2023 | OriginalPaper | Chapter

SOAR4DER: Security Orchestration, Automation, and Response for Distributed Energy Resources

Authors : Jay Johnson, C. Birk Jones, Adrian Chavez, Shamina Hossain-McKenzie

Published in: Power Systems Cybersecurity

Publisher: Springer International Publishing


Abstract

Monitoring data and control functionality exposed by interoperable photovoltaic (PV) inverters and other Distributed Energy Resources (DER) can be used to improve site maintenance, prognostics, and grid operations. Unfortunately, DER communications also present attack vectors which could lead to power system impacts. Since adversary capabilities continually improve, avoiding catastrophic consequences requires intelligent intrusion detection and remediation systems that consider both physical and cyber features. New Security Orchestration, Automation, and Response (SOAR) technologies are equipping cyber-defenders with new capabilities to autonomously respond to network- and host-based system alerts, threat hunting results, and cyber intelligence data streams. In this chapter, we present a novel SOAR approach for DER systems, called SOAR4DER, that ingests data from multiple Intrusion Detection Systems (IDSs) to quickly block attacks and revert DER systems to known good states. Our implementation used a collection of IDS technologies on a Bump-in-the-Wire (BITW) device which incorporated physical and cyber data to detect abnormal and potentially malicious behaviors. Multiple SOAR playbooks then used the IDS data streams to automatically defend the system. Laboratory testing of the SOAR4DER system showed detection and response times under 30 s for all adversary reconnaissance operations, denial-of-service attacks, malicious Modbus commands, brute force logins, and machine-in-the-middle attacks.
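The abstract describes the SOAR pattern in outline: alerts from several IDSs arrive on one stream, a playbook keyed on the alert type decides the response, and the two response primitives are blocking the offending source and reverting the DER to a known good configuration. The following Python is an added illustration of that loop and is not SOAR4DER's code; the alert JSON schema, the playbook table, the SunSpec-style register names in KNOWN_GOOD_SETTINGS and the sample alert lines are all constructed for the example. It also shows two practical details the abstract does not spell out: responses are idempotent (a source already blocked is not blocked again when a second IDS reports it), and alert types with no playbook are escalated to an analyst rather than acted on automatically.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical known-good DER configuration (SunSpec-style register names, constructed).
KNOWN_GOOD_SETTINGS = {"WMaxLimPct": 100, "VArPct": 0, "Conn": 1}

# Constructed IDS alert stream (one JSON object per line), as an aggregator on a
# BITW device forwarding network and physical-anomaly detections might emit it.
SAMPLE_ALERTS = """\
{"ts": "2023-01-05T10:00:00Z", "source": "network_ids", "type": "recon_port_scan", "src_ip": "10.0.0.77", "dst_ip": "10.0.0.20"}
{"ts": "2023-01-05T10:00:03Z", "source": "network_ids", "type": "modbus_unauthorized_write", "src_ip": "10.0.0.77", "dst_ip": "10.0.0.20", "register": "WMaxLimPct", "value": 10}
{"ts": "2023-01-05T10:00:05Z", "source": "physical_anomaly", "type": "modbus_unauthorized_write", "src_ip": "10.0.0.77", "dst_ip": "10.0.0.20", "register": "Conn", "value": 0}
{"ts": "2023-01-05T10:00:09Z", "source": "host_ids", "type": "brute_force_login", "src_ip": "10.0.0.78", "dst_ip": "10.0.0.20"}
{"ts": "2023-01-05T10:00:12Z", "source": "network_ids", "type": "unknown_event", "src_ip": "10.0.0.79", "dst_ip": "10.0.0.20"}
"""

# Playbooks: alert type -> ordered response steps (constructed for this example).
PLAYBOOKS = {
    "recon_port_scan": ["block_ip"],
    "denial_of_service": ["block_ip"],
    "brute_force_login": ["block_ip"],
    "machine_in_the_middle": ["block_ip", "revert_all"],
    "modbus_unauthorized_write": ["block_ip", "revert_register"],
}


@dataclass
class Action:
    kind: str             # "block_ip", "revert_setting" or "escalate"
    target: str           # IP address, register name or alert type
    value: object = None  # restored register value for revert_setting


@dataclass
class DerState:
    """What the SOAR engine believes about the DER and the BITW filter."""
    settings: dict = field(default_factory=lambda: dict(KNOWN_GOOD_SETTINGS))
    blocked_ips: set = field(default_factory=set)


def parse_alert(line):
    alert = json.loads(line)
    # "Z" suffix is not accepted by fromisoformat before Python 3.11
    alert["ts"] = datetime.fromisoformat(alert["ts"].replace("Z", "+00:00"))
    return alert


def run_playbook(alert, state):
    """Apply the playbook for one alert, mutate state, return the actions taken."""
    steps = PLAYBOOKS.get(alert["type"])
    if steps is None:
        # No automated response for an unknown alert type: hand it to an analyst
        # so a misclassified event cannot trigger the wrong action on a live DER.
        return [Action("escalate", alert["type"])]
    actions = []
    for step in steps:
        if step == "block_ip":
            ip = alert["src_ip"]
            if ip not in state.blocked_ips:  # idempotent: one block per source
                state.blocked_ips.add(ip)
                actions.append(Action("block_ip", ip))
        elif step == "revert_register":
            reg = alert["register"]
            good = KNOWN_GOOD_SETTINGS[reg]
            if state.settings.get(reg) != good:
                state.settings[reg] = good
                actions.append(Action("revert_setting", reg, good))
        elif step == "revert_all":
            for reg, good in KNOWN_GOOD_SETTINGS.items():
                if state.settings.get(reg) != good:
                    state.settings[reg] = good
                    actions.append(Action("revert_setting", reg, good))
    return actions


def process_stream(lines, handled_at):
    """Ingest JSON-lines alerts, run playbooks, and report per-alert latency."""
    state = DerState()
    report = []
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if "register" in alert:  # the IDS observed this write reach the DER
            state.settings[alert["register"]] = alert["value"]
        actions = run_playbook(alert, state)
        latency = (handled_at - alert["ts"]).total_seconds()
        report.append({"type": alert["type"], "actions": actions, "latency_s": latency})
    return state, report


if __name__ == "__main__":
    # Fixed clock so the run is reproducible; a real engine would use the current time.
    now = datetime(2023, 1, 5, 10, 0, 20, tzinfo=timezone.utc)
    final_state, rows = process_stream(SAMPLE_ALERTS.splitlines(), now)
    for row in rows:
        taken = [(a.kind, a.target) for a in row["actions"]]
        print(f"{row['type']:28s} {row['latency_s']:5.1f} s  {taken}")
    print("blocked:", sorted(final_state.blocked_ips), "settings:", final_state.settings)
```

The per-alert latency column is the quantity the abstract reports as the detection-and-response time; in a deployment the "block_ip" action would become a filter rule on the BITW device and "revert_setting" a write of the known-good value back to the DER, and both should be logged with the alert that triggered them so an analyst can audit automated responses.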


Metadata

Title: SOAR4DER: Security Orchestration, Automation, and Response for Distributed Energy Resources

Authors: Jay Johnson, C. Birk Jones, Adrian Chavez, Shamina Hossain-McKenzie

Copyright Year: 2023

DOI: https://doi.org/10.1007/978-3-031-20360-2_16