Towards A Stateful Analysis Framework for Smart Grid Network Intrusion Detection

Cybersecurity is a primary issue in the development of smarter grid systems. Smart grid systems utilize a number of application protocols in order to implement their devices and services, and the information in the application protocols is useful for intrusion detection which is one of major security solutions. Stateful analysis based intrusion detection monitors network and system behaviours and keeps tracks of the behaviours in order to make detection decisions. In smart grid systems, monitoring these behaviours requires expert knowledge and tailoring for particular application protocols. In this paper, we present a framework for smart grid intrusion detection allowing stateful analysis methods to define its stateful rules that can be run on an open source network intrusion detection system, Suricata, in order to process their stateful analysis. A stateful rule defines a particular state of smart grid devices and will be examined with incoming network traffic in order to find any match. We also develop an application for IEC 61850 stateful analysis to show how the proposed framework can be implemented and work.

Content

Author and article information

Contributors

BooJoong Kang

Kieran McLaughlin

Sakir Sezer

Conference

Publication date: August 2016

Publication date (Print): August 2016

Pages: 124-131

Affiliations

[0001]Centre for Secure Information Technologies, Queen’s University Belfast

Belfast Northern Ireland, United Kingdom

Article

DOI: 10.14236/ewic/ICS2016.14

SO-VID: d69262cd-a860-40c5-96e8-9e374d7ce338

License:

This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

Conference name: 4th International Symposium for ICS & SCADA Cyber Security Research 2016

Conference acronym: ICS-CSR

Conference number: 4

Conference location: Queen’s Belfast University, UK

Conference date: 23 - 25 August 2016

Conference sponsor: Electronic Workshops in Computing (eWiC)

Conference theme: Cyber Security Research

History

Product

1477-9358 BCS Learning & Development

Self URI (article page): https://www.scienceopen.com/hosted-document?doi=10.14236/ewic/ICS2016.14

Self URI (journal page): https://ewic.bcs.org/

REFERENCES

P. Garcia-Teodoro et al 2009 Anomaly-based network intrusion detection: Techniques systems and challenges Computers & Security 28 1 18 28
W. ParkS. Ahn 2016 Performance comparison and detection analysis in Snort and Suricata environment Wireless Personal Communications 1 12
B. CaswellJ. BealeA. Baker 2007 Snort IDS and IPS toolkit New York Syngress
Suricata Suricata user guide ext-link-type="uri" xlink: href="https://redmine.openinfosecfoundation.org/projec">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide Accessed 17 05 2016
D. Kushner 2013 The real story of Stuxnet IEEE Spectrum 50 48 53
M. J. Assante 2016 Confirmation of a coordinated attack on the Ukrainian power grid > ext-link-type="uri" xlink: href="https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid">https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid 17 05 2016
IEC 2007 Power systems management and associated information exchange - data and communications security IEC Standard 62351
F. Cleveland 2005 IEC TC57 security standards for the power system’s information infrastructure - beyond simple encryption Proc. of the IEEE PES Transmission and Distribution Conference and Exhibition 1079 1087
S. CheungB. DutertreM. FongU. LindqvistK. SkinnerA. Valdes 2007 Using model-based intrusion detection for SCADA networks Proc. of the SCADA Security Scientific Symposium 127 134
B. GengeD. A. RusuP. Haller 2014 A connection pattern-based approach to detect network traffic anomalies in critical infrastructures Proc. of the 7th European Workshop on System Security 1 6
R. C. B. HinkJ. M. BeaverM. A. BucknerT. MorrisU. AdhikariS. Pan 2014 Machine learning for power system disturbance and cyber-attack discrimination Proc. of the 7th International Symposium on Resilient Control Systems 1 8
H. YooT. Shon 2014 Novel approach for detecting network anomalies for substation automation based on IEC 61850 Multimedia Tools and Applications 1 16
A. AlmalawiX. YuZ. TariA. FahadI. Khalil 2014 An unsupervised anomaly-based detection approach for integrity attacks on SCADA systems Computers & Security 46 94 110
U. K. PremaratneJ. SamarabanduT. S. SidhuR. BereshJ. Tan 2010 An intrusion detection system for IEC 61850 automated substations IEEE Transactions on Power Delivery 25 4 2376 2383
M. CaselliE. ZambonF. Kargl 2015 Sequence-aware intrusion detection in industrial control systems Proc. of the 1st ACM Workshop on Cyber-Physical System Security 13 24
J. HongC. LiuM. Govindarasu 2014 Detection of cyber intrusions using network-based messages for substation automation Proc. of the IEEE PES Innovative Smart Grid Technologies Conference 1 5
S. PanT. MorrisU. Adhikari 2015 Developing a hybrid intrusion detection system using data mining for power systems IEEE Transactions on Smart Grid 6 6 3104 3113
Digital Bond, Quickdraw SCADA IDS >https ://www.digitalbond.com/tools/quickdraw/ Accessed 17 05 2016
B. Kang et al 2015 Investigating cyber-physical attacks against IEC 61850 photovoltaic inverter installations Proc. of 20th IEEE International Conference on Emerging Technologies and Factory Automation 1 8
R. E. Mackiewicz 2006 Overview of IEC 61850 and benefits Proc. of IEE Power Systems Conference and Exposition (PSCE) 623 630
R. Bründlinger et al 2015 Lab tests: verifying that smart grid power converters are truly smart IEEE Power and Energy Magazine 13 2 30 42

