Caiming Yang,Jianmin Zhang,Kangyi Li,Jiayu Zhang,Naizheng Jin,Xijian Wang

DOI: https://doi.org/10.1109/ispec48194.2019.8975306

2019-11-01

Abstract:When abormalities, including equipment failure and/or cyber attacks, occur in the substation, it is essential to specify their difference in performance, e.g., process layer of digital substation will encounter stochastic messages and burst messages in normal operation, abnormal traffic caused by equipment fault, or denial-of-service (DoS) attacks by virus intrusion. In this reason, a novel cyber physical fusion based abnormal traffic detection approach has been proposed, a difference-sequence-variance based abnormal message traffic detection method and flowchart is proposed, including a new substation traffic anomaly membership function and its parameter estimation method. The simulation verification of the T1-1 type substation network is done by OPNET, which prove that the random and burst GOOSE messages as well as DoS attacks in the layer can be identified by proposed method.

Hang Mou,Jianmin Zhang,Caiming Yang,Kangyi Li,Naizheng Jin,Ji Xu

DOI: https://doi.org/10.1109/powercon53785.2021.9697745

2021-01-01

Abstract:According to the characteristics of the relationship between trip messages and fault components in the smart substation, a method for detecting the legality of the action message in the process layer of the smart substation is presented. The logical relationship between the protection information, the tripping message and the fault components is described, and then a cyber-physical fusion-based detection method is developed. The method has been verified by field test to detect abnormality and cyber-physical attack for circuit breaker action messages.

Ruochen Zhou,Zhiyun Wang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9347104

2020-01-01

Abstract:Programmable logic controller (PLC) is one of the critical infrastructure in industrial control system, which is therefore vulnerable to a variety of cyber-attacks. To mitigate this issue, we design an anomaly detection system, a novel non-invasive intrusion detection method for PLC. Our system utilizes the magnetic side-channel information around the power supply module of PLC and analyzes the running status rely on the fact that different programs will result in various magnetic characteristic. We design a classification algorithm which can extract representational features from the raw signal, as well as avoid the interference of environmental noise. To validate the idea, we design 3 types of attacks and implement on the prototype of thermal power plant in laboratory. The evaluation shows our system is feasible to detect attacks and achieve an overall detection accuracy above 90%.

Ying Liu,Dongqin Feng

DOI: https://doi.org/10.1109/iccasit48058.2019.8973161

2019-01-01

Abstract:Computer network technology has been increasingly infiltrated into the industrial control system and made the security problems more complex and changeable. Network security situation awareness technology can perceive the real-time threats that the network faced, and provide reliable basis for decision-making. This paper mainly focuses on the situation assessment and introduces finite state machine and fuzzy logic theory. Finite state machine can intuitively show the internal state transition of the industrial control system and detect the malicious packet attack's type and severity. Fuzzy logic balances the semantic fuzziness and event uncertainty in the process of situation assessment, fuses the output data of the state machine and obtains the threat level which is helpful for decision analysis. Proved, the method proposed in this paper can give a reasonable and accurate security assessment of industrial control system.

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1109/tie.2020.2965467

IF: 7.7

2021-01-01

IEEE Transactions on Industrial Electronics

Abstract:The problem of attack detection for Stuxnet in the industrial control system is discussed in this article. Different operating modes (normal and hazard modes) may occur in the nominal process. In this article, we consider that the transition between different modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, the attack signals with random multitude and frequency will be injected to trigger more hazard modes, and finally, hasten fatigue of control devices. Under this unpredictable attack, the transition between operating modes will not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is utilized to describe the Stuxnet attack. The transition probabilities are estimated based on the measurements. By recognizing operating modes and predicting the number of the occurrence of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters considering random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method.

Yi Chen,Jianmin Zhang,Qiguo Han,Chuangxin Guo,Qianzhi Zhang

DOI: https://doi.org/10.1109/cyber.2017.8446593

2017-01-01

Abstract:The message flow modeling of a digital substation plays a decisive role to model the normal communication, from which its abnormal and cyber attack scenario could be identified. Based on a review of present message flow modeling method and application analysis, network calculus and path flow model is selected as the modeling method for study; a much more simple and clear modeling processes are worked from source port message characteristic vector definition, to physical network, message transmission path, message flow distribution, finally a clear calculation flowchart is achieved. Result of case study proved the correctness of present calculation method.

