Omer Sen,Bozhidar Ivanov,Christian Kloos,Christoph Zol_,Philipp Lutat,Martin Henze,Andreas Ulbig

DOI: https://doi.org/10.1016/j.ijcip.2024.100727

2024-12-09

Abstract:The power grid is a critical infrastructure essential for public safety and welfare. As its reliance on digital technologies grows, so do its vulnerabilities to sophisticated cyber threats, which could severely disrupt operations. Effective protective measures, such as intrusion detection and decision support systems, are essential to mitigate these risks. Machine learning offers significant potential in this field, yet its effectiveness is constrained by the limited availability of high-quality data due to confidentiality and access restrictions. To address this, we introduce a simulation environment that replicates the power grid's infrastructure and communication dynamics. This environment enables the modeling of complex, multi-stage cyber attacks and defensive responses, using attack trees to outline attacker strategies and game-theoretic approaches to model defender actions. The framework generates diverse, realistic attack data to train machine learning algorithms for detecting and mitigating cyber threats. It also provides a controlled, flexible platform to evaluate emerging security technologies, including advanced decision support systems. The environment is modular and scalable, facilitating the integration of new scenarios without dependence on external components. It supports scenario generation, data modeling, mapping, power flow simulation, and communication traffic analysis in a cohesive chain, capturing all relevant data for cyber security investigations under consistent conditions. Detailed modeling of communication protocols and grid operations offers insights into attack propagation, while datasets undergo validation in laboratory settings to ensure real-world applicability. These datasets are leveraged to train machine learning models for intrusion detection, focusing on their ability to identify complex attack patterns within power grid operations.

Cryptography and Security

Ömer Sen,Dennis van der Velde,Sebastian N. Peters,Martin Henze

DOI: https://doi.org/10.48550/arXiv.2110.02040

2021-10-05

Abstract:While the digitization of power distribution grids brings many benefits, it also introduces new vulnerabilities for cyber-attacks. To maintain secure operations in the emerging threat landscape, detecting and implementing countermeasures against cyber-attacks are paramount. However, due to the lack of publicly available attack data against Smart Grids (SGs) for countermeasure development, simulation-based data generation approaches offer the potential to provide the needed data foundation. Therefore, our proposed approach provides flexible and scalable replication of multi-staged cyber-attacks in an SG Co-Simulation Environment (COSE). The COSE consists of an energy grid simulator, simulators for Operation Technology (OT) devices, and a network emulator for realistic IT process networks. Focusing on defensive and offensive use cases in COSE, our simulated attacker can perform network scans, find vulnerabilities, exploit them, gain administrative privileges, and execute malicious commands on OT devices. As an exemplary countermeasure, we present a built-in Intrusion Detection System (IDS) that analyzes generated network traffic using anomaly detection with Machine Learning (ML) approaches. In this work, we provide an overview of the SG COSE, present a multi-stage attack model with the potential to disrupt grid operations, and show exemplary performance evaluations of the IDS in specific scenarios.

Cryptography and Security,Networking and Internet Architecture,Systems and Control

Ömer Sen,Philipp Malskorn,Simon Glomb,Immanuel Hacker,Martin Henze,Andreas Ulbig

DOI: https://doi.org/10.1109/PowerTech55446.2023.10202747

2023-12-21

Abstract:Power grids are becoming more digitized, resulting in new opportunities for the grid operation but also new challenges, such as new threats from the cyber-domain. To address these challenges, cybersecurity solutions are being considered in the form of preventive, detective, and reactive measures. Machine learning-based intrusion detection systems are used as part of detection efforts to detect and defend against cyberattacks. However, training and testing data for these systems are often not available or suitable for use in machine learning models for detecting multi-stage cyberattacks in smart grids. In this paper, we propose a method to generate synthetic data using a graph-based approach for training machine learning models in smart grids. We use an abstract form of multi-stage cyberattacks defined via graph formulations and simulate the propagation behavior of attacks in the network. Within the selected scenarios, we observed promising results, but a larger number of scenarios need to be studied to draw a more informed conclusion about the suitability of synthesized data.

