Abstract

In this paper, we analyze control-related attacks in supervisory control and data acquisition systems for power grids. This class of attacks introduces a serious threat to power systems, because attackers can directly change the system's physical configuration using malicious control commands crafted in a legitimate format. To detect such attacks, we propose a semantic analysis framework that integrates network intrusion detection systems with a power flow analysis capable of estimating the execution consequences of control commands. To balance detection accuracy and latency, the parameters of the power flow analysis algorithm are dynamically adapted according to real-time system dynamics. Our experiments on IEEE 24-bus, 30-bus, and 39-bus systems and a 2736-bus system demonstrate that by opening three transmission lines, an attacker can put the tested system into an insecure state, and the semantic analysis can complete detection in 200 ms for the large-scale 2736-bus system with about 0.78% false positives and 0.01% false negatives, which allow for timely responses to intrusions.

Original languageEnglish (US)
Pages (from-to)163-178
Number of pages16
JournalIEEE Transactions on Smart Grid
Volume9
Issue number1
DOIs
StatePublished - Jan 2018

Fingerprint

Semantics
SCADA systems
Intrusion detection
Real time systems
Electric lines
Experiments

Keywords

  • Adaptive power flow analysis
  • Bro
  • Intrusion detection system
  • Semantic analysis
  • Supervisory control and data acquisition (SCADA)

ASJC Scopus subject areas

  • Computer Science(all)

Cite this

@article{1c7016cb5541443e82eeb98a4d70e844,
title = "Runtime semantic security analysis to detect and mitigate control-related attacks in power grids",
abstract = "In this paper, we analyze control-related attacks in supervisory control and data acquisition systems for power grids. This class of attacks introduces a serious threat to power systems, because attackers can directly change the system's physical configuration using malicious control commands crafted in a legitimate format. To detect such attacks, we propose a semantic analysis framework that integrates network intrusion detection systems with a power flow analysis capable of estimating the execution consequences of control commands. To balance detection accuracy and latency, the parameters of the power flow analysis algorithm are dynamically adapted according to real-time system dynamics. Our experiments on IEEE 24-bus, 30-bus, and 39-bus systems and a 2736-bus system demonstrate that by opening three transmission lines, an attacker can put the tested system into an insecure state, and the semantic analysis can complete detection in 200 ms for the large-scale 2736-bus system with about 0.78{\%} false positives and 0.01{\%} false negatives, which allow for timely responses to intrusions.",
keywords = "Adaptive power flow analysis, Bro, Intrusion detection system, Semantic analysis, Supervisory control and data acquisition (SCADA)",
author = "Hui Lin and Slagell, {Adam J} and Kalbarczyk, {Zbigniew T} and Sauer, {Peter W} and Iyer, {Ravishankar K}",
year = "2018",
month = "1",
doi = "10.1109/TSG.2016.2547742",
language = "English (US)",
volume = "9",
pages = "163--178",
journal = "IEEE Transactions on Smart Grid",
issn = "1949-3053",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "1",

}

TY - JOUR

T1 - Runtime semantic security analysis to detect and mitigate control-related attacks in power grids

AU - Lin, Hui

AU - Slagell, Adam J

AU - Kalbarczyk, Zbigniew T

AU - Sauer, Peter W

AU - Iyer, Ravishankar K

PY - 2018/1

Y1 - 2018/1

N2 - In this paper, we analyze control-related attacks in supervisory control and data acquisition systems for power grids. This class of attacks introduces a serious threat to power systems, because attackers can directly change the system's physical configuration using malicious control commands crafted in a legitimate format. To detect such attacks, we propose a semantic analysis framework that integrates network intrusion detection systems with a power flow analysis capable of estimating the execution consequences of control commands. To balance detection accuracy and latency, the parameters of the power flow analysis algorithm are dynamically adapted according to real-time system dynamics. Our experiments on IEEE 24-bus, 30-bus, and 39-bus systems and a 2736-bus system demonstrate that by opening three transmission lines, an attacker can put the tested system into an insecure state, and the semantic analysis can complete detection in 200 ms for the large-scale 2736-bus system with about 0.78% false positives and 0.01% false negatives, which allow for timely responses to intrusions.

AB - In this paper, we analyze control-related attacks in supervisory control and data acquisition systems for power grids. This class of attacks introduces a serious threat to power systems, because attackers can directly change the system's physical configuration using malicious control commands crafted in a legitimate format. To detect such attacks, we propose a semantic analysis framework that integrates network intrusion detection systems with a power flow analysis capable of estimating the execution consequences of control commands. To balance detection accuracy and latency, the parameters of the power flow analysis algorithm are dynamically adapted according to real-time system dynamics. Our experiments on IEEE 24-bus, 30-bus, and 39-bus systems and a 2736-bus system demonstrate that by opening three transmission lines, an attacker can put the tested system into an insecure state, and the semantic analysis can complete detection in 200 ms for the large-scale 2736-bus system with about 0.78% false positives and 0.01% false negatives, which allow for timely responses to intrusions.

KW - Adaptive power flow analysis

KW - Bro

KW - Intrusion detection system

KW - Semantic analysis

KW - Supervisory control and data acquisition (SCADA)

UR - http://www.scopus.com/inward/record.url?scp=85042011782&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85042011782&partnerID=8YFLogxK

U2 - 10.1109/TSG.2016.2547742

DO - 10.1109/TSG.2016.2547742

M3 - Article

AN - SCOPUS:85042011782

VL - 9

SP - 163

EP - 178

JO - IEEE Transactions on Smart Grid

JF - IEEE Transactions on Smart Grid

SN - 1949-3053

IS - 1

ER -