AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID

Similar documents
Cyber Threat Assessment and Mitigation for Power Grids Lloyd Wihl Director, Application Engineering Scalable Network Technologies

Semantic Security Analysis of SCADA Networks to Detect Malicious Control Commands in Power Grids

Toward Open Source Intrusion Tolerant SCADA. Trevor Aron JR Charles Akshay Srivatsan Mentor: Marco Platania

Virtualizing Industrial Control Systems Testbeds for Cybersecurity Research

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Tools, Techniques, and Methodologies: A Survey of Digital Forensics for SCADA Systems

Dmitry Ishchenko/Reynaldo Nuqui/Steve Kunsman, September 21, 2016 Collaborative Defense of Transmission and Distribution Protection & Control Devices

Communication Pattern Anomaly Detection in Process Control Systems

Legacy-Compliant Data Authentication for Industrial Control System Traffic

PREEMPTIVE PREventivE Methodology and Tools to protect utilities

Automation Services and Solutions

Cyber Security of Power Grids

A. Carcano, I. Nai Fovino, M. Masera, A. Trombetta European Commission Joint Research Centre Critis 2008, Rome, October 15, 2008

Firewalls (IDS and IPS) MIS 5214 Week 6

SCADA Software. 3.1 SCADA communication architectures SCADA system

Cyber Security and Privacy Issues in Smart Grids

Failure Diagnosis and Cyber Intrusion Detection in Transmission Protection System Assets Using Synchrophasor Data

Indegy. Industrial Cyber Security. The Anatomy of an Industrial Cyber Attack

How AlienVault ICS SIEM Supports Compliance with CFATS

9 th Electricity Conference at CMU

Symantec Security Monitoring Services

Maxwell Dondo PhD PEng SMIEEE

A Rising Tide: Design Exploits in Industrial Control Systems

Introduction to ICS Security

Gamifying ICS Security Training and Research: Design, Implementation, and Results of S3

An Overview of ISA-99 & Cyber Security for the Water or Wastewater Specialist

Providing SCADA network data sets for intrusion detection research Antoine Lemay (ÉPM) José M. Fernandez (ÉPM) WORLD-CLASS ENGINEERING

Detection and Analysis of Threats to the Energy Sector (DATES)

Industrial Defender ASM. for Automation Systems Management

Formal Security Assessment of Modbus Protocol

A Probabilistic Approach to Autonomic Security Management

Substation. Communications. Power Utilities. Application Brochure. Typical users: Transmission & distribution power utilities

Connectivity 101 for Remote Monitoring Systems

Cyber Physical System Security

Using Defense in Depth to Safely Present SCADA Data for Read-Only and Corporate Reporting. Rick Bryson

An Anomaly-Based Intrusion Detection System for the Smart Grid Based on CART Decision Tree

The Future of Industrial Control Systems Security

SCADA Protocols. Overview of DNP3. By Michael LeMay

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Cyber Moving Targets. Yashar Dehkan Asl

Activating Intrusion Prevention Service

Training Fees 4,250 US$ per participant for Public Training includes Materials/Handouts, tea/coffee breaks, refreshments & Buffet Lunch

CSE 565 Computer Security Fall 2018

ICS Security Monitoring

Intrusion Detection Using Data Mining Technique (Classification)

IDS: Signature Detection

PREEMPTIVE Preventive methodology and tools to protect utilities

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Training for the cyber professionals of tomorrow

Building a resilient ICS

The SCADA Connection: Moving Beyond Auto Dialers

Distributed Agent-Based Intrusion Detection for the Smart Grid

Job Sheet 1 The SCADA System Network

Hillstone T-Series Intelligent Next-Generation Firewall Whitepaper: Abnormal Behavior Analysis

Resilient Smart Grids

The GenCyber Program. By Chris Ralph

On Cyber Attacks and Signature Based Intrusion Detection for Modbus Based Industrial Control Systems

Data Sources for Cyber Security Research

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Towards High-Interaction Virtual ICS Honeypots-in-a-Box DANIELE ANTONIOLI ANAND AGRAWAL N. O. TIPPENHAUER

REF IC012 PLC & SCADA Systems Feb $4,250 Abu Dhabi, UAE

Big Data Analytics for Host Misbehavior Detection

Authentication Protocol for Industrial Control Systems without Encryption

IE156: ICS410: ICS/SCADA Security Essentials

Introduction and Statement of the Problem

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

The Path to a Secure and Resilient Power Grid Infrastructure

TABLE OF CONTENTS. Section Description Page

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Security of cyber-physical systems: an old idea

An Intrusion Detection System for Critical Information Infrastructures Using Wireless Sensor Network Technologies

Chapter X Security Performance Metrics

Protecting Critical Infrastructure. SCADA Network Security Monitoring

Industrial Control Systems Providing Advanced Threat Detection

This shows a typical architecture that enterprises use to secure their networks: The network is divided into a number of segments Firewalls restrict

Are we breached? Deloitte's Cyber Threat Hunting

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Network Performance Analysis System. White Paper

A Specification-based Intrusion Detection Framework for Cyber-physical Environment in Electric Power System

The SCADA Connection: Moving Beyond Auto Dialers

INFORMATION ASSURANCE DIRECTORATE

Analysis of Malicious Traffic in Modbus/TCP Communication

Network Security: Firewall, VPN, IDS/IPS, SIEM

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Training Venue and Dates September, 2019 $4,000 Dubai, UAE PLC & SCADA Systems Trainings will be conducted in any of the 5 star hotels.

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Iowa State University

Network Intrusion Analysis (Hands on)

Monitoring and diagnostics of data infrastructure problems in power engineering. Jaroslav Stusak, Sales Director CEE, Flowmon Networks

Wireless Data Communications for SCADA Systems

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

INDUSTRIAL CONTROL SYSTEM TRAFFIC DATA SETS FOR INTRUSION DETECTION RESEARCH

Intrusion Detection by Combining and Clustering Diverse Monitor Data

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

ICS Cybersecurity. SANS Top 20 Critical Controls for ICS. David Van Crout

Chapter X Security Performance Metrics

Network-Attack-Resilient Intrusion- Tolerant SCADA for the Power Grid

Application of Monitoring Standards for enhancing Energy System Security

Pramod Bide 1, Rajashree Shedge 2 1,2 Department of Computer Engg, Ramrao Adik Institute of technology/mumbai University, India

What is SCADA? What is Telemetry? What is Data Acquisition? Differences between SCADA and DCS? Components of SCADA. Field Instrumentation

Transcription:

AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID Sherif Abdelwahed Department of Electrical and Computer Engineering Mississippi State University

Autonomic Security Management Modern Power Grids are complex systems which aggregate vast quantities of information to manage extensive computation tasks in real-time. The variety of network protocols and network interfaces in such systems introduce the potential for illicit cyber penetration. Objectives Enable power systems to adapt efficiently to variations in their environment. Enhance the availability and reliability of the system and the underlying services. Facilitate automatic recovery from security attacks while minimizing the impact on performance. Autonomic security management is analogous to Human autonomic nervous system ASM continuously monitors, analyzes, and diagnoses the user-cyber behavior and then takes proactive actions

Model-based Security Management Cycle Identify system and network parameters impacting system performance Monitoring Predict future system security state based on monitored parameters and operating conditions Automated Actions Feature Selection Develop models to provide security assessment to measure system vulnerability continuously in real-time Build a protection plan to secure the system and its data and maintain its availability Risk and Impact Analysis Anomaly Behavior Analysis Aggregate and Correlate

Outline of a Self-Protecting System Autonomic computing aims at selfprotecting systems from cyber attacks with minimal human intervention. estimating upcoming attacks and sending early warnings detecting and classifying attacks Investigating causes and impacts of zero-day attacks autonomously or semiautonomously implementing responses to eliminate cyber attacks.

Monitor and Data Processing The monitor module collects real-time data of the system performance and security performance. For a power system, a set of selected feature will include: Voltage, current, and phase measurments For the security of a power system with wired and wirelessly connected units, selected features include: TCP/IP packet header Protocol data units TCP connection rates The data processing module processes measurements collected by the monitor module. The formatted and preprocessed datasets are then forwarded to the intrusion estimation and intrusion detection modules.

Intrusion Estimation The estimation module uses the historical observations of controlled variables of a physical model ( k 1, r) and selected security features of the system ( k 1, r) to determine future performance of the system. Predicted Value of Control Variable (e.g. Water Level), and Security Features (e.g. TCP/IP packet rates and TCP connection rates) ˆ ( k) k ( ( k 1, r)) ˆ ( k) k ( ( k 1, r)) Historical Datasets Predicted Security State of the SCADA System xˆ (k) f ( x( k), ˆ( k), ˆ( k))

Intrusion Detection and Live Forensics Analysis Intrusion detection is the second line of defense The intrusion detection system adopting anomaly and signature detection techniques can detect known and unknown attacks in real time Live forensics analysis learning unknown attack patterns without disrupting system operations is added to protect against zero-day and evolving attacks Monitoring and analyzing network traffic, system performance, and auditing files using forensics tools (e.g., Wireshark) and statistical theories (e.g., Naive Bayesian Network) Updating detection algorithms of the IDS and active response library so that the zero-day attacks can be prevented in the future

Intrusion Response The intrusion response system selects a proper response to recover the physical system behavior back to normal. The multi-criteria analysis controller (MAC) examines predefined responses. The assessment of each response takes into account four criteria: Criterion 1: Enhancement of Security Criterion 2: Operational Costs Criterion 3: Maintenance of Normal Operations Criterion 4: Impacts on Properties, Finance, and Human Safety

