Biblio

The application of network technology and high-tech equipment in power systems has increased the degree of grid intelligence, and malicious attacks on smart grids have also increased year by year. The wrong data injection attack launched by the attacker will destroy the integrity of the data by changing the data of the sensor and controller, which will lead to the wrong decision of the control system and even paralyze the power transmission network. This paper uses the measured values of smart grid sensors as samples, analyzes the attack vectors maliciously injected by attackers and the statistical characteristics of system data, and proposes a false data injection attack detection strategy. It is considered that the measured values of sensors have spatial distribution characteristics, the Gaussian mixture model of grid node feature vectors is obtained by training sample values, the test measurement values are input into the Gaussian mixture model, and the knowledge of clustering is used to detect whether the power grid is malicious data attacks. The power supplies of IEEE-18 and IEEE-30 simulation systems was tested, and the influence of the system statistical measurement characteristics on the detection accuracy was analyzed. The results show that the proposed strategy has better detection performance than the support vector machine method.

Phasor measurement unit (PMU) networks are increasingly deployed to offer timely and high-precision measurement of today's highly interconnected electric power systems. To enhance the cyber-resilience of PMU networks against malicious attacks and system errors, we develop an optimization-based network management scheme based on the software-defined networking (SDN) communication infrastructure to recovery PMU network connectivity and restore power system observability. The scheme enables fast network recovery by optimizing the path generation and installation process, and moreover, compressing the SDN rules to be installed on the switches. We develop a prototype system and perform system evaluation in terms of power system observability, recovery speed, and rule compression using the IEEE 30-bus system and IEEE 118-bus system.

State estimation is of considerable significance for the power system operation and control. However, well-designed false data injection attacks can utilize blind spots in conventional residual-based bad data detection methods to manipulate measurements in a coordinated manner and thus affect the secure operation and economic dispatch of grids. In this paper, we propose a detection approach based on an autoencoder neural network. By training the network on the dependencies intrinsic in `normal' operation data, it effectively overcomes the challenge of unbalanced training data that is inherent in power system attack detection. To evaluate the detection performance of the proposed mechanism, we conduct a series of experiments on the IEEE 118-bus power system. The experiments demonstrate that the proposed autoencoder detector displays robust detection performance under a variety of attack scenarios.

With the advancement of communication technology, the interoperability of the power grid operation has improved significantly, but due to its dependence on the communication system, it is extremely vulnerable to network attacks. Among them, the false data injection attack utilizes the loophole of bad data detection in the system and attacks the state estimation system, resulting in frequent occurrence of abnormal data in the system, which brings great harm to the power grid. In view of the fact that false data injection attacks are easy to avoid traditional bad data detection methods, this paper analyzes the different situations of false data injection attacks based on the characteristics of the power grid. Firstly, it proposes to apply the distortion index method to false data injection attack detection. Experiments prove that the detection results are good and can be complementary to traditional detection methods. Then, combined with the traditional normalized residual method, this paper proposes the improved distortion index method based on the distortion index, which is good at detecting abnormal data. The use of improved distortion index method to detect false data injection attacks can make up for the defect of the lack of universality of traditional detection methods, and meet the requirements of anomaly detection efficiency. Finally, based on the MATLAB power simulation test system, experimental simulation is carried out to verify the effectiveness and universality of the proposed method for false data injection attack detection.

The state estimation technology is utilized to estimate the grid state based on the data of the meter and grid topology structure. The false data injection attack (FDIA) is an information attack method to disturb the security of the power system based on the meter measurement. Current FDIA detection researches pay attention on detecting its presence. The location information of FDIA is also important for power system security. In this paper, locating the FDIA of the meter is regarded as a multi-label classification problem. Each label represents the state of the corresponding meter. The ensemble model, the multi-label decision tree algorithm, is utilized as the classifier to detect the exact location of the FDIA. This method does not need the information of the power topology and statistical knowledge assumption. The numerical experiments based on the IEEE-14 bus system validates the performance of the proposed method.

