PreprintPDF Available


Electric substations play an important role in the proper functioning of power grid systems. Recent incidents such as the Ukraine case have demonstrated the high risk of attacks against substations. A wealth of existing and emerging cyber defense mechanisms have been suggested for protecting substations, each with different defense objectives and using a variety of approaches that have their own strength and weakness. In this paper, we propose a pragmatic framework for reasoning about the different mechanisms by allowing critical comparisons of their features and the planning of their composition. The scope of our framework is general and can cover heterogeneous defense mechanisms, such as software integrity and physical zoning. We define specific criteria in our framework to compare those defense mechanisms in order to generate pragmatic deployment suggestions. We demonstrate the benefits of our framework by conducting a case study inspired by the Ukraine attack.
Tabulating Cybersecurity Solutions for Substations:
Towards Pragmatic Design and Planning
Heng Chuan Tan, Carmen Cheh, Binbin Chen, Daisuke Mashima
Advanced Digital Sciences Center, Singapore University of Illinois at Urbana Champaign, USA
Email: {hc.tan,Binbin.chen,Daisuke.m},
Abstract—Electric substations play an important role in the
proper functioning of power grid systems. Recent incidents
such as the Ukraine case have demonstrated the high risk of
attacks against substations. A wealth of existing and emerging
cyber defense mechanisms have been suggested for protecting
substations, each with different defense objectives and using a
variety of approaches that have their own strength and weakness.
In this paper, we propose a pragmatic framework for reasoning
about the different mechanisms by allowing critical comparisons
of their features and the planning of their composition. The scope
of our framework is general and can cover heterogeneous defense
mechanisms, such as software integrity and physical zoning.
We define specific criteria in our framework to compare those
defense mechanisms in order to generate pragmatic deployment
suggestions. We demonstrate the benefits of our framework by
conducting a case study inspired by the Ukraine attack.
The substation is an integral part of the Smart Grid (SG),
providing seamless power to the end-users. Its main function
is to regulate the voltage for transmission and distribution [1].
As the demand for electricity increases, multivendor devices
with proprietary protocols have become commonplace in
substations. To address the interoperability issues, the IEC
61850 standard has developed a common communication
profile for exchanging information across vendors, settings
and device types [2]. The result of this standardization is
the formulation of abstract data objects that can be mapped
to various protocols, such as the Manufacturing Message
Specification (MMS), the Generic Object Oriented Substation
Event (GOOSE), and the Sampled Measured Values (SMV).
Despite the increased connectivity, the use of IEC 61850
standard has also increased the attack surface of the substation.
Recent investigations into the power outage in Ukraine has
revealed that the cause of the disruption was actually due to
a malware called CrashOverride [3] that has the capability
to manipulate devices using the IEC 61850-based protocols.
Specifically, attackers can modify the status and sequence
numbers in the GOOSE message to cause the circuit breaker
to malfunction [4], [5], [6]. Attackers can also desynchronize
the networked measurements by attacking the Precision-Time
Protocol (PTP) [7]. In addition, implementation attacks such as
false injection attacks, hardware Trojans, and logic bombs [8]
can also compromise the Intelligent Electronic Device (IED)
and Programmable Logic Controller (PLC) at the substation
To counter those attacks, many defense solutions have been
developed and in some cases, adopted in the SG. These
solutions vary from standard IT technologies such as firewalls,
intrusion detection system (IDS), and encryption to more
sophisticated technology like deception mechanisms. While
these solutions are effective, there is no systematic approach to
reason about the different solutions and to suggest a strategic
combination of those solutions to a SG operator. To fill
this gap, we present a pragmatic framework that allows the
practitioners to conduct their own assessments and identify the
best combination of defense mechanisms that work seamlessly.
Specifically, our framework answers the following questions:
What are the strengths and weaknesses of the defense
mechanism from a business and operational perspective?
What types of assets and which attack phases can the
defense mechanism protect?
Given two defense mechanisms Aand B, do they com-
plement or oppose each other?
We believe that using our framework can facilitate the
decision-making process and allow practitioners to prioritize
defenses for quicker deployment.
Many frameworks have been proposed to guide the se-
lection of defense mechanisms. In [9], the authors proposed
two taxonomies for classifying distributed denial of service
(DDoS) attacks and their associated defenses to better un-
derstand the threats and the possible DDoS countermeasures.
In [10], the authors proposed a taxonomy for describing the
semantic attack landscape and used it to evaluate the defense
mechanisms to determine their suitability. In [11], the authors
applied the cost-benefit analysis to determine the trade-off
between the cost of detecting and the cost of responding to
intrusions to maximize the Return on Investment (ROI) for IDS
deployment. The work in [12] investigated the IDS design for
cyber-physical systems based on detection technique and data
preprocessing technique to gain insight into the effectiveness
of the various techniques. More recently, authors in [13]
proposed a new classification of attacks based on different
layers of the SG (i.e., systems layer, software layer, and
communication layer) to establish a common knowledge base
for designing effective countermeasures.
