Xianjing Li,Dongqin Feng

DOI: https://doi.org/10.1109/iciscae48440.2019.221645

2019-01-01

Abstract:Currently, the industrial control systems (ICS) have faced many changeable and complexed attacks. Apart from normal attack, there are also many variations, which put ICS into a huge hidden danger. Under this circumstance, the traditional detection techniques cannot identify the special variation types of attacks, effectively, comprehensively nor accurately. Therefore, a detection method named principal component analysis (PCA) with cosine similarity and support vector machine (SVM) is proposed. Moreover, the method is applied to detect the square wave attack in ICS. The detection method is executed as follows. Firstly, the raw signals are classified, by selecting proper length. Secondly, PCA method are used to reduce the dimension. Based on the first normal signal, the cosine similarity coefficients between the first normal part and the rest are calculated. Hence, the attack-feature vectors are composed by similarity coefficients. Next, data after that is selected to serve as the SVM training sample, replenishing the attack features. As for simulation, the cascade control loop of a typical industrial control system is chosen. The results show that the method can detect the signals, timely and accurately, no matter periodic square wave attack or aperiodic. For system, the proposed method and model can judge the security state of ICS. Above all, this method provides accurate decision-making suggestions to security management personnel.

Wenting Wang,Dongqin Feng,Mingliang Chen,Shuxian Yang

DOI: https://doi.org/10.1109/ccdc62350.2024.10588015

2024-01-01

Abstract:This work investigates the problem of detecting and localizing attacks on a class of power cyber-physical systems (CPSs) in the presence of dynamic load alteration attacks (D-LAA). The power CPS is modeled as a discrete-time system with an unknown input, assuming that the sampling process is periodic and the D-LAA is bounded. This study delves into the investigation of attack detection and localization within a specific category of power cyber-physical systems (CPSs) when dealing with dynamic load alteration attacks (D-LAA). A novel Maximum Correntropy Robust Two-Stage Kalman Filter (MCRTSKF) is proposed so that the accurate state estimation for power CPS is achieved in spite of anomalous noise. Meanwhile, some essential parameters for the designed filter are obtained through the fixed-point iteration-stop parameter selection method. Furthermore, based on the state estimate value, the attack detection and localization procedure is presented. Finally, the validity and effectiveness of the proposed attack detection and localization schemes are illustrated by case studies on an IEEE 9-bus system.

A. Abu Nassar,W.G. Morsi

DOI: https://doi.org/10.1016/j.epsr.2024.110157

IF: 3.818

2024-04-01

Electric Power Systems Research

Abstract:Smart Digital Substations use communication networks to exchange the information among its components to perform monitoring and control, which makes such components prone to cyber-security threats. The presence of power quality disturbances may add complexity to the problem of detecting such cyberattacks as some of these power quality disturbances behave in a similar manner to some attacks. In this paper, a novel approach that detects cyberattacks from power quality disturbances and normal operation is developed. The proposed approach uses only three out of the twenty-nine features to detect such cyberattacks. The proposed approach uses the continuous wavelet transform to represent such features in the time-frequency scalograms, which are then fed to a convolution neural network for detecting cyber-attacks and power disturbances in IEC-61850 substation systems. The proposed approach has been tested on three datasets from substation test systems as well as in real-time using OPAL-RT. The results have shown that the proposed approach was effective in detecting the cyberattacks from power disturbance and normal operation with a detection accuracy of 100% in simulation environment and 99.45% in real-time using OPAL-RT.

engineering, electrical & electronic

Xuelei Wang,Colin Fidge,Ghavameddin Nourbakhsh,Ernest Foo,Zahra Jadidi,Calvin Li

DOI: https://doi.org/10.1109/access.2022.3142022

IF: 3.9

2022-01-01

IEEE Access

Abstract:In recent decades, cyber security issues in IEC 61850-compliant substation automation systems (SASs) have become growing concerns. Many researchers have developed various strategies to detect malicious behaviours of SASs during the system operational stage, such as anomaly-based detection. However, most existing anomaly-based detection methods identify an abnormal behaviour by checking every single network packet without any association. These traditional methods cannot effectively detect “stealthy” attacks which modify legitimate messages slightly while imitating patterns of benign behaviours. In this paper, we present feature selection and extraction methods to generalise and summarise critical features when detecting insider attacks triggering from untrusted control devices within SASs. By applying a sliding window-based sequential classification mechanism, our detection method can detect anomalies across multiple devices without the need to learn datasets collected from all devices. Firstly, to generalise critical features and summarise systems’ behaviours so that it is unnecessary to collect all datasets, we selected and extracted six critical network features from generic object-oriented substation events (GOOSE) messages and seven summarised physical features based on the general architecture of the primary plant of distribution substations. After that, to improve detection accuracy and reduce computational costs, we applied sliding window algorithms to divide datasets into different overlapped window-based snippets. Then we applied a sequential classification model based on Bidirectional Long Short-Term Memory networks to train and test those datasets. As a result, our method can detect insider attacks across multiple devices accurately with a false-negative rate of less than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Da-long LIU,Dong-qin FENG

