
    Smart Grid Security: Threats, Challenges, and Solutions

    The cyber-physical nature of the smart grid has rendered it vulnerable to a multitude of attacks that can occur at its communication, networking, and physical entry points. Such cyber-physical attacks can have detrimental effects on the operation of the grid, as exemplified by the recent attack which caused a blackout of the Ukrainian power grid. Thus, to properly secure the smart grid, it is of utmost importance to: a) understand its underlying vulnerabilities and associated threats, b) quantify their effects, and c) devise appropriate security solutions. In this paper, the key threats targeting the smart grid are first exposed while assessing their effects on the operation and stability of the grid. Then, the challenges involved in understanding these attacks and devising defense strategies against them are identified. Potential solution approaches that can help mitigate these threats are then discussed. Last, a number of mathematical tools that can help in analyzing and implementing security solutions are introduced. As such, this paper provides the first comprehensive overview of smart grid security.

    Characterization of cyber attacks through variable length Markov models

    The increase in bandwidth, the emergence of wireless technologies, and the spread of the Internet throughout the world have created new forms of communication with effects on areas such as business, entertainment, and education. This pervasion of computer networks into human activity has amplified the importance of cyber security. Network security relies heavily on Intrusion Detection Systems (IDS), whose objective is to detect malicious network traffic and computer usage. IDS data can be correlated into cyber attack tracks, which consist of ordered collections of alerts triggered during a single multi-stage attack. The objective of this research is to enhance the current knowledge of attack behavior by developing a model that captures the sequential properties of attack tracks. Two sequence characterization models are discussed: Variable Length Markov Models (VLMMs), which are a type of finite-context model, and Hidden Markov Models (HMMs), which are also known as finite-state models. A VLMM is implemented based on attack sequences s = {x1, x2, ..., xn}, where each xi belongs to a set of possible values of one or more fields in an alert message. This work shows how the proposed model can be used to predict future attack actions (xj+1) belonging to a newly observed and unfolding attack sequence s = {x1, x2, ..., xj}. It also presents a metric that measures the variability in attack actions based on information entropy, and a method for classifying attack tracks as sophisticated or simple based on average log-loss. In addition, insights into the analysis of attack target machines are discussed.

    Developing Network Situational Awareness through Visualization of Fused Intrusion Detection System Alerts

    With networks increasing in physical size, bandwidth, traffic volume, and malicious activity, network analysts are experiencing greater difficulty in developing network situational awareness. Traditionally, network analysts have used Intrusion Detection Systems to gain awareness, but this method breaks down when analysts are unable to process the alerts at the rate they are being generated. Analysts are unwittingly placing the computer assets they are charged to protect at risk when they are unable to detect these network attacks. This research effort examines the theory, application, and results of using visualizations of fused alert data to develop network situational awareness. The fused alerts offer analysts fewer false positives, less redundancy, and a lower alert volume due to the pre-processing. Visualization offers the analyst quicker visual processing and potential pattern recognition. This research utilized the Visual Information Management toolkit created by Stanfield Systems Inc. to generate meaningful visualizations of the fused alert data. The fused alert data was combined with other network data such as IP address information, network topology, and network traffic in the form of tcpdump data. The process of building Situational Awareness is an active process between the toolkit and the analyst: the analyst loads the necessary data into the visualization(s), configures the visualization properties, and filters the visualization(s). Results from generating visualizations of the network attack scenarios were positive. The analyst gained more awareness through the process of defining visualization properties. The analyst was able to filter the network data sources effectively to focus on the important alerts. Ultimately, the analyst was able to follow the attacker through the entry point in the network to the victims, and to determine that the victims were compromised by the attacker. The analyst wasn't able to definitively label the attack specifically, yet the analyst was able to follow the attack effectively, leading to Situational Awareness.

    Fused Classification For Differential Face Morphing Detection

    Face morphing, a sophisticated presentation attack technique, poses significant security risks to face recognition systems. Traditional methods struggle to detect morphing attacks, which involve blending multiple face images to create a synthetic image that can match different individuals. In this paper, we focus on the differential detection of face morphing and propose an extended approach based on a fused classification method for the no-reference scenario. We introduce a public face morphing detection benchmark for the differential scenario and utilize a specific data mining technique to enhance the performance of our approach. Experimental results demonstrate the effectiveness of our method in detecting morphing attacks. Comment: 8 pages, 3 figures, 2 tables.

    A Multi Agent System for Flow-Based Intrusion Detection Using Reputation and Evolutionary Computation

    The rising sophistication of cyber threats as well as the improvement of physical computer network properties present increasing challenges to contemporary Intrusion Detection (ID) techniques. To respond to these challenges, a multi-agent system (MAS) coupled with flow-based ID techniques may effectively complement traditional ID systems. This paper develops: 1) a scalable software architecture for a new, self-organized, multi-agent, flow-based ID system; and 2) a network simulation environment suitable for evaluating implementations of this MAS architecture and for other research purposes. Self-organization is achieved via 1) a reputation system that influences agent mobility in the search for effective vantage points in the network; and 2) multi-objective evolutionary algorithms that seek effective operational parameter values. This paper illustrates, through quantitative and qualitative evaluation, 1) the conditions under which the reputation system provides a significant benefit; and 2) the essential functionality of a complex network simulation environment supporting a broad range of malicious activity scenarios. These results establish an optimistic outlook for further research in flow-based multi-agent systems for ID in computer networks.

