Periodic Reporting for period 1 - COCOON (COoperative Cyber prOtectiON for modern power grids)
Reporting period: 2023-09-18 to 2025-03-17
COCOON is built around five key objectives. First, it seeks to increase trustworthy information exchange between TSOs, DSOs, aggregators, and DRES deployments. This includes the development of secure, reliable communication protocols that ensure the integrity and confidentiality of inter-domain data. Second, it aims to implement a practical Early Warning System (EWS) that provides real-time threat detection and operator training capabilities, allowing EPES stakeholders to act proactively in mitigating cyber risks. Third, the project focuses on enabling real-time cyber-physical protection and grid stability by integrating OT-specific control and monitoring features with known IT vulnerabilities, offering a unified, cyber-aware operational perspective. Fourth, COCOON targets data-driven detection of both known and unseen zero-day threats in converged IT/OT environments using advanced analytics, machine learning, and OSINT-based threat intelligence. Fifth, it aims to strengthen the resilience of grid stability processes by improving coordination among EPES entities involved in Ancillary Services (AS)-based grid balancing operations, ensuring seamless operations even under cyber or system stress.
A central achievement has also been the design and partial development of the EWS service, placed within the COCOON Cyber-security Services Layer (CSL) and offered as a web-based application to EPES operators through the COCOON Toolset Dashboard (CTD). The design and development of the EWS are aligned with the DevOps software development methodology, and the algorithmic functionalities embedded within the EWS enable real-time threat detection, risk profiling, and incident reporting for operator support. The EWS deployment is tailored to industrial-grade setups in line with the project’s demonstrators. COCOON has also advanced cyber-physical risk assessment and quantification by correlating IT/OT data to map vulnerabilities and detect zero-day exploits. Complementary to this, a novel False Data Injection Identification (FDII) framework has been developed and is validated in simulations and partial emulations of large-scale photovoltaic (PV) plants and installations serving energy communities. Furthermore, COCOON has developed real and practical EPES-oriented attack vectors (AVs) and Hardware-in-the-Loop (HiL) emulations to develop the envisaged demonstrators using industry practices. In parallel, Deep Learning (DL)-based anomaly detection has been developed and evaluated within simulations and pragmatic emulations of DSO substations. In addition, a novel cryptographic hash-based scheme for message authentication has been developed specifically for DSO substations operating under the IEC 61850 suite of protocols.
One key advancement is the FDII framework, designed to integrate physical properties of DRES-based AS provisioning to accurately distinguish between malicious data manipulation and benign faults in a cyber-physical fashion. It is embedded within COCOON’s EWS, which also provides dynamic risk profiling by correlating local IT/OT device and network scans with global cyber threat intelligence. This addresses a major industry gap where current risk assessment tools lack operational context and are focused primarily on IT.
In addition, a novel lightweight cryptographic hash mechanism for message authentication has been developed specifically for IEC 61850 substations, achieving the sub-3 ms latency strictly required by industry standards. Moreover, a high-fidelity training demonstrator employing blue/red team exercises with real operational scenarios is being designed with input from DSO partners to improve operator readiness.