
A Security Simulation Framework for Smart Grids

Wilson Rivera Computer Science and Engineering Department

University of Puerto Rico at Mayaguez Mayaguez, PR 00660, USA

Fabio Andrade Electrical and Computer Engineering Department

University of Puerto Rico at Mayaguez Mayaguez, PR 00660, USA

Abstract—This paper describes a security simulation framework that uses distributed security components to simulate attacks on smart grids. The proposed security simulation framework integrates hardware in the loop (HIL) for real-time evaluations, and software components to provide wide-area network emulation.

Keywords—smart grid, security, honeypots

I. INTRODUCTION

Smart grids enable bidirectional power flows and use two-way communication and control capabilities. This is a departure from traditional power grids, with their one-way communication and limited control. In a smart grid, sensors, computers and communication networks are integrated into the power grid. The resulting infrastructure introduces new cybersecurity vulnerabilities and attack scenarios [1]. Vulnerabilities in networked systems may now span smart grid domains, increasing the likelihood of cascading failures. Because of the complexity of the power infrastructure and the increasingly sophisticated nature and speed of malicious attacks, current security responses are inadequate. One problem, for example, is that existing infrastructure is connected to the Internet without security considerations. Another is that the increased penetration of monitoring and control capabilities into the new system opens new possibilities for security breaches.

In this paper we describe the architecture of a distributed security framework that allows us to collect information from the smart grid using multiple distributed security components. This framework allows the simulation of security attacks and evaluation of anomaly detection techniques.

The paper is organized as follows. Section II describes related work. Section III introduces the framework architecture and describes design and implementation issues. Section IV presents preliminary results. Finally, some conclusions and future work are pointed out in Section V.

II. RELATED WORK

Cyber security issues in smart grids have received tremendous attention in the past few years. Specific guidelines for smart grid cyber security can be obtained from the NIST Smart Grid Interoperability Panel [2]. Wang et al. [3] provide a comprehensive analysis of smart grid security standards. Smart grid security requirements and concepts are well documented in several works [4-7]. Different cyber-physical testbeds for smart grids have been proposed [8-16].

Cárdenas et al. [17] evaluated the benefits and costs associated with both centralized and distributed intrusion detection system (IDS) solutions, and proposed a cost-model framework that can be used to make informed decisions when selecting IDS deployment architectures.

Farag et al. [18] proposed CyNetPhy, a conceptual layering model of the smart grid which coordinates between various layers to address operational and security requirements of the energy grid.

Sedjelmaci and Senouci [19] proposed an attack detection mechanism for a smart grid in which detection agents run in a distributed fashion at smart meters and in a centralized fashion at collector and control center nodes. In addition, rule-based detection and classification are used to detect both malware and Denial of Service (DoS) attacks.

Yang et al. [20] presented a SCADA-oriented IDS that analyzes multiple attributes to provide a comprehensive solution, allowing the mitigation of security threats in smart grids.

Berthier et al. [21] proposed a specification-based IDS that does not require empirical data to detect intrusions. The drawback of this approach is its overhead, which may make it impractical to run a specification-based IDS directly on some smart meters.

Wang et al. [22] incorporated honeypots into the AMI network as a decoy system to detect and gather attack information. By analyzing the interactions between attackers and defenders, they derived optimal strategies for both sides and proved the existence of several Bayesian Nash equilibria in the honeypot game.

Hastings et al. [23] set up a test honeypot system to emulate a device on a utility network, and discussed at length how larger-scale utility systems may benefit from honeypot placement.

The distributed security simulation framework proposed in this paper is similar to the work discussed above in terms of the distributed nature of the IDS. However, it provides mechanisms to explore and evaluate anomaly detection techniques in a more scalable distributed environment under transactive energy considerations.

64 Int'l Conf. e-Learning, e-Bus., EIS, and e-Gov. | EEE'18 |

ISBN: 1-60132-474-X, CSREA Press ©


Our team at the University of Puerto Rico, Mayaguez (UPRM) is currently developing a novel smart grid concept called Open Access Smart Grids (OASIS) [24]. The smart grid is modeled as a collection of interdependent services. These services can be dynamically combined to establish service dependencies between energy producers and consumers. The underlying electric resources and services are open to access and provisioning by third parties, maximizing the benefits of smart grids. It has an important societal dimension, as it empowers ordinary citizens, especially those living in vulnerable or underserved communities, to become key actors in a sustainable energy market and to sway prices and infrastructure development in their favor. Hence, OASIS is a platform to implement the concept of Transactive Energy, in which distributed generators are coordinated through software, creating a type of software-defined electric grid and featuring a market-based mechanism to establish prices.

III. SIMULATION FRAMEWORK

The proposed security simulation framework is a distributed architecture (see Figure 1) which consists of (1) a hardware in the loop subsystem that enables real-time emulation of a power system, (2) a simulation subsystem for modeling network communications and surrounding devices, and (3) a set of security engine nodes (SENs) deployed to monitor security parameters.

Figure 1: Framework Architecture

As illustrated in Figure 2, a security engine node (SEN) may be either a monitoring agent (MA), which detects micro-events from streaming data, or an aggregation agent (AA), which applies machine learning (ML) to determine security issues. Each MA forwards information on specific events to the nearest AA, which applies classification to detect potential attacks; a trust analysis step is then performed on the result to produce a validated security event. We implement this technology as an API so that it can be easily extended to other platforms. To fully develop SENs we implement mechanisms such as randomizing engine locations, establishing communication protocols between SENs, and synchronizing crossover information. We build on existing work on a service level agreement platform [25]. The framework includes profiles for a number of security attacks, including IP spoofing, malicious software infection, and denial-of-service attacks. These profiles can be modified to reproduce specific attack scenarios.

Figure 2: Hierarchical Distribution of Security Engine Nodes

Figure 3: Testing Platform Microgrid Laboratory

The scenarios are simulated through a co-simulation framework, which allows entities to be modeled at their own system level and integrated through operational coupling methods so that they exchange data while running in multiple domains with different time steps. We use Mosaik [26], a smart grid co-simulation framework that allows developers to create, modify, reuse, and combine new and existing simulators to build large-scale smart grid scenarios. This is achieved through the Simulator class. Classes that inherit from it must implement the create, step, and get data methods. In the create method the entities of a specific simulator are created with their unique identifiers and type; these identifiers distinguish the entities when, for example, they communicate their information to other entities. Once the entities are created, the step method can be called to carry out their behavior. The step method performs a simulation step for a time interval based on some input data, which can be information posted by other entities at run time. For example, the information for all the houses in a simulator can be loaded into memory from a Comma Separated Values (CSV) file at a specific time, allowing operations to be performed on it. Then this information is stored in a data structure that is later read in the get data method and posted to other entities. The step method returns the time at which the data is to be posted. It is important to note that the time steps of the simulators do not have to be the same: Mosaik handles this by setting the global time step to the time step of the most frequent simulator. For instance, if the time step of one simulator is t and that of another is t + n, the second would see the information posted by the first n times. In the get data method the data of a simulator is posted to other simulators. The data prepared in the step method is put in another data structure that contains the source entity's unique identifier and the information it wants to post; the information must contain the attribute name and its associated value. Any information posted by a specific entity can only be read by the entities connected to it. Connections can be defined in a JavaScript Object Notation (JSON) file for PYPOWER, and at run time by calling the connect, connect one to many, and connect randomly methods. The JSON file contains nodes, transformers, and branches with their respective relevant values; the branches are pairs of nodes, or nodes with transformers, in this case. The connection methods are called on a world object that represents the scope of a simulation. The connect method connects two entities through their specified attributes. For example, a house can be connected to a node through their respective P out and P attributes: from the node's point of view the power flows out, while from the house it flows in.
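The create / step / get data flow described above, as an added example that is not part of the paper and does not use Mosaik itself (nothing is imported from it): a toy scheduler stands in for Mosaik's world object, two house entities step every time unit and one node entity steps every two units, and posted data only reaches entities that were explicitly connected. The entity ids, the attribute names P_out and P, the CSV rows and the HouseSim, NodeSim and World names are constructed for illustration.

```python
# Toy co-simulation in the style of the Mosaik API. Added example, not Mosaik
# and not the authors' code; entity ids, attributes and CSV rows are constructed.
import csv
import io

HOUSE_CSV = """house,t0,t1,t2,t3
H1,1.2,1.4,1.1,1.3
H2,0.8,0.9,0.7,1.0
"""   # constructed: consumption per house and interval, kWh

class HouseSim:
    """Posts each house's consumption as attribute 'P_out' every time unit."""
    STEP = 1
    def __init__(self):
        self.readings = {}   # eid -> readings loaded from the CSV
        self.current = {}    # eid -> value prepared in step(), read in get_data()

    def create(self, num, model="House"):
        entities = []
        for row in list(csv.DictReader(io.StringIO(HOUSE_CSV)))[:num]:
            eid = row.pop("house")
            self.readings[eid] = [float(v) for v in row.values()]
            entities.append({"eid": eid, "type": model})
        return entities

    def step(self, time, inputs):
        # 'inputs' holds values posted by connected entities; houses use none.
        for eid, series in self.readings.items():
            self.current[eid] = series[min(time, len(series) - 1)]
        return time + self.STEP   # time of this simulator's next step

    def get_data(self, outputs):   # {eid: [attr, ...]} -> {eid: {attr: value}}
        return {eid: {"P_out": self.current[eid]} for eid in outputs}

class NodeSim:
    """Grid node summing the 'P' it receives; steps every two time units."""
    STEP = 2
    def __init__(self):
        self.total, self.log = {}, []   # log: (time, eid, total P)

    def create(self, num, model="Node"):
        return [{"eid": f"N{i}", "type": model} for i in range(num)]

    def step(self, time, inputs):   # inputs: {eid: {attr: {src_full_id: value}}}
        for eid, attrs in inputs.items():
            self.total[eid] = sum(attrs.get("P", {}).values())
            self.log.append((time, eid, self.total[eid]))
        return time + self.STEP

    def get_data(self, outputs):
        return {eid: {"P": self.total.get(eid, 0.0)} for eid in outputs}

class World:
    """Minimal scheduler: data travels only along declared connections."""
    def __init__(self):
        self.sims, self.next_step, self.posted = {}, {}, {}
        self.connections = []   # (src_full_id, dest_full_id, src_attr, dest_attr)
        self.wanted = {}        # sid -> {eid: {attr}} requested by some connection

    def add(self, sid, sim, num, model):
        """Registers a simulator and creates num entities; returns full ids."""
        self.sims[sid], self.next_step[sid], self.wanted[sid] = sim, 0, {}
        return [f"{sid}.{e['eid']}" for e in sim.create(num, model)]

    def connect(self, src, dest, *attr_pairs):
        ssid, seid = src.split(".", 1)
        for src_attr, dest_attr in attr_pairs:
            self.connections.append((src, dest, src_attr, dest_attr))
            self.wanted[ssid].setdefault(seid, set()).add(src_attr)

    def _inputs_for(self, sid):
        inputs = {}
        for src, dest, sa, da in self.connections:
            dsid, deid = dest.split(".", 1)
            if dsid == sid and src in self.posted:
                inputs.setdefault(deid, {}).setdefault(da, {})[src] = self.posted[src][sa]
        return inputs

    def run(self, until):
        # Global time advances at the step of the most frequent simulator.
        resolution, t = min(s.STEP for s in self.sims.values()), 0
        while t < until:
            for sid, sim in self.sims.items():
                if self.next_step[sid] == t:
                    self.next_step[sid] = sim.step(t, self._inputs_for(sid))
                    for eid, attrs in sim.get_data(self.wanted[sid]).items():
                        self.posted[f"{sid}.{eid}"] = attrs
            t += resolution

def run_demo(until=4):
    """Two houses feed one node; returns the node's per-step totals."""
    world = World()
    houses = world.add("house", HouseSim(), 2, "House")
    node = world.add("node", NodeSim(), 1, "Node")[0]
    for house in houses:
        world.connect(house, node, ("P_out", "P"))   # house P_out -> node P
    world.run(until)
    return world.sims["node"].log
```

Calling run_demo() steps the houses at t = 0, 1, 2, 3 and the node at t = 0 and 2; the node's log holds the sum of the two P_out values it was connected to at each of its own steps, and nothing a house posts is visible to an entity without a connection to it.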

For the hardware in the loop subsystem we use the infrastructure of the Microgrid laboratory at the University of Puerto Rico at Mayaguez (UPRM). The Microgrid lab (illustrated in Figure 3) is a highly scalable smart grid instrument that can run simulations of the power system and supports real-time operation solutions for advanced grid architectures (microgrids), enabling very high penetration of renewable energy in a secure and reliable way. The Microgrid laboratory uses a communication tool that allows real-time interaction between the various components of the instrument. The framework contains the definition of two reusable application programming interfaces (APIs), a reference implementation of those APIs in Java, and components to interface with simulation tools such as MATLAB, Simulink and dSpace. The hardware in the loop subsystem consists of three major components: a real-time simulator, a controller personal computer, and a server for hosting intelligent agents. Although in some cases it is possible to avoid an intermediate host, we decided to use one in these initial tests to avoid overrun situations on the simulator, since everything on it must run in lock-step with the simulation; supporting some of the I/O operations required by the programming interface (PI) within it would need additional consideration. The two handlers (embedded and host) are Python scripts that use the platform-specific event handling framework of the simulation tool to connect it to the external world. Host call events are fired by the embedded handler at frequent intervals, when certain conditions in the model are met, or when an explicit request is made by the model. The host can mask the electrical distribution network by creating virtual (non-existent) nodes that can fool malicious scripts searching for security holes. The host handler should return results to the embedded handler fairly quickly, so it is limited to two simple operations: (1) queue new or processed read, write, subscribe or call-back transactions to the transaction out queue; (2) de-queue new or returning read, write, subscribe or call-back transactions from the transaction in queue.
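The host handler's two queue operations together with the decoy virtual nodes, as an added example that is not the authors' handler code: the host side is modelled as an in-queue and an out-queue of transactions, reads of real nodes are answered from the last measured values, and reads or writes addressed to virtual nodes absent from the electrical model get a plausible answer while being recorded as security events for the SENs. The node ids, the transaction fields, the HostHandler class and the probing client are constructed; the simulation tool's event framework that fires the host calls is not modelled.

```python
# Host handler with transaction queues and decoy nodes. Added example, not the
# authors' code; node ids, transaction fields and the probe are constructed.
import random
from collections import deque

REAL_NODES = {"bus1": 13.8, "bus2": 13.7, "bus3": 13.9}   # last measured kV
VIRTUAL_NODES = {"bus4", "bus5", "ctrl-backup"}           # absent from the model

class HostHandler:
    def __init__(self, seed=1):
        self.tx_in = deque()    # transactions received from the embedded handler
        self.tx_out = deque()   # new or processed transactions going back
        self.events = []        # security events for the security engine nodes
        self.rng = random.Random(seed)   # seeded so decoy answers are repeatable

    def enqueue(self, tx):
        self.tx_in.append(tx)

    def _decoy_event(self, tx):
        self.events.append({"type": "decoy_access", "op": tx["op"],
                            "node": tx["node"], "src": tx.get("src")})

    def _read(self, tx):
        node = tx["node"]
        if node in REAL_NODES:
            return {"status": "ok", "value": REAL_NODES[node]}
        if node in VIRTUAL_NODES:
            self._decoy_event(tx)
            # Plausible nominal value with jitter, so the probe keeps talking.
            return {"status": "ok",
                    "value": round(13.8 + self.rng.uniform(-0.1, 0.1), 2)}
        return {"status": "error", "reason": "unknown node"}

    def _write(self, tx):
        node = tx["node"]
        if node in VIRTUAL_NODES:
            self._decoy_event(tx)
            return {"status": "ok"}        # accepted; nothing actually changes
        if node in REAL_NODES:
            return {"status": "queued"}    # forwarded to the simulator as-is
        return {"status": "error", "reason": "unknown node"}

    def _passthrough(self, tx):
        # subscribe / call-back transactions are queued unchanged for the model
        return {"status": "queued"}

    def process(self):
        """One host call: (2) drain tx_in, then (1) queue each result to tx_out."""
        handlers = {"read": self._read, "write": self._write,
                    "subscribe": self._passthrough, "callback": self._passthrough}
        handled = 0
        while self.tx_in:
            tx = self.tx_in.popleft()
            handler = handlers.get(tx["op"])
            result = handler(tx) if handler else {"status": "error",
                                                  "reason": "unsupported op"}
            self.tx_out.append({**tx, "result": result})
            handled += 1
        return handled

    def suspicious_sources(self):
        """Any source that touched a decoy node, whatever else it did."""
        return {e["src"] for e in self.events}

def demo():
    """Constructed probe: one client enumerates bus ids, including decoys."""
    host = HostHandler()
    for node in ["bus1", "bus2", "bus4", "bus5", "bus3"]:
        host.enqueue({"op": "read", "node": node, "src": "10.0.0.23"})
    host.enqueue({"op": "write", "node": "bus5", "value": 0, "src": "10.0.0.23"})
    host.enqueue({"op": "subscribe", "node": "bus1", "src": "10.0.0.7"})
    host.process()
    return host
```

Because a legitimate component never has a reason to address a node that does not exist, a single transaction against a virtual node is enough to mark its source as suspicious; the decoy answers with a believable voltage so the probing script sees no difference between real and virtual buses.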

IV. EXPERIMENTAL RESULTS

We can simulate several transactive energy scenarios, including centralized generation with one-way and two-way communication, and distributed generation, also with one-way and two-way communication. Each scenario implements a model, or combination of models, that drives the demand response simulation. For example, in one scenario the value of Emax is set to the number of consumers multiplied by 47.43 kWh, the average daily household energy consumption obtained from the data sets used in these experiments. In this model the controllers reside on the consumer side and exchange information among themselves. The producer entities are dispersed along the topology of the scenario, one per house. Figure 4 shows the results of the malware attack experiment, comparing the actual power consumption data with the tampered values forwarded by the malware agent to the central controller. The experiment simulates an attacker agent injecting tampered data at the customer premises to emulate a reduction in energy consumption.
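The tampered-consumption experiment above, as an added example that is not the authors' detector or their data, showing the MA/AA split of Section III on constructed readings: the monitoring agent flags a reading that drops far below the house's own recent median (a micro-event), and the aggregation agent validates the flag with a conservation check instead of the paper's ML classifier, accepting it only if the house's shortfall is matched by energy that the feeder total measured but no meter reported. The three houses, their readings, the malware scaling H2 to 60% from interval 6, and the availability of an independently measured feeder total (assumed to come from the hardware in the loop side) are all assumptions of the example.

```python
# MA/AA check for tampered consumption readings. Added example, not the authors'
# detector or data: readings are constructed; the feeder total is assumed to be
# measured independently (hardware-in-the-loop side), not reported by the meters.
from statistics import median

ACTUAL = {   # constructed consumption per house and interval, kWh
    "H1": [1.9, 2.1, 2.0, 2.2, 1.8, 2.0, 2.1, 1.9, 2.0, 2.2, 2.1, 2.0],
    "H2": [2.4, 2.6, 2.5, 2.5, 2.7, 2.4, 2.6, 2.5, 2.4, 2.6, 2.5, 2.5],
    "H3": [1.0, 1.1, 0.9, 1.0, 1.2, 1.0, 1.1, 0.9, 1.0, 1.1, 1.0, 1.0],
}
TAMPER = {"house": "H2", "start": 6, "factor": 0.6}   # malware under-reports H2

def reported(house, t):
    """What the central controller receives: real, or scaled down by the malware."""
    value = ACTUAL[house][t]
    if house == TAMPER["house"] and t >= TAMPER["start"]:
        return round(value * TAMPER["factor"], 3)
    return value

class MonitoringAgent:
    """Streaming per-house check against a robust (median / MAD) baseline."""
    def __init__(self, window=6, k=3.0):
        self.window, self.k = window, k
        self.history = {}   # house -> readings seen so far, honest or not

    def observe(self, t, house, value):
        hist = self.history.setdefault(house, [])
        event = None
        if len(hist) >= self.window:
            base = hist[-self.window:]
            m = median(base)
            mad = median(abs(v - m) for v in base)
            scale = 1.4826 * mad or 0.05 * m     # fallback when the window is flat
            if m - value > self.k * scale:       # drops only: the attack under-reports
                event = {"t": t, "house": house, "reported": value, "baseline": m}
        hist.append(value)
        return event

class AggregationAgent:
    """Trust step: keep an MA event only if the feeder measurement agrees."""
    def __init__(self, tol=0.2):
        self.tol = tol   # assumed metering tolerance, kWh

    def validate(self, events, reported_now, feeder_total):
        residual = feeder_total - sum(reported_now.values())   # energy nobody reported
        validated = []
        for ev in events:
            shortfall = ev["baseline"] - ev["reported"]
            if residual > self.tol and abs(residual - shortfall) <= self.tol:
                validated.append({**ev, "residual": round(residual, 3)})
        return validated

def run_detection():
    """Replays the intervals; returns raw MA events and AA-validated events."""
    ma, aa = MonitoringAgent(), AggregationAgent()
    raw, validated = [], []
    for t in range(len(ACTUAL["H1"])):
        reported_now = {h: reported(h, t) for h in ACTUAL}
        feeder_total = sum(ACTUAL[h][t] for h in ACTUAL)   # measured, not reported
        events = []
        for h in ACTUAL:
            ev = ma.observe(t, h, reported_now[h])
            if ev:
                events.append(ev)
        raw.extend(events)
        validated.extend(aa.validate(events, reported_now, feeder_total))
    return {"raw": raw, "validated": validated}

if __name__ == "__main__":
    for ev in run_detection()["validated"]:
        print(f"t={ev['t']} {ev['house']} reported={ev['reported']} "
              f"baseline={ev['baseline']:.2f} feeder residual={ev['residual']} kWh")
```

With these inputs the MA raises events for H2 at intervals 6, 7 and 8 and none for H1 or H3; from interval 9 on the tampered readings dominate the six-sample window and become the new baseline, so the MA goes quiet even though the attack continues. That drift is why the AA's independent feeder measurement matters: it keeps exposing the gap between reported and delivered energy after the per-house statistics have been poisoned.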

Figure 4: Malware Anomaly Detection

V. CONCLUSION AND FUTURE WORK

This paper presented a distributed security framework that allows us to collect information from the smart grid using multiple distributed security components. This framework can be used for the simulation of security attacks and the evaluation of anomaly detection techniques. It combines co-simulation and hardware in the loop components. It is preliminary work with room for improvement. For example, as future work we plan to use complex event correlation analysis to identify intrusions, and to use that information to create self-deceptive mechanisms to defend against attacks.

ACKNOWLEDGMENT

This project is funded in part by NSF under grant # ACI-1541106. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

REFERENCES

[1] National Institute of Standards and Technology (2010). “Guidelines for smart grid cyber security.”

[2] The Smart Grid Interoperability Panel – Cyber Security Working Group, Guidelines for smart grid cyber security, NISTIR 7628 (2010) 1–597.

[3] Y. Wang et al., "Analysis of Smart Grid security standards," 2011 IEEE International Conference on Computer Science and Automation Engineering, Shanghai, 2011, pp. 697-701.

[4] C.-W. Ten, J. Hong, and C.-C. Liu, “Anomaly Detection for Cybersecurity of the Substations,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 865-873, Dec. 2011.

[5] C.-C. Liu, A. Stefanov, J. Hong, P. Panciatici, “Intruders in the Grid,” IEEE Power and Energy Magazine, vol. 10, no. 1, pp. 58-66, Jan.-Feb. 2012.

[6] J. Hong, C.-C. Liu and M. Govindarasu, “Integrated Anomaly Detection for Cyber security of the Substations,” Submitted to IEEE Trans. Smart Grid, 2013.

[7] J. Hong, C.-C. Liu, and M. Govindarasu, “Detection of Cyber Intrusions Using Network-based Multicast Messages for Substation Automation,” Submitted to IEEE Innovative Smart Grid Technologies (ISGT) Conference, 2014.

[8] J. Hong, R. Nuqui, D. Ishchenko, Z. Wang, T. Cui, A. Kondabathini, D. Coats, and S. Kunsman, “Cyber-Physical Security Test Bed: A Platform for Enabling Collaborative Cyber Defense Methods,” PAC World Americas, Sep. 2015.

[9] J. Mirkovic, T. V. Benzel, T. Faber, R. Braden, J. T. Wroclawski, and S. Schwab, “The deter project: Advancing the science of cyber security experimentation and test,” in Technologies for Homeland Security (HST), 2010 IEEE International Conference on. IEEE, 2010, pp. 1–7.

[10] A. AlMajali, A. Viswanathan, and C. Neuman, “Analyzing resiliency of the smart grid communication architectures under cyber attack,” in 5th Workshop on Cyber Security Experimentation and Test, 2012.

[11] T. Yardley, R. Berthier, D. Nicol, and W. H. Sanders, “Smart grid protocol testing through cyber-physical testbeds,” in Innovative Smart Grid Technologies (ISGT), 2013 IEEE PES. IEEE, 2013, pp. 1–6.

[12] D. C. Bergman, D. Jin, D. M. Nicol, and T. Yardley, “The virtual power system testbed and inter-testbed integration,” in Proc. 2nd Workshop Cyber Security Exp. Test, Aug. 2009.

[13] G. Dondossola, G. Garrone, J. Szanto, G. Deconinck, T. Loix, and H. Beitollahi, “ICT resilience of power control systems: Experimental results from the CRUTIAL testbeds,” in Proc. IEEE/IFIP Int. Conf. Dependable Syst. Netw. (DSN), Jul. 2009, pp. 554–559.

[14] G. Dondossola, G. Deconinck, F. Garrone, and H. Beitollahi, Testbeds for Assessing Critical Scenarios in Power Control Systems. Berlin, Germany: Springer-Verlag, 2009, pp. 223–234.

[15] M. Mallouhi, Y. Al-Nashif, D. Cox, T. Chadaga, and S. Hariri, “A testbed for analyzing security of SCADA control systems (TASSCS),” in Proc. IEEE PES Innov. Smart Grid Technol. (ISGT), Jan. 2011, pp. 1–7.

[16] J. Hong, S.-S. Wu, A. Stefano, A. Fshosha, C.-C. Liu, P. Gladyshev, and M. Govindarasu, “An intrusion and defense testbed in a cyber-power system environment,” in Proc. IEEE Power Energy Soc. Gen. Meet., Jul. 2011.

[17] A. Cárdenas et al., "A Framework for Evaluating Intrusion Detection Architectures in Advanced Metering Infrastructures," in IEEE Transactions on Smart Grid, vol. 5, no. 2, pp. 906-915, March 2014.

[18] M. M. Farag, M. Azab and B. Mokhtar, "Cross-layer security framework for smart grid: Physical security layer," IEEE PES Innovative Smart Grid Technologies, Europe, Istanbul, 2014, pp. 1-7.

[19] H. Sedjelmaci and S. M. Senouci, "Smart grid Security: A new approach to detect intruders in a smart grid Neighborhood Area Network," 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM), Fez, 2016, pp. 6-11.

[20] Y. Yang et al., "Multiattribute SCADA-Specific Intrusion Detection System for Power Networks," in IEEE Transactions on Power Delivery, vol. 29, no. 3, pp. 1092-1102, June 2014.

[21] R. Berthier, W. H. Sanders, and H. Khurana, “Intrusion Detection for Advanced Metering Infrastructures: Requirements and Architectural Directions,” in 2010 First IEEE International Conference on Smart Grid Communications, 2010, pp. 350–355.

[22] K. Wang, M. Du, S. Maharjan, and Y. Sun, "Strategic Honeypot Game Model for Distributed Denial of Service Attacks in the Smart Grid," in IEEE Transactions on Smart Grid, vol. PP, no. 99, pp. 1-1.

[23] J. Hastings, D. M. Laverty and D. J. Morrow, "Tracking smart grid hackers," 2014 49th International Universities Power Engineering Conference (UPEC), Cluj-Napoca, 2014, pp. 1-5.

[24] M. Rodriguez-Martinez, E. O'Neil-Carrillo, M. Perez, F. Andrade, W. Rivera, A. Irizarry-Rivera, R. Ridriguez, C. Ortiz, and E. Lugo, "A Case for Open Access Smart Grids (OASIS)", IEEE SusTech 2016.

[25] W. Rivera and M. Rodriguez-Martinez (2016). “Towards Cloud Services in Smart Power Grids.” IEEE PES Innovative Smart Grid Technologies Conference, Melbourne, Australia.

[26] S. Schütte, S. Scherfke, and M. Sonnenschein, “Mosaik - Smart Grid Simulation API,” in Proceedings of SMARTGREENS 2012 - International Conference on Smart Grids and Green IT Systems, vol. 2, 2012, pp. 14–24.