DOI: https://doi.org/10.3785/j.issn.1008-973X.2018.09.014

2018-01-01

Abstract:As industrial control system is threatened by sinusoidal attack, the mathematical model was established using a typical loop of the control system; the Fourier transform and wavelet analysis was used to analyze its different characteristics in the aspect of attack ability and concealment. Then, an algorithm was developed against sinusoidal attack using multi-scale principal component analysis (MSPCA) with online implementation. Simulation of sinusoidal attack on Tenessee Eastman (TE) process show that sinusoidal attack not only causes physical damage, but also conceals the damage. When the frequency of sinusoidal attack is higher, the attack can not be detected by the traditional principal component analysis (PCA) method, meanwhile, our method can detect the attack quickly and accurately.

Yanru Chen,Shijia Liu,Zilin Wang,Dizhi Wu,Yang Li,Bin Xing,Bing Guo,Liangyin Chen

DOI: https://doi.org/10.1109/jiot.2023.3286433

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Unlike conventional IT systems, industrial control systems (ICS) requires tailored attack detection methods due to its unique communication protocols. Existing attack detection methods lack the ability to consider both detection accuracy and time performance, particularly for highly stealthy fake data injection attacks (FDIA). To address these challenges, this work proposes an online parallel attack detection method for ICS based on multi-bandpass filter. By building multiple adaptive filters based on energy equilibrium and time-frequency domain data transformation, we implement multi-frequency band data segmentation. Hierarchical temporal memory (HTM) models are employed to parallelly fit the segmented data and detect anomalies. Simulation experiments demonstrate that our method outperforms the state-of-the-art Numenta method, achieving a 9% higher detection accuracy while reducing detection time to just 1/14 of Numenta’s. These results highlight the significant advantages of our method in striking a balance between detection accuracy and time performance. Our proposed method fills the gap in ICS attack detection and offers substantial improvements over existing techniques.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haitham Mahmoud,Wenyan Wu,Mohamed Medhat Gaber

DOI: https://doi.org/10.3390/en15030914

IF: 3.2

2022-01-27

Energies

Abstract:Water Distribution System (WDS) threats have significantly grown following the Maroochy shire incident, as evidenced by proofed attacks on water premises. As a result, in addition to traditional solutions (e.g., data encryption and authentication), attack detection is being proposed in WDS to reduce disruption cases. The attack detection system must meet two critical requirements: high accuracy and near real-time detection. This drives us to propose a two-stage detection system that uses self-supervised and unsupervised algorithms to detect Cyber-Physical (CP) attacks. Stage 1 uses heuristic adaptive self-supervised algorithms to achieve near real-time decision-making and detection sensitivity of 66% utilizing Boss. Stage 2 attempts to validate the detection of attacks using an unsupervised algorithm to maintain a detection accuracy of 94% utilizing Isolation Forest. Both stages are examined against time granularity and are empirically analyzed against a variety of performance evaluation indicators. Our findings demonstrate that the algorithms in stage 1 are less favored than those in the literature, but their existence enables near real-time decision-making and detection reliability. In stage 2, the isolation Forest algorithm, in contrast, gives excellent accuracy. As a result, both stages can collaborate to maximize accuracy in a near real-time attack detection system.

energy & fuels

Kuo Zhang,Zheng-Guang Wu

DOI: https://doi.org/10.1109/iccss53909.2021.9722027

2021-01-01

Abstract:False data injection attack(FDIA) is a traditional attack for the smart grid. There are many methods for the detection of the FDIA, but few of them can send the attack alarm successfully without an attack model. In this paper, we propose a reinforcement learning-based FDIA detection method for the distributed smart grid. The detection problem is formulated as a partially observable Markov decision process(POMDP) problem, and the observation of the POMDP can be obtained from the estimation of state and attack which come from the Kalman filter. By using the Sarsa algorithm, we can get a Q-table through online training. Finally, we use the IEEE-118 bus power system to evaluate the performance of our detector, and numerical results show the accurate response for the FDIA.

