An End-to-End Infrastructure for Cyber-Physical Intrusion Detection - - PowerPoint PPT Presentation



SLIDE 1

An End-to-End Infrastructure for Cyber-Physical Intrusion Detection

REINHARD GENTZ, MAHDI JAMEI, ANNA SCAGLIONE

ARIZONA STATE UNIVERSITY, USA

CREDC Workshop 2017


SLIDE 2

What is Cyber Physical Intrusion Detection

CPS – Cyber Physical System: in a CPS the cyber and the physical environment are connected

  • Attacks affect both environments
  • We should sense both environments for the best attack detection

CPS-IDS goes beyond the traditional monitoring solutions adopted in EDS operations. It requires new elements:

  • High resolution physical-sensing (PMUs)
  • Combined network traffic collection & filtering

Challenge: Big Data Problem


[Figure: Cyber and Physical System – System Physical Properties (Physical); Control & Monitoring (Cyber)]

SLIDE 3

Hierarchical Architecture

We propose hierarchical architecture:

  • Reduced CPS-IDS network load
  • More resilient to network failures (outages, attacks)
  • Distributed computational load (scalability)
  • Prioritize important messages (attacks!) over status messages


Do as much of the processing locally and only ship what is necessary

[Figure: hierarchical architecture – μPMU and DSCADA data sources feed a Stage 1 Server, Stage 1 Servers feed a Stage 2 Server, which feeds the Central Server for the grid]

SLIDE 4

Stage I (Local Processor)

  • Gather local data: PMUs produce large quantities of precise data
  • Analyze it and, based on the result:
    • Prioritize the message
    • Reduce the message size

[Figure: a uPMU with a BBB attached. Sensor Data → Data Analytics → Hi Prio Queue / Low Prio Queue → Message; the analytics decide the queue. Local rules, e.g.: validity of I = Y V; power quality limits]
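The Stage I flow above, as an added example that is not code from the original slides or the authors: a small local-analytics module that applies the two local rules (validity of I = Y V and a power-quality voltage limit) to constructed μPMU phasors, decides the queue, and shrinks normal samples into a short status message. The admittance Y, the nominal voltage, the limits and the samples are all assumed values.

```python
import cmath

# Constructed parameters for one feeder segment (assumed values, not from the slides):
Y = complex(0.05, -0.2)   # assumed line admittance, siemens
V_NOMINAL = 7200.0        # assumed nominal phase voltage, volts
SAG_LIMIT = 0.90          # assumed power-quality limit: alarm below 90 % of nominal
KCL_TOL = 0.02            # assumed relative tolerance for the I = Y V check


def validity_ok(v, i, tol=KCL_TOL):
    """Local rule 1: the measured current must match Y*V within tolerance.
    A mismatch means bad or tampered phasor data and is worth an alarm."""
    return abs(i - Y * v) <= tol * max(abs(i), 1e-9)


def power_quality_ok(v, limit=SAG_LIMIT):
    """Local rule 2: the voltage magnitude stays above the sag limit."""
    return abs(v) / V_NOMINAL >= limit


def classify(sample):
    """Decide the queue for one phasor sample.
    Alarms go to the high-priority queue with the full phasors kept;
    normal samples go to the low-priority queue as a reduced status message."""
    v, i = sample["v"], sample["i"]
    alarms = []
    if not validity_ok(v, i):
        alarms.append("validity")
    if not power_quality_ok(v):
        alarms.append("voltage_sag")
    if alarms:
        return "high", {"t": sample["t"], "src": sample["src"],
                        "alarms": alarms, "v": v, "i": i}
    return "low", {"t": sample["t"], "src": sample["src"],
                   "vmag": round(abs(v)), "status": "ok"}


def run_stage1(samples):
    """Feed samples through the local analytics and fill the two queues."""
    queues = {"high": [], "low": []}
    for s in samples:
        q, msg = classify(s)
        queues[q].append(msg)
    return queues


# Constructed μPMU samples: one healthy, one sagging, one whose current does
# not satisfy I = Y V (e.g. a corrupted measurement).
SAMPLES = [
    {"t": 0, "src": "uPMU 3", "v": cmath.rect(7200.0, 0.0), "i": Y * cmath.rect(7200.0, 0.0)},
    {"t": 1, "src": "uPMU 3", "v": cmath.rect(6000.0, 0.0), "i": Y * cmath.rect(6000.0, 0.0)},
    {"t": 2, "src": "uPMU 3", "v": cmath.rect(7200.0, 0.0), "i": complex(400.0, -1440.0)},
]

if __name__ == "__main__":
    for q, msgs in run_stage1(SAMPLES).items():
        print(q, msgs)
```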

SLIDE 5

Stage I (Local Processor)

The BBB minicomputer shields the sensor from the outside world

  • One minicomputer system to maintain – not one per sensor type
  • Independence from sensor vendor security updates

Modular design: the analytics systems are plug-in modules

  • Easy to update and replace
  • Analytics can be written by different programmers (only API knowledge needed)


SLIDE 6

Stage II

[Figure: Power Distribution Grid Cyber-Physical Security Architecture – local analytics and prioritization (BBB) at several points along the feeder and at the substation; publisher/subscriber messaging; database for search (Elasticsearch); database for archiving (Cassandra); aggregated analytics; frontend]

  • Aggregate data from multiple sensors and fuse it with static information (e.g. a reference model for the subnetwork)
  • Decrease false positives and false negatives; generate actionable alarms with low latency
  • Targeted request of input data with a publisher/subscriber model
  • The stage can be repeated for scaling and wide-area deployment

[Figure: Stage II messaging system – raw data and preprocessed analytics from downstream feed Analytics 1 … Analytics N; analytics results go to upstream]

SLIDE 7

Central Stage / Human Machine Interface

  • Archive the data & analytics results
  • Frontend to the user


Search for properties? Elasticsearch. Retrieve lots of raw data? Cassandra.

Different databases have different strengths

  • Especially for big data

SLIDE 8

Example Analytics – Localizing a Fault

Results found from data analysis, with priority for transmission:

  • BBB 1: No Alarm
  • BBB 2: No Alarm
  • BBB 3: Voltage Sag (threshold crossed)

Stage 2's view: No Alarm, No Alarm, Voltage Sag => Fault localized downstream of uPMU 3
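The Stage II fusion of slide 6 applied to the fault-localization example above, as an added illustration that is not the authors' code: the per-BBB verdicts are fused with a constructed feeder order standing in for the static reference model, and a simplified localization rule, assumed here purely for illustration, either names the segment or hands the pattern back for further validation (the question raised on the validation slides). The message format and the sensor order are assumptions.

```python
# Static reference model fused at Stage 2: uPMU order from the substation
# outward along a radial feeder. Constructed for this example, not from the slides.
FEEDER_ORDER = ["uPMU 1", "uPMU 2", "uPMU 3"]

# Constructed Stage-1 messages as they reach Stage 2; the alarm was sent first
# because it left the high-priority queue.
MESSAGES = [
    {"t": 100, "src": "uPMU 3", "prio": "high", "alarms": ["voltage_sag"]},
    {"t": 100, "src": "uPMU 1", "prio": "low", "status": "ok"},
    {"t": 100, "src": "uPMU 2", "prio": "low", "status": "ok"},
]


def stage2_view(msgs, order=FEEDER_ORDER):
    """Build Stage 2's view: one verdict per sensor, an alarm overriding a status.
    A sensor that sent nothing stays 'No Data' rather than being treated as clear."""
    view = {s: "No Data" for s in order}
    for m in msgs:
        if "voltage_sag" in m.get("alarms", []):
            view[m["src"]] = "Voltage Sag"
        elif view[m["src"]] == "No Data":
            view[m["src"]] = "No Alarm"
    return view


def localize_fault(view, order=FEEDER_ORDER):
    """Fuse the per-sensor verdicts with the feeder order.
    Rule assumed for illustration only: the fault lies downstream of the most
    upstream sensor that sees the sag, provided every sensor below it sees it
    too and every sensor above it reports No Alarm. Any other pattern (gaps,
    missing data) is returned for validation against the real grid model."""
    sagging = [s for s in order if view[s] == "Voltage Sag"]
    if not sagging:
        return None
    first = order.index(sagging[0])
    upstream_clear = all(view[s] == "No Alarm" for s in order[:first])
    if sagging != order[first:] or not upstream_clear:
        return "Inconsistent pattern: further validation needed"
    return f"Fault localized downstream of {sagging[0]}"


if __name__ == "__main__":
    view = stage2_view(MESSAGES)
    print(view)
    print(localize_fault(view))
```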

SLIDE 9

Thank you

Questions?

SLIDE 10

Stage II Validation

[Figure: measurement traces – Sensor 1 (2nd floor); Sensor 2 (Basement Server Rack)]

  • We see how the measurements are correlated

SLIDE 11

Stage II Validation

[Figure: Min/Max of Sensor 1 (2nd floor) and Min/Max of Sensor 2 (Basement Server Rack) – voltage dip in the whole building]

  • We see how the measurements are correlated

Question: Is this pattern possible with the specific electrical grid in place? => Further validation