SPECIFICATION-BASED IDS FOR THE DNP3 PROTOCOL, NOVEMBER 12TH, 2014 (PowerPoint presentation)



SLIDE 1

ANNUAL INDUSTRY WORKSHOP, NOVEMBER 12-13, 2014
TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.ORG
UNIVERSITY OF ILLINOIS | DARTMOUTH COLLEGE | UC DAVIS | WASHINGTON STATE UNIVERSITY
FUNDING SUPPORT PROVIDED BY DOE-OE AND DHS S&T

SPECIFICATION-BASED IDS FOR THE DNP3 PROTOCOL
HUI LIN, UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN
NOVEMBER 12TH, 2014

SLIDE 7

PROBLEM DEFINITION

  • Threat model: control commands, if maliciously crafted, can directly change the system's physical state
  • Control-related attacks: a sophisticated attacker can exploit system vulnerabilities and use a few maliciously crafted commands to put the system into insecure electrical states

The slide shows the AC power-flow balance equations that tie a command to the resulting electrical state (rendered here with the standard symbols: P and Q are the active and reactive power at bus i, the superscripts g and l denote generation and load, V and θ are bus voltage magnitude and angle, and G and B are the real and imaginary parts of the bus admittance matrix):

$$P_i^{g} - P_i^{l} = \sum_{k} V_i V_k \left( G_{ik} \cos(\theta_i - \theta_k) + B_{ik} \sin(\theta_i - \theta_k) \right)$$

$$Q_i^{g} - Q_i^{l} = \sum_{k} V_i V_k \left( G_{ik} \sin(\theta_i - \theta_k) - B_{ik} \cos(\theta_i - \theta_k) \right)$$


SLIDE 9

WHY IS DETECTION A CHALLENGE?

  • Hard to detect based solely on the power system's electrical states
    – Traditional contingency analysis considers low-order incidents, i.e., the “N-1” contingency
    – Traditional state estimation is performed periodically, detecting attacks only after physical damage
    – Measurements may be compromised
  • Hard to detect based solely on network intrusion detection systems
    – Commands can be encoded in correct syntax
    – Not detectable by traditional network intrusion detection systems (IDS)

SLIDE 10

DETECTION DESIGN

  • Combine system knowledge of both cyber and physical infrastructure in the power grid
    – Integrate network monitoring with look-ahead power flow analysis
  • Detect malicious commands at their first appearance, instead of identifying the power system's physical damage after the fact

SLIDE 14

APPROACH: CYBER INFRASTRUCTURE

  • Adapt specification-based IDS for SCADA systems
    – Detect unexpected network activities based on predefined security specifications
  • Adapt Bro to support SCADA protocols
    – Develop DNP3 & Modbus analyzers in Bro's distribution
    – Collaborate with industry, i.e., Ameren, Abbot Lab
  • Use real network traffic from substations in Ameren to test the developed tools

(Diagram: Bro IDS for SCADA)
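As an added example (not code from the slides and not the Bro project's DNP3 analyzer), the Python below shows what a "predefined security specification" of the kind described here looks like when applied to DNP3 request headers, and why it catches what slide 9 says a syntax-only IDS misses: every fragment in the sample is well-formed DNP3, and the alerts come only from comparing the (master, outstation, function code) triple and the select/operate ordering against a whitelist. The device names (master-1, outstation-7, master-9), the policy in SPEC and the traffic in SAMPLE are constructed; the function codes and header layout are those of IEEE 1815.

```python
"""Added example, not the project's Bro analyzer: a minimal specification-based
check over DNP3 application-layer request headers. Function codes follow
IEEE 1815 (DNP3); the site policy, device names and traffic are constructed."""
from dataclasses import dataclass

# DNP3 application-layer function codes (IEEE 1815), subset used here.
FUNCTION_CODES = {
    0x01: "READ", 0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
    0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR",
    0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART",
    0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE",
}
# Codes that change an outstation's state: the "control commands" the slides target.
CONTROL_CODES = {0x03, 0x04, 0x05, 0x06, 0x0D, 0x0E}

# Constructed site specification (hypothetical device names): the function codes each
# master is expected to send to each outstation. Anything else is "unexpected network
# activity" in the slides' terms, even though it is syntactically valid DNP3.
SPEC = {
    ("master-1", "outstation-7"): {0x01, 0x03, 0x04},   # reads plus select-before-operate
}


@dataclass
class AppHeader:
    fir: bool   # first fragment
    fin: bool   # final fragment
    con: bool   # confirmation requested
    uns: bool   # unsolicited
    seq: int    # 4-bit application sequence number
    fc: int     # function code


def parse_app_header(fragment: bytes) -> AppHeader:
    """Decode the application control octet and function code that start every DNP3
    application fragment; the object headers after them are left undecoded here."""
    if len(fragment) < 2:
        raise ValueError("fragment too short for a DNP3 application header")
    ctrl, fc = fragment[0], fragment[1]
    return AppHeader(fir=bool(ctrl & 0x80), fin=bool(ctrl & 0x40),
                     con=bool(ctrl & 0x20), uns=bool(ctrl & 0x10),
                     seq=ctrl & 0x0F, fc=fc)


def check_request(master: str, outstation: str, fragment: bytes, state: dict) -> list:
    """Return the alerts for one master-to-outstation request. `state` remembers an
    outstanding SELECT per pair so that an OPERATE without one can be flagged."""
    alerts = []
    hdr = parse_app_header(fragment)
    name = FUNCTION_CODES.get(hdr.fc, f"UNKNOWN_0x{hdr.fc:02X}")
    pair = (master, outstation)
    allowed = SPEC.get(pair)
    if allowed is None:
        alerts.append(f"no specification for {master} -> {outstation} ({name})")
    elif hdr.fc not in allowed:
        kind = "control command" if hdr.fc in CONTROL_CODES else "request"
        alerts.append(f"{kind} {name} not in specification for {master} -> {outstation}")
    # Sequencing rule: OPERATE is only expected after a SELECT from the same master.
    # (The standard also constrains the select/operate timeout and sequence numbers;
    # those checks are omitted in this example.)
    if hdr.fc == 0x03:
        state[pair] = hdr.seq
    elif hdr.fc == 0x04 and state.pop(pair, None) is None:
        alerts.append(f"OPERATE (seq {hdr.seq}) from {master} without a preceding SELECT")
    return alerts


def scan(samples) -> list:
    """Run the check over a sequence of (master, outstation, fragment) tuples."""
    state = {}
    return [check_request(m, o, frag, state) for m, o, frag in samples]


# Constructed traffic. Bytes after the 2-byte header sketch the object header
# (0x3C 0x02 0x06 = group 60 var 2, all objects; 0x0C 0x01 0x17 = group 12 var 1, CROB,
# 1-octet index and count). Only the header is decoded above.
SAMPLE = [
    ("master-1", "outstation-7", bytes([0xC0, 0x01, 0x3C, 0x02, 0x06])),             # READ
    ("master-1", "outstation-7", bytes([0xC1, 0x03, 0x0C, 0x01, 0x17, 0x01, 0x00])), # SELECT
    ("master-1", "outstation-7", bytes([0xC2, 0x04, 0x0C, 0x01, 0x17, 0x01, 0x00])), # OPERATE
    ("master-1", "outstation-7", bytes([0xC3, 0x05, 0x0C, 0x01, 0x17, 0x01, 0x00])), # DIRECT_OPERATE
    ("master-1", "outstation-7", bytes([0xC4, 0x04, 0x0C, 0x01, 0x17, 0x01, 0x00])), # OPERATE, no SELECT
    ("master-9", "outstation-7", bytes([0xC5, 0x01, 0x3C, 0x02, 0x06])),             # unknown master
]

if __name__ == "__main__":
    for (m, o, _), alerts in zip(SAMPLE, scan(SAMPLE)):
        print(m, "->", o, alerts or "ok")
```

Running the sample gives no alerts for the READ and the SELECT/OPERATE pair, and one alert each for the DIRECT_OPERATE the policy does not list, the OPERATE that arrives with no SELECT outstanding, and the request from a master the specification does not know. In Bro itself the same policy would be written as a Bro script over the events the DNP3 analyzer raises for each application-layer header; the point carried over is that the decision is made per (master, outstation, function code) against a whitelist, not by matching malformed packets.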

SLIDE 17

APPROACH: PHYSICAL INFRASTRUCTURE

  • Develop a semantic analysis framework
    – Augment network IDS with power flow analysis
    – Monitor network payloads to identify control commands
    – Invoke look-ahead power flow analysis to evaluate the physical consequence of a command's execution
    – Monitor sensor measurements to identify corruptions

(Diagram: Bro IDS for SCADA feeding Look-ahead Power Flow Analysis)

SLIDE 21

LOW LATENCY DETECTION

  • Classical AC power flow analysis calculates accurate system states with long latency
  • DC power flow analysis introduces very little latency, but calculates very inaccurate system states
  • Adapt AC power flow analysis to balance detection latency and accuracy
    – Allow timely responses before system-wide propagation of malicious damage
  • Adapt the Newton-Raphson algorithm
    – Intelligently reduce the number of iterations for different control commands
  • Meet the trade-off between detection accuracy and latency
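An added example (not the project's implementation and not Matpower): a self-contained look-ahead power flow for a constructed 3-bus network that implements the bus power equations from the problem-definition slide, runs the DC approximation and a Newton-Raphson AC solve under an iteration cap against a hypothetical "open line" command, and reports which lines would exceed a constructed thermal limit. It illustrates both the look-ahead step of the semantic analysis (slide 17) and the iteration-count trade-off of this slide. The line data, loads, LINE_LIMIT, bus numbering and the fixed cap/tolerance are all constructed; the per-command iteration selection of the adapted algorithm is not detailed on the slides, and a plain max_iter stands in for it here.

```python
"""Added example, not the project's code: look-ahead power flow on a constructed
3-bus network, run for a hypothetical "open line" command with a DC solve and a
Newton-Raphson AC solve under an iteration cap. All line data, loads and limits are constructed."""
import cmath
import math

N = 3  # bus 0 is the slack bus (V = 1, theta = 0); buses 1 and 2 are PQ buses
LINES = [(0, 1, 0.02, 0.10), (0, 2, 0.02, 0.10), (1, 2, 0.04, 0.20)]  # (from, to, r, x) p.u.
P_SPEC, Q_SPEC = {1: -0.6, 2: -0.8}, {1: -0.2, 2: -0.3}  # net injection = gen - load, p.u.
LINE_LIMIT = 1.0  # constructed active-power limit for every line, p.u.


def ybus(lines):
    """Bus admittance matrix from series impedances (no shunts)."""
    Y = [[0j] * N for _ in range(N)]
    for f, t, r, x in lines:
        y = 1 / complex(r, x)
        Y[f][f] += y; Y[t][t] += y; Y[f][t] -= y; Y[t][f] -= y
    return Y


def injections(Y, V, th):  # P_i and Q_i at every bus: the AC equations on slide 7
    P, Q = [0.0] * N, [0.0] * N
    for i in range(N):
        for k in range(N):
            g, b, d = Y[i][k].real, Y[i][k].imag, th[i] - th[k]
            P[i] += V[i] * V[k] * (g * math.cos(d) + b * math.sin(d))
            Q[i] += V[i] * V[k] * (g * math.sin(d) - b * math.cos(d))
    return P, Q


def solve(A, rhs):  # Gaussian elimination with partial pivoting; enough for tiny systems
    n, M = len(rhs), [row[:] + [r] for row, r in zip(A, rhs)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [mr - f * mc for mr, mc in zip(M[r], M[c])]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x


def ac_power_flow(lines, max_iter=10, tol=1e-6):
    """Newton-Raphson on the PQ buses from a flat start; max_iter is the accuracy-for-
    latency knob. Returns (V, theta, iterations used, largest remaining mismatch)."""
    Y, pq, V, th = ybus(lines), sorted(P_SPEC), [1.0] * N, [0.0] * N
    m = len(pq)
    for it in range(max_iter + 1):
        P, Q = injections(Y, V, th)
        mis = [P_SPEC[i] - P[i] for i in pq] + [Q_SPEC[i] - Q[i] for i in pq]
        worst = max(map(abs, mis))
        if worst < tol or it == max_iter:
            return V, th, it, worst
        J = [[0.0] * (2 * m) for _ in range(2 * m)]  # [[dP/dth, dP/dV], [dQ/dth, dQ/dV]]
        for a, i in enumerate(pq):
            for c, k in enumerate(pq):
                g, b, d = Y[i][k].real, Y[i][k].imag, th[i] - th[k]
                if i == k:
                    J[a][c], J[a][m + c] = -Q[i] - b * V[i] ** 2, P[i] / V[i] + g * V[i]
                    J[m + a][c], J[m + a][m + c] = P[i] - g * V[i] ** 2, Q[i] / V[i] - b * V[i]
                else:
                    J[a][c] = V[i] * V[k] * (g * math.sin(d) - b * math.cos(d))
                    J[a][m + c] = V[i] * (g * math.cos(d) + b * math.sin(d))
                    J[m + a][c] = -V[i] * V[k] * (g * math.cos(d) + b * math.sin(d))
                    J[m + a][m + c] = V[i] * (g * math.sin(d) - b * math.cos(d))
        dx = solve(J, mis)
        for a, i in enumerate(pq):
            th[i] += dx[a]
            V[i] += dx[m + a]


def dc_power_flow(lines):
    """DC approximation B' theta = P: flat voltages, resistance ignored, one linear solve."""
    pq = sorted(P_SPEC)
    idx = {i: a for a, i in enumerate(pq)}
    B = [[0.0] * len(pq) for _ in pq]
    for f, t, _, x in lines:
        for u, w in ((f, t), (t, f)):
            if u in idx:
                B[idx[u]][idx[u]] += 1 / x
                if w in idx:
                    B[idx[u]][idx[w]] -= 1 / x
    angles = dict(zip(pq, solve(B, [P_SPEC[i] for i in pq])))
    return [angles.get(i, 0.0) for i in range(N)]


def look_ahead(open_line, method="ac", max_iter=10):
    """Evaluate an "open this line" command before it executes: solve the post-command
    network and report the lines whose active-power flow would exceed LINE_LIMIT."""
    lines = [l for l in LINES if (l[0], l[1]) != open_line]
    if method == "dc":
        th, info = dc_power_flow(lines), {"iterations": 0, "mismatch": None}
        flows = [(th[f] - th[t]) / x for f, t, _, x in lines]
    else:
        V, th, it, worst = ac_power_flow(lines, max_iter=max_iter)
        info, flows = {"iterations": it, "mismatch": worst}, []
        for f, t, r, x in lines:  # active power leaving the "from" end: Re(V_f * conj(I_ft))
            vf, vt = cmath.rect(V[f], th[f]), cmath.rect(V[t], th[t])
            flows.append((vf * ((vf - vt) / complex(r, x)).conjugate()).real)
    info["flows"] = {(f, t): p for (f, t, _, _), p in zip(lines, flows)}
    info["overloaded"] = [line for line, p in info["flows"].items() if abs(p) > LINE_LIMIT]
    return info
```

look_ahead((0, 2), "dc") gives the DC estimate in a single linear solve (line (0, 1) would carry exactly the 1.4 p.u. of load, with no losses); look_ahead((0, 2), "ac", 1) stops Newton-Raphson after one update and already flags line (0, 1), while look_ahead((0, 2), "ac", 10) iterates to a 1e-6 mismatch and shows the higher loaded flow including losses. The "mismatch" field of the capped solve is the accuracy that the cap trades for latency, and the constructed base case look_ahead(None) reports no overload.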

SLIDE 23

EVALUATION: DETECTION ACCURACY

  • The test-bed configuration
    – Use the case files of the IEEE 24-bus, 30-bus, 39-bus, and a 2736-bus system in Matpower to evaluate the adapted power flow analysis algorithm
    – Malicious changes: line outage, generation and load modification
  • Compare the detection accuracy in terms of false positive (FP) and false negative (FN) detection
    – Adapted algorithm (“Adapted”) and DC power flow analysis (“DC”)

                    24-bus     30-bus     39-bus     2736-bus
  Adapted    FP     0.0005%    0.78%
             FN     0.01%      0.01%      0.01%      0.0005%
  DC         FP     7.6%       2.6%       6.7%       5.3%
             FN     1.3%       20%        0.3%       1.9%

  (The slide shows no Adapted FP value for the 39-bus and 2736-bus cases.)


SLIDE 26

EVALUATION: DETECTION LATENCY

  • Compare detection latency
    – Classical AC power flow analysis (“AC”), the adapted algorithm (“Adapted”), and DC power flow analysis (“DC”)
    – Reduce the detection latency by up to 60% as compared with AC power flow analysis

SLIDE 30

CONCLUSION

  • Combine system knowledge of both cyber and physical infrastructure in the power grid to detect control-related attacks
  • Develop network IDS for proprietary protocols used in the power grid
  • Augment network IDS with semantic analysis to estimate the physical consequence of a command's execution
  • Adapt the AC power flow analysis algorithm specifically for use in the semantic analysis
    – Balance the detection latency and accuracy

SLIDE 31

THANKS

  • The DNP3 and Modbus analyzers are included in Bro's standard distribution (bro.org/download)
  • Contacts:
    – Hui Lin: hlin33@illinois.edu
    – Zbigniew Kalbarczyk: kalbarcz@illinois.edu
    – Ravishankar Iyer: rkiyer@illinois.edu
    – Adam Slagell: slagell@illinois.edu
  • For further discussion, please stop by our poster, “Specification-based IDS for the DNP3 Protocol”