On-Load Tap Changing transformers are a widely used voltage regulation device. In the context of modern or smart grids, the control signals, i.e., the tap change commands are sent through SCADA channels. It is well known that the power system SCADA networks are prone to attacks involving injection of false data or commands. While false data injection is well explored in existing literature, attacks involving malicious control signals/commands are relatively unexplored. In this paper, an algorithm is developed to detect a stealthily introduced malicious tap change command through a compromised SCADA channel. This algorithm is based on the observation that a stealthily introduced false data or command masks the true estimation of only a few state variables. This leaves the rest of the state variables to show signs of a change in system state brought about by the attack. Using this observation, an index is formulated based on the ratios of injection or branch currents to voltages of the terminal nodes of the tap changers. This index shows a significant increase when there is a false tap command injection, resulting in easy classification from normal scenarios where there is no attack. The algorithm is computationally light, easy to implement and reliable when tested extensively on several tap changers placed in an IEEE 118-bus system.

The chances of cyber-attacks have been increased because of incorporation of communication networks and information technology in power system. Main objective of the paper is to prove that attacker can launch the attack vector without the knowledge of complete network information and the injected false data can't be detected by power system operator. This paper also deals with analyzing the impact of multi-attacking strategy on the power system. This false data attacks incurs lot of damage to power system, as it misguides the power system operator. Here, we demonstrate the construction of attack vector and later we have demonstrated multiple attacking regions in IEEE 14 bus system. Impact of attack vector on the power system can be observed and it is proved that the attack cannot be detected by power system operator with the help of residue check method.

Modern cyber-physical systems are increasingly complex and vulnerable to attacks like false data injection aimed at destabilizing and confusing the systems. We develop and evaluate an attack-detection framework aimed at learning a dynamic invariant network, data-driven temporal causal relationships between components of cyber-physical systems. We evaluate the relative performance in attack detection of the proposed model relative to traditional anomaly detection approaches. In this paper, we introduce Granger Causality based Kalman Filter with Adaptive Robust Thresholding (G-KART) as a framework for anomaly detection based on data-driven functional relationships between components in cyber-physical systems. In particular, we select power systems as a critical infrastructure with complex cyber-physical systems whose protection is an essential facet of national security. The system presented is capable of learning with or without network topology the task of detection of false data injection attacks in power systems. Kalman filters are used to learn and update the dynamic state of each component in the power system and in-turn monitor the component for malicious activity. The ego network for each node in the invariant graph is treated as an ensemble model of Kalman filters, each of which captures a subset of the node's interactions with other parts of the network. We finally also introduce an alerting mechanism to surface alerts about compromised nodes.

In industrial internet of things, various devices are connected to external internet. For the connected devices, the authentication is very important in the viewpoint of security; therefore, physical unclonable functions (PUFs) have attracted attention as authentication techniques. On the other hand, the risk of modeling attacks on PUFs, which clone the function of PUFs mathematically, is pointed out. Therefore, a resistant-PUF such as a lightweight PUF has been proposed. However, new analytical methods (side-channel attacks: SCAs), which use side-channel information such as power or electromagnetic waves, have been proposed. The countermeasure method has also been proposed; however, an evaluation using actual devices has not been studied. Since PUFs use small production variations, the implementation evaluation is very important. Therefore, this study proposes a SCA countermeasure of the lightweight PUF. The proposed method is based on the previous studies, and maintains power consumption consistency during the generation of response. In experiments using a field programmable gate array, the measured power consumption was constant regardless of output values of the PUF could be confirmed. Then, experimental results showed that the predicted rate of the response was about 50 %, and the proposed method had a tamper resistance against SCAs.

Security and consistency of smart grids is one of the main issues in the design and maintenance of highly controlled and monitored new power grids. Bad data injection attack could lead to disasters such as power system outage, or huge economical losses. In many attack scenarios, the attacker can come up with new attack strategies that couldn't be detected by the traditional bad data detection methods. Adaptive Partitioning State Estimation (APSE) method [3] has been proposed recently to combat such attacks. In this work, we evaluate and compare with a traditional method. The main idea of APSE is to increase the sensitivity of the chi-square test by partitioning the large grids into small ones and apply the test on each partition individually and repeat this procedure until the faulty node is located. Our simulation findings using MATPOWER program show that the method is not consistent where it is sensitive the systems size and the location of faulty nodes as well.