Unfortunately, these taxonomies can only compare specific
classes of defense solutions. In contrast, our framework is able
to compare general classes of defense and provide suggestions
on the composition of solutions to build a defense-in-depth
Cost Intrus-
Protection Coverage
Deployment Operating Maintenance Assets types Attack phases
Low Low Low Low Easy Dependency Immature Physical devices Reconnaissance
Medium Medium Medium Medium Moderate Conflict Partial Network access Weaponization
High High High High Hard Neutral Fully Host data Delivery
Network data Exploitation
Command & Control
Action on Objective
Note: The values for the cost metric are defined as follows: Low (<USD10,000); Medium (between USD10,000 and USD50,000); High (>USD50,000)
Our goal is to design a common set of metrics to evaluate
the various defense mechanisms. A key aspect is that the
metrics should be flexible and adaptable for most classes of
defense solutions. To achieve this goal, we consider several
criteria. First, the metric must be easy to understand. Second,
the metric should meet our design objective, i.e., for evaluating
the suitability of a defense mechanism. Lastly, the metrics
should be generic enough to allow cross-comparison between
different defense mechanisms. Following these criteria, we
define six metrics namely, Cost, Intrusiveness, Protection
Coverage, Exploitability, Compatibility, and Maturity in terms
of technology and summarize their quantitative scales of mea-
surement in Table I.
Cost defines the amount of money an organization spends
on its defenses in relation to its deployment, operation,
and maintenance aspects.
Intrusiveness defines the level of interactivity between a
defense mechanism and a host system.
Protection coverage defines the scope of protection that
a defense mechanism is intended to provide, and can be
divided into two types: asset types and attack phase 1[14].
Exploitability measures the difficulty of circumventing
the defense mechanism.
Compatibility measures the degree of dependency, i.e.,
how much each defense mechanism supports one another
to achieve defense-in-depth protection.
Maturity of the defense mechanisms defines the readiness
level of the technology.
In this section, we use the framework to review the state-
of-art defense mechanisms and summarize their strengths and
weaknesses in Table III.
1Reconnaissance refers to the act of gathering information in order to
identify vulnerabilities in the target network. Weaponization refers to a process
of coupling a exploit with a backdoor to make a deliverable payload. Delivery
refers to the process of delivering the malicious payload into the system.
Exploitation refers to the process of triggering the payload to exploit the
vulnerability. Installation refers to the process of installing a backdoor that an
attacker can use. Command and control refers to the process of establishing
a control channel for persistant access to the system. Actions on objectives
refers to a successful completion of an attack on the system.
A. Zoning
Zoning divides the system into different protection zones to
isolate and prevent failures from propagating to other parts of
the system and can be classified into two types: (1) physical
zoning, and (2) network zoning. In physical zoning, the power
grid is divided into different physical zones (e.g., transformer
zone, busbar zone, feeder zone) where each zone is protected
by an overcurrent relay [15], [16]. In network zoning, the grid
is divided into different communication zones (e.g. control
zone, corporate zone, and demilitarized zone), each protected
by firewalls and data diodes [17], [18]. A firewall is a con-
figurable device that only allows authorized traffic to access
the protected network. A data diode is a hardware that limits
communication flow in only one direction to control the flow
of sensitive data in and out of an organization [19].
Discussion: Physical and network zoning has low deploy-
ment, operating, and maintenance costs. Zoning is relatively
easy to set up although in the case of firewalls, some cus-
tomization may be required to adapt commercial firewalls to
recognize substation protocol traffic. We also note that the
setup for data diodes is irreversible after installment. After
deployment, zoning does not interfere with system operation
and thus, has low intrusiveness. Physical zoning protects the
physical devices against the last attack phase actions on
objective whereas network zoning protects network access
from being compromised by the attacker in the delivery
and reconnaissance attack phase. Although both physical
and network zoning are fully mature, physical zoning can
be moderately subverted by attackers since it only protects
against the last attack phase. Network zoning is easy to subvert
if the firewall is compromised or if there are loopholes in the
firewall rules.
