6,202 research outputs found

    Machine Learning Based Detection of False Data Injection Attacks in Wide Area Monitoring Systems

    The Smart Grid (SG) is an upgraded, intelligent, and more reliable version of the traditional Power Grid due to the integration of information and communication technologies. The operation of the SG requires a dense communication network to link all its components. But such a network renders it prone to cyber attacks jeopardizing the integrity and security of the communicated data between the physical electric grid and the control centers. Among the most prominent components of the SG are Wide Area Monitoring Systems (WAMS). WAMS are a modern platform for grid-wide information, communication, and coordination that play a major role in maintaining the stability of the grid against major disturbances. In this thesis, an anomaly detection framework is proposed to identify False Data Injection (FDI) attacks in WAMS using different Machine Learning (ML) and Deep Learning (DL) techniques, i.e., Deep Autoencoders (DAE), Long Short-Term Memory (LSTM), and One-Class Support Vector Machine (OC-SVM). These algorithms leverage diverse, complex, and high-volume power measurements coming from communications between different components of the grid to detect intelligent FDI attacks. The injected false data is assumed to target several major WAMS monitoring applications, such as Voltage Stability Monitoring (VSM) and Phase Angle Monitoring (PAM). The attack vector is considered to be smartly crafted based on the power system data, so that it can pass the conventional bad data detection schemes and remain stealthy. Due to the lack of realistic attack data, machine learning-based anomaly detection techniques are used to detect FDI attacks. To demonstrate the impact of attacks on the realistic WAMS traffic and to show the effectiveness of the proposed detection framework, a Hardware-In-the-Loop (HIL) co-simulation testbed is developed. The performance of the implemented techniques is compared on the testbed data using different metrics: Accuracy, F1 score, False Positive Rate (FPR), and False Negative Rate (FNR). The IEEE 9-bus and IEEE 39-bus systems are used as benchmarks to investigate the framework scalability. The experimental results prove the effectiveness of the proposed models in detecting FDI attacks in WAMS

    On Ladder Logic Bombs in Industrial Control Systems

    In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques. Comment: 11 pages, 14 figures, 2 tables, 1 algorith

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisation and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place, as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mindsets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

    Preliminary Analysis of Cyberterrorism Threats to Internet of Things (IoT) Applications

    The era of the Internet of Things (IoT), being a combination of various networking and computing technologies, is already in a state of growth that introduces a new age of data aggregation mechanisms and ubiquitous connectivity among physical objects. However, most of the cyber threats still remain unsolved and may create a huge impact on our lives. One of the possible major changes in the impact landscape is the imminent physical results of cyber threats, as IoT technologies enable closer interactions between humans and information systems. Although the cyber threats to critical infrastructures have been highly considered by the cyber security community, the cases with catastrophic physical impacts are rare, which means the impact posture has not exactly shifted from information-centric impacts to physical ones. However, widespread usage of IoT technologies has the potential to accelerate this shift, which may bring the threat of cyber terrorism into the picture. This paper provides a preliminary comparison of a typical IoT application in the health area with an industrial control system (ICS) in order to show that IoT applications are required to be deeply assessed as terrorists may attack them with easy-to-implement cyberattacks for the purpose of creating physical harm

    Emergent behaviors in the Internet of things: The ultimate ultra-large-scale system

    To reach its potential, the Internet of Things (IoT) must break down the silos that limit applications' interoperability and hinder their manageability. Doing so leads to the building of ultra-large-scale systems (ULSS) in several areas, including autonomous vehicles, smart cities, and smart grids. The scope of ULSS is both large and complex. Thus, the authors propose Hierarchical Emergent Behaviors (HEB), a paradigm that builds on the concepts of emergent behavior and hierarchical organization. Rather than explicitly programming all possible decisions in the vast space of ULSS scenarios, HEB relies on the emergent behaviors induced by local rules at each level of the hierarchy. The authors discuss the modifications to classical IoT architectures required by HEB, as well as the new challenges. They also illustrate the HEB concepts in reference to autonomous vehicles. This use case paves the way to the discussion of new lines of research. Damian Roca's work was supported by a Doctoral Scholarship provided by Fundación La Caixa. This work has been supported by the Spanish Government (Severo Ochoa grants SEV2015-0493) and by the Spanish Ministry of Science and Innovation (contracts TIN2015-65316-P). Peer Reviewed. Postprint (author's final draft