Fortify Your Defenses: Strategic Budget Allocation to Enhance Power Grid Cybersecurity^††thanks: The research described in this paper is part of the Resilience Through Data Driven, Intelligently Designed Control (RD2C) Initiative at Pacific Northwest National Laboratory (PNNL). It was conducted under the Laboratory Directed Research and Development Program at PNNL, a multiprogram national laboratory operated by Battelle for the U.S. Department of Energy.

An increased reliance on Information Technology (IT) in various aspects of modern life has created a vast ecosystem of interconnected systems, networks and devices (Bansal and Kumar 2020). This provides a large attack surface for cyber adversaries to target, allowing them to gain unauthorized access, steal data, and disrupt operations. The availability of off-the-shelf hacking tools and malware in the underground market makes their task even easier to an extent, which allows them to initiate complex attacks without the requirement of sophisticated programming expertise (Liggett et al. 2019). Sophisticated malware, APTs and multi-stage cyber attacks involving multiple attack vectors are principal factors, which increase the complexity of these attacks and make them harder to detect and mitigate (Li and Liu 2021). This requires system owners and cybersecurity personnel to be well aware about the latest vulnerabilities and plan to mitigate them effectively.

The modern day energy infrastructure is equipped with smart devices, which aid in its monitoring and control. These devices are an integral part of the cyber-physical energy system (CPES). They form the link between the physical power grid and the communication network, allowing system operators to take online decisions and alter system conditions remotely. However, this comes at a cost of increased vulnerability to cyber attacks where adversaries can gain access to these devices and adversely impact the power grid infrastructure, leading to severe events such as widespread blackout. A typical CPES consists of multiple smart devices interlinked through a communication network. These smart devices (such as a smart inverter or a protective relay) can be accessed directly by a cyber adversary or via the communication network after a successful intrusion into a centrally situated device (such as a substation automation controller). Therefore, the goal of cybersecurity personnel is to protect these smart devices (or components) from adversarial cyber intrusions. From hereon, we use the terms ‘component’ and ‘smart device’ interchangeably. In this work, we aim to identify an optimal set of preventive cybersecurity measures for each component in the CPES in order to reduce the risk of adversarial cyber attacks.

A bottom-up approach involves evaluating the risk associated with the failure of a component by assessing the loss of power grid resilience or stability, and thereafter, allocating budget towards securing the ‘critical’ components (Zografopoulos et al. 2021). On the contrary, a top-down approach focuses on cyber vulnerabilities for a component, possible adversarial techniques used to exploit them, and preventive strategies to avoid them (Das et al. 2022; Dutta et al. 2022; Subasi et al. 2022). This involves develo** and implementing patches for individual vulnerabilities in a timely manner, which has been reported to be almost impossible (Culafi 2021). One of the major roadblocks responsible for this is the lack of resources required to cover the sheer surface area of diverse hardware and software vulnerabilities. To this end, an organizational effort is required which addresses the prioritizing the vulnerabilities and allocating available budget based on their priorities.

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) framework, developed by the MITRE Corporation, serves as a comprehensive and structured database to understand and organize information about cyber threats (MITRE Corporation 2023). The framework consists of tactics, or high-level objectives of an adversary during an attack, and techniques, or specific methods and procedures to accomplish their objectives within each tactic. It also provides detailed information about associated mitigation measures, which refer to strategies that organizations can employ to defend against or reduce the impact of specific techniques. However, information regarding both the cost of implementing the preventive mitigation measures and their efficacy against adversarial techniques are not included in the framework. This makes the task of evaluating the investment required to implement a proposed mitigation plan difficult to compute. At the same time, it is difficult to quantify how the presence or absence of mitigation measures affects the success rate of an adversarial technique.