B. Secure Policies and Protocols (as covered in IEC 62351)
The IEC 62351 standard proposed by WG15 of TC57 is
the current standard for providing data and communication
security in the substations. Cryptography and key management
are two key aspects mentioned in this 13-part document. It
was developed to address the security issues of the TC57
protocols, specifically the IEC 60870-5 series, the IEC 60870-
6 series, the IEC 61850 series, IEC 61970 and the IEC 61968
series [20]. The first two parts of the standard introduce various
Description Mechanism C I Au A NR Az
Part 3 - Security for any TCP/IP-based profiles TLS 333 - - -
Part 4 - Security for MMS-based profiles Transport (T)-Profile - TLS 333 - - -
Application (A)-Profile - Peer authentication using certificate - - 3-3-
Part 5 - Security for IEC 60870-5 and derivatives
such as DNP-3
Serial version - Challenge-response protocol - 3 3 - - -
Networked version - TLS with encryption only 33- - - -
Part 6 - Security for IEC 61850 profiles GOOSE and SV - Digital signature - 3 3 - - -
MMS - TLS and Peer authentication using certificate 333 -3-
Part 8 - Access control in power systems Role-Based Access Control (RBAC) - - - - - 3
Part 9 - Key management for power systems Certificate-based PKI End-to-End Security
C=Confidentiality; I=Integrity; Au=Authentication; A=Availability; NR=Non-repudiation; Az=Authorization
MMS=Manufacturing Messaging Service; GOOSE=Generic Object Oriented Substation Events; SV=Sampled Value
aspects of security as applied to power system operations.
Parts 3-6 specify security requirements for the different TC57
communication profiles, while parts 7-13 provide guidelines
on the management of information systems, including access
control and key management. Table II summarizes the various
parts of the standard, focusing in part on the security goals.
Discussion: Enforcing IEC 62351 has high deployment,
operating, and maintenance costs due to the high management
costs of deploying a Public Key Infrastructure (PKI). IEC
62351 is highly intrusive to the system because the cryp-
tographic primitives operate on the operational data, but if
deployed correctly, the standard is able to protect the network
and host data from being read and modified during the
reconnaissance and delivery attack phases. The standard is
partially mature and it is very hard to be subverted by attack-
ers due to the strong mathematical assumptions. However, the
standard does not address implementation attacks (e.g., false
injection attacks, hardware Trojans, and logic bombs [8]) on
the embedded systems [15] such as IED and PLC.
C. Intrusion Detection System (IDS)
IDS is a hardware or software application that monitors
the system’s network and/or hosts to detect any malicious
activity by using: (1) signature-based methods where system
activity is checked against a database of known attack pat-
terns, or (2) anomaly-based methods where system activity is
checked against a "normal" baseline model for any deviations.
Anomaly-based methods can be divided into statistical-based,
machine-learning based, and physics-based.
Statistical-based IDS builds a baseline model of the system
by applying statistical analysis (e.g., mean, standard deviation)
to a small sample of system activity [21], [22], [23]. On
the other hand, machine-learning based IDS uses learning
algorithms that can autonomously integrate data to build a
baseline model of the system activity. One key difference
between the machine-learning based and statistical-based IDS
is that machine-learning is more focused on data analysis
that enables the IDS to self-learn and perform prediction. For
physics-based IDS, a model describing the physical properties
or physical state of the system is derived [24], [25], [26].
The sensor data collected in real time is then compared to the
model by performing a state estimation of the physical system
or utilized for power-flow simulation.
Discussion: All the IDSes have low intrusiveness to the sys-
tem because they passively collect data and only raise alarms
to the operator. Signature-based IDS has a low deployment
cost but a medium operating and maintenance cost because
of the need to update the signature database regularly, and as
the size of the database increases, the processing load also
increases. All the anomaly-based IDSes have low operating
cost because they do not need to be updated. Of the anomaly-
based IDSes, physics-based IDSes has the highest deployment
and maintenance costs, followed by machine-learning based
IDS with a medium deployment and maintenance cost, and
statistical-based IDS with a low deployment and mainte-
nance cost. That is because physics-based IDS requires expert
knowledge about the system and real-time operational data to
build the “physics” model of the system and manual tuning
after deployment to ensure its accuracy. Although machine-
learning approach requires a large number of training samples
to produce meaningful results [27], [28], it only needs to be
trained once during the deployment phase followed by periodic
retraining during the maintenance phase.
All the IDSes protect the network data and the physics-
based IDS additionally protects host data from being mod-
ified by comparing actual sensor measurements to predicted
ones produced by the state estimation. All the IDSes protect
against the reconnaissance, delivery, exploitation, installa-
tion, command and control, and actions on objective attack
phases. Signature-based and statistical-based IDS are easy to
be subverted. For instance, zero-day attacks are not captured
by signature-based IDS, whereas statistical-based IDS is prone
to data corruption due to the limited number of samples to
build its baseline model. Machine-learning based IDS is more
difficult (moderate) to be subverted but is susceptible to data
poisoning attacks during the learning phase. Physics-based
IDS is hard to be subverted since the attacker needs to ensure
the physical constraints of the system is fulfilled. In general,
anomaly-based IDSes suffer from a high false positive/negative
rate. Thus, anomaly-based IDSes are partially mature whereas
signature-based IDSes are fully mature.