    Graph-Theoretic Approach for Manufacturing Cybersecurity Risk Modeling and Assessment

    Identifying, analyzing, and evaluating cybersecurity risks are essential to assess the vulnerabilities of modern manufacturing infrastructures and to devise effective decision-making strategies to secure critical manufacturing against potential cyberattacks. In response, this work proposes a graph-theoretic approach for risk modeling and assessment to address the lack of quantitative cybersecurity risk assessment frameworks for smart manufacturing systems. In doing so, first, threat attributes are represented using an attack graphical model derived from manufacturing cyberattack taxonomies. Attack taxonomies offer consistent structures to categorize threat attributes, and the graphical approach helps model their interdependence. Second, the graphs are analyzed to explore how threat events can propagate through the manufacturing value chain and to identify the manufacturing assets that threat actors can access and compromise during a threat event. Third, the proposed method identifies the attack path that maximizes the likelihood of success and minimizes the attack detection probability, and then computes the associated cybersecurity risk. Finally, the proposed risk modeling and assessment framework is demonstrated via an illustrative example of an interconnected smart manufacturing system. Using the proposed approach, practitioners can identify critical connections and manufacturing assets requiring prioritized security controls and develop and deploy appropriate defense measures accordingly. Comment: 25 pages, 10 figures.

    Novel ultrasound features for the identification of the vulnerable carotid plaque

    Background: The identification of the vulnerable carotid plaque is of paramount importance in order to prevent the significant stroke-related mortality and morbidity. Currently, the clinical decision-making around this condition is based on the traditional ultrasound evaluation of the degree of stenosis. However, there is emerging evidence that this is not sufficient for all patients. Aim of this thesis: The evaluation of novel carotid plaque features for the characterisation of plaque composition, volume and motion using 2- and 3-dimensional ultrasound technology. The ultimate goal is to identify novel sensitive imaging markers for carotid plaque characterisation and stroke-risk stratification. Methods: The Asymptomatic Carotid Stenosis and Risk of Stroke (ACSRS) Study was a large prospective multicentre trial that was recently completed. A post-hoc analysis of the sonographic and clinical data from this study was performed in order to evaluate the effectiveness of novel ultrasound texture features, such as second-order statistics, on stroke-risk prediction. In addition, the change of specific texture features and degree of stenosis during the ACSRS follow-up time (8 years) and their importance for stroke prediction was evaluated. In order to assess the potential of 3D ultrasound carotid imaging, we also developed a special methodology using a 3D broadband, linear array probe and the Q-lab software. This methodology was then applied in a clinical, cross-sectional study of patients with symptomatic and asymptomatic carotid disease. Finally, we developed a carotid plaque motion analysis methodology that we tested in a feasibility study. Results: The post-hoc analysis of more than 1,000 patients from the ACSRS database showed that there are novel ultrasound features of plaque homogeneity that can contribute to plaque characterisation and improve stroke-risk prediction. Similarly, our results suggest that the change of degree of stenosis or plaque composition through time might have significant predictive value when combined with the above novel features. The study in 3D ultrasound prospectively assessed more than 80 people with symptomatic and asymptomatic carotid disease with both 2D and 3D carotid ultrasound without, though, revealing any significant benefit from the use of 3D imaging in terms of stroke-risk prediction. Finally, our feasibility study on plaque motion analysis showed that it is possible to objectively characterise plaque motion using ultrasound and dedicated software without complicated reconstructions. Conclusion: The use of novel 2D ultrasound texture features in combination with traditional ones can improve stroke-risk stratification. 3D ultrasound is a promising new approach; however, the current technology does not appear to offer a significant benefit in comparison to cheaper traditional 2D ultrasound for carotid plaque evaluation. Further research is warranted on this issue. Open Access.

    Impact of the Shodan Computer Search Engine on Internet-facing Industrial Control System Devices

    The Shodan computer search engine crawls the Internet attempting to identify any connected device. Using Shodan, researchers identified thousands of Internet-facing devices associated with industrial control systems (ICS). This research examines the impact of Shodan on ICS security, evaluating Shodan's ability to identify Internet-connected ICS devices and assessing whether targeted attacks occur as a result of Shodan identification. In addition, this research evaluates the ability to limit device exposure to Shodan through service banner manipulation. Shodan's impact was evaluated by deploying four high-interaction, unsolicited honeypots over a 55-day period, each configured to represent Allen-Bradley programmable logic controllers (PLC). All four honeypots were successfully indexed and identifiable via the Shodan web interface in less than 19 days. Despite being indexed, there was no increased network activity or targeted ICS attacks. Although results indicate Shodan is an effective reconnaissance tool, they contrast with claims of its use to broadly identify and target Internet-facing ICS devices. Additionally, the service banners for two PLCs were modified to evaluate the impact on Shodan indexing capabilities. Findings demonstrated that service banner manipulation successfully limited device exposure from Shodan queries.