Lianquan Hou,Jianmin Zhang,Naizheng Jin,Ma Zhu,Yong Li

DOI: https://doi.org/10.1109/ccdc.2016.7531789

2016-01-01

Abstract:Cyber security is a major issue and a hard work for digital substation who uses Ethernet communication network and open IEC 61850 communication protocol. Based on message type and data stream analysis of digital substation communication, the cyber security threats faced by digital substation have been classified and analyzed at first; knowing the performance of a cyber-attack is the first step for latter attack detection and defense, for which simulation is a better choice; in this paper, the most malicious and harmful SYN-Flood attack has been taken as a simulation case by OPNET platform, and from which the performance of SYN-Flood attack has been observed and analyzed for further attack detection and defense.

Hang Mu,Jianmin Zhang,Ji Xu,Yutao Qiu,Kangyi Li,Naizheng Jin

DOI: https://doi.org/10.1109/ei259745.2023.10512623

2023-01-01

Abstract:The covert channel is a dangerous cyber-attack threat to industry control networks; however, it is a lack of specific research for the network environment of smart substations. Existing studies merely explore the theoretical existence of covert channels in substation networks without building and verifying. In this paper, the process layer network environment of substations has been analyzed and potential information hiding schemes are proposed for covert channels. Furthermore, a laboratory simulation environment is developed to verify the efficacy of transmitting covert information. Results demonstrate that these covert channels can successfully transmit data while remaining undetectable by existing network detection equipment.

Xiaoyu Jiang,Zhiqiang Ge

DOI: https://doi.org/10.1109/tai.2022.3145335

2022-01-01

IEEE Transactions on Artificial Intelligence

Abstract:With the rapid development of information technology, intelligent upgrading of the manufacturing industry has broken the closed environment of traditional industrial control systems (ICS); thus, the information security of ICS has been seriously threatened. As part of ICS, the process monitoring system (PMS) is heavily subject to external risks. Data-driven PMSs have been widely used as initial lines of defense to ensure ICS safety. Once the PMS is under attack, the consequences on the whole ICS will be unimaginable. Unfortunately, the safety issues of the PMS have received inadequate attention. This article reveals PMS’s vulnerabilities through effective attacks. A novel method called subspace transfer network (STN) is proposed to conduct adversarial and poisoning attacks on the PMS simultaneously. Then the attack task flow is defined and explained to make online adversarial attacks and data poisoning on PMS. Meanwhile, aiming at two poisoning goals, targeted and untargeted attacks of STN are designed, respectively. Finally, the PMS’s fragility is verified in two industrial benchmarks.

Yu-jun Xiao,Wen-yuan Xu,Zhen-hua Jia,Zhuo-ran Ma,Dong-lian Qi

DOI: https://doi.org/10.1631/fitee.1601540

2017-01-01

Abstract:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

Sungjin Kim,Wooyeon Jo,Hyunjin Kim,Seokmin Choi,Da-I Jung,Hyeonho Choi,Taeshik Shon

DOI: https://doi.org/10.3390/electronics13081520

IF: 2.9

2024-04-18

Electronics

Abstract:Several cases of Industrial Internet of Things (IIoT) attacks with zero-day vulnerabilities have been reported. To prevent these attacks, it is necessary to apply an abnormal behavior detection method; however, there are three main problems that make it hard. First, there are various industrial communication protocols. Instead of IT environments, many unstandardized protocols, which are usually defined by vendors, are used. Second, legacy devices are commonly used, not only EOS (End-of-service), but also EoL (End-of-Life). And last, the analysis of collected data is necessary for defining normal behavior. This behavior should be separately defined in each IIoT. Therefore, it is difficult to apply abnormal behavior detection in environments where economic and human investment is difficult. To solve these problems, we propose a deep learning based abnormal behavior detection technique that utilizes IIoT communication patterns. The proposed method uses a deep learning technique to train periodic data acquisition sequences, which is one of the common characteristics of IIoT. The trained model determined the sequence of packet is normal. The proposed technique can be applied without an additional analysis. The proposed method is expected to prevent security threats by proactively detecting cyberattacks. To verify the proposed method, a dataset was collected from the Korea Electric Power Control System. The model that defines normal behavior based on the application layer exhibits an accuracy of 79.6%. The other model, defining normal behavior based on the transport layer, has an accuracy of 80.9%. In these two models, most false positives and false negatives only occur when the abnormal packet is in a sequence.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jianxin Xu,Dongqin Feng

DOI: https://doi.org/10.1155/2017/2430835

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:This paper discusses two aspects of major risks related to the cyber security of an industrial control system (ICS), including the exploitation of the vulnerabilities of legitimate communication parties and the features abused by unauthorized parties. We propose a novel framework for exposing the above two types of risks. A state fusion finite state machine (SF-FSM) model is defined to describe multiple request-response packet pair sequence signatures of various applications using the same protocol. An inverted index of keywords in an industrial protocol is also proposed to accomplish fast state sequence matching. Then we put forward the concept of scenario reconstruction, using state sequence matching based on SF-FSM, to present the known vulnerabilities corresponding to applications of a specific type and version by identifying the packet interaction characteristics from the data flow in the supervisory control layer network. We also implement an anomaly detection approach to identifying illegal access using state sequence matching based on SF-FSM. An anomaly is asserted if none of the state sequence signatures in the SF-FSM is matched with a packet flow. Ultimately, an example based on industrial protocols is demonstrated by a prototype system to validate the methods of scenario reconstruction and anomaly detection.

