Conference Paper

DecIED: Scalable k-Anonymous Deception for IEC61850-Compliant Smart Grid Systems

... On the other hand, in-network deception technologies are blended into the real system infrastructure to monitor the activities of persistent attackers in the infrastructure while misleading and/or confusing them with fake system topology and status information to mitigate or slow down the attacks. Technology of this sort for smart grid systems is still rare even in academia, except for DecIED [11] and DefRec [12]. The latter requires deep integration of software-defined networking and, thus, requires major upgrades to the existing smart grid network architecture. ...
... Section 2 elaborates modernized power grid systems based on IEC 61850 international standards. We then provide a summary of design and implementation of the deception technology for IEC 61850 compliant smart grid systems, called DecIED [11], in Section 3. Discussions on real-world deployment of deception technologies for smart grid systems as well as its effectiveness against high-profile, real-world incidents are made in Section 4. Finally, we conclude the paper in Section 5. ...
... IEC 61850 is the international standard for substation automation and monitoring and is widely adapted by many power grid operators. In this section, because DecIED [11] relies on the characteristics and specification of IEC 61850 standards, we provide an overview of devices that are deployed in the IEC 61850 based smart power grid system. We then discuss communication protocols defined in IEC 61850, namely MMS (Manufacturing Messaging Specification), GOOSE (Generic Object Oriented Substation Event), and SV (Sampled Values). ...
In recent years, cyber attacks against critical infrastructure have been increasing and are becoming stealthy and persistent. Attackers or malware may be hiding in the system after penetration to collect system information. They would further make lateral and vertical movement to seek target devices under the radar of existing cybersecurity measures. In order to counter such emerging attack vectors, in-network deception technology is attracting attention. In-network deception technology utilizes an apparently real but dummy (often virtual) devices deployed throughout the infrastructure to capture the attackers’ reconnaissance activities. In this paper, we pick one concrete design and implementation of in-network deception technology for IEC 61850 standard compliant smart substation systems in smart grid, named DecIED, and discuss its effectiveness in countering high-profile attacks that were recently witnessed in the real world. The evaluation is conducted based on the MITRE ATT&CK Matrix for industrial control systems, which tabulates phases and tactics of cyberattack against industrial control systems.
Conference Paper
Internet of Things (IoT) network security is one of the most crucial issues that the information technology (IT) community faces. As the IoT ecosystem continues to accelerate, so do the cyber security threats associated with connected devices. Any compromised IoT device becomes a backdoor into the organization's network. IoT devices are new exploitable agents due to weaknesses such as less secure firmware and missing high-grade authentication. Hence, intruders can take advantage of the weaker level of security; management of the devices is much more labour intensive, and they are considered soft targets. Deception, an amalgamation of analytics and Machine Learning, can act as a silver harpoon and adds an extra layer of security for IoT devices: a deception platform is introduced into the set of devices, deceiving attackers into thinking they are authentic. This paper describes the limitations of Internet of Things end points and how Deception Technology can be used to create a layer of confusion against intruders. We have done experiments on raw logs to distinguish IoT and non-IoT devices, the type of IoT device, anomalous device behaviour and what type of anomaly the device is facing, using multiple machine learning algorithms, and to predict possible attacks by performing effective feature selection and classification. Our results show comparison statistics of multiple models based on various metrics and derive the deceptive strategy the defender adopts to keep the attacker's success rate low.
Conference Paper
This work proposes a moving target defense (MTD) strategy to detect coordinated cyber-physical attacks (CCPAs) against power grids. A CCPA consists of a physical attack, such as disconnecting a transmission line, followed by a coordinated cyber attack that injects false data into the sensor measurements to mask the effects of the physical attack. Such attacks can lead to undetectable line outages and cause significant damage to the grid. The main idea of the proposed approach is to invalidate the knowledge that the attackers use to mask the effects of the physical attack by actively perturbing the grid's transmission line reactances using distributed flexible AC transmission system (D-FACTS) devices. We identify the MTD design criteria in this context to thwart CCPAs. The proposed MTD design consists of two parts. First, we identify the subset of links for D-FACTS device deployment that enables the defender to detect CCPAs against any link in the system. Then, in order to minimize the defense cost during the system's operational time, we use a game-theoretic approach to identify the best subset of links (within the D-FACTS deployment set) to perturb which will provide adequate protection. Extensive simulations performed using the MATPOWER simulator on IEEE bus systems verify the effectiveness of our approach in detecting CCPAs and reducing the operator's defense cost.