Cost Protection Coverage Mat-
Defense mechanism Deployment Operating Maint.
iveness Asset Type Attack Phase
Physical Low Low Low Low PD AoO Moderate Fully
Zoning Network Low Low Low Low NA R,D Easy Fully
Signature-based Low Medium Medium Low ND R,D,E,I,C&C,AoO Easy Fully
Statistical-based Low Low Low Low ND R,D,E,I,C&C,AoO Easy Partial
Machine-learning Medium Low Medium Low ND R,D,E,I,C&C,AoO Moderate Partial
Physics-based High Low High Low ND,HD R,D,E,I,C&C,AoO Hard Partial
Hardware-based High Low High High HD E,I Hard Partial
Attestation Software-based Medium Low Medium Medium HD E,I Moderate Partial
Honeypot Medium High High Low NA R,C&C Hard Immature
Deception In-network deception Medium Medium Medium Medium NA R,C&C Hard Immature
Incident Response High High Medium Low ALL AoO Moderate Fully
Secure Policies and Protocols High High High High ND,HD R,D Hard Partial
PD=Physical Device; NA=Network Access; HD=Host Data; ND=Network Data
R=Reconnaissance; W=Weaponization; D=Delivery; E=Exploitation; I=Installation; C&C=Command and Control; AoO=Actions on Objective
D. Remote Attestation
Software or firmware on embedded devices can be com-
promised by attackers through remote malware injection or
physical attacks on the network [8], [29]. Two general methods
have been proposed to provide attestation of the software:
(1) software-based and (2) hardware-based. In software-based
attestation, a prover must prove to the verifier that the check-
sum computed based on the content of its Random Access
Memory (RAM) footprint, including its current operating
status (e.g. program counter value) is correct [30]. Hardware-
based attestation uses a Trusted Platform Module (TPM) [31]
which runs a challenge-response protocol based on a public
key encryption scheme to verify the integrity of the software.
Discussion: Remote attestation has low operating cost.
Hardware-based attestation has high deployment and main-
tenance cost as compared to software-based attestation which
has medium cost. That is because every device requires a TPM
to conduct hardware-based attestation which is costly due to
the huge number of legacy devices in SG. Hardware-based
attestation is also highly intrusive as compared to software-
based attestation which is only mildly (medium) intrusive.
One reason is that hardware-based attestation requires the
installation of a TPM, which puts trust on the person who de-
signed it, while software-based attestation requires only minor
software upgrades. Remote attestation protects the host data
from the exploitation and installation attack phase, and is
partially mature due to cost constraints (hardware-based) and
latency constraints (software-based). In terms of exploitability,
software-based attestation is moderate given that some of
the vulnerabilities such as strict timing guarantees and proxy
attacks (i.e., the device under attestation can ask a more
powerful remote device to compute the checksum) have been
overcome by recent advances in technology. Hardware-based
attestation is hard to be subverted because the TPM self-
destructs when it detects tampering. However, this approach
cannot detect memory modifications during runtime.
E. Deception Technology
Deception technologies aim at fooling and confusing attack-
ers by means of well-crafted “decoy” systems or devices. A
typical deception mechanism is the honeypot. The honeypot
presents itself as a valuable, vulnerable target to the attacker,
misleads the attacker in a sandbox environment to slow down
attacks and collect threat intelligence. In the SG, the capa-
bilities of the honeypot has been extended beyond emulating
network topology and services to emulate the dynamic phys-
ical properties of the system (e.g., the device states of circuit
breakers [32], [33] including a honeypot network called a
honeynet [34]). While honeypots are usually isolated from the
real system, another approach involves deployment of virtual,
decoy devices inside the production network, which we call in-
network deception. For example, [35] utilizes software-defined
network (SDN) to dynamically change the connectivity of field
devices (i.e., shuffling online/offline devices) over time and
utilize offline devices as decoys to confuse attackers.
Discussion: Deception technologies are virtual, software-
based implementation, so their deployment cost is medium. In
terms of operating and maintenance costs, honeypot systems
has high costs compared to in-network deception approach
which has medium costs because the honeypot requires con-
tinuous monitoring to handle alarms and analyze collected
logs. On the other hand, in-network deception requires opera-
tors’ attention only when suspicious activities are detected, so
intensive monitoring is usually not required after deployment.
Honeypots have low intrusiveness because they are isolated
from the production system. By contrast, in-network deception
approaches are more intrusive (medium) because the virtual
devices run on the substation gateway or IDS appliances. De-
ception technologies protect network access by quarantining
the attacker in the reconnaissance and command and control
attack phase and are hard to subvert because the attacker is
unaware of the real system services and operation. However,
deception technology is an immature mechanism.
F. Incident Response
Once attacks are detected, it is important to implement
an incident response plan that guides the organization to
respond and recover quickly, so that damage caused by the
security incidents can be mitigated [17]. Several studies have
investigated how the response process can be automated using
SDN, Network Function Virtualization (NFV) [36], and game
theory [37]. This will greatly improve the response time,
allowing the Computer Security Incident Response (CSIR)
team to concentrate on more important tasks. Other works on
automating incident response include classifying incidents to
better assist the CSIR team to quickly forward the requests to
the appropriate team for corrective actions [38].