In this paper, we approach the evaluation of optimal policies to improve a component’s cybersecurity in the CPES with an aim to alleviate its risk to adversarial threats. An important aspect of policy formulation is to prioritize the problems to address and partitioning available budget to implement appropriate solutions. We treat the cybersecurity budget to be representative of the labor/staff hours and associated resources required to implement the different mitigation measures. Hence, we identify multiple organizational sectors to segregate the mitigation measures based on the skill or number of staff hours required for implementation (Georgiadou, Mouzakitis, and Askounis 2021). Thereafter, our proposed approach evaluates the high priority mitigation measures required to be implemented and the optimal manner of partitioning the cybersecurity budget to achieve this task. The underlying assumption of our approach is that allocating budget in a particular sector implies prioritizing mitigation measures within that sector. This improves the overall efficacy of the mitigation against all adversarial techniques. The formal problem statement can be stated as follows: Given potential cyber-attack sequences for a cyber-physical component in the power grid, find the optimal manner to allocate an available labor budget to implement necessary preventive mitigation measures, which reduces the risk to adversary threats.

Risk assessment of CPES has been studied extensively using various methodologies, where the impact of cyber attacks on specific nodes in the power network is analyzed to identify the resulting damage. This has been done either through low fidelity simulation frameworks (Keliris et al. 2016; Chen et al. 2014; Georg et al. 2013; Dorsch et al. 2014; Queiroz, Mahmood, and Tari 2011) or through high fidelity real time simulation test beds (Vasisht et al. 2022; Sridhar et al. 2017; Haack et al. 2013; Stanovich et al. 2013). These frameworks are useful, since they provide means to identify critical components in terms of their impact on the power grid and enable system planners to focus their cybersecurity countermeasures. However, recent intrusion reports show complex cyber attack sequences, which utilize the interconnected nature of communication systems in order to gain system-wide access (MITRE Corporation 2023). This necessitates a top-down approach, which identifies possible cyber attack sequences and recommend countermeasures to prevent them.

Authors in (Nandi, Medal, and Vadlamani 2016) propose an interdiction plan by deploying countermeasures at optimal set of edges in an attack graph to minimize losses due to security breaches. However, this work assumes a deterministic graph, with a $100\%$ or $0\%$ breach success rate along the edges and also considers fixed budget for countermeasures along each edge in the graph The MITRE ATT&CK framework has been used in (Das et al. 2022; Dutta et al. 2022) to identify vulnerabilities in several CPES components and generate attack sequences. It provides list of mitigation measures to prevent adversarial techniques. However, a holistic framework to identify the optimal set of countermeasures to prevent a set of attack sequences is not available in the present literature.

The authors in (Li et al. 2019) have performed extensive survey to show how investing in various organizational sectors has affected the overall improvement of cybersecurity awareness in several organizations. The association of various mitigation measures specified in the MITRE ATT&CK framework to the cybersecurity culture of various organizations has been presented in (Georgiadou, Mouzakitis, and Askounis 2021). This allows a holistic approach to address cybersecurity gaps in infrastructure and policies for an organization. The allocation of resources to improve cybersecurity in an organization is a pertinent problem due to contrasting interest of different individuals (Srinidhi, Yan, and Tayi 2015). In this regard, the present literature lacks a framework capable of addressing the aspect of allocating budget to different organizational sectors serving a common goal of reducing vulnerability of adversarial cyber attacks. This paper aims to address this particular research gap.

MITRE ATT&CK framework. The MITRE ATT&CK framework (MITRE Corporation 2023) serves as a database of cyber attack scenarios and methods undertaken by adversaries for cyber intrusion. It contains an extensive list of tactics and techniques common to adversarial cyber attacks. The ‘tactics’ denote adversarial motivation and ‘techniques’ represent the instrumental means of achieving those tactical objectives. Moreover, each technique is associated with a list of mitigation measures such that a particular cyber defense system with a given set of mitigation measures will be able to prevent only their corresponding techniques. We denote sets of $N_{\mathscr{T}}$ techniques and $N_{\mathscr{M}}$ mitigation measures by $\mathscr{T}$ and $\mathscr{M}$ respectively and define a map** $g:\mathscr{T}\rightarrow\mathscr{M}$ to identify the set of mitigation measures $g\left(t\right)\subseteq\mathscr{M}$, which can prevent an adversary from performing technique $t$. The pre-image of a mitigation measure $m$ under $g$ provides the induced map** $g^{-1}:\mathscr{M}\rightarrow\mathscr{T}$ as the set of techniques $g^{-1}\left(m\right)$ which can be prevented when $m$ is available in the cyber defense system.

