COUNTERMEASURES AGAINST COORDINATED CYBER-ATTACKS TOWARDS POWER GRID SYSTEMS : A systematic literature study

Abstract: A study on countermeasures against coordinated cyber-attacks (CCA) towards power grid systems has been carried out. A coordinated cyber-attack is a cyber-based attack where multiple attackers use multiple attack-mechanisms towards multiple targets in a coordinated fashion. The coordination is based on that the different attack-mechanisms help each other in attacking the target. A CCA is made up of different stages where each stage consists of a number of attack-mechanisms and together have a certain purpose. The different stages are used to systematically advance towards its goal, which is to compromise the operation of internal systems or to steal confidential data. For example, the first stage may be used to locate entry points at the target system, and a second stage may be used to locate vulnerable hosts by sniffing ongoing network activity to further itself towards its attack goal.     Power grids that are used to generate, transmit, and distribute electricity over large geographical areas are connected to the Internet. Within these environments, commercial IT systems have been adopted to control their electrical equipment, which poses cybersecurity risks to the power grid.     Intrusion Detection Systems (IDS) are designed provide internal network protection in case of intruders. However, state-of-the-art IDSs has been found to have certain limitations in protecting against multi-stage and slow attacks. The inadequacy of state-of-the-art IDSs for protecting against CCAs motivates the need to identify alternate countermeasures that can mitigate CCAs, when the target is a power grid system. The method of choice to address this problem in this study is a systematic literature study where 48 countermeasures were identified and assessed to which extent they are suitable to mitigate CCAs. Results suggest to follow three approaches, namely to preemptively identify technical vulnerabilities in the local system, to distribute intrusion detection hosts across a larger network for better situational awareness, and to implement new types of IDS technologies. Countermeasures with references to specific publications are also provided. The study contributes to how security operators of power grids can fulfil the requirement on cybersecurity as demanded by the NIS directive of the European Union regarding protection against CCAs.