Towards an Approach to Contextual Detection of Multi-Stage Cyber Attacks in Smart Grids

Sen, Ömer; Velde, Dennis van der; Wehrmeister, Katharina A.; Hacker, Immanuel; Henze, Martin; Andres, Michael

doi:10.1109/sest50973.2021.9543359

Cited by 5 publications

(3 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the context of situational awareness for intrusion detection, our SIDS can act as a low-level sensor that provides domain-specific indicators of multi-staged cyber-attacks. Alerts can be centrally processed with other indicators from other IDS sensors through a correlation system based on Security Information and Event Management (SIEM) to reconstruct the attack sequence [47,48].…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

On specification-based cyber-attack detection in smart grids

et al. 2022

Self Cite

View full text Add to dashboard Cite

The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Alert generation is triggered by various components for different reasons. The cyber threat information database represents the collection of alerts combined with the specification of the infrastructure, which is part of a higher-level correlation as presented in our previous work [47,48].…”

Section: Framework Overviewmentioning

confidence: 99%

On specification-based cyber-attack detection in smart grids

et al. 2022

Self Cite

View full text Add to dashboard Cite

show abstract

“…A common way of modeling a multi-stage attacks is by creating its attack graph representation. It enables extraction of contextual information via correlation and reasoning over the attackrelated data to classify or infer characteristics and relations between entities involved in the attack [20].…”

Section: B Contextual Detection Of Cyber Attacksmentioning

confidence: 99%

On Holistic Multi-Step Cyberattack Detection via a Graph-based Correlation Approach

Sen

Eze

Ulbig

et al. 2022

2022 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm)

Self Cite

View full text Add to dashboard Cite

While digitization of distribution grids through information and communications technology brings numerous benefits, it also increases the grid's vulnerability to serious cyber attacks. Unlike conventional systems, attacks on many industrial control systems such as power grids often occur in multiple stages, with the attacker taking several steps at once to achieve its goal. Detection mechanisms with situational awareness are needed to detect orchestrated attack steps as part of a coherent attack campaign. To provide a foundation for detection and prevention of such attacks, this paper addresses the detection of multi-stage cyber attacks with the aid of a graph-based cyber intelligence database and alert correlation approach. Specifically, we propose an approach to detect multi-stage attacks by leveraging heterogeneous data to form a knowledge base and employ a model-based correlation approach on the generated alerts to identify multi-stage cyber attack sequences taking place in the network. We investigate the detection quality of the proposed approach by using a case study of a multi-stage cyber attack campaign in a future-orientated power grid pilot.

show abstract