Energy Informatics (Sep 2022)

On specification-based cyber-attack detection in smart grids

  • Ömer Sen,
  • Dennis van der Velde,
  • Maik Lühman,
  • Florian Sprünken,
  • Immanuel Hacker,
  • Andreas Ulbig,
  • Michael Andres,
  • Martin Henze

DOI
https://doi.org/10.1186/s42162-022-00206-7
Journal volume & issue
Vol. 5, no. S1
pp. 1 – 21

Abstract

Read online

Abstract The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.

Keywords