Abstract
As the Operational Technology (OT) domain is constantly evolving, innovative approaches are needed to enhance existing cybersecurity systems. By strategically hosting intelligent cybersecurity tools (decoys - ‘Snare and Prowl’) both within and outside the utility network operator’s environment to mimic faux services and targets, internet-based, in-network adversaries, and Advanced Persistent Threats (APTs) are identified and engaged. Moreover, decoy Techniques, Tactics, and Procedures (TTPs) are tracked for attack characterisation based on their Threat Intelligence Profiles (TIPs) and narratives employed to effectively discern the attacker's capability to laterally progress across the network. This poster shares the lessons learned from a proof-of-concept study investigating the capabilities of a cyber deception framework within an operational technology energy network to detect, analyse and alert on internal- and external-facing threats.
In this study, different cyber attack scenarios were emulated in an OT environment with and without cyber deception frameworks. The case study trial is based on server and database attack simulations critical for a more flexible, reliable, resilient, secure and sustainable integrated energy system. In attack scenario 1, breadcrumbs are used to prevent an attempt to attack narrative deployment for Apache and SSH Servers. In the second attack scenario, decoys detect attacks with indicators of intelligence based on privileged access through active port scans. In attack scenario 3, lessons on the impact of network environment changes on the overall system’s security are monitored. In each of the test scenarios, the Common Vulnerabilities and Exposures (CVEs) specific to Distribution Network Operators (DNOs), TTPs leveraged by adversaries, and strategic locations within the DNO network for deception deployment were identified to improve system security.
Original language | English |
---|---|
Number of pages | 1 |
Publication status | Published - 14 May 2024 |
Event | All-Energy & Dcarbonise Exhibition and Conference - SEC, Glasgow, United Kingdom Duration: 15 May 2024 → 16 May 2024 https://www.all-energy.co.uk/en-gb/conference.html |
Conference
Conference | All-Energy & Dcarbonise Exhibition and Conference |
---|---|
Country/Territory | United Kingdom |
City | Glasgow |
Period | 15/05/24 → 16/05/24 |
Internet address |
Keywords
- Cyber Deception
- integrated energy systems
- Attack Simulation
- Defense Mechanisms
Fingerprint
Dive into the research topics of 'Cyber Deception for Integrated Energy Systems: Cyber-Attacks Simulations and Defense Mechanisms'. Together they form a unique fingerprint.
Projects
- 1 Finished
- Evaluation of the capability and benefits of the Lupovis cyber security deception solution within smart grid infrastructures
  Ugwuanyi, S. O. (Principal Investigator)
  1/08/22 → 31/12/23
  Project: Research