15 research outputs found

    Timing attack detection on BACnet via a machine learning approach

    Building Automation Systems (BAS), alternatively known as Building Management Systems (BMS), which centralise the management of building services, are often connected to corporate networks and are routinely accessed remotely for operational management and emergency purposes. The protocols used in BAS, in particular BACnet, were not designed with security as a primary requirement, thus the majority of systems operate with sub-standard or non-existent security implementations. As intrusion is thus likely easy to achieve, intrusion detection systems should be put in place to ensure they can be detected and mitigated. Existing intrusion detection systems typically deal only with known threats (signature-based approaches) or suffer from a high false positive rate (anomaly-based approaches). In this paper we present an overview of the problem space with respect to BAS, and suggest that state-aware machine learning techniques could be used to discover threats that comprise a collection of legitimate commands. We provide a first step showing that the concept can be used to detect an attack where legitimate write commands being sent in rapid succession may cause system failure. We capture the state as a ‘time since last write’ event and use a basic artificial neural network classifier to detect attacks.

    Cyber-Critical Infrastructure Protection Using Real-time Payload-based Anomaly Detection

    With an increasing demand for inter-connectivity and protocol standardization, modern cyber-critical infrastructures are exposed to a multitude of serious threats that may give rise to severe damage to life and assets without the implementation of proper safeguards. Thus, we propose a method that is capable of reliably detecting unknown, exploit-based attacks on cyber-critical infrastructures carried out over the network. We illustrate the effectiveness of the proposed method by conducting experiments on network traffic that can be found in modern industrial control systems. Moreover, we provide results of a throughput measurement which demonstrate the real-time capabilities of our system.

    Anomaly Detection Technique for Honeynet Data Analysis

    Cyber risk modeling and attack-resilient control for power grid

    The electric power grid is a cyber-physical system (CPS) that forms the lifeline of modern society. Sophisticated control applications that constantly monitor critical power system variables, such as voltage and frequency, enable system operators to deliver reliable and high-quality power. The advanced devices and communication infrastructure of the Supervisory Control and Data Acquisition (SCADA) system enable control applications ranging from substation-level voltage control schemes to system-wide automatic generation control (AGC). However, inherent cyber security vulnerabilities in the infrastructure put system operation at risk by providing an attack surface to cyber threat actors. A smart attacker, that is, a cyber threat actor with expertise in physical power system operation, could cause severe damage to the power grid infrastructure and its reliability by stealthily manipulating SCADA operation. This dissertation explores such impacts to power grid operation from cyber attacks and, more importantly, introduces novel mitigation schemes to minimize or negate the impacts. It has two primary components - risk modeling of coordinated cyber attacks and attack-resilient control. The first component of this thesis focuses on coordinated cyber attacks, that is, attacks that target multiple power system components simultaneously. The notion of spatial and temporal coordinated cyber attacks and their impact on power system transmission infrastructure is introduced. The impact from these attacks was captured in terms of traditional power system stability metrics. The results reveal that these extreme events demand a rethink of both power system planning and operations methods by way of including cyber-originated contingencies within the scope. To this end, a systematic risk modeling framework is proposed as mitigation to be used in power systems planning. The risk for a substation is modeled as the product of the vulnerability of its SCADA infrastructure and the impact from its compromise. The vulnerability is obtained by modeling the SCADA network using Stochastic Petri Nets. Impact to system reliability is quantified in terms of transmission line overloads and the resulting forced load shedding. The methodology is applied to a test power system and the attack vectors are ranked according to risk. This methodology could therefore be employed by system planners to evaluate infrastructural upgrade requirements and identify security enhancements. An enhancement to the contingency analysis application is proposed as mitigation during online operation. The proposed algorithm efficiently captures impactful coordinated vectors by significantly reducing the number of cases to be evaluated. Results reveal the algorithm's ability to identify almost all impactful attack vectors for a line under review without the need for a complete study. The second component of the thesis explores the impact of data integrity attacks on power system control applications. Specifically, the impact of data integrity attacks on Automatic Generation Control (AGC) is examined and Attack-Resilient Control (ARC) is proposed as mitigation. ARC for AGC proposes the use of physical system information to design algorithms for detection and mitigation of cyber attacks. Specifically, a model-based anomaly detection and attack mitigation algorithm was developed for AGC using short-term load forecast data. The performance of AGC was tested on a standard test system with and without ARC. The results show that ARC for AGC is able to detect data integrity attacks, maintain the system within stability margins and enhance overall system security by providing defense-in-depth. Future work includes expanding the risk analysis framework to include different types of coordinated attacks and to compare impact expressed in different power system metrics. Mitigation of temporal coordinated attacks and transient stability analysis of spatial and temporal attacks are also a part of future work. Finally, the attack-resilient control framework should be enhanced to differentiate abnormal measurements due to cyber attacks from legitimate aberrations due to power system contingencies.