Dinghua Wang,Dongqin Feng

DOI: https://doi.org/10.1109/iaeac.2018.8577543

2018-01-01

Abstract:Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.

Geng-hong LU,Dong-qin FENG

DOI: https://doi.org/10.13195/j.kzyjc.2016.0551

2017-01-01

Abstract:The attacks against the industrial control network have different types and various attack intensity. Under this circumstance, the traditional detection techniques cannot identify the multiple types of attacks effectively, and can not assess the security situations of the industrial control network comprehensively and accurately. Therefore, the industrial control network security situation awareness model is proposed. Firstly, the rule extraction can be done by applying the improved C-SVC algorithm to the multi-sensor data. Then with the application of decision fusion algorithm, the decision-level fusion is completed and the results of situation awareness are procured. The simulation experiment results show that the proposed model and algorithms can distinguish multiple types of attacks effectively, identify the attacks that are launched against the industrial control system accurately, and generate the results of situation awareness.

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/tcsii.2020.2999875

2020-01-01

Abstract:In this brief, we analyze the damage caused by malware-induced cyber attacks in Cyber-Physical Power Systems (CPPSs). Incubation period and detection probability of the malware are considered in our analytical framework. From attacker's perspective, the trade-off between attack effectiveness and detection risk is studied to help choose the best attack timing and obtain the maximum payoff. Moreover, we conduct case studies in CPPSs formed by coupling IEEE 118-Bus System with scale-free communication networks. Simulation results reveal that the maximum expected payoff for the attacker is affected by the coupling pattern and the structure of communication network in CPPSs.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/jsyst.2022.3150576

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In this article, we study how to resist malware attacks in cyber-physical power systems (CPPSs) through cyber protection. A model that incorporates the power flow analysis, the cyber monitoring and control, and the factor of cyber protection is proposed to simulate malware attacks in CPPSs. Meanwhile, an evaluation method is also developed to estimate the effectiveness of different cyber protection strategies. Through simulations, we conduct case studies in a test CPPS generated by coupling the IEEE 118 Bus System with a scale-free communication network. The protection effects of three heuristic cyber protection strategies, namely, target protection, random protection, and acquaintance protection are compared and analyzed. Simulation results reveal that compared with the other two strategies, target protection can suppress malware propagation and resist malware attacks more effectively. Moreover, we also investigate the optimal cyber protection problem in CPPSs and formulate it as a zero-one integer programming problem. We solve the problem by genetic algorithm and find that some low-degree cyber nodes also play a significant role in resisting malware attacks in CPPSs, especially when the protection budget is tight.

Jiang Jiang,Yongxiang Xia,Sheng Xu,Hui-Liang Shen,Jiajing Wu

DOI: https://doi.org/10.1063/1.5139254

2020-01-01

Abstract:Cyber-physical systems (CPSs) are integrations of information technology and physical systems, which are more and more significant in society. As a typical example of CPSs, smart grids integrate many advanced devices and information technologies to form a safer and more efficient power system. However, interconnection with the cyber network makes the system more complex, so that the robustness assessment of CPSs becomes more difficult. This paper proposes a new CPS model from a complex network perspective. We try to consider the real dynamics of cyber and physical parts and the asymmetric interdependency between them. Simulation results show that coupling with the communication network makes better robustness of power system. But since the influences between the power and communication networks are asymmetric, the system parameters play an important role to determine the robustness of the whole system.

Kuan‐Chu Lu,I‐Hsien Liu,Zong‐Chao Liu,Jung‐Shian Li

DOI: https://doi.org/10.1049/ntw2.12127

2024-06-08

IET Networks

Abstract:SCADA systems are increasingly used to manage the operations of dams and reservoirs. Thus, to ensure the safety and efficiency of the water distribution system, it is essential to develop effective mechanisms for detecting and thwarting attacks to dam SCADA systems. Supervisory control and data acquisition (SCADA) systems are vital in monitoring and controlling industrial processes through the web. However, while such systems result in lower costs, greater utilisation efficiency, and improved reliability, they are vulnerable to cyberattacks, with consequences ranging from the inconvenience and minor disruption to severe physical damage and even loss of life. The authors evaluate the security of the Dam system in the form of Common Criteria, develop safety goals to improve this safety, and focus on threats and risks to the dam SCADA system. Finally proposes an anomaly‐based machine‐learning framework for detecting malicious network attacks in the SCADA system of a dam. Three unsupervised classification algorithms are considered: hierarchical clustering, local outlier factor, and isolation forest. It is shown that the hierarchical clustering algorithm achieves the highest precision and F‐score of the three algorithms. Overall, the results confirm the effectiveness of anomaly‐based detection algorithms in enhancing the robustness of SCADA systems toward malicious attacks. At the same time, it complies with the security objectives of Common Criteria, achieving the safety and protection of the dam.