Discussion: Despite many efforts to automate the response
process, incident response still exhibit high deployment and
operating costs, but medium maintenance cost due to the need
to hire experienced personnel and the need to retrain them
on a regular basis. Incident response is lowly intrusive to
the system because it only acts when a security breach has
occurred. For the same reason, it can only protect against
actions on objective attack phase. In terms of protection
coverage, incident response protects all assets against future
attacks through patch management and policies. It is hard to
subvert because it is a fully mature technology that has been
implemented for a long time. Most issues have already been
G. Defense Compatibility
In this study, we designed a 6×6matrix in Table IV to de-
termine the compatibility of a defense mechanism. As shown
in Table IV, zoning mechanisms has no major dependency
that may conflict with other mechanisms being deployed. IDS
is usually deployed together with firewalls, so it depends on
network zoning mechanisms. IDS also depends on deception
technologies as the two need to interact to reduce the number
of potential false detections that may occur as a result of
their deployment. However, IDS is in conflict with secure
protocols, especially when the traffic is encrypted. Remote
attestation, in general, has two dependencies. First, software-
based attestation depends on zoning mechanisms such as
firewalls to prevent proxy attacks. Second, it is dependent
on secure protocols like cryptography for security. Deception
technologies depend on network zoning (if it is deployed on
the internal network) for greater security and secure proto-
cols to emulate services. Finally, incident response depends
on remote attestation, deception technology, and IDSes for
malicious reports to initiate recovery plans but may conflict
with standard use of secure protocols. For example, the CSIR
team may use Telnet instead of SSH for remote configurations.
In this section, we use our framework to analyze the security
of substations and propose a plan for the deployment of several
defense mechanisms that we discussed earlier. First, we verify
the rationale of existing security deployments in substations
Defense Mechanism (1) (2) (3) (4) (5) (6)
Zoning (1) N N N N N
IDS (2) D N D N C
Remote Attestation (3) D N N N D
Deception Technology (4) D N N N D
Incident Response (5) N D D D C
Secure policies and protocols (6) N C N N C
D=Dependency; N=Neutral; C=Conflict
using our framework. Substations need to comply with NERC
CIP (North American Electric Reliability Corporation critical
infrastructure protection) regulations which require enforce-
ment of cyber and physical security. Thus, substations have de-
ployed physical and network zoning, incident response teams,
secure policies and protocols, and signature-based IDSes [39].
From Table III, we note that most of those defense mechanisms
deployed by the substations have low intrusiveness and focus
primarily on protecting network access and data.
However, as the Ukraine incident has shown, it is inadequate
to focus security solutions on protecting network data alone.
We suggest a short-term and long-term deployment strategy for
substations using our framework. A short-term solution would
be to extend the protection coverage of the system to host data
and physical devices in the system using defense mechanisms
that have low cost and intrusiveness. We suggest deploying
remote attestation to protect against malicious CrashOverride
Malware [3] as was performed in the Ukraine incident. As
a long-term solution, defense mechanisms that are harder to
exploit can be deployed to protect the system against more
sophisticated attacks such as those in the Ukraine incident.
We suggest the deployment of more complex IDSes such as
physics-based IDSes, and deception technologies. Although
those defense mechanisms’ cost is high, they provide addi-
tional layers of defense. For example, physics-based IDSes
monitor the physical processes and would be alerted by the
attacker’s action of opening circuit breakers in the Ukraine
incident. Deception technologies are also an emerging solution
to delay the attacker while learning about the attacker’s inten-
tions. Thus, our framework allows us to analyze the security
posture of a substation and suggest defense mechanisms based
on our study of existing high-profile attacks.
In this paper, we provide a comprehensive review of the de-
fense mechanisms in SG from a defense-in-depth perspective.
We proposed a pragmatic framework for comparing the various
defense mechanisms. Comparative and compatibility analyses
were performed using the metrics defined by our framework to
determine their strengths, weaknesses, and interdependencies.
Using the Ukraine incident as a case study, we conclude that
there is no "one-size-fits-all" solution. The best strategy is
to adopt the defense-in-depth approach by employing many
layers of defense to include security of host data and software
on physical devices. In this regard, remote attestation and
honeypots are two viable options worth considering.
This research is supported in part by the National Research
Foundation, Prime Minister’s Office, Singapore under the
Energy Programme and administrated by the Energy Market
Authority (EP Award No.NRF2017EWT-EP003-047), and in
part by the National Research Foundation, Prime Minister’s
Office, Singapore under its Campus for Research Excellence
and Technological Enterprise (CREATE) programme.
[1] G. Kunz, J. Machado, E. Perondi, and V. Vyatkin, “A formal method-
ology for accomplishing IEC 61850 real-time communication require-
ments,” IEEE Trans. Ind. Electron., vol. 64, no. 8, pp. 6582–6590, 2017.
