The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and to detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-oriented use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.
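As an added illustration, not code from the paper or its authors, the following minimal checker combines the three rule classes the abstract names: whitelisted communication flows, allowed protocol fields per flow, and technical operation boundaries (value range and ramp limit). The IEC 60870-5-104 type ids, addresses, kW ranges and the sample message stream are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asdu:
    """One application message reduced to the fields the rules inspect.
    Assumed, not from the paper: IEC 60870-5-104 type ids 13 (measured
    float, M_ME_NC_1) and 50 (set-point float, C_SE_NC_1), common
    address `ca` and information object address `ioa`."""
    src: str
    dst: str
    type_id: int
    ca: int
    ioa: int
    value: float

# Constructed sample specification, the kind of whitelist domain knowledge yields.
ALLOWED_FLOWS = {("scada", "der1"): {50}, ("der1", "scada"): {13}}  # flow -> type ids
BOUNDS = {(1, 2001): (0.0, 100.0), (1, 1001): (-5.0, 110.0)}       # (ca, ioa) -> kW range
MAX_STEP = {(1, 2001): 20.0}   # largest accepted change between consecutive set-points

def check(asdu, last):
    """Return the rule violations of one message; `last` keeps the last accepted value per object."""
    alerts = []
    flow = (asdu.src, asdu.dst)
    if flow not in ALLOWED_FLOWS:
        alerts.append("flow not whitelisted")
    elif asdu.type_id not in ALLOWED_FLOWS[flow]:
        alerts.append("type id not allowed on flow")
    key = (asdu.ca, asdu.ioa)
    if key not in BOUNDS:
        alerts.append("unknown object address")
    else:
        lo, hi = BOUNDS[key]
        prev = last.get(key)
        if not lo <= asdu.value <= hi:
            alerts.append("value outside operational boundary")
        elif prev is not None and abs(asdu.value - prev) > MAX_STEP.get(key, float("inf")):
            alerts.append("step exceeds ramp limit")
    if not alerts:
        last[key] = asdu.value   # only conforming messages become the new reference
    return alerts

def detect(stream):
    """Run the whitelist over a message stream; returns (index, alert) pairs."""
    last = {}
    return [(i, a) for i, m in enumerate(stream) for a in check(m, last)]

SAMPLE = [  # constructed stream: two benign messages, then several rule violations
    Asdu("der1", "scada", 13, 1, 1001, 42.0),    # measurement on the expected flow
    Asdu("scada", "der1", 50, 1, 2001, 60.0),    # plausible set-point
    Asdu("scada", "der1", 50, 1, 2001, 150.0),   # manipulated: above the 100 kW bound
    Asdu("scada", "der1", 50, 1, 2001, 95.0),    # in range, but a 35 kW jump from 60
    Asdu("rogue", "der1", 50, 1, 2001, 70.0),    # set-point from an unknown host
    Asdu("der1", "scada", 50, 1, 2001, 80.0),    # set-point on a measurement-only flow
    Asdu("scada", "der1", 50, 1, 9999, 10.0),    # object address not in the specification
]
```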