Kang-Di Lu,Zheng-Guang Wu

DOI: https://doi.org/10.1109/icarm54641.2022.9959185

2022-01-01

Abstract:The cyber-physical power system (CPPS) is evolved from the traditional power system by the deployment of information networks with control systems, computational units, and communication networks. However, their integration into CPPS introduces new challenges in maintaining security. Various malicious cyber-attacks are drawn much attention recently after the discovery of the impact on CPPS state estimation. Thus, it is of great significance for operators to detect cyber-attacks and identify the types of attacks in CPPS to make decisions appropriately. This problem can be viewed as a multi-class classification problem from the perspective of machine learning. Accordingly, this paper proposes an ensemble learning-based cyber-attacks detection model for CPPS state estimation. In the proposed model, we use the subspace features and then send the data to the classifier for ensemble, where decision trees and random vector functional link networks are introduced as the basic classifier. The proposed model is validated by employing simulated data on IEEE 14-bus and 30-bus systems. Simulation results demonstrate the performance of the proposed cyber-attacks detection model.

Yilin Mo,Rohan Chabukswar,Bruno Sinopoli

DOI: https://doi.org/10.3182/20110828-6-it-1002.03712

IF: 4.8

2013-01-01

IEEE Transactions on Control Systems Technology

Abstract:Ensuring security of systems based on supervisory control and data acquisition is a major challenge. The goal of this paper is to develop the model-based techniques capable of detecting integrity attacks on the sensors of a control system. In this paper, the effect of integrity attacks on the control systems is analyzed and countermeasures capable of exposing such attacks are proposed. The main contributions of this paper, beyond the novelty of the problem formulation, lies in enumerating the conditions of the feasibility of the replay attack, and suggesting countermeasures that optimize the probability of detection by conceding control performance. The methodologies are shown and the theoretical results are validated using several sets of simulations.

Leandros A. Maglaras,Jianmin Jiang,Tiago J. Cruz

DOI: https://doi.org/10.1016/j.jisa.2016.04.002

IF: 4.96

2016-10-01

Journal of Information Security and Applications

Abstract:Modern Supervisory Control and Data Acquisition (SCADA) systems used by the electric utility industry to monitor and control electric power generation, transmission and distribution are recognized today as critical components of the electric power delivery infrastructure. SCADA systems are large, complex and incorporate increasing numbers of widely distributed components. The presence of a real time intrusion detection mechanism, which can cope with different types of attacks, is of great importance in order to defend a system against cyber attacks. This defense mechanism must be distributed, cheap and above all accurate, since false positive alarms or mistakes regarding the origin of the intrusion mean severe costs for the system. Recently an integrated detection mechanism, namely IT-OCSVM, was proposed, which is distributed in a SCADA network as a part of a distributed intrusion detection system (DIDS), providing accurate data about the origin and the time of an intrusion. In this paper we also analyze the architecture of the integrated detection mechanism and we perform extensive simulations based on real cyber attacks in a small SCADA testbed in order to evaluate the performance of the proposed mechanism.

computer science, information systems

Weijie Hao,Qiang Yang,Zhiyi Li,Shiyan Hu,Bo Liu,Wei Ruan

DOI: https://doi.org/10.1109/jiot.2022.3210946

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Substation communication network (SCN) provides real-time, high-speed, and reliable data transmissions for the advanced monitoring and control functionalities, which are facing increasing cyberspace threats and attacks. Efficient threat perception and cyber situational awareness are essential to enhance secure and reliable SCN operations. This article explores multiscale SCN traffic pattern characteristics with holistic network traffic, separated network traffic for included devices (especially IoT devices) and separated network traffic of certain types of protocol. The proposed online traffic-oriented SCN traffic anomaly detection and cyber situational awareness models are designed for the network anomalies and cyber-attacks that could cause network traffic pattern variations. We leverage a fractional autoregressive integration moving average (FARIMA)-based dynamic threshold model to detect abnormal traffic patterns without sophisticated computations or deep packet inspection. The SCN real-time operation conditions are timely quantified through the statistical methods with the alliance of SCN topology and protocols. The cyber situational awareness model is further carried out to evaluate the most affected protocol and security risks of various devices in SCN using Grubbs' test. The experiment results are carried out based on a real 110-kV intelligent power substation. The numerical results confirm the comparative low mean square error (MSE) and low complexity of the online traffic characterization when forecasting holistic network traffic and separated network traffics. Furthermore, the timely and quantified cybersecurity risk analysis is conducted based on the SCN traffic with varying scales to detect cyberspace threats and identify the high-risk SCN devices and the most affected protocol.