Mazen Azzam,Liliana Pasquale,Gregory Provan,Bashar Nuseibeh

DOI: https://doi.org/10.48550/arXiv.2106.02378

2021-06-04

Abstract:Attacks on Industrial Control Systems (ICS) can lead to significant physical damage. While offline safety and security assessments can provide insight into vulnerable system components, they may not account for stealthy attacks designed to evade anomaly detectors during long operational transients. In this paper, we propose a predictive online monitoring approach to check the safety of the system under potential stealthy attacks. Specifically, we adapt previous results in reachability analysis for attack impact assessment to provide an efficient algorithm for online safety monitoring for Linear Time-Invariant (LTI) systems. The proposed approach relies on an offline computation of symbolic reachable sets in terms of the estimated physical state of the system. These sets are then instantiated online, and safety checks are performed by leveraging ideas from ellipsoidal calculus. We illustrate and evaluate our approach using the Tennessee-Eastman process. We also compare our approach with the baseline monitoring approaches proposed in previous work and assess its efficiency and scalability. Our evaluation results demonstrate that our approach can predict in a timely manner if a false data injection attack will be able to cause damage, while remaining undetected. Thus, our approach can be used to provide operators with real-time early warnings about stealthy attacks.

Cryptography and Security,Systems and Control

Mohammed Masum Siraj Khan,Jairo A. Giraldo,Masood Parvania

DOI: https://doi.org/10.1109/tsg.2021.3128034

IF: 10.275

2022-03-01

IEEE Transactions on Smart Grid

Abstract:This paper develops a novel intrusion detection system for power distribution systems that utilizes a cyber-physical real-time reference model to accurately replicate the complex behavior of power distribution components for attack detection. The proposed intrusion detection system analyzes the consistency of the physical data from sensor readings and control commands in contrast with their digital counterpart obtained from the real-time reference model. Therefore, a residual-based online attack detection mechanism that utilizes the chi-square test is able to determine the presence of malicious data. The proposed mechanism is implemented on a hardware-in-the-loop simulation testbed on a test power distribution system with distributed energy resources and energy storage systems. The results show that the proposed solution is able to quickly detect multiple types of cyber attacks for different levels of accuracy of the real-time reference model. The simulations illustrate that the proposed approach outperforms conventional attack detection mechanisms such as one-class classifiers and residual-based approaches that utilize Kalman filters or neural networks.

engineering, electrical & electronic

Andrea Pinto,Luis-Carlos Herrera,Yezid Donoso,Jairo A. Gutierrez

DOI: https://doi.org/10.1007/s44196-024-00644-z

IF: 2.259

2024-09-11

International Journal of Computational Intelligence Systems

Abstract:Traditional security detection methods face challenges in identifying zero-day attacks in critical infrastructures (CIs) integrated with the industrial internet of things (IIoT). These attacks exploit unknown vulnerabilities and are difficult to detect due to their connection to physical systems. The integration of legacy ICS networks with modern computing and networking technologies has significantly expanded the attack surface, making these systems more susceptible to cyber-attacks. Despite existing security measures, attackers continually find ways to breach these operating networks. Anomaly detection systems are critical in protecting these CIs from current cyber threats. This study investigates the effectiveness of unsupervised anomaly detection models in detecting operational anomalies that could lead to cyber-attacks, thereby disrupting and negatively impacting quality of life. We preprocess the data with a focus on cybersecurity and chose the SWAT dataset because it accurately represents the types of attack vectors that critical infrastructures commonly encounter. We evaluated the performance of isolation forest (IF), local outlier factor (LOF), one-class SVM (OCSVM), and Autoencoder algorithms—trained exclusively on normal data—in enhancing cybersecurity within IIoT environments. Our comprehensive analysis includes an assessment of each model's detection capabilities. The findings highlight the VAE-LSTM model's potential to identify cyber-attacks within seconds in a high-frequency dataset, suggesting near real-time detection capability. The final model combines the reconstruction ability of the variational autoencoder (VAE) with regularization using the Kullback–Leibler divergence, reflecting the non-Gaussian nature of industrial system data. Our model successfully detected 23 out of 26 attack scenarios in the SWAT dataset, demonstrating its effectiveness in improving the security of IIoT-based CIs.

