on continuous real-time information. Finally, new security measures in the EDS domain may be elaborated based on the information obtained from our proposed tool (7).

We have envisioned different use cases an operator may employ to use our proposed EDS-SAT tool:  first, the attainment of knowledge specific to security requirements about security and EDS system components. Second, leveraging its data monitoring capabilities to gain an understanding of the current system state. Third, using its security assessment capabilities combining the previous two use cases to help assess the system and determine potential improvements needed to protect the system. Fourth, leveraging its first-response countermeasure tools, as shown in Figure 3, to collect evidence of security incidents for further decision making. Figure 5 shows an example following the first and second use case, in which an EDS operator may want to determine what security techniques are specifically related to network security, along with the system components such techniques would be implemented on (1). The operator would pose a question to the EDS-SAT tool asking about network security techniques, which would be automatically translated into a query and search through the security requirements and relationships contained within our ontology to find relevant requirements for the user (2). Next, a data collection module would be utilized to pull data measurements from the system related to networking configurations, and a data processing module would compare such measurements against the expected configurations described in the previously pulled system requirements (3). Finally, the tool would return information related to network security requirements and the components they should be applied to, along with any configuration mismatches and potential security techniques or other improvements that could be added to the system to mitigate potential threats (4).

Energy Delivery System (EDS) Gap Analysis

Recently, energy delivery systems (EDS) have undergone an intensive modernization process that includes the introduction of dedicated cyber-infrastructures for the purposes of monitoring, control, and optimization of resources. While extremely convenient, such a process has also opened the door for sophisticated attacks that included a well-thought out combination of strategies at various levels of abstraction. Whereas previous approaches have been proposed for detecting ongoing attacks, they typically hold a limited scope and lack a well-defined foundation for incorporating security requirements from a broader knowledge base, therefore, they fall short in representing policies that can effectively tackle the distributed and heterogeneous nature of EDS and cannot provide an accurate detection of policy deviations, which can potentially indicate when an attack as the ones described before is underway. With this in mind, this project provides an approach for modeling security requirements based on cybersecurity guidelines for EDS, and later using them to implement an adaptive and customizable framework for the collection and processing of EDS data, thus supporting automated security monitoring, assessment, as well as the implementation of first-response countermeasures as a result, which can assist security officials and operators in effectively preventing and mitigating security incidents.

Reference the research activity fact sheet (PDF) for an extended gap analysis and bibliography.

How does this research activity address the Roadmap to Achieve Energy Delivery Systems Cybersecurity?
In this new activity, we will build a security assessment framework and corresponding systems as follows: first, we will provide support for the efficient monitoring of security-related data, in such a way that the effective assessment of security risks in the context of automated EDS deployments can be achieved as a result, thus allowing for operators to evaluate the state of their EDS infrastructure against a well-defined set of security requirements. Additionally, our approach supports better management of security incidents, e.g., prevention, detection and mitigation, by allowing for security officials to provide data-based evidence that informs the development and implementation of new protective measures to reduce risk, e.g., by providing quantifiable data such that the effectiveness of new technologies for risk reduction can be evaluated and informed decision made to improve OT cyber-security.  

More Information

Research Posters:

• Adaptive and Proactive Security Assessment for Energy Delivery Systems (2017 Industry Workshop)
• Key Distribution for the Internet of Energy (2016 Industry Workshop)
• Robust and Scalable Security Monitoring and Compliance Management for Dynamic Energy Delivery Systems (2016 Industry Workshop)