Cryptography and Security,Systems and Control

Ömer Sen,Bozhidar Ivanov,Martin Henze,Andreas Ulbig

DOI: https://doi.org/10.1109/SEST57387.2023.10257329

2023-12-21

Abstract:The power grid is a critical infrastructure that plays a vital role in modern society. Its availability is of utmost importance, as a loss can endanger human lives. However, with the increasing digitalization of the power grid, it also becomes vulnerable to new cyberattacks that can compromise its availability. To counter these threats, intrusion detection systems are developed and deployed to detect cyberattacks targeting the power grid. Among intrusion detection systems, anomaly detection models based on machine learning have shown potential in detecting unknown attack vectors. However, the scarcity of data for training these models remains a challenge due to confidentiality concerns. To overcome this challenge, this study proposes a model for generating synthetic data of multi-stage cyber attacks in the power grid, using attack trees to model the attacker's sequence of steps and a game-theoretic approach to incorporate the defender's actions. This model aims to create diverse attack data on which machine learning algorithms can be trained.

Cryptography and Security,Systems and Control

Omer Sen,Nathalie Bleser,Martin Henze,Andreas Ulbig

DOI: https://doi.org/10.1049/icp.2023.0614

2024-12-06

Abstract:The integration of information and communication technology in distribution grids presents opportunities for active grid operation management, but also increases the need for security against power outages and cyberattacks. This paper examines the impact of cyberattacks on smart grids by replicating the power grid in a secure laboratory environment as a cyber-physical digital twin. A simulation is used to study communication infrastructures for secure operation of smart grids. The cyber-physical digital twin approach combines communication network emulation and power grid simulation in a common modular environment, and is demonstrated through laboratory tests and attack replications.

Cryptography and Security

Benedikt Klaer,Ömer Sen,Dennis van der Velde,Immanuel Hacker,Michael Andres,Martin Henze

DOI: https://doi.org/10.48550/arXiv.2009.00273

2020-09-01

Software Engineering

Abstract:The rising use of information and communication technology in smart grids likewise increases the risk of failures that endanger the security of power supply, e.g., due to errors in the communication configuration, faulty control algorithms, or cyber-attacks. Co-simulations can be used to investigate such effects, but require precise modeling of the energy, communication, and information domain within an integrated smart grid infrastructure model. Given the complexity and lack of detailed publicly available communication network models for smart grid scenarios, there is a need for an automated and systematic approach to creating such coupled models. In this paper, we present an approach to automatically generate smart grid infrastructure models based on an arbitrary electrical distribution grid model using a generic architectural template. We demonstrate the applicability and unique features of our approach alongside examples concerning network planning, co-simulation setup, and specification of domain-specific intrusion detection systems.

Xinyu Yang,Xiaofei He,Jie Lin,Wei Yu,Qingyu Yang

DOI: https://doi.org/10.1109/trustcom.2016.0094

2016-01-01

Abstract:The diverse cyber attacks, that make operation of the smart grid challenging, must be addressed before wide adoption of smart grids can be fully realized. Although a number of research efforts have been devoted to defending against these threats, a majority of existing schemes focus on the design of a specific defensive strategy to deal with a specific threat. In this paper we address the issue of coalitional attacks that can be launched by multiple adversaries cooperatively in the smart grid. We propose a game-theoretic based model to capture the interaction among multiple adversaries and quantify the capacity of the defender based on the extended Iterated Public Goods Game (IPGG) model. In the formalized game model, each participant can either cooperate by participating in the coalitional attack, or defect by standing aside in each round of the attack. We consider the generic defensive strategy that has a probability to detect the coalitional attack. When the coalitional attack is detected, all the participating adversaries are penalized. The expected payoff of each participant is derived through the zero-determinant strategy that provides the participants competitive benefits. Via a combination of theoretical analysis and experiments, our results show that our formalized game model can enable the defender to greatly reduce the maximum value of the expected average payoff to the adversaries via provisioning sufficient defensive resources, which is reflected by setting a proper penalty factor against the adversaries.

