TY - GEN
T1 - Semantic security analysis of SCADA networks to detect malicious control commands in power grids
AU - Lin, Hui
AU - Slagell, Adam
AU - Kalbarczyk, Zbigniew
AU - Sauer, Peter W.
AU - Iyer, Ravishankar K.
PY - 2013/12/9
Y1 - 2013/12/9
N2 - In the current generation of SCADA (Supervisory Control And Data Acquisition) systems used in power grids, a sophisticated attacker can exploit system vulnerabilities and use a legitimate but maliciously crafted command to cause a wide range of system changes that traditional contingency analysis does not consider and remedial action schemes cannot handle. To detect such malicious commands, we propose a semantic analysis framework based on a distributed network of intrusion detection systems (IDSes). The framework combines system knowledge of both the cyber and the physical infrastructure of the power grid to help the IDSes estimate the execution consequences of control commands and thus reveal the attacker's malicious intentions. We evaluated the approach on the IEEE 30-bus system. Our experiments demonstrate that: (i) by opening 3 transmission lines, an attacker can avoid detection by traditional contingency analysis and instantly put the tested 30-bus system into an insecure state, and (ii) the semantic analysis provides reliable detection of malicious commands with a small amount of analysis time.
KW - contingency analysis
KW - intrusion detection system
KW - scada
KW - semantic analysis
UR - http://www.scopus.com/inward/record.url?scp=84889055399&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84889055399&partnerID=8YFLogxK
U2 - 10.1145/2516930.2516947
DO - 10.1145/2516930.2516947
M3 - Conference contribution
AN - SCOPUS:84889055399
SN - 9781450324922
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 29
EP - 34
BT - SEGS 2013 - Proceedings of the 2013 ACM Workshop on Smart Energy Grid Security, Co-located with CCS 2013
T2 - 2013 1st ACM Workshop on Smart Energy Grid Security, SEGS 2013, Held in Conjunction with the 20th ACM Conference on Computer and Communications Security, CCS 2013
Y2 - 8 November 2013 through 8 November 2013
ER -