Cyber security is a growing concern in power systems. To achieve security requirements such as authentication and integrity for Generic Object-Oriented Substation Event (GOOSE) messages, the IEC 62351-6 standard recommends using digital signatures. Furthermore, it explicitly specifies the use of the RSASSA-PSS (Probabilistic Signature Scheme) digital signature algorithm based on RFC 3447. Power systems run in real time, and implemented cybersecurity measures have to strictly meet timing requirements. Therefore, it is very important to study the performance of such methods and contrast it with the timing requirements stipulated by grid operations, e.g. power system protection enforces a maximum delay of 3 msec. In this fashion, it can be analyzed whether a recommended cyber security mechanism is fit for use in power systems. In previous works, only RSA digital signatures were studied, and their performance was evaluated in terms of computational times for securing GOOSE messages. This paper analyses the timing performance of the RSASSA-PSS digital signature algorithm for securing GOOSE messages. This is important to assess its feasibility for IEC 61850-based networks as specified by the IEC 62351-6 standard. The RSASSA-PSS digital signature algorithm is implemented in Python and verification times are calculated. The results show that RSASSA-PKCS1-v1_5 digital signatures with 1024-bit keys provide improved performance compared to other RSA digital signature schemes. That being said, none of the algorithms is fast enough to be implemented for time-critical operations such as protection coordination.
A hackfest named SWaT Security Showdown (S3) has been organized for two consecutive years. S3 has enabled researchers and practitioners to assess the effectiveness of methods and products aimed at detecting cyber attacks launched in real time on an operational water treatment plant, namely Secure Water Treatment (SWaT). In S3, independent attack teams design and launch attacks on SWaT while defence teams protect the plant passively and raise alarms upon attack detection. Attack teams are scored according to how successful they are in performing attacks based on specific intents, while the defense teams are scored based on the effectiveness of their methods in detecting the attacks. This paper focuses on the first two instances of S3 and summarizes the benefits of the hackfest and the performance of an attack detection mechanism, named Water Defense, that was exposed to attackers during S3.
IEC 61850 is the standard for substation automation which enables substation equipment called Intelligent Electronic Devices (IEDs) to communicate with each other. The communication protocol used by the IEDs is called GOOSE. Unfortunately, security researchers have identified a number of vulnerabilities in the GOOSE protocol and have demonstrated that these vulnerabilities can be exploited to perform security attacks on the IEC 61850 network. By itself, the IEC 61850 standard does not address the security requirements needed in a critical infrastructure. Therefore, a security mechanism to better protect the IEC 61850 network needs to be implemented. In their paper, Coates et al. proposed a Trust System for securing the TCP/IP communication of SCADA networks. However, due to its focus on TCP/IP communication, the Trust System by Coates et al. cannot be directly utilized for the IEC 61850 network because the IEDs use the GOOSE protocol to communicate. This paper proposes a Trust System for securing GOOSE communication between IEDs in an IEC 61850 network. The proposed Trust System contains modules for firewall, format and pattern validation, priority level assignment, alerting, blocking, and event logging.
In order to implement an IEC 61850 communication system, there needs to be a complete understanding of the methods, tools and technologies associated with the communication network, protocol and messaging underpinning the services. The IEC 61850 standard allows for communication between devices within a substation where a peer-to-peer model for Generic Substation Events (GSE) services is used for fast and reliable communication between Intelligent Electronic Devices (IEDs). One of the messages associated with the GSE services is the Generic Object Oriented Substation Event (GOOSE) message. A detailed analysis of the structure of the GOOSE message is required for fault diagnosis, or when developing hardware that is compliant with the IEC 61850 standard. This is one of the stated objectives of the Centre for Substation Automation and Energy Management Systems (CSAEMS) in the training of prospective specialists and engineers. A case study is presented where the structure of the GOOSE message as described in IEC 61850-8-1 is confirmed using firstly simulation, then experimentation with actual IEDs. In the first instance the message structure is confirmed by simulation of the GOOSE message and capturing it using network protocol analyzer software, after which analysis of the packet frame is performed. Data encoding of the GOOSE Protocol Data Unit (PDU) is analyzed with emphasis on the Abstract Syntax Notation (ASN.1) Basic Encoding Rules (BER). The second part of the case study is conducted through experimentation with IEDs which are used to generate a GOOSE message, and network protocol analyzer software is used to analyze the structure. Both the simulation and practical experimentation with actual devices confirm the GOOSE message structure as specified in part 8-1 of the IEC 61850 standard.
