Engineering Security for Energy Systems
Future energy systems have a highly distributed and networked structure. The different components within the overall system interact closely at the ICT level. Attacks and manipulations on the information level (communication or components) can negatively affect the stability of the energy supply. Attack vectors exist in the communication network, in the individual energy system components, and in the network as a whole. To facilitate reliable and secure operation of future Smart Grids (SGs), research questions regarding the IT security of energy systems are addressed in the Energy Lab. The Lab serves to develop and validate methodical and systemic solutions on experimental SG systems. The applied research in the Lab focuses on providing secure and robust methods that are suitable for future energy systems. Internal collaboration with the different subtopics as well as with external partners has been established and will be further sought.
Subtopic 2 “Engineering Security for Energy Systems” (Security Lab Energy) focuses on software security architectures, formal verification of security properties, and enhancing network security by leveraging current networking technology such as Software-Defined Networking (SDN). Furthermore, research in Subtopic 2 seeks to incorporate recommendations from security standards for energy systems. Vulnerabilities in the communication networks as well as in energy components are investigated in order to propose a comprehensive risk assessment model and an adequate threat modeling technique. Countermeasures such as Intrusion Detection Systems (IDSs) and Security Information and Event Management (SIEM) systems, which efficiently monitor, detect, and correlate the different alarms, are developed in order to mitigate the different attack vectors.
One of the connecting subjects is to analyze and quantify/qualify the risk within the future energy systems in order to come up with a comprehensive representation of the developed security concepts within a demonstrator implemented in the Lab. The demonstrator is based on the whole Lab or part of it. It covers concepts to solve a security problem, implements a scenario or a combination of scenarios, and shows the successful use of the developed research results including the different methods such as the IDS or SIEM tools, the SDN concepts, as well as the enhanced security recommendations proposed in the different standards.
Research Area 1 – Vulnerability Analysis in Software, O.S. of PLCs, and other Energy Control Components
Involved PIs: Bernhard Beckert, Veit Hagenmeyer, Anne Koziolek
Active Researchers: Sophie Corallo, Florian Lanzinger
The focus of this Research Area is to identify vulnerabilities in software and hardware, as well as in the communication between energy control components. Investigating known vulnerabilities and discovering new ones is essential for exploring new possibilities. Understanding how vulnerabilities in the network and in the components of Smart Grids (SGs) can be combined by attackers to perpetrate an intrusion is crucial for developing efficient and adapted defense mechanisms. For instance, compromising one resource in a substation may increase the risk of compromising another.
In Research Group "Quantifying Security", Research Area 2 QuAC (Subtopic 1), we are developing an approach to compute a software component’s error probability – the probability that the component will violate its formal specification – based on a probability distribution over its input. We first compute the condition for which the software violates its specification using the software verification tool KeY, and then the probability of this condition using the architecture modeling tool Palladio. Both tools are co-developed at KIT. We will investigate how this approach can be applied to security-critical software components of an energy system, such as an access control system or an attack mitigation mechanism. This approach can also be applied to the energy system as a whole.
Statements about the security of a system are always based on assumptions. These assumptions become clearer and more refined as the design of the system becomes more detailed. Research Group Secure Computation and Communication (Subtopic 1) develops an approach to propagate such assumptions through different levels of software development. Security-related assumptions are made explicit, refined, and annotated to the critical components of the system at every level. The applicability and use of this approach will be demonstrated in the Security Lab Energy.
While AI-driven cybersecurity is showing evolving capabilities, the role of Large Language Models in critical infrastructure cybersecurity remains largely unexplored. By quantifying the capabilities of these models to identify and exploit vulnerabilities in real-world energy systems, this research delivers insights into potential risks, limitations, and applicability.
Research Area 2 – Securing Network Protocols and Communication Structure
Involved PIs: Veit Hagenmeyer, Martina Zitterbart
Active Researchers: Felix Neumeister
Concepts to secure communication within energy systems are being explored, including security mechanisms for different protocols specific to energy systems. Investigating the extent to which security standards can be applied in the communication structure of energy systems is essential.
Furthermore, to facilitate reliable communication in future Smart Grids (SGs), this Research Area explores the applicability of emerging networking technologies such as Software-Defined Networking (SDN) to improve resilience and ensure the availability of energy communication systems. An SDN testbed is initially built in the Energy Lab. Additionally, energy system-specific requirements are analyzed and addressed to facilitate the integration of methods that enhance communication resilience in SG environments, such as redundant multi-path routing and packet duplication and deduplication.
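The packet duplication and deduplication mechanism mentioned above, as an added illustration (not the Lab's own code): a sender copies every sequence-numbered frame onto two paths and the receiver delivers each frame once, counts the discarded copies, and reports how many frames each path lost so a silently failing path becomes visible. Path latencies, the loss sets and the window size are constructed parameters, not values from the Lab's testbed.

```python
from collections import deque

WINDOW = 64  # constructed: how many recent sequence numbers the receiver remembers


def send_dual_path(payloads, loss_a=(), loss_b=(), latency_a=2, latency_b=5):
    """Sender side: tag each payload with a sequence number and copy it onto
    both paths. loss_a/loss_b are constructed sets of sequence numbers lost on
    that path (simulating a failed link or switch); the latencies (ms) are
    constructed and only determine the order in which copies arrive."""
    arrivals = []
    for seq, data in enumerate(payloads):
        if seq not in loss_a:
            arrivals.append((seq + latency_a, "A", seq, data))
        if seq not in loss_b:
            arrivals.append((seq + latency_b, "B", seq, data))
    # (arrival_time, path, seq, data) in the order the receiver sees them
    return sorted(arrivals)


def receive_dedup(arrivals):
    """Receiver side: deliver each sequence number once, drop the later copy,
    and count per-path losses relative to everything seen on either path."""
    seen, recent = set(), deque()          # bounded dedup state
    delivered, duplicates = [], 0
    per_path = {"A": set(), "B": set()}    # which seqs each path actually carried
    for _time, path, seq, data in arrivals:
        per_path[path].add(seq)
        if seq in seen:
            duplicates += 1                # second copy of an already delivered frame
            continue
        seen.add(seq)
        recent.append(seq)
        if len(recent) > WINDOW:           # forget the oldest seq to bound memory
            seen.discard(recent.popleft())
        delivered.append((seq, data))
    everything = per_path["A"] | per_path["B"]
    # A frame lost on both paths is never seen, so it is not counted here:
    # redundancy only masks single-path loss, which the caller should remember.
    losses = {p: len(everything - s) for p, s in per_path.items()}
    return {"delivered": delivered, "duplicates": duplicates, "losses": losses}


if __name__ == "__main__":
    frames = [f"measurement-{i}" for i in range(10)]   # constructed sample traffic
    result = receive_dedup(send_dual_path(frames, loss_a={3, 4}, loss_b={7}))
    print(result["duplicates"], "duplicate copies dropped, losses per path:", result["losses"])
```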
The Research Area also explores methods to mitigate DDoS attacks under energy system-related resource constraints. The focus is on combining SDN with machine learning techniques to achieve adaptive DDoS mitigation while maintaining low resource footprints. SDN-based concepts developed in this research area will be applied to and evaluated in the SDN testbed.
Research Area 3 – Intrusion Detection and Prevention Concepts
Involved PIs: Veit Hagenmeyer, Christian Wressnegger
Active Researchers: Nicolai Kellerer, Hemanth Kumar Mahdeva, Gustavo Sanchez
Smart substations are multidimensional, complex systems that integrate computational networks, control mechanisms, and physical environments to deliver advanced real-time functionalities, automation, and reliability. As critical components of smart grids, these substations face increased security risks due to extensive interconnections with corporate networks, integration of multiple communication protocols, and reliance on equipment from diverse vendors. Such complexity introduces numerous security vulnerabilities, threatening substation stability and operational effectiveness. Addressing these increased risks necessitates robust network monitoring and multi-layered defense solutions, including Intrusion Detection Systems (IDS).
This research aims to enhance electrical substation security by developing a hybrid IDS with improved robustness, high accuracy and low false alarm rates. By analyzing physical, electrical, and cyber activities at different substation levels, the research seeks to characterize normal operational behaviors distinctly from conditions indicative of an attack. To address limitations in current security solutions, the study proposes integrating multiple attack detection techniques.
To validate these approaches, practical case studies are implemented at the Security Lab Energy. This lab-scale setup integrates components from various manufacturers, enabling identification and exploitation of vulnerabilities in communication protocols and hardware components under both normal and attack scenarios. Additionally, adversarial attacks designed to evade machine learning (ML)-based IDS will be tested on a small-scale power generation setup.
Furthermore, the integration of rule-based detection methods alongside ML-based classifiers will be explored, aiming to reinforce defenses against sophisticated, evasive attackers and to support the overall hybrid IDS (HIDS) concept.
Beyond device log collection, the research will include comprehensive network traffic monitoring and stateful analysis of supported protocols. Evaluation will extend to transport layer packet content, including tracking active sessions and legitimate packets, and assessing state transitions in application layer communications. Ultimately, the research will classify system behaviors into normal operations, cyberattack incidents, or electrical faults and disturbances.
Research Area 4 – Risk Analysis and Quantification/Qualifications
Involved PIs: Veit Hagenmeyer, Jörn Müller-Quade
Active Researchers: Sine Canbolat, Clemens Fruböse, Eva Hetzel
Carrying out a comprehensive analysis of vulnerabilities, threats and risks is crucial for a secure decision-making process in energy systems. Within this Research Area, we aim to conduct a risk assessment to better understand the sources and nature of risk, enhance risk awareness, and support the decision-making process. Since the analysis of vulnerabilities for the whole energy grid is extensive, this Research Area starts by focusing on substations in the transmission and distribution domains. After evaluating the first outcomes of the Research Area, the scope can be extended in the future. In this context, we will conduct vulnerability analysis and risk assessment to quantify the impact of Time Synchronization Attacks (TSAs). To assess the risk of TSAs broadly, the advantages of a combined qualitative and quantitative approach, a so-called hybrid approach, will be explored. In addition to enhancing risk assessment features, developing an effective security event correlation method within a Security Information and Event Management (SIEM) system will improve risk awareness and enhance the understanding of risk sources. As a concrete starting project, a risk assessment process, including quantification/qualification techniques for attack scenarios related to the Precision Time Protocol (PTP), will be carried out in the heterogeneous subsystem in the Security Lab Energy.
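As an added example (not the Lab's own code) of what a quantification step for a PTP time synchronization scenario can look like: the standard PTP delay request-response computation is applied to constructed timestamps, a delay asymmetry between the two directions is shown to bias the computed offset while the computed mean path delay moves by the same amount, and that deviation from a learned baseline is used both as a detection signal and to grade the resulting time error into severity bands. The timestamps, tolerances and severity bands are constructed assumptions, not values from any standard or from the Lab.

```python
def ptp_exchange(true_offset_us, path_delay_us, extra_ms_us=0.0, extra_sm_us=0.0, t1=1000.0):
    """Constructed one-step PTP exchange, all values in microseconds.
    true_offset_us: slave clock minus master clock (what the slave must correct).
    path_delay_us:  symmetric one-way network delay.
    extra_ms_us / extra_sm_us: additional delay on the master->slave / slave->master
    direction, i.e. the asymmetry a TSA or a faulty path introduces.
    Returns the four timestamps (t1, t2, t3, t4) the slave works with."""
    t2 = t1 + path_delay_us + extra_ms_us + true_offset_us      # Sync received (slave time)
    t3 = t2 + 50.0                                              # Delay_Req sent (slave time)
    t4 = (t3 - true_offset_us) + path_delay_us + extra_sm_us    # Delay_Req received (master time)
    return t1, t2, t3, t4


def ptp_estimate(t1, t2, t3, t4):
    """Slave-side computation of the IEEE 1588 delay request-response mechanism."""
    offset = ((t2 - t1) - (t4 - t3)) / 2
    mean_path_delay = ((t2 - t1) + (t4 - t3)) / 2
    return offset, mean_path_delay


def assess(samples, baseline_delay_us, delay_tolerance_us, time_error_tolerance_us):
    """samples: list of (t1, t2, t3, t4). The slave cannot see the true offset, but
    a one-sided delay of d shifts both the computed offset and the mean path delay
    by d/2, so the deviation of the mean path delay from its baseline is observable
    and equals the time error the slave would silently absorb (assumes the
    asymmetry is one-sided). Severity bands are constructed, not from a standard."""
    findings = []
    for ts in samples:
        offset, mpd = ptp_estimate(*ts)
        deviation = mpd - baseline_delay_us
        time_error = abs(deviation)
        if time_error <= time_error_tolerance_us:
            severity = "low"
        elif time_error <= 10 * time_error_tolerance_us:
            severity = "medium"
        else:
            severity = "high"
        findings.append({"offset_us": offset, "mean_path_delay_us": mpd,
                         "suspicious": time_error > delay_tolerance_us,
                         "estimated_time_error_us": time_error, "severity": severity})
    return findings


if __name__ == "__main__":
    clean = ptp_exchange(true_offset_us=3.0, path_delay_us=20.0)
    skewed = ptp_exchange(true_offset_us=3.0, path_delay_us=20.0, extra_ms_us=40.0)
    for f in assess([clean, skewed], 20.0, delay_tolerance_us=5.0, time_error_tolerance_us=1.0):
        print(f)
```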
Name | Function
---|---
Ghada Elbez | Lab Leader
Martina Zitterbart | Co-Spokesperson
Veit Hagenmeyer | Spokesperson