Article
SDN-Based Resilient Smart Grid: The SDN-microSENSE Architecture
Panagiotis Radoglou Grammatikis 1, Panagiotis Sarigiannidis 1,*, Christos Dalamagkas 2, Yannis Spyridis 3, Thomas Lagkas 4, Georgios Efstathopoulos 3, Achilleas Sesis 3, Ignacio Labrador Pavon 5, Ruben Trapero Burgos 5, Rodrigo Diaz 5, Antonios Sarigiannidis 6, Dimitris Papamartzivanos 7, Sofia Anna Menesidou 7, Giannis Ledakis 7, Achilleas Pasias 8, Thanasis Kotsiopoulos 8, Anastasios Drosou 8, Orestis Mavropoulos 9, Alba Colet Subirachs 10, Pol Paradell Sola 10, José Luis Domínguez-García 10, Marisa Escalante 11, Molinuevo Martin Alberto 11, Benito Caracuel 12, Francisco Ramos 12, Vasileios Gkioulos 13, Sokratis Katsikas 13, Hans Christian Bolstad 14, Dan-Eric Archer 15, Nikola Paunovic 16, Ramon Gallart 17, Theodoros Rokkas 18 and Alicia Arce 19


Citation: Grammatikis, P.R.; Sarigiannidis, P.; Dalamagkas, C.; Spyridis, Y.; Lagkas, T.; Efstathopoulos, G.; Sesis, A.; Pavon, I.L.; Burgos, R.T.; Diaz, R.; et al. SDN-Based Resilient Smart Grid: The SDN-microSENSE Architecture. Digital 2021, 1, 173–187. https://doi.org/10.3390/digital1040013
Academic Editor: Yannis Manolopoulos
Received: 27 April 2021; Accepted: 24 September 2021; Published: 30 September 2021
Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
1 Department of Electrical and Computer Engineering, University of Western Macedonia, 50100 Kozani, Greece; pradoglou@uowm.gr
2 Testing Research & Standards Center of Public Power Corporation SA, Leontariou 9, Kantza, 15351 Athens, Greece; c.dalamagkas@dei.gr
3 Infinity Limited, 2A Heigham Road Imperial Offices, London E6 2JG, UK; yannis@0infinity.net (Y.S.); george@0infinity.net (G.E.); achilleas@0infinity.net (A.S.)
4 Department of Computer Science, International Hellenic University, 14th km Thessaloniki, 57001 Nea Moudania, Greece; tlagkas@cs.ihu.gr
5 ATOS Spain SA, Calle De Albarracin 25, 28037 Madrid, Spain; ignacio.labrador@atos.net (I.L.P.); ruben.trapero@atos.net (R.T.B.); Rodrigo.diaz@atos.net (R.D.)
6 Sidroco Holdings Ltd., Petraki Giallourou 22, Office 11, Nicosia 1077, Cyprus; asarigia@sidroco.com
7 UBITECH Limited, 26 Nikou & Despinas Pattchi, Limassol 3071, Cyprus; dpapamartz@ubitech.eu (D.P.); smenesidou@ubitech.eu (S.A.M.); gledakis@ubitech.eu (G.L.)
8 Center for Research and Technology Hellas, Information Technologies Institute, 6th km Charilaou-Thermi Road, 57001 Thessaloniki, Greece; pasiasach@iti.gr (A.P.); kotsiopoulos@iti.gr (T.K.); drosou@iti.gr (A.D.)
9 Cyberlens Ltd., 10-12 Mulberry Green, Old Harlow, Essex CM17 0ET, UK; orestis.mavropoulos@cyberlens.eu
10 Fundacio Institut De Recerca De L'Energia De Catalunya (IREC), C/ Jardins De Les Dones De Negre 1, 08930 Sant Adria de Besos, Spain; acolet@irec.cat (A.C.S.); pparadell@irec.cat (P.P.S.); jldominguez@irec.cat (J.L.D.-G.)
11 TECNALIA, Basque Research and Technology Alliance (BRTA), Parque Cientifico Y Tecnologico De Bizkaia, Astondo Bidea, Edificio 700, 48160 Derio Bizkaia, Spain; Marisa.Escalante@tecnalia.com (M.E.); Alberto.Molinuevo@tecnalia.com (M.M.A.)
12 Schneider Electric, Rue Joseph Monier 35, 92500 Rueil Malmaison, France; benito.caracuel@gmail.com (B.C.); francisco.ramos@se.com (F.R.)
13 Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Hogskoleringen 1, 7491 Trondheim, Norway; vasileios.gkioulos@ntnu.no (V.G.); sokratis.katsikas@ntnu.no (S.K.)
14 SINTEF, Sem Saelandsveg 11, 7465 Trondheim, Norway; hans.christian.bolstad@sintef.no
15 CheckWatt AB, Marketenterivagen 1, 41528 Goteborg, Sweden; daneric.archer@checkwatt.se
16 Realaiz, Mihajla Bogicevica 7, 11000 Beograd, Serbia; nikola.paunovic@realaiz.rs
17 Estabanell, Calle Rec 26-28, 08400 Granollers, Spain; rgallart@estabanell.cat
18 INCITES Consulting, 130 Route d'Arlon, L-8008 Strassen, Luxembourg; trokkas@incites.eu
19 Control Systems Laboratory, Ayesa, 41092 Seville, Spain; aarce@ayesa.com
* Correspondence: psarigiannidis@uowm.gr
Abstract: The technological leap of smart technologies and the Internet of Things has advanced the conventional model of the electrical power and energy systems into a new digital era, widely known as the Smart Grid. The advent of Smart Grids provides multiple benefits, such as self-monitoring, self-healing and pervasive control. However, it also raises crucial cybersecurity and privacy concerns that can lead to devastating consequences, including cascading effects with other critical infrastructures or even fatal accidents. This paper introduces a novel architecture, which will increase the Smart Grid resiliency, taking full advantage of the Software-Defined Networking (SDN) technology. The proposed architecture, called SDN-microSENSE architecture, consists of three main tiers: (a) Risk assessment, (b) intrusion detection and correlation and (c) self-healing. The first tier is responsible for evaluating dynamically the risk level of each Smart Grid asset. The second tier undertakes to detect and correlate security events and, finally, the last tier mitigates the potential threats, ensuring in parallel the normal operation of the Smart Grid. It is noteworthy that all tiers of the SDN-microSENSE architecture interact with the SDN controller either for detecting or mitigating intrusions.
Keywords: anomaly detection; blockchain; cybersecurity; energy management; honeypots; intrusion detection; islanding; privacy; Smart Grid; Software Defined Networking
1. Introduction
The evolution of the Industrial Internet of Things (IIoT) is leading the conventional Electrical Power and Energy Systems (EPES) into a new digital paradigm, widely known as the Smart Grid (SG). Based on the study of S. Tan et al. [1], the SG will constitute the biggest Internet of Things (IoT) application in the near future. Thus, multiple benefits are provided to both energy consumers and energy utilities, such as more customer choices, pervasive control, self-monitoring and self-healing. However, this progression also creates severe cybersecurity and privacy risks that can lead to devastating consequences or even fatal accidents. It is noteworthy that, due to the strict interdependence between the energy sector and the other critical infrastructures, EPES/SG cybersecurity incidents can severely impact the other critical domains. A characteristic cyberattack against the energy sector was an Advanced Persistent Threat (APT) [2] that resulted in a blackout for more than 225,000 people in Ukraine. Similarly, multiple APTs have targeted EPES, such as DragonFly [3], TRITON [4] and Crashoverride [3].
The vulnerable nature of EPES/SG is mainly related to the legacy Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Such systems utilise insecure communication protocols, such as Modbus [5], Distributed Network Protocol 3 (DNP3) [6] and IEC 60870-5-104 [7], which were not designed with the essential authentication and authorisation mechanisms. While both academia and industry have already provided useful security solutions, such as the IEC 62351 standard, unfortunately, many vendors and manufacturers cannot adopt them, especially in real time. Moreover, it is worth mentioning that many challenges arise from the IoT area [8]. First, the IoT inherits the vulnerabilities of the conventional Internet model. Secondly, the vast amount of IoT data is an attractive target for potential cyberattackers.
Therefore, based on the aforementioned remarks, this paper presents the SDN-microSENSE architecture, which aims to strengthen the EPES/SG resiliency. To this end, SDN-microSENSE focuses on three tiers: (a) Risk assessment, (b) intrusion detection and correlation and (c) self-healing. The proposed architecture takes full advantage of the Software-Defined Networking (SDN) technology in order to recognise, mitigate or even prevent potential cyberattacks and anomalies. It should be noted that SDN-microSENSE is a Horizon 2020 research project co-funded by the European Union.
The rest of this paper is organised as follows. Section 2 discusses similar works. Section 3 presents the proposed architecture, detailing the role of each component. Finally, Section 5 concludes this paper.
2. Related Work
Many papers have examined the cybersecurity and privacy issues of the energy sector. Some of them are listed in [9–17]. In particular, in our previous work in [14], we provide a detailed survey of the Intrusion Detection Systems (IDS) in SG. In [9], P. Kumar et al. present a comprehensive study, detailing the SG cyberattacks and relevant cybersecurity incidents. Moreover, they introduce a threat model and taxonomy, discussing cyberattacks, privacy concerns and appropriate solutions. In [10], I. Stellios et al. provide a methodology which is utilised to evaluate IoT cyberattacks against Critical Infrastructures. Based on this methodology, they also identify relevant security controls. M. Hassan et al. in [11] discuss differential privacy techniques for Cyber-Physical Systems (CPS). In [12], H. Karimipour et al. present a deep and scalable Machine Learning (ML) system in order to recognise cyberattacks against large-scale SG environments. T. Nguyen et al. in [13] study various countermeasures to increase the electrical power grid's resiliency. In a similar manner, the authors in [15] analyse and review various works concerning how the SDN technology can improve the SG security. In [16], A. Musleh et al. provide a survey regarding the detection of false data injection attacks in the SG. Finally, in [17], the authors provide a survey about the firewall systems for SG/EPES. Next, we focus on similar works regarding (a) threat modelling in SG, (b) intrusion detection in SG environments and (c) mitigating or even preventing cyberattacks through SDN. Each paragraph focuses on a dedicated case. Finally, based on this brief literature review, we identify how the proposed architecture is differentiated.
In [18], E. Li et al. introduce a combined method for identifying and evaluating the potential threats against a Distribution Automation System (DAS). In particular, the proposed method relies on attack trees and the Common Vulnerability Scoring System (CVSS) [19] in order to specify the possible threats and then to assess them quantitatively. First, the authors introduce the DAS architecture by identifying the functional characteristics and the security requirements. Next, the authors explain how the CVSS is applied to the attack tree by calculating the CVSS score for each leaf node and path, thereby calculating the most threatening path. Next, based on the DAS architecture defined earlier, the authors specify an attack tree, which considers both the network and physical attacks. Moreover, the leaf nodes correspond to specific Common Vulnerabilities and Exposures (CVEs) whose CVSS score is calculated by the US National Vulnerability Database. Therefore, the CVSS is applied in the entire attack tree, and the most threatening tree is computed. Finally, it is worth mentioning that the authors evaluate their method with a similar one, which relies on the Bayes method and CVSS. Based on this evaluation, first, the proposed method is verified since both methods compute similar results. Secondly, the proposed method calculates higher attack probabilities than that using the Bayes methods and CVSS.
In [20], E. Rios et al. present a continuous quantitative risk management methodology for SG environments. While the paper is focused on SG, the proposed method can be applied in any Information Technology (IT) and IoT ecosystem. In particular, after discussing relevant works, the authors explain the proposed methodology, which consists of five phases, namely (a) system Attack Defence Tree (ADT) modelling, (b) risk assessment over ADT, (c) risk sensitivity analysis over ADT, (d) risk optimisation of defences and (e) continuous refinement of risk evaluation. In the first phase, the ADT is formed by enumerating and structuring the various underlying threats as well as the respective countermeasures. Next, the second phase calculates (a) the probability, (b) the impact, (c) the cost and finally (d) the risk of each ADT node. Next, the risk sensitivity analysis examines the sensitivity of each ADT node by investigating possible fluctuations in their values. Subsequently, the risk optimisation of defences intends to optimise the countermeasures, taking into account possible technical or administrative constraints, such as the security budget. Finally, the last phase monitors and evaluates continuously the risk-related values (probability, impact, cost and risk) during the system operation, thus providing the appropriate feedback. The authors validate the proposed method by carrying out each phase in a real smart home environment.
The authors in [21] provide an anomaly-based IDS for the IEC 60870-5-104 protocol, which relies on essential access control and outlier detection. The proposed IDS consists of two main components: (a) Sensor and (b) server. The sensor is composed of three modules: (a) Network Traffic Monitoring Module, (b) Network Packet Access Control Module and (c) IEC-104 Flow Extraction Module. The Network Traffic Monitoring Module undertakes to capture the IEC 60870-5-104 network traffic, using a switched port analyser. The Network Packet Access Control Module adopts a whitelist, which defines the legitimate Medium Access Control (MAC) addresses, the IP addresses and the 2404 port, which is the default Transmission Control Protocol (TCP) port for the IEC 60870-5-104 protocol. If the details of an IEC 60870-5-104 packet (i.e., source/destination addresses and source/destination ports) do not agree with the whitelist, then an alert is raised. It is worth mentioning that the alerts are stored in an Elasticsearch database on the server side. Next, the IEC-104 Flow Extraction Module extracts the TCP/IP network flow statistics used by the outlier detection mechanism for detecting possible anomalies. On the other hand, the server consists of (a) the Anomaly Detection Module and (b) the Response Module. The Anomaly Detection Module applies the outlier detection algorithm, which distinguishes whether an IEC 60870-5-104 flow is anomalous or not. To this end, three outlier detection algorithms were tested: (a) One-Class Support Vector Machine (SVM), (b) Local Outlier Factor (LOF) and (c) Isolation Forest, under different flow timeout thresholds: 15 s, 30 s, 60 s and 120 s. Finally, the Response Module informs the security administrator via Kibana. Based on the evaluation results, Isolation Forest achieves the best performance when the flow timeout is defined at 120 s.
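As an added illustration of the whitelist-based access control described for the IDS of [21] (example code written for this page, not the implementation of that IDS or of SDN-microSENSE), the following Python models the Network Packet Access Control Module: each legitimate MAC address is bound to its IP address and TCP port 2404 is expected on one side of every IEC 60870-5-104 packet, so any packet that disagrees with the whitelist yields an alert with its reason. The packet fields, the whitelist entries and the sample traffic are constructed for the example.

```python
# Added example: a minimal model of the Network Packet Access Control Module
# described above. Whitelist entries, host names and sample packets are constructed.
from dataclasses import dataclass
from typing import Optional

IEC104_PORT = 2404  # default TCP port of IEC 60870-5-104


@dataclass(frozen=True)
class Packet:
    """Addressing details of one captured packet (no payload needed for this check)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Constructed whitelist: legitimate MAC -> IP bindings of the IEC-104 hosts
# (one master station and two RTUs; addresses are placeholders).
WHITELIST = {
    "00:11:22:33:44:01": "10.0.0.1",   # master station
    "00:11:22:33:44:02": "10.0.0.2",   # RTU 1
    "00:11:22:33:44:03": "10.0.0.3",   # RTU 2
}


def check_packet(pkt: Packet, whitelist=WHITELIST) -> Optional[str]:
    """Return None when the packet agrees with the whitelist, else the alert reason."""
    reasons = []
    for side, mac, ip in (("source", pkt.src_mac, pkt.src_ip),
                          ("destination", pkt.dst_mac, pkt.dst_ip)):
        mac = mac.lower()
        if mac not in whitelist:
            reasons.append(f"unknown {side} MAC {mac}")
        elif whitelist[mac] != ip:
            # Known MAC carrying a different IP: the binding no longer matches.
            reasons.append(f"{side} IP {ip} does not match MAC {mac}")
    # An IEC-104 TCP connection has the server on port 2404, so exactly one
    # side of every legitimate packet uses that port.
    if IEC104_PORT not in (pkt.src_port, pkt.dst_port):
        reasons.append(f"neither port is {IEC104_PORT}")
    return "; ".join(reasons) or None


def scan(packets, whitelist=WHITELIST):
    """Run the access-control check over captured packets; return the alerts raised."""
    alerts = []
    for pkt in packets:
        reason = check_packet(pkt, whitelist)
        if reason:
            alerts.append((pkt.src_ip, pkt.dst_ip, reason))
    return alerts


# Constructed sample traffic: a legitimate request/response pair, a packet from a
# host that is not in the whitelist, a known MAC with a mismatching IP, and a
# packet between legitimate hosts that uses no IEC-104 port at all.
SAMPLE_PACKETS = [
    Packet("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2", 50123, 2404),
    Packet("00:11:22:33:44:02", "00:11:22:33:44:01", "10.0.0.2", "10.0.0.1", 2404, 50123),
    Packet("de:ad:be:ef:00:01", "00:11:22:33:44:02", "10.0.0.99", "10.0.0.2", 40000, 2404),
    Packet("00:11:22:33:44:03", "00:11:22:33:44:02", "10.0.0.77", "10.0.0.2", 40001, 2404),
    Packet("00:11:22:33:44:01", "00:11:22:33:44:02", "10.0.0.1", "10.0.0.2", 50124, 502),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print("ALERT", alert)
```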
In our previous work [22], we developed DIDEROT. DIDEROT is an Intrusion Detection and Prevention System (IDPS) capable of detecting and mitigating cyberattacks against DNP3. The architectural model of DIDEROT consists of three modules, namely (a) Data Monitoring Module, (b) DIDEROT Analysis Engine and (c) Response Module. The Data Monitoring Module undertakes to capture the DNP3 network traffic and generate bidirectional network flow statistics. To this end, Tshark [23] and CICFlowMeter [24] were utilised, respectively. Moreover, the Data Monitoring Module is responsible for normalising these statistics by applying the min-max scaling function. Next, the DIDEROT Analysis Engine is composed of two ML classifiers that operate complementarily. The first classifier detects particular DNP3 cyberattacks (i.e., multiclass classification), including (a) DNP3 injection, (b) DNP3 flooding, (c) DNP3 reconnaissance, (d) DNP3 replay attacks and (e) DNP3 masquerading. If the first classifier classifies a network flow as normal, then the second classifier is activated to distinguish a possible anomaly (i.e., binary classification). The functionality of the first classifier relies on a decision tree, while the second adopts the DIDEROT autoencoder. Finally, based on the outcome of the DIDEROT Analysis Engine, the Response Module generates security events and informs the Ryu SDN controller in order to corrupt the malicious network flow. The evaluation results demonstrate the efficacy of DIDEROT in detecting DNP3 cyberattacks.
In [25], P. Manso et al. provide an SDN-based IDPS, which combines the Ryu SDN controller and Snort in order to mitigate DoS attacks. The architectural model consists of three virtual machines representing (a) the internal network simulated by Mininet, (b) the SDN-based IDPS and (c) online services. It is noteworthy that the second virtual machine (i.e., that hosting the SDN-based IDPS) hosts both Ryu and Snort. First, Snort receives the overall network traffic through a port mirroring capability provided by Open vSwitch (OVS) [26] of the first virtual machine (i.e., Mininet). If Snort detects a potential cyberattack, it informs Ryu through a UNIX domain socket. Next, Ryu transmits the appropriate OpenFlow commands to the OVS of the first virtual machine (i.e., Mininet), thus isolating the malicious nodes. The authors evaluate their IDPS with three distributed denial-of-service (DDoS) scenarios, measuring (a) DDoS mitigation time, (b) average Round Trip Time and (c) packet loss. The experimental results demonstrate the efficiency of the proposed IDPS.
The authors in [27] present the SPEAR Security Information and Event Management (SIEM) system. SPEAR SIEM focuses mainly on EPES/SG environments by detecting and correlating relevant security events. In particular, SPEAR SIEM is composed of three architectural layers: (a) Data Capturing Layer, (b) Detection Layer and (c) Correlation Layer. In the first layer, SPEAR sensors and the Data Acquisition and Parsing System are responsible for gathering and pre-processing a variety of data, including (a) network flow statistics, (b) packet payload information and (c) operational data (i.e., time-series electricity measurements). Next, the detection layer undertakes to recognise potential anomalies and cyberattacks. To this end, two components are utilised: (a) Big Data Analytics Component and (b) Visual-based Intrusion Detection System (VIDS). The first is capable of detecting a plethora of threats by adopting three detection kinds: (a) network flow-based detection, (b) packet-based detection and (c) operational data-based detection. On the other hand, VIDS utilises advanced visualisation techniques through which the security administrator can recognise additional anomalies not detected previously by the first component. Moreover, VIDS operates as the main dashboard of the SPEAR SIEM. Finally, the last layer is responsible for correlating the security events produced by the previous layer, thus composing security alerts and updating the trust values of the involved EPES/SG assets.
The authors in [28] present an anomaly-based IDS for EPES/SG. The proposed IDS uses operational data (i.e., time-series electricity measurements), and its architecture consists of four modules, namely: (a) Data Collection Module, (b) Pre-Processing Module, (c) Anomaly Detection Module and (d) Response Module. The first module is responsible for collecting the various operational data. The second module isolates and normalises the necessary features. Next, the anomaly detection module uses an outlier detection model, thus recognising possible outliers/anomalies. In particular, six outlier detection methods are tested: (a) Principal Component Analysis (PCA), (b) OneClassSVM, (c) Isolation Forest, (d) Angle-Based Outlier Detection (ABOD), (e) Stochastic Outlier Selection (SOS) and (f) autoencoder. Finally, based on the detection outcome, the Response Module informs the user about the presence of potential security events. The main innovation of this work is the complex data representation during the pre-processing step. The evaluation results demonstrate the efficiency of the proposed IDS.
Admittedly, the previous works present useful methodologies and tools. They focus mainly on detecting and mitigating potential threats. However, none of them provides an integrated solution combining the functional cybersecurity tiers illustrated by Figure 1. In particular, the proposed solutions do not consider the unique characteristics of EPES/SG in order to mitigate efficiently the various cyberattacks and anomalies. Before the application of a mitigation strategy, the corresponding countermeasures should consider the sensitive nature of EPES/SG. For instance, the isolation of some malicious network flows corresponding to non-critical disturbances can cause more disastrous consequences than the disturbances themselves. In addition, the above works do not consider emergencies where appropriate measures should take place in near real time in order to avoid cascading effects. Finally, the various solutions have to take into account the quality of the energy grid. Therefore, appropriate energy-related optimisation methods should take place when a cyberattack or anomaly occurs. Based on the aforementioned remarks, SDN-microSENSE aims to provide an integrated solution that will incorporate detection, mitigation and optimisation systems into a common platform. This paper focuses on the architecture behind SDN-microSENSE, detailing the technical specifications of each component and their interfaces. It is noteworthy that, due to the complexity of the overall SDN-microSENSE solution and the presence of multiple components, this paper is devoted only to the SDN-microSENSE architecture, without discussing in detail the technical details of each component and the corresponding evaluation results. To the best of our knowledge, SDN-microSENSE constitutes the first solution that integrates and harmonises (a) collaborative risk assessment, (b) intrusion detection and correlation and (c) self-healing into a common platform. Some individual works that demonstrate the efficiency of the corresponding SDN-microSENSE components are given in [29–32].
[Figure 1 (image not reproduced): SDN-microSENSE structural (functional) view. Data/Infrastructure Plane: TSO substations (relays, servers, SAS, PLCs, RTUs), DSO substations (relays, MDMS, RTU, PLCs, SAS), control centres (MTU, SCADA, ICS, PCs, HMI), microgrids (PV, switch, smart meters, wind, CTRL) and honeypots (load, servers, SCADA, SAS, PLCs, ICS), each network element attached to SDN switches forming SDN datapaths 1 to N. Controller Plane: SDN-C1, SDN-C2, SDN-C3, ..., SDN-Cn. Application Plane: S-RAF (risk level assessment, vulnerabilities management, honeypots management), XL-EPDS (SIEM, SS-IDPS, advanced anomaly detection) and SDN-SELF (EMO, IIM, EDAE), together with the ARIEC blockchain trading system; the planes are linked through north-bound and south-bound interfaces, the S-RAF/XL-EPDS interface, the S-RAF/SDN-SELF interface and the applications/data plane interface. Management Plane: privacy protection framework (RBAC, privacy policies, k-anonymity techniques, private information retrieval techniques, homomorphic techniques), assets inventory database, SDN synchronisation & coordination service, and common user interface + dashboards, with interfaces to the application, infrastructure and control planes.]
Figure 1. SDN-microSENSE Architecture—Structural View.
3. SDN-microSENSE Architecture
Figure 2 depicts the SDN-microSENSE business logic based on the SDN architectural model. It comprises three main conceptual frameworks [33], namely (a) SDN-microSENSE Risk Assessment Framework (S-RAF), (b) Cross-Layer Energy Prevention and Detection System (XL-EPDS) and (c) SDN-enabled Self-healing Framework (SDN-SELF), that are deployed throughout the four SDN planes: (a) Data Plane, (b) Control Plane, (c) Application Plane and (d) Management Plane. The term conceptual framework refers to a set of functions and relationships within a research area [33]. Therefore, the SDN-microSENSE frameworks mentioned earlier focus on the following cybersecurity-related research areas: (a) risk assessment, (b) intrusion detection and correlation and (c) self-healing and recovery. Each of the SDN-microSENSE frameworks takes full advantage of the SDN technology in order to detect, mitigate or even prevent possible intrusions. In particular, S-RAF instructs the SDN Controller (SDN-C) to redirect potential cyberattackers to the EPES/SG honeypots; the EPES/SG honeypots constitute a security control of S-RAF. Next, XL-EPDS uses statistics originating from the SDN-C to detect possible anomalies or cyberattacks related to the entire SDN network. Finally, SDN-SELF communicates with the SDN-C in order to mitigate possible intrusions and anomalies. The following subsections analyse the components and the interfaces of each SDN-microSENSE framework.
A more detailed view of the SDN-microSENSE architecture, along with the interfaces between the various planes, is depicted in Figure 1. The structural view is based on the SDN architecture, as defined by the Open Networking Foundation (ONF) [34] and Request for Comments (RFC) 7426 [35], and follows the rationale of decoupling the network control from the forwarding functions. Therefore, according to the above specifications, the conceptual frameworks are placed within the Data, Controller, Application and Management Planes. In particular, the Data Plane contains the EPES/SG infrastructure, the honeypots and the SDN switches. The Controller Plane consists of multiple SDN controllers that receive guidance from the Application and Management Planes and configure the Data Plane accordingly. The conceptual frameworks and their components are placed within the Application Plane. In this plane, the most important operational decisions take place, such as the detection of a cyberattack or the decision to isolate a malicious network flow. Finally, the Management Plane provides all complementary functionalities related to the system usability, including dashboards, databases and privacy-preserving mechanisms that ensure the privacy of the data subjects affected by the SDN-microSENSE operation. It is worth mentioning that the Management Plane is placed vertically since it provides complementary services to all planes. Indicatively, the Asset Inventory database is used by all components of the Application Plane in order to access information related to the underlying EPES/SG components. Concurrently, the SDN Synchronisation and Coordination Service (SCS) is accessed by both the Application Plane and the Controller Plane, to retrieve the master SDN-C for a particular switch and to carry out the master SDN-C election process, respectively.
[Figure 2 (image not reproduced): SDN-microSENSE business logic. An integrated platform which harmonizes Security Management & Risk Assessment, Intrusion Detection & Correlation, Privacy-Preserving, Self-Healing and Energy Management under the umbrella of SDN, using multiple technologies: SDN, honeypots, SIEM, IDPS, machine learning, MISP, visual analytics and blockchain. Security Management & Risk Assessment: S-RAF (Data Plane & Application Plane), covering collaborative risk assessment, vulnerability management, honeypots and honeypot management. Intrusion Detection & Correlation, Privacy-Preserving: XL-EPDS (Application Plane), covering signature/specification-based detection, ML/DL-based detection, security events correlation, visual-based detection and an anonymous repository of incidents. Self-Healing & Energy Management: SDN-SELF (Data Plane, Control Plane & Application Plane), covering SDN-based cyberattack mitigation, islanding mechanisms and energy management. Integration: common web-based dashboard (Management Plane).]
Figure 2. SDN-microSENSE Business Logic.
3.1. S-RAF: SDN-microSENSE Risk Assessment Framework
S-RAF is a framework that undertakes to implement collaborative and dynamic
risk management. Moreover, apart from this role, S-RAF includes a set of EPES/SG
honeypots that hide and protect the real EPES/SG assets. The following subsections
analyse both the collaborative risk assessment and the EPES/SG honeypots of the SDN-
microSENSE architecture.
3.1.1. Security Management and Risk Assessment
An essential function of the SDN-microSENSE architecture is the collaborative and dynamic risk assessment. To this end, S-RAF follows a methodology consisting of seven steps: (a) determining the goal of the EPES risk assessment, (b) analysis of the EPES organisations, (c) EPES cyberthreat analysis, (d) vulnerability analysis, (e) impact analysis, (f) risk assessment and (g) risk mitigation. Thus, following this methodology, S-RAF receives the security events and alerts coming from XL-EPDS and enriches this information with a cumulative risk value for each involved asset and the corresponding connections.
3.1.2. EPES/SG Honeypots and Honeypot Manager
According to [36], a honeypot is "an information system whose value lies in unauthorised or illicit use of the resource". In other words, honeypots are commonly used as an extra security layer in order to act as a decoy, which lures the cyberattackers and captures useful information about their identity and activities [37]. SDN-microSENSE provides a variety of EPES/SG honeypots that implement realistic emulations for three EPES/SG communication protocols: (a) IEC-61850, (b) IEC-60870-5-104, and (c) Modbus/TCP. In more detail, the IEC-61850 honeypot emulates real intelligent electronic devices usually located in circuit breakers of the substations by parsing the Intelligent Capability Description (ICD) files. On the other side, the IEC-60870-5-104 and Modbus/TCP honeypots rely on Conpot. Furthermore, it is noteworthy that the Modbus/TCP honeypot can imitate the responses of the real EPES/SG assets by integrating a generative adversarial network.
The deployment and the lifecycle management of the aforementioned EPES/SG honeypots are provided by the Honeypot Manager (HM). The HM constitutes a web-based interface, which allows the security administrator to inspect the security events and alerts received from XL-EPDS and to decide on the deployment of an EPES/SG honeypot. In addition, the HM leverages the northbound interface of the SDN-C by dynamically redirecting the malicious network traffic towards the EPES/SG honeypots. The redirection can be activated manually by the HM operator based on the security events and alerts received from XL-EPDS. This mechanism aims to force the cyberattackers to interact with the EPES/SG honeypots, thus collecting useful information about their activities.
3.2. XL-EPDS: Cross Layer Energy Prevention and Detection System
The XL-EPDS framework utilises various kinds of data in order to detect potential EPES/SG intrusions and anomalies in a timely and reliable manner. To this end, the framework integrates a SIEM system especially designed for the energy sector. The proposed SIEM system, called XL-SIEM, includes a plethora of intrusion and anomaly detectors related to the EPES/SG communication protocols. Moreover, it ensures the privacy of the involved entities through the Overlay Privacy Framework (OPF). Finally, XL-EPDS incorporates an anonymous repository of incidents called ARIEC, which allows the EPES organisations to share cybersecurity incidents with each other. Each XL-EPDS component is further analysed below.
3.2.1. XL-SIEM and Detectors
XL-SIEM composes a SIEM system capable of detecting multiple EPES cyberattacks by allowing the interconnection with a myriad of security detectors. In particular, the XL-SIEM consists of (a) XL-SIEM agents for processing information received from security detectors and distributed across the EPES infrastructure and (b) the XL-SIEM core, which integrates an event correlation engine, a database and a management dashboard. The security detectors are deployed throughout the EPES infrastructure and undertake to recognise various EPES cyberattacks and anomalies, generating the respective security logs. To this end, both signature/specification-based techniques and ML/DL-based methods are applied. First, Suricata is used with the Quickdraw ICS signatures and specification rules developed during the project. Next, a set of ML/DL-based detectors [38] are responsible for discriminating cyberattacks and anomalies against a plethora of EPES protocols, such as Modbus/TCP, DNP3, IEC 61850 (Generic Object Oriented Substation Event (GOOSE)), IEC 60870-5-104, Message Queuing Telemetry Transport (MQTT) and Network Time Protocol (NTP). Moreover, there is a detector called Nightwatch, which is able to discriminate potential anomalies related to the entire SDN network based on the statistics given by the SDN-C. OPF constitutes another detector of XL-SIEM, ensuring the privacy of EPES/SG entities and transferring the relevant security logs to XL-SIEM whenever privacy violations are detected. Finally, the Discovery tool constitutes a visual-based anomaly detector, which provides the appropriate visual interfaces through which the security administrator can distinguish the presence of an anomaly that possibly cannot be detected by the aforementioned detectors. Next, the XL-SIEM agents are responsible for collecting and normalising the various security logs generated by the XL-SIEM detectors into a standardised format. The normalised events are called security events and are transmitted by the XL-SIEM agents to the XL-SIEM engine or external components. Subsequently, the XL-SIEM engine receives the security events and correlates them, thus producing security alerts. A security alert is defined as a set of security events related to each other through the correlation rules defined by security experts. Finally, the XL-SIEM database and XL-SIEM dashboard store and visualise the security events and alerts generated by XL-SIEM, respectively.
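The agent/engine split described above, as an added illustration that is not XL-SIEM code: heterogeneous detector logs are normalised into one security-event schema, and a correlation rule turns related events into an alert. The log formats, detector names ("modbus-ml"), field names and the rule itself are assumptions constructed for this example.

```python
"""Added example (not XL-SIEM code): a minimal model of the pipeline described
above. Detector logs are normalised by an 'agent' into security events with one
schema, and an 'engine' correlates them into alerts with a rule. Log lines and
formats are constructed for the example."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample output from three detectors: a Suricata-style JSON alert,
# lines from a hypothetical Modbus/TCP ML detector, and a Nightwatch-style line.
SAMPLE_LOGS = [
    '{"event_type": "alert", "timestamp": "2021-06-01T10:00:01", "src_ip": "10.0.0.7",'
    ' "dest_ip": "10.0.1.2", "alert": {"signature": "ICS Modbus Write Single Register"}}',
    "modbus-ml 2021-06-01T10:00:04 src=10.0.0.7 dst=10.0.1.2 fc=6 score=0.93 label=anomaly",
    '{"event_type": "flow", "timestamp": "2021-06-01T10:00:05", "src_ip": "10.0.0.9",'
    ' "dest_ip": "10.0.1.2"}',
    "modbus-ml 2021-06-01T10:00:07 src=10.0.0.7 dst=10.0.1.2 fc=16 score=0.88 label=anomaly",
    "nightwatch 2021-06-01T10:00:09 dpid=1 port=3 packet_in_rate=480 label=anomaly",
]


@dataclass
class SecurityEvent:
    """The common schema every agent emits, whatever the detector's own format."""
    ts: datetime
    detector: str
    src: str
    dst: str
    category: str   # "signature" or "ml"
    summary: str


@dataclass
class SecurityAlert:
    rule: str
    src: str
    dst: str
    events: list[SecurityEvent]


def normalise(line: str) -> SecurityEvent | None:
    """Agent step: one raw log line -> SecurityEvent, or None for non-security records."""
    line = line.strip()
    if line.startswith("{"):
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            return None  # flow/stats records carry no detection
        return SecurityEvent(datetime.fromisoformat(rec["timestamp"]), "suricata",
                             rec["src_ip"], rec["dest_ip"], "signature",
                             rec["alert"]["signature"])
    m = re.match(r"(?P<det>[\w-]+) (?P<ts>\S+) (?P<kv>.*)$", line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m["kv"].split())
    if kv.get("label") != "anomaly":
        return None
    # SDN-wide detectors report no IP pair; key them by switch id instead.
    details = " ".join(f"{k}={v}" for k, v in kv.items() if k != "label")
    return SecurityEvent(datetime.fromisoformat(m["ts"]), m["det"],
                         kv.get("src", "-"), kv.get("dst", kv.get("dpid", "-")),
                         "ml", f"{m['det']} anomaly: {details}")


def correlate(events: list[SecurityEvent], window: timedelta = timedelta(seconds=10),
              min_events: int = 2) -> list[SecurityAlert]:
    """Engine step. Rule: a signature-based and an ML-based detector both flag the
    same src->dst pair inside the sliding window -> one alert for that pair."""
    by_pair: dict[tuple[str, str], list[SecurityEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pair.setdefault((ev.src, ev.dst), []).append(ev)
    alerts = []
    for (src, dst), evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) >= min_events and {"signature", "ml"} <= {e.category for e in chunk}:
                alerts.append(SecurityAlert("multi-detector-ics-anomaly", src, dst, list(chunk)))
                break  # one alert per pair is enough for the illustration
    return alerts


def run_pipeline(lines: list[str]) -> tuple[list[SecurityEvent], list[SecurityAlert]]:
    events = [e for e in map(normalise, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    evs, als = run_pipeline(SAMPLE_LOGS)
    print(f"{len(evs)} security events, {len(als)} alert(s)")
    for a in als:
        print(a.rule, a.src, "->", a.dst, [e.detector for e in a.events])
```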
3.2.2. ARIEC: Cloud-Based Anonymous Repository of Incidents
To be aligned with the Directive on security of Network and Information Systems (NIS) [39], which requires mandatory reporting of the cybersecurity incidents by the EPES organisations, the SDN-microSENSE architecture introduces ARIEC, which is a repository of anonymised security events and alerts originating from XL-SIEM. In the context of ARIEC, both security events and alerts are called cybersecurity incidents. They are also accompanied by the risk information calculated by S-RAF. Therefore, ARIEC allows storing and sharing technical details of the cybersecurity incidents among different EPES organisations belonging to a trusted network without identifying the victim identity or other sensitive information that can affect the reputation of the EPES organisation. ARIEC follows a centralised architecture, which relies on the Malware Information Sharing Platform (MISP) and anonymisation procedures based on the differential privacy and Natural Language Processing (NLP) techniques.
3.3. SDN-SELF: SDN-enabled Self-hEaLing Framework
The goal of the SDN-SELF framework is twofold. First, it mitigates the possible anomalies and intrusions detected by XL-EPDS. Secondly, SDN-SELF is responsible for the energy management and optimisation required after the mitigation processes. In particular, SDN-SELF comprises five components: (a) Electric Data Analysis Engine (EDAE), (b) the Islanding and optImisation fraMework (IIM), (c) the rEstoration Machine-learning framewOrk (EMO) and (d) the Blockchain-based Energy Trading System. Each component of the SDN-SELF framework is further analysed in the following subsections, respectively.
3.3.1. EDAE: Electric Data Analysis Engine
Leveraging the SDN programming capabilities, EDAE undertakes to maximise the grid observability and protect the EPES/SG infrastructure in case of cyberattacks or failures. In particular, EDAE continuously monitors the underlying network against Quality of Service (QoS) constraints (e.g., latency and available bandwidth) provided by the EPES/SG operator and the cybersecurity incidents delivered by S-RAF. In comparison to the existing state of the art, refs. [40–44], EDAE aims to combine the satisfaction of QoS, security and observability requirements in a single optimisation scheme. Three main scenarios are distinguished, namely:
Scenario A: QoS constraints are not satisfied. Supposing that the communication quality is degraded in a manner that the minimum-latency criteria cannot be satisfied, EDAE employs the PaDe [45] genetic algorithm in order to decompose the multi-objective problem of path reconstruction into multiple single-objective ones that are resolved using the asynchronous generalised island model to distribute the solution process [46]. The final solution (i.e., the optimal path that maximises the grid QoS and observability) is obtained as the set of the best individual solutions in each single-objective island.
Scenario B: An EPES/SG device is disconnected from the network. In the more specific scenario where a Phase Data Concentrator (PDC) is disconnected from the network, the Phasor Measurement Units (PMUs) connected to that PDC should be reallocated to the next available PDC so that the security and QoS constraints are not violated for any of the existing PMUs. In this case, a Mixed-Integer Linear Programming algorithm chooses and applies the best PMU reallocation scheme to minimise the overall network latency. This problem is also studied by [40]; however, the authors are limited to maximising observability, while EDAE also addresses QoS and security requirements.
Scenario C: Change of security risk. Supposing that the security risk of an intermediate switch changes dramatically, EDAE finds alternative paths so that the risk level of the rest of the infrastructure is maintained while the QoS requirements of the other applications remain intact.
3.3.2. IIM: Islanding and optImisation fraMework
The purpose of IIM is to preserve the stability of the EPES infrastructure by offering intentional islanding schemes in case of severe disturbances (e.g., disruptions caused by cyberattacks, extreme natural phenomena or human errors), thus avoiding cascading failures that can potentially lead to a blackout. Activated as a response to specific security incidents received from S-RAF, IIM collects information regarding the triggering event, as well as the current status of the grid, and delivers appropriate islanding recommendations, which are evaluated and applied by the system operator. More specifically, the islanding solutions aim to partition the grid into several segments, creating islands that isolate the affected assets and at the same time minimise the power imbalance while maintaining supply to the maximum number of consumers. IIM employs two different methods for calculating the islanding schemes, namely: (1) a genetic algorithm, which provides the optimal solution at the cost of increased time-complexity and (2) a deep learning architecture [31] which addresses the islanding problem by utilising graph convolutional neural networks, able to provide the solution in real-time.
3.3.3. EMO: rEstoration Machine-learning framewOrk
EMO acts as a modern energy restoration and management framework, incorporating procedures for restoring the electrical grid when there are failures, thus avoiding further damage to the EPES/SG infrastructure. Towards this goal, EMO continuously observes the grid status, aiming to identify islanding cases, and automatically commences the required restoration and management processes, ensuring the real-time operation through the optimal allocation of the network capacity. In more detail, the key functionalities of this component are the following:
- Regulating the local variables of Distributed Energy Resources (DERs) (i.e., voltage and frequency), to achieve high power quality that leads to fewer losses and results in more robust islands in terms of load-balancing capabilities.
- Maintaining the stability of the electrical grid and balancing the available energy of the islands.
- Managing load shedding, including decisions on when, where, and how much load should be shed according to the priorities at each island, in order to mitigate the impact to the end-users.
- Computing the energy exchange feasibility within the islands, after receiving the trading requests from the Blockchain-based Energy Trading System.
At its core, EMO consists of two modules, the first responsible for the economic management of the power flow between the DERs and the second undertaking to control the voltage-reactive and the frequency-active power, based on a hybrid multi-agent system that optimally allocates the requested energy between the units.
3.3.4. Blockchain-Based Energy Trading System
The Blockchain-based Energy Trading System is placed on top of SDN-SELF and aims to secure transactions taking place among the islanded parts of the EPES/SG. In more detail, it consists of two modules, namely the e-auction module and the Blockchain-based Intrusion and Anomaly Detection (BIAD) module. The e-auction module establishes secure and trustworthy networks among the parties involved in energy transactions, including consumers and prosumers and Energy Service Company Organisations that manage the financial transactions. The Vickrey-Clarke-Groves (VCG) [47] mechanism is adopted by e-auction with the aim to reveal the actual valuations of the users' bids by concealing the bids submitted by other users. The communication among the participants is performed through a fabric blockchain network based on the Hyperledger Fabric. Finally, the status of each participating device (e.g., smart meters) is monitored by BIAD. In particular, BIAD constitutes an XL-SIEM detector, which monitors the integrity of the various logs, transmitting the corresponding security logs to XL-SIEM.
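The VCG property the e-auction relies on, as an added worked example that is not the e-auction module's code: a sealed-bid allocation of identical energy blocks computes each winner's payment from the Clarke pivot formula, each participant only learns its own result, and a check shows that declaring the true valuation is a best response. Bidder names, values and the one-block-per-bidder demand are assumptions constructed for the example.

```python
"""Added example (not the e-auction module's code): sealed-bid VCG allocation
of identical energy blocks among prosumers, with a check that reporting the
true valuation is a best response. Names and values are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Bid:
    bidder: str
    value: float  # declared willingness to pay for one block (e.g. EUR per kWh block)


def _welfare(bids: list[Bid], units: int) -> float:
    """Declared value of the efficient allocation: the `units` highest bids win."""
    return sum(sorted((b.value for b in bids), reverse=True)[:units])


def vcg_outcome(bids: list[Bid], units: int) -> dict[str, float]:
    """Return {winner: payment}. The payment is the Clarke pivot: the welfare the
    other bidders lose because this winner is present. With one block per bidder
    this equals the highest losing bid, but the general formula is kept so that
    the mechanism itself, not the shortcut, is what the reader sees."""
    ordered = sorted(bids, key=lambda b: (-b.value, b.bidder))  # name breaks ties
    winners = ordered[:units]
    total = _welfare(bids, units)
    payments: dict[str, float] = {}
    for w in winners:
        others = [b for b in bids if b.bidder != w.bidder]
        payments[w.bidder] = _welfare(others, units) - (total - w.value)
    return payments


def receipts(bids: list[Bid], units: int) -> dict[str, dict]:
    """What each participant is told: its own result only, never the other bids."""
    payments = vcg_outcome(bids, units)
    return {b.bidder: {"won": b.bidder in payments, "pays": payments.get(b.bidder, 0.0)}
            for b in bids}


def utility(true_value: float, declared: float, others: list[Bid], units: int,
            name: str = "me") -> float:
    """Net gain of a bidder with `true_value` who declares `declared` against `others`."""
    payments = vcg_outcome(others + [Bid(name, declared)], units)
    return true_value - payments[name] if name in payments else 0.0


def truthful_is_best_response(true_value: float, others: list[Bid], units: int,
                              candidates: list[float]) -> bool:
    """True if no candidate misreport beats declaring the true value."""
    best = max(utility(true_value, d, others, units) for d in candidates)
    return utility(true_value, true_value, others, units) >= best


if __name__ == "__main__":
    others = [Bid("B", 8.0), Bid("C", 6.0), Bid("D", 3.0)]   # constructed sealed bids
    print(receipts(others + [Bid("A", 10.0)], units=2))
    for declared in (5.0, 7.0, 10.0, 20.0):
        print(f"A true=10 declares {declared}: utility {utility(10.0, declared, others, 2)}")
```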
3.4. SDN Controller
The SDN-C undertakes to program the underlying intermediary network devices (i.e., SDN switches) according to the instructions from the Application Plane, using OpenFlow v1.3. Based on the Ryu SDN controller [48], the SDN-C is a multi-modular application that deploys multiple modules that extend the Ryu functionalities. In particular, SDN-C integrates the following new modules: (a) simpleswitch_enhanced, and (b) the ZooClient module. In more detail, the simpleswitch_enhanced module undertakes to reactively fill the OpenFlow tables of the underlying SDN switches. In comparison to the original Ryu implementation, the enhanced reactive application of SDN-microSENSE keeps a record of source MAC addresses and ingress ports of Ethernet frames; therefore, the SDN-C can detect cases of broadcast storms and insert the corresponding OpenFlow rules to prevent them. The loop-free topology relies on EDAE in order to apply optimisations and enable redundant paths.
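The record of source MAC addresses and ingress ports described above, as an added controller-side model that is not the project's simpleswitch_enhanced code: a learning switch that flags a broadcast storm when one source MAC re-enters the switch on more than one port, or one port exceeds a broadcast budget, and returns a plain-data stand-in for the OpenFlow drop rule. The class, thresholds and the FlowMod dict are assumptions for the example; a real Ryu application would build OFPFlowMod objects instead.

```python
"""Added example (not SDN-microSENSE code): learning-switch state with
broadcast-storm detection, modelled after the record of source MAC
addresses and ingress ports that the text describes. Thresholds, class
names and the plain-data FlowMod are assumptions for this illustration."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class PacketIn:
    """The fields a packet-in handler needs from an OpenFlow PACKET_IN."""
    dpid: int
    in_port: int
    src: str
    dst: str
    ts: float  # seconds, e.g. time.monotonic() in a real controller


@dataclass
class FlowMod:
    """Plain-data stand-in for an OpenFlow FLOW_MOD (Ryu would use OFPFlowMod)."""
    dpid: int
    match: dict
    actions: list  # an empty action list means drop
    priority: int
    idle_timeout: int = 0


class EnhancedSwitchModel:
    def __init__(self, window: float = 1.0, max_ports_per_mac: int = 1,
                 max_bcast_per_port: int = 50) -> None:
        self.window = window
        self.max_ports_per_mac = max_ports_per_mac    # a host should appear on one port
        self.max_bcast_per_port = max_bcast_per_port  # broadcast packet-ins per window
        self.mac_to_port: dict[int, dict[str, int]] = defaultdict(dict)
        self.ingress_hist: dict[tuple[int, str], deque] = defaultdict(deque)  # (ts, port)
        self.bcast_hist: dict[tuple[int, int], deque] = defaultdict(deque)    # ts
        self.blocked: set[tuple[int, int]] = set()

    def _prune(self, dq: deque, now: float, stamp=lambda item: item) -> None:
        """Drop history entries that fell out of the sliding window."""
        while dq and now - stamp(dq[0]) > self.window:
            dq.popleft()

    def _storm(self, pkt: PacketIn) -> bool:
        hist = self.ingress_hist[(pkt.dpid, pkt.src)]
        self._prune(hist, pkt.ts, stamp=lambda item: item[0])
        ports_seen = {port for _, port in hist}
        bc = self.bcast_hist[(pkt.dpid, pkt.in_port)]
        self._prune(bc, pkt.ts)
        # Either the same source re-enters the switch on other ports (a forwarding
        # loop) or a single port floods broadcasts above the per-window budget.
        return len(ports_seen) > self.max_ports_per_mac or len(bc) > self.max_bcast_per_port

    def packet_in(self, pkt: PacketIn) -> tuple[str, FlowMod | None]:
        """Return (decision, flow_mod); decision is 'flood', 'forward' or 'drop'."""
        key = (pkt.dpid, pkt.in_port)
        if key in self.blocked and pkt.dst == BROADCAST:
            return "drop", None  # the drop rule is already installed on this port
        self.ingress_hist[(pkt.dpid, pkt.src)].append((pkt.ts, pkt.in_port))
        if pkt.dst == BROADCAST:
            self.bcast_hist[key].append(pkt.ts)
            if self._storm(pkt):
                # Do not learn from a looped frame: it would poison the MAC table.
                self.blocked.add(key)
                rule = FlowMod(pkt.dpid, {"in_port": pkt.in_port, "eth_dst": BROADCAST},
                               actions=[], priority=100, idle_timeout=30)
                return "drop", rule
        self.mac_to_port[pkt.dpid][pkt.src] = pkt.in_port  # normal learning
        if pkt.dst == BROADCAST:
            return "flood", None
        out_port = self.mac_to_port[pkt.dpid].get(pkt.dst)
        if out_port is None:
            return "flood", None  # unknown destination: flood, no rule yet
        rule = FlowMod(pkt.dpid, {"in_port": pkt.in_port, "eth_dst": pkt.dst},
                       actions=[f"output:{out_port}"], priority=10, idle_timeout=60)
        return "forward", rule


def demo() -> list[str]:
    """Constructed loop scenario: host A's broadcast comes back in on port 2."""
    model = EnhancedSwitchModel()
    host_a = "00:11:22:33:44:01"
    frames = [PacketIn(1, 1, host_a, BROADCAST, 0.00),
              PacketIn(1, 2, host_a, BROADCAST, 0.01),
              PacketIn(1, 2, host_a, BROADCAST, 0.02)]
    return [model.packet_in(f)[0] for f in frames]


if __name__ == "__main__":
    print(demo())
```

Hosts that legitimately move between ports inside the window would also trip the port-based check, which is why the window is short and the drop rule carries an idle timeout.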
4. SDN-microSENSE Use Cases and Implementation Considerations
SDN-microSENSE intends to address security and privacy requirements that cover the whole energy value chain, involving traditional electricity generators, Transmission System Operators (TSOs), Distribution System Operators (DSOs), DER operators and prosumers. The full potential of the proposed architecture is demonstrated and validated through six use cases/pilots that address various cybersecurity requirements in the area of EPES/SG:
Use Case 1 - Investigation of Versatile Cyberattack Scenarios and Methodologies Against EPES: This use case deals with a variety of cybersecurity threats against substations, including station and process buses.
Use Case 2 - Massive False Data Injection Cyberattack Against State Operation and Automatic Generation Control: This use case focuses on false-data injection attacks against the whole energy value chain, including generation (power plants), TSO and DSO substation architectures as well as smart metering infrastructures.
Use Case 3 - Large-scale Islanding Scenario Using Real-life Infrastructure: The third use case treats the aftermath of a cyberattack or critical failure that results in an unbalanced grid. The SDN-microSENSE platform acts as a decision support system for the TSO in order to decide on intentionally islanding segments of the affected grid or to shed redundant load in order to balance energy demand and supply [49].
Use Case 4 - EPES Cyber-defence against Coordinated Attacks: This use case aims to evaluate the SDN-microSENSE platform against the detection and mitigation of coordinated cyberattacks, taking place in substations.
Use Case 5 - Distribution Grid Restoration in Real-world PV Microgrids: This use case deals with the detection and mitigation of cyberthreats occurring in the industrial network of a real photovoltaic station.
Use Case 6 - Realising Private and Efficient Energy Trading among PV Prosumers: This use case realises the decentralized energy trading environment that SDN-microSENSE proposes, by involving PV prosumers.
Unarguably, the SDN technology is one of the main enablers that pave the way to a holistic cybersecurity solution that addresses detection and mitigation of cyberthreats. However, it should be noted that SDN introduces new organisational and technical challenges for potential end-users.
First of all, the required technologies (e.g., OpenFlow) require replacement or upgrade of the intermediary network equipment. On top of that, compatibility and vendor integration issues may arise due to vendor-specific implementations that deviate from the standards. Moreover, the IT personnel needs to have specialized knowledge on SDN in order to troubleshoot network issues caused by the SDN control. To sum up, despite its benefits on network management, SDN may introduce unforeseen technical and managerial complications, increase financial costs during adoption, and possibly be rejected by the management if the drawbacks outweigh the benefits [50].
Understanding the concerns of EPES/SG operators on ensuring business continuity, SDN-microSENSE intends to alleviate the drawbacks of SDN by providing unique optimisation and network security options (e.g., detection and isolation of cyberthreats at the access layer [51]), which would be unavailable without the SDN technology. Moreover, business continuity is ensured since the coordination of multiple SDN-Cs employed by SDN-microSENSE prevents the single point of failure caused by software failures or cyberattacks against the Controller Plane.
5. Conclusions
The rise of the IIoT transforms the typical EPES model into a new digital era, thus introducing multiple benefits. However, this progression creates severe cybersecurity and privacy issues. This paper presents the SDN-microSENSE architecture, which introduces a set of cybersecurity and privacy mechanisms under the umbrella of the SDN technology. SDN-microSENSE defines three main frameworks: S-RAF, XL-EPDS and SDN-SELF. S-RAF applies a collaborative and dynamic risk assessment, thus determining the risk related to each security event and alert. The security events and alerts are generated by XL-EPDS via advanced intrusion detection and correlation mechanisms. Finally, SDN-SELF introduces a set of mitigation and energy management actions that can ensure the normal operation of the EPES/SG organisations.
Author Contributions: Conceptualization, P.R.G., P.S., C.D., T.L.; Methodology, I.L.P., R.T.B., R.D.; Software, P.R.G., P.S., C.D., Y.S., G.E., T.L., A.S. (Achilleas Sesis), A.S. (Antonios Sarigiannidis), R.T.B., D.P., S.A.M., G.L., A.P., T.K., A.D., O.M., A.C.S., P.P.S., J.L.D.-G., M.E., M.M.A., B.C., F.R.; Investigation, P.R.G., P.S., C.D., Y.S., G.E., T.L., A.S. (Achilleas Sesis), A.S. (Antonios Sarigiannidis), R.T.B., D.P., S.A.M., G.L., A.P., T.K., A.D., O.M., A.C.S., P.P.S., J.L.D.-G., M.E., M.M.A., B.C., F.R.; Validation, V.G., S.K., H.C.B., D.-E.A., R.G.; Resources, N.P.; Writing—Original Draft Preparation, P.R.G., C.D., Y.S.; Writing—Review & Editing, P.R.G., C.D., Y.S., T.R.; Supervision, P.S., T.L.; Project Administration, A.A. All authors have read and agreed to the published version of the manuscript.
Funding: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 833955.
Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.
Data Availability Statement: Not applicable.
Acknowledgments: This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 833955.
Conflicts of Interest: The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.
Abbreviations
The following abbreviations are used in this manuscript:
ABOD Angle-Based Outlier Detection
ADT Attack Defence Tree
APT Advanced Persistent Threat
BIAD Blockchain-based Intrusion and Anomaly Detection
CVE Common Vulnerabilities and Exposures
CVSS Common Vulnerability Scoring System
DAS Distribution Automation System
DDoS Distributed Denial-of-Service
DERs Distributed Energy Resources
DNP3 Distributed Network Protocol 3
DSO Distribution System Operator
EDAE Electric Data Analysis Engine
EMO rEstoration Machine-learning framewOrk
EPES Electrical Power and Energy Systems
GOOSE Generic Object Oriented Substation Event
HM Honeypot Manager
ICD Intelligent Capability Description
ICS Industrial Control System
IDPS Intrusion Detection and Prevention System
IDS Intrusion Detection System
IIM Islanding and optImisation fraMework
IIoT Industrial Internet of Things
IoT Internet of Things
IP Internet Protocol
IT Information Technology
LOF Local Outlier Factor
MAC Medium Access Control
MISP Malware Information Sharing Platform
ML Machine Learning
MQTT Message Queuing Telemetry Transport
NIS Network and Information System
NLP Natural Language Processing
NTP Network Time Protocol
ONF Open Networking Foundation
OPF Overlay Privacy Framework
OVS Open vSwitch
PCA Principal Component Analysis
PDC Phase Data Concentrator
PMU Phasor Measurement Unit
QoS Quality of Service
RFC Request for Comments
SCADA Supervisory Control and Data Acquisition
SCS Synchronisation and Coordination Service
SDN Software-Defined Networking
SDN-C SDN Controller
SDN-SELF SDN-enabled Self-healing Framework
SG Smart Grid
SIEM Security Information and Event Management
SOS Stochastic Outlier Selection
S-RAF SDN-microSENSE Risk Assessment Framework
SVM Support Vector Machine
TCP Transmission Control Protocol
TSO Transmission System Operator
VCG Vickrey-Clarke-Groves
XL-EPDS Cross-Layer Energy Prevention and Detection System
References
1. Tan, S.; De, D.; Song, W.Z.; Yang, J.; Das, S.K. Survey of security advances in smart grid: A data driven approach. IEEE Commun. Surv. Tutor. 2016, 19, 397–422. [CrossRef]
2. Alshamrani, A.; Myneni, S.; Chowdhary, A.; Huang, D. A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities. IEEE Commun. Surv. Tutor. 2019, 21, 1851–1877. [CrossRef]
3. Stellios, I.; Kotzanikolaou, P.; Psarakis, M. Advanced persistent threats and zero-day exploits in industrial Internet of Things. In Security and Privacy Trends in the Industrial Internet of Things; Springer: Berlin/Heidelberg, Germany, 2019; pp. 47–68.
4. Di Pinto, A.; Dragoni, Y.; Carcano, A. TRITON: The First ICS Cyber Attack on Safety Instrument Systems. In Proceedings of the Black Hat USA, Mandalay, LV, USA, 4–9 August 2018; Volume 2018, pp. 1–26.
5. Radoglou-Grammatikis, P.; Siniosoglou, I.; Liatifis, T.; Kourouniadis, A.; Rompolos, K.; Sarigiannidis, P. Implementation and Detection of Modbus Cyberattacks. In Proceedings of the 2020 9th International Conference on Modern Circuits and Systems Technologies (MOCAST), Bremen, Germany, 7–9 September 2020; pp. 1–4.
6. Darwish, I.; Igbe, O.; Saadawi, T. Vulnerability Assessment and Experimentation of Smart Grid DNP3. J. Cyber Secur. Mobil. 2016, 5, 23–54. [CrossRef]
7. Radoglou-Grammatikis, P.; Sarigiannidis, P.; Giannoulakis, I.; Kafetzakis, E.; Panaousis, E. Attacking IEC-60870-5-104 SCADA Systems. In Proceedings of the 2019 IEEE World Congress on Services (SERVICES), Milan, Italy, 8–13 July 2019; Volume 2642, pp. 41–46.
8. Radoglou-Grammatikis, P.I.; Sarigiannidis, P.G.; Moscholios, I.D. Securing the Internet of Things: Challenges, threats and solutions. Internet Things 2019, 5, 41–70. [CrossRef]
9. Kumar, P.; Lin, Y.; Bai, G.; Paverd, A.; Dong, J.S.; Martin, A. Smart grid metering networks: A survey on security, privacy and open research issues. IEEE Commun. Surv. Tutor. 2019, 21, 2886–2927. [CrossRef]
10. Stellios, I.; Kotzanikolaou, P.; Psarakis, M.; Alcaraz, C.; Lopez, J. A survey of iot-enabled cyberattacks: Assessing attack paths to critical infrastructures and services. IEEE Commun. Surv. Tutor. 2018, 20, 3453–3495. [CrossRef]
11. Hassan, M.U.; Rehmani, M.H.; Chen, J. Differential privacy techniques for cyber physical systems: A survey. IEEE Commun. Surv. Tutor. 2019, 22, 746–789. [CrossRef]
12. Karimipour, H.; Dehghantanha, A.; Parizi, R.M.; Choo, K.K.R.; Leung, H. A deep and scalable unsupervised machine learning system for cyber-attack detection in large-scale smart grids. IEEE Access 2019, 7, 80778–80788. [CrossRef]
13. Nguyen, T.; Wang, S.; Alhazmi, M.; Nazemi, M.; Estebsari, A.; Dehghanian, P. Electric Power Grid Resilience to Cyber Adversaries: State of the Art. IEEE Access 2020, 8, 87592–87608. [CrossRef]
14. Radoglou-Grammatikis, P.I.; Sarigiannidis, P.G. Securing the smart grid: A comprehensive compilation of intrusion detection and prevention systems. IEEE Access 2019, 7, 46595–46620. [CrossRef]
15. Rehmani, M.H.; Davy, A.; Jennings, B.; Assi, C. Software defined networks-based smart grid communication: A comprehensive survey. IEEE Commun. Surv. Tutor. 2019, 21, 2637–2670. [CrossRef]
16. Musleh, A.S.; Chen, G.; Dong, Z.Y. A survey on the detection algorithms for false data injection attacks in smart grids. IEEE Trans. Smart Grid 2019, 11, 2218–2234. [CrossRef]
17. Radoglou-Grammatikis, P.; Sarigiannidis, P.; Liatifis, T.; Apostolakos, T.; Oikonomou, S. An overview of the firewall systems in the smart grid paradigm. In Proceedings of the 2018 Global Information Infrastructure and Networking Symposium (GIIS), Thessaloniki, Greece, 23–25 October 2018; pp. 1–4.
18. Li, E.; Kang, C.; Huang, D.; Hu, M.; Chang, F.; He, L.; Li, X. Quantitative Model of Attacks on Distribution Automation Systems Based on CVSS and Attack Trees. Information 2019, 10, 251. [CrossRef]
19. Johnson, P.; Lagerström, R.; Ekstedt, M.; Franke, U. Can the common vulnerability scoring system be trusted? A Bayesian analysis. IEEE Trans. Dependable Secur. Comput. 2016, 15, 1002–1015. [CrossRef]
20. Rios, E.; Rego, A.; Iturbe, E.; Higuero, M.; Larrucea, X. Continuous Quantitative Risk Management in Smart Grids Using Attack Defense Trees. Sensors 2020, 20, 4404. [CrossRef] [PubMed]
21. Radoglou-Grammatikis, P.; Sarigiannidis, P.; Sarigiannidis, A.; Margounakis, D.; Tsiakalos, A.; Efstathopoulos, G. An Anomaly Detection Mechanism for IEC 60870-5-104. In Proceedings of the 2020 9th International Conference on Modern Circuits and Systems Technologies (MOCAST), Bremen, Germany, 7–9 September 2020; pp. 1–4.
22. Radoglou-Grammatikis, P.; Sarigiannidis, P.; Efstathopoulos, G.; Karypidis, P.A.; Sarigiannidis, A. DIDEROT: An intrusion detection and prevention system for DNP3-based SCADA systems. In Proceedings of the 15th International Conference on Availability, Reliability and Security, Virtual Event, Ireland, 25–28 August 2020; pp. 1–8.
23. Tsoukalos, M. Using tshark to watch and inspect network traffic. Linux J. 2015, 2015, 1.
24. Habibi Lashkari, A.; Draper Gil, G.; Mamun, M.S.I.; Ghorbani, A.A. Characterization of Tor Traffic using Time based Features. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy, Porto, Portugal, 19–21 February 2017; SCITEPRESS—Science and Technology Publications: Porto, Portugal, 2017; pp. 253–262. [CrossRef]
25. Manso, P.; Moura, J.; Serrão, C. SDN-based intrusion detection system for early detection and mitigation of DDoS attacks. Information 2019, 10, 106. [CrossRef]
26. Pfaff, B.; Pettit, J.; Koponen, T.; Jackson, E.; Zhou, A.; Rajahalme, J.; Gross, J.; Wang, A.; Stringer, J.; Shelar, P.; et al. The Design and Implementation of Open vSwitch. In 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15); USENIX Association: Oakland, CA, USA, 2015; pp. 117–130.
27. Radoglou-Grammatikis, P.; Sarigiannidis, P.; Iturbe, E.; Rios, E.; Martinez, S.; Sarigiannidis, A.; Eftathopoulos, G.; Spyridis, I.; Sesis, A.; Vakakis, N.; et al. SPEAR SIEM: A Security Information and Event Management system for the Smart Grid. Comput. Netw. 2021, 193, 108008. [CrossRef]
28. Efstathopoulos, G.; Grammatikis, P.R.; Sarigiannidis, P.; Argyriou, V.; Sarigiannidis, A.; Stamatakis, K.; Angelopoulos, M.K.; Athanasopoulos, S.K. Operational data based intrusion detection system for smart grid. In Proceedings of the 2019 IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), Limassol, Cyprus, 11–13 September 2019; pp. 1–6.
29. Lazaridis, G.; Papachristou, K.; Drosou, A.; Ioannidis, D.; Chatzimisios, P.; Tzovaras, D. On the Potential of SDN Enabled Network Deployment in Tactical Environments. In IFIP Advances in Information and Communication Technology; Springer: Berlin/Heidelberg, Germany, 2021; pp. 252–263.
30. Charalampos-Rafail, M.; Thanasis, K.; Vasileios, V.; Dimosthenis, I.; Dimitrios, T.; Panagiotis, S. Cyber Attack Detection and Trust Management Toolkit for Defence-Related Microgrids. In IFIP Advances in Information and Communication Technology; Springer: Berlin/Heidelberg, Germany, 2021; pp. 240–251.
31. Sun, Z.; Spyridis, Y.; Lagkas, T.; Sesis, A.; Efstathopoulos, G.; Sarigiannidis, P. End-to-End Deep Graph Convolutional Neural Network Approach for Intentional Islanding in Power Systems Considering Load-Generation Balance. Sensors 2021, 21, 1650. [CrossRef]
32. Ivanova, A.; Paradell, P.; Domínguez-García, J.L.; Colet, A. Intentional Islanding of Electricity Grids Using Binary Genetic Algorithm. In Proceedings of the 2020 2nd Global Power, Energy and Communication Conference (GPECOM), Izmir, Turkey, 20–23 October 2020; pp. 297–301.
33. Leshem, S.; Trafford, V. Overlooking the conceptual framework. Innov. Educ. Teach. Int. 2007, 44, 93–105. [CrossRef]
34. SDN Architecture; Technical Report for SDN ARCH 1.0 06062014; Open Networking Foundation: Palo Alto, CA, USA, 2014.
35. Overview of RFC7426: SDN Layers and Architecture Terminology–IEEE Software Defined Networks. Available online: https://sdn.ieee.org/newsletter/september-2017/overview-of-rfc7426-sdn-layers-and-architecture-terminology (accessed on 27 April 2021).
36. Holz, T.; Raynal, F. Detecting honeypots and other suspicious environments. In Proceedings of the Sixth Annual IEEE SMC Information Assurance Workshop, West Point, NY, USA, 15–17 June 2005; pp. 29–36.
37. Diamantoulakis, P.; Dalamagkas, C.; Radoglou-Grammatikis, P.; Sarigiannidis, P.; Karagiannidis, G. Game Theoretic Honeypot Deployment in Smart Grid. Sensors 2020, 20, 4199. [CrossRef] [PubMed]
38. Kotsiopoulos, T.; Sarigiannidis, P.; Ioannidis, D.; Tzovaras, D. Machine Learning and Deep Learning in Smart Manufacturing: The Smart Grid Paradigm. Comput. Sci. Rev. 2021, 40, 100341. [CrossRef]
39. Markopoulou, D.; Papakonstantinou, V.; de Hert, P. The new EU cybersecurity framework: The NIS Directive, ENISA’s role and the General Data Protection Regulation. Comput. Law Secur. Rev. 2019, 35, 105336. [CrossRef]
40. Qu, Y.; Liu, X.; Jin, D.; Hong, Y.; Chen, C. Enabling a Resilient and Self-healing PMU Infrastructure Using Centralized Network Control. In Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Tempe, AZ, USA, 21 March 2018; ACM: Tempe, AZ, USA, 2018; pp. 13–18. [CrossRef]
41. Pham, T.A.Q.; Hadjadj-Aoul, Y.; Outtagarts, A. Deep reinforcement learning based qos-aware routing in knowledge-defined networking. In Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering; Springer: Berlin/Heidelberg, Germany, 2018; pp. 14–26.
42. Rezaee, M.; Yaghmaee Moghaddam, M.H. SDN-Based Quality of Service Networking for Wide Area Measurement System. IEEE Trans. Ind. Inform. 2020, 16, 3018–3028. [CrossRef]
43. Hong, J.B.; Yoon, S.; Lim, H.; Kim, D.S. Optimal Network Reconfiguration for Software Defined Networks Using Shuffle-Based Online MTD. In Proceedings of the 2017 IEEE 36th Symposium on Reliable Distributed Systems (SRDS), Hong Kong, China,
26–29 September 2017; pp. 234–243. [CrossRef]
44.
Wang, M.; Liu, J.; Mao, J.; Cheng, H.; Chen, J.; Qi, C. RouteGuardian: Constructing secure routing paths in software-defined
networking. Tsinghua Sci. Technol. 2017,22, 400–412. [CrossRef]
45.
Mambrini, A.; Izzo, D. PaDe: A Parallel Algorithm Based on the MOEA/D Framework and the Island Model. In Parallel Problem
Solving from Nature – PPSN XIII; Springer International Publishing: Berlin/Heidelberg, Germany, 2014; pp. 711–720. [CrossRef]
46.
Izzo, D.; Ruci ´nski, M.; Biscani, F. The Generalized Island Model. In Parallel Architectures and Bioinspired Algorithms; Springer:
Berlin/Heidelberg, Germany, 2012; pp. 151–169. [CrossRef]
47.
Sessa, P.G.; Walton, N.; Kamgarpour, M. Exploring the Vickrey-Clarke-Groves Mechanism for Electricity Markets. IFAC-
PapersOnLine 2017,50, 189–194. [CrossRef]
48. Ryu SDN Framework. Available online: https://ryu-sdn.org/ (accessed on 6 July 2021).
49.
Towards Securing Large-Scale Grid Interconnection Infrastructures—SDN microSENSE. Available online: https://www.
sdnmicrosense.eu/ (accessed on 7 July 2021).
50.
Sokappadu, B.; Hardin, A.; Mungur, A.; Armoogum, S. Software Defined Networks: Issues and Challenges. In Proceedings
of the 2019 Conference on Next Generation Computing Applications (NextComp), Mauritius, 19–21 September 2019; pp. 1–5.
[CrossRef]
51.
Campus Network for High Availability Design Guide. Available online: https://www.cisco.com/c/en/us/td/docs/solutions/
Enterprise/Campus/HA_campus_DG/hacampusdg.html (accessed on 7 July 2021).
The rise of microgrids in defence applications, as a greener, more economical and efficient source of energy and the consequential softwarization of networks, has led to the emerge of various cyber-threats. The danger of cyber-attacks in defence microgrid facilities cannot be neglected nor undermined, due to the severe consequences that they can cause. To this end, this paper presents a cyberattack detection and cyber attack severity calculation toolkit, with the aim to provide an end-to-end solution to the cyberattack detection in defense IoT/microgrid systems. Concretely, in this paper are presented and evaluated the SPEAR Visual Analytics AI Engine and the SPEAR Grid Trusted Module (GTM) of the SPEAR H2020 project. The aim of the Visual Analytics AI Engine is to detect malicious action that intend to harm the microgrid and to assist the security engineer of an infrastructure to easily detect abnormalities and submit security events accordingly, while the GTM is responsible to calculate the severity of each security event and to assigns trust values to the affected assets of the system. The accurate detection of cyber-attacks and the efficient reputation management, are assessed with data from a real smart home infrastructure with an installed nanogrid, after applying a 3-stage attack against the MODBUS/TCP protocol used by some of the core nanogrid devices.