RAINCOAT: Randomize Network Communication in Power Grid Cyber Infrastructure to Mislead Cyber Attackers - PowerPoint PPT Presentation

SLIDE 1

RAINCOAT: Randomize Network Communication in Power Grid Cyber Infrastructure to Mislead Cyber Attackers

Hui Lin, Zbigniew Kalbarczyk, Ravishankar Iyer

University of Illinois at Urbana-Champaign

SLIDE 2

UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS

Motivation

Detection relying on general-purpose security measures, e.g., firewalls or IDSs. Shortcomings:

  • Miss attacks that bypass barriers between corporate and control networks
  • Hard to eliminate false positives

Detection combining knowledge of cyber and physical infrastructures. Shortcomings:

  • Hard to avoid interruptions of normal operations
  • Difficult to integrate with responses mitigating a disruption of physical processes

Attack stages:

  • Preparation: study the physical process to decide on malicious operations
  • Penetration: establish a foothold in a control network
  • Execution: deliver malicious operations

SLIDE 3

Detecting Attacks at Preparation Stage

  • Attackers’ reconnaissance operations introduce little anomaly
  • Monitor measurements to prepare a strategy
    – Active monitoring: use legitimate requests to obtain measurements
    – Passive monitoring: observe measurements from existing data acquisitions

[Figure: control center (HMI) connected over an IP-based WAN/LAN to substations and field sites; edge network switches, RTUs and end devices, with hardwired connections to sensors/breakers]

SLIDE 4

Threat Model

  • In control networks, attackers can penetrate computing devices on any communication path that connects the control center and end devices
    – e.g., establish footholds in the HMI, an RTU, or laptops connected to the WAN
  • In the control center, we trust the integrity of the state estimation software
  • In substations, we assume that attackers cannot physically access end devices, sensors, and breakers
  • We trust the integrity of edge switches, which are used to manipulate network traffic to disrupt and mislead attacks

[Figure: control center (HMI) connected over an IP-based WAN/LAN to substations and field sites; edge network switches, RTUs and end devices, with hardwired connections to sensors/breakers]

SLIDE 5

What Do We Propose - Raincoat

  • RAINCOAT: randomize network communication in power grid cyber infrastructure to mislead cyber attackers
    – Disrupt attackers: increase unpredictability in networks
    – Mislead attackers: craft decoy measurements

[Figure: the same control center / substation architecture, with a decoy end device marked "Trap!"]

SLIDE 6

Normal Periodic Data Acquisition

  • SCADA master issues data acquisition requests to all end devices periodically
    – T ranges from 1 to 10 seconds (based on IEEE Std 1646)

[Figure: timing diagram; the SCADA master in the control center polls an end device in a substation through the edge switches once every period T]

SLIDE 7

Randomize Data Acquisition

  • Objective of Raincoat:
    – Obfuscate attackers with randomized device connectivity and the mix of real and spoofed data
    – Allow system operators to collect measurements from all devices with the same interval

[Figure: timing diagram of one acquisition period T between the SCADA master (control center), the edge switches and the end devices (substations):
  ① requests to all devices
  ② randomize requests
  ③ requests to online devices
  ④ responses with real data
  ⑤ responses with real and spoof data
  ⑥ responses with real and spoof data]

SLIDE 8

Implementation with SDN

  • SDN controller:
    – Randomize data acquisition requests
    – Spoof measurements on behalf of off-line devices
  • Small changes on the existing cyber-physical infrastructure

[Figure: the same timing diagram as on slide 7 (① requests to all devices, ② randomized requests, ③ requests to online devices, ④ responses with real data, ⑤ and ⑥ responses with real and spoof data)]

SLIDE 9

Craft Decoy Measurements to Mislead Attackers

  • Based on decoy measurements, adversaries will not design effective attack strategies
    – In false data injection attacks (FDIA), compromised measurements do not bypass the bad data detection in the state estimation
    – In control-related attacks (CRA), compromised control commands do not lead to physical damage

Table: preconditions and targets of the two attack types

FDIA
  Preconditions: C_kl, susceptance of all transmission lines
  Target: Q_k^H and Q_k^M of all substations; Q_kl of all transmission lines

CRA
  Preconditions: Q_k^H, R_k^H, Q_k^M, R_k^M (active/reactive power generation and consumption) of all substations; Q_kl, R_kl (active/reactive power flows) of all transmission lines
  Target: control commands that can disconnect transmission lines or substations in a power grid

SLIDE 10

Procedure to Craft Decoy Measurements

  • Step 1: set initial misleading values
    – Step 1.a: mislead FDIAs (false data injection attacks)
      • Decide the susceptance of all transmission lines
    – Step 1.b: mislead CRAs (control-related attacks)
      • Decide the power flows of transmission lines
  • Step 2: refine the values based on the physical model
    – Iteratively use the results/errors from state estimation to:
      • adjust the initial values
      • determine the remaining measurements

SLIDE 11

Step 1: Mislead Control-Related Attacks

  • Attack objective:
    – Use commands to disconnect multiple transmission lines to cause overloading of the remaining lines
  • Attack prerequisite:
    – Identify critical transmission lines, which deliver heavy power flows
  • Protection:
    – Craft decoy measurements such that attackers always target transmission lines that deliver light power flows

[Figure: three transmission lines A, B, C. Real measurements: A 100MW, B 5MW, C 10MW. Decoy measurements: A 5MW, B 100MW, C 10MW]

SLIDE 12

Step 2: Refine Measurements

  • Adjust measurements based on errors from state estimation
  • Repeat until errors become small enough
    – Bypass the bad data detection

[Figure: measurements on the three lines of slide 11. Real: 100MW 5MW 10MW; initial decoy: 5MW 100MW 10MW; refined decoy: 12MW 96MW 10MW]
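The two steps of slides 11 and 12, as an added worked example that is not from the slides or the RAINCOAT authors: a constructed 4-bus DC-model toy grid, a WLS state estimator with chi-square bad data detection standing in for the operator's check, a naive decoy set that swaps the heavy and light lines, and a refined set pulled onto the physical model with the misleading flows pinned. The grid topology, susceptances, measurement values, noise level and pinning weights are all assumptions made up for this example.

```python
# Constructed toy grid (not from the slides): bus 0 is the angle reference; line
# A=(0,1) has susceptance 100, lines B=(0,2), C=(1,3), D=(2,3) have 10 each.
# State x = (theta1, theta2, theta3); flow f->t = b*(theta_f - theta_t); a bus
# injection is the sum of flows leaving it. H maps x to the 8 measurements below.
NAMES = ["A", "B", "C", "D", "P0", "P1", "P2", "P3"]
H = [[-100, 0, 0], [0, -10, 0], [10, 0, -10], [0, 10, -10],        # line flows A..D
     [-100, -10, 0], [110, 0, -10], [0, 20, -10], [-10, -10, 20]]  # injections P0..P3
CHI2_99_DOF5 = 15.086  # chi-square 0.99 quantile, dof = 8 measurements - 3 states
# Real, noise-free measurements (MW) for theta = (-1, -0.5, -2); A is the heavy line.
REAL = dict(A=100.0, B=5.0, C=10.0, D=15.0, P0=105.0, P1=-90.0, P2=10.0, P3=-25.0)

def solve(M, v):  # Gauss-Jordan elimination with partial pivoting (small systems only)
    n, A = len(v), [row[:] + [v[i]] for i, row in enumerate(M)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[p] = A[p], A[c]
        for r in range(n):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    return [A[i][n] / A[i][i] for i in range(n)]

def wls_estimate(z, w):
    """Weighted least squares state estimate x = (H'WH)^-1 H'Wz with weights w."""
    n = len(H[0])
    M = [[sum(wi * hi[a] * hi[b] for wi, hi in zip(w, H)) for b in range(n)] for a in range(n)]
    return solve(M, [sum(wi * hi[a] * zi for wi, hi, zi in zip(w, H, z)) for a in range(n)])

def model_measurements(x):  # the 8 measurements implied by state x (model-consistent)
    return [sum(h * xi for h, xi in zip(row, x)) for row in H]

def bad_data_detected(zdict, sigma=1.0):
    """Operator-side BDD: J(x) = sum of squared normalised residuals vs chi-square."""
    z = [zdict[n] for n in NAMES]
    x = wls_estimate(z, [1 / sigma ** 2] * len(z))
    J = sum(((zi - mi) / sigma) ** 2 for zi, mi in zip(z, model_measurements(x)))
    return J > CHI2_99_DOF5

def naive_decoys(real):
    """Step 1 (slide 11): swap heavy line A with light line B, leave the rest untouched."""
    return {**real, "A": real["B"], "B": real["A"]}

def refine_decoys(target, pinned, pin_weight=100.0):
    """Step 2 (slide 12): project the decoy set onto the model. Pinned misleading flows
    get a high weight so they move little; the remaining values move as physics requires."""
    w = [pin_weight if n in pinned else 1.0 for n in NAMES]
    return dict(zip(NAMES, model_measurements(wls_estimate([target[n] for n in NAMES], w))))

def heaviest_line(z):  # the line an attacker ranking observed |flow| would target first
    return max("ABCD", key=lambda n: abs(z[n]))
```

With the constructed data the swapped set fails the chi-square test (it violates KCL at bus 1), while the refined set passes it with B still the heaviest observed line and A, B, C shifted only slightly (about 6MW, 94MW, 14MW), analogous to the 12MW/96MW/10MW shift on slide 12.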

SLIDE 13

Evaluation Setup

  • Use the GENI testbed (including SDN hardware switches) to construct control networks
    – Control center collects measurements or issues commands to end devices

[Figure: co-simulation loop]
  • Use Matpower to simulate power systems
  • Estimate state after a command is executed
  • Use power measurements to build network traffic
  • Execute (attack) command transmitted in real networks

SLIDE 14

Security Evaluation

  • Performed by numerical simulation in Matpower
    – IEEE 24-bus, 30-bus, RTS-96, 286-bus, 405-bus, and 1153-bus systems
  • Evaluation of control-related attacks
    – Issue malicious commands that disconnect transmission lines
    – Measure the probability of successful attacks
    – With Raincoat, the probability of successful attacks is reduced from 70% to 5% (for the 1153-bus system)
      • smaller than the probability observed in random attacks
  • Evaluation of false-data injection attacks
    – Compromise measurements
    – Measure the probability of successful attacks, which bypass the bad data detection
    – With Raincoat, all the evaluated attacks are detected

SLIDE 15

Evaluation of Control-Related Attacks

  • Implement malicious commands that disconnect multiple transmission lines; measure the probability of attacks that cause overloading of the remaining lines
    – Targeted attack
      • Attackers identify critical (e.g., heavily loaded) transmission lines
      • Randomly disconnect critical transmission lines
    – Raincoat
      • Attackers identify critical transmission lines from decoy measurements
      • Randomly disconnect false critical transmission lines
    – Random attack (baseline)
      • Attackers have no (or little) knowledge of the power system topology and state
      • Randomly disconnect transmission lines

SLIDE 16

Evaluation of Control-Related Attacks

RTS-96 (IEEE Reliability Test System, including 73 buses and 120 transmission lines)

  • Probability of successful attacks reduced from 90% (for targeted attacks) to below 20% (when using Raincoat)
    – less than for random attacks (attackers have no system knowledge)
  • The attack introduces little disturbance even if the malicious command is executed

SLIDE 17

Performance Evaluation

  • Performed in constructed control networks of six different topologies
  • Measure the communication delay caused by Raincoat:
    – Latency between edge switches and SDN controllers
    – Latency of SDN controllers constructing spoofed measurements

SLIDE 18

Performance Results

  • Raincoat introduces less than 6% overhead (on average) as compared with SDN Forward flow control mechanisms
  • When using Raincoat, the control network still meets the communication latency requirement (in IEEE Std 1646)

SLIDE 19

Conclusions

  • RAINCOAT: randomizes network communication in power grid cyber infrastructure to mislead cyber attackers
    – Randomize network connectivity of end devices
      • Disrupt adversaries’ knowledge to prepare attacks
      • Expose an attacker presence in the system
    – Craft decoy measurements
      • Mislead adversaries into designing ineffective attacks
  • Decoy measurements to mislead attackers into designing:
    – False data injection attacks that cannot pass the state estimation
    – Control-related attacks whose probability of generating physical damage is reduced to less than 5%

SLIDE 20

Future Direction

Integrated Intrusion Detection Framework for SCADA (based on Bro)

  • Network analyzer for SCADA protocols (DNP3)
  • Fast state estimation to detect and mitigate control-related attacks
  • Combine network monitoring with fast state estimation to predict the consequence of malicious commands

RAINCOAT, an SDN-based approach to randomize network communication in power grid cyber infrastructure to mislead attackers

  • Randomize (using SDN) the network connectivity of devices in substations to:
    – obfuscate the system state
    – mislead an attacker into designing ineffective attack strategies
    – expose an attacker presence in the system

[Figure: architecture of an SDN-enabled grid]

Research Goals

  • Experimental validation of the framework
    – use a cyber-physical co-simulation testbed
    – injection of faults and malicious attacks