CAREER: Towards Automated Security Vulnerability and Patch Management for Power Grid Operations
University Of Arkansas, Fayetteville AR
Investigators
Abstract
The power grid is a critical infrastructure for national security, the economy, and daily life, and faces many cybersecurity threats. A proof-of-concept attack hit the Ukraine in 2015, and cut off the power supply to hundreds of thousands of people for several hours. In many successful cyber attacks so far, security vulnerabilities in software have played an important role, exposing systems to attackers who aim to compromise and hence control the system. Vulnerabilities may exist in controllers, meters, circuit breakers, and control computers, and as such, electric utilities usually use vulnerability and patch management to monitor the security vulnerabilities of assets, analyze the remediation and mitigation action for each vulnerability (e.g., applying a patch), and deploy the action to secure the vulnerabilities before attackers exploit them. This remains a heavily manual process in the energy sector, where electric utilities spend a tremendous amount of time on such analyses over a large number of vulnerabilities, and increases the time window in which vulnerabilities are known but not mitigated, putting the system into a high risk of being attacked. This problem has received insufficient attention and has defied commercial solutions. This project will address this problem through automating this analysis process. If successful, it will drastically reduce the human resources and time spent by electric utilities on vulnerability and patch management, and increase the security of the nation's energy infrastructure through mitigating vulnerabilities much more quickly. This project will also develop a training course for security operators in electric utilities and a graduate-level course on vulnerability and patch management. Industry workshops and tutorials on security conferences will be developed to disseminate research discoveries. Undergraduate students and underrepresented students will be involved in the research. This project aims to develop methodologies for automated vulnerability and patch management in electric utilities that can expedite decision making of how to remedy and mitigate security vulnerabilities. It has several research tasks. (i) Develop an automated solution that can predict whether a vulnerability should be patched immediately or mitigated in other ways. A prediction model will be built using machine learning methods to predict human operators' remediation actions for vulnerabilities, and easy-to-verify rationale will be provided so that security operators can validate the predictions if needed. (ii) Design a quantitative approach for automating mitigation action analysis. This task will devise a data flow model to capture the interactions between mitigation actions and system components and the interactions among system components, and formulate mitigation action selection as an optimization problem, where the goal is to minimize the negative impact of the selected mitigation actions for a given set of vulnerabilities to the power grid. (iii) Develop a prototype of the proposed tools and conduct field tests in electric utility partners. (iv) Develop recommendations for the vulnerability and patch management ecosystem, including vendors, third-party services, regulation authorities, and standardization organizations. The recommendations to the whole ecosystem developed in this project aims for a systematic, multi-party approach for mitigating vulnerabilities, offering the potential to transform vulnerability and patch management practices in the energy sector from manual to automated operations. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
View original record on NSF Award Search →