[2] H. Yoo and T. Shon, “Challenges and research directions for hetero-
geneous cyber-physical system based on IEC 61850: Vulnerabilities,
security requirements, and security architecture,” Futur. Gener. Comput.
Syst, vol. 61, pp. 128–136, 2016.
[3] I. Dragos, “Crashoverride: Analysis of the threat to electric grid opera-
tions,” Online]: https://dragos. com/blog/crashoverride/CrashOverride-
01. pdf, 2017.
[4] M. Strobel, N. Wiedermann, and C. Eckert, “Novel weaknesses in IEC
62351 protected smart grid control systems,” in IEEE Int. Conf. on
SmartGridComm, Nov 2016, pp. 266–270.
[5] J. Hoyos, M. Dehus, and T. X. Brown, “Exploiting the GOOSE
protocol: A practical attack on cyber-infrastructure,” in IEEE Globecom
Workshops, Dec 2012, pp. 1508–1513.
[6] N. Kush, E. Ahmed, M. Branagan, and E. Foo, “Poisoned GOOSE:
Exploiting the GOOSE protocol,” in Proc. 12th Australasian Inform.
Security Conf., 2014, pp. 17–22.
[7] B. Moussa, M. Debbabi, and C. Assi, “A detection and mitigation model
for PTP delay attack in an IEC 61850 substation,” IEEE Trans. Smart
Grid, vol. 9, no. 5, pp. 3954–3965, 2018.
[8] N. Govil, A. Agrawal, and N. O. Tippenhauer, “On ladder logic bombs
in industrial control systems,” in Comput. Security. Springer, 2017, pp.
[9] J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS
defense mechanisms,” ACM SIGCOMM Comput. Commun. Rev., vol. 34,
no. 2, pp. 39–53, 2004.
[10] R. Heartfield and G. Loukas, “A taxonomy of attacks and a survey
of defence mechanisms for semantic social engineering attacks,” ACM
Comput. Surveys, vol. 48, no. 3, p. 37, 2016.
[11] C. Iheagwara, A. Blyth, and M. Singhal, “Cost effective manage-
ment frameworks for intrusion detection systems,J. Comput. Security,
vol. 12, no. 5, pp. 777–798, 2004.
[12] R. Mitchell and I.-R. Chen, “A survey of intrusion detection techniques
for cyber-physical systems,ACM Comput. Surveys, vol. 46, no. 4, pp.
1–29, March 2014.
[13] G. Elbez, H. B. Keller, and V. Hagenmeyer, “A New Classification of
Attacks against the Cyber-Physical Security of Smart Grids,” in Proc.
13th Int. Conf. Availability, Rel. and Security. ACM, 2018, p. 63.
[14] L. Martin, “The Cyber Kill Chain R
.” [Online]. Avail-
[15] A. Chattopadhyay, A. Ukil, D. Jap, and S. Bhasin, “Toward Threat of
Implementation Attacks on Substation Security: Case Study on Fault
Detection and Isolation,” IEEE Trans. Ind. Electron., vol. 14, no. 6, pp.
2442–2451, 2018.
[16] P. T. Manditereza and R. C. Bansal, “Introducing A New Type of Pro-
tection Zone for the Smart Grid Incorporating Distributed Generation,”
in IEEE ISGT Asia. IEEE, 2018, pp. 86–90.
[17] D. Kuipers and M. Fabro, Control systems cyber security: Defense in
depth strategies. United States. Department of Energy, 2006.
[18] “IEEE Standard Cybersecurity Requirements for Substation Automation,
Protection, and Control Systems,” pp. 1–38, 2015.
[19] S. Manson and D. Anderson, “Practical cybersecurity for protection and
control system communications networks,” in Petroleum and Chemical
Ind. Tech. Conf. (PCIC), 2017. IEEE, 2017, pp. 195–204.
[20] R. Schlegel, S. Obermeier, and J. Schneider, “Assessing the security of
IEC 62351,” in Proc. 3rd Int. Symp. for ICS & SCADA Cyber Security
Res., 2015, pp. 11–19.
[21] R. Udd, M. Asplund, S. Nadjm-Tehrani, M. Kazemtabrizi, and M. Ek-
stedt, “Exploiting bro for intrusion detection in a SCADA system,” in
Proc. 2nd ACM Int. Workshop on Cyber-Physical Syst. Security. ACM,
2016, pp. 44–51.
[22] J. Zhang, S. Gan, X. Liu, and P. Zhu, “Intrusion detection in SCADA
systems by traffic periodicity and telemetry analysis,” in Comput. and
Commun. (ISCC), 2016 IEEE Symp. on. IEEE, 2016, pp. 318–325.
[23] W. Ren, T. Yardley, and K. Nahrstedt, “EDMAND: Edge-Based Multi-
Level Anomaly Detection for SCADA Networks,” in IEEE Int. Conf.
SmartGridComm. IEEE, 2018, pp. 1–7.
[24] J. Giraldo, D. Urbina, A. Cardenas, J. Valente, M. Faisal, J. Ruths, N. O.
Tippenhauer, H. Sandberg, and R. Candell, “A survey of physics-based
attack detection in cyber-physical systems,ACM Comput. Surveys,
vol. 51, no. 4, pp. 1–36, July 2018.
[25] D. I. Urbina, J. A. Giraldo, A. A. Cardenas, N. O. Tippenhauer,
J. Valente, M. Faisal, J. Ruths, R. Candell, and H. Sandberg, “Limiting
the impact of stealthy attacks on industrial control systems,” in Proc.
2016 ACM SIGSAC Conf. Comput. and Commun. Security. ACM, 2016,
pp. 1092–1105.
[26] D. Mashima, B. Chen, T. Zhou, R. Rajendran, and B. Sikdar, “Securing
substations through command authentication using on-the-fly simulation
of power system dynamics,” in IEEE Int. Conf. SmartGridComm 2018.
IEEE, 2018, pp. 1–7.
[27] H. Lahza, K. Radke, and E. Foo, “Applying domain-specific knowledge
to construct features for detecting distributed denial-of-service attacks
on the GOOSE and MMS protocols,” Int. J. of Crit. Infr. Prot., vol. 20,
pp. 48–67, 2018.
[28] P. Schneider and K. Böttinger, “High-Performance Unsupervised
Anomaly Detection for Cyber-Physical System Networks,” in Proc.
Workshop CPS-SPC. ACM, 2018, pp. 1–12.
[29] L. Garcia, F. Brasser, M. H. Cintuglu, A.-R. Sadeghi, O. A. Mohammed,
and S. A. Zonouz, “Hey, My Malware Knows Physics! Attacking PLCs
with Physical Model Aware Rootkit.” in NDSS, 2017.
[30] B. Chen, X. Dong, G. Bai, S. Jauhar, and Y. Cheng, “Secure and
efficient software-based attestation for industrial control devices with
arm processors,” in Proc. 33rd Annu. Comput. Security Appl. Conf.
ACM, 2017, pp. 425–436.
[31] N. Asokan, F. Brasser, A. Ibrahim, A.-R. Sadeghi, M. Schunter,
G. Tsudik, and C. Wachsmann, “Seda: Scalable embedded device
attestation,” in Proc. 22nd ACM SIGSAC Conf. Comput. and Commun.
Security. ACM, 2015, pp. 964–975.
[32] K. Koltys and R. Gajewski, “SHaPe: A honeypot for electric power
substation,” pp. 37–43, 01 2015.
[33] D. Antonioli, A. Agrawal, and N. O. Tippenhauer, “Towards high-
interaction virtual ics honeypots-in-a-box,” in Proc. 2nd ACM Workshop
Cyber-Physical Syst. Security and Privacy. ACM, 2016, pp. 13–22.
[34] D. Mashima, B. Chen, P. Gunathilaka, and E. L. Tjiong, “Towards a grid-
wide, high-fidelity electrical substation honeynet,” in IEEE Int. Conf.
SmartGridCommun, Oct 2017, pp. 89–95.
[35] H. Lin, Z. Kalbarczyk, and R. K. Iyer, “Raincoat: Randomization of
network communication in power grid cyber infrastructure to mislead
attackers,” IEEE Trans. SmartGrid, pp. 1–14, 2018.
[36] A. F. M. Piedrahita, V. Gaur, J. Giraldo, A. A. Cardenas, and S. J.
Rueda, “Leveraging software-defined networking for incident response
in industrial control systems,” IEEE Softw., vol. 35, no. 1, pp. 44–50,
[37] S. A. Zonouz, H. Khurana, W. H. Sanders, and T. M. Yardley, “RRE:
A game-theoretic intrusion response and recovery engine,IEEE Trans.
Parallel Distrib. Syst, vol. 25, no. 2, pp. 395–406, 2014.
[38] R. de Jesus Martins, L. A. D. Knob, E. G. da Silva, J. A. Wickboldt,
A. Schaeffer-Filho, and L. Z. Granville, “Specialized CSIRT for Incident
Response Management in Smart Grids,” J. Netw. Syst. Manag., vol. 27,
no. 1, pp. 269–285, 2019.
[39] J. Hallenstein, “Review of cyber and physical security protection of
utility substations and control centers,” The Florida Public Service Com-
mission Office of Auditing and Performance Analysis. [Online]. Avail-
ResearchGate has not been able to resolve any citations for this publication.
Full-text available
Monitoring the “physics” of cyber-physical systems to detect attacks is a growing area of research. In its basic form, a security monitor creates time-series models of sensor readings for an industrial control system and identifies anomalies in these measurements to identify potentially false control commands or false sensor readings. In this article, we review previous work on physics-based anomaly detection based on a unified taxonomy that allows us to identify limitations and unexplored challenges and to propose new solutions.
Conference Paper
While the ever-increasing connectivity of cyber-physical systems enlarges their attack surface, existing anomaly detection frameworks often do not incorporate the rising heterogeneity of involved systems. Existing frameworks focus on a single fieldbus protocol or require more detailed knowledge of the cyber-physical system itself. Thus, we introduce a uniform method and framework for applying anomaly detection to a variety of fieldbus protocols. We use stacked denoising autoencoders to derive a feature learning and packet classification method in one step. As the approach is based on the raw byte stream of the network traffic, neither specific protocols nor detailed knowledge of the application is needed. Additionally, we pay attention on creating an efficient framework which can also handle the increased amount of communication in cyber-physical systems. Our evaluation on a Secure Water Treatment dataset using EtherNet/IP and a Modbus dataset shows that we can acquire network packets up to 100 times faster than packet parsing based methods. However, we still achieve precision and recall metrics for longer lasting attacks of over 99%.
Conference Paper
Modern critical infrastructures such as Smart Grids (SGs) rely heavily on Information and Communication Technology (ICT) systems to monitor and control operations and states within large-scale facilities. The potential offered by SGs includes an effective integration of renewables, a demand-response action and a dynamic pricing system. The increasing use of ICT for the communication infrastructure of modern power systems offers advantages but can give rise to cyber attacks that compromise the security of the SG. To deal efficiently with the security concerns of SGs, a survey of the different attacks that consider the physical as well as the cyber characteristics of modern power grids is required. In the present paper, first the specific differences between SGs with respect to both Information Technology (IT) systems and conventional energy grids are discussed. Thereafter, the specific security requirements of SGs are presented in order to raise awareness of the new security challenges. Finally, a new classification of cyber attacks, based on the architecture of the SG, is proposed and details for each category are provided. The new classification is distinguished by its focus on the cyber-physical security of the SG in particular, which gives a comprehensive overview of the different threats. Thus, this new classification forms the necessary knowledge-basis for the design of respective countermeasures.
Though attackers aim to introduce different physical perturbations on power grids, they need to rely on periodic data acquisitions performed by control centers to estimate the physical state of the grid and thus to prepare for destructive activities. In this paper, we present Raincoat, which randomizes data acquisitions to disrupt and mislead attackers’ preparations. We transform one data acquisition into multiple rounds. In each round, we dynamically manipulate network flows in the control networks so that randomly selected “online” devices respond with real measurements. Meanwhile, we intelligently spoof measurements for other “offline” devices to mislead attackers into designing ineffective strategies. Based on experiments using large-scale power systems and six real wide area networks, Raincoat is effective against false data injection and control-related attacks with small overhead. The probability of successful attacks can be reduced from 70% to 1%; attacks introduce little damage even if they are executed. Network latency of data acquisition increases on average by less than 6%.
Power grids are undergoing a major modernization process, which is transforming them into Smart Grids. In such cyber-physical systems, a security incident may cause catastrophic consequences. Unfortunately, the number of reported incidents in power grids has been increasing in the last years. In this article we advocate that the adoption of Computer Security Incident Response Teams (CSIRTs) is necessary for the proper management of security incidents in Smart Grids. CSIRTs for Smart Grids must cover different parts of the grid, thus consisting of specialized response teams for handling incidents not only on the physical infrastructure, but also on the Smart Grid equipment and on the IT infrastructure. We thus propose an incident classification to assist the implementation of CSIRTs for Smart Grids, considering the specific concerns of the different response teams. We evaluate attack classifications available in the literature and review a well-known database of Smart Grid security incidents.
Electric substation automation systems based on the IEC 61850 standard predominantly employ the GOOSE and MMS protocols. Because GOOSE and MMS messages are not encrypted, an attacker can observe packet header information in protocol messages and inject large numbers of spoofed messages that can flood a substation automation system. Sophisticated machine-learning-based intrusion detection systems are required to detect these types of distributed denial-of-service attacks. However, the performance of machine-learning-based classifiers is hindered by the relative lack of features that express GOOSE and MMS protocol behavior. This paper evaluates a number of features described in the literature that may be used to detect distributed denial-of-service attacks on the GOOSE and MMS protocols. However, these features do not include advanced features that capture the periodic transmission behavior of SCADA protocols. Three SCADA-protocol-specific steps are specified for constructing new GOOSE and MMS advanced features by leveraging domain knowledge and adopting a time-window-based feature construction method. The resulting feature set, which comprises seventeen new GOOSE and MMS advanced features, outperforms the feature sets described in previous research when used with the popular decision tree, neural network and support vector machine classifiers. The evaluations also reveal that the decision tree classifier is superior to the neural network and support vector machine classifiers. A key contribution of this research is the application of SCADA-protocol-based domain knowledge to develop high-performance intrusion detection systems that require reduced training and testing times.