
    Temporal Phase Shifts in SCADA Networks

    In Industrial Control Systems (ICS/SCADA), machine-to-machine data traffic is highly periodic. Previous work showed that in many cases it is possible to create an automata-based model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that, overall, the models have difficulty dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore, we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity. The model presented has similar accuracy and much less permissiveness compared to the previous general DFA model. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.
    Comment: Full version of CPS-SPC'18 short paper

    Granger Causality-based Information Fusion Applied to Electrical Measurements from Power Transformers.

    In the immediate future, with the increasing presence of electric vehicles and the large increase in the use of renewable energies, it will be crucial that distribution power networks are managed, supervised and exploited in a similar way as the transmission power systems were in previous decades. To achieve this, the underlying infrastructure requires automated monitoring and digitization, including smart meters, wide-band communication systems, electronic-device-based local controllers, and the Internet of Things. All of these technologies demand a huge amount of data to be curated, processed, interpreted and fused with the aim of real-time predictive control and supervision of medium/low voltage transformer substations. Wiener–Granger causality, a statistical notion of causal inference based on information fusion, could help in the prediction of electrical behaviour arising from common causal dependencies. Originally developed in econometrics, it has successfully been applied to several fields of research such as the neurosciences and is applicable to time series data whereby cause precedes effect. In this paper, we demonstrate the potential of this methodology in the context of power measures for providing theoretical models of low/medium power transformers. To our knowledge, the proposed method is the first attempt in this context to build a data-driven power system model based on G-causality. In particular, we analysed the directed functional connectivity of electrical measures, providing a statistical description of observed responses, and identified the causal structure within the data in an exploratory analysis. Pair-wise conditional G-causality of power transformers, their independent evolution in time, and the joint evolution in time and frequency are discussed and analysed in the experimental section.
    This work was partly supported by the MINECO/FEDER under the RTI2018-098913-B100 project. The authors would like to acknowledge the support of CDTI (Centro para el Desarrollo Tecnológico Industrial, Ministerio de Ciencia, Innovación y Universidades and FEDER, SPAIN) under the PASTORA project (Ref.: ITC-20181102), and to thank the companies within the PASTORA consortium: Endesa, Ayesa, Ormazábal and Ingelectus. We would like to thank the reviewers for their thoughtful comments and efforts towards improving our manuscript. Finally, JM Gorriz would like to thank Dr Gómez Expósito for his helpful advice and comments.

    Improved Efficient Two-Stage Denoising Diffusion Power System Measurement Recovery Against False Data Injection Attacks and Data Losses

    Measurement uncertainties, represented by cyber-attacks and data losses, seriously degrade the quality of power system measurements. Fortunately, the powerful generation ability of denoising diffusion models can enable more precise measurement generation for power system data recovery. However, controllable data generation and efficient computing methods of denoising diffusion models for deterministic trajectories still need further investigation. To this end, this paper proposes an improved two-stage denoising diffusion model (TSDM) to identify and reconstruct measurements with various measurement uncertainties. The first stage of the model comprises a classifier-guided conditional anomaly detection component, while the second stage involves a diffusion-based measurement imputation component. Moreover, the proposed TSDM adopts precise means and optimal variances to accelerate the diffusion generation process with subsequence sampling. Extensive numerical case studies demonstrate that the proposed TSDM can accurately recover power system measurements despite strong randomness under renewable energy integration and highly nonlinear dynamics under complex cyber-physical contingencies. Additionally, the proposed TSDM has stronger robustness compared to existing reconstruction networks and exhibits lower computational complexity than general denoising diffusion models.

    Sequence-aware intrusion detection in industrial control systems

    Nowadays, several threats endanger cyber-physical systems. Among these systems, industrial control systems (ICS) operating on critical infrastructures have been proven to be an attractive target for attackers. The case of Stuxnet has not only shown that ICSs are vulnerable to cyber-attacks, but also that some of these attacks rely on understanding the processes behind the employed systems and using such knowledge to maximize the damage. This concept is commonly known as a "semantic attack". Our paper discusses a specific type of semantic attack involving "sequences of events". Common network intrusion detection systems (NIDS) generally search for single, unusual or "not permitted" operations. In our case, rather than a malicious event, we show how a specific series of "permitted" operations can elude standard intrusion detection systems and still damage an infrastructure. Moreover, we present a possible approach to the development of a sequence-aware intrusion detection system (S-IDS). We propose an S-IDS reference architecture and we discuss all the steps of its implementation. Finally, we test the S-IDS on real ICS traffic samples captured from a water treatment and purification facility.
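    The two ideas above, a DFA learned from periodic PLC/SCADA traffic that is split into phases (the phase-shift paper) and a detector that flags a sequence of individually permitted operations (this paper), can be illustrated together. The block below is an added example and is not code from either paper. Its assumptions are mine: each request is abstracted to a (function, register, value) symbol, the model is a first-order transition set (a DFA whose state is the last request), phases are segmented by comparing the transition sets of fixed windows, and a switch to another phase sooner than `min_dwell` requests after the previous switch counts as anomalous. All traffic is constructed, not captured from a real facility.

```python
"""Sequence-aware and phase-aware anomaly detection over ICS request traffic.

Added example; it is not code from either paper.  Assumptions (mine, not the
papers'): each request is abstracted to a (function, register, value) symbol;
the learned model is a first-order transition set, i.e. a DFA whose state is
the last request seen; phases are segmented by comparing the transition sets
of fixed-size windows; and a switch to another phase sooner than `min_dwell`
requests after the previous switch is treated as anomalous.  All traffic below
is constructed, not captured.
"""

# Constructed Modbus-like request symbols: (function, register, value).
R_LEVEL = ("read", 40001, None)
R_FLOW = ("read", 40002, None)
R_PRESSURE = ("read", 40003, None)
W_PUMP_ON = ("write", 40010, 1)
W_PUMP_OFF = ("write", 40010, 0)
W_VALVE_OPEN = ("write", 40011, 1)
W_VALVE_CLOSE = ("write", 40011, 0)

FILL_CYCLE = [R_LEVEL, R_FLOW, W_PUMP_ON, W_VALVE_OPEN]
DRAIN_CYCLE = [R_LEVEL, W_PUMP_OFF, W_VALVE_CLOSE, R_PRESSURE]
# Benign training capture: ten filling cycles, then ten draining cycles.
TRAINING = FILL_CYCLE * 10 + DRAIN_CYCLE * 10


def edges(trace):
    """Set of (previous, next) request pairs seen in a trace."""
    return set(zip(trace, trace[1:]))


def jaccard_distance(a, b):
    return 0.0 if not (a or b) else 1.0 - len(a & b) / len(a | b)


def segment_phases(trace, window=8, threshold=0.5):
    """Return [(start_index, transition_set), ...].

    A new phase starts where a window's transition set is far (Jaccard
    distance above `threshold`) from the model of the current phase;
    otherwise the window extends the current phase's model."""
    phases = []
    for start in range(0, len(trace) - 1, window):
        seen = edges(trace[start:start + window + 1])  # window+1 symbols = window edges
        if phases and jaccard_distance(phases[-1][1], seen) <= threshold:
            phases[-1][1].update(seen)
        else:
            phases.append([start, set(seen)])
    return [(s, frozenset(e)) for s, e in phases]


PHASE_MODELS = [model for _, model in segment_phases(TRAINING)]


def detect(trace, models=PHASE_MODELS, min_dwell=8):
    """Replay a trace against the multi-phase model; return (index, request, reason).

    Alerts: an operation never seen in training; a permitted operation whose
    (previous, current) edge is valid in no phase (permitted operations in an
    unseen order); or a phase switch sooner than `min_dwell` requests after
    the previous one."""
    known = {sym for model in models for edge in model for sym in edge}
    alerts, phase, since_switch = [], 0, min_dwell
    for i, edge in enumerate(zip(trace, trace[1:]), start=1):
        since_switch += 1
        if edge[1] not in known:
            alerts.append((i, edge[1], "unknown operation"))
        elif edge not in models[phase]:
            other = next((p for p, m in enumerate(models) if edge in m), None)
            if other is None:
                alerts.append((i, edge[1], "permitted operation, unexpected order"))
            else:
                if since_switch < min_dwell:
                    alerts.append((i, edge[1], "phase switch too soon"))
                phase, since_switch = other, 0
    return alerts


def detect_general_dfa(trace, models=PHASE_MODELS):
    """Baseline: one DFA built from the union of all phases (more permissive)."""
    union = set().union(*models)
    known = {sym for edge in union for sym in edge}
    return [(i, e[1]) for i, e in enumerate(zip(trace, trace[1:]), start=1)
            if e[1] not in known or e not in union]


# Scenarios (constructed).
BENIGN = FILL_CYCLE * 3 + DRAIN_CYCLE * 3
# Every request is permitted somewhere, but "pump on, then close the valve"
# was never seen in that order: a sequence (semantic) attack.
SEQUENCE_ATTACK = FILL_CYCLE * 2 + [R_LEVEL, R_FLOW, W_PUMP_ON, W_VALVE_CLOSE] + FILL_CYCLE
# Alternating one filling and one draining cycle: every edge is in the union
# DFA, but phases that normally last 40 requests now flip every 4.
PHASE_FLAPPING = (FILL_CYCLE + DRAIN_CYCLE) * 3
UNKNOWN_WRITE = FILL_CYCLE + [("write", 40099, 1)] + FILL_CYCLE

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN), ("sequence attack", SEQUENCE_ATTACK),
                        ("phase flapping", PHASE_FLAPPING), ("unknown write", UNKNOWN_WRITE)]:
        print(f"{name}: phase-aware={detect(trace)} general={detect_general_dfa(trace)}")
```

    Both detectors catch the reordered pump/valve writes, because that edge appears in no phase. The difference is permissiveness: the union DFA accepts the flapping trace outright, while the phase-aware model, which also knows that phases last tens of requests, raises an alert at every premature switch. The price is the `min_dwell` parameter, which must be chosen from the training capture, and a first-order model cannot see an attack that only reorders requests two or more steps apart; a longer-memory automaton would be needed for that.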

    Low delay network attributes randomization to proactively mitigate reconnaissance attacks in industrial control systems

    Industrial Control Systems are used in a wide variety of industrial facilities, including critical infrastructures, and have become the main target of multiple security attacks. A malicious and successful attack against these infrastructures could cause serious economic and environmental consequences, including the loss of human lives. The static network configurations and topologies that characterize Industrial Control Systems represent an advantage for attackers, allowing them to scan for vulnerable devices or services before carrying out the attack. Identifying active devices and services is often the first step for many attacks. This paper presents a proactive network reconnaissance defense mechanism based on the temporal randomization of network IP addresses, MAC addresses and port numbers. The resulting information distortion minimizes the knowledge acquired by attackers, hindering any attack that relies on network addressing. The temporal randomization of network attributes is performed in an adaptive way, minimizing the overhead introduced in the network and avoiding any error and latency in communications. The implementation as well as the tests have been carried out in a laboratory with real industrial equipment, demonstrating the effectiveness of the presented solution.

    Topology Attacks on Power System Operation and Consequences Analysis

    The large distributed electric power system is a hierarchical network involving the transportation of power from the sources of power generation via an intermediate densely connected transmission network to a large distribution network of end-users at the lowest level of the hierarchy. At each level of the hierarchy (generation/transmission/distribution), the system is managed and monitored with a combination of (a) supervisory control and data acquisition (SCADA); and (b) energy management systems (EMSs) that process the collected data and make control and actuation decisions using the collected data. However, at all levels of the hierarchy, both SCADA and EMSs are vulnerable to cyber attacks. Furthermore, given the criticality of the electric power infrastructure, cyber attacks can have severe economic and social consequences. This thesis focuses on cyber attacks on SCADA and EMS at the transmission level of the electric power system. The goal is to study the consequences of three classes of cyber attacks that can change topology data. These classes include: (i) unobservable state-preserving cyber attacks that only change the topology data; (ii) unobservable state-and-topology cyber-physical attacks that change both states and topology data to enable a coordinated physical and cyber attack; and (iii) topology-targeted man-in-the-middle (MitM) communication attacks that alter topology data shared during inter-EMS communication. Specifically, attack classes (i) and (ii) focus on unobservable attacks on a single regional EMS, while class (iii) focuses on MitM attacks on communication links between regional EMSs. For each class of attacks, the theoretical attack model and the implementation of the attacks are provided, and the worst-case attack and its consequences are exhaustively studied.
    In particular, for class (ii), a two-stage optimization problem is introduced to study worst-case attacks that can cause a physical line overflow that is unobservable in the cyber layer. The long-term implications and the system anomalies are demonstrated via simulation. For attack classes (i) and (ii), both mathematical and experimental analyses suggest that these unobservable attacks can be limited or even detected with resiliency mechanisms including load monitoring, anomalous re-dispatch checking, and historical data comparison. For attack class (iii), countermeasures including anomalous tie-line interchange verification, anomalous re-dispatch alarms, and external contingency list sharing are needed to thwart such attacks.
    Dissertation/Thesis: Masters Thesis, Electrical Engineering, 201

    Vulnerability Analysis of False Data Injection Attacks on Supervisory Control and Data Acquisition and Phasor Measurement Units

    The electric power system is monitored via an extensive network of sensors in tandem with data processing algorithms, i.e., an intelligent cyber layer, that enables continual observation and control of the physical system to ensure reliable operation. This data collection and processing system is vulnerable to cyber-attacks that impact the system operation status and lead to serious physical consequences, including systematic problems and failures. This dissertation studies the physical consequences, on the electric power system, of unobservable false data injection (FDI) attacks wherein the attacker maliciously changes supervisory control and data acquisition (SCADA) or phasor measurement unit (PMU) measurements. In this context, the dissertation is divided into three parts, in which the first two parts focus on FDI attacks on SCADA and the last part focuses on FDI attacks on PMUs. The first part studies the physical consequences of FDI attacks on SCADA measurements designed with limited system information. The attacker is assumed to have perfect knowledge inside a sub-network of the entire system. Two classes of attacks with different assumptions on the attacker's knowledge outside of the sub-network are introduced. In particular, for the second class of attacks, the attacker is assumed to have no information outside of the attack sub-network, but can perform multiple linear regression to learn the relationship between the external network and the attack sub-network from historical data. To determine the worst possible consequences of both classes of attacks, a bi-level optimization problem is introduced wherein the first level models the attacker's goal and the second level models the system response. The second part of the dissertation concentrates on analyzing the vulnerability of systems to FDI attacks from the perspective of the system.
    To this end, an off-line vulnerability analysis framework is proposed to identify the subsets of the test system that are more prone to FDI attacks. The third part studies the vulnerability of PMUs to FDI attacks. Two classes of more sophisticated FDI attacks that capture the temporal correlation of PMU data are introduced. Such attacks are designed with a convex optimization problem and can always bypass both the bad data detector and the low-rank decomposition (LD) detector.
    Dissertation/Thesis: Doctoral Dissertation, Electrical Engineering, 201
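    The "unobservable" property the dissertation builds on is the classic one for linear (DC) state estimation: an injection that lies in the column space of the measurement matrix changes the estimated state but leaves the bad-data residual untouched. The block below is an added example, not the dissertation's code or test system; it uses a constructed 3-bus DC model with one reference bus, uniform measurement noise of sigma = 0.01 p.u., and a chi-square bad-data test at the 99% level, and it assumes the attacker knows the full measurement matrix H (the dissertation's contribution is precisely the limited-knowledge case, which this example does not model). Only the standard library is used.

```python
"""Unobservable false data injection (FDI) against DC state estimation.

Added example; it is not the dissertation's code and uses a constructed 3-bus
DC power-flow model, not the author's test systems.  Assumptions: unit-less
susceptances, bus 1 as the angle reference, one RTU reporting three line
flows and two bus injections, Gaussian noise with sigma = 0.01 p.u., a
chi-square bad-data test with a 99% threshold, and an attacker who knows H.
"""
SIGMA = 0.01                 # assumed measurement noise std (p.u.)
CHI2_THRESHOLD = 11.345      # chi-square 99% quantile, 5 - 2 = 3 degrees of freedom

# Measurement matrix H (rows: P12, P13, P23, P2, P3; columns: theta2, theta3)
# for lines 1-2 (b=10), 1-3 (b=5), 2-3 (b=8); bus 1 is the reference (theta1 = 0).
H = [
    [-10.0, 0.0],
    [0.0, -5.0],
    [8.0, -8.0],
    [18.0, -8.0],
    [-8.0, 13.0],
]
X_TRUE = [-0.04, -0.07]                           # true bus angles (rad), constructed
NOISE = [0.004, -0.003, 0.002, -0.005, 0.006]     # constructed, fixed noise sample
C = [0.01, 0.03]                                  # attacker's desired shift of (theta2, theta3)


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def transpose(m):
    return [list(col) for col in zip(*m)]


def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]


def inv2(m):
    (a, b), (c, d) = m
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]


def wls_estimate(z):
    """Weighted least squares x = (H' W H)^-1 H' W z.  With W = I / sigma^2
    (uniform weights) the scalar cancels, so this is the ordinary LS solution."""
    ht = transpose(H)
    gain = inv2(matmul(ht, H))
    return matvec(gain, matvec(ht, z))


def bad_data_statistic(z):
    """J = sum((z - H x_hat)^2) / sigma^2; bad data is declared if J > threshold."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, wls_estimate(z)))]
    return sum((ri / SIGMA) ** 2 for ri in r)


def stealthy_attack(c):
    """a = H c lies in the column space of H: the residual is unchanged and the
    state estimate shifts by exactly c, so the bad-data test cannot see it."""
    return matvec(H, c)


def run_demo():
    z = [zt + n for zt, n in zip(matvec(H, X_TRUE), NOISE)]
    naive = [zi + (0.2 if i == 0 else 0.0) for i, zi in enumerate(z)]   # corrupt P12 only
    stealthy = [zi + ai for zi, ai in zip(z, stealthy_attack(C))]
    x_clean, x_att = wls_estimate(z), wls_estimate(stealthy)
    return {
        "x_clean": x_clean,
        "J_clean": bad_data_statistic(z),
        "J_naive": bad_data_statistic(naive),
        "J_stealthy": bad_data_statistic(stealthy),
        "state_shift": [xa - xc for xa, xc in zip(x_att, x_clean)],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

    Corrupting a single flow measurement drives J far above the threshold, whereas the structured vector H c passes with the same J as the clean data while moving both estimated angles by exactly C. That is the defender's lesson as well: a residual test alone cannot distinguish a consistent lie from the truth, which is why the dissertation turns to limiting the attacker's knowledge of H and to off-line analysis of which measurement subsets are most exposed.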

    Undetectable GPS-Spoofing Attack on Time Series Phasor Measurement Unit Data

    The Phasor Measurement Unit (PMU) is an important metering device for the smart grid. Like any other Intelligent Electronic Device (IED), PMUs are prone to various types of cyberattacks. However, one form of attack is unique to the PMU: the GPS-spoofing attack, where the time and/or the one-second pulse (1 PPS) that enables time synchronization is modified and the measurements are computed using the modified time reference. This article exploits the vulnerability of PMUs in their GPS time synchronization signal. At first, the paper proposes an undetectable gradual GPS-spoofing attack with small incremental angle deviation over time. The angle deviation changes the power flow calculation through the branches of the grid, without alerting the System Operator (SO) during off-peak hours. The attacker keeps instigating slow incremental variation in the power flow calculation caused by GPS-spoofing relentlessly over a long period of time, with the goal of making the calculated power flow breach the MVA limit of the branch at peak hour. The attack is applied by solving a convex optimization criterion at regular time intervals, so that after a specific time period the attack vector incurs a significant change in the angle measurements transmitted by the PMU. Secondly, while the attack modifies the angle measurements through GPS-spoofing, it ensures the undetectability of the phase angle variation by keeping the attack vector below the attack detection threshold. The proposed attack model is tested with Weighted Least Squared Error (WLSE), Kalman Filtering, and Hankel-matrix based GPS-spoofing attack detection models. Finally, we propose a gradient of low-rank approximation of the Hankel matrix as a detection method for such relentless, small incremental GPS-spoofing attacks.
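    The evasion mechanism described above is simple to reproduce: a detector that only looks at the change between consecutive reports never sees a step larger than its threshold, yet the accumulated offset still pushes a computed line flow past its rating. The block below is an added example, not the article's code. Its assumptions are mine: a constructed benign angle series, a fixed per-interval attack increment DELTA in place of the article's per-interval convex optimization, a per-sample change detector with threshold TAU as the stand-in for the residual-threshold detectors the article tests against, and a two-sided CUSUM drift check used as a simple stand-in for the article's Hankel-matrix gradient method. Line parameters and the MVA limit are constructed as well.

```python
"""Gradual GPS-spoofing drift on PMU phase angles versus a per-sample detector.

Added example; not the article's code.  Assumptions (mine): a constructed
benign angle series, a fixed per-interval attack increment DELTA instead of
the article's per-interval convex optimisation, a per-sample change detector
that alerts when the angle moves more than TAU between reports, and a
two-sided CUSUM drift check as a stand-in for the article's Hankel-matrix
gradient method.  Line parameters and the MVA limit are also constructed.
"""
import math

TAU = 0.5            # per-sample detection threshold (degrees), assumed
DELTA = 0.4          # attacker's per-interval angle increment, kept below TAU
ATTACK_START = 5     # index of the first spoofed report
N_REPORTS = 26

V1 = V2 = 1.0        # p.u. bus voltages
X_LINE = 0.5         # p.u. line reactance (S_base = 100 MVA)
MVA_LIMIT = 100.0    # branch rating, constructed


def benign_angles(n=N_REPORTS):
    """Constructed benign angle difference across the line: about 25 degrees
    with a small slow wobble, so consecutive reports differ by far less than TAU."""
    return [25.0 + 0.05 * math.sin(t / 3) for t in range(n)]


def spoofed_angles(n=N_REPORTS, delta=DELTA, start=ATTACK_START):
    """Each report from `start` on carries the previous offset plus `delta`:
    the spoofed 1 PPS reference drifts, and the reported angle drifts with it."""
    return [theta + (delta * (t - start + 1) if t >= start else 0.0)
            for t, theta in enumerate(benign_angles(n))]


def flow_mw(angle_deg):
    """DC-style active power flow P = V1 V2 sin(theta) / X, scaled to MW."""
    return 100.0 * V1 * V2 * math.sin(math.radians(angle_deg)) / X_LINE


def per_sample_alerts(angles, tau=TAU):
    """Indices whose change from the previous report exceeds tau."""
    return [t for t in range(1, len(angles)) if abs(angles[t] - angles[t - 1]) > tau]


def cusum_alert(angles, allowance=0.1, threshold=1.0):
    """Two-sided CUSUM on per-report increments: accumulate drift beyond
    `allowance` in either direction and return the first index at which the
    accumulated drift exceeds `threshold`, else None."""
    s_hi = s_lo = 0.0
    for t in range(1, len(angles)):
        d = angles[t] - angles[t - 1]
        s_hi = max(0.0, s_hi + d - allowance)
        s_lo = max(0.0, s_lo - d - allowance)
        if max(s_hi, s_lo) > threshold:
            return t
    return None


def run_demo():
    benign, spoofed = benign_angles(), spoofed_angles()
    return {
        "benign_final_mw": flow_mw(benign[-1]),
        "spoofed_final_mw": flow_mw(spoofed[-1]),
        "per_sample_alerts": per_sample_alerts(spoofed),
        "cusum_alert_at": cusum_alert(spoofed),
        "benign_cusum_alert_at": cusum_alert(benign),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

    Twenty-one increments of 0.4 degrees, each under the 0.5-degree threshold, add up to 8.4 degrees and move the computed flow from about 85 MW to about 110 MW on a 100 MVA branch, and the per-sample detector never fires. Any detector with memory of the trajectory, here a CUSUM that trips on the fourth spoofed report, sees the drift; the article's Hankel-matrix gradient exploits the same idea with a model of the signal's low-rank structure rather than a fixed allowance, which is what lets it separate slow attacks from legitimate operating-point changes.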

    Using SCADA data for wind turbine condition monitoring - a review

    The ever increasing size of wind turbines and the move to build them offshore have accelerated the need for optimised maintenance strategies in order to reduce operating costs. Predictive maintenance requires detailed information on the condition of turbines. Due to the high costs of dedicated condition monitoring systems based mainly on vibration measurements, the use of data from the turbine Supervisory Control And Data Acquisition (SCADA) system is appealing. This review discusses recent research using SCADA data for failure detection and condition monitoring, focussing on approaches which have already proved their ability to detect anomalies in data from real turbines. Approaches are categorised as (i) trending, (ii) clustering, (iii) normal behaviour modelling, (iv) damage modelling and (v) assessment of alarms and expert systems. Potential for future research on the use of SCADA data for advanced turbine condition monitoring is discussed.