Abstract

The Operation and Information Technology support personnel at utility command and control centers constantly detect suspicious events and/or extreme conditions across the smart grid. Already overwhelmed by routine mandatory tasks like guidelines compliance and patching that if ignored could incur penalties, they have little time to understand the large volumes of event logs generated by intrusion detection systems, firewalls, and other security tools. The cognitive gap between these powerful automated tools and the human mind reduces the situation awareness, thereby increasing the likelihood of sub-optimal decisions that could be advantageous to well-evolved attackers. This paper proposes a tri-modular framework which shifts low-performance processing speed and data contextualization to intelligent learning algorithms that provide humans only with actionable information, thereby bridging the cognitive gap. The framework has three modules including Data Module (DM): Kafka, Spark, and R to ingest streams of heterogeneous data; Classification Module (CM): a Long Short-Term Memory (LSTM) model to classify processed data; and Action Module (AM): naturalistic and rational models for time-critical and non-time-critical decision-making, respectively. This paper focuses on the design and development of the modules, and demonstrates proof-of-concept of DM using partially synthesized streams of real smart grid network security data.