Defense against cyber-attacks on the Hydro Power Plant connected in parallel with Energy System

In today's modern energy sector, which is increasingly driven towards decentralization and includes many smaller energy producers rather than huge government projects, security against cyber-attacks is becoming more crucial for the energy grid. Since many small energy plants do not have the resources to finance very expensive existing cyber-security systems, they often have no security system in place at all. Although for small energy producers the consequences of an attack are not as devastating as for a huge power plant, such attacks still pose a serious threat to the energy system and to the supply of electricity to whole regions. Moreover, in the era of technology, such cyber-attacks could be carried out simultaneously at many locations, putting the electricity supply of larger areas at risk. Since there was a clearly identified need for such an instrument, the SPEAR consortium started to develop tailor-made solutions for different types of actors in the energy sector, to prevent such occurrences and help secure the energy system. One of the use cases investigated in the project is a real operating hydro power plant in the mountain area of Bulgaria called Leshnitsa, which will be one of the four sites to first test the functionality of the finished product. The plant had no previous cyber-security system in place and had already experienced one attack, in which one of the computers in the plant was hacked and the attackers demanded a ransom to unlock it. Events like this one are proof that the energy sector needs to protect the growing number of small independent actors in the energy system.


I. INTRODUCTION
The energy sector and its infrastructure have significantly improved with the integration of information technologies, which has increased the efficiency of generation, transmission and distribution of electricity services. Various use cases of the digitalization have been highlighted [1], indicating a more advanced, data-driven energy system. Smart cities and homes are also emerging where IoT is integrated with the energy provisioning. However, these advances also have their downside. The probability of attacks on the smart grid has increased [2], [3], [9]. These attacks also put at risk personal data that may be associated with these smart technologies, including the Internet Protocol (IP) addresses and smart meters used to reach individual consumers [10], [11], [12], [13], [14].
A platform to overcome these problems will be used. It will collect and process the following types of data: network traffic, operating system shell commands, keystrokes, communications and syslogs collected from the devices in the smart grid, sensors, gateways, etc.; quantitative data related to day-to-day activity (event data produced after processing collected raw data); and data on cyber-attacks and threats for information sharing through an anonymous channel/repository. The tools proposed by the platform aim to provide effective detection, response and countermeasures against advanced cyber threats and attacks targeted at smart grids. Such tools are important from a user perspective, as the ability to detect different kinds of attacks on confidentiality, integrity and availability, as well as the timely detection of these attacks, are key to the users' business model. If the settings of the smart grid are "manipulated with malicious intent, it can pose a serious threat to the business operations, plant equipment and grid equipment, safety of power plant personnel as well as safety of the local population" [61]. This is a threat of significant concern, requiring a thorough understanding of the needs of the energy operators when designing the proposed tools.
In all, this paper highlights the methodology for specifying the platform's software requirements: the process of determining the potential users' needs, and the requirements that ensure the requisite privacy and security controls are embedded into the architecture of the system to be developed, using a "data protection and security by design" approach.
The paper is outlined as follows. In the next chapter an overview of the developed platform is presented. In Chapter III a methodology to capture the user, privacy protection, and data security requirements of the platform is given. Finally, Chapter IV gives the concluding remarks for a multi-component tool that allows for detection and signalization, forensic investigation and possibly prevention of cyber-attacks.

II. OVERVIEW OF THE PLATFORM
The platform aims to support energy operators with a tool that can be deployed for detecting, responding to and taking countermeasures against advanced cyber threats and attacks targeted at modern smart grids. The platform is proposed as a three-tier system, where each part has a different yet complementary role. The first tier builds an advanced all-in-one, open source Security Information and Event Management (SIEM) tool, designed for timely detection of threats and attacks in smart environments. The second tier provides a rigorous forensic framework, the SPEAR Forensic Readiness Framework (SPEAR-FRF), which aims to assure forensic readiness in the sense that the applied network forensic strategies are deployed before a cyber-attack incident takes place. Innovative techniques employed in this tier include an Advanced Metering Infrastructure (AMI) and honeypots for attracting attackers and capturing the attack traces that forensic procedures need in order to secure a detailed and complete report of the launched attack for legal purposes. The third tier is designed in line with two major requirements of all security-oriented organizations: increasing the trust between smart grid operators and facilitating EU consensus towards confronting cyber-attacks. In this respect, the platform not only proposes standalone solutions but goes further by inaugurating an anonymous and secure communication channel between all energy operators in the EU. To this end, all platform SIEM tools are interconnected via a common and distributed incident database, called the platform Repository of Incidents (RI), where updates, patches and best practices are anonymously exchanged, in real time, without risking an organization's reputation or exposing weak parts of the grid. The objective of this task is to capture the user, privacy protection, and data security requirements of the SPEAR platform given the project's objectives.
In general, the design of the SPEAR project is based on the ARCADE methodology framework [8]. To complete the tasks described in this report, desktop research, questionnaires and consultations with relevant project partners were used. According to the common rules for the internal market in electricity, entities engaging in "electricity undertaking" include any natural or legal person carrying out at least one of the following functions: generation, transmission, distribution, supply, or purchase of electricity. This assisted in identifying and defining the SPEAR end-users, including consumers.

A. User requirements investigation
This section describes only the user requirement investigation based on the viewpoint requirement extraction of the ARCADE framework. Three complementary methods were applied in parallel in order to achieve better results in the collection of the SPEAR user requirements. These methods are both quantitative and qualitative:
• Observation and field visit: These are types of correlational methods in which an analysis team observes users (i.e., energy providers) as they work and takes notes of the activities that occur during the execution of their job tasks. In the SPEAR project, each use case partner and end-user partner conducted this user observation and field visit on its own premises in order to collect and extract user requirements. Some academic partners (e.g., UOWM) more familiar with the concepts of Quality Assurance and Project Management techniques visited the premises of the use case partners (e.g., VETS) as the analysis team.
• Interview: This is the most common technique for gathering requirements. The users are interviewed by the requirements analysis team to obtain information about their needs and requirements in relation to the new system. In the SPEAR project, the interviews were conducted in the form of teleconferences among the use case partners and the end-users in order to understand and detect user requirements.

B. Privacy and security requirements investigation
The privacy and security requirements investigation comprises both the identified requirements of the users and the general system requirements of SPEAR (during the system's development and actual use in a real environment). The users' aspect was obtained with the method above.
• Questionnaire: To identify whether personal data will be processed in the development and actual use of the platform, a questionnaire was also sent to all the other project partners, asking them to describe the nature of the data they intend to process in the project. The questionnaire introduces the meaning of personal data and records the intention of the partners to collect and process personal data within the scope of the platform.
• System architecture analysis: The description of the SPEAR system's input and output data was analyzed to obtain the privacy and security requirements for the system. Privacy and security experts in the project collaborated in this task, and the use case scenarios afforded the opportunity to imagine some of the input and output data of the system.
• Desktop research: The legal and ethical framework (laws, guidelines, standards, etc.) relevant for privacy and security in smart energy systems was investigated through desktop research and analyzed using a doctrinal approach.
C. Requirements specification model and link with the system's specification and architecture
1) User requirements elicitation
As mentioned earlier, a user-oriented approach [62] has been adopted to identify the SPEAR user requirements. In their responses to the questionnaire circulated by LUH asking for requirements, the SPEAR end-users represented by the Use Case partners (VETS, Schneider/Enel, PPC, and CERTH) highlighted a number of key aspects, even though some of them are beyond the scope of SPEAR. First, these users stressed the need for a quick response time, in which the SIEM would detect and allow responses to cyber-attacks, preferably in near real-time; the time interval for the forensic analysis to be ready was seen as less critical, with 3-7 days suggested by one respondent as a reasonable margin. Second, the type of threat that users regarded as most requiring protection against varied to some extent according to the nature of their enterprise. Thus VETS, in the context of running its hydroelectric power station, flagged as critical the risk that a cyber-intruder might gain access to the main control unit and manipulate the parameters or settings of the unit; this could involve direct physical means (malware on a USB stick). In the Smart Home scenario, CERTH noted the specific added risk of eavesdropping and extortion attacks that aim to steal information from the occupants as a basis for committing fraud or even extortion against the latter.
For their part, Schneider/ENEL and PPC, from the perspective of large utility providers, stressed the need for their Smart Grid to be safeguarded from DDoS attacks. However, they also flagged as important that the SIEM send an alert (including by email or SMS to key offsite personnel) in case a cyber-attacker seeks to take over remote control of devices and communications: this presupposed that the SIEM would be able to identify attacker behavior that deliberately mimics the real behavior of the system. PPC identified the IAN and HAN scenarios in its Testing, Research and Standards Centre as especially central to its security needs.
A further suggestion of VETS was that the system could allow for the disconnection of elements under attack, while maintaining just the most critical components for the essential functioning of the plant. It was also deemed important that, in visually presenting attack information, the Visual-based IDS should employ a chronological dimension that allows the user to understand quickly how different incidents unfold and relate to each other across time. Ideally, this information should be layered, with the user able to click on a given incident to see further details for it presented in an 'expert mode'. In relation to cyber-hygiene issues, the partners identified the need for the SPEAR system to reflect and support, as far as possible, information security standards and frameworks such as the ISO 27000 specifications, IEC 62351 and IEC 62443, as well as the data protection requirements of the GDPR, to assist the partners in meeting them.

1) The Hydro Power Plant Scenario
a) Description of the Hydro Power Plant
Hydro power is an essential part of the electricity mix and is the biggest contributor to renewable energy production worldwide, constituting more than 50% of the global RES production [64]. Hydro power plants vary in size and technology and have a different impact on the local or regional grid. The hydro power plant scenario includes real testing of the developed SPEAR tools and components in an operational electricity production facility. HPP Lenishta is located in the mountain area of Bulgaria (near the city of Razlog) and has an installed capacity of 500 kW. The plant is connected to the distribution grid via a 370-meter-long 20 kV transmission line. The SPEAR components will be running to detect attacks. The types of attacks will vary in order to confirm SPEAR's ability to differentiate between a cyber-attack and anomalies caused by extreme weather conditions.

b) Components and related data for the Hydro Power Plant scenario
The components existing in the Hydro Power Plant are as follows:
• Plant equipment (valve, turbine, generator, transformer, switchgear, sensors) - all power plant components generate signals and communicate them to the PLC units. A set of sensors performs measurements of pressure, temperatures, water levels and other critical parameters for operation.
• Control Module PLC - gathers data from the plant equipment either directly or through additional PLC units, and makes decisions about the plant operation based on the received values and the preset limits.
• HMI - visualizes information from the control module and allows for monitoring and operating the power plant. This can also be done through remote control of the HMI.
• Particle Photon (IoT) - an open source product, which communicates through Modbus TCP/IP with the Control module and collects data, which it then visualizes on an IoT application. The Blynk application is used for remote monitoring of the PLC visualization module. Currently, control functions are also being developed.
• Raspberry Pi (IoT) - two separate devices that collect data about the plant performance from the Control module. The first one sends data to the balancing operator, which is necessary for correct forecasting of production and grid stability. The other one collects information about operational data and sends it to the O&M operator for continuous monitoring of the power plant status, enabling timely preventive maintenance measures.
The potential SPEAR components to be integrated and the functionalities required from them are the following:
• SPEAR SIEM - the detection tool with its related components will detect and warn about any suspicious activities which may constitute a cyber-attack. The platform will use state-of-the-art analytics tools, graphical-aided visualization techniques and trust management mechanisms in order to detect anomalies and disruptions in the data traffic and alert about them in real time.
• Honeypots - these simulate the vulnerable hydro power plant PLCs and IoT devices and capture as much information as possible about the attack and attacker, including IP addresses, timestamps, access ports, communication protocols and other details.
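One check the SIEM's traffic monitoring could apply to the Modbus TCP/IP links listed above, as an added example (not SPEAR project code): it parses the MBAP header of each request sent to the Control Module PLC and alerts when a read-only collector issues a write, an unknown host appears, or a frame is malformed. The IP addresses, the role-to-permission policy and the sample frames are assumptions constructed for illustration.

```python
import struct

READ = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
WRITE = {5, 6, 15, 16, 22, 23}  # write coils / registers, mask write, read-write

# Assumed policy: the IP addresses are placeholders; only the HMI may write.
POLICY = {
    "10.0.0.10": ("HMI", READ | WRITE),
    "10.0.0.21": ("Particle Photon", READ),
    "10.0.0.31": ("Raspberry Pi (balancing)", READ),
    "10.0.0.32": ("Raspberry Pi (O&M)", READ),
}

def build(tid, unit, pdu):
    """Build a Modbus TCP request: 7-byte MBAP header followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def function_code(frame):
    """Validate the MBAP header and return the request's function code."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(frame) - 6:  # length counts the unit id plus the PDU
        raise ValueError("MBAP length field does not match frame size")
    return frame[7]

def check(src_ip, frame):
    """Return an alert string for a request sent to the PLC, or None if allowed."""
    if src_ip not in POLICY:
        return f"ALERT unknown host {src_ip} sent Modbus traffic to the PLC"
    role, allowed = POLICY[src_ip]
    try:
        fc = function_code(frame)
    except ValueError as exc:
        return f"ALERT malformed frame from {role} ({src_ip}): {exc}"
    if fc not in allowed:
        kind = "write" if fc in WRITE else "unlisted"
        return f"ALERT {kind} function code {fc} not permitted for {role} ({src_ip})"
    return None

# Constructed sample requests: (source IP, raw bytes as seen on TCP port 502).
SAMPLES = [
    ("10.0.0.10", build(1, 1, b"\x06\x00\x10\x01\xf4")),              # HMI writes a setpoint
    ("10.0.0.21", build(2, 1, b"\x03\x00\x00\x00\x0a")),              # Photon reads 10 registers
    ("10.0.0.32", build(3, 1, b"\x10\x00\x10\x00\x01\x02\x00\x00")),  # Pi writes a register
    ("10.0.0.99", build(4, 1, b"\x03\x00\x00\x00\x0a")),              # host not in the inventory
    ("10.0.0.21", b"\x00\x05\x00\x00\x00\x09\x01\x03"),                # length field is wrong
]

if __name__ == "__main__":
    for src, frame in SAMPLES:
        print(src, check(src, frame) or "ok")
```

If the control functions under development for the Particle Photon are deployed, its entry in the assumed policy would need the specific write codes it is meant to use.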
Data collected during the deployment of the use case and the lifespan of the project:
• Communication Data - data communication between the plant equipment, PLC and smart devices includes strictly industrial measurement data regarding operational readiness. Metrics like equipment temperatures, water levels, voltage and other hydro power related measures do not include any personal information.
• Data from the Honeypots - honeypots simulating the PLC controller and the IoT devices will collect detailed information regarding the attack and attacker, which may include personal data.
Outputs:
• Visual-based IDS shall provide a visual representation of the SPEAR SIEM functionalities in the hydro power plant architecture.
• PLC Honeypot shall store logs and generated network traffic.

c) Hydro Power Plant use case scenario definition
Table 2 describes the Hydro Power Plant scenarios, while Figure 3 shows the roles of the actors identified for this use case.
• Platform Security Engineer - a person responsible for installation, monitoring and operation of the SPEAR platform in the hydro power plant. Since the Lenishta power plant is fully automated and does not require human presence full time, the security engineer would be accessing the plant and platform software remotely. He is responsible for receiving notifications from the platform and taking the necessary measures to react to the cyber-attack.
• Hydro power plant operator - a person with technical and operational knowledge of the plant who, when necessary, physically controls the facilities through the control module or the HMI inside the control room.
• Cyber-attacker - a person conducting the cyber-attack either remotely or by physically connecting a hard drive with malicious software to the control module or HMI.

IV. CONCLUSION
In order to address the growing concern for cyber-security in the modern decentralized energy sector, the SPEAR consortium has developed a state-of-the-art security product, which can be deployed at many different actors in the energy sector. The SPEAR platform is a multi-component tool that allows for detection and signalization, forensic investigation and possibly prevention of cyber-attacks. The consortium has included end users from four very different actors in the energy sector to ensure the platform is accessible and applicable to any stakeholder. In the presented hydro power plant Leshnica, the SIEM component of the platform will monitor the network traffic between all components in the hydro power plant and, using its advanced analytic tools, will detect any anomalies or discrepancies almost instantly. Once an anomaly has been detected, the platform will immediately send signals to the security operator of the plant, who can assess the information from the visualization screen of the platform and take the necessary measures to minimize the possible risks and damages. Additional components of the platform, such as the AMI honeypots and the SPEAR-FRF, will try to "distract" the attacker from the actual components and record as much information about the attack and attacker as possible and as permitted by personal data regulations. Overall, the SPEAR platform will provide security and improve productivity not only in hydro power plants, but for all energy stakeholders, including power generating plants, substations, smart homes and more.