To address the problem of protecting cyber-physical systems (CPSes) such as power grids, we propose methods that offer proactive protection against persistent threats, together with methods for real-time validation of the control commands executed in the system. Remote attacks against power grids can be crafted so that they introduce no anomaly perceivable at the system level: for instance, an attacker who controls several measurement points can manipulate their data in a coordinated way, keeping the forged values mutually consistent so that the malicious actions stay hidden. In such a scenario the electrical disturbance, and with it the physical damage, propagates through the grid at close to the speed of light, so detection must be preemptive if unsafe operating conditions are to be avoided.
To detect malicious operations, we use an interdisciplinary approach that combines network intrusion detection with adaptive power flow analysis. Power systems include a control structure (Figure 3) through which system administrators collect measurements of the physical processes and issue control commands. We use this same information to decide whether packets that are in a perfectly legitimate format, such as those a remote insider attacker would craft, carry commands or measurements that are inconsistent with the physical state of the grid. Our approach to cyber-security protection acts at three stages of the attack timeline:
- Detection of attack execution. We have developed the first IDS that fully supports the network protocols used in CPSes (e.g., DNP3), and we extend it with a newly designed power flow analysis algorithm, so that a command is judged by its physical effect on the grid and not only by the validity of its syntax.
- Response to remedy the consequences of attacks. We have designed a self-healing network infrastructure that, under the constraints of both the cyber and the physical infrastructure, simultaneously (i) reduces the overhead of reconnecting compromised devices to the network and (ii) increases service availability.
- Preemption of disruption and sabotage of attack preparation. We have designed a moving target defense (MTD) mechanism that (i) collects measurements from a randomly selected subset of devices rather than from all of them, and (ii) obfuscates the measurements of physical operations, so that an attacker who relies on them to plan malicious operations is working from misleading information.
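As an added illustration (constructed for this page; it is not the authors' IDS, their power flow algorithm or their MTD code), the following Python script models two of the points above on a made-up three-bus grid. First, it validates a syntactically legitimate "open breaker" command by its physical effect under the DC power flow approximation, the kind of check the detection stage needs when the packet itself is well formed. Second, it shows why the coordinated measurement manipulation described in the introduction is hard to see: a single tampered sensor value raises the residual of a least-squares state estimator, whereas an attack vector of the form a = Hc leaves it unchanged. The grid topology, line limits, injections and attack values are all constructed for the example.

```python
"""Added example: DC power flow as a physics-aware check for a grid IDS.
Constructed 3-bus grid (illustrative data, not from the paper); bus 0 is the slack bus."""

# (from_bus, to_bus, reactance in per-unit, thermal limit in MW) -- constructed data
LINES = [(0, 1, 0.1, 150.0), (0, 2, 0.1, 150.0), (1, 2, 0.1, 150.0)]
# Net injection per non-slack bus in MW (negative = load); slack bus 0 balances the rest.
INJECTIONS = {1: -60.0, 2: -120.0}
N_BUS = 3


def solve(a, b):
    """Solve a*x = b for a small dense system (Gauss-Jordan with partial pivoting)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular system: the grid is islanded")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def bus_rows(lines, n_bus=N_BUS):
    """Reduced susceptance matrix B (slack removed): one row per non-slack bus."""
    n = n_bus - 1
    B = [[0.0] * n for _ in range(n)]
    for i, j, x, _ in lines:
        for u, v in ((i, j), (j, i)):
            if u > 0:
                B[u - 1][u - 1] += 1.0 / x
                if v > 0:
                    B[u - 1][v - 1] -= 1.0 / x
    return B


def line_rows(lines, n_bus=N_BUS):
    """One row per line: flow from->to as a linear function of the non-slack angles."""
    rows = []
    for i, j, x, _ in lines:
        row = [0.0] * (n_bus - 1)
        if i > 0:
            row[i - 1] += 1.0 / x
        if j > 0:
            row[j - 1] -= 1.0 / x
        rows.append(row)
    return rows


def dc_flows(lines, injections, n_bus=N_BUS):
    """Flow on every line (MW, from->to) under the DC power flow approximation."""
    theta = solve(bus_rows(lines, n_bus), [injections.get(b, 0.0) for b in range(1, n_bus)])
    return [sum(c * t for c, t in zip(row, theta)) for row in line_rows(lines, n_bus)]


def validate_open_command(lines, injections, line_to_open):
    """IDS-side check of an 'open breaker on line k' command. The packet can be a
    well-formed DNP3 operate request, so the check is physical, not syntactic:
    returns [(line_index, flow_MW, limit_MW)] for every line overloaded after the trip."""
    kept = [(k, ln) for k, ln in enumerate(lines) if k != line_to_open]
    flows = dc_flows([ln for _, ln in kept], injections)
    return [(k, f, ln[3]) for (k, ln), f in zip(kept, flows) if abs(f) > ln[3]]


def measurement_matrix(lines, n_bus=N_BUS):
    """H for a DC state estimator: line flow rows followed by bus injection rows."""
    return line_rows(lines, n_bus) + bus_rows(lines, n_bus)


def residual_norm(H, z):
    """Least-squares angle estimate from z; returns ||z - H*theta_hat||, which a
    residual-based bad-data detector compares against an alarm threshold."""
    m, n = len(H), len(H[0])
    HtH = [[sum(H[r][a] * H[r][b] for r in range(m)) for b in range(n)] for a in range(n)]
    est = solve(HtH, [sum(H[r][a] * z[r] for r in range(m)) for a in range(n)])
    return sum((z[r] - sum(H[r][a] * est[a] for a in range(n))) ** 2 for r in range(m)) ** 0.5


def clean_measurements(lines=LINES, injections=INJECTIONS, n_bus=N_BUS):
    """Noise-free telemetry: every line flow, then every non-slack bus injection."""
    return dc_flows(lines, injections, n_bus) + [injections.get(b, 0.0) for b in range(1, n_bus)]


def coordinated_injection(H, c):
    """Attack vector a = H*c: shifting every measurement consistently with a fake angle
    shift c leaves the estimator's residual unchanged, so the tampering is invisible."""
    return [sum(h * ci for h, ci in zip(row, c)) for row in H]


if __name__ == "__main__":
    print("flows:", dc_flows(LINES, INJECTIONS))
    print("overloads if line 1 (bus 0-2) opens:", validate_open_command(LINES, INJECTIONS, 1))
    H, z = measurement_matrix(LINES), clean_measurements()
    naive = [z[0] + 40.0] + z[1:]  # one sensor tampered in isolation
    stealth = [zi + ai for zi, ai in zip(z, coordinated_injection(H, [-2.0, 0.0]))]
    print("residual clean/naive/coordinated:", [round(residual_norm(H, v), 3) for v in (z, naive, stealth)])
```

On the constructed grid, opening the line between bus 0 and bus 2 is a syntactically valid command that would push 180 MW over a 150 MW line, which is what the physics-aware check flags; opening the line between buses 1 and 2 is harmless and passes. The coordinated attack leaves the residual at zero while changing the apparent load at bus 1 from 60 MW to 100 MW, which is why residual-based bad-data detection alone is not a sufficient defence and why the text argues for preemptive measures such as sampling and obfuscating the measurements an attacker would need in order to build a consistent vector a = Hc. Two caveats: the DC approximation ignores reactive power and voltage magnitudes, so a production check would use the AC model, and a command that islands part of the grid makes the susceptance matrix singular, which the solver reports as an error rather than silently returning flows.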