Anomaly detection in substation networks

https://doi.org/10.1016/j.jisa.2020.102527

Abstract

Fundamental components of the distribution systems for electric energy are primary and secondary substation networks. Because these systems incorporate legacy communication infrastructure, they often have inherent cybersecurity vulnerabilities. Moreover, traditional intrusion defence strategies for IT systems are often not applicable. With the aim of improving cybersecurity in substation networks, in this paper we present two methods for monitoring SCADA systems: the first exploits neural networks, while the second is based on formal methods. To evaluate the effectiveness of the proposed methods, we conducted experiments on a real test bed representing the substation domain as close to real-world conditions as possible. From this test bed we collect data during normal operation and during situations where the system is under attack; to this end, several different types of attack are conducted. The data collected is used to test two versions of the monitoring system: one based on machine learning with a neural network and one using a model-checking approach. Moreover, the two proposed models are tested with new data to evaluate their performance. The experiments demonstrate that both methods obtain an accuracy greater than 90%. In particular, the methodology based on formal methods achieves better performance than the one based on neural networks.

Introduction

The implementation of smart grid concepts requires the integration of information and communication technologies into the systems for production, distribution, and consumption of electric energy. This makes cybersecurity a crucial new topic, given the growing number of potential attack points on the electricity distribution network that come with this integration. Local attacks are no longer confined to the point of entry but can spread across the whole network. In the past and in recent times, highly networked systems in critical infrastructures [1], especially those connected to the electrical power system [2], have been hit by cyberattacks. Many real-world attacks are described in the reports of the US ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Such infrastructures are rewarding targets for groups with criminal or terrorist intentions [3]. As a confirmation, several well-known pieces of malware have succeeded against SCADA systems. Since Stuxnet was first observed, more and more malware targeting SCADA systems has appeared in the wild, much of it able to gather information and, worse, to take over control of the entire system [4].

Important components of electric energy distribution systems are primary and secondary substations. Within these substations, implementing the smart grid leads to a high degree of automation, which results in increased use of data processing technologies and hence opens up a large number of hitherto unknown security problems. Secondary substations in particular are hot spots for cybersecurity, as they are distributed all over the country in various unsupervised places. The main reason for this is the integration of modern communication technologies such as microprocessor-based intelligent electronic devices (IEDs), the use of standard protocols like TCP/IP and Ethernet, and connections to WANs via Internet technologies.

Remote access to IEDs or to the internal user interface of the communication infrastructure, for purposes of (remote) maintenance, is quite common nowadays. Using insecure standard protocols opens up a dangerous potential for attacks with serious consequences for the whole infrastructure. Until recently these secondary substations were not really exposed to attack, but now gateways are installed in all those little sheds. Common security solutions are typically limited to regulating access to the components as a whole (for instance firewalls, encryption and other forms of perimeter security); they are used in substations, too. But their effectiveness is limited in this application area because they were originally designed for conventional IT systems and are not suited to the special requirements of the hardware and software architectures of substations. Hence, they are not sufficient: we urgently need a second line of defence for when an attacker breaches this first line of perimeter security. Security solutions for substations are still at a preliminary stage, as argued in [5].

In this paper we propose two methodologies aimed at continuously monitoring the behaviour of the network. The first is based on machine learning, while the second makes use of model checking techniques. The rationale behind this paper is to evaluate the two approaches in the context of substation networks and to compare their performance in anomaly detection. For both methodologies, a model of the normal behaviour of the network traffic in a substation is constructed and then used during operation to detect anomalous behaviour.

The remainder of the paper is organised as follows. Section 2 gives an overview of related work. In Section 3 we describe the characteristics of substations. Section 4 describes the neural network based monitoring system, while Section 5 presents the approach based on formal methods. Section 6 compares and discusses the two approaches and, finally, Section 7 concludes the paper.

Section snippets

Related work

The security topics of SCADA-based automation networks in substations are discussed at a high level in several papers, for instance in [6], [7], [8], [9], [10], [11]. So far, mainly security measures known from conventional information and communication systems, such as Intrusion Detection and Prevention Systems (IDS and IPS), have been transferred to SCADA environments in electricity distribution systems. Below we discuss the state of the art in anomaly detection in this area by

Substation networks

The architecture of a substation consists of a local network connected to the (potentially insecure) outside WAN through a router; this router is usually secured by conventional means of perimeter security. The local network is subdivided into two parts: the guard net, containing the IEDs that safeguard the energy distribution network against electrical faults such as short circuits or ground faults; and the automation network, connecting the IEDs and the RTUs (remote terminal units) and providing

Anomaly detection using neural networks

In this section we describe the machine learning approach exploiting neural networks for anomaly detection in substation networks.

Anomaly detection using model checking techniques

In this section we present the second technique we propose for anomaly detection in substation networks. The idea is to give an abstract representation of the network communication (abstracting the communication profile for sending basic messages) as a network of timed automata. This technique is based on formal methods from logic and, in this section, we briefly recall some preliminaries about such methods. Subsequently we describe the designed method and present the results of the experimental
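The two passages above share one idea: a model of the normal traffic profile is built first and then checked against live traffic. As an added illustration (not code from the paper; the paper's automata, properties and tool are not reproduced on this page), the following Python models one master/IED poll-and-reply channel as a timed automaton with a single clock, transition guards and location invariants, composes such automata into a per-channel network monitor, and replays a constructed trace through it. It checks trace conformance directly rather than invoking a model checker, and the 5 s period, 0.5 s jitter, 0.5 s reply deadline, host names and message labels are assumptions chosen for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Transition:
    src: str
    label: str                        # message type that fires the transition
    guard: Callable[[float], bool]    # predicate on clock x (seconds since last reset)
    reset: bool                       # reset x when the transition fires
    dst: str


@dataclass(frozen=True)
class TimedAutomaton:
    initial: str
    transitions: Tuple[Transition, ...]
    invariant: Dict[str, float]       # location -> maximum seconds allowed in it


@dataclass
class Channel:
    """One automaton instance tracking one src/dst pair, with a single clock x."""
    ta: TimedAutomaton
    state: str
    last_reset: float = float("-inf")  # x = t - last_reset; -inf makes the first event free

    def step(self, t: float, label: str) -> List[str]:
        alerts: List[str] = []
        x = t - self.last_reset
        bound = self.ta.invariant.get(self.state)
        if bound is not None and x > bound:
            # Location invariant broken (e.g. the expected reply never came). Report it and
            # resynchronise from the initial location so one miss does not cascade into many alerts.
            alerts.append(f"t={t:.1f}: timeout, stayed {x:.1f}s in '{self.state}' (max {bound}s)")
            self.state, self.last_reset, x = self.ta.initial, t, 0.0
        candidates = [tr for tr in self.ta.transitions if tr.src == self.state and tr.label == label]
        if not candidates:
            alerts.append(f"t={t:.1f}: unexpected '{label}' in location '{self.state}'")
        elif not any(tr.guard(x) for tr in candidates):
            alerts.append(f"t={t:.1f}: '{label}' violates timing guard (x={x:.1f}s) in '{self.state}'")
        else:
            tr = next(tr for tr in candidates if tr.guard(x))
            if tr.reset:
                self.last_reset = t
            self.state = tr.dst
        return alerts


def poll_reply_profile(period: float, jitter: float, reply_deadline: float) -> TimedAutomaton:
    """Assumed normal profile: the master polls the IED every `period` s (+/- `jitter`),
    and every poll is answered within `reply_deadline` s."""
    return TimedAutomaton(
        initial="Start",
        transitions=(
            Transition("Start", "poll", lambda x: True, True, "WaitReply"),
            Transition("WaitReply", "reply", lambda x: x <= reply_deadline, False, "Idle"),
            Transition("Idle", "poll", lambda x: period - jitter <= x <= period + jitter, True, "WaitReply"),
        ),
        # x is reset on each poll, so both bounds are measured from the last poll
        invariant={"WaitReply": reply_deadline, "Idle": period + jitter},
    )


class NetworkMonitor:
    """Network of timed automata: one Channel per permitted (src, dst) pair.
    Traffic between hosts without a profile is itself reported as anomalous."""

    def __init__(self, profiles: Dict[FrozenSet[str], TimedAutomaton]):
        self.channels = {k: Channel(ta, ta.initial) for k, ta in profiles.items()}
        self.alerts: List[str] = []

    def observe(self, t: float, src: str, dst: str, label: str) -> None:
        ch = self.channels.get(frozenset((src, dst)))
        if ch is None:
            self.alerts.append(f"t={t:.1f}: no profile for {src}->{dst} ('{label}')")
        else:
            self.alerts.extend(ch.step(t, label))


# Constructed trace (not captured data): (time s, src, dst, message type).
# Three clean 5 s cycles, then an early poll, a command from an unknown host, and a lost reply.
TRACE = [
    (0.0, "RTU", "IED1", "poll"), (0.1, "IED1", "RTU", "reply"),
    (5.0, "RTU", "IED1", "poll"), (5.1, "IED1", "RTU", "reply"),
    (10.0, "RTU", "IED1", "poll"), (10.1, "IED1", "RTU", "reply"),
    (12.0, "RTU", "IED1", "poll"),                 # 2 s after the last poll: too early
    (13.0, "10.0.0.99", "IED1", "operate"),        # host that has no communication profile
    (15.0, "RTU", "IED1", "poll"),                 # legitimate poll, but its reply never arrives
    (20.0, "RTU", "IED1", "poll"), (20.1, "IED1", "RTU", "reply"),
]


def run_demo() -> List[str]:
    mon = NetworkMonitor({frozenset(("RTU", "IED1")): poll_reply_profile(5.0, 0.5, 0.5)})
    for t, src, dst, label in TRACE:
        mon.observe(t, src, dst, label)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Replaying the trace yields exactly three alerts: the early poll at t=12 (guard violation), the message from the unprofiled host at t=13, and the missing reply, which is only detectable when the next poll at t=20 finds the channel still in WaitReply past its invariant. Resynchronising from the initial location after a timeout is a design choice: without it the stale clock would make every later message look wrong. In practice the profile parameters would be derived from captured normal traffic, which is the step the abstract describes.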

Comparison between the two approaches and discussion

As shown by the experimental results on the same data, we obtained an average accuracy of 91% with the neural network based method, while the formal methods approach reached an average accuracy of 99%.

An interesting advantage of machine learning is that building the model does not require domain knowledge: this is one of the factors that led to the wide spread of machine learning techniques in both academic and scientific contexts. On the other side, formal methods

Conclusion and future work

To address security challenges in substations, we propose two methodologies, the first based on machine learning and the second on formal methods, for a monitoring system that serves as a second line of defence. To demonstrate the viability of anomaly detection in substation networks, all experiments were conducted on a test bed with substation components representing a realistic implementation as well as a real network environment.

In the machine learning approach, first

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

This research was funded by the Austrian Climate and Energy Fund, grant number 853660, and supported by our project partners Siemens AG Austria and Wels Strom GmbH.

References (53)

  • J. Hong et al., Cyber-physical security in a substation.
  • U. Premaratne et al., Security analysis and auditing of IEC61850-based automated substations, IEEE Trans Power Delivery (2010).
  • J. Zhang et al., A security scheme for intelligent substation communications considering realtime performance, J. Mod. Power Syst. Clean Energy (2019).
  • M.T.A. Rashid et al., A review of security attacks on IEC61850 substation automation system network.
  • P. Oman et al., Concerns about intrusions into remotely accessible substation controllers and SCADA systems.
  • D. Dzung et al., Security for industrial communication systems, Proc IEEE (2005).
  • Y. Kwon et al., Behavior analysis and anomaly detection for a digital substation on cyber-physical system, Electronics (Basel) (2019).
  • Y. Yang et al., Stateful intrusion detection for IEC 60870-5-104 SCADA security.
  • Y. Yang, K. McLaughlin, T. Littler, S. Sezer, H. Wang, Rule-based intrusion detection system for SCADA networks...
  • P. Dussel et al., Cyber-critical infrastructure protection using real-time payload-based anomaly detection.
  • H. Yoo et al., Novel approach for detecting network anomalies for substation automation based on IEC 61850, Multimed Tools Appl (2015).
  • D. Yang et al., Anomaly-based intrusion detection for SCADA systems.
  • U. Premaratne et al., Evidence theory based decision fusion for masquerade detection in IEC61850 automated substations.
  • C.-W. Ten et al., Anomaly detection for cybersecurity of the substations, IEEE Trans Smart Grid (2011).
  • R.R.R. Barbosa et al., Intrusion detection in SCADA networks.
  • A.F. Shosha et al., Detecting cyber intrusions in SCADA networks using multi-agent collaboration.
