Architecture and prototype implementation for process-aware intrusion detection in electrical grids

Robert Flosbach, Justyna Joanna Chromik, Anne Katharina Ingrid Remke

    Research output: Contribution to conferencePaperAcademicpeer-review

    Abstract

    Supervisory Control and Data Acquisition (SCADA) systems monitor and control electric power distribution. Recent history has shown that cyber-attacks pose a tremendous risk for the economy and safety of modern countries. This paper introduces an architecture and a prototype implementation for a process-aware, network-based Intrusion Detection System (IDS) to secure control networks in the domain of power distribution. Based on a recently proposed process model, the system continuously assesses the local physical process and all control commands with regard to consistency and safety of the underlying physical process. Its detection capabilities focus on process-based attacks like manipulated control commands, which appear legitimate to traditional IDS but might nevertheless have devastating effects on the power distribution. The architecture separates the evaluation part from the traffic processing, which ensures extensibility and scalability. The developed implementation has been successfully deployed at a Dutch power distribution substation. Its detection performance is characterized by a very low miss rate and high
    precision.
    Original languageEnglish
    Publication statusAccepted/In press - May 2019
    Event38th International Symposium on Reliable Distributed Systems 2019 - Bibliothèque Marie Curie of INSA-Lyon, Lyon, France
    Duration: 1 Oct 20194 Oct 2019
    Conference number: 38
    https://srds2019.projet.liris.cnrs.fr/

    Conference

    Conference38th International Symposium on Reliable Distributed Systems 2019
    Abbreviated titleSRDS 2019
    CountryFrance
    CityLyon
    Period1/10/194/10/19
    Internet address

    Fingerprint

    Intrusion detection
    SCADA systems
    Electric power distribution
    Scalability
    Processing

    Keywords

    • SCADA
    • Intrusion detection
    • power distribution
    • Zeek
    • process-aware

    Cite this

    Flosbach, R., Chromik, J. J., & Remke, A. K. I. (Accepted/In press). Architecture and prototype implementation for process-aware intrusion detection in electrical grids. Paper presented at 38th International Symposium on Reliable Distributed Systems 2019, Lyon, France.
    Flosbach, Robert ; Chromik, Justyna Joanna ; Remke, Anne Katharina Ingrid. / Architecture and prototype implementation for process-aware intrusion detection in electrical grids. Paper presented at 38th International Symposium on Reliable Distributed Systems 2019, Lyon, France.
    @conference{40a9cb6c452a4656a548340146036081,
    title = "Architecture and prototype implementation for process-aware intrusion detection in electrical grids",
    abstract = "Supervisory Control and Data Acquisition (SCADA) systems monitor and control electric power distribution. Recent history has shown that cyber-attacks pose a tremendous risk for the economy and safety of modern countries. This paper introduces an architecture and a prototype implementation for a process-aware, network-based Intrusion Detection System (IDS) to secure control networks in the domain of power distribution. Based on a recently proposed process model, the system continuously assesses the local physical process and all control commands with regard to consistency and safety of the underlying physical process. Its detection capabilities focus on process-based attacks like manipulated control commands, which appear legitimate to traditional IDS but might nevertheless have devastating effects on the power distribution. The architecture separates the evaluation part from the traffic processing, which ensures extensibility and scalability. The developed implementation has been successfully deployed at a Dutch power distribution substation. Its detection performance is characterized by a very low miss rate and highprecision.",
    keywords = "SCADA, Intrusion detection, power distribution, Zeek, process-aware",
    author = "Robert Flosbach and Chromik, {Justyna Joanna} and Remke, {Anne Katharina Ingrid}",
    year = "2019",
    month = "5",
    language = "English",
    note = "38th International Symposium on Reliable Distributed Systems 2019, SRDS 2019 ; Conference date: 01-10-2019 Through 04-10-2019",
    url = "https://srds2019.projet.liris.cnrs.fr/",

    }

    Flosbach, R, Chromik, JJ & Remke, AKI 2019, 'Architecture and prototype implementation for process-aware intrusion detection in electrical grids' Paper presented at 38th International Symposium on Reliable Distributed Systems 2019, Lyon, France, 1/10/19 - 4/10/19, .

    Architecture and prototype implementation for process-aware intrusion detection in electrical grids. / Flosbach, Robert; Chromik, Justyna Joanna; Remke, Anne Katharina Ingrid.

    2019. Paper presented at 38th International Symposium on Reliable Distributed Systems 2019, Lyon, France.

    Research output: Contribution to conferencePaperAcademicpeer-review

    TY - CONF

    T1 - Architecture and prototype implementation for process-aware intrusion detection in electrical grids

    AU - Flosbach, Robert

    AU - Chromik, Justyna Joanna

    AU - Remke, Anne Katharina Ingrid

    PY - 2019/5

    Y1 - 2019/5

    N2 - Supervisory Control and Data Acquisition (SCADA) systems monitor and control electric power distribution. Recent history has shown that cyber-attacks pose a tremendous risk for the economy and safety of modern countries. This paper introduces an architecture and a prototype implementation for a process-aware, network-based Intrusion Detection System (IDS) to secure control networks in the domain of power distribution. Based on a recently proposed process model, the system continuously assesses the local physical process and all control commands with regard to consistency and safety of the underlying physical process. Its detection capabilities focus on process-based attacks like manipulated control commands, which appear legitimate to traditional IDS but might nevertheless have devastating effects on the power distribution. The architecture separates the evaluation part from the traffic processing, which ensures extensibility and scalability. The developed implementation has been successfully deployed at a Dutch power distribution substation. Its detection performance is characterized by a very low miss rate and highprecision.

    AB - Supervisory Control and Data Acquisition (SCADA) systems monitor and control electric power distribution. Recent history has shown that cyber-attacks pose a tremendous risk for the economy and safety of modern countries. This paper introduces an architecture and a prototype implementation for a process-aware, network-based Intrusion Detection System (IDS) to secure control networks in the domain of power distribution. Based on a recently proposed process model, the system continuously assesses the local physical process and all control commands with regard to consistency and safety of the underlying physical process. Its detection capabilities focus on process-based attacks like manipulated control commands, which appear legitimate to traditional IDS but might nevertheless have devastating effects on the power distribution. The architecture separates the evaluation part from the traffic processing, which ensures extensibility and scalability. The developed implementation has been successfully deployed at a Dutch power distribution substation. Its detection performance is characterized by a very low miss rate and highprecision.

    KW - SCADA

    KW - Intrusion detection

    KW - power distribution

    KW - Zeek

    KW - process-aware

    M3 - Paper

    ER -

    Flosbach R, Chromik JJ, Remke AKI. Architecture and prototype implementation for process-aware intrusion detection in electrical grids. 2019. Paper presented at 38th International Symposium on Reliable Distributed Systems 2019, Lyon, France.