Jianmin Zhang,Hang Mu,Ji Xu,Yutao Qiu,Kangyi Li,Naizheng Jin

DOI: https://doi.org/10.1109/ei259745.2023.10512919

2023-01-01

Abstract:IEC 61850 provides an excellent physical-cyber-logic model for substation networked automation, to describe the data and logic relationships between atomic elements of physical power system as well as communication network and automation system. As a fact, cyber-attack and corresponding cyber security protection belong to information and communication technology whose behaviors are all automated, and targeting substation networked automation. Therefore, unified modeling of physical-cyber-logic-attack-protection for digital substation becomes necessary and possible. The existing cyber security protection system does not model functions according to 61850 logical nodes and logical devices, and IEC 61850 does not model function-based logical nodes for cyber security protection and attack behavior, which makes the security system not transparent. In this paper, the basic functions of cyber-attack and corresponding cyber security protection are decomposed into atomic scale, which are modeled as logical nodes to establish a unified 61850 logic space model for digital substations in the future.

Jianmin Zhang,Yi Chen,Naizheng Jin,Lianquan Hou,Qianzhi Zhang

DOI: https://doi.org/10.1109/pesgm.2017.8274254

2017-01-01

Abstract:Due to DoS (Denial of Service) as the most serious cyber attack for digital substation, a modeling of data flow with different properties as periodic, random, sudden response is firstly introduced, followed by a simulation modeling of DoS attack based on the SYN-Flood principle; the module design and simulation implementation scheme based on OPNET platform has been proposed in detail. The simulation scenario is selected as the star network where the station layer server is under the SYN_flood attack, and the case studies are made for wide-band of 10BaseT and 100BaseT data link. The simulation results give the performances of the station layer server before and after SYN_flood attack, and the attack consequences are long stay at a high CPU utilization, time delay increasing of TCP connection, and the increasing of link throughput to exhaust the link band, etc., in which the attempts of DoS are exposed to make the station layer server disable to response the normal business request, i.e., to deny the service.

Qianli Zhang,Xing Li

1999-01-01

Abstract:In order to present large-scale malicious attacks on an ISP network to maintain network services, we have designed a method to record key packets classified by sessions. Session is the service provided above the IP layer. We define a TCP connection a session, a UDP packet exchange a session, or echo and echo response of ICMP to be a session. The research of network attack/intrusion/information collection has shown that most of the illegal action performed would have something special ongoing in such sessions. For example, winnuke will send OOB packets to the 139 port of a host; most of the platform detection will use strange packets too. Not only the strange packets itself, but the sequence of such packets going through the network indicate the attack. For example, teardrop will transmit packets that have abnormal fragment offset in the second packet, then cause some platform to crash. Some patterns of sessions will be created by flood based attack/information collection. For example, the SYN flood will create a pile SYN-SYN ACK-RST packets in the network, and most of scan tools will create several kind of patterns in the network, all of these patterns indicate the failure of the connection, these include SYN-SYN ACK-RST and SYN-RST and SYNICMP Unreachable message. Based on this thought, we have designed the session-state transition analysis. We will define some packets as the indication of the session state. The happening of such packets causes the change of the session state. When comparing with the predefined rules, we will detect most of the DOS attacks. Another approach is to store these session states transition patterns into a database; thus we can calculate the happening rates of some specific patterns. Compared with the average level, abnormal high happening rates often indicate the possible attack or information collection. For example, we can collect a site’s all sessions' SYN-SYN ACK-RST pattern to decide whether a normal scan had happened. The implementation includes four parts. The first is the data collection part, which collects and unwraps packets passing through the network; the second part is the signature matching part, which will match the packet signature, to filter only the specified packets; the third part will cluster such pa ckets into sessions, and store the session specific signature chain and check whether a rule based match is satisfied; the fourth part will flush the session data into a database, and check whether a statistical based anomaly has happened. Using such kind of techniques has several basic advantages. The first is not to violate privacy, since we are interested in only packet header to know whether a state has changed, to inspect header only also make this implementation efficient and fit for a large scale network. The other advantage is to avoid the headache to set the threshold of a statistical approach. Most scan detection tools (For example, gabriel) will calculate the burst of connections. New scan technique has appeared to avoid burst of connections, for example, slow scan and stealthy scan. Set a proper threshold is much more difficult for a large-scale network. For rule based analysis, since we use the state transition to detect intrusion, we could predict the happening of some attacks in a premature stage. The future approach includes the content analysis based IDS, especially the remote buffer overflow detection. This part of research is underway.