Fuzzy-logic Decision Making Method The total Score for a recommended Response R i S i 3 j1 W Weight of Criterion j for Response i i, j C i, j Value of Criterion j for Response i Criterion j {1,2,3} e.g. Response: Replacement of Compromised Devices. Weight values for each criterion is 1/3 Criterio n One Criterio n Two Criterion Three Criterion Four Total Score 0 0.5 0 0.5 1/3*0+1/3*0.5+1/3+0=0.17 (Auto or Semi-Auto)

Case Study: SCADA System Supervisory Control and Data Acquisition (SCADA) systems are a type of industrial control system (ICS) that adopts many aspects of Information and Communications Technology to monitor and control cyber-physical processes. A SCADA system includes: sensors, actuators, programmable logic controllers (PLCs), remote terminal units (RTUs), human machine interfaces (HMIs), and master terminal units (MTUs). Field devices such as PLCs and RTUs collect and convert sensor sourced analog measurements to digital data. The digital data are then sent back to MTUs via communication links (e.g., Internet, radio, microwave, and satellite). In near real-time this data is processed by MTUs and displayed on HMIs to enable operators to make intervening control decisions.

Cyber Threats Facing SCADA Systems Vulnerabilities residing in: Open and standardized protocols (e.g., Modbus, ICCP, and DNP) Internet-based cyber communications. Security issues inherited from ICT/IT systems: Operating System Commercial-off-the-shelf applications

A Self-Protecting SCADA System Architecture Front VM HMI Firewall Messages from Field Devices Control Network Switch Ranking Unit Criteria Response MAC/Intrusion Response Security State IDS/Forensics Analysis Monitor Estimation Intrusion Estimation Data Processing Legal Replies Legal Replies MTU Legal Replies Commands Commands Protocol Converter TCP2RTU/RT U2TCP Commands Communication Link Communication Link PLC Field Devices Protocol Converter Replies Legal Command Front VM Request Switch Firewall

Virtual Testbed A storage tank is modeled by a laboratoryscale control system in Mississippi State University SCADA Security Laboratory. The MTU is connected to a Human-Machine- Interface (HMI) server via a RS-232 serial port The MTU connects to the RTU wirelessly

SCADA System Exploits We injected a malicious command that modified the register values of the water storage tank alarm condition when the water storage tank was set to the Auto control mode Auto control mode: The pump was turned on when the water level reached the low alarm condition (represented by L); when the water level increased to the high alarm condition (denoted by H), the pump was turned off automatically The attack first evaded the authentication process Then sent an illicit command to change L set-point from 50.00% to 40.00% ; altered H set-point from 60.00% to 70.00%. HH (the high-high alarm) set-point was modified to 80. 00% from 70:00%; LL (the low-low alarm) was changed to 10.00% from 20.00%.

Physical Model of the Water Storage Tank A linear physical system of the water storage tank was modeled relying on the observations of the physical system when it was automatically controlled Water Level Samples ( k) A* k B x(k) ˆ f(x(k),( ^ Ak B),λ(k)) ˆ Coefficients when 1 t 35: A = 0.256 and B =51.181 when 36 t 39: A = -1.976 and B =62.090 When 40 t 45: A = 0.032 and B =56.718 When 46 t 80: A = -0.202 and B =56.686 Observations and Estimations of the Water Level Without Self-Protection

Evaluation of Recommended Responses The optimal response evaluated by the MAC to defend against malicious command injection attack is Replacement of Compromised Devices.

Experimental Results It shows that at sample 94, the malicious command injection attack modified alarm conditions The water level was abnormally increased to 65.99%. At sample 104 when Replacement of Compromised Devices was implemented, a replica PLC containing original ladder-logic programs replied to the MTU and sent commands to control water level of the water storage tank. The water level was returned back to normal rapidly and efficiently with the application of autonomic computing technology

Current Related Research at MSU Test bed for vulnerabilities assessment and impact study Synchrophasor data generation Simulation of wide range of power system events and cyber-attacks Datasets Application of data in event and intrusion detection for offline and online applications

Wide Area Measurement Systems - A CPS Test Bed Architecture Physical, communication, monitoring, and control layers Power system scenarios Faults, load change, generator drop, line loss 5 power system models : 3- generator 4 bus, IEEE 9 Bus, Kundur 2 area system, IEEE 14 Bus, IEEE 39 Bus cyber-attack scenarios Command injection Man in the middle HMI/UI attacks Physical attacks Denial of service attacks

Heterogeneous Data sets CSV data format All data time tagged Data pertains to all scenarios 45 scenarios 120 samples per second 4 PMUs 38.8 GB - 11,715 instances of 45 scenarios randomly simulated for nearly 40 hours

Data Mining Applications for Event and Intrusion Detection Systems (EIDS) Datasets were used to develop Intrusion Detections Systems (IDS) using Common Path Mining (CPM) algorithm Datasets were used to develop Event and Intrusion Detections Systems (EIDS) for offline and real-time applications Non-nested Generalized Exemplars (NNGE) for offline EIDS Hoeffding Adaptive Tree (HAT) for real-time EIDS PERFORMANCE COMPARISON BETWEEN DIFFERENT DATA MINING ALGORITHM

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback