CORDIS - EU research results

Electrical Power System’s Shield against complex incidents and extensive cyber and privacy attacks

Periodic Reporting for period 2 - PHOENIX (Electrical Power System’s Shield against complex incidents and extensive cyber and privacy attacks)

Reporting period: 2021-05-01 to 2022-09-30

The strong interconnection of utilities’ IT and OT networks, the high complexity of Electrical Power and Energy Systems (EPES), which are widely dispersed and diverse, and the increased penetration of digital services have extended the attack surface of EPES, rendering them vulnerable. Moreover, consumers’ and prosumers’ ability to gain direct access to the EPES not only increases the risk of cyberattacks but may also incur potential privacy infringements. PHOENIX aims to cyber-secure the European EPES infrastructure by enabling cooperative detection of large-scale attacks, guaranteeing the continuity of operations and minimizing cascading effects on the infrastructure itself, the environment and the end-users, at reasonable cost.

PHOENIX will realise 3 strategic goals:

(1) Strengthen EPES cybersecurity preparedness by employing security a) “by design” via novel protective concepts for resilience, survivability, self-healing and accountability, and b) “by innovation” via adapting, upgrading and integrating a number of tools and validating them in real-life large-scale pilots (LSPs);
(2) Coordinate European EPES cyber incident discovery, response and recovery, contributing to the implementation of the NIS Directive by developing and validating, at national (Member State) and pan-European level, a fully decentralized inter-DLT-based (Distributed Ledger Technologies), near real-time synchronized cybersecurity information awareness platform among authorized EPES stakeholders, utilities, CSIRTs, ISACs, CERTs, NRAs and the strategic NIS cooperation group;
(3) Accelerate research and innovation in EPES cybersecurity by offering relevant tools and services including a secure gateway, privacy preserving federated Machine Learning algorithms and establishment of certification methodologies and procedures through a Cybersecurity Certification Centre.

PHOENIX performed identification, analysis and modelling of EPES’ cyber threats, deriving threat scenarios and attack trees related to PHOENIX LSPs. Categorization of assets and systems into secure tiers has been assisted by a risk assessment methodology and an automation tool for calculating the combined Risk Rate per LSP.

The Secure and Persistent Communications (SPC) Layer supports secure communication and persistence of CTI data based on STIX and TAXII, offering security over legacy protocols as well as data persistence and non-repudiation through the inter-Ledger component. PHOENIX has delivered two variants (TRL7) of the Universal Secure Gateway (USG), as a secure network edge device, directly connected with existing/legacy EPES assets.

Active cybersecurity in PHOENIX relies on AI-based Situation Awareness, Perception and Comprehension (SAPC) and Incidents Mitigation and Enforcement Countermeasures (IMEC). These include privacy-preserving federated learning for uncovering anomalies in time series and a multi-step threat detection co-simulator to detect threats and incidents, as well as their integration with TRT’s Myriad-based Decision Support System and the assessment of mitigations by LSPs. Demonstrations have been conducted in the context of LSPs, calibrating impact assessment of attacks and mitigations.

The Pan-European EPES Incidents’ Information Sharing Platform (I2SP) targets coordinated/cascading attack detection at pan-European level. CTI sharing policies have been implemented, supporting pan-European collaboration and communication between CERTs and Utilities, in line with the NIS Directive.

The privacy requirements of PHOENIX are covered by PRIMULA, which enables consent-driven management of personal and confidential data, together with auditing functionalities and reputation mechanisms that assess a party’s reputation based on behavior perception, leveraging smart contracts and advanced consent information among parties.

At the level of integration, the PHOENIX DevSecOps lifecycle includes automated static and dynamic application security testing in the Continuous Integration and Continuous Delivery processes. The final PHOENIX framework has been released, based on standardized communication protocols and patterns. PHOENIX adopts a cloud-native approach, following the service mesh networking paradigm, and automates deployment to the extent possible through a simple and fast configuration and installation script.

The PHOENIX framework has been piloted in the 5 LSPs against a wide and representative set of attack scenarios. For all LSPs, PHOENIX has conducted detailed Risk impact assessment and certified penetration testing. The PHOENIX framework capability in managing attack scenarios, as well as the attack detection potential by means of ML techniques and CMS operation, have been exhaustively validated. PHOENIX replication guidelines have been released on how to install the platform in different pilot environments.

The project has been active in impact creation activities, publishing 11 scientific papers and co-organizing or participating in reputable events, such as ENLIT Europe, Cyber4Energy, etc., and has organized a highly attended final PHOENIX workshop. PHOENIX has co-organized two “Standardisation and Dissemination” events and has been presented to stakeholder associations such as CIPRE and ESMIG. PHOENIX is part of BRIDGE and has led the establishment of the Cybersecurity Innovation Cluster for EPES, among four H2020 projects.
PHOENIX also has a notable online presence via its website and social media accounts. Furthermore, the project exploitation strategy has been defined, referring to both joint and individual exploitation of the identified Key Exploitable Assets (KEA) by the PHOENIX Consortium through well-defined business models.

PHOENIX is expected to deliver a framework to ensure the security of EPES, achieving secure integration of OT and IT processes. PHOENIX will add resilience-, survivability-, self-healing- and privacy-by-design features to EPES infrastructures, while delivering tools that will cater for EPES network and data security, AI-based cooperative attack detection and mitigation, as well as preservation of end-users' data privacy. At pan-European level, PHOENIX is expected to fill the communication and cooperation gaps among EPES stakeholders, utilities, CSIRTs, ISACs, CERTs, NRAs and the strategic NIS cooperation group by enabling controlled CTI sharing, as well as coordinated/cascading threat/attack detection and mitigation.
European society will benefit from more secure EPES operation, in turn increasing grid stability and security of supply and ensuring the desired availability not only of energy but also of other critical infrastructures.
PHOENIX enables a significant reduction in cybersecurity-related expenses for EPES operators and is expected to nurture new business models related to AI-driven solutions in EPES cybersecurity.
PHOENIX can accelerate the adoption of the EU Cybersecurity strategy and the NIS Directive, while it aligns with the European goals for the Digital Decade, especially towards secure and sustainable digital infrastructures and digitalization.
European citizens will enjoy smooth interaction with demand side management applications and the smart grid in general, which will be less prone to cyberattacks and more privacy-preserving.