An Anomaly Detection Mechanism for IEC 60870-5-104
Panagiotis Radoglou Grammatikis, Panagiotis Sarigiannidis, Antonios Sarigiannidis, Dimitrios Margounakis, Apostolos Tsiakalos and Georgios Efstathopoulos
Abstract—The transformation of the conventional electricity grid into a new paradigm called smart grid demands appropriate cybersecurity solutions. In this paper, we focus on the security of the IEC 60870-5-104 (IEC-104) protocol, which is commonly used by Supervisory Control and Data Acquisition (SCADA) systems in the energy domain. In particular, after investigating its security issues, we provide a multivariate Intrusion Detection System (IDS) which adopts both access control and outlier detection mechanisms in order to detect possible anomalies against IEC-104 in a timely manner. The efficiency of the proposed IDS is reflected by the Accuracy and F1 metrics, which reach 98% and 87%, respectively.
Index Terms—Anomaly Detection, Cybersecurity, IEC-60870-5-104, Supervisory Control and Data Acquisition
I. INTRODUCTION
Critical Infrastructures (CIs), and especially the electrical grid, constitute a frequent target of Advanced Persistent Threats (APTs). In particular, they are composed of legacy technologies characterised by severe security flaws. Moreover, although the rapid advance of the Internet of Things (IoT) introduces new beneficial characteristics to CIs, it increases in parallel the attack surface due to the insecure nature of the Internet and specifically of the respective communication protocols [1].
In this paper, we focus on the Transmission Control Protocol (TCP)-based IEC 60870-5-104 (IEC-104) protocol, which is commonly utilised by Supervisory Control and Data Acquisition (SCADA) systems in Europe. IEC-104 uses TCP port 2404 and does not include sufficient authorisation mechanisms, thus allowing potential cybercriminals to violate IEC-104 communications either via unauthorised IEC-104 commands or Man in The Middle (MiTM) attacks [2]. Based on the aforementioned security gaps of IEC-104, in this paper we provide a relevant Intrusion Detection System (IDS) which relies on essential access control rules and machine learning-based outlier detection mechanisms.
The rest of this paper is organised as follows. Section II discusses previous works related to the security of IEC-104. In Section III, we provide a background about IEC-104 security and the various machine learning anomaly detection methods. Section IV is devoted to the architecture of the proposed IDS, while Section V evaluates its efficacy. Finally, Section VI concludes this paper.
This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR).
P. Radoglou-Grammatikis and P. Sarigiannidis are with the Department of Electrical and Computer Engineering, University of Western Macedonia, Kozani 50100, Greece - E-Mail: {pradoglou,psarigiannidis}@uowm.gr
A. Sarigiannidis, D. Margounakis and A. Tsiakalos are with SIDROCO, Anaximandrou, 5A 3113, Limassol, Cyprus - E-Mail: {asarigia,dmargoun,atsiakalos}@sidroco.com
G. Efstathopoulos is with 0INF, Imperial Offices, London, UK, E6 2JG - E-Mail: george@0inf.com
II. RELATED WORK
Many authors have investigated the security issues of IEC-104. In particular, in [2], the authors provided a risk assessment model regarding IEC-104 communications, taking into account a Coloured Petri Net (CPN)-based threat assessment model as well as the risk assessment model of AlienVault OSSIM [3]. In [4], P. Maynard et al. focused on possible MiTM and replay attacks against IEC-104, covering also the corresponding injection commands. Accordingly, in [5] C.-Y. Lin and S. Nadjm-Tehrani analysed IEC-104 traffic patterns, aiming at discovering the underlying timing patterns of spontaneous events. In [6], E. Hodo et al. presented an anomaly-based IDS for IEC-104, utilising classification machine learning methods such as J48, Naive Bayes, OneR and RandomTree. Finally, in [7] Y. Yang et al. provided a set of IEC-104 signature rules, while in [8] Y. Yang et al. introduced a relevant specification-based IDS relying on a Finite State Machine (FSM).
III. BACKGROUND
A. IEC 60870-5-104 Security Issues
The functionality of IEC-104 relies on TCP/IP, which exhibits a number of cybersecurity issues. Although IEC 62351 [9] provides sufficient guidelines that can enhance the security of IEC-104, the industrial nature of SCADA hinders their immediate adoption. A severe security issue of IEC-104 is the transmission of data without any encryption mechanism, thus making it possible to execute traffic analysis and MiTM attacks. In addition, many IEC-104 commands, such as reset commands, interrogation commands and read commands, do not integrate authentication and authorisation procedures, thereby allowing unauthorised access. This vulnerability is crucial since a cyberattacker is capable of controlling the field devices and possibly the overall operation of the infrastructure.
B. Machine Learning Algorithms Background
In this section, a short overview of the anomaly detection methods based on machine learning is provided. A more comprehensive literature review can be found in recent surveys [10], [11]. The machine learning methods for anomaly detection can be separated into model-based, clustering-based, reconstruction-based and proximity-based approaches. Model-based approaches include Gaussian Mixture Models (GMM) [12], which fit the whole dataset to a mixture of Gaussian distributions. The GMM parameters are usually estimated with Expectation-Maximization solutions or deep estimation networks.
This paper has been published in IEEE Xplore: https://ieeexplore.ieee.org/abstract/document/9200285
P. R. Grammatikis, P. Sarigiannidis, A. Sarigiannidis, D. Margounakis, A. Tsiakalos and G. Efstathopoulos, "An Anomaly Detection Mechanism for IEC 60870-5-104," 2020 9th International Conference on Modern Circuits and Systems Technologies (MOCAST), Bremen, Germany, 2020, pp. 1-4, doi: 10.1109/MOCAST49295.2020.9200285.
The attribute-based approaches for anomaly detection assume that the features of normal examples can be predicted by the rest. In the case of the Isolation Forest algorithm, anomalies are found by deliberately overfitting models that memorise each data point: outliers have more empty space around them and therefore take fewer steps to memorise. Many anomaly detection methods are considered clustering-based detectors, assuming that normal data are located close to their closest cluster. Principal Component Analysis (PCA), Matrix Factorization (MF), Stochastic Outlier Selection (SOS) and deep Auto-encoders belong to the reconstruction-based approaches. The concept behind these methods is to learn a mapping from a higher- to a lower-dimensional space through compression and decompression stages and to identify points with a high reconstruction error as anomalies. SOS is an unsupervised anomaly-selection algorithm that takes as input either a feature matrix or a dissimilarity matrix and outputs an anomaly probability for each data point. Intuitively, a data point is considered to be an anomaly when the other data points have insufficient affinity with it. One-Class Support Vector Machine (OC-SVM) aims to find a hyperplane that separates the vast majority of the data from the origin in the projected high-dimensional space without making any assumptions about their distribution. In particular, OC-SVM separates all the data points from the origin (in feature space) and maximises the distance from this hyperplane to the origin. This results in a binary function which captures the regions of the input space where the probability density of the data lives. The idea of OC-SVM for anomaly detection is to find a function that is positive for regions with a high density of points and negative for regions with a low density.
Proximity-based methods do not require any training or assumptions about the dataset. They consider the rarity of a point, measuring, for example, the distance to its K-Nearest Neighbours (KNN) or the ratio of local reachability densities, as in the Local Outlier Factor (LOF).
IV. IEC-104 IDS
Fig. 1 illustrates the architecture of the proposed IDS, which consists of two main components, namely a) the Sensor and b) the Server. The Sensor consists of three modules, namely a) the Network Traffic Monitoring Module, b) the Network Packet Access Control Module and c) the IEC-104 Flows Extraction Module, which together are responsible for monitoring and analysing the entire network traffic generated in the infrastructure. On the other hand, the Server constitutes a centralised point where the anomaly detection processes take place and the security events are stored. In particular, the Server is composed of an Elasticsearch database, the Anomaly Detection Module and the Response Module. The following subsections analyse each module in detail.
A. Network Traffic Monitoring Module
The Network Traffic Monitoring Module relies on the Scapy library [13] and is responsible for monitoring and capturing the overall network traffic at a predefined frequency, which can be configured by the user.
B. Network Packet Access Control Module
This module receives the captured network traffic from the previous module and utilises Scapy [13] in order to apply some initial security controls. In particular, it adopts a whitelist in which all legitimate Medium Access Control (MAC) and Internet Protocol (IP) addresses are stored. Therefore, if a packet contains a MAC or an IP address which is not included in the whitelist, a security event is generated and stored in the Elasticsearch database of the Server. The legitimate MAC and IP addresses should be defined by the system operator or the security administrator. In addition, this whitelist also defines the permitted TCP and UDP ports. Therefore, if a packet includes a non-legitimate port, the corresponding security event is generated.
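The whitelist control described above, as an added example that is not the authors' code: packets are plain dicts standing in for Scapy layers, the addresses are constructed documentation values, and the event field names are this example's own rather than the OSSIM schema the paper adopts.

```python
# Whitelist-based access control over captured packets, in the spirit of the paper's
# Network Packet Access Control Module. Added example, not the authors' code: packets are
# plain dicts standing in for Scapy layers and all addresses are constructed values from
# 192.0.2.0/24. TCP port 2404 is the IEC-104 port named in the paper.
from dataclasses import dataclass, field
from datetime import datetime, timezone

IEC104_PORT = 2404


@dataclass
class Whitelist:
    macs: set                                    # legitimate MAC addresses (operator-defined)
    ips: set                                     # legitimate IP addresses
    tcp_ports: set                               # permitted TCP service ports
    udp_ports: set = field(default_factory=set)  # permitted UDP service ports


def _event(kind, pkt, detail):
    """Security event record; the field names are this example's own, not the
    AlienVault OSSIM event format used by the paper."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "module": "Network Packet Access Control",
        "event_type": kind,
        "src_ip": pkt["src_ip"],
        "dst_ip": pkt["dst_ip"],
        "detail": detail,
    }


def check_packet(pkt, wl):
    """Return the security events raised by one packet (empty list if it is clean).
    pkt keys: src_mac, dst_mac, src_ip, dst_ip, proto ('tcp' or 'udp'), sport, dport."""
    events = []
    for side in ("src", "dst"):
        mac = pkt[f"{side}_mac"].lower()
        if mac not in wl.macs:
            events.append(_event("unknown_mac", pkt, f"{side}_mac={mac}"))
        ip = pkt[f"{side}_ip"]
        if ip not in wl.ips:
            events.append(_event("unknown_ip", pkt, f"{side}_ip={ip}"))
    # Assumption: the whitelist names service ports, so a packet is legitimate when at
    # least one endpoint port is permitted (the other end is usually an ephemeral port).
    permitted = wl.tcp_ports if pkt["proto"] == "tcp" else wl.udp_ports
    if pkt["sport"] not in permitted and pkt["dport"] not in permitted:
        events.append(_event("unknown_port", pkt,
                             f"{pkt['proto']} {pkt['sport']}->{pkt['dport']}"))
    return events


def scan(packets, wl):
    """Apply the whitelist to a capture and collect every event (the paper stores
    these in the Server's Elasticsearch database)."""
    events = []
    for pkt in packets:
        events.extend(check_packet(pkt, wl))
    return events


# Constructed whitelist: one IEC-104 master station and one RTU.
MASTER_MAC, RTU_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
WHITELIST = Whitelist(
    macs={MASTER_MAC, RTU_MAC},
    ips={"192.0.2.10", "192.0.2.20"},
    tcp_ports={IEC104_PORT},
)


def _pkt(smac, dmac, sip, dip, sport, dport, proto="tcp"):
    return {"src_mac": smac, "dst_mac": dmac, "src_ip": sip, "dst_ip": dip,
            "proto": proto, "sport": sport, "dport": dport}


# Constructed capture: a legitimate IEC-104 exchange, a packet from an unlisted host,
# and a legitimate host talking on a port that is not permitted.
SAMPLE_PACKETS = [
    _pkt(MASTER_MAC, RTU_MAC, "192.0.2.10", "192.0.2.20", 50123, IEC104_PORT),
    _pkt(RTU_MAC, MASTER_MAC, "192.0.2.20", "192.0.2.10", IEC104_PORT, 50123),
    _pkt("02:00:00:00:00:99", RTU_MAC, "192.0.2.99", "192.0.2.20", 40000, IEC104_PORT),
    _pkt(MASTER_MAC, RTU_MAC, "192.0.2.10", "192.0.2.20", 50124, 502),
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_PACKETS, WHITELIST):
        print(ev["event_type"], ev["detail"])
```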
C. IEC-104 Flows Extraction Module
This module receives the captured network packets and exports the corresponding bidirectional IEC-104 flows, utilising the CICFlowMeter software [14]. In particular, CICFlowMeter generates 83 features for each flow, which are stored in a separate index of the Elasticsearch database. It is also noteworthy that different flow-timeout thresholds can be used for extracting the IEC-104 flows, which affects the values of the 83 features accordingly [14].
D. Anomaly Detection Module
The Anomaly Detection Module constitutes the core of the proposed IDS. First, it receives the captured IEC-104 flows from the Elasticsearch database and applies outlier detection models in order to detect which of them are anomalies. The efficacy of these models is discussed in Section V. Finally, it stores the corresponding security events (i.e., anomalous IEC-104 flows) in a separate index of the Elasticsearch database.
E. Response Module
The Response Module undertakes to inform the user about the various security events via Kibana of the Elastic Stack. Moreover, it provides statistical charts that assist the user in better understanding the security status of the infrastructure. For the security events, the format of AlienVault OSSIM [3], [15] was utilised. In particular, the security events detected by the proposed IDS correspond to the controls of the Network Packet Access Control and Anomaly Detection Modules.
$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$ (1)
$F1 = \frac{2 \cdot \mathrm{precision} \cdot \mathrm{recall}}{\mathrm{precision} + \mathrm{recall}}$ (2)
$\mathrm{TPR} = \frac{TP}{TP + FN}$ (3)
[Fig. 1 (architecture diagram; only its labels survive extraction): the Sensor, comprising the Network Traffic Monitoring Module, the Network Packet Access Control Module and the IEC-104 Flows Extraction Module (CICFlowMeter), forwards Security Events and IEC-104 Flows to the Server, which comprises the Anomaly Detection Module and the Response Module.]
Fig. 1: IEC-104 IDS Architecture
V. EVALUATION ANALYSIS
This section is devoted to the efficacy of the outlier detection models of the Anomaly Detection Module. In particular, three outlier detection algorithms were evaluated, namely a) OC-SVM, b) Isolation Forest and c) LOF, to detect anomalous IEC-104 flows under four different flow-timeout thresholds: 15, 30, 60 and 120 seconds. In order to train the corresponding models, we combined normal IEC-104 data stemming from a real substation with the IEC-104 malicious data of [16]. Moreover, utilising the PCA method, we chose only seven features from the 83 generated by CICFlowMeter, including a) the total packets in the forward direction, b) the total size of the packets in the backward direction, c) the standard deviation of the packet size in the forward direction, d) the number of flow bytes per second, e) the maximum time between two packets sent in the flow, f) the minimum length of a packet, g) the average number of bytes in a sub-flow in the backward direction and h) the maximum time a flow was active before becoming idle. It is worth mentioning that the previous features relate only to IEC-104 packets, since Scapy [13] and CICFlowMeter were configured to capture and extract only IEC-104 flows, respectively.
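Flow extraction with a flow-timeout threshold and the feature kinds listed in Sections IV.C and V, as an added example that is neither CICFlowMeter nor the authors' code. It assumes the conventions stated in its comments (forward direction, flow timeout measured from the first packet, activity timeout) and uses a constructed IEC-104 packet trace.

```python
# Bidirectional flow extraction with a flow-timeout threshold, computing seven
# CICFlowMeter-style features of the kinds the paper selects. Added example, not
# CICFlowMeter or the authors' code; the packet trace is constructed (IEC-104 master
# 192.0.2.10 and RTU 192.0.2.20:2404). Assumed conventions: forward = direction of the
# flow's first packet; a flow is closed when a packet arrives more than flow_timeout
# seconds after the flow's first packet; an active period ends when the gap between two
# packets exceeds activity_timeout. CICFlowMeter's exact semantics are not reproduced.
from statistics import pstdev


def _features(pkts, activity_timeout):
    """pkts: list of (ts, size, is_forward) sorted by ts, all belonging to one flow."""
    sizes = [s for _, s, _ in pkts]
    fwd_sizes = [s for _, s, fwd in pkts if fwd]
    ts = [t for t, _, _ in pkts]
    duration = ts[-1] - ts[0]
    iats = [b - a for a, b in zip(ts, ts[1:])]
    # active periods: split the flow wherever the inter-packet gap exceeds activity_timeout
    active, start = [], ts[0]
    for prev, cur in zip(ts, ts[1:]):
        if cur - prev > activity_timeout:
            active.append(prev - start)
            start = cur
    active.append(ts[-1] - start)
    return {
        "fwd_pkts": len(fwd_sizes),                                       # feature a)
        "bwd_bytes": sum(s for _, s, fwd in pkts if not fwd),             # feature b)
        "fwd_len_std": pstdev(fwd_sizes) if len(fwd_sizes) > 1 else 0.0,  # feature c)
        "flow_bytes_per_s": sum(sizes) / duration if duration > 0 else 0.0,  # feature d)
        "iat_max": max(iats) if iats else 0.0,                            # feature e)
        "min_len": min(sizes),                                            # feature f)
        "active_max": max(active),                                        # feature h)
    }


def extract_flows(packets, flow_timeout, activity_timeout=5.0):
    """Group packets (dicts with ts, src_ip, sport, dst_ip, dport, size) into
    bidirectional flows and return one feature dict per flow, ordered by flow start."""
    open_flows = {}   # key -> {"start": ts, "fwd": (ip, port), "pkts": [...]}
    closed = []
    for p in sorted(packets, key=lambda p: p["ts"]):
        a, b = (p["src_ip"], p["sport"]), (p["dst_ip"], p["dport"])
        key = tuple(sorted([a, b]))          # same key for both directions
        flow = open_flows.get(key)
        if flow is not None and p["ts"] - flow["start"] > flow_timeout:
            closed.append(open_flows.pop(key))   # flow-timeout reached: close it
            flow = None
        if flow is None:
            flow = open_flows[key] = {"start": p["ts"], "fwd": a, "pkts": []}
        flow["pkts"].append((p["ts"], p["size"], a == flow["fwd"]))
    closed.extend(open_flows.values())
    closed.sort(key=lambda f: f["start"])
    return [_features(f["pkts"], activity_timeout) for f in closed]


M, R = "192.0.2.10", "192.0.2.20"


def _p(ts, src, dst, size, sport=50000, dport=2404):
    if src == R:                  # RTU replies come back from port 2404
        sport, dport = dport, sport
    return {"ts": ts, "src_ip": src, "sport": sport, "dst_ip": dst, "dport": dport, "size": size}


# Constructed trace: one IEC-104 session with 8 s, 10 s and 80 s idle gaps, so the four
# flow-timeout values the paper evaluates split it into different numbers of flows.
TRACE = [
    _p(0.0, M, R, 60), _p(0.1, R, M, 60), _p(1.0, R, M, 80), _p(2.0, R, M, 80),
    _p(10.0, M, R, 70), _p(10.2, R, M, 120),
    _p(20.0, M, R, 60), _p(20.1, R, M, 90),
    _p(100.0, M, R, 60), _p(100.1, R, M, 60),
]

if __name__ == "__main__":
    for timeout in (15, 30, 60, 120):
        flows = extract_flows(TRACE, timeout)
        print(f"flow-timeout {timeout:>3}s -> {len(flows)} flow(s): {flows}")
```

The same ten packets become 3, 2, 2 and 1 flows at 15, 30, 60 and 120 s, which is the dependence of the 83 features on the flow-timeout that Section IV.C mentions.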
Tables I-IV and Fig. 2 depict the efficacy of the aforementioned outlier detection algorithms under the different flow-timeout values, in terms of Accuracy, F1 and True Positive Rate (TPR). These metrics are defined by Equations 1-3, respectively. In particular, True Positives (TP) denotes the number of correct classifications that detected the malicious flows as malicious. Accordingly, True Negatives (TN) denotes the number of correct classifications that recognised the normal flows as normal. On the other hand, False Positives (FP) indicates the incorrect classifications that detected normal flows as anomalous, while False Negatives (FN) denotes the incorrect classifications that wrongfully recognised malicious flows as normal. According to the evaluation results, when the flow-timeout value is equal to 120s, the Isolation Forest method achieves the highest Accuracy, Precision, TPR and F1, which reach 0.982, 0.990, 0.777 and 0.875, respectively.
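Equations 1-3 computed from per-flow labels, as an added example that is not the authors' evaluation code. The label vectors and the two confusion matrices are constructed; the second pair shows why TPR and F1 are reported next to Accuracy when normal flows dominate the data.

```python
# Accuracy, Precision, TPR and F1 per Equations (1)-(3), computed from per-flow labels.
# Added example, not the authors' evaluation code; the label vectors and the two
# confusion matrices below are constructed.


def confusion(y_true, y_pred):
    """Count TP, TN, FP, FN with 1 = malicious/anomalous flow and 0 = normal flow."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors differ in length")
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, tn, fp, fn


def metrics(tp, tn, fp, fn):
    """Equations (1)-(3) plus precision; a zero denominator yields 0.0."""
    total = tp + tn + fp + fn
    accuracy = (tp + tn) / total if total else 0.0                        # Eq. (1)
    precision = tp / (tp + fp) if tp + fp else 0.0
    tpr = tp / (tp + fn) if tp + fn else 0.0                              # Eq. (3), recall
    f1 = 2 * precision * tpr / (precision + tpr) if precision + tpr else 0.0  # Eq. (2)
    return {"accuracy": accuracy, "precision": precision, "tpr": tpr, "f1": f1}


def evaluate(y_true, y_pred):
    return metrics(*confusion(y_true, y_pred))


# Same detector quality (TPR 0.8, 1% of normal flows flagged) on a balanced and on a
# normal-heavy set: Accuracy rises with the share of normal flows while F1 falls, so a
# high Accuracy alone says little about how many malicious flows are missed.
BALANCED = dict(tp=800, tn=990, fp=10, fn=200)      # 1000 malicious, 1000 normal
IMBALANCED = dict(tp=80, tn=9900, fp=100, fn=20)     # 100 malicious, 10000 normal

if __name__ == "__main__":
    print("constructed labels:", evaluate([1, 1, 0, 0, 1, 0], [1, 0, 0, 1, 1, 0]))
    for name, cm in (("balanced", BALANCED), ("imbalanced", IMBALANCED)):
        print(name, {k: round(v, 3) for k, v in metrics(**cm).items()})
```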
TABLE I: The Outlier Detection Evaluation Results for flow-timeout 15s.
Model             Accuracy  Precision  TPR    F1
OC-SVM            0.519     0.509      0.993  0.673
LOF               0.65      0.98       0.30   0.46
Isolation Forest  0.536     0.519      0.992  0.6817

TABLE II: The Outlier Detection Evaluation Results for flow-timeout 30s.
Model             Accuracy  Precision  TPR    F1
OC-SVM            0.805     0.943      0.650  0.769
LOF               0.783     0.886      0.650  0.750
Isolation Forest  0.811     0.964      0.647  0.774

TABLE III: The Outlier Detection Evaluation Results for flow-timeout 60s.
Model             Accuracy  Precision  TPR    F1
OC-SVM            0.811     0.964      0.647  0.774
LOF               0.790     0.941      0.620  0.747
Isolation Forest  0.812     0.964      0.647  0.775

TABLE IV: The Outlier Detection Evaluation Results for flow-timeout 120s.
Model             Accuracy  Precision  TPR    F1
OC-SVM-Linear     0.812     0.962      0.647  0.774
LOF               0.812     0.964      0.647  0.775
Isolation Forest  0.982     0.990      0.777  0.875
Fig. 2: The overall performance of the outlier detection methods with the different flow-timeout values.
VI. CONCLUSIONS
The continuous progression and involvement of IoT in the industrial domain, and especially in the electrical grid, requires the presence of appropriate cybersecurity measures. In this paper, we focused our attention on the security of the IEC-104 protocol, which is commonly utilised by SCADA systems. In particular, after investigating IEC-104 security issues, we provided a relevant IDS which applies access control and outlier detection mechanisms in order to detect IEC-104 anomalies. The performance of the proposed IDS is demonstrated through the evaluation analysis, where Accuracy and F1 score reach 98% and 87%, respectively.
VII. ACKNOWLEDGEMENT
This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 787011 (SPEAR).
REFERENCES
[1] P. I. R. Grammatikis, P. G. Sarigiannidis, and I. D. Moscholios, "Securing the Internet of Things: Challenges, threats and solutions," Internet of Things, vol. 5, pp. 41–70, 2019. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S2542660518301161
[2] P. Radoglou-Grammatikis, P. Sarigiannidis, I. Giannoulakis, E. Kafetzakis, and E. Panaousis, "Attacking IEC-60870-5-104 SCADA systems," in 2019 IEEE World Congress on Services (SERVICES), vol. 2642-939X, July 2019, pp. 41–46.
[3] S. G. Zarzosa, "D2.1 In-depth analysis of SIEMs extensibility," DiSIEM Project, Tech. Rep. 1, 2017.
[4] P. Maynard, K. McLaughlin, and B. Haberler, "Towards understanding man-in-the-middle attacks on IEC 60870-5-104 SCADA networks," in 2nd International Symposium for ICS & SCADA Cyber Security Research 2014 (ICS-CSR 2014), 2014, pp. 30–42.
[5] C.-Y. Lin and S. Nadjm-Tehrani, "Understanding IEC-60870-5-104 traffic patterns in SCADA networks," in Proceedings of the 4th ACM Workshop on Cyber-Physical System Security, 2018, pp. 51–60.
[6] E. Hodo, S. Grebeniuk, H. Ruotsalainen, and P. Tavolato, "Anomaly detection for simulated IEC-60870-5-104 traffic," in Proceedings of the 12th International Conference on Availability, Reliability and Security, 2017, pp. 1–7.
[7] Y. Yang, K. McLaughlin, T. Littler, S. Sezer, B. Pranggono, and H. Wang, "Intrusion detection system for IEC 60870-5-104 based SCADA networks," in 2013 IEEE Power & Energy Society General Meeting. IEEE, 2013, pp. 1–5.
[8] Y. Yang, K. McLaughlin, S. Sezer, Y. Yuan, and W. Huang, "Stateful intrusion detection for IEC 60870-5-104 SCADA security," in 2014 IEEE PES General Meeting | Conference & Exposition. IEEE, 2014, pp. 1–5.
[9] R. Schlegel, S. Obermeier, and J. Schneider, "A security evaluation of IEC 62351," Journal of Information Security and Applications, vol. 34, pp. 197–204, 2017.
[10] C. C. Aggarwal, "An introduction to outlier analysis," in Outlier Analysis. Springer, 2017, pp. 1–34.
[11] M. Gupta, J. Gao, C. C. Aggarwal, and J. Han, "Outlier detection for temporal data: A survey," IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 9, pp. 2250–2267, 2013.
[12] X. Yang, L. J. Latecki, and D. Pokrajac, "Outlier detection with globally optimal exemplar-based GMM," in Proceedings of the 2009 SIAM International Conference on Data Mining. SIAM, 2009, pp. 145–154.
[13] R. R. S, R. R, M. Moharir, and S. G, "Scapy - a powerful interactive packet manipulation program," in 2018 International Conference on Networking, Embedded and Wireless Systems (ICNEWS), 2018, pp. 1–5.
[14] A. H. Lashkari, G. Draper-Gil, M. S. I. Mamun, and A. A. Ghorbani, "Characterization of Tor traffic using time based features," in ICISSP, 2017, pp. 253–262.
[15] AlienVault OSSIM security events. [Online]. Available: https://cybersecurity.att.com/documentation/usm-appliance/events/event-details-fields.htm
[16] P. Maynard, K. McLaughlin, and S. Sezer, "An open framework for deploying experimental SCADA testbed networks," in 5th International Symposium for ICS & SCADA Cyber Security Research 2018, 2018, pp. 92–101.
... Large distances result in low-density regions for anomalous data instances as compared to normal data instances. LOF is also used in communication networks for identifying anomalous traffic packets [64] and in commercial and residential buildings [156,157]. Shylendra et al. use kernel density estimation (KDE) for detecting anomalous usage in power consumption data for wide sensor networks [178]. ...
... Isolated forest is an unsupervised technique based on the decision tree algorithm. It is used for detecting anomalies in communication networks [64,177], household power consumption [7,114], power grid parameters in SCADA systems [175], inverter sensors in solar power plants [82] PMU data [93] and micro-PMU data in distribution networks [50]. ...
... Though the performance of OC-SVM is similar to a binary class SVM, OC-SVM is preferred as it is trained only on normal data and detects anomalies from the new data by comparing it to the normal behavior [45]. It is used for identifying attacks in power consumption data of IoT devices [72,211], communication networks [64] and transmission lines [51,217]. ...
Article
Full-text available
The power grid is a constant target for attacks as they have the potential to affect a large geographical location, thus affecting hundreds of thousands of customers. With the advent of wireless sensor networks in the smart grids, the distributed network has more vulnerabilities than before, giving numerous entry points for an attacker. The power grid operation is usually not hindered by small-scale attacks; it is popularly known to be self-healing and recovers from an attack as the neighboring areas can mitigate the loss and prevent cascading failures. However, the attackers could target users, admins and other control personnel, disabling access to their systems and causing a delay in the required action to be taken. Termed as the biggest machine in the world, the US power grid has only been having an increased risk of outages due to cyber attacks. This work focuses on structuring the attack detection literature in power grids and provides a systematic review and insights into the work done in the past decade in the area of anomaly or attack detection in the domain.
... In the power system, the communication protocols and standards include DNP3, IEC 61850, and IEC 60870. IEC 60870 is a widely used standard in SCADA systems, with connection to SCADA mostly achieved through IEC 60870-5-104 [32]. On the other hand, the communication protocol used in the SCADA of DHS is usually Modbus [33]. ...
... where (31) and (33) are the logical relation constraint of the attack vector; (32) and (34) are the attack resources constraints. ...
Article
Full-text available
The integration of information and communication infrastructures has dramatically increased the cyber vulnerability of integrated energy systems (IES). Due to the coupling among various energy systems, cyber-attacks on one sub-energy system may transmit to and affect other sub-energy systems, subsequently threatening the security of the whole IES. This paper develops a destructive coordinated heat and power cyber-attack for the first time, analyzes its risk on the heat and electric integrated energy systems, and reveals its potential consequences. In the developed coordinated attack, a bi-level attacker-operator model is formulated to identify the worst-case scenario caused by the coordinated attack. Two types of false data injection attacks are considered in this coordinated attack strategy: the improved load redistribution attack on the power system and the false heat load attack on the heating system. In order to accurately characterize the stealthiness and adverse effect of the coordinated attack, a time window matching strategy that handles the delay characteristics of the heating system and the latency property of the false heat load attack is proposed, along with the matching of attack parameters in different attacks. Simulation results show that the proposed coordinated attack significantly impacts the system in economic losses, load shedding, renewable power curtailment, and line overload.
... An IEC 104 intrusion detection approach similar to Udd et al. (2016) can be seen in a recent publication (Grammatikis et al. 2020). In the latest work, an access control mechanism is enforced initially to filter unknown ports, Internet Protocol, and Media Access Control addresses. ...
... Evaluations from Egger et al. (2020); Anwar et al. (2021); Grammatikis et al. (2020) reveal that for IEC 104 protocol communication, the Support Vector Machine method offers stable results for unsupervised anomaly detection. Accordingly, we focus on improving SVM unsupervised anomaly detection performance for IEC 104 SCADA protocol. ...
Article
Full-text available
Network anomaly detection for critical infrastructure supervisory control and data acquisition (SCADA) systems is the first line of defense against cyber-attacks. Often hybrid methods, such as machine learning with signature-based intrusion detection methods, are employed to improve the detection results. Here an attempt is made to enhance the support vector-based outlier detection method by leveraging behavioural attribute extension of the network nodes. The network nodes are modeled as graph vertices to construct related attributes that enhance network characterisation and potentially improve unsupervised anomaly detection ability for SCADA network. IEC 104 SCADA protocol communication data with good domain fidelity is utilised for empirical testing. The results demonstrate that the proposed approach achieves significant improvements over the baseline approach (average $$F_{1}$$ F 1 score increased from 0.6 to 0.9, and Matthews correlation coefficient (MCC) from 0.3 to 0.8). The achieved outcome also surpasses the unsupervised scores of related literature. For critical networks, the identification of attacks is indispensable. The result shows an insignificant missed-alert rate ( $$0.3\%$$ 0.3 % on average), the lowest among related works. The gathered results show that the proposed approach can expose rouge SCADA nodes reasonably and assist in further pruning the identified unusual instances.
... In the related previous research [3], it was found that the Isolation Forest algorithm had the highest accuracy and F1 score, specifically at a flow-timeout threshold of 120s, with values of 98% and 87% respectively. However, the True Positives (TP) rate was not very high, reaching only 77%. ...
Article
Full-text available
The large number of data packet records of network traffic can be used to evaluate the quality of a network as well as to analyze the occurrence of anomalies in the network, both related to network security and network performance. Based on the data obtained, the occurrence of anomalies in computer networks can not be detected specifically on which traffic packets. Meanwhile, to monitor network traffic packets manually will require a lot of time and resources, making it difficult to detect potential anomaly events more specifically. This study analyzes network packet traffic data to see records that include anomalies with an outlier detection approach, using the Isolation Forest algorithm to detect outliers on network traffic packet data, with the result that minority data are of the outliers type of 1,643 records (4.86%), while inliers are 32,098 records (95.13%). Then check and filter the expert attributes that contain expert information. The outlier detection results were classified using 5 algorithms as comparison, namely Random Forest Classifier, Support Vector Machine, Decision Tree Classifier, K-Nearest Neighbor, and Bernoulli Naive Bayes. The Random Forest algorithm has the highest score for accuracy, macro average precision, and macro average f1-score, namely 0.9962067330488383; 0.78; and 0.82. The classification model can be used to classify samples with labels "inliers", "outliers", "Error", and "warning outliers". There are labels that have scores for precision, recall, and f1-scrore that are not too high, namely the labels “error” (0.50; 1.00; and 0.67) and “warning outlier” (0.64; 0 .70; 0.67). The resulting classification model is used for prototype development that facilitates the process of investigating potential network traffic packet anomalies more specifically.
... In that to include a forensics repository and a forensic readiness framework and mechanisms to support the reputation of each asset beyond the visualization capabilities of the cybersecurity incidents. The same team also suggested a multivariate Intrusion Detection System (IDS) by adopting both access control and outlier detection mechanisms [34]. They aimed to detect timely possible anomalies against IEC-104 as a set of standards that define systems used for remote control (SCADA) in electrical engineering and power system automation applications. ...
... In [9], the authors developed a multivariate Intrusion Detection System (IDS) capable of providing access control and outlier detection methods to detect anomalous behaviour in IEC-104. The IEC protocol is used in SCADA systems where there are no sufficient authorization mechanisms. ...
Article
Full-text available
The rapidly increasing use of the internet has led to an increase in new devices and technologies; however, attack and security violations have grown exponentially as well. In order to detect and prevent attacks, an Intrusion Detection System (IDS) is proposed using Logical Analysis of Data (LAD). Logical Analysis of Data is a data analysis technique that classifies data as either normal or an attack based on patterns. A pattern generation approach is discussed using the concept of Boolean functions. The IDS model is trained and tested using the Bot-IoT dataset. The model achieves an accuracy of 99.98%, and is able to detect new attacks with good precision and recall.
Chapter
Intrusion Detection Systems (IDS) are increasingly crucial in the modern digital environment due to security risks and cyberattacks. Cyberattacks are deliberate attempts to damage computers, steal data, or disrupt operations. These systems analyze network traffic to identify security threats and detect these attacks. IDS detects cyberattacks via signature-based and anomaly-based detection. Signature-based IDS detection uses predetermined patterns or signatures to identify known threats, while anomaly-based detection analyses network activity aberrations. This study proposes a hybrid intrusion detection system that uses signature-based detection to find known threats and anomaly-based detection to uncover new ones. Hybrid strategies try to maximize the benefits of several techniques while minimizing their downsides. In the following study, Anomaly IDS is built by preprocessing the CICID2017 dataset and reducing its dimensions using autoencoders, then training the classification model using Random Forest and Light GBM. Our second solution, Anomaly IDS using autoencoders where the autoencoder is trained only on regular packets to help detect anomalies by calculating anomaly threshold. This paper introduces the proposed Hybrid-IDS design by combining Snort3, Redis and Elastic Stack. Finally, Random Forest and Light GBM classification models and deep stacked autoencoder for anomaly detection are evaluated.
Conference Paper
Full-text available
In the digital age of the hyper-connected Critical Infrastructures (CIs), the role of the smart electrical grid is crucial, providing several benefits, such as improved grid resilience, efficient energy distribution and smart load and response management. However, despite the several advantages, the rapid evolution of the heterogeneous technologies involved in the smart electrical grid increases the attack surface. In this paper, we focus first our attention on how Artificial Intelligence (AI) can be used to protect the smart electrical grid in terms of detecting efficiently potential cyberattacks and anomalies. Secondly, we investigate how AI can be used to trick AI-enabled detection services, thus resulting in false alarms. In particular, we emphasise on cyberattacks against IEC 60870-5-104, an industrial communication protocol which is widely used in the energy domain. Therefore, a relevant AI-powered Intrusion Detection System (IDS) is provided, utilising strong Machine Learning (ML)/Deep Learning (DL) methods, such as Decision Tree, Random Forest, XGBOOST and deep MultiLayer Perceptron (MLP). On the other hand, we investigate how adversarial attacks can affect the detection performance of the previous IDS. For this purpose, the Fast Gradient Signed Method (FGSM) is examined, and a Conditional Tabular Generative Adversarial Network (CTGAN) adversarial attack generator is implemented. The evaluation results demonstrate the efficiency of the proposed IDS and the aforementioned adversarial attacks.
Article
Nowadays, sustainability is the core of green technologies, being a critical aspect in many industries concerned with reducing carbon emissions and optimizing energy consumption. While this concern increases, the number of cyberattacks causing sustainability issues in industries also grows. These cyberattacks impact industrial systems that control and monitor the correct functioning of processes and systems. Furthermore, they are very specialized, requiring knowledge about the target industrial processes, and are undetectable for traditional cybersecurity solutions. To overcome this challenge, we present SUSAN, a Deep Learning-based framework, to build anomaly detectors that expose cyberattacks affecting the sustainability of industrial systems. SUSAN follows a modular and flexible design that allows the ensembling of several detectors to achieve more precise detections. To demonstrate the feasibility of SUSAN, we implemented the framework in a water treatment plant using the SWaT testbed. The experiments performed achieved the best recall rate (0.910) and acceptable precision (0.633), resulting in an F1-score of 0.747. Regarding individual cyberattacks that impact the system's sustainability, our implementation detected all of them, and, concerning the related work, it achieved the most balanced results, with 0.64 as the worst recall rate. Finally, a false-positive rate of 0.000388 makes our solution feasible in real scenarios.
Article
Modern electric power facilities, stations and high-voltage substations, have become digital objects with the active use of high-speed local networks directly involved in the technological process. Management, analysis and control of information exchange in the digital substation of the power system require the development of new means and approaches. For these purposes, machine learning methods can be used, in particular the apparatus of artificial neural networks (ANN). The paper shows the possibilities of using feed-forward ANNs (multilayer perceptrons) for modeling and identifying anomalies in the operation modes of relay protection with a time delay. The results of training and testing of the ANN are presented on the example of analyzing the operation of the overcurrent protection in the "sliding time window" mode in a three-phase electrical network. The proposed neuroalgorithm and configuration of the ANN can be used to control the modes and accuracy of relay and cybernetic defenses.
Conference Paper
The rapid evolution of Information and Communications Technology (ICT) services transforms the conventional electrical grid into a new paradigm called Smart Grid (SG). Even though SG brings significant improvements, such as increased reliability and better energy management, it also introduces multiple security challenges. One of the main reasons for this is that SG combines a wide range of heterogeneous technologies, including Internet of Things (IoT) devices as well as Supervisory Control and Data Acquisition (SCADA) systems. The latter are responsible for monitoring and controlling the automatic procedures of energy transmission and distribution. Nevertheless, the presence of these systems introduces multiple vulnerabilities because their protocols do not implement essential security mechanisms such as authentication and access control. In this paper, we focus our attention on the security issues of the IEC 60870-5-104 (IEC-104) protocol, which is widely utilized in the European energy sector. In particular, we provide a SCADA threat model based on a Coloured Petri Net (CPN) and emulate four different types of cyber attacks against IEC-104. Last, we use AlienVault's risk assessment model to evaluate the risk level that each of these cyber attacks introduces to our system, confirming our intuition about their severity.
Article
The Internet of Things (IoT) is the next technological leap that will introduce significant improvements to various aspects of the human environment, such as health, commerce and transport, among others. However, despite the fact that it may bring beneficial economic and social changes, the implementation of such a system poses many challenges and risks that need to be addressed. In particular, the security and privacy protection concerns remain the most crucial challenge that affects the development of this field. In this context, the research community, anticipating the security issues in IoT, has developed appropriate countermeasures; however, these solutions are characterized by important constraints. This study aims to present a comprehensive analysis of the security issues in the IoT domain, by examining the security requirements and the possible threats, assessing the existing solutions, identifying their limitations and providing directions for future research work. More precisely, our work concentrates mainly on security threats in a four-layer communication architecture and evaluates the security mechanisms of the IoT protocols and mechanisms.
Article
IEC 62351 is an industry standard aimed at improving security in automation systems in the power system domain. It contains provisions to ensure the integrity, authenticity and confidentiality for different protocols used in power systems. In this article we look at the different parts of IEC 62351 and assess to what extent the standard manages to improve security in automation systems. We also point out some incongruities in the algorithms or parameters chosen in parts of the standard. Overall, we conclude that the standard can significantly improve security in power systems if applied comprehensively, but we also note that the need to preserve (partial) backwards-compatibility has led to some design choices that provide less security than could have been achieved with a more ambitious approach.
Conference Paper
The IEC-60870-5-104 (IEC-104) protocol is commonly used in Supervisory Control and Data Acquisition (SCADA) networks to operate critical infrastructures, such as power stations. As the importance of SCADA security is growing, the characterization and modeling of SCADA traffic for developing defense mechanisms based on the regularity of the polling mechanism used in SCADA systems has been studied, whereas the characterization of traffic caused by non-polling mechanisms, such as spontaneous events, has not yet been studied. This paper provides a first look at how the traffic flowing between SCADA components changes over time. It proposes a method built upon a Probabilistic Suffix Tree (PST) to discover the underlying timing patterns of spontaneous events. In 11 out of 14 tested data sequences, we see evidence of the existence of underlying patterns. Next, the prediction capability of the approach, useful for devising anomaly detection mechanisms, was studied. While some data patterns enable an 80% prediction possibility, more work is needed to tune the method for higher accuracy.
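The timing-pattern idea in the abstract above, as an added example that is not the cited paper's code: gaps between consecutive spontaneous APDUs are discretised into symbols, a bounded-order suffix-context model (the unpruned core of a Probabilistic Suffix Tree, not the paper's PST itself) learns which symbol follows each context, and mispredictions on a new sequence serve as the anomaly signal. The bin edges, the order, the periodic pattern and the inter-arrival times are all constructed assumptions.

```python
"""Timing-pattern model for spontaneous IEC-104 events.

Added example, not the cited paper's implementation. The inter-arrival times,
bin edges and event pattern are constructed; the model is a bounded-order
suffix-context predictor (the unpruned core of a PST), not the paper's PST.
"""
from bisect import bisect_right
from collections import Counter, defaultdict

# Assumed bins for seconds between consecutive spontaneous APDUs (COT = 3).
EDGES = [0.5, 2.0, 10.0]
SYMBOLS = "smlx"  # short, medium, long, very long gap


def discretise(intervals):
    """Map inter-arrival times to a symbol string, one character per gap."""
    return "".join(SYMBOLS[bisect_right(EDGES, t)] for t in intervals)


class SuffixContextModel:
    """Counts, for every context of length 0..order, the symbols that followed it."""

    def __init__(self, train, order=2, min_support=1):
        self.order = order
        self.min_support = min_support
        # counts[context] -> Counter of the symbol observed right after that context
        self.counts = defaultdict(Counter)
        for i, sym in enumerate(train):
            for k in range(order + 1):
                if i - k >= 0:
                    self.counts[train[i - k:i]][sym] += 1

    def predict(self, history):
        """Back off from the longest seen suffix of history to shorter ones.

        Returns (symbol, estimated probability); (None, 0.0) if nothing matches.
        """
        for k in range(min(self.order, len(history)), -1, -1):
            ctx = history[len(history) - k:]
            followers = self.counts.get(ctx)
            if followers and sum(followers.values()) >= self.min_support:
                # deterministic tie-break on the symbol itself
                sym, n = max(followers.items(), key=lambda kv: (kv[1], kv[0]))
                return sym, n / sum(followers.values())
        return None, 0.0


def evaluate(model, seq):
    """Predict each symbol from its predecessors once a full context is available.

    Returns (accuracy, indices of mispredicted symbols); the misses are the
    positions where the observed timing departs from the learned pattern.
    """
    misses = []
    start = model.order
    for i in range(start, len(seq)):
        sym, _ = model.predict(seq[:i])
        if sym != seq[i]:
            misses.append(i)
    n = len(seq) - start
    return ((n - len(misses)) / n if n else 0.0), misses


if __name__ == "__main__":
    # Constructed periodic pattern: two quick events, a 1 s gap, then a 30 s lull.
    train = discretise([0.2, 0.3, 1.0, 30.0] * 8)
    model = SuffixContextModel(train, order=2)
    print(evaluate(model, discretise([0.2, 0.3, 1.0, 30.0, 0.2, 0.3, 1.0, 30.0])))
    # A burst of short gaps where the lull should be is mispredicted.
    print(evaluate(model, discretise([0.2, 0.3, 1.0, 30.0, 0.2, 0.3, 0.2, 0.2])))
```

The prediction accuracy reported by `evaluate` is the quantity the abstract describes; on live traffic the mispredicted positions would be raised as timing anomalies, while a PST proper would additionally prune contexts whose follower distribution adds nothing over the shorter suffix.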
Conference Paper
Substation security plays an important role in the delivery system of electrical energy. During the past years, there has been an increase in the number of attacks on automation systems. In spite of that, there has not been enough focus dedicated to the protection of such networks. In this paper, we introduce a novel machine learning based intrusion detection system targeted at automation networks of substations based on the IEC 60870-5-104 protocol. The novelty of our approach opposed to the state-of-the-art is the monitoring of several features on multiple protocol layers, which enables the identification of multiple types of attacks. Firstly, we simulate the communication between the substation slave and the server based on data gained from real substations, and we simulate the system's behaviour under attack, too. Secondly, we observe the system's normal behaviour and its behaviour under attack, in order to extract features needed for building an anomaly detection system. Lastly, based on these features we suggest an anomaly detection system for the asynchronous IEC 60870-5-104 protocol. We designed the anomaly detection model by using machine learning from the IEC 60870-5-104 protocol data acquired. The classifier with the highest performance was chosen by comparing 7 different classification algorithms: the Rule Learner classifier algorithm turned out to be the best.
Chapter
Outliers are also referred to as abnormalities, discordants, deviants, or anomalies in the data mining and statistics literature. In most applications, the data is created by one or more generating processes, which could either reflect activity in the system or observations collected about entities. When the generating process behaves unusually, it results in the creation of outliers. Therefore, an outlier often contains useful information about abnormal characteristics of the systems and entities that impact the data generation process. The recognition of such unusual characteristics provides useful application-specific insights.
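The two mechanisms that recur in the entries above, an access-control check on who may send which ASDU type and a thresholded outlier score on traffic features (the anomaly threshold of the hybrid-IDS entry, the outliers of the last entry), combined in one pass over parsed IEC-104 APDU summaries. This is an added example, not any cited paper's code: the record layout, the host addresses, the allowed type IDs, the baseline values and the 3.5 cut-off on the modified z-score are all constructed assumptions.

```python
"""Two-stage IEC-104 anomaly detector: access control first, then robust outlier scoring.

Added example, not the paper's implementation. Each record is a constructed
summary of one parsed APDU (source host, ASDU type ID, APDU length, seconds
since the previous APDU); the ACL, addresses and threshold are assumptions.
"""
from statistics import median

# Assumed access-control list: ASDU type IDs each host may send. The controlling
# station issues commands (45 single command, 100 interrogation, 103 clock sync);
# the RTU returns monitored data (1 single-point, 13 float measurand, 70 end of init).
ACL = {
    "10.0.0.1": {45, 100, 103},   # SCADA master (assumed address)
    "10.0.0.20": {1, 13, 70},     # RTU (assumed address)
}

# Constructed baseline of normal APDUs: (apdu_len in bytes, interval in seconds)
BASELINE = [
    (18, 1.0), (20, 1.1), (22, 0.9), (20, 1.0), (19, 1.05),
    (21, 0.95), (20, 1.0), (20, 1.1), (22, 0.9), (18, 1.0),
]

# Constructed stream to inspect; comments describe what each record models.
STREAM = [
    {"src": "10.0.0.1",  "type_id": 100, "apdu_len": 16,  "interval": 1.0},   # interrogation
    {"src": "10.0.0.20", "type_id": 13,  "apdu_len": 20,  "interval": 1.0},   # normal measurement
    {"src": "10.0.0.20", "type_id": 13,  "apdu_len": 20,  "interval": 0.02},  # burst: flooding
    {"src": "10.0.0.1",  "type_id": 45,  "apdu_len": 16,  "interval": 1.0},   # legitimate command
    {"src": "10.0.0.99", "type_id": 45,  "apdu_len": 16,  "interval": 1.0},   # unknown host injects a command
    {"src": "10.0.0.20", "type_id": 45,  "apdu_len": 16,  "interval": 1.0},   # RTU sends a command: role reversal
    {"src": "10.0.0.20", "type_id": 13,  "apdu_len": 240, "interval": 1.0},   # oversized APDU
]


def robust_stats(values):
    """Median and median absolute deviation (MAD), both resistant to a few outliers."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def build_baseline(samples):
    """Per-feature (median, MAD) learned from normal traffic only."""
    lens, intervals = zip(*samples)
    return {"apdu_len": robust_stats(lens), "interval": robust_stats(intervals)}


def modified_z(x, med, mad):
    """Iglewicz-Hoaglin modified z-score; 0.6745 scales MAD to sigma for normal data."""
    if mad == 0:
        return 0.0 if x == med else float("inf")
    return 0.6745 * (x - med) / mad


def detect(records, acl, baseline, threshold=3.5):
    """Return alerts as (index, verdict, detail); ACL violations are not also scored."""
    alerts = []
    for i, rec in enumerate(records):
        if rec["type_id"] not in acl.get(rec["src"], set()):
            alerts.append((i, "acl-violation",
                           f"{rec['src']} may not send ASDU type {rec['type_id']}"))
            continue
        for feat in ("apdu_len", "interval"):
            med, mad = baseline[feat]
            z = modified_z(rec[feat], med, mad)
            if abs(z) > threshold:
                alerts.append((i, "outlier", f"{feat}={rec[feat]} modified z={z:.1f}"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(STREAM, ACL, build_baseline(BASELINE)):
        print(alert)
```

Median and MAD are used instead of mean and standard deviation so that a handful of attack packets that slipped into the baseline capture do not inflate the threshold; the master's shorter command APDUs score about 2.7 and stay below the cut-off, while the flood gap and the oversized APDU score far beyond it.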