Saeed Ahmadian,Xiao Tang,Heidar A. Malki,Zhu Han

DOI: https://doi.org/10.1109/access.2019.2899293

IF: 3.9

2019-01-01

IEEE Access

Abstract:With the development of communication infrastructure in smart grids, cyber security reinforcement has become one of the most challenging issues for power system operators. In this paper, an attacker is considered a participant in the virtual bidding procedure in the day-ahead (DA) and real-time (RT) electricity markets to maximize its profit. The cyber attacker attempts to identify the optimal power system measurements to attack along with the false data injected into measurement devices. Towards the maximum profit, the attacker needs to specify the relation between manipulated meters, virtual power traded in the markets, and electricity prices. Meanwhile, to avoid being detected by the system operator, the attacker considers the physical power system constraints existing in the DA and RT markets. Then, a bi-level optimization model is presented which combines the real electricity market state variables with the attacker decision-variables. Using the mathematical problem with equilibrium constraints, the presented bi-level model is converted into a single level optimization problem and the optimal decision variables for the attacker are obtained. Finally, simulation results are provided to demonstrate the performance of the attacker, which also provides insights for security improvement.

Omer Sen,Yanico Aust,Simon Glomb,Andreas Ulbig

2024-12-06

Abstract:This study delves into the role of process awareness in enhancing intrusion detection within Smart Grids, considering the increasing fusion of ICT in power systems and the associated emerging threats. The research harnesses a co-simulation environment, encapsulating IT, OT, and ET layers, to model multi-stage cyberattacks and evaluate machine learning-based IDS strategies. The key observation is that process-aware IDS demonstrate superior detection capabilities, especially in scenarios closely tied to operational processes, as opposed to IT-only IDS. This improvement is notable in distinguishing complex cyber threats from regular IT activities. The findings underscore the significance of further developing sophisticated IDS benchmarks and digital twin datasets in Smart Grid environments, paving the way for more resilient cybersecurity infrastructures.

Cryptography and Security

Immanuel Hacker,Ömer Sen,Dennis van der Velde,Florian Schmidtke,Andreas Ulbig

2024-10-14

Abstract:The increased integration of information and communications technology at the distribution grid level offers broader opportunities for active operational management concepts. At the same time, requirements for resilience against internal and external threats to the power supply, such as outages or cyberattacks, are increasing. The emerging threat landscape needs to be investigated to ensure the security of supply of future distribution grids. This extended abstract presents a co-simulation environment to study communication infrastructures for the resilient operation of distribution grids. For this purpose, a communication network emulation and a power grid simulation are combined in a common modular environment. This will provide the basis for cybersecurity investigations and testing of new active operation management concepts for smart grids. Exemplary laboratory tests and attack replications will be used to demonstrate the diverse use cases of our co-simulation approach.

Systems and Control

Zengji Liu,Qi Wang,Yi Tang,Ming Ni

DOI: https://doi.org/10.1109/isgt-asia.2018.8467880

2018-01-01

Abstract:With the development of information and communication technology (ICT), the observability and controllability of smart grid have been greatly enhanced. The smart grid is gradually evolving into cyber-physical-power systems (CPPS). The influence of communication network and control device on power system stability becomes more obvious. Thus, it is essential to set up the real-time co-simulation platform with hardware-in-loop to reflect cyber-attack process. In this paper, a co-simulation platform is designed based on RT-LAB, OPNET and real security and stability control device. The modeling and implementation methods of man-in-the-middle (MITM) attack in the communication network are elaborated. The simulation results validate the capability of the co-simulation platform.

Oscar Famous Darteh,Qi Liu,Xiaodong Liu,Ibrahima Bah,Francis Mawuli Nakoty,Amevi Acakpovi

DOI: https://doi.org/10.1109/dasc/picom/cbdcom/cy55231.2022.9927892

2022-01-01

Abstract:The transition of the conventional power grid into the Smart Grid (SG), a widely distributed energy delivery network characterized by a two-way flow of electricity and information, is key for energy sector stakeholders. Despite the SG’s clear improvements, there are still certain network vulnerabilities in the power distribution and communication systems. Therefore, research into cyber security frameworks is essential to handle these security issues adequately. This paper first discussed SG’s architecture, possible vulnerability, and information networking. Finally, the emerging simulation frameworks for analyzing smart grid cyberattacks were discussed, including the SG Hardware-In-the-Loop co-simulation framework (2018), GridAttackSim (2020), and GridAttackAnalyzer (2021).