Conference Paper
The work presented in this paper is targeted at the first phase of the test and measurement product life cycle, namely standardisation. During this initial phase of any product, the emphasis is on the development of standards that support new technologies while leaving the scope of implementations as open as possible. Allowing the engineer to freely create and invent tools that can quickly help simulate or emulate ideas is paramount. Within this scope, a traffic generation system has been developed for IEC 61850 Sampled Values which will help in the evaluation of the data models, data acquisition, data fusion, data integration and data distribution between the various devices and components that use this complex set of evolving standards in Smart Grid systems.
Evaluating the security of Cyber-Physical Systems (CPS) is challenging, mainly because it brings risks that are not acceptable in mission-critical systems like Industrial Control Systems (ICS). Model-based approaches help to address such challenges by keeping the risk associated with testing low. This paper presents a novel modelling framework and methodology that can easily be adapted to different CPS. Based on our experiments, HybLearner takes less than 140 s to build a model from historical data of a real-world water treatment testbed, and HybTester can accurately simulate about 60 min ahead of normal behaviour of the system, including transitions of control strategies. We also introduce a security metric (time-to-critical-state) that measures how fast the system might reach a critical state, which is one of the use cases of the proposed framework to build a model-based attack detection mechanism.
Cyber deception is a key proactive cyber resilience technique to reverse the current asymmetry that favors adversaries in cyber warfare by creating a significant confusion in discovering and targeting cyber assets. One of the key objectives for cyber deception is to hide the true identity of the cyber assets in order to effectively deflect adversaries away from critical targets, and detect their activities early in the kill chain.
Though attackers aim to introduce different physical perturbations on power grids, they need to rely on periodic data acquisitions performed by control centers to estimate the physical state of the grid and thus to prepare for destructive activities. In this paper, we present Raincoat, which randomizes data acquisitions to disrupt and mislead attackers’ preparations. We transform one data acquisition into multiple rounds. In each round, we dynamically manipulate network flows in the control networks so that randomly selected “online” devices respond with real measurements. Meanwhile, we intelligently spoof measurements for other “offline” devices to mislead attackers into designing ineffective strategies. Based on experiments using large-scale power systems and six real wide area networks, Raincoat is effective against false data injection and control-related attacks with small overhead. The probability of successful attacks can be reduced from 70% to 1%; attacks introduce little damage even if they are executed. Network latency of data acquisition increases on average by less than 6%.
Conference Paper
Industrial control system networks in real world usually require a complex composition of many different devices, protocols, and services. Unfortunately, such practical setups are rarely documented publicly in sufficient technical detail to allow third parties to use the system as reference for their research. As a result, security researchers often have to work with abstract and simplified system assumptions, which might not translate well to practice. In this work, we provide a comprehensive overview of the network services provided by industrial devices found in the EPIC (Electric Power and Intelligent Control) system at SUTD. We provide a detailed network topology of the different network segments, enumerate hosts, models, protocols, and services provided. We argue that such a detailed system description can serve as an enabler for more practical security research. In particular, we discuss how the reported information can be used for emulating a diverse set of important threat scenarios in the smart grid domain. In addition, the provided details allow other researchers to build more detailed models or simulations.
Conference Paper
For industrial control systems, ensuring the software integrity of their devices is a key security requirement. A pure software-based attestation solution is highly desirable for protecting legacy field devices that lack hardware root of trust (e.g., Trusted Platform Module). However, for the large population of field devices with ARM processors, existing software-based attestation schemes either incur long attestation time or are insecure. In this paper, we design a novel memory stride technique that significantly reduces the attestation time while remaining secure against known attacks and their advanced variants on ARM platform. We analyze the scheme's security and performance based on the formal framework proposed by Armknecht et al. [7] (with a necessary change to ensure its applicability in practical settings). We also implement memory stride on two models of real-world power grid devices that are widely deployed today, and demonstrate its superior performance.
