AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID
Sherif Abdelwahed
Department of Electrical and Computer Engineering
Mississippi State University
Autonomic Security Management
Modern power grids are complex systems that aggregate vast quantities of information to manage extensive computation tasks in real time. The variety of network protocols and network interfaces in such systems introduces the potential for illicit cyber penetration.
Objectives
Enable power systems to adapt efficiently to variations in their environment.
Enhance the availability and reliability of the system and the underlying services.
Facilitate automatic recovery from security attacks while minimizing the impact on performance.
• Autonomic security management is analogous to the human autonomic nervous system
• ASM continuously monitors, analyzes, and diagnoses user and cyber behavior and then takes proactive actions
Identify system and network parameters impacting system performance
Predict future system security state based on monitored parameters and operating conditions
Develop models to provide security assessment to measure system vulnerability continuously in real-time
Build a protection plan to secure the system and its data and maintain its availability
Model-based Security Management Cycle
Monitoring → Feature Selection → Aggregate and Correlate → Anomaly Behavior Analysis → Risk and Impact Analysis → Automated Actions
Autonomic computing aims at self-protecting systems from cyber attacks with minimal human intervention:
estimating upcoming attacks and sending early warnings
detecting and classifying attacks
investigating causes and impacts of zero-day attacks
autonomously or semi-autonomously implementing responses to eliminate cyber attacks
Outline of a Self-Protecting System
The monitor module collects real-time data on the system performance and the security performance.
For a power system, the set of selected features will include:
Voltage, current, and phase measurements
For the security of a power system with wired and wirelessly connected units, selected features include:
TCP/IP packet headers
Protocol data units
TCP connection rates
The data processing module processes the measurements collected by the monitor module. The formatted and pre-processed datasets are then forwarded to the intrusion estimation and intrusion detection modules.
Monitor and Data Processing
The estimation module uses the historical observations of the controlled variables of a physical model and the selected security features of the system to determine the future performance of the system.
Intrusion Estimation
Historical datasets over the previous $r$ samples, $(k-1, \ldots, k-r)$, feed two predictors:

$\hat{y}(k) = f_y\big(y(k-1), \ldots, y(k-r)\big)$: predicted value of the control variable (e.g. water level)

$\hat{\lambda}(k) = f_\lambda\big(\lambda(k-1), \ldots, \lambda(k-r)\big)$: predicted security features (e.g. TCP/IP packet rates and TCP connection rates)

Predicted security state of the SCADA system:

$\hat{x}(k) = f\big(x(k),\ \hat{y}(k),\ \hat{\lambda}(k)\big)$
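The monitor, data-processing and estimation steps above, as an added example that is not part of the original slides: it parses constructed IPv4/TCP headers into the per-second packet and TCP connection rates listed as security features, estimates $\hat{\lambda}(k)$ from the previous $r$ samples, and derives a security state from the deviation between observation and prediction. The Modbus port 502, the host addresses, the least-squares predictor standing in for $f_\lambda$ and the deviation rule standing in for $\hat{x}(k)$ are all assumptions; the page does not specify those functions.

```python
"""Monitor -> data processing -> intrusion estimation on constructed IPv4/TCP frames."""
import struct

SYN, ACK = 0x02, 0x10
MODBUS_PORT = 502  # assumption: the HMI/MTU side talks Modbus/TCP to the RTU


def build_packet(src, dst, sport, dport, flags):
    """Constructed test data: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    def ip(a):
        return bytes(int(x) for x in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip(src), ip(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_headers(frame):
    """Monitor step: extract the TCP/IP header fields used as security features."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6 or len(frame) < ihl + 20:  # not TCP, or truncated header
        return None
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return {"src": ".".join(map(str, frame[12:16])),
            "dst": ".".join(map(str, frame[16:20])),
            "sport": sport, "dport": dport, "flags": frame[ihl + 13]}


def feature_series(capture, window=1.0):
    """Data-processing step: per-window packet count and TCP connection-attempt
    count (SYN set, ACK clear). capture is a list of (timestamp_s, frame)."""
    if not capture:
        return []
    last = int(max(ts for ts, _ in capture) / window)
    pkts, conns = [0] * (last + 1), [0] * (last + 1)
    for ts, frame in capture:
        h = parse_headers(frame)
        if h is None:
            continue
        i = int(ts / window)
        pkts[i] += 1
        if h["flags"] & (SYN | ACK) == SYN:
            conns[i] += 1
    return list(zip(pkts, conns))


def predict_next(history, r):
    """Estimation step: lambda_hat(k) from the r previous samples. The page does not
    specify f_lambda; this fits a least-squares line and extrapolates one sample."""
    w = history[-r:]
    n = len(w)
    mx, my = (n - 1) / 2, sum(w) / n
    sxx = sum((x - mx) ** 2 for x in range(n))
    sxy = sum((x - mx) * (y - my) for x, y in enumerate(w))
    slope = sxy / sxx if sxx else 0.0
    return my + slope * (n - mx)


def security_state(observed, predicted, ratio=3.0):
    """Assumed form of x_hat(k): relative deviation of the observation from the
    prediction; 'suspect' once it exceeds `ratio` (the +1 guards a zero baseline)."""
    deviation = (observed - predicted) / (abs(predicted) + 1.0)
    return ("suspect" if deviation > ratio else "normal"), deviation


def demo():
    """Constructed capture: 4 s of normal HMI->MTU polling, then a SYN burst."""
    cap = []
    for s in range(4):          # 3 new connections per second from the HMI
        for i in range(3):
            t = s + 0.1 * i
            cap.append((t, build_packet("10.0.0.10", "10.0.0.20", 40000 + i, MODBUS_PORT, SYN)))
            cap.append((t + 0.01, build_packet("10.0.0.20", "10.0.0.10", MODBUS_PORT, 40000 + i, SYN | ACK)))
    for i in range(40):         # second 4: 40 connection attempts from an unknown host
        cap.append((4 + 0.02 * i, build_packet("10.0.0.99", "10.0.0.20", 50000 + i, MODBUS_PORT, SYN)))
    conn_rates = [c for _, c in feature_series(cap)]
    lam_hat = predict_next(conn_rates[:4], r=4)   # history k-4..k-1, predict sample k=4
    return conn_rates, lam_hat, security_state(conn_rates[4], lam_hat)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives a connection-rate series of 3, 3, 3, 3, 40: the estimator predicts 3.0 for the fifth second, and the observed 40 attempts put the security state at "suspect". The SYN-without-ACK rule counts connection attempts rather than packets, so the SYN/ACK replies from the MTU do not inflate the baseline.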
Intrusion detection is the second line of defense.
The intrusion detection system, adopting anomaly and signature detection techniques, can detect known and unknown attacks in real time.
Live forensics analysis, which learns unknown attack patterns without disrupting system operations, is added to protect against zero-day and evolving attacks:
Monitoring and analyzing network traffic, system performance, and audit files using forensics tools (e.g., Wireshark) and statistical methods (e.g., naive Bayesian networks)
Updating the detection algorithms of the IDS and the active response library so that the zero-day attacks can be prevented in the future
Intrusion Detection and Live Forensics Analysis
The intrusion response system selects a proper response to recover the physical system behavior back to normal.
The multi-criteria analysis controller (MAC) examines predefined responses. The assessment of each response takes into account four criteria:
Criterion 1: Enhancement of Security
Criterion 2: Operational Costs
Criterion 3: Maintenance of Normal Operations
Criterion 4: Impacts on Properties, Finance, and Human Safety
Intrusion Response
Fuzzy-logic Decision Making Method
$S_i = \sum_{j=1}^{3} W_{i,j}\, C_{i,j}$

where $S_i$ is the total score for a recommended response $R_i$, $j \in \{1,2,3\}$ indexes the criterion, $W_{i,j}$ is the weight of criterion $j$ for response $i$, and $C_{i,j}$ is the value of criterion $j$ for response $i$.

e.g. Response: Replacement of Compromised Devices, with a weight of 1/3 for each criterion:

Criterion One   Criterion Two   Criterion Three   Criterion Four   Total Score
0               0.5             0                 0.5              1/3*0 + 1/3*0.5 + 1/3*0 = 0.17
The selected response is implemented automatically or semi-automatically.
Supervisory Control and Data Acquisition (SCADA) systems are a type of industrial control system (ICS) that adopts many aspects of Information and Communications Technology to monitor and control cyber-physical processes.
A SCADA system includes: sensors, actuators, programmable logic controllers (PLCs), remote terminal units (RTUs), human machine interfaces (HMIs), and master terminal units (MTUs).
Field devices such as PLCs and RTUs collect and convert sensor-sourced analog measurements to digital data. The digital data are then sent back to MTUs via communication links (e.g., Internet, radio, microwave, and satellite).
In near real time this data is processed by MTUs and displayed on HMIs to enable operators to make intervening control decisions.
Case Study: SCADA System
Vulnerabilities residing in:
Open and standardized protocols (e.g., Modbus, ICCP, and DNP)
Internet-based cyber communications
Security issues inherited from ICT/IT systems:
Operating system
Commercial-off-the-shelf applications
Cyber Threats Facing SCADA Systems
A Self-Protecting SCADA System Architecture
[Figure: the self-protecting SCADA architecture. Labelled components: HMI and MTU on the control network; a switch and firewall; a front VM hosting the Monitor, Data Processing, IDS/Forensics Analysis, Intrusion Estimation, Security State Estimation, and MAC/Intrusion Response (with a Criteria Ranking Unit) modules; a protocol converter (TCP2RTU/RTU2TCP) and communication link to the field devices (PLC). Message labels: commands and requests flow from the control network toward the field devices, replies and messages from field devices flow back, and the front VM's outputs are labelled "legal commands" (toward the field devices) and "legal replies" (toward the MTU/HMI).]
A storage tank is modeled by a laboratory-scale control system in the Mississippi State University SCADA Security Laboratory.
The MTU is connected to a Human-Machine-Interface (HMI) server via an RS-232 serial port.
The MTU connects to the RTU wirelessly.
Virtual Testbed
We injected a malicious command that modified the register values of the water storage tank alarm conditions while the water storage tank was in the "Auto" control mode.
Auto control mode: the pump was turned on when the water level reached the low alarm condition (L); when the water level rose to the high alarm condition (H), the pump was turned off automatically.
The attack first evaded the authentication process, then sent an illicit command that changed the L set-point from 50.00% to 40.00% and the H set-point from 60.00% to 70.00%. The HH (high-high alarm) set-point was modified from 70.00% to 80.00% and the LL (low-low alarm) set-point from 20.00% to 10.00%.
SCADA System Exploits
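The illicit set-point writes described above, as an added example that is not from the original slides or the MSU testbed: a checker that decodes Modbus/TCP Write Single Register (0x06) and Write Multiple Registers (0x10) requests and decides whether the alarm set-points they would leave behind are legal. The page lists Modbus among the open protocols but does not say which protocol the testbed used, so the Modbus/TCP framing, the register addresses, the hundredths-of-a-percent encoding and the engineering bands are all assumptions.

```python
"""Legality check for Modbus/TCP register writes against the tank alarm set-points."""
import struct

WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Assumed register map: the four alarm set-points live in consecutive holding
# registers, encoded in hundredths of a percent (50.00% -> 5000).
SETPOINT_REGISTERS = {0x0010: "LL", 0x0011: "L", 0x0012: "H", 0x0013: "HH"}
# Original set-points from the testbed description.
SETPOINTS = {"LL": 2000, "L": 5000, "H": 6000, "HH": 7000}
# Assumed engineering bands: an operator may trim a set-point within +/-5 points
# of its original value; anything else is treated as illicit.
BANDS = {"LL": (1500, 2500), "L": (4500, 5500), "H": (5500, 6500), "HH": (6500, 7500)}


def mbap(tid, unit, pdu):
    """MBAP header: transaction id, protocol id 0, length (unit id + PDU), unit id."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_write_single(tid, unit, addr, value):
    """Constructed request: Write Single Register (FC 0x06)."""
    return mbap(tid, unit, struct.pack("!BHH", WRITE_SINGLE_REGISTER, addr, value))


def build_write_multiple(tid, unit, start, values):
    """Constructed request: Write Multiple Registers (FC 0x10)."""
    pdu = struct.pack("!BHHB", WRITE_MULTIPLE_REGISTERS, start, len(values), 2 * len(values))
    pdu += b"".join(struct.pack("!H", v) for v in values)
    return mbap(tid, unit, pdu)


def parse_writes(frame):
    """Return {register: value} for a write request; {} for anything else or malformed."""
    if len(frame) < 8:
        return {}
    _tid, proto, length, _unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return {}
    fc = frame[7]
    if fc == WRITE_SINGLE_REGISTER and len(frame) == 12:
        addr, value = struct.unpack("!HH", frame[8:12])
        return {addr: value}
    if fc == WRITE_MULTIPLE_REGISTERS and len(frame) >= 13:
        start, qty, nbytes = struct.unpack("!HHB", frame[8:13])
        if nbytes != 2 * qty or len(frame) != 13 + nbytes:
            return {}
        values = struct.unpack("!%dH" % qty, frame[13:])
        return {start + i: v for i, v in enumerate(values)}
    return {}


def check_command(frame, current=SETPOINTS):
    """Apply the write to a copy of the current set-points and report every rule it
    breaks: only mapped registers, each value inside its band, and LL < L < H < HH
    after the write. 'legal' mirrors the 'legal command' label in the architecture."""
    writes = parse_writes(frame)
    if not writes:
        return {"legal": False, "reasons": ["not a register write"], "setpoints": dict(current)}
    proposed, reasons = dict(current), []
    for addr, val in writes.items():
        name = SETPOINT_REGISTERS.get(addr)
        if name is None:
            reasons.append("write to unmapped register 0x%04X" % addr)
            continue
        lo, hi = BANDS[name]
        if not lo <= val <= hi:
            reasons.append("%s out of band: %d not in [%d, %d]" % (name, val, lo, hi))
        proposed[name] = val
    order = [proposed[n] for n in ("LL", "L", "H", "HH")]
    if not all(a < b for a, b in zip(order, order[1:])):
        reasons.append("alarm order violated: LL=%d L=%d H=%d HH=%d" % tuple(order))
    return {"legal": not reasons, "reasons": reasons, "setpoints": proposed}


if __name__ == "__main__":
    # The injected command from the case study: LL 20->10, L 50->40, H 60->70, HH 70->80.
    attack = build_write_multiple(1, 1, 0x0010, [1000, 4000, 7000, 8000])
    print(check_command(attack))
```

The injected command keeps the alarms in a valid order (10 < 40 < 70 < 80), so an ordering rule alone would pass it; it is the band check that rejects all four values. The ordering rule still matters for single-register writes that would invert L and H, and the length and byte-count checks in `parse_writes` reject truncated or padded frames before any value is trusted.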
A linear physical model of the water storage tank was built from the observations of the physical system while it was automatically controlled.
Physical Model of the Water Storage Tank
Water level: $\mathrm{Level}(k) = A\,k + B$

Coefficients:
when $1 \le t \le 35$: $A = 0.256$ and $B = 51.181$
when $36 \le t \le 39$: $A = -1.976$ and $B = 62.090$
when $40 \le t \le 45$: $A = 0.032$ and $B = 56.718$
when $46 \le t \le 80$: $A = -0.202$ and $B = 56.686$

Predicted security state, with the fitted model coefficients $(A, B)$ standing in for the control-variable prediction:

$\hat{x}(k) = f\big(x(k),\ (A, B),\ \hat{\lambda}(k)\big)$
Observations and Estimations of the Water
Level Without Self-Protection
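The piecewise model above, as an added example that is not the authors' code: it reproduces the 80-sample Auto-mode cycle from the four coefficient pairs and compares observed levels against it, flagging samples whose residual is large or whose level leaves the original alarm band. Counting the sample index from the start of each segment is an assumption (with an absolute index the second segment's line would give negative levels); the residual tolerance and the alarm margin are also assumed.

```python
"""Piecewise-linear model of the storage tank's Auto-mode cycle, with the page's coefficients."""

# (first sample, last sample, A, B) per segment of one 80-sample Auto-mode cycle.
SEGMENTS = [
    (1, 35, 0.256, 51.181),    # pump on: level rises toward H
    (36, 39, -1.976, 62.090),  # pump off: fast initial drop
    (40, 45, 0.032, 56.718),   # settling
    (46, 80, -0.202, 56.686),  # slow drain toward L
]
CYCLE = 80
L_SETPOINT, H_SETPOINT = 50.0, 60.0   # original alarm set-points in percent


def model_level(k):
    """Level(k) = A*k + B. Assumption: k is folded onto the 80-sample cycle and counted
    from the start of its segment, which makes the four lines join up."""
    if k < 1:
        raise ValueError("sample index must be >= 1")
    t = (k - 1) % CYCLE + 1
    for first, last, a, b in SEGMENTS:
        if first <= t <= last:
            return a * (t - first + 1) + b
    raise AssertionError("segments must cover 1..CYCLE")


def nominal_cycle():
    """The model's level for samples 1..80 of one cycle."""
    return [model_level(k) for k in range(1, CYCLE + 1)]


def exceeds_alarm(level, margin=1.0):
    """'H' or 'L' when a level is outside the original alarm band by more than
    `margin` points (assumed; the nominal cycle itself overshoots H by about 0.14)."""
    if level > H_SETPOINT + margin:
        return "H"
    if level < L_SETPOINT - margin:
        return "L"
    return None


def residual_check(observations, tolerance=3.0):
    """observations: {sample: observed percent}. Returns (sample, observed, estimated,
    residual, alarm) for every sample whose residual exceeds `tolerance` percentage
    points (an assumed threshold) or whose level leaves the alarm band."""
    flags = []
    for k in sorted(observations):
        est = model_level(k)
        res = observations[k] - est
        alarm = exceeds_alarm(observations[k])
        if abs(res) > tolerance or alarm is not None:
            flags.append((k, observations[k], est, res, alarm))
    return flags


if __name__ == "__main__":
    # The case study's observation: 65.99% at sample 94 after the set-point tampering.
    print(residual_check({35: 60.14, 94: 65.99}))
```

With the page's coefficients the nominal cycle runs from 51.44% up to 60.14% at sample 35 and back down to 49.62% at sample 80, so a level of 65.99% is flagged twice over: it sits about 11 points above the model and above the original H set-point, even though the tampered set-points would treat it as normal.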
Evaluation of Recommended Responses
The optimal response evaluated by the MAC to defend against the malicious command injection attack is "Replacement of Compromised Devices."
The results show that at sample 94 the malicious command injection attack modified the alarm conditions and the water level rose abnormally to 65.99%.
At sample 104, when "Replacement of Compromised Devices" was implemented, a replica PLC containing the original ladder-logic programs replied to the MTU and sent commands to control the water level of the storage tank.
The water level returned to normal rapidly and efficiently with the application of autonomic computing technology.
Experimental Results
Current Related Research at MSU
Test bed for vulnerability assessment and impact study
Synchrophasor data generation
Simulation of a wide range of power system events and cyber-attacks
Datasets
Application of data in event and intrusion detection for offline and online applications
Wide Area Measurement Systems - A CPS Test Bed Architecture
Physical, communication, monitoring, and control layers
Power system scenarios: faults, load change, generator drop, line loss
5 power system models: 3-generator 4-bus, IEEE 9 bus, Kundur 2-area system, IEEE 14 bus, IEEE 39 bus
Cyber-attack scenarios: command injection, man in the middle, HMI/UI attacks, physical attacks, denial of service attacks
Heterogeneous datasets: CSV data format; all data time tagged; data pertains to all scenarios
45 scenarios; 120 samples per second; 4 PMUs
38.8 GB: 11,715 instances of the 45 scenarios, randomly simulated for nearly 40 hours
Data Mining Applications for Event and Intrusion Detection Systems (EIDS)
Datasets were used to develop intrusion detection systems (IDS) using the Common Path Mining (CPM) algorithm
Datasets were used to develop event and intrusion detection systems (EIDS) for offline and real-time applications:
Non-nested Generalized Exemplars (NNGE) for offline EIDS
Hoeffding Adaptive Tree (HAT) for real-time EIDS
[Figure: Performance comparison between different data mining algorithms]