However, cybersecurity risk assessment also requires us to identify the sequence of techniques which can be performed on the component. A HAG serves as an excellent tool for this purpose. These are synthetically generated graphs which are created based on past instances of cyber attacks reported in openly available cyber intrusion reports (Donald, Meyur, and Purohit 2023). An attack graph describes attack sequences through a set of possible techniques from the MITRE ATT&CK framework. The nodes in the graph represent adversarial techniques and the edges depict consecutive techniques used in an attack sequence.

A single attack sequence is represented as a path in the HAG, describing the progression of techniques. We denote an attack sequence of length $n$ as $\mathscr{A}:=\left\{t_{1},t_{2},\cdots,t_{n}\right\}$. The adversarial techniques $t_{1},t_{2},\cdots,t_{n}$ which comprise the sequence are nodes in the HAG. It is important to mention that we assume the following while creating a HAG: (i) the transition of techniques follow a predefined order of the associated tactics, and (ii) techniques are not repeated. An example HAG is shown in Fig. 2.

The goal of cybersecurity planning is to identify which mitigation measures to implement to reduce the vulnerability of the cyber-physical component under consideration. We define the optimal defender problem as follows.

The main challenge arises when evaluating the cost of implementing each mitigation measure—either in terms of monetary investment or required time commitment. Furthermore, the efficacy of each mitigation measure against the adversarial techniques is usually unknown. However, we note that allocating additional budget generally improves the efficacy of mitigation measures. Therefore, we formulate the problem in a way to to address how to allocate a limited cybersecurity budget to reduce component vulnerability. We state the strategic cybersecurity budget allocation problem as follows:

The underlying assumption is that allocating budget improves mitigation measure efficacy, i.e., the probability that a mitigation measure successfully prevents a technique. In our case, we also assume that for a given mitigation, this probability is uniform for all associated techniques. A mitigation measure $m_{i}\in\mathscr{M}$ belongs to one or more of the $N_{\mathscr{C}}$ sectors. We assume that in order to improve the efficacy of a mitigation, the budget must be allocated to all of the associated sectors to which it belongs. Therefore, we compute the fractional budget $f_{i}$ allocated for improving efficacy of mitigation measure $m_{i}$ as the weighted sum of the category budgets,

$$f_{i}=\frac{\sum_{j=1}^{N_{\mathscr{C}}}C_{ij}b_{j}}{\sum_{j=1}^{N_{\mathscr{C}}}C_{ij}}$$

(3)

Let ${\boldsymbol{f}}$ be the $N_{\mathscr{M}}$-length vector obtained by stacking the $f_{i}$ entries for all mitigation measures. The matrix version of (3) is written as ${\boldsymbol{f}}=\operatorname{diag}\left(\boldsymbol{C}\boldsymbol{1}\right)^{-1}\boldsymbol{C}{\boldsymbol{b}}$, where $\boldsymbol{1}$ is a vector of $1$s.

Let $\eta_{i,0}\in\left[0,1\right)$ denote the initial efficacy of the $i^{th}$ mitigation. This depends on the efficacy of the mitigation measures already in place – for example, the strength of firewall. We define an exponential improvement in the efficacy with increase in the cybersecurity labor budget, such that it is asymptotic to value of $1.0$ based on the following expression:

$$\eta_{i}=1-\left(1-\eta_{i,0}\right)e^{-\lambda f_{i}}$$

(4)

where $\eta_{i}$ is the improved efficacy and $\lambda$ is a suitable scaling factor to relate the improvement in efficacy to the overall budget allocation. Fig. 3 shows the exponential improvement in mitigation efficacy for $\lambda=0.1$. An exponential relation mimics the most natural behavior of diminishing returns on investments and has been used in similar models (Kubanek 2017).

