U.S. - Israel Energy Center
Theme 1: CPS Data Preparation
Theme 1 models the Cyber-physical system (CPS) of energy systems and establishes the knowledge database of cyberattacks.
Project 1: Physical Processes as Cybersecurity Assets
Current Industrial Control Systems (ICS) detection technologies are mostly looking at available data gathered from Information Technology (IT) and Operational Technology (OT) systems, without the ability to inspect the technological processes themselves. In Project 1, we address the problem by developing a technology that understands the underlying kinetic/physical processes, digitally representing them, and using them as a baseline that provides analytical context to IT/OT convergence cyber analytics.
Task 1: Realization of advanced energy management applications in T&D
We plan to develop a tool to realize advanced energy management applications in power system transmission and distribution systems. The anticipated applications include system monitoring, observability, and control, which will be attained through the following tasks: advanced topology processor, developing and validating data-driven load, DER and power system models, formulating an advanced state estimation, optimal energy management system, and design and validate system-level control strategies for power systems.
Task 2: Digital representation of physical processes and operational process modelling
It is becoming clear that there is a need to integrate within the detection process, domain knowledge in the form of models that represent the actual operation process. These are difficult tasks since it usually requires the involvement of a domain expert (i.e., CPS engineer) and therefore, cannot scale. In this task, we will develop a method for modeling the physical processes of such an environment and will integrate such knowledge with attack and anomaly detectors.
Task 3: Data collection and aggregation
This task includes the data collection that will be performed by the utility partners with the help of industrial partners. The main purpose is that all the data for analysis should be gathered in the same platform so that all other stakeholders of the project could run their analysis on top of the data lake. The correct way to execute this task is to have a testbed with all relevant data sources. In addition to the testbed, once decided on a “real use case” proof of concept environment, the same adjustments should take place in the destination as well.
Project 2: Knowledge Base Establishment and Representation Learning of Threats
Project 2 deals mostly with addressing known attack vectors and Tools, Techniques, and Procedures (TTPs) by automating threat hunting processes and connecting them with multi-level threat intelligence spouts. Knowledge base that helps formulate viable attack hypotheses through accumulated cyber threat intelligence (CTI) is created for future systems monitoring and control.
Task 4: Multi-level threat intelligence knowledge base.
In this task, we plan to build a comprehensive attack knowledge base spanning multiple levels of abstraction from high-level TTPs, through malware and campaigns, down to the specific IOCs and any telemetry / sensory information that may be relevant according to data fused from major CTI sources.
Task 5: GANs for generating adversarial attacks
This task will develop adversarial examples to evaluate the vulnerability of power system detectors to event-mimicking cyberattacks. To this aim, we consider a traditional attack-defender bilevel linear program with neural network architectures, such as GANs. We also leverage modern optimization algorithms to generate adversarial examples using very few measurements, thereby enabling our studies suitable for real-time decision making.
Task 6: Threat hunting
The task aims to facilitate the OODA (observe, orient, decide, act) loop for threat hunting at the ICS domain. Specifically, we will map the data collected by partners to the common sensor information already mapped in the ICS CTI knowledge base. We will use the ICS CTI knowledge base to identify the events and sensors that need to be monitored in order to increase the accuracy of attack hypotheses generation and CTI based alert correlation. We will also develop algorithms for correlating anomalous events based on their related techniques.
Theme 2: Data Analytics for Monitoring
Theme 2 develops advanced tools and technology for the IT/OT monitoring.
Project 3: Cyberattacks Detection of IT/OT Architecture
In Project 3, we address unknown threats using unique technologies developed specifically for this consortium. This will be accomplished by developing a suite of AI-based solutions working in parallel, to achieve optimally orchestrated defense-in-depth. Moreover, we address the problem of AI Explainability by developing systems that are explainable by design. We also employ the principle of “secure-by-design” by addressing social engineering attack vectors.
Task 7: Malware threats mitigation
Our goal is to design, develop, evaluate, and demonstrate the SCATOPSY, a suite of novel ICS-specific tools for detecting, characterizing, and mitigating a variety of advanced ICS malware attack vectors. SCATOPSY enhances the cybersecurity of operation technology (OT) environments by mitigating ICS malware threats using new models that characterize essential ICS malware behaviors from multiple correlation points.
Task 8: Detect Event Mimicking Attacks
This task will develop a highly efficient PMU and SCADA measurements-driven event detector to detect event-mimicking attacks using modern state-of-the-art machine learning algorithms. The developed detectors can identify key event features using a spatio-temporal footprint in PMU measurements in order to efficiently identify true and events. Furthermore, we will employ visual analytics, to “open the black box” of the developed detectors to help operators understand the anomalous features of the malicious data streams.
