Architecture and prototype implementation for process-aware intrusion detection in electrical grids

Robert Flosbach, Justyna Joanna Chromik, Anne Katharina Ingrid Remke

Research output: Contribution to conference › Paper › Academic › peer-review

Abstract

Supervisory Control and Data Acquisition (SCADA) systems monitor and control electric power distribution. Recent history has shown that cyber-attacks pose a tremendous risk for the economy and safety of modern countries. This paper introduces an architecture and a prototype implementation for a process-aware, network-based Intrusion Detection System (IDS) to secure control networks in the domain of power distribution. Based on a recently proposed process model, the system continuously assesses the local physical process and all control commands with regard to consistency and safety of the underlying physical process. Its detection capabilities focus on process-based attacks like manipulated control commands, which appear legitimate to traditional IDS but might nevertheless have devastating effects on the power distribution. The architecture separates the evaluation part from the traffic processing, which ensures extensibility and scalability. The developed implementation has been successfully deployed at a Dutch power distribution substation. Its detection performance is characterized by a very low miss rate and high precision.
Original language: English
Publication status: Accepted/In press - May 2019
Event: 38th International Symposium on Reliable Distributed Systems 2019 - Bibliothèque Marie Curie of INSA-Lyon, Lyon, France
Duration: 1 Oct 2019 - 4 Oct 2019
Conference number: 38
https://srds2019.projet.liris.cnrs.fr/

Conference

Conference: 38th International Symposium on Reliable Distributed Systems 2019
Abbreviated title: SRDS 2019
Country: France
City: Lyon
Period: 1/10/19 - 4/10/19

Fingerprint

Intrusion detection
SCADA systems
Electric power distribution
Scalability
Processing

Keywords

  • SCADA
  • Intrusion detection
  • power distribution
  • Zeek
  • process-aware

Cite this

Flosbach, R., Chromik, J. J., & Remke, A. K. I. (Accepted/In press). Architecture and prototype implementation for process-aware intrusion detection in electrical grids. Paper presented at 38th International Symposium on Reliable Distributed Systems 2019, Lyon, France.