In practice, the parameter $\lambda$ denotes the organization’s efficiency in utilizing the allocated budget to improve the overall cybersecurity. A high $\lambda$ means a higher rate of improvement in efficacy for a given increase in budget allocation factor. Further, note that for a given $\lambda$, the maximum improvement in efficacy of mitigation $i$ occurs when budget is allocated to all the associated sectors.

Let $\boldsymbol{M}\in\left\{0,1\right\}^{N_{\mathscr{M}}\times N_{\mathscr{T}}}$ denote the mitigation-technique relation matrix. The entry $M_{ik}$ along the $i^{th}$ row and $k^{th}$ column of $\boldsymbol{M}$ is $1$ if the technique $t_{k}\in\mathscr{T}$ is mitigated by mitigation measure $m_{i}\in\mathscr{M}$; otherwise the entry is $0$. This is constructed from the MITRE ATT&CK framework. Fig. 4 shows the matrix through a heat-map where the rows denote the mitigation measures and columns represent techniques. The techniques for each tactic are grouped together. The opacity of every element in the matrix shows the efficacy of the mitigation measure against the adversarial technique. We call this matrix as the mitigation profile.

We want to identify the set of mitigation measures $\mathscr{M}_{\operatorname{S}}\subseteq\mathscr{M}$ which would reduce the vulnerability of the component ${\mathrm{D}}$ with possible attack sequences listed in $\mathscr{S}_{{\mathrm{D}}}$. Let $x_{i}\in\left\{0,1\right\}$ denote the absence/presence of mitigation measure $m_{i}$ in the set $\mathscr{M}_{\operatorname{S}}$. Note that the mitigation measures which are not present in the cyber system cannot affect the success rate of an adversarial technique. Using (5) we can write

$$p_{ik}=\eta_{i}x_{i}M_{ik}$$

(6)

Observe that $1-p_{ik}$ indicates the probability that technique $t_{k}$ is not avoided by mitigation measure $m_{i}$. We consider each event of technique $t_{k}$ being avoided by mitigation $m_{i},~{}\forall m_{i}\in\mathscr{M}$ to be independent. Therefore, the success rate of a technique $t_{k}$ in the cyber system with a set of mitigation measures $\mathscr{M}_{\operatorname{S}}$ is computed as

$$r_{k}=\prod_{i,m_{i}\in\mathscr{M}_{\operatorname{S}}}{\left(1-p_{ik}\right)}=\prod_{i=1}^{N_{\mathscr{M}}}{\left(1-x_{i}M_{ik}\eta_{i}\right)}$$

(7)

The logarithm of (7) is computed as

$$L_{k}=\log\left(r_{k}\right)=\sum_{i=1}^{N_{\mathscr{M}}}\log\left(1-x_{i}M_{ik}\eta_{i}\right)$$

(8)

It is interesting to note that

$$\log\left(1-x_{i}M_{ik}\eta_{i}\right)=\begin{cases}\log\left(1-\eta_{i}\right)\quad~{}~{}\textrm{if}~{}x_{i}=1,M_{ik}=1\\ 0\quad\quad\quad\quad\quad\quad~{}\textrm{otherwise}\end{cases}$$

(9)

which helps us simplify the log success rate of a technique $t_{k}$ as

$$L_{k}=\log\left(r_{k}\right)=\sum_{i=1}^{N_{\mathscr{M}}}x_{i}M_{ik}\log\left(1-\eta_{i}\right)$$

(10)

Using (4) and (10) we have

$$\log\left(r_{k}\right)=\sum_{i=1}^{N_{\mathscr{M}}}x_{i}M_{ik}\left[\log{\left(1-\eta_{i,0}\right)}-\lambda f_{i}\right]$$

(11)

