A Case Study in Power Substation Network Dynamics

FormbyDavid,; WalidAnwar,; BeyahRaheem,

doi:10.1145/3084456

Cited by 14 publications

(10 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The datasets shown in the paper were taken from four medium-voltage distribution substations non-consecutively over the course of two-and-a-half years. Formby, et al [20], also investigated TCP characteristics based on the real traffic captured from real power grid networks. Their observations mainly focused on the TCP behaviors of the DNP3 devices that could be distinguished from those in the traditional network.…”

Section: Traffic Characterizationmentioning

confidence: 99%

“…In this study, we focused on possible attacks by interlopers able to manipulate the function codes of the message. We generated DNP3 application traffic, and formulated various datasets that reflected the traffic characteristics of DNP3 application messages, which were observed in real-life substations for a long time period [19][20][21]. Based on the datasets generated in this way, we used the occurrences of each function code per TCP connection as input features.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Anomaly Detection for SCADA System Security Based on Unsupervised Learning and Function Codes Analysis in the DNP3 Protocol

Altaha

Hong

2022

Electronics

View full text Add to dashboard Cite

An Intrusion Detection System (IDS) is a tool used primarily for security monitoring, which is one of the security strategies for Supervisory Control and Data Acquisition (SCADA) systems. Distributed Network Protocol version 3 (DNP3) is the predominant SCADA protocol in the energy sector. In this paper, we have developed an effective and flexible IDS for DNP3 networks, observing that most critical operations in DNP3 systems are utilized based on the function codes in DNP3 application messages, and that exploitation of those function codes enables attackers to manipulate the system operation. Our proposed anomaly-detection method deals with possible attacks that can bypass any rule-based deep packet inspection once attackers take over servers in the system. First, we generated datasets that reflected DNP3 traffic characteristics observed in real-world power grid substations for a reasonably long time. Next, we extracted input features that consisted of the occurrences of function codes per TCP connection, along with TCP characteristics. We then used an unsupervised deep learning model (Autoencoder) to learn the normal behavior of DNP3 traffic based on function code patterns. We called our approach FC-AE-IDS (Function Code Autoencoder IDS). The evaluation of the proposed method was carried out on three different datasets, to prove its accuracy and effectiveness. To evaluate the effectiveness of our proposed method, we performed various experiments that resulted in more than 95% detection accuracy for all considered attack scenarios that are mentioned in this study. We compared our approach to an IDS that is based on traditional features, to show the effectiveness of our approach.

show abstract

Section: Traffic Characterizationmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Anomaly Detection for SCADA System Security Based on Unsupervised Learning and Function Codes Analysis in the DNP3 Protocol

Altaha

Hong

2022

Electronics

View full text Add to dashboard Cite

show abstract

“…In addition to this, research was published in 2014 that provided a high-level look at power substation traffic [21]. Then in 2017, an in-depth study was published that provided a more detailed characterization [15] of behavior across multiple substations and discussed methods to improve TCP for ICS networks.…”

Section: Related Workmentioning

confidence: 99%

If I Knew Then What I Know Now

Irvene

Shekari

Formby

et al. 2019

Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop

Self Cite

View full text Add to dashboard Cite

In the modern world, the reliable and continuous operation of cyberphysical systems (CPSs) have become increasingly crucial factors of our daily life. As a result, the networking protocols of CPSs have been developed to achieve availability without serious consideration for security. Security flaws in these protocols could lead to system misconfigurations or malicious network penetrations which would severely impact the operation of critical infrastructure and control devices on a CPS network. To combat this some researchers have made efforts to design effective intrusion detection and prevention systems (IDSs/IPSs) for providing security in CPS networks. Most of the past and ongoing work in this space explores security from virtual testbeds or simulated systems, many of which make simplifying assumptions. These artificial platforms generally rely on the expectation that CPS networks are behaviorally very similar to traditional information technology (IT) networks and this does not always hold true in practice. In this paper, we investigate and discuss the feasibility and efficacy of previously proposed DNP3 application layer attacks and their mitigation techniques on network traffic captured from four real-world power grid substations. Based on this and a traffic characterization of the captured data we suggest a set of lightweight, but effective mechanisms to help enhance the security of power substations utilizing the DNP3 protocol. This work primarily focuses on DNP3 since it is the most widely used protocol in power substations which form the backbone of the electricity grid. CCS CONCEPTS• Networks → Cyber-physical networks; Network measurement; • Security and privacy → Intrusion detection systems; Network security; • Computer systems organization → Embedded and cyber-physical systems.

show abstract

“…Kleinman and Wool also applied the DFA approach to S7 protocol [12]. In 2017, Formby et al [9] characterized the power grid traffic. This work focused on DNP3 protocol and examined some common assumptions about the SCADA network such as stable traffic volume, regularity of DNP3 poll time, and long availability of SCADA devices.…”

Section: Related Workmentioning

confidence: 99%

Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks

Lin

Nadjm‐Tehrani

2018

Proceedings of the 4th ACM Workshop on Cyber-Physical System Security

View full text Add to dashboard Cite

The IEC-60870-5-104 (IEC-104) protocol is commonly used in Supervisory Control and Data Acquisition (SCADA) networks to operate critical infrastructures, such as power stations. As the importance of SCADA security is growing, characterization and modeling of SCADA traffic for developing defense mechanisms based on the regularity of the polling mechanism used in SCADA systems has been studied, whereas the characterization of traffic caused by nonpolling mechanisms, such as spontaneous events, has not been well-studied. This paper provides a first look at how the traffic flowing between SCADA components changes over time. It proposes a method built upon Probabilistic Suffix Tree (PST) to discover the underlying timing patterns of spontaneous events. In 11 out of 14 tested data sequences, we see evidence of existence of underlying patterns. Next, the prediction capability of the approach, useful for devising anomaly detection mechanisms, is studied. While some data patterns enable an 80% prediction possibility, more work is needed to tune the method for higher accuracy.

show abstract

A Case Study in Power Substation Network Dynamics

Cited by 14 publications

References 16 publications

Anomaly Detection for SCADA System Security Based on Unsupervised Learning and Function Codes Analysis in the DNP3 Protocol

Anomaly Detection for SCADA System Security Based on Unsupervised Learning and Function Codes Analysis in the DNP3 Protocol

If I Knew Then What I Know Now

Understanding IEC-60870-5-104 Traffic Patterns in SCADA Networks

Contact Info

Product

Resources

About