computer science, artificial intelligence, interdisciplinary applications

Irina Lukicheva,David Pozo,Alexander Kulikov

DOI: https://doi.org/10.48550/arXiv.1806.10812

2018-07-16

Abstract:Electric power grids are evolving towards intellectualization such as Smart Grids or active-adaptive networks. Intelligent power network implies usage of sensors, smart meters, electronic devices and sophisticated communication network. This leads to a strong dependence on information and communication networking that are prone to threats of cyberattacks, which challenges power system reliability and efficiency. Thus, significant attention should be paid to the Smart Grids security. Recently, it has been proven that False Data Injection Attacks (FDIA) could corrupt results of State Estimation (SE) without noticing, therefore, leading to a possible mis-operation of the whole power system. In this paper, we introduce an algorithm for detecting cyberattacks based on non-linear filtering by using cyber-physical information from Kirchhoff laws. The proposed algorithm only needs data from adjacent nodes, therefore can be locally and distributed implemented. Also, it requires very low computational effort so that it can be run online, and it is suitable for implementation in existing or new ad-hoc low-cost devices. The proposed algorithm could be helpful to increase power system awareness against FDIA complementing the current SE implementations. The efficiency of the proposed algorithm has been proved by mathematical simulations and computer modeling in PSCAD software. Our results show that the proposed methodology can detect cyberattacks to the SE in 99.9% of the cases with very little false alarms on the identification of spoiled measurements (4.6%).

Cryptography and Security,Optimization and Control,Applications

Amit Kleinmann,Ori Amichay,Avishai Wool,David Tenenbaum,Ofer Bar,Leonid Lev

DOI: https://doi.org/10.48550/arXiv.1706.09303

2017-06-28

Abstract:SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta--data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system--wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.

Cryptography and Security

Hussam Tarazi,Sara Sutton,John Olinjyk,Benjamin Bond,Julian Rrushi

DOI: https://doi.org/10.1016/j.ijcip.2024.100660

IF: 3.683

2024-01-20

International Journal of Critical Infrastructure Protection

Abstract:The security of cyber–physical systems (CPS) presents new challenges stemming from computations that work primarily with live physics data. Although there is a body of previous research on detection of malware on CPS, more effective designs are needed to address limitations such mimicry attacks and other forms of evasive techniques. Relay algorithms in particular, such as differential and harmonic protection algorithms, are essential to protecting physical equipment such as power transformers from faults. Relay algorithms, though, are often disabled, altered, or otherwise suppressed by malware. In this paper, we first provide background on the main types of failures that may occur in an electrical power substation after relay algorithms are disabled by malware. We also provide some initial insights into malware methods that involve physics-informed data manipulations, which in turn may lead to power outages and physical damage to power transformers. We then describe the design of a watchdog algorithm that is continuously on the look out for anomalies in the execution time of relay algorithms along with their associated performance counters. We implemented the watchdog approach in Python, and evaluated it empirically on emulations of differential and harmonic protection algorithms on a computing machine.

engineering, multidisciplinary,computer science, information systems

Mariam Elnour,Mohammad Noorizadeh,Mohammad Shakerpour,Nader Meskin,Khaled Khan,Raj Jain

DOI: https://doi.org/10.1109/access.2023.3303015

IF: 3.9

2023-08-22

IEEE Access

Abstract:In light of the advancement of the technologies used in industrial control systems, securing their operation has become crucial, primarily since their activity is consistently associated with integral elements related to the environment, the safety and health of people, the economy, and many others. This work presents a distributed, machine learning based attack detection and mitigation framework for sensor false data injection cyber-physical attacks in industrial control systems. It is developed using the system's standard operational data and validated using a hybrid testbed of a reverse osmosis plant. A MATLAB/Simulink-based simulation model of the process validated with actual data from a local plant is used. The control system is implemented using Siemens S7-1200 programmable logic controllers with 200SP Distributed Input/Output modules. The proposed solution can be adopted in the existing industrial control systems and demonstrated effective performance in real-time detection and mitigation of actual cyber-physical attacks launched by compromising the communication links between the process and the programmable logic controllers.

computer science, information systems,telecommunications,engineering, electrical & electronic

N. Neha,S. Priyanga,Suresh Seshan,R. Senthilnathan,V. S. Shankar Sriram

DOI: https://doi.org/10.1007/978-981-15-0146-3_88

2020-01-01

Abstract:Supervisory control and data acquisition (SCADA) systems monitor and control the critical infrastructures (CI) such as power generation, smart grids, oil–gas pipelines, wastewater management, and nuclear power plant. Due to the drastic increase in cyber attacks, maintaining SCADA systems has become a complex task. Difficulty in securing the SCADA has gained the attention of researchers in designing a robust intrusion detection system (IDS). However, existing machine-learning and statistical approaches fail to detect the cyber physical attacks with high detection rate. This paper presents a sine-cosine optimization based recurrent neural network (SCO-RNN) to detect the cyber physical attacks against SCADA systems and the performance of the proposed SCO-RNN was validated using the Secure Water Treatment (SWaT) dataset in terms of accuracy and detection rate.