Let ${\boldsymbol{x}}$ be the $N_{\mathscr{M}}$-length vector constructed by stacking the $x_{i}$ for all mitigation measures. We define matrix $\boldsymbol{P}\in\mathbb{R}^{N_{\mathscr{M}}\times N_{\mathscr{T}}}$ with element $P_{ik}=M_{ik}\log\left(1-\eta_{i,0}\right)$ along the $i^{th}$ row and $k^{th}$ column. Note that $P_{ik}\leq 0$ for all $i,k$ since it is the logarithm of fractional values. The logarithm of the success rate of technique $t_{k}$ can therefore be computed as

$$\log\left(r_{k}\right)=\left[\boldsymbol{P}^{T}{\boldsymbol{x}}\right]_{k}-\lambda\left[\boldsymbol{M}^{T}\operatorname{diag}({\boldsymbol{f}}){\boldsymbol{x}}\right]_{k}$$

(12)

where $\left[{\boldsymbol{z}}\right]_{k}$ denotes the $k^{th}$ element of vector ${\boldsymbol{z}}$.

Next, we evaluate the success rate of an attack sequence. Recall that an attack sequence is a list of techniques. We define the attack sequence and technique relation matrix $\boldsymbol{S}\in\left\{0,1\right\}^{N_{{\mathrm{D}}}\times N_{\mathscr{T}}}$ where the entry $S_{lk}$ along the $l^{th}$ row and $k^{th}$ column is $1$ if the technique $t_{k}$ is present in the attack sequence $\mathscr{A}_{l}\in\mathscr{S}_{{\mathrm{D}}}$ and $0$ otherwise. The logarithm of success rate of an attack sequence can be computed as

$$\log\left(v_{l}\right)=\sum_{t_{k}\in\mathscr{A}_{l}}{\log{r_{k}}}=\sum_{k=1}^{N_{\mathscr{T}}}{S_{lk}\log{r_{k}}}$$

(13)

We can stack $\log\left(v_{l}\right)$ for all the attack sequences to an $N_{{\mathrm{D}}}$-length vector ${\boldsymbol{l}}$, which can be expressed as

$${\boldsymbol{l}}=\boldsymbol{S}\boldsymbol{P}^{T}{\boldsymbol{x}}-\lambda\boldsymbol{S}\boldsymbol{M}^{T}\operatorname{diag}({\boldsymbol{f}}){\boldsymbol{x}}$$

(14)

We can formulate Problem 2 as follows

	$\displaystyle\min_{{\boldsymbol{b}},{\boldsymbol{x}}}\quad$	$\displaystyle\operatorname{Vul}\left({\mathrm{D}},\mathscr{M}_{\operatorname{S}}\right)$		(15a)
	s.to	$\displaystyle{\boldsymbol{l}}=\boldsymbol{S}\boldsymbol{P}^{T}{\boldsymbol{x}}-\lambda\boldsymbol{S}\boldsymbol{M}^{T}\operatorname{diag}({\boldsymbol{f}}){\boldsymbol{x}}$		(15b)
		$\displaystyle{\boldsymbol{f}}=\operatorname{diag}\left(\boldsymbol{C}\boldsymbol{1}\right)^{-1}\boldsymbol{C}{\boldsymbol{b}}$		(15c)
		$\displaystyle\mathbf{1}^{T}{\boldsymbol{b}}=1,~{}~{}{\boldsymbol{b}}\geq 0$		(15d)

We use the database map** and the HAG generation frameworks (discussed in Section Preliminaries) to obtain the attack sequences for a component used in the CPES. In this section, we discuss the results obtained for the components - (i) substation automation controller, and (ii) smart inverter. For each component, we identify the set of MITRE ATT&CK adversary techniques which can be executed on it. Thereafter, we use the HAG generation framework to generate $100$ sample HAG s. These steps are accomplished using the frameworks described in Section Preliminaries. From these HAG s, we identify possible attack sequences which can be executed on the components. In our case, we identify $397$ sequences for substation automation controller and $364$ sequences for smart inverter. We select only those attack sequences which contains adversarial techniques included under the “Impact” tactic of the MITRE ATT&CK framework. Therefore, we shortlist the attack sequences which are meaningful in the context of creating an impact in the CPES.