Xueqin Gao,Tao Shang,Da Li,Jianwei Liu

DOI: https://doi.org/10.1109/pst55820.2022.9851965

2022-01-01

Abstract:SCADA systems are one of the critical infrastructures and face many security threats. Attackers can control SCADA systems through network attacks, destroying the normal operation of the power system. It is important to conduct a risk assessment of security threats on SCADA systems. However, existing models for risk assessment using attack trees mainly focus on describing possible intrusions rather than the interaction between threats and defenses. In this paper, we comprehensively consider intrusion likelihood and defense capability and propose a quantitative risk assessment model of security threats based on attack countermeasure tree (ACT). Each leaf node in ACT contains two attributes: exploitable vulnerabilities and defense countermeasures. An attack scenario can be constructed by means of traversing the leaf nodes. We set up six indicators to evaluate the impact of security threats in attack scenarios according to NISTIR 7628 standard. Experimental results show the attack probability of security threats and high-risk attack scenarios in SCADA systems. We can improve defense countermeasures to protect against security threats corresponding to high-risk scenarios. In addition, the model can continually update risk assessments based on the implementation of the system’s defensive countermeasures.

Xiao Chun Yin,Zeng Guang Liu,Lewis Nkenyereye,Bruce Ndibanje

DOI: https://doi.org/10.3390/s19224952

2019-11-14

Abstract:We present an innovative approach for a Cybersecurity Solution based on the Intrusion Detection System to detect malicious activity targeting the Distributed Network Protocol (DNP3) layers in the Supervisory Control and Data Acquisition (SCADA) systems. As Information and Communication Technology is connected to the grid, it is subjected to both physical and cyber-attacks because of the interaction between industrial control systems and the outside Internet environment using IoT technology. Often, cyber-attacks lead to multiple risks that affect infrastructure and business continuity; furthermore, in some cases, human beings are also affected. Because of the traditional peculiarities of process systems, such as insecure real-time protocols, end-to-end general-purpose ICT security mechanisms are not able to fully secure communication in SCADA systems. In this paper, we present a novel method based on the DNP3 vulnerability assessment and attack model in different layers, with feature selection using Machine Learning from parsed DNP3 protocol with additional data including malware samples. Moreover, we developed a cyber-attack algorithm that included a classification and visualization process. Finally, the results of the experimental implementation show that our proposed Cybersecurity Solution based on IDS was able to detect attacks in real time in an IoT-based Smart Grid communication environment.

Hao Wang,Nathan Lau,Ryan M Gerdes

DOI: https://doi.org/10.1177/0018720818769250

Abstract:Objective: The aim of this study was to apply work domain analysis for cybersecurity assessment and design of supervisory control and data acquisition (SCADA) systems. Background: Adoption of information and communication technology in cyberphysical systems (CPSs) for critical infrastructures enables automated and distributed control but introduces cybersecurity risk. Many CPSs employ SCADA industrial control systems that have become the target of cyberattacks, which inflict physical damage without use of force. Given that absolute security is not feasible for complex systems, cyberintrusions that introduce unanticipated events will occur; a proper response will in turn require human adaptive ability. Therefore, analysis techniques that can support security assessment and human factors engineering are invaluable for defending CPSs. Method: We conducted work domain analysis using the abstraction hierarchy (AH) to model a generic SCADA implementation to identify the functional structures and means-ends relations. We then adopted a case study approach examining the Stuxnet cyberattack by developing and integrating AHs for the uranium enrichment process, SCADA implementation, and malware to investigate the interactions between the three aspects of cybersecurity in CPSs. Results: The AHs for modeling a generic SCADA implementation and studying the Stuxnet cyberattack are useful for mapping attack vectors, identifying deficiencies in security processes and features, and evaluating proposed security solutions with respect to system objectives. Conclusion: Work domain analysis is an effective analytical method for studying cybersecurity of CPSs for critical infrastructures in a psychologically relevant manner. Application: Work domain analysis should be applied to assess cybersecurity risk and inform engineering and user interface design.