Task 9: False data injection
We will adjust framework and algorithmic models to real-time high sampling rate data collected from multiple sites to gain insights into cyberattacks at the power distribution grid. We will also generate Insights from Sensor Data & Process Data received from different assets in the power distribution. In addition, we will design enhanced event detectors that use offline learning algorithms to identify real from fake events. Further, to develop an OT+IT software to enhance existing EMS visualization methods to provide transparency into why detectors perceive an event as a probable cyberattack through false data injection.
Task 10: Multilayer anomaly detection
Our goal in this task is to develop a novel multi-layer anomaly detection framework that integrates multiple data sources. We will develop an innovative multi-layer anomaly detection framework. We will also representing the raw multivariate time series data (MTSD) originated from multiple utility layers and sensors to profile and capture temporal behavior, both benign and malicious (or anomalous). In addition, we will improving the detection of an attack and Anomalous Behavior based on temporal mining of multiple utility sources and layers at the SOC level.
Task 11: AI based Intrusion detection
This task will develop a plug-in to integrate enterprise OT management tools for process control with the ICS NIDS tools that provide evidence of breaches in the cyberinfrastructure that can lead to physical consequences affecting operations. A unique aspect of the algorithms developed will be combining Specification-based ICS NIDS with and Statistical ICS NIDS, using a digital twin to generate labeled data that can train a deep neural network to 1) recognize the source of the attack; 2) approximate an optimum policy that can advise the operators about what are the preferred remedial actions. In this task, we will also develop a tool which will exploit an attacker’s deepfake technology by forcing the model to generate artifacts by pushing its limitations.
Task 12: Explainable cyber AI analytics
The task objective is to use the explanations provided to anomalies revealed by an Autoencoder for other sub-tasks: reducing false-positive anomalies rate, by differentiating between benign and malicious anomalies, and identifying hidden similarities between explanations as a mean to classify anomalies to known threats. An evaluation methodology will be developed to assess the quality of explanations. We will also develop a Temporal-based Explainability module for the Detection Algorithm.
Theme 3: Control and Validation
Theme 3 designs control tools to achieve resilience and robustness in future-proof architecture.
Project 4: Cyber Resilience and Robustness for Control Actions
Whilst projects 2 and 3 dealt with a trusted detection of cybersecurity events in ICS, Project 4 builds further on this assumption of compromise. This project aims to realize cyber resilience and robustness for power system controllers. Here, we develop a technology that would enable a survival capability even under the conditions of an ongoing cyber-attack.
Task 13: Firmware verification
To ensure the security of embedded devices such as PLCs in OT environments, this task proposes to leverage various types of side-channel emissions and apply machine learning techniques to detect zero-day malware intrusions. Specifically, we will design the system architecture, which uses the EMI-based detection framework to stop an attack or recover the monitored device.
Task 14: Cyberattack tolerance
In this task, we will develop BFT++ Toolset and integrate into PLC development environment, allowing the system developer to easily deploy cyberattack resilience technique (BFT++). BFT++ is agnostic to the specificity of cyberattack and hence will tolerate all CPS’ direct cyber exploits; known (n-day) and unknown (0-day).
Task 15: Self-healing and auto-remediation
In this task, we will develop an automatic and collaborative self-healing mechanism for CPS devices. We will also develop a technology allowing better response to a variety of attacks and anomalous behaviors by identifying attacks’ types and their similar variants, by developing an important capability of categorization and identification of the specific attack or anomalous situation, based on prior knowledge and attacks in our repository.
Task 16: Reinforcement learning for CPS control
This task will automate the training of policies that determine how to best respond to attacks to distributed energy resources (DER) using deep reinforcement learning to train the optimum policies.
Project 5: Future-proof Architectures
In Project 5, we look further into the future and ask how we could build a secure ICS facility from scratch, instead of “retrofitting” security into existing solutions. Accordingly, this project aims to realize cyber resilience and robustness for ICS systems, including software and hardware in a holistic security perspective; in order to create a blueprint for secure ICS facilities.
Task 17: ICS security by design
This task focuses on mapping and evaluating the state-of-art ICS security architecture proposals, and creating a secure ICS architecture by design, to be used as a future reference for vendors, energy facilities, engineering, and integration companies, as well as governments and regulators. Such architecture should improve upon current ICS technology and provide secured communication, trust among the participating elements, redundancy, continuous trusted monitoring, and auto-remediation capabilities.
Task 18: Hardware-in-the-loop validation
This task aims to simulate and validate the proposed algorithms through HIL. The task has five steps listed as follows: 1) Set up hardware for HIL test facility; 2) Develop test protocols and detailed test plans; 3) Develop scripts and databases for experiments; 4) Conduct HIL tests for different cyberattack scenarios.; 5) Finalize market transformation and dissemination plan.
Task 19: Innovation, Education, Review, Coordination, and Marketing Programs
This task will create effective programs of the Consortium, including management, communications, innovation programs, education, review, coordination, and exchange programs.