This paper focuses on the secure integration of distributed energy resources (DERs), especially pluggable electric vehicles (EVs), with the power grid. We consider the vehicle-to-grid (V2G) system where EVs are connected to the power grid through an `aggregator' In this paper, we propose a novel Cyber-Physical Anomaly Detection Engine that monitors system behavior and detects anomalies almost instantaneously (worst case inspection time for a packet is 0.165 seconds1). This detection engine ensures that the critical power grid component (viz., aggregator) remains secure by monitoring (a) cyber messages for various state changes and data constraints along with (b) power data on the V2G cyber network using power measurements from sensors on the physical/power distribution network. Since the V2G system is time-sensitive, the anomaly detection engine also monitors the timing requirements of the protocol messages to enhance the safety of the aggregator. To the best of our knowledge, this is the first piece of work that combines (a) the EV charging/discharging protocols, the (b) cyber network and (c) power measurements from physical network to detect intrusions in the EV to power grid system.1Minimum latency on V2G network is 2 seconds.

False data injection is an on-going concern facing power system state estimation. In this work, a neural network is trained to detect the existence of false data in measurements. The proposed approach can make use of historical data, if available, by using them in the training sets of the proposed neural network model. However, the inputs of perceptron model in this work are the residual elements from the state estimation, which are highly correlated. Therefore, their dimension could be reduced by preserving the most informative features from the inputs. To this end, principal component analysis is used (i.e., a data preprocessing technique). This technique is especially efficient for highly correlated data sets, which is the case in power system measurements. The results of different perceptron models that are proposed for detection, are compared to a simple perceptron that produces identical result to the outlier detection scheme. For generating the training sets, state estimation was run for different false data on different measurements in 13-bus IEEE test system, and the residuals are saved as inputs of training sets. The testing results of the trained network show its good performance in detection of false data in measurements.

The normal operation of key measurement and control equipment in power grid (KMCEPG) is of great significance for safe and stable operation of power grid. Firstly, this paper gives a systematic overview of KMCEPG. Secondly, the cyber security risks of KMCEPG on the main station / sub-station side, channel side and terminal side are analyzed and the related vulnerabilities are discovered. Thirdly, according to the risk analysis results, the attack process construction technology of KMCEPG is proposed, which provides the test process and attack ideas for the subsequent KMCEPG-related attack penetration. Fourthly, the simulation penetration test environment is built, and a series of attack tests are carried out on the terminal key control equipment by using the attack flow construction technology proposed in this paper. The correctness of the risk analysis and the effectiveness of the attack process construction technology are verified. Finally, the attack test results are analyzed, and the attack test cases of terminal critical control devices are constructed, which provide the basis for the subsequent attack test. The attack flow construction technology and attack test cases proposed in this paper improve the network security defense capability of key equipment of power grid, ensure the safe and stable operation of power grid, and have strong engineering application value.

Technological developments in the energy sector while offering new business insights, also produces complex data. In this study, the relationship between smart grid and big data approaches have been investigated. After analyzing where the big data techniques and technologies are used in which areas of smart grid systems, the big data technologies used to detect attacks on smart grids have been focused on. Big data analytics produces efficient solutions, but it is more critical to choose which algorithm and metric. For this reason, an application prototype has been proposed using big data approaches to detect attacks on smart grids. The algorithms with high accuracy were determined as 92% with Random Forest and 87% with Decision Tree.

We propose POWERALERT, an efficient external integrity checker for untrusted hosts. Current attestation systems suffer from shortcomings, including requiring a complete checksum of the code segment, from being static, use of timing information sourced from the untrusted machine, or using imprecise timing information such as network round-trip time. We address those shortcomings by (1) using power measurements from the host to ensure that the checking code is executed and (2) checking a subset of the kernel space over an extended period. We compare the power measurement against a learned power model of the execution of the machine and validate that the execution was not tampered. Finally, POWERALERT randomizes the integrity checking program to prevent the attacker from adapting. We model the interaction between POWERALERT and an attacker as a time-continuous game. The Nash equilibrium strategy of the game shows that POWERALERT has two optimal strategy choices: (1) aggressive checking that forces the attacker into hiding, or (2) slow checking that minimizes cost. We implement a prototype of POWERALERT using Raspberry Pi and evaluate the performance of the integrity checking program generation.