Jinping Liu,Wuxia Zhang,Tianyu Ma,Zhaohui Tang,Yongfang Xie,Weihua Gui,Jean Paul Niyoyita

DOI: https://doi.org/10.1016/j.eswa.2020.113578

IF: 8.5

2020-11-01

Expert Systems with Applications

Abstract:<p>Industrial Cyber-physical systems (ICPSs), integrating communication, computation and control of industrial processes are referred to as a core technology to approach the <em>Industry 4.0</em>. Ensuring the ICPS security is of paramount importance in smart manufacturing. Considering the characteristics of large-scale, geographically-dispersed and multi-dimensional heterogeneous, federated and life-critical natures of ICPSs, this paper investigates a hierarchically distributed intrusion detection scheme that seeks to achieve the all-round safety protection of ICPSs according to the system structure and attacking types of each ICPS layer. For physical system-relevant perceptual executive layer, potential and covert attacks are detected by the clustered sensory system state residual anomaly monitoring based on a process noise and measurement noise-adaptive Kalman filter (PNMN-AKF). PNMN-AKF can perform a joint recursive estimation of dynamic system states, time-varying process and measurement noise covariance matrices by the variational Bayes approximation framework. In cyberspace, potential cyber-attacks are detected by the anomaly monitoring of the statistical distribution of the network transmission characteristics of data transmission layer by introducing a forgetting factor-induced recursive Gaussian mixture model (FF-RGMM). In the application control layer, a regularized sparse deep belief network model is introduced to characterize the misuse behavior for detecting potential attacks. Extensive validation and comparative experiments have been conducted on a numerical simulation system and a comprehensive ICPS simulation platform by using OPNET and a commonly-used benchmark simplified Tennessee Eastman process (STEP) based on Matlab/Simulink. Experimental results demonstrate that the proposed hierarchically distributed intrusion detection method can efficiently recognize potential and covert cyber-attacks in each ICPSs link with low false alarm rate and missing detection rate, which lays a foundation for the overall security monitoring of ICPSs.</p>

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Li Yang,Junlin Liu,Yun Zhang

DOI: https://doi.org/10.1142/S021800142059003X

IF: 1.261

2019-10-07

International Journal of Pattern Recognition and Artificial Intelligence

Abstract:Supervisory Control and Data Acquisition (SCADA) system in the modern industrial automation control network is facing an increasing number of serious security threats. In order to meet the security defense requirements of oil and gas SCADA system, an intelligent security defense model based on multi-agent was designed by analyzing the security risks in oil and gas SCADA system and combining the advantages of multi-agent technology in distributed intrusion detection system. First, the whole structure of this model was divided into three layers: monitoring layer, decision layer and control layer. Then, the defense model was verified by C4.5 decision tree algorithm, and obtained a good result. Finally, the security defense prototype system of large-scale oil and gas SCADA system based on this model was realized. Results demonstrate that the application of multi-agent technology in the security defense of oil and gas SCADA system can achieve more comprehensive defense, more accurate detection, which can handle large-scale distributed attacks and improve the robustness and stability of security defenses. This study makes full use of the multi-agent architecture and has the advantage of accurate detection, high detection efficiency and timely response.

computer science, artificial intelligence

N. Neha,S. Priyanga,Suresh Seshan,R. Senthilnathan,V. S. Shankar Sriram

DOI: https://doi.org/10.1007/978-981-15-0146-3_88

2020-01-01

Abstract:Supervisory control and data acquisition (SCADA) systems monitor and control the critical infrastructures (CI) such as power generation, smart grids, oil–gas pipelines, wastewater management, and nuclear power plant. Due to the drastic increase in cyber attacks, maintaining SCADA systems has become a complex task. Difficulty in securing the SCADA has gained the attention of researchers in designing a robust intrusion detection system (IDS). However, existing machine-learning and statistical approaches fail to detect the cyber physical attacks with high detection rate. This paper presents a sine-cosine optimization based recurrent neural network (SCO-RNN) to detect the cyber physical attacks against SCADA systems and the performance of the proposed SCO-RNN was validated using the Secure Water Treatment (SWaT) dataset in terms of accuracy and detection rate.

