Menu Close


Towards Enabling Secure and Real-time Exchange of CTI data for EPES Infrastructures

Pablo de Juan Fidalgo Atos Research and Innovation, Spain

Hristo Koshutanski Atos Research and Innovation, Spain

According to the European Commission, critical infrastructures (CI) are all those physical or digital systems that provide essential functions and services to support the most basic social, economic, environmental, and political systems. Sectors such as health, transport or energy are examples of CI.

Regarding the energy sector, an attack can have a great impact in the society due to the dependency that we have in this sector. Some decades ago, the energy sector was characterized by its isolation from the rest of the economic components. With digitalization and the inclusion of Information and Communication Technology (ICT) in the different processes of Electrical Power and Energy Systems (EPES), together with the development of smart-cities and Industry 4.0, a new era has begun. We all agree that technology is designed to facilitate all aspects of our lives but sometimes it brings some problems with it.

Over the years we have observed that this modernization of EPES has increased the attack surface and malicious actors are continuously developing new threats against systems’ vulnerabilities[1],[2],[3].

As we have mentioned before, the energy sector is key in our society and an attack can trigger devastating consequences. Unfortunately, we have already experienced the negative impact of this kind of attacks. A great example is BlackEnergy, which targeted Ukrainian power plants in 2015 causing the disruption of electricity in half of the homes in the Ivano-Frankivsk region [4]. This kind of attacks are performed by a selected group of attackers that are enrolled in nation-sponsored groups called Advanced Persistent Threats (APT) [5]. They stand out for being stealthy and for targeting critical infrastructures that can cause high damage in their victims.

In a circular economy, everything that affects another entity will, sooner or later, affect you. That’s why it is critical to share cyber threat intelligence (CTI) information among different partners. Some of the benefits that can be listed are the obtention of refined intelligence on security incidents like feedback from other organizations, the evaluation of security measures and its effectiveness, and the mapping of threats through statistical analysis with telemetry. Refer for instance to the EU Cyber Information and Intelligence Sharing Initiative (CIISI-EU) [6] for collaborative information sharing of TI across CI sectors.

However, one of the barriers nowadays is that organizations are still reluctant to share data among other entities due to its sensitiveness, especially operators of highly sensitive infrastructures, such as EPES. They still face limitations or unwillingness to share CTI data either due to the price to use CTI platforms or due to security and privacy concerns in the open-source solutions [7], or due to the limited fine-grained control offered on what is shared and with whom.

It is important to note that any information leakage would be very risky, that’s why a carefully management of the data is unnegotiable, always in compliance with the data protection regulations, particularly the General Data Protection Regulation (GDPR) [8]. To overcome that, ELECTRON has designed a SharePoint platform (E-SP) that will be described in the following section.

The ELECTRON SharePoint Approach

The ELECTRON SharePoint (E-SP) is based on Malware Information Sharing Platform (MISP) [9] technology, offering additional features such as CTI data enrichment, finer-grained encryption and anonymization of the information published. It allows EPES end-users to communicate in a decentralized and anonymous manner. Figure 1 shows a view of the E-SP communications between different ELECTRON framework instances (per EPES operator). It allows stakeholders to share sensitive data with trusted entities by configuring privacy policies.

Figure 1: The ELECTRON SharePoint Communications View
This platform is designed to improve the security of its participants by providing them with real-time information on threats to their industry. The information comes from the ELECTRON Threat Explorer (E-TE) which filters threats relevant to the domain of ELECTRON. Apart from that, each entity is able to share CTI information with other partners in a secure and decentralised way through the E-SP. When dealing with sensitive information, privacy is a must. ELECTRON SharePoint takes that into account and offers the possibility to design privacy policies with high granularity. EPES entities can decide with whom they share the information (users, partners, circles of trust, roles within the platform) and for how long, making the information expire after a period, through a sharing agreement. Only authenticated and authorised members are able to consume that information. We want to highlight that this platform is aligned with the Network Code for Cybersecurity aspects of Cross-border Electricity Flows (NCCS) [10], which sets common cybersecurity rules in the energy sector domain, like establishing flows for the collection and sharing of essential information in relation to cross-border electricity flows or the creation of effective processes to identify, classify and respond to cross-border cybersecurity incidents
Figure 2: The ELECTRON SharePoint Architecture High-level View

Figure 2 shows a high-level architecture view of the E-SP including the main functional components. The central component is the Orchestrator that governs the communication flow between each unit in the architecture. It works in both directions, publishing new events with protected data after calling the encryption and anonymisation modules, and receiving events from the MISP instance to perform CTI-enrichment and publishing them back. The Orchestrator has several endpoints that are accessible either via an API or through a Web GUI. The Web GUI offers a friendly interface to EPES operators to configure required CTI security and privacy settings of the E-SP, as well as interchange CTI data with other EPES stakeholders. The Orchestrator has an internal database to store any configuration and policies for its operation.

There are three main functional blocks:

  • Encryption and key-management in charge of offering encryption and key management functionalities (through dedicated API) used to achieve confidential sharing of CTI between EPES stakeholders, with the possibility of fine-grained attribute-level encryption.
  • Anonymisation in charge of offering data anonymisation functionality (through API) according to different privacy models of preference to an EPES operator (k-anonymity, generalisation, suppression, etc.). Anonymisation can be applied on selected attributes of CTI objects through a flexible and scalable privacy policy configuration.
  • A Threat Intelligence Engine (TIE) in charge of producing a score for every event that is published in the MISP instance. This score is individual to each EPES entity as it uses the EPES operator’s infrastructure assets to calculate the risk and how relevant the event is to the assets depending on different heuristics. This process is done by ingesting indicators of compromise (IoCs), and it produces enriched CTI information.

The E-SP is part of the CYPER framework of the ELECTRON architecture. It integrates with the ELECTRON collaborative risk assessment providing information of relevant threats and vulnerabilities as shown in Figure 2. The E-SP will be evaluated under several ELECTRON use case scenarios. Some relevant KPIs for the E-SP are: i) Availability as a percentage of uptime (>= 95%), and ii) Improved automation of vulnerability and threat assessment (>=60%).


[1] Z. Mrabet, et al. »Cyber-security in smart grid: Survey and challenges« Computers & Electrical Engineering vol.67, 2018. DOI



[4] “BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry” – 2016, available at ESET

[5] Ivo Friedberg, Florian Skopik, Giuseppe Settanni, and Roman Fiedler. Combating advanced persistent threats: From network event correlation to incident detection. Computers & Security 48 (2015), 35–57.


[7] T. Wagner, K. Mahbub, E. Palomar and A. Abdallah, “Cyber threat intelligence sharing: Survey and research directions,” Computers & Security, vol. 87, p. 101589, 2019.

[8] Vladimirova-Kryukova, A.; “The Impact of GDPR on Cybersecurity Managers,” ISACA Now, 16 November 2018, 2018/the-impact-of-gdpr-on-cybersecurity-managers


[10] Network Code for Cybersecurity aspects of cross-border electricity flows, 14 January 2022 [Online]. Available at: