A Firewall Optimization for Threat-Resilient Micro-Segmentation in Power System Networks
Abhijeet Sahu, Patrick Wlazlo, Nastassja Gaudet, Ana Goulart, Edmond Rogers, and Katherine Davis

TL;DR
This paper introduces a meta-heuristic method to optimize firewall placement and rules for securing power system networks, specifically targeting cyber-physical infrastructure vulnerabilities in critical electric grids.
Contribution
It proposes a novel meta-heuristic approach for optimal security zone formation and a prototype tool for auto-configuring firewalls in large-scale power systems.
Findings
Optimized security perimeters reduce firewall count and costs.
The approach enhances cyber-physical security in power grids.
Results show improved risk management in synthetic 2000-bus models.
Abstract
Electric power delivery relies on a communications backbone that must be secure. SCADA systems are essential to critical grid functions and include industrial control systems (ICS) protocols such as the Distributed Network Protocol-3 (DNP3). These protocols are vulnerable to cyber threats that power systems, as cyber-physical critical infrastructure, must be protected against. For this reason, the NERC Critical Infrastructure Protection standard CIP-005-5 specifies that an electronic system perimeter is needed, accomplished with firewalls. This paper presents how these electronic system perimeters can be optimally found and generated using a proposed meta-heuristic approach for optimal security zone formation for large-scale power systems. Then, to implement the optimal firewall rules in a large scale power system model, this work presents a prototype software tool that takes the…
Taxonomy
Topics: Network Packet Processing and Optimization · Smart Grid Security and Resilience · Network Security and Intrusion Detection