Comments

Comment on this article

[1] P. Garcia-Teodoro et al 2009 Anomaly-based network intrusion detection: Techniques systems and challenges Computers & Security 28 1 18 28

[2] W. ParkS. Ahn 2016 Performance comparison and detection analysis in Snort and Suricata environment Wireless Personal Communications 1 12

[3] B. CaswellJ. BealeA. Baker 2007 Snort IDS and IPS toolkit New York Syngress

[4] Suricata Suricata user guide ext-link-type="uri" xlink: href="https://redmine.openinfosecfoundation.org/projec">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide Accessed 17 05 2016

[5] D. Kushner 2013 The real story of Stuxnet IEEE Spectrum 50 48 53

[6] M. J. Assante 2016 Confirmation of a coordinated attack on the Ukrainian power grid > ext-link-type="uri" xlink: href="https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid">https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid 17 05 2016

[7] IEC 2007 Power systems management and associated information exchange - data and communications security IEC Standard 62351

[8] F. Cleveland 2005 IEC TC57 security standards for the power system’s information infrastructure - beyond simple encryption Proc. of the IEEE PES Transmission and Distribution Conference and Exhibition 1079 1087

[9] S. CheungB. DutertreM. FongU. LindqvistK. SkinnerA. Valdes 2007 Using model-based intrusion detection for SCADA networks Proc. of the SCADA Security Scientific Symposium 127 134

[10] B. GengeD. A. RusuP. Haller 2014 A connection pattern-based approach to detect network traffic anomalies in critical infrastructures Proc. of the 7th European Workshop on System Security 1 6

[11] R. C. B. HinkJ. M. BeaverM. A. BucknerT. MorrisU. AdhikariS. Pan 2014 Machine learning for power system disturbance and cyber-attack discrimination Proc. of the 7th International Symposium on Resilient Control Systems 1 8

[12] H. YooT. Shon 2014 Novel approach for detecting network anomalies for substation automation based on IEC 61850 Multimedia Tools and Applications 1 16

[13] A. AlmalawiX. YuZ. TariA. FahadI. Khalil 2014 An unsupervised anomaly-based detection approach for integrity attacks on SCADA systems Computers & Security 46 94 110

[14] U. K. PremaratneJ. SamarabanduT. S. SidhuR. BereshJ. Tan 2010 An intrusion detection system for IEC 61850 automated substations IEEE Transactions on Power Delivery 25 4 2376 2383

[15] M. CaselliE. ZambonF. Kargl 2015 Sequence-aware intrusion detection in industrial control systems Proc. of the 1st ACM Workshop on Cyber-Physical System Security 13 24

[16] J. HongC. LiuM. Govindarasu 2014 Detection of cyber intrusions using network-based messages for substation automation Proc. of the IEEE PES Innovative Smart Grid Technologies Conference 1 5

[17] S. PanT. MorrisU. Adhikari 2015 Developing a hybrid intrusion detection system using data mining for power systems IEEE Transactions on Smart Grid 6 6 3104 3113

[18] Digital Bond, Quickdraw SCADA IDS >https ://www.digitalbond.com/tools/quickdraw/ Accessed 17 05 2016

[19] B. Kang et al 2015 Investigating cyber-physical attacks against IEC 61850 photovoltaic inverter installations Proc. of 20th IEEE International Conference on Emerging Technologies and Factory Automation 1 8

[20] R. E. Mackiewicz 2006 Overview of IEC 61850 and benefits Proc. of IEE Power Systems Conference and Exposition (PSCE) 623 630

[21] R. Bründlinger et al 2015 Lab tests: verifying that smart grid power converters are truly smart IEEE Power and Energy Magazine 13 2 30 42

Celebrating 65 years of The Computer Journal - free-to-read perspectives - bcs.org/tcj65