Wei Qiu,Chengcheng Li,Qiu Tang,Kaiqi Sun,Yilu Liu,Wenxuan Yao

DOI: https://doi.org/10.17775/cseejpes.2021.02780

IF: 6.014

2022-01-01

CSEE Journal of Power and Energy Systems

Abstract:Synchrophasor measurements are essential to real-time situational awareness of the smart grid but vulnerable to cyber-attacks during the process of transmission and invocation. To ensure data security and mitigate the impact of spoofed synchrophasor measurements, this work proposes a novel object detection method using a Weight-based One-dimensional Convolutional Segmentation Network (WOCSN) with the ability of attack behavior identification and time localization. In WOCSN, automatic data feature extraction can be achieved by one-dimensional convolution from the input signal, thereby reducing the impact of handcrafted features. A weight loss function is designed to distribute the contribution for normal and attack signals. Then, attack time is located via the proposed binary method based on pixel segmentation. Furthermore, the actual synchrophasor data collected from four locations are used for the performance evaluation of the WOCSN. Finally, combined with designed evaluation metrics, the time localization ability of WOCSN is validated in the scenarios of composite attacks with different spoofed intensities and time-sensitivities.

energy & fuels,engineering, electrical & electronic

Nikolaus Dräger,Yonghao Xu,Pedram Ghamisi

DOI: https://doi.org/10.1109/tgrs.2023.3289307

IF: 8.2

2023-07-07

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Recent years have witnessed the great success of deep learning algorithms in the geoscience and remote sensing (RS) realm. Nevertheless, the security and robustness of deep learning models deserve special attention when addressing safety-critical RS tasks. In this article, we provide a systematic analysis of backdoor attacks for RS data, where both scene classification and semantic segmentation tasks are considered. While most of the existing backdoor attack algorithms rely on visible triggers such as squared patches with well-designed patterns, we propose a novel wavelet transform-based attack (WABA) method, which can achieve invisible attacks by injecting the trigger image into the poisoned image in the low-frequency domain. In this way, the high-frequency information in the trigger image can be filtered out in the attack, resulting in stealthy data poisoning. Despite its simplicity, the proposed method can significantly cheat the current state-of-the-art deep learning models with a high attack success rate. We further analyze how different trigger images and the hyperparameters in the wavelet transform would influence the performance of the proposed method. Extensive experiments on four benchmark RS datasets demonstrate the effectiveness of the proposed method for both scene classification and semantic segmentation tasks and thus highlight the importance of designing advanced backdoor defense algorithms to address this threat in RS scenarios. The code will be available online at https://github.com/ndraeger/waba.

imaging science & photographic technology,remote sensing,engineering, electrical & electronic,geochemistry & geophysics

Prashanth Krishnamurthy,Ali Rasteh,Ramesh Karri,Farshad Khorrami

2024-06-18

Abstract:Increased connectivity and remote reprogrammability/reconfigurability features of embedded devices in current-day power systems (including interconnections between information technology -- IT -- and operational technology -- OT -- networks) enable greater agility, reduced operator workload, and enhanced power system performance and capabilities. However, these features also expose a wider cyber-attack surface, underscoring need for robust real-time monitoring and anomaly detection in power systems, and more generally in Cyber-Physical Systems (CPS). The increasingly complex, diverse, and potentially untrustworthy software and hardware supply chains also make need for robust security tools more stringent. We propose a novel framework for real-time monitoring and anomaly detection in CPS, specifically smart grid substations and SCADA systems. The proposed method enables real-time signal temporal logic condition-based anomaly monitoring by processing raw captured packets from the communication network through a hierarchical semantic extraction and tag processing pipeline into time series of semantic events and observations, that are then evaluated against expected temporal properties to detect and localize anomalies. We demonstrate efficacy of our methodology on a hardware in the loop testbed, including multiple physical power equipment (real-time automation controllers and relays) and simulated devices (Phasor Measurement Units -- PMUs, relays, Phasor Data Concentrators -- PDCs), interfaced to a dynamic power system simulator. The performance and accuracy of the proposed system is evaluated on multiple attack scenarios on our testbed.

Systems and Control