Temporal Phase Shifts in SCADA Networks
In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is
highly periodic. Previous work showed that in many cases, it is possible to
create an automata-based model of the traffic between each individual
Programmable Logic Controller (PLC) and the SCADA server, and to use the model
to detect anomalies in the traffic. When testing the validity of previous
models, we noticed that overall, the models have difficulty in dealing with
communication patterns that change over time. In this paper we show that in
many cases the traffic exhibits phases in time, where each phase has a unique
pattern, and the transition between the different phases is rather sharp. We
suggest a method to automatically detect traffic phase shifts, and a new
anomaly detection model that incorporates multiple phases of the traffic.
Furthermore we present a new sampling mechanism for training set assembly,
which enables the model to learn all phases during the training stage with
lower complexity. The model presented has similar accuracy and much less
permissiveness compared to the previous general DFA model. Moreover, the model
can provide the operator with information about the state of the controlled
process at any given time, as seen in the traffic phases.
Comment: Full version of CPS-SPC'18 short paper
Granger Causality-based Information Fusion Applied to Electrical Measurements from Power Transformers
In the immediate future, with the increasing presence of electric vehicles and the large increase in the use of renewable energies, it will be crucial that distribution power networks are managed, supervised and exploited in a similar way to how transmission power systems were in previous decades. To achieve this, the underlying infrastructure requires automated monitoring and digitization, including smart meters, wide-band communication systems, local controllers based on electronic devices, and the Internet of Things. All of these technologies demand a huge amount of data to be curated, processed, interpreted and fused with the aim of real-time predictive control and supervision of medium/low voltage transformer substations. Wiener–Granger causality, a statistical notion of causal inference based on information fusion, could help in the prediction of electrical behaviour arising from common causal dependencies. Originally developed in econometrics, it has successfully been applied to several fields of research such as the neurosciences and is applicable to time series data in which cause precedes effect. In this paper, we demonstrate the potential of this methodology in the context of power measurements for providing theoretical models of low/medium power transformers. To our knowledge, the proposed method is the first attempt to build a data-driven power system model based on G-causality in this context. In particular, we analysed the directed functional connectivity of electrical measures, providing a statistical description of observed responses, and identified the causal structure within the data in an exploratory analysis. Pair-wise conditional G-causality of power transformers, their independent evolution in time, and their joint evolution in time and frequency are discussed and analysed in the experimental section.
Acknowledgements: This work was partly supported by the MINECO/FEDER under the RTI2018-098913-B100 project. The authors would like to acknowledge the support of CDTI (Centro para el Desarrollo Tecnológico Industrial, Ministerio de Ciencia, Innovación y Universidades and FEDER, SPAIN) under the PASTORA project (Ref.: ITC-20181102), and to thank the companies within the PASTORA consortium: Endesa, Ayesa, Ormazábal and Ingelectus. We would like to thank the reviewers for their thoughtful comments and efforts towards improving our manuscript. Finally, JM Gorriz would like to thank Dr Gómez Expósito for his helpful advice and comments.
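The pairwise conditional G-causality test the abstract relies on, worked through in code. This is an added example and not the paper's code: the transformer-like series (load current, winding temperature, ambient) are constructed so that temperature is driven by lagged load, and the F-test form of the Wiener–Granger test (restricted versus unrestricted autoregression) is the standard one, implemented here with numpy only.

```python
"""Pairwise conditional Granger causality between measurement series.
Added example, not the paper's code; all series are constructed."""
import numpy as np


def lags(s, p):
    """Rows t = p..n-1 of [s[t-1], ..., s[t-p]]."""
    n = len(s)
    return np.column_stack([s[p - k - 1 : n - k - 1] for k in range(p)])


def rss(X, y):
    """Residual sum of squares of the OLS fit y ~ X."""
    beta = np.linalg.lstsq(X, y, rcond=None)[0]
    r = y - X @ beta
    return float(r @ r)


def granger_f(y, x, others=(), p=1):
    """F statistic for H0 'lags of x add nothing to predicting y' given lags
    of y and of every series in `others` (conditional G-causality).  Under H0
    F ~ F(p, n - k); with p = 1 and a few hundred samples the 5% critical
    value is about 3.87."""
    yt = y[p:]
    restricted = np.column_stack([np.ones(len(yt)), lags(y, p)]
                                 + [lags(o, p) for o in others])
    full = np.column_stack([restricted, lags(x, p)])
    rss_r, rss_u = rss(restricted, yt), rss(full, yt)
    n, k = len(yt), full.shape[1]
    return ((rss_r - rss_u) / p) / (rss_u / (n - k))


def causality_matrix(series, p=1):
    """F[cause][effect], each test conditioned on all remaining series."""
    out = {}
    for cause in series:
        out[cause] = {}
        for effect in series:
            if cause == effect:
                continue
            others = [v for k, v in series.items() if k not in (cause, effect)]
            out[cause][effect] = granger_f(series[effect], series[cause], others, p)
    return out


def constructed_series(n=400, seed=1):
    """Constructed transformer-like signals (assumption, not measured data):
    winding temperature `temp` follows lagged load current `load`; `ambient`
    is an unrelated AR(1) nuisance series."""
    rng = np.random.default_rng(seed)
    load, temp, amb = np.zeros(n), np.zeros(n), np.zeros(n)
    for t in range(1, n):
        load[t] = 0.6 * load[t - 1] + rng.normal(0, 1.0)
        amb[t] = 0.9 * amb[t - 1] + rng.normal(0, 0.5)
        temp[t] = 0.5 * temp[t - 1] + 0.8 * load[t - 1] + rng.normal(0, 0.3)
    return {"load": load, "temp": temp, "ambient": amb}


if __name__ == "__main__":
    F = causality_matrix(constructed_series())
    for cause, row in F.items():
        for effect, f in row.items():
            print(f"{cause:>8} -> {effect:<8} F = {f:8.2f}")
```

Only the load-to-temperature direction should come out far above the critical value; the reverse direction and the ambient series should not, which is the asymmetry that lets G-causality recover a directed structure from data alone. Lag order `p` is assumed to be 1 here; on real substation data it would be chosen by an information criterion.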
Improved Efficient Two-Stage Denoising Diffusion Power System Measurement Recovery Against False Data Injection Attacks and Data Losses
Measurement uncertainties, such as those introduced by cyber-attacks and data
losses, seriously degrade the quality of power system measurements. Fortunately, the
powerful generation ability of the denoising diffusion models can enable more
precise measurement generation for power system data recovery. However, the
controllable data generation and efficient computing methods of denoising
diffusion models for deterministic trajectory still need further investigation.
To this end, this paper proposes an improved two-stage denoising diffusion
model (TSDM) to identify and reconstruct the measurements with various
measurement uncertainties. The first stage of the model comprises a
classifier-guided conditional anomaly detection component, while the second
stage involves a diffusion-based measurement imputation component. Moreover, the
proposed TSDM adopts precise means and optimal variances to accelerate the
diffusion generation process with subsequence sampling. Extensive numerical
case studies demonstrate that the proposed TSDM can accurately recover power
system measurements despite strong randomness under renewable energy
integration and highly nonlinear dynamics under complex cyber-physical
contingencies. Additionally, the proposed TSDM has stronger robustness compared
to existing reconstruction networks and exhibits lower computational complexity
than general denoising diffusion models
Sequence-aware intrusion detection in industrial control systems
Nowadays, several threats endanger cyber-physical systems. Among these systems, industrial control systems (ICS) operating in critical infrastructures have proven to be an attractive target for attackers. The case of Stuxnet has not only shown that ICSs are vulnerable to cyber-attacks, but also that some of these attacks rely on understanding the processes behind the employed systems and on using such knowledge to maximize the damage. This concept is commonly known as a "semantic attack". Our paper discusses a specific type of semantic attack involving "sequences of events". Common network intrusion detection systems (NIDS) generally search for single, unusual or "not permitted" operations. In our case, rather than a malicious event, we show how a specific series of "permitted" operations can elude standard intrusion detection systems and still damage an infrastructure. Moreover, we present a possible approach to the development of a sequence-aware intrusion detection system (S-IDS). We propose an S-IDS reference architecture and discuss all the steps of its implementation. Finally, we test the S-IDS on real ICS traffic samples captured from a water treatment and purification facility.
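A minimal version of the two ideas in the SCADA phase-shift abstract above and in this one (a per-PLC DFA over request sequences that knows about traffic phases, and alarms on runs of individually permitted operations issued out of context), added here as an example and not taken from either paper. The Modbus-style symbols, the two poll cycles and all captures are constructed; the phase-split heuristic (a burst of unseen transitions after a stable stretch) and the minimum-dwell alarm are this example's own assumptions.

```python
"""Phase-aware DFA model of periodic PLC<->SCADA traffic with sequence alarms.
Added example (not the papers' code).  Symbols are constructed Modbus-style
request labels, "function code @ register"."""

RD_LVL, RD_TMP, WR_PUMP, WR_HEAT = "FC3@1", "FC3@2", "FC6@10", "FC6@11"
FILL = [RD_LVL, RD_TMP, WR_PUMP]            # constructed "filling" poll cycle
HEAT = [RD_LVL, RD_TMP, RD_TMP, WR_HEAT]    # constructed "heating" poll cycle

# Constructed training capture: fill, then heat, then fill again.
TRAIN = FILL * 10 + HEAT * 10 + FILL * 5


def segment_phases(trace, settle=6, burst=2):
    """Cut a training trace into phases.  Assumption: a phase shift shows as a
    burst of `burst` never-seen transitions arriving after at least `settle`
    consecutive already-seen ones; novelties before that are warm-up and are
    absorbed into the current phase's DFA."""
    phases, start, cur, pending, stable = [], 0, set(), [], 0
    for i in range(1, len(trace)):
        t = (trace[i - 1], trace[i])
        if t in cur or any(t == p for _, p in pending):
            cur.update(p for _, p in pending)       # warm-up joins the phase
            pending, stable = [], stable + 1
            continue
        pending.append((i, t))
        if stable >= settle and len(pending) >= burst:
            cut = pending[0][0]                     # first symbol of the burst
            phases.append((start, cut, cur))
            start, cur = cut, {p for _, p in pending}
            pending, stable = [], 0
    cur.update(p for _, p in pending)
    phases.append((start, len(trace), cur))
    return phases


def learn_model(trace, **kw):
    """Name each distinct transition set; a phase that recurs maps to one id."""
    model = {}
    for _, _, trans in segment_phases(trace, **kw):
        key = frozenset(trans)
        if key not in model.values():
            model[f"P{len(model)}"] = key
    return model


def detect(model, trace, min_dwell=8):
    """Replay `trace` against the model.  Alarm (a) on a transition that no
    phase permits, and (b) on a phase that ends after fewer than `min_dwell`
    transitions: a run of individually permitted requests issued out of
    context, which a per-request whitelist would accept."""
    alarms, phase, dwell = [], None, 0
    for i in range(1, len(trace)):
        t = (trace[i - 1], trace[i])
        if phase is not None and t in model[phase]:
            dwell += 1
            continue
        owners = [p for p, trans in model.items() if t in trans]
        if not owners:
            alarms.append((i, "unknown transition", t))
            continue
        if phase is not None and dwell < min_dwell:
            alarms.append((i, f"short phase {phase}", dwell))
        phase, dwell = owners[0], 1
    return alarms


MODEL = learn_model(TRAIN)
# Constructed test captures.
NORMAL = FILL * 5 + HEAT * 4                          # a genuine, long-lived shift
OUT_OF_ORDER = FILL * 5 + HEAT + FILL * 3             # one heating cycle mid-fill
INJECTED = FILL * 2 + [RD_LVL, WR_HEAT] + FILL * 2    # heater write straight after a level read

if __name__ == "__main__":
    print({p: sorted(t) for p, t in MODEL.items()})
    for name, trace in [("normal", NORMAL), ("out_of_order", OUT_OF_ORDER), ("injected", INJECTED)]:
        print(name, detect(MODEL, trace))
```

The normal capture produces no alarm even though it contains a phase shift, the single heating cycle during filling is every one of its requests "permitted" yet is flagged as a short phase, and the heater write after a level read is a transition no phase contains. An unknown transition also breaks the dwell count, so it is usually followed by re-synchronisation alarms; a transition shared by two phases is attributed to the current phase first, and otherwise to the first phase in model order.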
Low delay network attributes randomization to proactively mitigate reconnaissance attacks in industrial control systems
Industrial Control Systems are used in a wide variety of industrial facilities, including critical infrastructures, and have become the main target of multiple security attacks. A successful malicious attack against these infrastructures could cause serious economic and environmental consequences, including the loss of human lives. The static network configurations and topologies that characterize Industrial Control Systems represent an advantage for attackers, allowing them to scan for vulnerable devices or services before carrying out the attack. Identifying active devices and services is often the first step of many attacks. This paper presents a proactive network reconnaissance defense mechanism based on the temporal randomization of network IP addresses, MAC addresses and port numbers. The resulting information distortion minimizes the knowledge acquired by attackers, hindering any attack that relies on network addressing. The temporal randomization of network attributes is performed adaptively, minimizing the overhead introduced in the network and avoiding errors and latency in communications. The implementation as well as the tests have been carried out in a laboratory with real industrial equipment, demonstrating the effectiveness of the presented solution.
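One way to realise the temporal randomization of IP, MAC and port described above without per-epoch signalling, added here as an example and not the paper's implementation. It assumes two translating gateways that share a secret key and a clock: each derives the same virtual identities for an epoch from HMAC(key, epoch, host), so the switch costs no message exchange, while the keyed permutation of the address space guarantees that two hosts never collide. The host inventory, subnet, key and period are constructed; the paper's adaptive choice of period is not modelled.

```python
"""Epoch-keyed randomization of IP, MAC and port for ICS hosts.  Added example,
not the paper's implementation; assumes gateways sharing KEY and a clock."""
import hashlib
import hmac
import ipaddress
import random
import struct

KEY = b"constructed-pre-shared-key"                 # assumption: shared by both gateways
SUBNET = ipaddress.ip_network("10.7.0.0/24")        # constructed virtual address range
PORT_LO, PORT_HI = 20000, 60000                     # constructed virtual port range
PERIOD = 30                                         # seconds per epoch (assumed)
HOSTS = ["plc-1", "plc-2", "hmi-1", "historian"]    # constructed inventory; index = real id


def epoch(t, period=PERIOD):
    return int(t // period)


def prf(label, ep, data=b""):
    """HMAC-SHA256(KEY, label || epoch || data) as an integer."""
    msg = label + struct.pack(">Q", ep) + data
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest(), "big")


def ip_permutation(ep):
    """Keyed Fisher-Yates shuffle of the usable host offsets: a permutation,
    so no two hosts are ever mapped onto the same virtual address."""
    rng = random.Random(prf(b"ip", ep))
    offsets = list(range(1, SUBNET.num_addresses - 1))
    rng.shuffle(offsets)
    return offsets


def virtual_identity(host_idx, service_port, t):
    """(ip, mac, port) shown on the wire for real host `host_idx` at time t."""
    ep = epoch(t)
    ip = SUBNET.network_address + ip_permutation(ep)[host_idx]
    mac = prf(b"mac", ep, HOSTS[host_idx].encode()) % (1 << 48)
    mac = (mac | 0x020000000000) & ~0x010000000000   # locally administered, unicast
    port = PORT_LO + prf(b"port", ep, f"{host_idx}:{service_port}".encode()) % (PORT_HI - PORT_LO)
    mac_str = ":".join(f"{(mac >> s) & 0xff:02x}" for s in range(40, -1, -8))
    return str(ip), mac_str, port


def resolve_ip(virtual_ip, t):
    """Gateway-side inverse: which real host owns this virtual IP right now?"""
    offset = int(ipaddress.ip_address(virtual_ip)) - int(SUBNET.network_address)
    idx = ip_permutation(epoch(t)).index(offset)
    return idx if idx < len(HOSTS) else None


def scan_view(t, service_port=502):
    """What a reconnaissance scan would record at time t."""
    return sorted(virtual_identity(i, service_port, t) for i in range(len(HOSTS)))


if __name__ == "__main__":
    for t in (0, 45):
        print(f"t={t:>3}s epoch={epoch(t)}", scan_view(t))
```

A scan taken in one epoch is stale in the next, yet the gateway can still map any current virtual address back to the real device without state. In a deployment the translation sits in front of legacy devices that are never reconfigured, and in-flight connections need to be carried across the epoch boundary, which is where the latency and error-avoidance work the abstract mentions would go.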
Topology Attacks on Power System Operation and Consequences Analysis
abstract: The large distributed electric power system is a hierarchical network involving the transportation of power from the sources of power generation via an intermediate densely connected transmission network to a large distribution network of end-users at the lowest level of the hierarchy. At each level of the hierarchy (generation/transmission/distribution), the system is managed and monitored with a combination of (a) supervisory control and data acquisition (SCADA); and (b) energy management systems (EMSs) that process the collected data and make control and actuation decisions using the collected data. However, at all levels of the hierarchy, both SCADA and EMSs are vulnerable to cyber attacks. Furthermore, given the criticality of the electric power infrastructure, cyber attacks can have severe economic and social consequences.
This thesis focuses on cyber attacks on SCADA and EMS at the transmission level of the electric power system. The goal is to study the consequences of three classes of cyber attacks that can change topology data. These classes include: (i) unobservable state-preserving cyber attacks that only change the topology data; (ii) unobservable state-and-topology cyber-physical attacks that change both states and topology data to enable a coordinated physical and cyber attack; and (iii) topology-targeted man-in-the-middle (MitM) communication attacks that alter topology data shared during inter-EMS communication. Specifically, attack classes (i) and (ii) focus on unobservable attacks on a single regional EMS, while class (iii) focuses on MitM attacks on communication links between regional EMSs. For each class of attacks, the theoretical attack model and the implementation of attacks are provided, and the worst-case attack and its consequences are exhaustively studied. In particular, for class (ii), a two-stage optimization problem is introduced to study worst-case attacks that can cause a physical line overflow that is unobservable in the cyber layer. The long-term implications and the system anomalies are demonstrated via simulation.
For attack classes (i) and (ii), both mathematical and experimental analyses suggest that these unobservable attacks can be limited or even detected with resiliency mechanisms including load monitoring, anomalous re-dispatch checking, and historical data comparison. For attack class (iii), countermeasures including anomalous tie-line interchange verification, anomalous re-dispatch alarms, and external contingency list sharing are needed to thwart such attacks.
Dissertation/Thesis: Masters Thesis, Electrical Engineering, 201
Vulnerability Analysis of False Data Injection Attacks on Supervisory Control and Data Acquisition and Phasor Measurement Units
abstract: The electric power system is monitored via an extensive network of sensors in tandem with data processing algorithms, i.e., an intelligent cyber layer, that enables continual observation and control of the physical system to ensure reliable operations. This data collection and processing system is vulnerable to cyber-attacks that impact the system operation status and lead to serious physical consequences, including systematic problems and failures.
This dissertation studies the physical consequences of unobservable false data injection (FDI) attacks wherein the attacker maliciously changes supervisory control and data acquisition (SCADA) or phasor measurement unit (PMU) measurements, on the electric power system. In this context, the dissertation is divided into three parts, in which the first two parts focus on FDI attacks on SCADA and the last part focuses on FDI attacks on PMUs.
The first part studies the physical consequences of FDI attacks on SCADA measurements designed with limited system information. The attacker is assumed to have perfect knowledge inside a sub-network of the entire system. Two classes of attacks with different assumptions on the attacker's knowledge outside of the sub-network are introduced. In particular, for the second class of attacks, the attacker is assumed to have no information outside of the attack sub-network, but can perform multiple linear regression to learn the relationship between the external network and the attack sub-network with historical data. To determine the worst possible consequences of both classes of attacks, a bi-level optimization problem wherein the first level models the attacker's goal and the second level models the system response is introduced.
The second part of the dissertation concentrates on analyzing the vulnerability of systems to FDI attacks from the perspective of the system. To this end, an off-line vulnerability analysis framework is proposed to identify the subsets of the test system that are more prone to FDI attacks.
The third part studies the vulnerability of PMUs to FDI attacks. Two classes of more sophisticated FDI attacks that capture the temporal correlation of PMU data are introduced. Such attacks are designed with a convex optimization problem and can always bypass both the bad data detector and the low-rank decomposition (LD) detector.
Dissertation/Thesis: Doctoral Dissertation, Electrical Engineering, 201
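The unobservable FDI attack on SCADA measurements that this dissertation and the topology-attack thesis above both build on, worked through on a constructed 3-bus DC model. This is an added example, not the dissertation's code: the network, the noise vector, the attacker's state shift `c` and the chi-square threshold are assumptions, and the attacker is given full knowledge of the measurement matrix H (the limited-knowledge variants studied in the first part are not modelled). It shows the classic result that an attack vector a = Hc shifts the estimated state by exactly c and leaves the residual, and hence the bad data detector, untouched, whereas tampering with a single measurement is caught at once.

```python
"""Unobservable false data injection against DC state estimation.  Added
example, not the dissertation's code; network, noise and attack are constructed."""
import numpy as np

NBUS, REF = 3, 0
LINES = [(0, 1, 10.0), (0, 2, 5.0), (1, 2, 8.0)]   # (from, to, susceptance), constructed
SIGMA = 0.01                                        # assumed per-measurement std (p.u.)
CHI2_95_4DOF = 9.488                                # m - n = 6 - 2 degrees of freedom, 5% level


def measurement_matrix():
    """H such that z = H theta for 3 line flows followed by 3 bus injections;
    the reference bus angle is fixed at 0 and dropped from the state."""
    B = np.zeros((NBUS, NBUS))
    Hf = np.zeros((len(LINES), NBUS))
    for k, (i, j, b) in enumerate(LINES):
        B[i, i] += b
        B[j, j] += b
        B[i, j] -= b
        B[j, i] -= b
        Hf[k, i], Hf[k, j] = b, -b
    return np.delete(np.vstack([Hf, B]), REF, axis=1)


def wls_estimate(H, z, sigma=SIGMA):
    """Weighted least squares state (equal weights) and the normalised
    residual J(x) = r'r / sigma^2 that the bad data detector thresholds."""
    x = np.linalg.lstsq(H, z, rcond=None)[0]
    r = z - H @ x
    return x, float(r @ r) / sigma ** 2


def unobservable_attack(H, c):
    """a = H c: the estimate moves by exactly c while the residual is unchanged."""
    return H @ c


def run():
    H = measurement_matrix()
    theta = np.array([-0.05, -0.08])               # true angles of buses 1, 2 (constructed)
    noise = np.array([0.004, -0.003, 0.002, 0.005, -0.006, 0.001])   # constructed
    z = H @ theta + noise
    x_clean, J_clean = wls_estimate(H, z)

    c = np.array([0.03, -0.02])                    # attacker's chosen state shift (assumed)
    x_att, J_att = wls_estimate(H, z + unobservable_attack(H, c))

    naive = z.copy()
    naive[0] += 0.5                                # tamper one flow measurement only
    _, J_naive = wls_estimate(H, naive)

    flows = H[:len(LINES)]                         # rows that map states to line flows
    return {
        "J_clean": J_clean, "J_attacked": J_att, "J_naive": J_naive,
        "alarm_attacked": J_att > CHI2_95_4DOF,
        "alarm_naive": J_naive > CHI2_95_4DOF,
        "max_shift_error": float(np.max(np.abs((x_att - x_clean) - c))),
        "flow_shift": [round(float(v), 6) for v in flows @ (x_att - x_clean)],
    }


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k:>16}: {v}")
```

The operator's estimated line flows move by H_flow·c (here by -0.3, 0.1 and 0.4 p.u.) with no alarm, which is the physical consequence the dissertation quantifies with its bi-level formulation; the residual test only ever sees what lies outside the column space of H. The countermeasures listed in the topology-attack thesis above (load monitoring, re-dispatch checks, historical comparison) work precisely because they consult information that is not a function of the same H.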
Undetectable GPS-Spoofing Attack on Time Series Phasor Measurement Unit Data
The Phasor Measurement Unit (PMU) is an important metering device for the
smart grid. Like any other Intelligent Electronic Device (IED), PMUs are prone
to various types of cyberattacks. However, one form of attack is unique to the
PMU: the GPS-spoofing attack, where the time and/or the one-second pulse (1 PPS)
that enables time synchronization is modified and the measurements are computed
using the modified time reference. This article exploits the vulnerability of
PMUs in their GPS time synchronization signal. First, the paper proposes an
undetectable gradual GPS-spoofing attack with a small incremental angle
deviation over time. The angle deviation changes the power flow calculation
through the branches of the grid without alerting the System Operator (SO)
during off-peak hours. The attacker keeps instigating slow incremental variations
in the power flow calculation caused by GPS-spoofing relentlessly over a long
period of time, with the goal of making the calculated power flow breach the MVA
limit of the branch at peak hour. The attack is applied by solving a convex
optimization criterion at regular time intervals, so that after a specific time
period the attack vector incurs a significant change in the angle measurements
transmitted by the PMU. Second, while the attack modifies the angle measurements
through GPS-spoofing, it ensures the undetectability of the phase angle
variation by keeping the attack vector below the attack detection threshold.
The proposed attack model is tested against Weighted Least Squared Error (WLSE),
Kalman filtering, and Hankel-matrix based GPS-spoofing attack detection models.
Finally, we propose a detection method based on the gradient of the low-rank
approximation of the Hankel matrix to detect such relentless, small,
incremental GPS-spoofing attacks.
Using SCADA data for wind turbine condition monitoring - a review
The ever increasing size of wind turbines and the move to build them offshore have accelerated the need for optimised maintenance strategies in order to reduce operating costs. Predictive maintenance requires detailed information on the condition of turbines. Due to the high costs of dedicated condition monitoring systems based on mainly vibration measurements, the use of data from the turbine Supervisory Control And Data Acquisition (SCADA) system is appealing. This review discusses recent research using SCADA data for failure detection and condition monitoring, focussing on approaches which have already proved their ability to detect anomalies in data from real turbines. Approaches are categorised as (i) trending, (ii) clustering, (iii) normal behaviour modelling, (iv) damage modelling and (v) assessment of alarms and expert systems. Potential for future research on the use of SCADA data for advanced turbine condition monitoring is discussed