Amit Kleinmann,Ori Amichay,Avishai Wool,David Tenenbaum,Ofer Bar,Leonid Lev

DOI: https://doi.org/10.48550/arXiv.1706.09303

2017-06-28

Abstract:SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta--data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system--wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.

Cryptography and Security

Bin Wang,Jianye Zhang,Cheng Luo,Ling Yang,Jia Chen,Haibo Ma

DOI: https://doi.org/10.1109/itoec53115.2022.9734439

2022-03-04

Abstract:With the continuous and in-depth development of smart grid construction, the degree of automation of the power system is rapidly increasing, and the number of grid sensors, the scale of information network and the number of decision-making units have greatly increased. The network security of the power industry control system is facing severe challenges. This paper studies the in-depth analysis technology of real-time interactive protocols of power industrial control systems, captures data packets and analyzes the data packets layer by layer to obtain application layer field data streams, and realizes in-depth analysis of power industrial control system protocols such as IEC104 protocol and IEC61850 protocol. Research on anomaly detection technology of power industrial control system real-time interaction process based on feature matching, and realize the detection of abnormal behaviors of terminals, networks, and host devices through syntactic and semantic analysis and business command analysis, as well as the detection of regular network attack behaviors such as malicious code and virus Trojan horses.

Suman Sourav,Partha P. Biswas,Vyshnavi Mohanraj,Binbin Chen,Daisuke Mashima

DOI: https://doi.org/10.48550/arXiv.2302.05949

2023-02-12

Cryptography and Security

Abstract:Electrical substations are becoming more prone to cyber-attacks due to increasing digitalization. Prevailing defense measures based on cyber rules are often inadequate to detect attacks that use legitimate-looking measurements. In this work, we design and implement a bad data detection solution for electrical substations called ResiGate, that effectively combines a physics-based approach and a machine-learning-based approach to provide substantial speed-up in high-throughput substation communication scenarios, while still maintaining high detection accuracy and confidence. While many existing physics-based schemes are designed for deployment in control centers (due to their high computational requirement), ResiGate is designed as a security appliance that can be deployed on low-cost industrial computers at the edge of the smart grid so that it can detect local substation-level attacks in a timely manner. A key challenge for this is to continuously run the computationally demanding physics-based analysis to monitor the measurement data frequently transmitted in a typical substation. To provide high throughput without sacrificing accuracy, ResiGate uses machine learning to effectively filter out most of the non-suspicious (normal) data and thereby reducing the overall computational load, allowing efficient performance even with a high volume of network traffic. We implement ResiGate on a low-cost industrial computer and our experiments confirm that ResiGate can detect attacks with zero error while sustaining a high throughput.

Xuelei Wang,Colin Fidge,Ghavameddin Nourbakhsh,Ernest Foo,Zahra Jadidi,Calvin Li

DOI: https://doi.org/10.1109/access.2022.3142022

IF: 3.9

2022-01-01

IEEE Access

Abstract:In recent decades, cyber security issues in IEC 61850-compliant substation automation systems (SASs) have become growing concerns. Many researchers have developed various strategies to detect malicious behaviours of SASs during the system operational stage, such as anomaly-based detection. However, most existing anomaly-based detection methods identify an abnormal behaviour by checking every single network packet without any association. These traditional methods cannot effectively detect “stealthy” attacks which modify legitimate messages slightly while imitating patterns of benign behaviours. In this paper, we present feature selection and extraction methods to generalise and summarise critical features when detecting insider attacks triggering from untrusted control devices within SASs. By applying a sliding window-based sequential classification mechanism, our detection method can detect anomalies across multiple devices without the need to learn datasets collected from all devices. Firstly, to generalise critical features and summarise systems’ behaviours so that it is unnecessary to collect all datasets, we selected and extracted six critical network features from generic object-oriented substation events (GOOSE) messages and seven summarised physical features based on the general architecture of the primary plant of distribution substations. After that, to improve detection accuracy and reduce computational costs, we applied sliding window algorithms to divide datasets into different overlapped window-based snippets. Then we applied a sequential classification model based on Bidirectional Long Short-Term Memory networks to train and test those datasets. As a result, our method can detect insider attacks across multiple devices accurately with a false-negative rate of less than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic