Strategic and Intelligent Smart Grid Systems Engineering

Emmanuel Hooper
Harvard-MIT-Yale Cyber Security, USA
ehooper@fas.harvard.edu, ehooper@aya.yale.edu

Abstract
System engineering and smart grid technology The Bulk Generation generates electricity from
faces several challenges in the context of systems renewable and non renewable energy sources in bulk
engineering. First, smart grid development quantities. These sources can also be classified as
technology requires regular analysis and testing of renewable variable sources, such as solar and wind;
its performance in the transition from Supervisory renewable non-variable such as hydro, biomass,
Control and Data Acquisition (SCADA) and the geothermal and pump storage; or no renewable, non-
critical infrastructures it controls and monitors. variable, such as nuclear, coal and gas. It may also
Secondly, smart grid technology is based on several contain energy storage for later distribution (see
premises including the efficiency of renewable Figure 1 below).
energy versus traditional energy sources. Thirdly,
smart grids functions include the potential to provide The Transmission domain carries bulk electricity
accurate real-time prediction of the output energy over power transmission lines over long distances,
for dynamic adjustments of the output based on the connecting the bulk generation to the energy
load demand from consumers. However, none of consumption centers of the smart grid. It also
these address the greater challenge facing recent contains the power system substations; the
developments for the smart grid initiativesnamely, transmission and the distribution substations. It may
intelligence and smart grid performance. The also connect to energy storage facilities and
integration of smart grid with cyber infrastructures alternative distributed energy resources at the
is intended to provide cost-effective deployment and transmission level (see Figure 2 below).
additional features in the functions. This systems
engineering technology however, does not The Distribution domain distributes the electricity
adequately address the intelligent, system design, to and from the end customers. The distribution
data mining and accuracy of feedback input from network connects the smart meters and all intelligent
load demands and cyber-related issues of smart field devices; manages and controls them through a
grids. This is significant for Critical Infrastructure two-way wireless or wire line communications
Protection (CIP), Critical Energy Infrastructure network. It may also connect to energy storage
Information Protection (CII) and Critical Energy facilities and alternative distributed energy resources
Infrastructure Information Protection (CEII) and at the distribution level (see Figure 3 below).
Data Privacy for Transmission of Sensitive Data.

1. Introduction

The broader impact of the critical research and elated

datasets will address the following challenges:

Global Impact of Research on Cybersecurity

and Smart Grid
Regulatory Compliance
Government
Critical Infrastructure- Smart Grid and
Renewable Energy

The following recent IEEE and NIST standards on Figure 1. Smart Grid Conceptual Model
Smart Grid demonstrates the conceptual model: IEEE/NIST Smart Grid Framework
Smart Grid Conceptual Model: IEEE/NIST Smart Bulk Generation
Grid Framework:
 with all other domains and makes sure they are
coordinated in a competitive market environment.
The markets also handles the energy information
clearinghouse operation and information exchange
with third party service providers, like the inter
utility plug-in-vehicle roaming billing information
(see Figure 6 below).

Service Provider domain handles all third party

operations within the domains, such as the end
customers energy efficiency management through
energy web portals, data exchange for energy
Figure 2. Smart Grid Conceptual Model - management between customer and the utilities, and
IEEE/NIST Smart Grid Framework the electricity supplied to homes and buildings. It
The Transmission may also manage other utilities processes such as
demand response programs, outage management and
field services (see Figure 7 below).

2. Intellectual Merits
The intellectual merits of this inter-disciplinary
research includes the enhancement of US National
Security and legal, regulations, technology, and its
impact on related areas of financial, economic,
business, employment, insurance, medical, health
and renewable energy critical infrastructures,
Figure 3. Smart Grid Conceptual Model including the smart grid and cyber security.
IEEE/NIST Smart Grid Framework Furthermore, it will enhance collaboration between
The Distribution DOD and academia, including the Minerva initiative,
education, government, leadership, economics,
Customer consists of the end users (home, ethical standards, governance, compliance, and
commercial/building, and industrial) of electricity public policy development. The research will include
connected to the electric distribution network both exploration and development of strategic and
through the smart meters. The smart meters control effective solutions to address the emerging
and manage the flow of electricity to and from the challenges of 21st century global for US national
customers and provides energy information about security, intelligence, counter-intelligence and
energy usage and patterns. Each customer has its academia, industry and the society at large.
own domain comprised of electricity premise and
two way communications networks. It may also 3. New Approach for Critical
generate, store, and manage the use of energy and the Infrastructure Security
connectivity with plug-in-vehicles (see Figure 4
below). The research develop new effective approaches
of traceback and traceability for malicious activities
The Operations dimension manages and control the in critical information, cyber security and privacy
electricity flow of all other domains. It uses a two- transaction during data transfer of highly sensitive
way communications network to connect to data containing private at intermediary points of
substations, customer premises networks and other global critical infrastructures. The new approach will
intelligent field devices, providing monitoring, be successful and effective since the techniques and
reporting, controlling and supervision status and mechanisms for traceability examine relevant
important process information decision. Business attributes features at intermediary stages of data
intelligence processes gathers data from the customer transactions of the critical infrastructure. This is
and network and provides intelligence to support the followed by filtering for maximum occurrence of
decision making (see Figure 5 below). features pertaining to characteristics of normal and
abnormal transactions. These attributes are mined
Markets domain operates and coordinates the using hybrid data mining algorithms to identify
participants in electricity markets. It provides the unique classes in the traceability matrix for security
market management, the wholesaling, the retailing and privacy. The uniqueness in this approach for
and trading of energy services operation. It interfaces
traceability includes identification of both class-
specific feature attribute for specific traceability
patterns and classless attributes for suspicious,
unknown or unidentified transaction traces of events.
This includes a combination of data mining
algorithms in developing the traceability matrix for
each type of data transaction to determine the class,
group, category, subcategory, type or classless type
of activities at all intermediary nodes in the critical
cyber infrastructure.

3.1. Intellectual Merits and Broader Impacts

Figure 6. Smart Grid Conceptual Model
The intellectual merit of the research includes IEEE/NIST Smart Grid Framework
contributions to both research and development The Market

Figure 7. Smart Grid Conceptual Model

IEEE/NIST Smart Grid Framework
The Service Provider
Figure 4. Smart Grid Conceptual Model
IEEE/NIST Smart Grid Framework of effective solutions to the major emerging and
The Customer rapidly increasing problems of astute cyber data
transaction evasive and malicious activities in
complex infrastructures with sensitive, security and
private data applications. This research will enhance
traceback and traceability analysis, forensics and
effective design of complex information
infrastructures, cyber security, privacy and protection
design. The broader impacts resulting from the
research include effective solutions to the
challenging and rapidly increasing problems of
evasive and intelligent attacks that face cyber
security and protection consisting of complex
information infrastructures that carry data-intensive
applications. The research will provide efficient,
robust, scalable, adaptable, accurate and effective
intelligent counter-attack solutions in both real-time
Figure 5. Smart Grid Conceptual Model - responses and offline forensic analysis for enhanced
IEEE/NIST Smart Grid Framework cyber security, counter-terrorism to combat cyber-
The Operations crime, identity theft in global data transfer and
countermeasures in Critical Information
Infrastructures.

4. Research Method
The research methodology consists of effective
traceability and traceback techniques. The first step
consists of relevant data acquisition and extraction fitness function [6, 9] were used for traceback and
from monitoring and filtering detection mechanisms analysis of categories and subcategories of anomaly
of counter-intelligence for evasive interceptions of patterns. For traceback of subtle and complex attacks
highly sensitive data considered secure information a Framework of Hybrid consisting of Rule Induction
at intermediary points of critical infrastructures. using Holtes 1R rule [4] and Statistical Analysis [5]
Secondly, we extract these relevant feature attributes, were applied via the Rosetta toolset [6], followed by
classes, subclasses pertaining to the security and filtering for maximum support of conditional
privacy of data transactions to generate a traceability attributes to increase accuracies. Various cases of
matrix for cyber forensics in critical information classes were selected at random and algorithms were
infrastructure applications and databases. Thirdly, we applied to each class type. This produces a set of
use a combination of data mining algorithms to decision rules or general patterns via minimal
design a traceability matrix for each type of data attribute subsets that distinguish on a per object
transaction: class, group, category, subcategory, type basis. This is followed by filtering rules with
or classless type of activities at each intermediary maximum support for each transaction in order to
points of the critical cyber infrastructure to identify obtain an optimum set of conditions for each ruleset
security levels. This comprises aggregation, for class, group, category, subcategory, type or
correlation and data mining using hybrid algorithms classless type of activities at each intermediary node
to identify unique characteristics of each type of data in the critical cyber infrastructure. This was followed
transaction and their associated security. This by development of matrix - table of conditions for
ensures effective traceback and traceability matrix to each attribute in rulesets. Subsequently, for each
indicate the real extent of security and privacy in attribute value item, if-then rules were developed
anonymization during data transactions in the critical based on the attribute values each conditional ruleset.
information infrastructure. Finally we use the results A program was written using the conditional rules
to implement and enforce future traceability, from the Table (Matrix) of rulesets for each class of
auditing, logging and filtering of security and the specfied cases in the training data. Finally, there
privacy feature attribute matrices. These are was validation of the accuracies of traceback and
applicable towards effective traceback, traceability, traceability using test data. See summary of results in
transparency and auditability for forensics in cyber Table 1.
and critical infrastructure networks, applications and
databases. 5.2. Research Results

5. Research Experiments The preliminary research results for traceback

accuracies using various data mining techniques are
The research experiments analyze real network shown in Table 1.
traffic in a commercial environment consisting of
Intrushield IDS [7]. The experiment consists of 5.3. Eective Traceback and Identication of
traceback data mining; collection and analysis in a Hybrid Data Mining of Intelligence on
network environment comprising the following Cyber Security
architecture (see Figure 8). The cumulative traffic is
diverted to the data mining databases for analysis The research provides effective strategies for
and the results are sent to the traceback database for effective traceback and traceability data mining for
subsequent analysis based on their statuses. The critical information infrastructure networks,
additional remote data transactions are logged, applications and databases security for cyber security
controlled, segregated and filtered using Cisco and privacy. This involves data acquisition of
Secure Access Control Servers (ACS) [1] routers to security and privacy parameters from complex
prevent access to sensitive segments of the internal network infrastructure environments and interfaces.
VPNs. The aggregated logs consist of data and application
server logs, database transactions, and monitoring
5.1. Applying Data Mining Techniques tools and systems including firewalls, intrusion
detection, prevention and response systems, and
The steps in Experimental Methods: Data Mining aggregating systems. Our new approach uses all
Analysis including Classication, Clustering, Genetic these datasets in effective traceback data mining
Algorithm, Pattern Generation and Analysis, Rule analysis to distinguish between normal and unknown
Induction and Statistical Analysis. Data Mining malicious activities by applying data mining
Techniques: The Data Mining Analysis involving algorithms of classification, clustering, rule-
Classification and Genetic Algorithm [6, 9] in induction, heuristics, and genetic algorithms and
Pattern Analysis for known attacks. fuzzy sets analysis. This consists of rigorous, robust
Rule Induction using C5.0 [8], K-means clustering
[2, 3] and the Genetic Algorithm for computing a
 Figure 8. Traceback Using Efficient Data Mining Analysis

Table 1. Results: Traceback Data Mining Techniques Accuracies Summary

Table 2. Results: Adaptive Firewall Packet Filters highly sensitive data. This includes automated
using NQC-IDS test dataset - Remote to traceback analysis of security, privacy, transparency,
Local (R2L) Confusion Matrix Accuracy auditability, traceability, accountability and forensics
Summary on transactions and breaches in cyber and complex
infrastructures for effective homeland security and
counter-intelligence in information infrastructure
protection.

7. References
[1] Cisco Systems Inc. Cisco Secure ACS for
Windows, version 4.0, 2005. San Jose, CA, USA.

and scalable traceback of patterns of astute [2] J. A. Hartigan. Clustering Algorithms. JohnWiley
infrastructure malicious activities. This includes and Sons, Inc., New York, USA, 1975.
effective aggregation and correlation, filtering for
maximum efficiencies and hybrid algorithmic data [3] J. A. Hartigan and M. A. Wong. A k-means
mining for effective traceability in architectures of clustering algorithm. Applied Statistics, 128(3):100
critical information infrastructures using multiple 108, JulySeptember 1979.
protocols, applications and sensitive data for
forensics in cyber security. This section describes the [4] R. C. Holte. Very simple classification rules
results of the effective use of firewall packet filters in perform well on most commonly used datasets.
the intelligent response strategies using the Network Machine Learning, 11:6390, 1993.
Quarantine Channels (NQC) and Hybrid Data
Mining. This results in effective in the final [5] R. C. Holte, A. L., and B. W. Porter. Concept
responses to normal hosts seeking to establish learning and the problem of small disjuncts. In
connections in the internal network and malicious Proceedings of the Eleventh International Joint
intentions and hosts. The packet filters improved the Conference on Artificial Intelligence, pages 813
response capability of the IDS after accurate 818, San Mateo, CA, 1989.
detection of the final status of the packets (see Table
2). [6] A. hrn. Discernibility and Rough Sets in
The results of the experiments are significant Medicine: Tools and Applications. PhD thesis,
since they provide effective responses, reduce false Norwegian University of Science and Technology,
positives and improve the detection and response Department of Computer and Information Science,
capability of the IDS. The test accuracies are 1999. http://www.idi.ntnu.no/ aleks/thesis.
significant as they indicate high detection accuracy
and reduction in false positives. These accuracies [7] Network Associates. McAfee Intrushield IDS:
demonstrate the significance of the strategies in 4000 Series, 2007. Santa Clara, CA, USA.
using adaptive policies and alert filters in the NQC in
reducing false positives and distinguishing between [8] Rulequest Research. Rule Induction with C5.0,
benign connections and actual attacks in real-time. See5/Cubist software, 2005.

6. Conclusion [9] S. Vinterbo and A. hrn. Minimal approximate

hitting sets and rule templates. International Journal
The research provides intelligent techniques for of Approximate Reasoning, 25(2):123143, 2000.
effective cyber and infrastructure security and
forensics. This enables effective traceback data
mining analysis including identification and
forensics for astute, evasive and subversive activities
in emerging cyber infrastructures for effective
security and privacy traceability. The techniques
provide new and effective embedded monitoring and
filtering traceback mechanisms and countermeasures
against evasive interceptions of highly sensitive data
at intermediary points of critical information
infrastructures. This involves hybrid data mining
techniques of traceback, source identification and
forensics of categories, subcategories and attributes
and types for secure transmission interception of