ExtHT: A hybrid tracing method for cyber-attacks in power industrial control systems

Yang-Rong Chen, Yu Wang, Gui-Rong Huang, Jun-E Li
DOI: https://doi.org/10.1016/j.isatra.2022.10.024
IF: 7.3
2022-10-31
ISA Transactions
Highlights

• An extended hybrid tracing (ExtHT) method for cyber-attacks in power industrial control systems (PICS) is proposed for the first time.
• ExtHT extends the devices involved in tracing from routers to all the transmission devices working at the data link layer and upper layers, to achieve more fine-grained attack tracing.
• ExtHT can trace not only cyber-attacks carried out by application layer messages that use the TCP/IP protocol, but also cyber-attacks carried out by application layer messages that do not use TCP/IP, such as GOOSE messages and SV messages.
• To reduce the storage overhead on transmission devices, a log database optimization scheme is presented. This scheme reduces the probability of erroneous tracing under replay attacks and improves the efficiency of attack source traceback.
• A cyber-attack source tracing system and its deployment architecture for PICS are designed to illustrate the application of ExtHT in practice.
• Two cyber-attack scenarios (i.e., an IEC 104 malformed message attack and a GOOSE malformed message attack) against PICS are constructed to verify the feasibility of ExtHT. Malformed message attacks have not been mentioned in the existing research, and such attacks need to be considered when studying intrusion detection algorithms for PICS.

Abstract

Tracing the sources of cyber-attacks in Power Industrial Control Systems (PICS) can help defense systems block the attacks and support decisions on grid control policies. However, there has been no work on cyber-attack source traceback for PICS, and the methods developed for the Internet are not suitable for PICS in terms of granularity, real-time performance, and supported communication protocols. Therefore, a method for tracing cyber-attacks in PICS is proposed. First, the communication network architecture of PICS and the cyber security threats to PICS are analyzed. Then, an extended hybrid tracing method (ExtHT) based on packet marking and packet logging is proposed. This method involves all the devices working at the data link layer and upper layers, to achieve more fine-grained attack tracing. At the same time, taking the cost of attack tracing into consideration, a coarse-grained tracing mode is presented to improve tracing speed. In addition, a log database optimization scheme is provided to reduce storage costs. To facilitate the application of this method in practice, a cyber-attack source tracing system and its deployment architecture are designed for PICS. Further, the applicability and limitations of ExtHT are analyzed, theoretical reasoning is given to justify ExtHT, and its performance is compared with that of existing mainstream methods. Finally, two cyber-attack scenarios against PICS are constructed and the feasibility of ExtHT is verified on them.
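The abstract describes ExtHT only at a high level: transmission devices at the data link layer and above both mark passing messages and log a digest of them, a coarse-grained mode lets some devices skip marking, and the log database is trimmed so that replayed copies of the same message do not confuse the traceback. The following Python simulation is an added illustration written for this page; it is not the paper's ExtHT algorithm, and the device names, topology, timestamps, retention window and the sample message bytes are all constructed for the demonstration. It shows why logging a content digest alone is not enough once the same message is replayed from a different port, and how bounding the log lookup by time (and pruning old entries) resolves that ambiguity at the cost of losing the ability to trace older messages.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Message:
    """Constructed application-layer message (think IEC 104 APDU or GOOSE frame)."""
    src: str                       # claimed sender (IP for IEC 104, MAC for GOOSE)
    dst: str
    payload: bytes
    marks: list = field(default_factory=list)   # packet-marking field filled in by devices

    def digest(self) -> str:
        # Hash only the fields that stay constant hop by hop, so every device logs the same key.
        return hashlib.sha256(f"{self.src}|{self.dst}|".encode() + self.payload).hexdigest()[:16]


class Device:
    """A switch or router that marks and logs messages it forwards (hypothetical model)."""

    def __init__(self, name: str, fine_grained: bool = True):
        self.name = name
        self.fine_grained = fine_grained   # False = coarse-grained mode: log but do not mark
        self.log = {}                      # digest -> list of (time_seen, upstream_neighbour)

    def forward(self, msg: Message, upstream: str, now: float) -> Message:
        if self.fine_grained:
            msg.marks.append(self.name)
        self.log.setdefault(msg.digest(), []).append((now, upstream))
        return msg

    def prune(self, now: float, retention: float) -> int:
        """Log optimisation: drop entries older than the retention window; return count dropped."""
        dropped = 0
        for d in list(self.log):
            kept = [e for e in self.log[d] if now - e[0] <= retention]
            dropped += len(self.log[d]) - len(kept)
            if kept:
                self.log[d] = kept
            else:
                del self.log[d]
        return dropped


class Network:
    def __init__(self, devices: dict):
        self.devices = devices

    def send(self, msg: Message, path: list, now: float, origin: str = None) -> Message:
        """Inject msg at the physical host `origin` and carry it along `path` (device names)."""
        upstream = origin or msg.src
        for name in path:
            self.devices[name].forward(msg, upstream, now)
            upstream = name
        return msg

    def traceback(self, msg: Message, last_device: str, t_attack: float, window: float):
        """Walk the logs hop by hop from the device nearest the victim back to the source host.

        Returns (path in source-to-victim order, source host) or (partial path, None)
        when a device holds zero or several candidate upstream entries inside the window.
        """
        path, current = [], last_device
        while current in self.devices:
            entries = self.devices[current].log.get(msg.digest(), [])
            candidates = {up for t, up in entries if abs(t - t_attack) <= window}
            if len(candidates) != 1:
                return list(reversed(path)), None
            path.append(current)
            current = candidates.pop()
        return list(reversed(path)), current


def demo() -> dict:
    """Constructed scenario: one attack message, one later replay of it from another port."""
    net = Network({n: Device(n) for n in ("sw1", "sw2", "sw3", "r1")})
    net.devices["sw1"].fine_grained = False          # bay-level switch runs in coarse-grained mode
    original = Message("ied_a", "rtu_1", b"\x68\x04\x07\x00\x00\x00")   # constructed sample bytes
    net.send(original, ["sw1", "sw2", "r1"], now=100.0)
    # Replay: identical bytes (same digest) injected later from a rogue host behind sw3.
    replay = Message("ied_a", "rtu_1", original.payload)
    net.send(replay, ["sw3", "sw2", "r1"], now=500.0, origin="rogue_pc")

    precise = net.traceback(original, "r1", t_attack=100.0, window=5.0)     # time-bounded lookup
    loose = net.traceback(original, "r1", t_attack=100.0, window=1000.0)    # digest-only lookup
    dropped = sum(d.prune(now=600.0, retention=300.0) for d in net.devices.values())
    return {"marks": list(original.marks), "precise": precise, "loose": loose, "dropped": dropped}


if __name__ == "__main__":
    print(demo())
```

Running the block shows the coarse-grained switch absent from the marks (only sw2 and r1 mark), the time-bounded traceback resolving to ied_a via sw1, sw2, r1, and the unbounded lookup stopping at sw2 because both sw1 and sw3 have logged the same digest. After pruning with a 300-unit retention window, the three entries from the original message are gone and it can no longer be traced, which is the storage-versus-traceability trade-off the abstract's log optimisation scheme has to balance.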
Keywords: automation & control systems; instruments & instrumentation; engineering, multidisciplinary