Focus: Implementing security event correlation, conducting risk assessment, and amplifying risk awareness in modern energy systems.
The results of the risk assessment are crucial, since the process deepens the understanding of risk sources and their nature. In this context, the present research area covers the four steps of risk assessment: establishing the context, identifying risks, analyzing them, and evaluating them. SIEM (Security Information and Event Management) systems are widely used to detect, analyze, and respond to cybersecurity threats across IT and OT environments. The aim is to integrate the security event correlation method developed here into a SIEM system in order to strengthen its risk analysis capabilities.
Topic 4.1 – Hybrid Risk Assessment: Developing a hybrid risk assessment method to support the investigation of which parts of the grid are at risk and the associated risk levels.
Topic 4.2 – Event Correlation: In any control center, a major challenge is the overwhelming volume of alerts, which can obscure critical alarms. The aim is to develop a security event correlation method that maps observed adversary behaviors to frameworks such as MITRE ATT&CK, thereby enhancing risk awareness, improving understanding of risk sources, reducing alert volumes for engineers and operators, and supporting risk mitigation in later stages.
Topic 4.3 – Security Information and Event Management: Conducting security monitoring with a SIEM system in an IEC 61850 substation. Realistic scenarios covering both normal operation and feasible attacks are executed to generate representative system behavior. The resulting events from the various devices and levels are processed within the SIEM system, enabling comprehensive monitoring and analysis.
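The correlation idea in Topics 4.2 and 4.3 (collapse bursts of raw substation events into a few alarms, tag each alarm with the adversary behavior it indicates, and raise the risk level when several behaviors line up from one source) can be made concrete with a small Python correlator. The block below is an added illustration, not code from the research project or from any SIEM product. The event records are constructed sample data, the signature names (`auth_failure`, `mms_read_sweep`, `unauthorized_ctl`) are hypothetical detector names, the signature-to-ATT&CK table is an assumed mapping that a real deployment would derive from its own detectors, and the five-minute window and escalation thresholds are arbitrary tuning values.

```python
"""Toy security event correlator for substation SIEM events (added example).

Groups raw events per source host and signature inside a time window,
collapses repeats into one alarm, tags the alarm with an assumed MITRE
ATT&CK technique, and escalates risk when one host shows several techniques.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed mapping from detector signature -> (ATT&CK technique id, name, base risk).
# Illustrative only; each SIEM detector would be mapped by the analysts who own it.
SIGNATURE_TO_ATTACK = {
    "auth_failure":     ("T1110", "Brute Force", "medium"),
    "mms_read_sweep":   ("T0846", "Remote System Discovery", "medium"),
    "unauthorized_ctl": ("T0855", "Unauthorized Command Message", "high"),
}

RISK_ORDER = ["low", "medium", "high", "critical"]
WINDOW = timedelta(minutes=5)   # assumed correlation window
ESCALATE_AFTER = 5              # repeats within one window raise risk one level


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    signature: str


@dataclass
class Alarm:
    src: str
    technique: str
    name: str
    risk: str
    count: int
    first: datetime
    last: datetime
    targets: list


def escalate(risk):
    """Move a risk level one step up, saturating at 'critical'."""
    i = RISK_ORDER.index(risk)
    return RISK_ORDER[min(i + 1, len(RISK_ORDER) - 1)]


def correlate(events):
    """Collapse events into alarms keyed by (src, signature) within WINDOW."""
    alarms, open_alarms = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        tech, name, risk = SIGNATURE_TO_ATTACK.get(ev.signature, ("unknown", ev.signature, "low"))
        key = (ev.src, ev.signature)
        cur = open_alarms.get(key)
        if cur is None or ev.ts - cur.last > WINDOW:   # start a new alarm
            cur = Alarm(ev.src, tech, name, risk, 0, ev.ts, ev.ts, [])
            open_alarms[key] = cur
            alarms.append(cur)
        cur.count += 1
        cur.last = ev.ts
        if ev.dst not in cur.targets:
            cur.targets.append(ev.dst)
        if cur.count == ESCALATE_AFTER:               # sustained burst -> higher risk
            cur.risk = escalate(cur.risk)
    return alarms


def summarize_by_source(alarms):
    """Per-source view: distinct techniques, event total and overall risk.
    Two or more distinct techniques from one host suggest a multi-step
    intrusion, so the highest alarm risk is raised one more level."""
    summary = {}
    for a in alarms:
        s = summary.setdefault(a.src, {"techniques": [], "risk": "low", "events": 0})
        if a.technique not in s["techniques"]:
            s["techniques"].append(a.technique)
        s["events"] += a.count
        if RISK_ORDER.index(a.risk) > RISK_ORDER.index(s["risk"]):
            s["risk"] = a.risk
    for s in summary.values():
        if len(s["techniques"]) >= 2:
            s["risk"] = escalate(s["risk"])
    return summary


def build_sample_events():
    """Constructed sample of raw SIEM events from a substation LAN (not real data)."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    evs = [Event(t0 + timedelta(seconds=10 * i), "10.0.0.50", "IED-1", "auth_failure")
           for i in range(8)]                                  # login-failure burst
    for i, ied in enumerate(["IED-1", "IED-2", "IED-3"]):      # MMS read sweep
        evs.append(Event(t0 + timedelta(minutes=2, seconds=i), "10.0.0.50", ied, "mms_read_sweep"))
    evs.append(Event(t0 + timedelta(minutes=3), "10.0.0.50", "IED-2", "unauthorized_ctl"))
    evs.append(Event(t0 + timedelta(minutes=40), "10.0.0.7", "IED-1", "auth_failure"))  # isolated
    return evs


if __name__ == "__main__":
    events = build_sample_events()
    alarms = correlate(events)
    print(f"{len(events)} raw events -> {len(alarms)} alarms")
    for a in alarms:
        print(f"{a.src} {a.technique} {a.name}: {a.count} events, risk={a.risk}, targets={a.targets}")
    for src, s in summarize_by_source(alarms).items():
        print(f"{src}: techniques={s['techniques']} risk={s['risk']}")
```

On the constructed input, thirteen raw events become four alarms, and the host that shows login failures, a read sweep and an unmatched control command is the only one summarized as critical, which is the kind of prioritized view an operator needs instead of the raw event stream.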