Anomaly detection in substation networks

Abstract

Primary and secondary substation networks are fundamental components of electric energy distribution systems. Because these systems incorporate legacy communication infrastructure, they often have inherent cybersecurity vulnerabilities. Moreover, traditional intrusion defence strategies for IT systems are often not applicable. With the aim of improving cybersecurity in substation networks, in this paper we present two methods for monitoring SCADA systems: the first exploits neural networks, while the second is based on formal methods. To evaluate the effectiveness of the proposed methods, we conducted experiments on a real test bed representing the substation domain as close to real-world as possible. From this test bed we collect data during normal operation and during situations where the system is under attack; to this end, several different types of attack are conducted. The data collected is used to test two versions of the monitoring system: one based on machine learning with a neural network and one using a model-checking approach. Moreover, the two proposed models are tested with new data to evaluate their performance. The experiments demonstrate that both methods obtain an accuracy greater than 90%. In particular, the methodology based on formal methods achieves better performance than the one based on neural networks.
