Testbed-based Evaluation of SIEM Tool for Cyber Kill Chain Model in Power Grid SCADA System

Singh, Vivek Kumar; Callupe, Steven Perez; Manimaran, G.

doi:10.1109/naps46351.2019.9000344

Cited by 13 publications

(14 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although the centralized IDS is developed pertinent to the energy management system (EMS) applications like state estimation, automatic generation controller (AGC), etc., the multi-agents-based distributed IDS is also proposed in [12] to avoid a single point of failure while detecting anomalies in the decentralized protection scheme. Apart from the anomaly-based IDSs, several signature-based IDSs [13]- [16] are also proposed that perform deep packet inspection on the SCADA and synchrophasor communication protocols to detect cyber intrusions in real-time. Further, in [14], the authors show how two open-source IDS tools-Snort and BRO, can be utilized in detecting a data integrity attack using the timing information of two consecutive network packets and compared their performances in terms of accuracy and latency rates.…”

Section: Related Workmentioning

confidence: 99%

“…Several tools, tactics, and procedures (TTP) can be utilized in a sequence of steps as per the attack mechanism to perform successful stealthy cyber-attacks. The model consists of various processes or stages that are elaborated here, as discussed in [13]. 1.…”

Section: Cyber Kill Chain Mapping With Hidsmentioning

confidence: 99%

“…In this table, rule 1 and rule 2 belong to the reconnaissance (stage 1), rule 3 belongs to the access (stage 2), and rule 4 belongs to the launch stage (stage3). Note that we have utilized the Snort IDS tool to analyze the SCADA traffic through network interfaces and later develop these rules as discussed in [13].…”

Section: Signature-based Ids Componentmentioning

confidence: 99%

See 2 more Smart Citations

Cyber Kill Chain-Based Hybrid Intrusion Detection System for Smart Grid

Singh

Manimaran

2020

Power Systems

Self Cite

View full text Add to dashboard Cite

Today's electric power grid is a complex, automated, and interconnected cyber-physical system (CPS) that relies on supervisory control and data acquisition (SCADA)-based communication infrastructure for operating wide-area monitoring, protection, and control (WAMPAC) applications. With a push towards making the grid smarter, the critical SCADA infrastructure like power system is getting exposed to countless cyberattacks that necessitate the development of state-of-the-art intrusion detection systems (IDS) to provide comprehensive security solutions at different layers in the smart grid network. While considering the continuously evolving attack surfaces at physical, communication, and application layers, existing conventional IDS solutions are insufficient and incapable to resolve multi-dimensional cybersecurity threats because of their specific nature of the operation, either a data-centric or protocol-centric, to detect specific types of attacks. This chapter presents a hybrid intrusion detection system framework by integrating a network-based IDS, model-based IDS, and state-of-the-art machine learning-based IDS to detect unknown and stealthy cyberattacks targeting the SCADA networks. We have applied the cyber-kill model to develop and demonstrate attack vectors and their associated mechanisms. The hybrid IDS utilizes attack signatures in grid measurements and network packets as well as leverages secure phasor measurements to detect different stages of cyber-attacks while following the kill-chain process. As a proof of concept, we present the experimental case study in the context of centralized wide-area protection (CWAP) cybersecurity by utilizing resources of the PowerCyber testbed at Iowa State University (ISU). We also describe different classes of implemented cyber-attacks and generated heterogeneous datasets using the IEEE 39 bus system. Finally, the performance of the hybrid IDS is evaluated based in terms of detection rate in real-time cyber-physical environment.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Cyber Kill Chain Mapping With Hidsmentioning

confidence: 99%

See 1 more Smart Citation

Cyber Kill Chain-Based Hybrid Intrusion Detection System for Smart Grid

Singh

Manimaran

2020

Power Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…Detection (Defense) Module: It includes state-of-the-art detection and defense solutions, such as rule, model, and machine learning-based anomaly detection systems (ADSs), moving target defense (MTD), etc., as developed in earlier research efforts [41], [42], [44], which can be utilized to test, validate, and evaluate system performances with a detailed network analysis in this federated testbed environment.…”

Section: Discussionmentioning

confidence: 99%

“…1. IT-Based Attacks: IT-based attacks include traditional host and network-based attacksincluding scanning attacks (e.g., ping and Network Mapper (NMAP) scanning), DoS attacks, and spoofing attacks (e.g., IP spoofing, ARP poisoning)-that can be deployed in the SCADA environment to develop a blueprint of the network architecture and compromise power system devices [41].…”

Section: Cyber Eventsmentioning

confidence: 99%