Nils Müller,Charalampos Ziras,Kai Heussen

DOI: https://doi.org/10.48550/arXiv.2202.09352

2022-02-18

Cryptography and Security

Abstract:The increasing interaction of industrial control systems (ICSs) with public networks and digital devices introduces new cyber threats to power systems and other critical infrastructure. Recent cyber-physical attacks such as Stuxnet and Irongate revealed unexpected ICS vulnerabilities and a need for improved security measures. Intrusion detection systems constitute a key security technology, which typically monitors cyber network data for detecting malicious activities. However, a central characteristic of modern ICSs is the increasing interdependency of physical and cyber network processes. Thus, the integration of network and physical process data is seen as a promising approach to improve predictability in real-time intrusion detection for ICSs by accounting for physical constraints and underlying process patterns. This work systematically assesses machine learning-based cyber-physical intrusion detection and multi-class classification through a comparison to its purely network data-based counterpart and evaluation of misclassifications and detection delay. Multiple supervised detection and classification pipelines are applied on a recent cyber-physical dataset, which describes various cyber attacks and physical faults on a generic ICS. A key finding is that the integration of physical process data improves detection and classification of all considered attack types. In addition, it enables simultaneous processing of attacks and faults, paving the way for holistic cross-domain root cause identification.

Moses Ike,Kandy Phan,Keaton Sadoski,Romuald Valme,Wenke Lee

DOI: https://doi.org/10.48550/arXiv.2211.14642

2022-11-27

Abstract:Modern Industrial Control Systems (ICS) attacks evade existing tools by using knowledge of ICS processes to blend their activities with benign Supervisory Control and Data Acquisition (SCADA) operation, causing physical world damages. We present SCAPHY to detect ICS attacks in SCADA by leveraging the unique execution phases of SCADA to identify the limited set of legitimate behaviors to control the physical world in different phases, which differentiates from attackers activities. For example, it is typical for SCADA to setup ICS device objects during initialization, but anomalous during processcontrol. To extract unique behaviors of SCADA execution phases, SCAPHY first leverages open ICS conventions to generate a novel physical process dependency and impact graph (PDIG) to identify disruptive physical states. SCAPHY then uses PDIG to inform a physical process-aware dynamic analysis, whereby code paths of SCADA process-control execution is induced to reveal API call behaviors unique to legitimate process-control phases. Using this established behavior, SCAPHY selectively monitors attackers physical world-targeted activities that violates legitimate processcontrol behaviors. We evaluated SCAPHY at a U.S. national lab ICS testbed environment. Using diverse ICS deployment scenarios and attacks across 4 ICS industries, SCAPHY achieved 95% accuracy & 3.5% false positives (FP), compared to 47.5% accuracy and 25% FP of existing work. We analyze SCAPHYs resilience to futuristic attacks where attacker knows our approach.

Cryptography and Security

Ali Alzahrani,Theyazn H. H. Aldhyani

DOI: https://doi.org/10.3390/su15108076

IF: 3.9

2023-05-17

Sustainability

Abstract:Online food security and industrial environments and sustainability-related industries are highly confidential and in urgent need for network traffic analysis to attain proper security information to avoid attacks from anywhere in the world. The integration of cutting-edge technology such as the Internet of things (IoT) has resulted in a gradual increase in the number of vulnerabilities that may be exploited in supervisory control and data acquisition (SCADA) systems. In this research, we present a network intrusion detection system for SCADA networks that is based on deep learning. The goal of this system is to defend ICSs against network-based assaults that are both conventional and SCADA-specific. An empirical evaluation of a number of classification techniques including k-nearest neighbors (KNN), linear discriminant analysis (LDA), random forest (RF), convolution neural network (CNN), and integrated gated recurrent unit (GRU) is reported in this paper. The suggested algorithms were tested on a genuine industrial control system (SCADA), which was known as the WUSTL-IIoT-2018 and WUSTL-IIoT-20121 datasets. SCADA system operators are now able to augment proposed machine learning and deep learning models with site-specific network attack traces as a result of our invention of a re-training method to handle previously unforeseen instances of network attacks. The empirical results, using realistic SCADA traffic datasets, show that the proposed machine learning and deep-learning-based approach is well-suited for network intrusion detection in SCADA systems, achieving high detection accuracy and providing the capability to handle newly emerging threats. The accuracy performance attained by the KNN and RF algorithms was superior and achieved a near-perfect score of 99.99%, whereas the CNN-GRU model scored an accuracy of 99.98% using WUSTL-IIoT-2018. The Rf and GRU algorithms achieved >99.75% using the WUSTL-IIoT-20121 dataset. In addition, a statistical analysis method was developed in order to anticipate the error that exists between the target values and the prediction values. According to the findings of the statistical analysis, the KNN, RF, and CNN-GRU approaches were successful in achieving an R2 > 99%. This was demonstrated by the fact that the approach was able to handle previously unknown threats in the industrial control systems (ICSs) environment.

environmental sciences,environmental studies,green & sustainable science & technology