ABSTRACT
In the current generation of SCADA (Supervisory Control And Data Acquisition) systems used in power grids, a sophisticated attacker can exploit system vulnerabilities and use a legitimate but maliciously crafted command to cause a wide range of system changes that traditional contingency analysis does not consider and that remedial action schemes cannot handle. To detect such malicious commands, we propose a semantic analysis framework based on a distributed network of intrusion detection systems (IDSes). The framework combines system knowledge of both the cyber and the physical infrastructure of the power grid to help the IDSes estimate the execution consequences of control commands and thus reveal the attacker's malicious intentions. We evaluated the approach on the IEEE 30-bus system. Our experiments demonstrate that (i) by opening 3 transmission lines, an attacker can avoid detection by traditional contingency analysis and instantly put the tested 30-bus system into an insecure state, and (ii) the semantic analysis provides reliable detection of malicious commands with a small amount of analysis time.
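As an added illustration (not the paper's code and not the IEEE 30-bus case), the following toy DC power-flow consequence estimator contrasts the two checks the abstract compares: N-1 contingency analysis of the base case, which passes, versus a semantic check that applies each "open line" command to the tracked topology and flags the cumulative effect. The 3-bus network, line names, reactances, limits and load are constructed for the example.

```python
# Added example (not the paper's code): toy DC power-flow consequence estimator on a constructed 3-bus network.
LINES = {   # name -> (from_bus, to_bus, reactance, flow limit) in p.u.; bus 0 is the slack bus
    "L1": (0, 1, 1.0, 0.5), "L2": (0, 1, 1.0, 0.5),   # four parallel lines 0-1
    "L3": (0, 1, 1.0, 0.5), "L4": (0, 1, 1.0, 0.5),
    "L5": (0, 2, 1.0, 0.7), "L6": (2, 1, 1.0, 0.7),   # alternate path 0-2-1
}
INJECTION = {1: -1.2, 2: 0.0}   # net injection at non-slack buses (bus 1 is a 1.2 p.u. load)
BASE = list(LINES)              # all lines in service

def solve(a, b):
    """Gauss-Jordan elimination (B' is diagonally dominant, so no pivoting); None if singular."""
    n, m = len(b), [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        if abs(m[c][c]) < 1e-12:            # zero pivot: a bus is cut off from the slack bus
            return None
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def max_loading(in_service):
    """DC power flow over the in-service lines: max |flow|/limit, inf if a bus is islanded."""
    buses = sorted(INJECTION)                        # non-slack buses
    idx = {bus: k for k, bus in enumerate(buses)}
    bmat = [[0.0] * len(buses) for _ in buses]       # B' matrix, slack row/column removed
    for i, j, x, _ in (LINES[n] for n in in_service):
        for u, v in ((i, j), (j, i)):
            if u in idx:
                bmat[idx[u]][idx[u]] += 1.0 / x
                if v in idx:
                    bmat[idx[u]][idx[v]] -= 1.0 / x
    theta = solve(bmat, [INJECTION[b] for b in buses])
    if theta is None:
        return float("inf")
    ang = {0: 0.0, **{b: theta[idx[b]] for b in buses}}
    return max(abs(ang[i] - ang[j]) / x / lim for i, j, x, lim in (LINES[n] for n in in_service))

def n_minus_one_secure(in_service):   # traditional contingency analysis: every single outage secure
    return all(max_loading([l for l in in_service if l != out]) < 1.0 for out in in_service)

def screen_command_sequence(in_service, open_cmds):
    """Semantic check: apply each 'open line' command to the tracked topology, return the first
    command whose cumulative consequence violates a line limit (None if the sequence is secure)."""
    topo = list(in_service)
    for cmd in open_cmds:
        topo.remove(cmd)
        if max_loading(topo) >= 1.0:
            return cmd
    return None
```

On this network every single-line outage stays below 69% loading, opening L1 and L2 reaches 96%, and the third command (L3) drives the last parallel line to 160% of its limit, which only the cumulative check sees.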