Electrical substations play a crucial role in power grids. A number of international standards, such as IEC 60870 and 61850, have emerged to modernize substations for efficient and timely control. However, owing to insufficient security consideration and implementation, the digitization of a large number of connected substations could dramatically increase the scale of damage on power grids caused by cyber attacks. In this paper, we discuss the practical design, implementation, and deployment of active command mediation defense (A*CMD), a distributed cybersecurity solution to counter attacks injecting malicious remote control commands. A*CMD takes advantage of artificial command-delaying to realize an additional layer of security for each substation in an autonomous, decentralized manner. In particular, for grid operators to make appropriate delay configuration, the procedure to find tolerable delay for a power grid model of interest is formulated and demonstrated with multiple power grid models of different sizes. We further show practical deployment options of A*CMD along with proof-of-concept implementations, whose performance and stability are evaluated with a software-based smart-grid testbed.
Conference Paper
In this work, we address the problem of designing and implementing honeypots for Industrial Control Systems (ICS). Honeypots are vulnerable systems that are set up with the intent to be probed and compromised by attackers. Analysis of those attacks then allows the defender to learn about novel attacks and general strategy of the attacker. Honeypots for ICS systems need to satisfy both traditional ICT requirements, such as cost and maintainability, and more specific ICS requirements, such as time and determinism. We propose the design of a virtual, high-interaction and server-based ICS honeypot to satisfy the requirements, and the deployment of a realistic, cost-effective, and maintainable ICS honeypot. An attacker model is introduced to complete the problem statement and requirements. Based on our design and the MiniCPS framework, we implemented a honeypot mimicking a water treatment testbed. To the best of our knowledge, the presented honeypot implementation is the first academic work targeting Ethernet/IP based ICS honeypots, the first ICS virtual honeypot that is high-interactive without the use of full virtualization technologies (such as a network of virtual machines), and the first ICS honeypot that can be managed with a Software-Defined Network (SDN) controller.
Conference Paper
Today, large numbers of smart interconnected devices provide safety and security critical services for energy grids, industrial control systems, gas and oil search robots, home/office automation, transportation, and critical infrastructure. These devices often operate in swarms -- large, dynamic, and self-organizing networks. Software integrity verification of device swarms is necessary to ensure their correct and safe operation as well as to protect them against attacks. However, current device attestation schemes assume a single prover device and do not scale to swarms. We present SEDA, the first attestation scheme for device swarms. We introduce a formal security model for swarm attestation and show security of our approach in this model. We demonstrate two proof-of-concept implementations based on two recent (remote) attestation architectures for embedded systems, including an Intel research platform. We assess performance of SEDA based on these implementations and simulations of large swarms. SEDA can efficiently attest swarms with dynamic and static topologies common in automotive, avionic, industrial control and critical infrastructures settings.
Conference Paper
Supervisory control and data acquisition (SCADA) systems that run our critical infrastructure are increasingly run with Internet-based protocols and devices for remote monitoring. The embedded nature of the components involved, and the legacy aspects, make adding new security mechanisms in an efficient manner far from trivial. In this paper we study an anomaly detection based approach that enables detecting zero-day malicious threats as well as benign misconfigurations and mishaps. The approach builds on an existing platform (Bro) that lends itself to modular addition of new protocol parsers and event handling mechanisms. As an example we have shown an application of the technique to the IEC-60870-5-104 protocol and tested the anomaly detector with mixed results. The detection accuracy and false positive rate, as well as real-time response, were adequate for 3 of our 4 created attacks. We also discovered some additional work that needs to be done on an existing protocol parser to extend its reach.
Conference Paper
Smart grids consist of suppliers, consumers, and other parts. The main suppliers are normally supervised by industrial control systems. These systems rely on programmable logic controllers (PLCs) to control industrial processes and communicate with the supervisory system. Until recently, industrial operators relied on the assumption that these PLCs are isolated from the online world and hence cannot be the target of attacks. Recent events, such as the infamous Stuxnet attack [15] directed the attention of the security and control system community to the vulnerabilities of control system elements, such as PLCs. In this paper, we design and implement the Crysys PLC honeypot (CryPLH) system to detect targeted attacks against industrial control systems. This PLC honeypot can be implemented as part of a larger security monitoring system. Our honeypot implementation improves upon existing solutions in several aspects: most importantly in level of interaction and ease of configuration. Results of an evaluation show that our honeypot is largely indistinguishable from a real device from the attacker’s perspective. As a collateral of our analysis, we were able to identify some security issues in the real PLC device we tested and implemented specific firewall rules to protect the device from targeted attacks.