We assume a base case with the HAG presented in Fig. 2, where no mitigation measures are implemented. Therefore, all adversary techniques in the HAG have a success rate of $100\%$. Fig. 5 shows the optimal mitigation profile (top plot) and success rates of the techniques after implementing the optimal mitigation measures through a heat map on the HAG (bottom plot). It is evident from the mitigation profile that only particular set of mitigation measures are selected. The heat map shows impact of implementing the optimal mitigation strategy in reducing the success rate of adversary techniques in the HAG. We note that the optimal strategy identifies the mitigation measures which reduces the success rate of techniques such that maximum number of attack sequences are affected. This observation can be validated from the fact that the techniques with the highest out-degree are the most influential nodes in the HAG. These are the techniques with the lowest success rates after the mitigation measures are implemented.

Next, we use the proposed optimization framework to partition allocated budget into various organizational sectors. We choose $7$ sectors and identify set of mitigation measures in each of the sectors as described in (Georgiadou, Mouzakitis, and Askounis 2021) – (i) assets includes hardware and software asset management, network infrastructure management, improving data security and privacy, (ii) continuity sector consists of preventive strategies to continue business operations in the event of a data breach, (iii) access & trust deals with policies and practices for account and access management, (iv) operations sector involves performing system risk assessment through Threat Intelligence programs, (v) defense sector includes mitigation measures associated with firewall implementation, (vi) governance sector covers tasks related to audit log management and (vii) individual category involves practices making employees aware about cybersecurity risks through training programs and performing frequent security skill evaluation.

Fig. 6 shows the results of optimal budget allocation for two components - (i) substation automation controller and (ii) smart inverter. We perform multiple experiments for different skill level of the defender - thereby solving an optimization problem for each skill level. Recall that parameter $\lambda$ denotes the skill level. Each bar shows the partitions of the budget for a particular defender skill level. Note that the partitions sum up to $100\%$. Further, we denote the vulnerability of the component to the HAG sequences under the optimal mitigation policy with the red dot on each bar. This is computed using (2) after computing the optimal value of the objective function as follows.

$$\operatorname{Vul}\left({\mathrm{D}},\mathscr{M}_{\operatorname{S}},\delta\right)=\frac{N_{{\mathrm{D}}}\left(\mathscr{M}_{\operatorname{S}},\delta\right)}{N_{{\mathrm{D}}}}=\frac{\mathbf{1}^{T}{\boldsymbol{y}}^{\star}}{N_{D}}$$

(20)

where ${\boldsymbol{y}}^{\star}$ denotes the optimal value of ${\boldsymbol{y}}$ in (Proposed Optimization Framework).

We note that with increases in defender skill level, the vulnerability of the component to HAG sequences reduces. However, we notice that the budget allocation for each sector do not follow any particular trend. This is because sectors overlap in their coverage of mitigation measures. In the case of “substation automation controller”, we observe that for an unskilled defender, the proposed optimization framework recommends the budget be allocated mostly towards the “access” sector which comprises of mitigation measures related to access management, account management and password robustness. With a skilled defender, we observe that budget allocation gets divided to other sectors such as “assets” and “defense”. We note similar observation for “smart inverter”—however, the budget gets divided to the “assets” and “access” sectors for more skilled defenders.

We propose a generalized framework which performs an optimal partitioning of a limited cybersecurity budget into various organizational sectors in order to improve the cybersecurity of a smart device or component in the CPES. The framework identifies the adversarial threats and possible attack sequences which can be performed to exploit cyber vulnerabilities of the component. Thereafter, we formulate an MILP optimization problem which aims to evaluate the optimal budget partitions in order to minimize the number of highly likely attack sequences. Though we provide results for using the framework in CPES, the proposed methodology can be extended for any cyber-physical system. Such a framework equips managers in an organization to formulate cybersecurity policies, allocate staff budgets in order to improve the overall security and reduce risk of APTs.

In practice, a significant portion of cybersecurity budget allocation is aimed at improving software and hardware tools to prevent APTs along with hiring skilled cybersecurity personnel. In our paper, we combine aspects of cybersecurity tools and personnel skill through the parameters of efficacy and defender skill in our simplified analytic expressions. We plan to identify dedicated parameters which quantify these aspects in order to infuse realism in our model as part of our future work.