Towards Incident Response Orchestration and Automation for the Advanced Metering Infrastructure
Abstract: The threat landscape of industrial infrastructures has expanded exponentially over the last few years. Such infrastructures include services such as the smart meter data exchange that should have real-time availability. Smart meters constitute the main component of the Advanced Metering Infrastructure, and their measurements are also used as historical data for forecasting the energy demand to avoid load peaks that could lead to blackouts within specific areas. Hence, a comprehensive Incident Response plan must be in place to ensure high service availability in case of cyber-attacks or operational errors. Currently, utility operators execute such plans mostly manually, requiring extensive time, effort, and domain expertise, and they are prone to human errors. In this paper, we present a method to provide an orchestrated and highly automated Incident Response plan targeting specific use cases and attack scenarios in the energy sector, including steps for preparedness, detection and analysis, containment, eradication, recovery, and post-incident activity through the use of playbooks. In particular, we use the OASIS Collaborative Automated Course of Action Operations (CACAO) standard to define highly automatable workflows in support of cyber security operations for the Advanced Metering Infrastructure. The proposed method is validated through an Advanced Metering Infrastructure testbed where the most prominent cyber-attacks are emulated, and playbooks are instantiated to ensure rapid response for the containment and eradication of the threat, business continuity on the smart meter data exchange service, and compliance with incident reporting requirements.
- ENISA, “Threat Landscape report,” 2023. [Online]. Available: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023
- Shaked, Avi et. al, “Operations-informed incident response playbooks,” Computers & Security, vol. 134, p. 103454, 2023.
- European Parliament and the Council of the European Union, “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).”
- Mavroeidis, Vasileios, Zych Mateusz, “Cybersecurity playbook sharing with stix 2.1,” arXiv preprint arXiv:2203.04136, 2022.
- Empl, Philip et. al, “Generating ics vulnerability playbooks with open standards,” International Journal of Inf. Sec., pp. 1–16, 2023.
- Zhang, Chunming et. al, “Modeling and defending advanced metering infrastructure subjected to distributed denial-of-service attacks,” IEEE Trans. on Net. Science and Eng., pp. 2106–2117, 2020.
- Nunes, Bruno Astuto A et. al, “A survey of software-defined networking: Past, present, and future of programmable networks,” IEEE Comm. surv. & tutor., 2014.
- Yi, Ping et. al, “A denial of service attack in advanced metering infrastructure network,” in 2014 IEEE ICC.
- A. Lekidis, “Cyber-security measures for protecting epes systems in the 5g area,” in 17th ARES conf., 2022, pp. 1–10.
- Zebari, Rizgar R et. al, “Distributed denial of service attack mitigation using high availability proxy and network load balancing,” in 2020 ICOASE. IEEE, 2020, pp. 174–179.
- Torkura, Kennedy A et. al, “Slingshot-automated threat detection and incident response in multi cloud storage systems,” in 2019 IEEE NCA.
- ISO/TS, “22317:2021 security and resilience - business continuity management systems - guidelines for business impact analysis.”
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Collections
Sign up for free to add this paper to one or more collections.