Kang-Di Lu,Zheng-Guang Wu

DOI: https://doi.org/10.1109/tii.2021.3129487

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:As the next-generation power grids, smart grids are integrated with advanced information and communication technology (ICT) to make the grid more efficient and stable than conventional power systems. Given the mounting cyber-attack threats, these critical ICT systems create great security issues for smart grids. Additionally, the clever attackers have the ability to not only access and monitor the smart grid, but also hack it by launching well-established cyber-attacks. Thus, this article is devoted to understanding the potential stealthy cyber-attack and its countermeasure. First, this article proposes a stealthy sparse cyber-attack model in an ac smart grid by considering both the residual test-based detector and the interval-state-estimation-based detector, which is not considered in previous studies. The design model is formulated as a constrained optimization problem by minimizing the number of contaminated meters, where the characteristics of two types of detector are considered simultaneously as the constraints for the first time. A constrained differential evolution (CDE) is proposed as the solver because the optimization problem is NP-hard. Then, a generalized-cumulative-sum-based detector is developed to detect the proposed cyber-attacks, where a fractional-order state transition matrix is originally introduced into the estimator to describe the dynamics of the power system. Numerical studies illustrate the feasibility of CDE-based stealthy sparse cyber-attacks and the effectiveness of the proposed countermeasure.

Daisuke Mashima,Muhammad M. Roomi,Bennet Ng,Zbigniew Kalbarczyk,S.M. Suhail Hussain,Ee-chien Chang

2024-04-01

Abstract:Assurance of cybersecurity is crucial to ensure dependability and resilience of smart power grid systems. In order to evaluate the impact of potential cyber attacks, to assess deployability and effectiveness of cybersecurity measures, and to enable hands-on exercise and training of personals, an interactive, virtual environment that emulates the behaviour of a smart grid system, namely smart grid cyber range, has been demanded by industry players as well as academia. A smart grid cyber range is typically implemented as a combination of cyber system emulation, which allows interactivity, and physical system (i.e., power grid) simulation that are tightly coupled for consistent cyber and physical behaviours. However, its design and implementation require intensive expertise and efforts in cyber and physical aspects of smart power systems as well as software/system engineering. While many industry players, including power grid operators, device vendors, research and education sectors are interested, availability of the smart grid cyber range is limited to a small number of research labs. To address this challenge, we have developed a framework for modelling a smart grid cyber range using an XML-based language, called SG-ML, and for "compiling" the model into an operational cyber range with minimal engineering efforts. The modelling language includes standardized schema from IEC 61850 and IEC 61131, which allows industry players to utilize their existing configurations. The SG-ML framework aims at making a smart grid cyber range available to broader user bases to facilitate cybersecurity R\&D and hands-on exercises.

Cryptography and Security

Kaikai Pan,Andre Teixeira,Claudio David Lopez,Peter Palensky

DOI: https://doi.org/10.1109/smartgridcomm.2017.8340668

2017-10-01

Abstract:It is challenging to assess the vulnerability of a cyber-physical power system to data attacks. In order to support vulnerability assessment, with the exception of analytic methods, a suitable platform for security tests needs to be developed. In this paper we analyze the cyber security of energy management system (EMS) against data attacks. First we extend our analytic framework that characterizes data attacks as optimization problems with the objectives specified as security metrics and constraints corresponding to the communication network properties. Second, we build a platform in the form of co-simulation - coupling the power system simulator DIgSILENT PowerFactory with communication network simulator OMNeT++, and Matlab for EMS applications (state estimation, optimal power flow). Then the framework is used to conduct attack simulations on the cosimulation based platform for a power grid test case. The results indicate how vulnerable of EMS to data attacks and how cosimulation can help assess vulnerability.

