An Anomaly Detection Mechanism for IEC 60870-5-104
Panagiotis Radoglou Grammatikis, Panagiotis Sarigiannidis, Antonios Sarigiannidis, Dimitrios Margounakis, Apostolos Tsiakalos and Georgios Efstathopoulos§
Abstract—The transformation of the conventional electricity grid into a new paradigm called smart grid demands the appropriate cybersecurity solutions. In this paper, we focus on the security of the IEC 60870-5-104 (IEC-104) protocol which is commonly used by Supervisory Control and Data Acquisition (SCADA) systems in the energy domain. In particular, after investigating its security issues, we provide a multivariate Intrusion Detection System (IDS) which adopts both access control and outlier detection mechanisms in order to detect timely possible anomalies against IEC-104. The efficiency of the proposed IDS is reflected by the Accuracy and F1 metrics that reach 98% and 87%, respectively.
Index Terms—Anomaly Detection, Cybersecurity, IEC-60870-5-104, Supervisory Control and Data Acquisition
I. INTRODUCTION
The Critical Infrastructures (CIs) and especially the electrical grid constitute a frequent target of Advanced Persistent Threats (APTs). In particular, they are composed of legacy technologies characterised by severe security flaws. Moreover, although the rapid advance of the Internet of Things (IoT) introduces new beneficial characteristics to CIs, it increases in parallel the attack surface due to the insecure nature of the Internet and specifically of the respective communication protocols [1].
In this paper, we focus on the Transmission Control Protocol (TCP)-based IEC 60870-5-104 (IEC-104) protocol, which is commonly utilised by Supervisory Control and Data Acquisition (SCADA) systems in Europe. IEC-104 uses TCP port 2404 and does not include sufficient authorisation mechanisms, thus allowing potential cybercriminals to violate the IEC-104 communications either via unauthorised IEC-104 commands or Man in The Middle (MiTM) attacks [2]. Based on the aforementioned security gaps of IEC-104, in this paper we provide a relevant Intrusion Detection System (IDS) which relies on essential access control rules and machine learning-based outlier detection mechanisms.
In particular, the rest of this paper is organised as follows. Section II discusses previous works related to the security of IEC-104. In Section III, we provide a background on IEC-104 security and the various machine learning anomaly detection methods. Section IV is devoted to the architecture of the proposed IDS, while Section V evaluates its efficacy. Finally, Section VI concludes this paper.
This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR).
P. Radoglou-Grammatikis and P. Sarigiannidis are with the Department of Electrical and Computer Engineering, University of Western Macedonia, Kozani 50100, Greece. E-Mail: {pradoglou,psarigiannidis}@uowm.gr
A. Sarigiannidis, D. Margounakis and A. Tsiakalos are with SIDROCO, Anaximandrou, 5A 3113, Limassol, Cyprus. E-Mail: {asarigia,dmargoun,atsiakalos}@sidroco.com
§G. Efstathopoulos is with 0INF, Imperial Offices, London, UK, E6 2JG. E-Mail: george@0inf.com
II. RELATED WORK
Many authors have investigated the security issues of IEC-104. In particular, in [2], the authors provided a risk assessment model regarding the IEC-104 communications, taking into account a Coloured Petri Net (CPN)-based threat assessment model as well as the risk assessment model of AlienVault OSSIM [3]. In [4], P. Maynard et al. focused on the possible MiTM and replay attacks against IEC-104, covering also the corresponding injection commands. Accordingly, in [5] C. Lin and S. Nadjm-Tehrani analysed IEC-104 traffic patterns, aiming at discovering underlying timing patterns of spontaneous events. In [6], E. Hodo et al. presented an anomaly-based IDS for IEC-104, utilising classification machine learning methods, such as J48, Naive Bayes, OneR and RandomTree. Finally, in [7] Y. Yang et al. provided a set of IEC-104 signature rules, while in [8], Y. Yang et al. introduced a relevant specification-based IDS relying on a Finite State Machine (FSM).
III. BACKGROUND
A. IEC 60870-5-104 Security Issues
The functionality of IEC-104 relies on TCP/IP, which exhibits a number of cybersecurity issues. Although IEC 62351 [9] provides sufficient guidelines that can enhance the security of IEC-104, the industrial nature of SCADA hinders their immediate upgrade. A severe security issue of IEC-104 is the transmission of data without any encryption mechanism, thus making it possible to execute traffic analysis and MiTM attacks. In addition, many IEC-104 commands, such as reset commands, interrogation commands and read commands, do not integrate authentication and authorisation procedures, thereby allowing unauthorised access. This vulnerability is crucial since a cyberattacker is capable of controlling the field devices and possibly the overall operation of the infrastructure.
B. Machine Learning Algorithms Background
In this section, a short overview of the anomaly detection methods based on machine learning solutions is provided. A more comprehensive literature review can be found in recent surveys [10], [11]. The machine learning methods for anomaly detection can be separated into model-based, clustering-based, reconstruction-based and proximity-based approaches. Model-based approaches include the Gaussian Mixture Models (GMM) [12] that fit the whole dataset to a mixture of Gaussian distributions. The GMM parameters are usually estimated with Expectation-Maximization solutions or deep estimation networks.
The attribute-based approaches for anomaly detection assume that the features of normal examples can be predicted by the rest; in the case of the Isolation Forest algorithm, anomalies are found by deliberately overfitting models that memorise each data point. In this case, outliers have more empty space around them and therefore take fewer steps to memorise. Many anomaly detection methods are considered clustering-based detectors, assuming that the normal data are located close to their closest cluster. Principal Component Analysis (PCA), Matrix Factorization (MF), Stochastic Outlier Selection (SOS) and deep Auto-encoders belong to the reconstruction-based approaches. The concept behind these methods is to learn a mapping from a higher- to a lower-dimensional space through compression and decompression stages and to identify points with high reconstruction error as anomalies. SOS is an unsupervised anomaly-selection algorithm that takes as input either a feature matrix or a dissimilarity matrix and outputs an anomaly probability for each data point. Intuitively, a data point is considered an anomaly when the other data points have insufficient affinity with it. One-Class Support Vector Machine (OC-SVM) aims to find a hyperplane that separates the vast majority of the data from the origin in the projected high-dimensional space without making any assumptions about their distribution. In particular, OC-SVM separates all the data points from the origin (in feature space) and maximises the distance from this hyperplane to the origin. This results in a binary function which captures the regions of the input space where the probability density of the data lives: the function is positive in regions with a high density of points and negative where the density is small.
Proximity-based methods do not require any training or assumptions about the dataset. They consider the rarity of a point, measuring, for example, the distance to its K-Nearest Neighbours (KNN) or the ratio of local reachability densities.
This paper has been published in IEEE Xplore: https://ieeexplore.ieee.org/abstract/document/9200285
P. R. Grammatikis, P. Sarigiannidis, A. Sarigiannidis, D. Margounakis, A. Tsiakalos and G. Efstathopoulos, "An Anomaly Detection Mechanism for IEC 60870-5-104," 2020 9th International Conference on Modern Circuits and Systems Technologies (MOCAST), Bremen, Germany, 2020, pp. 1-4, doi: 10.1109/MOCAST49295.2020.9200285.
IV. IEC-104 IDS
Fig. 1 illustrates the architecture of the proposed IDS, which
consists of two main components, namely a) Sensor and b)
Server. The Sensors consist of three modules, namely a)
Network Traffic Monitoring Module,b) Network Packet Access
Control and c) IEC-104 Flows Extraction Module responsible
respectively for monitoring and analysing the entire network
traffic generated in the infrastructure. On the other hand,
Server constitutes a centralised point where the anomaly
detection processes take place, and the security events are
stored. In particular, Server is composed of an Elasticsearch
database, the Anomaly Detection Module and the Response
Module. The following subsections analyse in detail each
module.
A. Network Traffic Monitoring Module
The Network Traffic Monitoring Module relies on the Scapy library [13] and is responsible for monitoring and capturing the overall network traffic at a predefined, user-configurable capture frequency.
B. Network Packet Access Control Module
This module receives the captured network traffic from the previous module and utilises Scapy [13] in order to apply some initial security controls. In particular, it adopts a whitelist in which all legitimate Medium Access Control (MAC) and Internet Protocol (IP) addresses are stored. Therefore, if a packet contains a MAC or an IP address which is not included in the whitelist, a security event is generated and stored in the Elasticsearch database of Server. The legitimate MAC and IP addresses should be defined by the system operator or the security administrator. In addition, the whitelist also defines the permitted TCP and UDP ports. Therefore, if a packet includes a non-legitimate port, the corresponding security event is generated.
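The whitelist controls described above, as an added example that is not the paper's code: packets are plain dicts summarising the fields a Scapy capture exposes, the whitelist holds the operator-defined MAC addresses, IP addresses and TCP/UDP ports, and each violation yields a security event. The event layout, the rule that a packet is legitimate when either endpoint uses a permitted service port, and the sample traffic are assumptions, not the AlienVault OSSIM schema the paper adopts.

```python
"""Whitelist-based packet access control in the spirit of Section IV-B (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

IEC104_TCP_PORT = 2404  # TCP port used by IEC-104 (stated in the paper)


@dataclass(frozen=True)
class Whitelist:
    macs: FrozenSet[str]          # lower-case MAC addresses
    ips: FrozenSet[str]
    tcp_ports: FrozenSet[int]
    udp_ports: FrozenSet[int] = frozenset()


@dataclass(frozen=True)
class SecurityEvent:
    """Simplified event record (assumed layout, not the OSSIM field set)."""
    reason: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: Optional[int]
    dst_port: Optional[int]


def check_packet(pkt: Dict, wl: Whitelist) -> List[SecurityEvent]:
    """Return one event per whitelist rule the packet violates.

    A single packet may break several rules (unknown MAC *and* unknown IP);
    each is reported so the operator sees the whole picture, not just the first hit.
    """
    reasons: List[str] = []
    for side in ("src", "dst"):
        mac = pkt[f"{side}_mac"].lower()  # normalise case before the lookup
        if mac not in wl.macs:
            reasons.append(f"unknown {side} MAC {mac}")
        ip = pkt[f"{side}_ip"]
        if ip not in wl.ips:
            reasons.append(f"unknown {side} IP {ip}")
    proto = pkt["proto"]
    permitted = {"TCP": wl.tcp_ports, "UDP": wl.udp_ports}.get(proto)
    if permitted is not None:
        sport, dport = pkt.get("sport"), pkt.get("dport")
        # Assumption: legitimate if either end uses a permitted service port; the
        # other end is an ephemeral client port and would otherwise always trigger.
        if sport not in permitted and dport not in permitted:
            reasons.append(f"no permitted {proto} port in {sport}->{dport}")
    return [SecurityEvent(r, pkt["src_ip"], pkt["dst_ip"], proto,
                          pkt.get("sport"), pkt.get("dport")) for r in reasons]


def run_access_control(packets: List[Dict], wl: Whitelist) -> List[SecurityEvent]:
    """Apply check_packet to a batch of captured packets (the module's main loop)."""
    events: List[SecurityEvent] = []
    for pkt in packets:
        events.extend(check_packet(pkt, wl))
    return events


# Constructed whitelist: one SCADA master (.10) and one RTU (.20), IEC-104 only.
WHITELIST = Whitelist(
    macs=frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"}),
    ips=frozenset({"192.168.1.10", "192.168.1.20"}),
    tcp_ports=frozenset({IEC104_TCP_PORT}),
)

# Constructed packet summaries (not captured traffic).
SAMPLE_PACKETS = [
    # Legitimate IEC-104 exchange: master -> RTU and the RTU's reply.
    {"src_mac": "00:11:22:33:44:01", "dst_mac": "00:11:22:33:44:02",
     "src_ip": "192.168.1.10", "dst_ip": "192.168.1.20",
     "proto": "TCP", "sport": 51020, "dport": 2404},
    {"src_mac": "00:11:22:33:44:02", "dst_mac": "00:11:22:33:44:01",
     "src_ip": "192.168.1.20", "dst_ip": "192.168.1.10",
     "proto": "TCP", "sport": 2404, "dport": 51020},
    # Unknown host (MAC and IP not whitelisted) reaching the RTU on 2404.
    {"src_mac": "DE:AD:BE:EF:00:01", "dst_mac": "00:11:22:33:44:02",
     "src_ip": "192.168.1.99", "dst_ip": "192.168.1.20",
     "proto": "TCP", "sport": 40000, "dport": 2404},
    # Known hosts, but a TCP port the whitelist does not permit.
    {"src_mac": "00:11:22:33:44:01", "dst_mac": "00:11:22:33:44:02",
     "src_ip": "192.168.1.10", "dst_ip": "192.168.1.20",
     "proto": "TCP", "sport": 51021, "dport": 502},
]

if __name__ == "__main__":
    for ev in run_access_control(SAMPLE_PACKETS, WHITELIST):
        print(ev)
```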
C. IEC-104 Flows Extraction Module
This module receives the captured network packets and exports the corresponding bi-directional IEC-104 flows, utilising the CICFlowMeter software [14]. In particular, CICFlowMeter generates 83 features for each flow, which are stored in a separate index of the Elasticsearch database. It is also noteworthy that different flow-timeout thresholds can be used for extracting the corresponding IEC-104 flows, which in turn affects the 83 features [14].
D. Anomaly Detection Module
The Anomaly Detection Module constitutes the core of the proposed IDS. First, it receives the captured IEC-104 flows from the Elasticsearch database and applies outlier detection models in order to detect which of them are anomalies. The efficacy of these models is discussed in Section V. Finally, it stores the corresponding security events (i.e., anomalous IEC-104 flows) in a separate index of the Elasticsearch database.
E. Response Module
The Response Module undertakes to inform the user about the various security events via Kibana of the Elastic Stack. Moreover, it provides statistical charts that help the user to better understand the security status of the infrastructure. For the security events, the format of AlienVault OSSIM [3], [15] was utilised. In particular, the security events detected by the proposed IDS are related to the controls of the Network Packet Access Control and Anomaly Detection Modules.
$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$ (1)
$F1 = \frac{2 \cdot \text{precision} \cdot \text{recall}}{\text{precision} + \text{recall}}$ (2)
$\text{TPR} = \frac{TP}{TP + FN}$ (3)
[Figure: Sensor (Network Traffic Monitoring Module, Network Packet Access Control Module, IEC-104 Flows Extraction Module / CICFlowMeter) forwards Security Events and IEC-104 Flows to Server (Anomaly Detection Module, Response Module)]
Fig. 1: IEC-104 IDS Architecture
V. EVALUATION ANALYSIS
This section is devoted to the efficacy of the outlier detection models of the Anomaly Detection Module. In particular, three outlier detection algorithms were evaluated, namely a) OC-SVM, b) Isolation Forest and c) LOF, to detect anomalous IEC-104 flows under four different flow-timeout thresholds: 15, 30, 60 and 120 seconds. In order to train the corresponding models, we combined normal IEC-104 data stemming from a real substation with the malicious IEC-104 data of [16]. Moreover, utilising the PCA method, we chose only seven features from the 83 generated by CICFlowMeter, including a) the total packets in the forward direction, b) the total size of the packets in the backward direction, c) the standard deviation of the packet size in the forward direction, d) the number of flow bytes per second, e) the maximum time between two packets sent in the flow, f) the minimum length of a packet, g) the average number of bytes in a sub-flow in the backward direction and h) the maximum time a flow was active before becoming idle. It is worth mentioning that the previous features relate only to IEC-104 packets, since Scapy [13] and CICFlowMeter were configured to capture and extract only IEC-104 flows, respectively.
Tables I-IV and Fig. 2 depict the efficacy of the aforementioned outlier detection algorithms under the different flow-timeout values in terms of Accuracy, F1 and True Positive Rate (TPR). These metrics are defined by Equations 1-3, respectively. In particular, True Positives (TP) denotes the number of correct classifications that detected the malicious flows as anomalous. Accordingly, True Negatives (TN) denotes the number of correct classifications that recognised the normal flows as normal. On the other hand, False Positives (FP) indicates the classifications that detected normal flows as anomalous, while False Negatives (FN) denotes the incorrect classifications that wrongfully recognised malicious flows as normal. According to the evaluation results, when the flow-timeout value is equal to 120 s, the Isolation Forest method achieves the highest Accuracy, Precision, TPR and F1, which reach 0.982, 0.990, 0.777 and 0.875, respectively.
TABLE I: The Outlier Detection Evaluation Results for flow-timeout 15s.
Model             Accuracy  Precision  TPR    F1
OC-SVM            0.519     0.509      0.993  0.673
LOF               0.65      0.98       0.30   0.46
Isolation Forest  0.536     0.519      0.992  0.6817
TABLE II: The Outlier Detection Evaluation Results for flow-timeout 30s.
Model             Accuracy  Precision  TPR    F1
OC-SVM            0.805     0.943      0.650  0.769
LOF               0.783     0.886      0.650  0.750
Isolation Forest  0.811     0.964      0.647  0.774
TABLE III: The Outlier Detection Evaluation Results for flow-timeout 60s.
Model             Accuracy  Precision  TPR    F1
OC-SVM            0.811     0.964      0.647  0.774
LOF               0.790     0.941      0.620  0.747
Isolation Forest  0.812     0.964      0.647  0.775
TABLE IV: The Outlier Detection Evaluation Results for flow-timeout 120s.
Model             Accuracy  Precision  TPR    F1
OC-SVM-Linear     0.812     0.962      0.647  0.774
LOF               0.812     0.964      0.647  0.775
Isolation Forest  0.982     0.990      0.777  0.875
Fig. 2: The overall performance of the outlier detection methods with the different flow-timeout values.
VI. CONCLUSIONS
The continuous progression and involvement of IoT in the industrial domain and especially in the electrical grid requires the presence of appropriate cybersecurity measures. In this paper, we focused our attention on the security of the IEC-104 protocol, which is commonly utilised by SCADA systems. In particular, after investigating IEC-104 security issues, we provided a relevant IDS, which applies access control and outlier detection mechanisms in order to detect IEC-104 anomalies. The performance of the proposed IDS is demonstrated through the evaluation analysis, where Accuracy and F1 score reach 98% and 87%, respectively.
VII. ACKNOWLEDGEMENT
This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR).
REFERENCES
[1] P. I. R. Grammatikis, P. G. Sarigiannidis, and I. D. Moscholios, “Securing the Internet of Things: Challenges, threats and solutions,” Internet of Things, vol. 5, pp. 41–70, 2019. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S2542660518301161
[2] P. Radoglou-Grammatikis, P. Sarigiannidis, I. Giannoulakis, E. Kafetzakis, and E. Panaousis, “Attacking IEC-60870-5-104 SCADA systems,” in 2019 IEEE World Congress on Services (SERVICES), vol. 2642-939X, July 2019, pp. 41–46.
[3] S. G. Zarzosa, “D2.1 In-depth analysis of SIEMs extensibility,” DiSIEM Project, Tech. Rep. 1, 2017.
[4] P. Maynard, K. McLaughlin, and B. Haberler, “Towards understanding man-in-the-middle attacks on IEC 60870-5-104 SCADA networks,” in 2nd International Symposium for ICS & SCADA Cyber Security Research 2014 (ICS-CSR 2014), 2014, pp. 30–42.
[5] C.-Y. Lin and S. Nadjm-Tehrani, “Understanding IEC-60870-5-104 traffic patterns in SCADA networks,” in Proceedings of the 4th ACM Workshop on Cyber-Physical System Security, 2018, pp. 51–60.
[6] E. Hodo, S. Grebeniuk, H. Ruotsalainen, and P. Tavolato, “Anomaly detection for simulated IEC-60870-5-104 traffic,” in Proceedings of the 12th International Conference on Availability, Reliability and Security, 2017, pp. 1–7.
[7] Y. Yang, K. McLaughlin, T. Littler, S. Sezer, B. Pranggono, and H. Wang, “Intrusion detection system for IEC 60870-5-104 based SCADA networks,” in 2013 IEEE Power & Energy Society General Meeting. IEEE, 2013, pp. 1–5.
[8] Y. Yang, K. McLaughlin, S. Sezer, Y. Yuan, and W. Huang, “Stateful intrusion detection for IEC 60870-5-104 SCADA security,” in 2014 IEEE PES General Meeting | Conference & Exposition. IEEE, 2014, pp. 1–5.
[9] R. Schlegel, S. Obermeier, and J. Schneider, “A security evaluation of IEC 62351,” Journal of Information Security and Applications, vol. 34, pp. 197–204, 2017.
[10] C. C. Aggarwal, “An introduction to outlier analysis,” in Outlier Analysis. Springer, 2017, pp. 1–34.
[11] M. Gupta, J. Gao, C. C. Aggarwal, and J. Han, “Outlier detection for temporal data: A survey,” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 9, pp. 2250–2267, 2013.
[12] X. Yang, L. J. Latecki, and D. Pokrajac, “Outlier detection with globally optimal exemplar-based GMM,” in Proceedings of the 2009 SIAM International Conference on Data Mining. SIAM, 2009, pp. 145–154.
[13] R. R. S, R. R, M. Moharir, and S. G, “Scapy: A powerful interactive packet manipulation program,” in 2018 International Conference on Networking, Embedded and Wireless Systems (ICNEWS), 2018, pp. 1–5.
[14] A. H. Lashkari, G. Draper-Gil, M. S. I. Mamun, and A. A. Ghorbani, “Characterization of Tor traffic using time based features,” in ICISSP, 2017, pp. 253–262.
[15] AlienVault OSSIM security events. [Online]. Available: https://cybersecurity.att.com/documentation/usm-appliance/events/event-details-fields.htm
[16] P. Maynard, K. McLaughlin, and S. Sezer, “An open framework for deploying experimental SCADA testbed networks,” in 5th International Symposium for ICS & SCADA Cyber Security Research 2018, 2018, pp. 92–101.
Outliers are also referred to as abnormalities, discordants, deviants, or anomalies in the data mining and statistics literature. In most applications, the data is created by one or more generating processes, which could either reflect activity in the system or observations collected about entities. When the generating process behaves unusually, it results in the creation of outliers. Therefore, an outlier often contains useful information about abnormal characteristics of the systems and entities that impact the data generation process. The recognition of such unusual characteristics provides useful application-specific insights.