2014 IEEE International Conference on Smart Grid Communications (SmartGridComm) 2014
DOI: 10.1109/smartgridcomm.2014.7007764

A hybrid network IDS for protective digital relays in the power transmission grid

Abstract: In this paper, we propose a novel use of network intrusion detection systems (NIDSs) tailored to detect attacks against networks that support hybrid controllers that implement power grid protection schemes. In our approach, we implement specification-based intrusion detection signatures based on the execution of the hybrid automata that specify the communication rules and physical limits that the system should obey. To validate our idea, we developed an experimental framework consisting of a simulation of the …

Cited by 27 publications
(25 citation statements)
References 12 publications
“…Specifically, our testbed enables the "re-creation" of common architectures of CPSs in order to conduct a series of experiments and test the efficiency of NIDS against cyber-physical attacks or anomalies. We note that details about the implementation and conceptual ideas of the NIDS used in this work, called "HC-NIDS," are presented elsewhere [11,22,18], and are beyond the scope of the work presented in this paper. We occasionally refer to this specific NIDS, because, based on the fact that disruptive cyber-physical attack-based experiments on simulation/emulation testbeds can lead to non-realistic results, it is the component responsible for detecting such types of attacks.…”
Section: Contributions (mentioning)
confidence: 99%
“…In real-time, we apply an intrusion detection system to the network traffic, and, in cases where it is required by the NIDS, we cross-check the observable traffic with the physical data reported to the data historian by the controllers. In this paper, we focus on the validation framework and extension of the emulation environment to include network taps, data management capabilities, and visualization, whereas the previously published work [11,22,18] discusses the derivation of effective NIDS rules. Finally, we show how our system could provide cyber-physical analytics to the operators that merge the view of the physical and cyberdomains and indicate anomalies of the CPS state.…”
Section: Contributions (mentioning)
confidence: 99%
“…12 A differential protection scheme compares the phase values at two points in the line, and a difference in the phase values implies a fault in the line. We used two relays connected to circuit breakers to measure the phase difference, which signifies an internal fault where the circuit breakers isolate the transmission line from the transmission system.…”
Section: Demonstration Scenarios (mentioning)
confidence: 99%