Denise Tellbach,Yan-Fu Li

DOI: https://doi.org/10.3390/en11020316

IF: 3.2

2018-01-01

Energies

Abstract:The subject of cyber-security and therefore cyber-attacks on smart grid (SG) has become subject of many publications in the last years, emphasizing its importance in research, as well as in practice. One especially vulnerable part of SG are smart meters (SMs). The major contribution of simulating a variety of cyber-attacks on SMs that have not been done in previous studies is the identification and quantification of the possible impacts on the security of SG. In this study, a simulation model of a nanogrid, including a complete household with an SM, was developed. Different cyber-attacks were injected into the SM to simulate their effects on household nanogrid. The analysis of the impacts of different cyber-attacks showed that the effects of cyber-attacks can be sorted into various categories. Integrity and confidentiality attacks cause monetary effects on the grid. While, availability attacks have monetary effects on the grid as well, they are mainly aimed at compromising the SM communication by either delaying or stopping it completely.

Luca Arnaboldi,Ricardo M. Czekster,Roberto Metere,Charles Morisset

DOI: https://doi.org/10.48550/arXiv.1911.12757

2019-12-17

Abstract:Cyber-Physical Systems (CPS) are present in many settings addressing a myriad of purposes. Examples are Internet-of-Things (IoT) or sensing software embedded in appliances or even specialised meters that measure and respond to electricity demands in smart grids. Due to their pervasive nature, they are usually chosen as recipients for larger scope cyber-security attacks. Those promote system-wide disruptions and are directed towards one key aspect such as confidentiality, integrity, availability or a combination of those characteristics. Our paper focuses on a particular and distressing attack where coordinated malware infected IoT units are maliciously employed to synchronously turn on or off high-wattage appliances, affecting the grid's primary control management. Our model could be extended to larger (smart) grids, Active Buildings as well as similar infrastructures. Our approach models Coordinated Load-Changing Attacks (CLCA) also referred as GridLock or BlackIoT, against a theoretical power grid, containing various types of power plants. It employs Continuous-Time Markov Chains where elements such as Power Plants and Botnets are modelled under normal or attack situations to evaluate the effect of CLCA in power reliant infrastructures. We showcase our modelling approach in the scenario of a power supplier (e.g. power plant) being targeted by a botnet. We demonstrate how our modelling approach can quantify the impact of a botnet attack and be abstracted for any CPS system involving power load management in a smart grid. Our results show that by prioritising the type of power-plants, the impact of the attack may change: in particular, we find the most impacting attack times and show how different strategies impact their success. We also find the best power generator to use depending on the current demand and strength of attack.

Systems and Control,Cryptography and Security

Ruilong Deng,Peng Zhuang,Hao Liang

DOI: https://doi.org/10.1109/TSG.2017.2702125

IF: 10.275

2017-01-01

IEEE Transactions on Smart Grid

Abstract:Smart grid, as one of the most critical infrastructures, is vulnerable to a wide variety of cyber and/or physical attacks. Recently, a new category of threats to smart grid, named coordinated cyber-physical attacks (CCPAs), are emerging. A key feature of CCPAs is to leverage cyber attacks to mask physical attacks which can cause power outages and potentially trigger cascading failures. In this pap...

Zijiao Zhou,Haowei Yang,Huibo Li,Jihao Zhang,Siqi Li,Xiang Gao,Peng Gong

DOI: https://doi.org/10.23919/icact53585.2022.9728779

2022-01-01

Abstract:Cyber-attacks on the power grid happen frequently nowadays which results in a high incidence of power fault, like power blackouts. The current cyber-physical co-simulation technology for power grid vulnerability researches still adopt script simulation rather than dynamic simulation, making the dynamic analysis unavailable. In this paper, a real-time hardware-in-the-loop simulation platform integrated by QualNet and Real-time Digital Simulator (RTDS) is investigated. On this platform, a dynamic cyber-attack approach, i.e., DoS attack and data tampering attack, is proposed, where users can dynamically conFigure the cyber-attack situations of power grid via a designed panel during the simulation process, to estimate and analyse the impact of cyber-attacks on the power grid system. Experiment results verify the operability and effectiveness of the proposed approach.

Ömer Sen Dennis van der Velde,Maik Lühman,Florian Sprünken,Immanuel Hacker,Andreas Ulbig,Michael Andres,Martin Henze

DOI: https://doi.org/10.1186/s42162-022-00206-7

2022-09-09

Abstract:The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication ows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.

Cryptography and Security