Cybersecurity Situational Awareness and Moving Target Defense for DER Networks in Smart Grid
dc.contributor.advisor | Govindarasu, Manimaran | |
dc.contributor.advisor | Guan, Yong | |
dc.contributor.advisor | Jacobson, Doug | |
dc.contributor.advisor | Zheng, Mai | |
dc.contributor.advisor | Kamal, Ahmed | |
dc.contributor.author | Abdelkhalek, Moataz | |
dc.contributor.department | Department of Electrical and Computer Engineering | |
dc.date.accessioned | 2022-11-09T05:48:15Z | |
dc.date.available | 2022-11-09T05:48:15Z | |
dc.date.issued | 2022-08 | |
dc.date.updated | 2022-11-09T05:48:15Z | |
dc.description.abstract | The electric power grid of today has evolved into a densely interconnected cyber-physical system. This transformation has taken place across generation, transmission, and distribution, turning the traditional grid into a smart grid that promises reliability, efficiency, and sustainability. The incorporation of Distributed Energy Resources (DER) such as solar photovoltaic panels, wind farms, electric vehicles, and energy storage facilities into the smart grid is becoming essential, as utilities use these technologies to defer, reduce, or even eliminate the need for additional power infrastructure while providing power support and enhancing local reliability and energy sustainability. This has driven rapid growth of DER networks, with increasing infrastructure digitization, more data exchange, heavy dependence on insecure communication protocols, and more smart meters and sophisticated controls. Because of their heterogeneous nature, criticality, and high impact, this digital evolution has exposed DER networks to growing cyber attacks and threats. Malicious activity including targeted hacking, malware, malicious code, and botnets is being used to breach DER systems and networks, compromising their confidentiality, integrity, and availability. Conventional IT-based cybersecurity solutions are not adequate to detect these evolving cyber attacks in power system networks. The need to secure the smart grid has never been greater: security measures are required that can transform the current vulnerable grid into the intrusion-resilient grid of the future. The overall objective of this dissertation is to develop and evaluate machine learning-based (ML-based) algorithms for cybersecurity situational awareness and a tailored Moving Target Defense (MTD)-based proactive defense algorithm for DER networks. 
The dissertation analyzes possible cyber attack surfaces and illustrates how DER networks are vulnerable to various stealthy cyber threats that can affect their normal operation. To create a holistic cybersecurity model for DER networks, this dissertation proposes four major contributions, grouped into two solutions tailored to DER characteristics: a cybersecurity situational awareness system and a proactive MTD-based defense mechanism. The cybersecurity situational awareness system encompasses the first three contributions: (1) ML-based Anomaly Detection for DER Communication (Modbus and Distributed Network Protocol 3 (DNP3)), (2) Multi-Step ML-based Event and Alert Correlation for DER Networks, and (3) Real-Time Cybersecurity Situational Awareness for DER Networks. The fourth contribution is a Proactive Attack Prevention model for Software Defined Network (SDN)-enabled DER using a Moving Target Defense technique. In the first contribution, two anomaly detection models are proposed to detect intrusions and improve the resiliency of DER networks. We propose ML-based anomaly detection models (ML-ADS) for detecting known and unknown attacks, tailored to DER communication over Modbus and DNP3. The first model is an ML-ADS for DER Modbus communication. It proposes a novel architecture and methodology for developing five supervised ML-based algorithms that detect stealthy information technology (IT) and operational technology (OT) attacks on DER Modbus communication. To fit DER characteristics, we created DER-specific datasets for training and used feature engineering to extract DER-physics-based and traffic-pattern-based thresholds. The second model is an ML-ADS for DER DNP3 communication, which extends the same methodology to develop seven ML algorithms tailored to stealthy IT and OT intrusions on DER DNP3. 
The proposed ML algorithms distinguish intrusions with high detection accuracy at fine granularity while satisfying real-time latency requirements, so that effective mitigations can be triggered. The second contribution is a multi-stage ML-based alert and event correlation model (ML-AC) for DER networks that identifies the relationships between attack alerts, provides meaningful insight into network intrusions, and establishes high detection confidence. We propose a novel architecture and methodology that applies several alert correlation techniques to the attack alerts output by the first contribution (ML-ADS) to provide holistic temporal-spatial network incident awareness for DER networks. The hybrid 2-tier multi-stage alert correlation model uses several similarity-based and time-series statistical machine learning algorithms to provide cybersecurity situational awareness and detection confidence tailored to DER characteristics, while remaining protocol and environment neutral and agnostic to the intrusion and anomaly detection system (IADS) platform. The model was trained on DER-specific datasets and features to reduce, verify, and track known and unknown attacks at fine granularity and high correlation accuracy. The approach precisely correlates fine-grained alerts into comprehensive incidents for system-wide cybersecurity situational awareness with high alert reduction rates. The result is higher-level correlated graphical and incident representations that allow severity-based effective mitigations. The third contribution is a real-time cybersecurity situational awareness system that provides end-to-end, system-wide cybersecurity monitoring and control for DER networks. 
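The two building blocks described above, protocol-level anomaly detection with DER-physics and traffic-pattern thresholds (contribution 1) and time-window alert correlation into incidents (contribution 2), can be illustrated together on Modbus/TCP. The following Python is an added example written for this page; it is not the dissertation's ML-ADS or ML-AC code, uses rule-based thresholds rather than trained models, and the register map (`DER_REGISTERS`), rate limits and sample frames are constructed assumptions rather than values from the dissertation's datasets.

```python
"""Modbus/TCP anomaly detection with DER-physics thresholds, followed by
time-window alert correlation. Illustrative example with constructed
register map, thresholds and traffic; not the dissertation's models."""
import struct
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical DER holding-register map: address -> (name, min, max).
# A real deployment would take this from the inverter's Modbus/SunSpec profile.
DER_REGISTERS = {
    40: ("active_power_setpoint_pct", 0, 100),
    41: ("reactive_power_setpoint_pct", -60, 60),
    42: ("ramp_rate_pct_per_s", 1, 20),
}
WRITE_FUNCS = {6, 16}     # Write Single Register / Write Multiple Registers
RATE_LIMIT = 3            # assumed: more than 3 writes per source in RATE_WINDOW is abnormal
RATE_WINDOW = 10.0        # seconds


@dataclass
class Alert:
    ts: float
    src: str
    kind: str
    detail: str


def parse_modbus_tcp(frame: bytes):
    """Split a Modbus/TCP ADU into MBAP header fields and the PDU.
    MBAP = transaction id (2), protocol id (2), length (2), unit id (1); then function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    return {"tid": tid, "unit": uid, "func": frame[7], "data": frame[8:]}


def written_registers(pdu):
    """Yield (address, value) pairs for write requests; other functions yield nothing."""
    d = pdu["data"]
    if pdu["func"] == 6:
        addr, val = struct.unpack(">Hh", d[:4])
        yield addr, val
    elif pdu["func"] == 16:
        addr, qty, _nbytes = struct.unpack(">HHB", d[:5])
        for i in range(qty):
            yield addr + i, struct.unpack(">h", d[5 + 2 * i:7 + 2 * i])[0]


class ModbusDetector:
    def __init__(self):
        self.write_times = defaultdict(list)   # per-source timestamps of recent writes

    def inspect(self, ts, src, frame):
        alerts = []
        pdu = parse_modbus_tcp(frame)
        if pdu["func"] not in WRITE_FUNCS:
            return alerts
        # Physics-based check: a setpoint outside the plausible operating envelope
        for addr, val in written_registers(pdu):
            if addr in DER_REGISTERS:
                name, lo, hi = DER_REGISTERS[addr]
                if not lo <= val <= hi:
                    alerts.append(Alert(ts, src, "physics_violation", f"{name}={val} outside [{lo},{hi}]"))
            else:
                alerts.append(Alert(ts, src, "unknown_register", f"write to register {addr}"))
        # Pattern-based check: write rate per source over a sliding window
        recent = [t for t in self.write_times[src] if ts - t <= RATE_WINDOW] + [ts]
        self.write_times[src] = recent
        if len(recent) > RATE_LIMIT:
            alerts.append(Alert(ts, src, "write_flood", f"{len(recent)} writes in {RATE_WINDOW}s"))
        return alerts


def correlate(alerts, window=30.0):
    """Similarity-based correlation: alerts sharing a source within `window` seconds
    of an incident's first alert are merged into that incident."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for inc in incidents:
            if inc["src"] == a.src and a.ts - inc["start"] <= window:
                inc["alerts"].append(a)
                inc["kinds"].add(a.kind)
                break
        else:
            incidents.append({"src": a.src, "start": a.ts, "alerts": [a], "kinds": {a.kind}})
    for inc in incidents:
        multi = "physics_violation" in inc["kinds"] and len(inc["kinds"]) > 1
        inc["severity"] = "high" if multi else "medium"
    return incidents


def write_single(tid, unit, addr, val):
    """Build a Write Single Register ADU (constructed test traffic)."""
    pdu = struct.pack(">BHh", 6, addr, val)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def demo():
    det = ModbusDetector()
    # Constructed traffic: one benign setpoint, then a burst of out-of-range writes.
    traffic = [(0.0, "10.0.0.5", write_single(1, 1, 40, 80))]
    traffic += [(1.0 + i, "10.0.0.99", write_single(10 + i, 1, 40, 250)) for i in range(5)]
    alerts = [a for ts, src, f in traffic for a in det.inspect(ts, src, f)]
    return alerts, correlate(alerts)


if __name__ == "__main__":
    alerts, incidents = demo()
    print(f"{len(alerts)} alerts -> {len(incidents)} incident(s)")
    for inc in incidents:
        print(inc["src"], inc["severity"], sorted(inc["kinds"]))
```

The burst in `demo()` raises seven fine-grained alerts (five physics violations and two rate-threshold alerts) that collapse into a single high-severity incident for one source, which is the alert-reduction effect the correlation stage is meant to deliver to an operator.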
We propose and develop a novel 2-tier DER cybersecurity situational awareness architecture that incorporates the two previously proposed contributions, the DER anomaly detection models (ML-ADS) and the DER alert correlation models (ML-AC), using multi-agent distributed programmable physical Edge Intelligent Device (EID) sensors together with a centralized cloud-based Security Information and Event Management (SIEM) implementation and integration. We validated the practical feasibility and efficacy of the proposed system on a close-to-real-world Hardware-In-the-Loop (HIL) Cyber Physical Systems (CPS) DER testbed. A wide range of stealthy IT-based and OT-based attacks was used to evaluate system performance and behavior. The proposed architecture achieves high intrusion detection accuracy with a feasible implementation and functional interoperability between multiple ML-ADS/ML-AC sensors (EID platform) and the ML-ADS/ML-AC master engine (cloud platform), with latency low enough to allow normal DER operation. The fourth contribution is a proactive attack prevention model for DER using an SDN-enabled moving target defense technique. We propose MTD-enabled route hopping/switching using an SDN-based WAN (SD-WAN) for DER networks. The technique switches communication paths between the physical and cyber layers of the grid in order to mitigate the impact of a Denial-of-Service (DoS) attack on DER network communications. We developed a fully customizable SD-WAN with automated MTD path hopping/switching and implemented this architecture on a realistic HIL testbed to demonstrate the feasibility and efficacy of such a system in a close-to-real-world environment. Several DoS attack volumes and MTD switching frequencies were evaluated, and the results show that the proposed MTD-enabled SDN technique significantly reduces the impact of DoS attacks on DER networks compared with a traditional static DER communication network. 
This research opens several avenues for future work, including: (1) active intrusion response models for DER networks that combine the proposed anomaly detection models with the SD-WAN architecture, to thwart DER network attacks by filtering or blocking malicious packets at their first point of entry into the DER SD-WAN; (2) anomaly detection for other DER communication protocols, adapting the proposed ML-ADS model to cover more of DER communication; and (3) expanding and adapting the proposed cloud-based 2-tier architecture to other DER cybersecurity implementations. | |
dc.format.mimetype | | |
dc.identifier.doi | https://doi.org/10.31274/td-20240329-190 | |
dc.identifier.orcid | 0000-0003-1280-5423 | |
dc.identifier.uri | https://dr.lib.iastate.edu/handle/20.500.12876/RwyqkD8w | |
dc.language.iso | en | |
dc.language.rfc3066 | en | |
dc.subject.disciplines | Computer engineering | en_US |
dc.subject.keywords | Alert Correlation | en_US |
dc.subject.keywords | Anomaly Detection (IDS) | en_US |
dc.subject.keywords | Cybersecurity | en_US |
dc.subject.keywords | Distributed Energy Resources (DER) Smart Grid Security | en_US |
dc.subject.keywords | Machine Learning | en_US |
dc.subject.keywords | Software-Defined Networking (SDN) Moving Target Defense (MTD) | en_US |
dc.title | Cybersecurity Situational Awareness and Moving Target Defense for DER Networks in Smart Grid | |
dc.type | dissertation | en_US |
dc.type.genre | dissertation | en_US |
dspace.entity.type | Publication | |
relation.isOrgUnitOfPublication | a75a044c-d11e-44cd-af4f-dab1d83339ff | |
thesis.degree.discipline | Computer engineering | en_US |
thesis.degree.grantor | Iowa State University | en_US |
thesis.degree.level | dissertation | |
thesis.degree.name | Doctor of Philosophy | en_US |
File
Original bundle
- Name: Abdelkhalek_iastate_0097E_20376.pdf
  Size: 9.83 MB
  Format: Adobe Portable Document Format
- Name: Abdelkhalek_iastate_0097E_23/[Moataz_Abdelkhalek] PhD_Publications_ProQuest_v3.pdf
  Size: 40.73 KB
  Format: Adobe Portable Document Format
License bundle
- Name: license.txt
  Size: 0 B
  Format: Item-specific license agreed upon to submission