While digitization of distribution grids through information and communications technology brings numerous benefits, it also increases the grid's vulnerability to serious cyber attacks. Unlike attacks on conventional systems, attacks on many industrial control systems such as power grids often occur in multiple stages, with the attacker taking several steps to achieve its goal. Detection mechanisms with situational awareness are needed to recognize orchestrated attack steps as parts of a coherent attack campaign. To provide a foundation for the detection and prevention of such attacks, this paper addresses the detection of multi-stage cyber attacks with the aid of a graph-based cyber intelligence database and an alert correlation approach. Specifically, we propose an approach that leverages heterogeneous data to form a knowledge base and employs model-based correlation of the generated alerts to identify multi-stage cyber attack sequences taking place in the network. We investigate the detection quality of the proposed approach using a case study of a multi-stage cyber attack campaign in a future-oriented power grid pilot.
While the increasing penetration of information and communication technology into distribution grids brings numerous benefits, it also opens up a new threat landscape, particularly through cyberattacks. To provide a basis for countermeasures against such threats, this paper investigates the impact and manifestations of cyberattacks on smart grids by replicating the power grid in a secure, isolated, and controlled laboratory environment as a cyber-physical twin. Currently, detecting intrusions by unauthorized third parties into the central monitoring and control system of grid operators, especially attacks originating within the grid perimeter, is a major challenge. The development and validation of methods to detect and prevent coordinated and timed attacks on electric power systems depends not only on the availability and quality of data from such attack scenarios, but also on suitable, realistic investigation environments. Creating a comprehensive investigation environment requires a realistic representation of the object under study, so that critical cyberattacks on grid operations can be examined thoroughly and their impact on the power grid evaluated using real data. In this paper, we demonstrate our cyber-physical twin approach on a microgrid in the context of a cyberattack case study.