Attack Models for Advanced Persistent Threats in Smart Grid Wide Area Monitoring

Wide Area Monitoring Systems (WAMSs) provide an essential building block for Smart Grid supervision and control. Distributed Phasor Measurement Units (PMUs) allow accurate clock-synchronized measurements of voltage and current phasors (amplitudes, phase angles) and frequencies. The sensor data from PMUs provide situational awareness in the grid, and are used as input for control decisions. A modification of sensor data can severely impact grid stability, overall power supply, and physical devices. Since power grids are critical infrastructures, WAMSs are tempting targets for all kinds of attackers, including well-organized and motivated adversaries such as terrorist groups or adversarial nation states. Such groups possess sufficient resources to launch sophisticated attacks. In this paper, we provide an in-depth analysis of attack possibilities on WAMSs. We model the dependencies and building blocks of Advanced Persistent Threats (APTs) on WAMSs using attack trees. We consider the whole WAMS infrastructure, including aggregation and data collection points, such as Phasor Data Concentrators (PDCs), classical IT components, and clock synchronization. Since Smart Grids are cyber-physical systems, we consider physical perturbations, in addition to cyber attacks in our models. The models provide valuable information about the chain of cyber or physical attack steps that can be combined to build a sophisticated attack for reaching a higher goal. They assist in the assessment of physical and cyber vulnerabilities, and provide strategic guidance for the deployment of suitable countermeasures.