Conference Paper
Current SCADA honeypot technologies present attackers with static or pseudo-random data, and are unlikely to entice attackers to use high value or zero-day attacks. This chapter presents a symbolic cyberphysical honeynet framework that addresses the problem, enhances the screening and coalescence of attack events for analysis, provides attack introspection down to the physics level of a SCADA system and enables forensic replays of attacks. The work extends honeynet methodologies with integrated physics simulation and anomaly detection utilizing a symbolic data flow model of system physics. Attacks that trigger anomalies in the physics of a system are captured and organized via a coalescing algorithm for efficient analysis. Experimental results are presented to demonstrate the effectiveness of the approach.
Supervisory Control and Data Acquisition (SCADA) systems play a crucial role in national critical infrastructures, and any failure may result in severe damage. Initially SCADA networks were separated from other networks and used proprietary communication protocols that were well known only to the device manufacturers. At that time such isolation and obscurity ensured an acceptable security level. Nowadays, modern SCADA systems usually have direct or indirect Internet connection and use open protocols and commercial-off-the-shelf hardware and software. This trend is also noticeable in the power industry. Present substation automation systems (SASs) go beyond traditional SCADA and employ many solutions derived from Information and Communications Technology (ICT). As a result, electric power substations have become more vulnerable to cybersecurity attacks and require the adaptation of ICT security mechanisms. This paper presents a SCADA honeypot that allows detecting unauthorized or illicit traffic in an SAS whose communication architecture is defined according to the IEC 61850 standard.
Conference Paper
When SCADA systems are exposed to public networks, attackers can more easily penetrate the control systems that operate electrical power grids, water plants, and other critical infrastructures. To detect such attacks, SCADA systems require an intrusion detection technique that can understand the information carried by their usually proprietary network protocols. To achieve that goal, we propose to attach to SCADA systems a specification-based intrusion detection framework based on Bro [7][8], a runtime network traffic analyzer. We have built a parser in Bro to support DNP3, a network protocol widely used in SCADA systems that operate electrical power grids. This built-in parser provides a clear view of all network events related to SCADA systems. Consequently, security policies to analyze SCADA-specific semantics related to the network events can be accurately defined. As a proof of concept, we specify a protocol validation policy to verify that the semantics of the data extracted from network packets conform to protocol definitions. We performed an experimental evaluation to study the processing capabilities of the proposed intrusion detection framework.
Conference Paper
A new standard defining protocols, called IEC 61850, has been evolving since 1997. This standard enables several industrial benefits when using an Ethernet network, such as high-speed device-to-device communications (i.e. peer-to-peer communication of both digital and analog values) within cycles and between different vendors, high-speed processing of analog signals, and a common database naming format and structure. This paper reviews the fundamentals of the IEC 61850 protocol including network requirements. It also discusses three practical applications of the IEC 61850 protocol: a zone interlocking protection scheme, a main-tie-main bus transfer scheme and a load shedding scheme. The bus zone interlocking scheme is an efficient application of IEC 61850 GOOSE messaging. In this scheme, the main relay uses a definite time overcurrent element and the feeder relay uses a time overcurrent element. The main relay is selectively allowed to trip or block depending on the location of faults as identified from feeder relays. Main-tie-main bus transfer is a common application in industrial facilities, and voltage main-tie-main bus transfer is a very common transfer scheme within them. Main-tie-main automatic bus transfer can be applied using two protective relays and IEC 61850 GOOSE messaging. A fast load shedding (FLS) scheme rapidly sheds load in a large industrial facility in response to loss of one or more incoming sources in order to avoid complete system collapse while maintaining supply to as much of the process as practical. Unlike undervoltage, underfrequency, or rate-of-frequency-decay load shedding schemes, the fast load shedding scheme can initiate load shedding before the system frequency/voltage declines, which in many cases is essential for maintaining system stability. The fast load shed scheme uses IEC 61850 GOOSE communications to collect load and incoming source power information from a very large number of end units at very high speed.
We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device's known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device's system time is maintained via NTP or SNTP. One can use our techniques to obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.