8 research outputs found

    Towards Establishing Principles for Designing Cybersecurity Simulations of Cyber-Physical Artefacts in Real-Time Simulation

    Our modern world is dependent on cyber-physical artefacts (e.g., smart grids, cars, mobile phones). Those artefacts are being attacked by cyber-criminals, entailing substantial harm to individuals, organizations, and governments. Those artefacts need to be designed properly to prevent and recover from inevitable cyberattacks. We offer a solution based on a Real-Time Simulator (RTS). Our solution is a set of meta-principles for using an RTS when designing simulations of cyber-physical artefacts. Our solution considers both the social and technical layers of cyber-physical artefacts.

    Time sensitive networking security: issues of precision time protocol and its implementation

    Time Sensitive Networking (TSN) will be an integral component of industrial networking. Time synchronization in TSN is provided by the IEEE 1588 Precision Time Protocol (PTP). The standard, dating back to 2008, only marginally addresses security aspects, notably not encompassing the frames designed for management purposes (Type Length Values, or TLVs). In this work we show that the TLVs can be abused by an attacker to reconfigure, manipulate, or shut down time synchronization. The effects of such an attack can be serious, ranging from interruption of operations to actual unintended behavior of industrial devices, possibly resulting in physical damage or even harm to operators. The paper analyzes the root causes of this vulnerability and provides concrete examples of attacks leveraging it to de-synchronize the clocks, showing that they can succeed with limited resources, realistically available to a malicious actor.

    A Security-Centric Application of Precision Time Protocol within ICS/SCADA Systems

    Industrial Control System and Supervisory Control and Data Acquisition (ICS/SCADA) systems are key pieces of larger infrastructure that are responsible for safely operating transportation, industrial operations, and military equipment, among many other applications. ICS/SCADA systems rely on precise timing and clear communication paths between control elements and sensors. Because ICS/SCADA system designs place a premium on timeliness and availability of data, security ended up as an afterthought, stacked on top of existing (insecure) protocols. As precise timing is already resident and inherent in most ICS/SCADA systems, a unique opportunity is presented to leverage existing technology to potentially enhance the security of these systems. This research seeks to evaluate the utility of timing as a mechanism to mitigate certain types of malicious cyber-based operations, such as a man-on-the-side (MotS) attack. By building a functioning ICS/SCADA system and communication loop that incorporates precise timing strategies in the reporting and control loop, specifically the Precision Time Protocol (PTP), it was shown that certain kinds of MotS attacks can be mitigated by leveraging precise timing.
    Navy Cyber Warfare Development Group, Suitland, MD. Lieutenant, United States Navy. Approved for public release; distribution is unlimited.

    A Detection and Mitigation Model for PTP Delay Attack in an IEC 61850 Substation


    Detection and Mitigation of Cyber Attacks on Time Synchronization Protocols for the Smart Grid

    The current electric grid is considered one of the greatest engineering achievements of the twentieth century. It has been successful in delivering power to consumers for decades. Nevertheless, the electric grid has recently experienced several blackouts that raised concerns about its availability and reliability. The aspiration to provide reliable and efficient energy, and to contribute to environmental protection through the increasing utilization of renewable energies, is driving the need to deploy the grid of the future, the smart grid. It is expected that this grid will be self-healing after power disturbance events, operate resiliently against physical and cyber attacks, operate efficiently, and enable new products and services. All of these call for a grid with more Information and Communication Technologies (ICT). As such, power grids are increasingly absorbing ICT to provide efficient, secure and reliable two-way communication to better manage, operate, maintain and control electric grid components. On the other hand, the successful deployment of the smart grid is predicated on the ability to secure its operations. Such a requirement is of paramount importance, especially in the presence of recent cyber security incidents. Furthermore, such incidents are expected to increase with the growing integration of ICT and the vulnerabilities it introduces to the grid. The exploitation of these vulnerabilities might lead to attacks that can, for instance, mask the system's observability and initiate cascading failures with undesirable and severe consequences. In this thesis, we explore the security aspects of a key enabling technology in the smart grid: accurate time synchronization. Time synchronization is an essential requirement across the domains of the grid, from generation to transmission, distribution, and consumer premises.
    We focus on the substation, a basic building block of the smart grid, along with its recommended time synchronization mechanism, the Precision Time Protocol (PTP), in order to address threats associated with PTP and to propose practical and efficient detection, prevention and mitigation techniques and methodologies that harden and enhance the security and usability of PTP in a substation. In this respect, we start this thesis with a security assessment of PTP that identifies PTP security concerns, and then address those concerns in the subsequent chapters. We tackle the following main threats associated with PTP: 1) PTP's vulnerability to fake timestamp injection through a compromised component, 2) PTP's vulnerability to the delay attack, and 3) the lack of a mechanism that secures the PTP network. Next, and as a direct consequence of the importance of time synchronization in the smart grid, we consider the wide area system to demonstrate the vulnerability of relative data alignment in Phasor Data Concentrators to time synchronization attacks. These problems are studied extensively throughout this thesis, followed by discussions that highlight open research directions worth further investigation.

