    Intrusion Detection System of industrial control networks using network telemetry

    Industrial Control Systems (ICSs) are designed, implemented, and deployed in most major spheres of production, business, and entertainment. ICSs are commonly split into two subsystems - Programmable Logic Controllers (PLCs) and Supervisory Control And Data Acquisition (SCADA) systems - to achieve high safety, allow engineers to observe the states of an ICS, and perform various configuration updates. Before wide adoption of the Internet, ICSs relied on air-gap security measures, where the ICS network was isolated from other networks, including the Internet, by a physical disconnect [1]. This level of security allowed ICS protocol designers to concentrate on the availability and safety of operation of physical systems while decreasing the need for many cyber security implementations. As the price of networking devices fell and the Internet received global adoption, many businesses became interested in the benefits of attaching ICSs to wide and global area networks. However, since ICS network protocols were originally designed for an air-gapped environment, they did not include any of the security measures needed for the proper operation of a critical protocol that exposes its packets to the Internet. This dissertation designs, implements, and evaluates a telemetry-based Intrusion Detection System (IDS). The designed IDS utilizes aggregation and analysis of traffic telemetry features to classify incoming packets as malicious or benign. An IDS that uses network telemetry was created, and it achieved a high classification accuracy, protecting nodes from malicious traffic. Such an IDS is not vulnerable to address or encryption spoofing, as it does not rely on the content of the packets to differentiate between malicious and benign traffic. The IDS uses features of timing and network sessions to determine whether the machine that sent a particular packet and its software are, in fact, a benign combination, as well as whether or not it resides on a benign network. The results of the experiments conducted for this dissertation establish that such a system can be created and used in an ICS network environment. Several features are recognized and selected as means for fingerprinting the hardware and software characteristics of the SCADA system; these can be used in tandem with machine learning algorithms to allow for high-accuracy detection of intrusions into the ICS network. The results showed that a classification accuracy of at least 95% is possible, and as the differences between machines increase, the accuracy increases too.

    A knowledge discovery approach for the detection of power grid state variable attacks

    As the level of sophistication in power system technologies increases, the amount of system state parameters being recorded also increases. This data not only provides an opportunity for monitoring and diagnostics of a power system, but it also creates an environment in which security can be maintained. Being able to extract relevant information from this pool of data is one of the key challenges still to be met in the smart grid. The potential exists for the creation of innovative power grid cybersecurity applications that harness the information gained from advanced analytics. Such analytics can be based on the extraction of key features from statistical measures of reported and contingency power system state parameters. These applications, once perfected, will be able to alert upon potential cyber intrusions, providing a framework for the creation of power system intrusion detection schemes derived from the cyber-physical perspective. With the power grid having a growing cyber dependency, these systems are increasingly becoming the target of attacks. The current power grid is undergoing a state of transition in which new monitoring and control devices are constantly being added. These newly connected devices, by means of the cyber infrastructure, are capable of executing remote control decisions along with reporting sensor data back to a centralized location. This dissertation is an examination of advanced data mining and data analytic techniques for the development of a framework for detecting malicious cyber activity in the power grid based solely on reported power system state parameters. Through this examination, results indicate the successful development of a cyber-event detection framework capable of detecting and localizing 92% of the simulated cyber-events. In focusing on specific types of intrusions, this work describes the utilization of machine learning techniques to examine key features of multiple power systems for the detection of said intrusions. System analysis is performed using the Newton-Raphson method to solve the nonlinear power system partial differential power flow equations for a 5-Bus and 14-Bus power system. This examination offers the theory and simulated implementation examples behind a context-specific detection approach for securing the current and next generation's critical infrastructure power grid.