Abstract: Cyber-physical system (CPS) security for the smart grid enables secure communication for the SCADA and wide-area measurement system data. Power utilities world-wide use various SCADA protocols, namely DNP3, Modbus, and IEC 61850, for the data exchanges across substation field devices, remote terminal units (RTUs), and control center applications. Adversaries may exploit compromised SCADA protocols for reconnaissance, data exfiltration, vulnerability assessment, and injection of stealthy cyberattacks to affect power system operation. In this paper, we propose an efficient algorithm to generate robust rule sets. We integrate the rule sets into an intrusion detection system (IDS), which continuously monitors the DNP3 data traffic at a substation network and detects intrusions and anomalies in real time. To enable CPS-aware wide-area situational awareness, we integrated the methodology into an open-source distributed-IDS (D-IDS) framework. The D-IDS facilitates central monitoring, at the control center, of the anomalies detected at geographically distributed substations. The proposed algorithm provides an optimal solution to detect network intrusions and abnormal behavior. Different types of IDS rules based on packet payload, packet flow, and time threshold are generated. Further, IDS testing and evaluation are performed with a set of rules in different sequences. The detection time is measured for different IDS rules, and the results are plotted. All the experiments are conducted at Power Cyber Lab, Iowa State University, for multiple power grid models. After successful testing and evaluation, knowledge and implementation are transferred to field deployment.
What problem does this paper attempt to address?
This paper attempts to solve the cybersecurity problems faced by the SCADA system in the smart grid, especially the design and implementation of the Distributed Intrusion Detection System (D-IDS). Specifically, the paper aims to generate a robust rule set and integrate it into the D-IDS to achieve real-time monitoring and detection of intrusions and abnormal behaviors in the SCADA network. The following are the main problems and solutions in the paper:
### 1. **Research Background and Problems**
The smart grid relies on the SCADA system for real-time data exchange. Commonly used communication protocols include DNP3, Modbus, and IEC 61850. These protocols need to ensure high availability, integrity, and confidentiality when transmitting critical control data. However, attackers may exploit the vulnerabilities of these protocols for reconnaissance, data leakage, vulnerability assessment, and injection of covert cyber-attacks, thus affecting the normal operation of the power system.
### 2. **Proposed Method**
To address the above challenges, the paper proposes an efficient algorithm to generate a robust rule set and integrate it into the Distributed Intrusion Detection System (D-IDS). This system can monitor DNP3 data traffic in the SCADA network in real time and detect intrusions and abnormal behaviors. The specific methods are as follows:
- **Rule Generation Algorithm**: Generate multiple types of IDS rules according to different traffic patterns (such as packet payload, packet flow, time threshold, etc.). These rules can detect different types of cyber-attacks.
- **Distributed Architecture**: Construct a distributed D-IDS framework containing a master node and multiple sensors, which can centrally monitor abnormal situations from geographically distributed substations and transmit information to the control center.
- **Real-Time Detection and Response**: By analyzing network traffic patterns, design multiple rules based on content, packet flow, time threshold, etc., to quickly detect and respond to potential security threats.
### 3. **Experimental Verification**
The paper conducted multiple experiments in the Power Cyber Lab (Iowa State University) to test the impact of different sequences of IDS rules on detection time. The results show that placing key rules at the top of the rule base can significantly reduce the detection time. In addition, the paper also explored different types of cyber-attacks (such as DNP3 select-operate attacks, direct-operate attacks, broadcast-request attacks, etc.) and designed corresponding IDS rules for each attack.
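To make the three rule types and the rule-ordering result concrete, here is an added illustration (not the paper's code or the D-IDS framework's): a tiny sequential rule engine over decoded DNP3 requests with one payload rule, one flow rule, and one time-threshold rule, replayed over constructed traffic in two rule orders. The DNP3 function codes and broadcast address are the standard values; the whitelist of master addresses, the thresholds, and the exact conditions of each rule are assumptions chosen for the illustration.

```python
from collections import deque, namedtuple

# DNP3 application-layer function codes (values as defined in the DNP3 standard)
READ, SELECT, OPERATE, DIRECT_OPERATE = 0x01, 0x03, 0x04, 0x05
BROADCAST = 0xFFFF  # one of the DNP3 all-stations broadcast destination addresses
Pkt = namedtuple("Pkt", "ts src dst fc")  # time (s), source addr, destination addr, function code

class RuleEngine:
    """One rule of each type named in the paper; thresholds and master whitelist are assumed values."""
    def __init__(self, masters=(1,), flow_limit=3, flow_window=1.0, select_timeout=2.0):
        self.masters, self.flow_limit = set(masters), flow_limit
        self.flow_window, self.select_timeout = flow_window, select_timeout
        self.recent = deque()    # timestamps of recent broadcast requests (flow-rule state)
        self.last_select = {}    # master address -> time of its last SELECT (time-rule state)

    def observe(self, p):
        """Update per-flow state once per packet, independent of the rule order used."""
        if p.dst == BROADCAST:
            self.recent.append(p.ts)
            while p.ts - self.recent[0] > self.flow_window:
                self.recent.popleft()
        if p.fc == SELECT:
            self.last_select[p.src] = p.ts
    def r_payload(self, p):   # payload rule: DIRECT_OPERATE, or a control request from a non-whitelisted master
        return p.fc == DIRECT_OPERATE or (p.fc in (SELECT, OPERATE) and p.src not in self.masters)
    def r_flow(self, p):      # flow rule: more than flow_limit broadcast requests inside flow_window seconds
        return p.dst == BROADCAST and len(self.recent) > self.flow_limit
    def r_time(self, p):      # time-threshold rule: OPERATE with no SELECT from that master inside select_timeout
        t = self.last_select.get(p.src)
        return p.fc == OPERATE and (t is None or p.ts - t > self.select_timeout)

def run(packets, order):
    """Replay packets through a fresh engine; return (alerts, rules evaluated on alerted packets)."""
    eng, alerts, cost = RuleEngine(), [], 0
    for p in packets:
        eng.observe(p)
        for n, name in enumerate(order, 1):   # first matching rule wins, as in a sequential rule set
            if getattr(eng, name)(p):
                alerts.append((p.ts, name))
                cost += n                     # rules checked before this alert fired (detection cost)
                break
    return alerts, cost

# Constructed sample traffic: a legitimate select-operate, a rogue master (addr 7) sending
# direct-operate three times, a broadcast-request burst, then an operate whose select is stale.
TRAFFIC = [Pkt(0.0, 1, 10, SELECT), Pkt(0.5, 1, 10, OPERATE),
           Pkt(1.0, 7, 10, DIRECT_OPERATE), Pkt(1.1, 7, 10, DIRECT_OPERATE), Pkt(1.2, 7, 10, DIRECT_OPERATE),
           Pkt(2.0, 7, BROADCAST, READ), Pkt(2.2, 7, BROADCAST, READ),
           Pkt(2.4, 7, BROADCAST, READ), Pkt(2.6, 7, BROADCAST, READ),
           Pkt(5.0, 1, 10, OPERATE)]
```

Running `run(TRAFFIC, ["r_payload", "r_flow", "r_time"])` and `run(TRAFFIC, ["r_time", "r_flow", "r_payload"])` yields the same five alerts, but the order with the most frequently matching rule on top costs 8 rule evaluations on alerted packets versus 12, which is the ordering effect the experiments measure.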
### 4. **Practical Deployment**
The successful results of this research were transferred to a local power company in Iowa (the name is not disclosed for security reasons). The D-IDS system was deployed in two phases. In the first phase, the master node and client 1 were deployed, and in the second phase, client 2 was deployed. The results show that the distributed IDS system and customized IDS rules perform well in practical applications.
### 5. **Conclusion**
The paper emphasizes the importance of protecting industrial communication networks and proposes an effective distributed intrusion detection and prevention system. By generating a robust rule set and optimizing the rule order, rapid and accurate intrusion detection can be achieved in the SCADA system of the smart grid. Future work will further introduce data analysis and machine-learning techniques to develop more advanced detection methods.
### Summary
The core problem of this paper is to improve the cybersecurity of the SCADA system in the smart grid, especially by designing and implementing an efficient distributed intrusion detection system to deal with potential cyber-attacks.