    Application-Based Measures for Developing Cyber-Resilient Control and Protection Schemes in Power Networks

    Electric power systems are part of the most crucial infrastructure on which societies depend. In order to operate efficiently and reliably, the physical layer in large electric power networks is coupled with a cyber system of information and communication technologies, which includes compound devices and schemes such as SCADA systems and IEDs. These communication-based schemes and components are mainly part of protection and control systems, which are known as the backbones of power networks: the former detects abnormal conditions and returns the system to its normal state by initiating a quick corrective action, and the latter preserves the integrity of the system and stabilizes it following physical disturbances. This dissertation concentrates on the cyber-security of protection and control systems in power networks by unveiling a vulnerable protective relay, i.e., the LCDR, and a susceptible controller, i.e., the AGC system, and by proposing application-based measures for making them resilient against cyber threats. LCDRs are a group of protective relays that are highly dependent on communication systems, since they require time-synchronized remote measurements from all terminals of the line they are protecting. In AC systems, this type of relay is widely used for protecting major transmission lines, particularly higher-voltage ones carrying gigawatts of power. On the other hand, due to the limitations of other protection schemes, LCDRs have been identified as a reliable protection for medium-voltage lines in DC systems. Therefore, the cyber-security of LCDRs is of great importance. On this basis, this dissertation first shows the problem in both AC and DC systems and reveals the consequences and destructiveness of cyber-attacks against LCDRs through case studies. Then, it presents three solutions to address this problem, two for AC networks and one for DC grids.
    For AC systems, this dissertation presents two methods, one that can be used for SV-based LCDRs, and another that works for both SV-based and phasor-based relays. Both methods are initiated after the LCDR picks up, to confirm the occurrence of faults and differentiate them from cyber-attacks. To detect attacks, the first method compares the estimated and locally-measured voltages at the LCDR's local terminal during faults for both PS and NS. To estimate the local voltage for each sequence, the proposed technique uses a UIO, the state-space model of the faulty line, and remote and local measurements, all associated with that sequence. The difference between the measured and estimated local voltages for each sequence remains close to zero during real internal faults because, in this condition, the state-space model on which the UIO operates correctly represents the line. During attacks, however, the state-space model mismatch leads to a large difference between measured and estimated values in both sequences. The second proposed method for an AC LCDR detects attacks by comparing the calculated and locally-measured superimposed voltages in each sequence after the relay picks up. A large difference between the calculated and measured superimposed voltages in any sequence reveals that the remote current measurements are not authentic. Given that local measurements cannot be manipulated by cyber-attacks, any difference between the calculated and measured superimposed voltages is due to the inauthenticity of the remote current measurements. The proposed method for DC LCDRs is comprised of POCs installed in series with each converter. During faults, the resultant RLC circuit causes the POCs to resonate and generate a damped sinusoidal component with a specific frequency. However, this specific frequency is not generated during cyber-attacks or other events. Thus, an LCDR pickup without detection of this specific frequency denotes a cyber-attack.
    Given that the frequency extraction process is carried out locally by each LCDR, the proposed approach cannot be targeted by cyber-attacks. On the other hand, an AGC system, which is the secondary controller of the LFC system, is a communication-dependent and vulnerable controller that maintains tie-line power at its scheduled values and regulates grid frequency by adjusting the set-points of power plants' governors. This dissertation proves the destructiveness of cyber-attacks against AGC systems by proposing a SHA that disrupts the normal operation of the AGC system quickly and undetectably. Afterwards, two methods are proposed for detecting and identifying intrusions against AGC systems and making them attack-resilient. Both methods work without requiring load data from the system, in contrast to other methods presented in the literature. To detect attacks, the first method estimates the LFC system's states using a UIO and calculates the UIO's RF, defined as the difference between the estimated and measured states. In normal conditions, the estimated and measured values of the LFC states are ideally the same. Therefore, an increase in the UIO's RF above a predefined threshold signifies an attack. This method also identifies attacks, i.e., determines which system parameter(s) is (are) targeted, by designing a number of identification UIOs. The general idea behind the second proposed method for detecting and identifying attacks against AGC systems is similar to the first; however, the second one also takes the effect of noise into account. Therefore, instead of a UIO, the second method utilizes a SUIE for estimating the states of the LFC system and minimizing the effect of noise on the estimated states. Similarly, an increase in the SUIE's RF above a predefined threshold indicates the occurrence of an attack.