Embedded electronic devices and sensors such as smartphones, smart watches, medical implants, and Wireless Sensor Nodes (WSN) are making the “Internet of Things” (IoT) a reality. Such devices often require cryptographic services such as authentication, integrity and non-repudiation, which are provided by Public-Key Cryptography (PKC). As these devices are severely resource-constrained, choosing a suitable cryptographic system is challenging. Pairing Based Cryptography (PBC) is among the best candidates to implement PKC in lightweight devices. In this research, we present a fast and energy efficient implementation of PBC based on Barreto-Naehrig (BN) curves and optimal Ate pairing using hardware/software co-design. Our solution consists of a hardware-based Montgomery multiplier, and pairing software running on an ARM Cortex A9 processor in a Zynq-7020 System-on-Chip (SoC). The multiplier is protected against simple power analysis (SPA) and differential power analysis (DPA), and can be instantiated with a variable number of processing elements (PE). Our solution improves performance (in terms of latency) over an open-source software PBC implementation by factors of 2.34 and 2.02, for 256- and 160-bit field sizes, respectively, as measured in the Zynq-7020 SoC.

Online Dynamic Security Assessment (DSA) is a dynamical system widely used for assessing and analyzing an electrical power system. The outcomes of DSA are used in many aspects of the operation of power system, from monitoring the system to determining remedial action schemes (e.g. the amount of generators to be shed at the event of a fault). Measurement from supervisory control and data acquisition (SCADA) and state estimation (SE) results are the inputs for online-DSA, however, the SE error, caused by sudden change in power flow or low convergence rate, could be unnoticed and skew the outcome. Therefore, generator shedding scheme cannot achieve optimum but must have some margin because we don't know how SE error caused by these problems will impact power system stability control. As a method for solving the problem, we developed SE error detection system (EDS), which is enabled by detecting the SE error that will impact power system transient stability. The method is comparing a threshold value and an index calculated by the difference between SE results and PMU observation data, using the distance from the fault point and the power flow value. Using the index, the reliability of the SE results can be verified. As a result, online-DSA can use the SE results while avoiding the bad SE results, assuring the outcome of the DSA assessment and analysis, such as the amount of generator shedding in order to prevent the power system's instability.

High detection sensitivity in the presence of process variation is a key challenge for hardware Trojan detection through side channel analysis. In this work, we present an efficient Trojan detection approach in the presence of elevated process variations. The detection sensitivity is sharpened by 1) comparing power levels from neighboring regions within the same chip so that the two measured values exhibit a common trend in terms of process variation, and 2) generating test patterns that toggle each cell multiple times to increase Trojan activation probability. Detection sensitivity is analyzed and its effectiveness demonstrated by means of RPD (relative power difference). We evaluate our approach on ISCAS'89 and ITC'99 benchmarks and the AES-128 circuit for both combinational and sequential type Trojans. High detection sensitivity is demonstrated by analysis on RPD under a variety of process variation levels and experiments for Trojan inserted circuits.

Robust Trojans are inserted in outsourced products resulting in security vulnerabilities. Post-silicon testing is done mandatorily to detect such malicious inclusions. Logic testing becomes obsolete for larger circuits with sequential Trojans. For such cases, side channel analysis is an effective approach. The major challenge with the side channel analysis is reduction in hardware Trojan detection sensitivity due to process variation (process variation could lead to false positives and false negatives and it is unavoidable during a manufacturing stage). In this paper Self Referencing method is proposed that measures leakage power of the circuit at four different time windows that hammers the Trojan into triggering and also help to identify/eliminate false positives/false negatives due to process variation.

As smart grid systems become increasingly reliant on networks of control devices, attacks on their inherent security vulnerabilities could lead to catastrophic system failures. Network Intrusion Detection Systems(NIDS) detect such attacks by learning traffic patterns and finding anomalies in them. However, availability of data for robust training and evaluation of NIDS is rare due to associated operational and security risks of sharing such data. Consequently, we present Melody, a scalable framework for synthesizing such datasets. Melody models both, the cyber and physical components of the smart grid by integrating a simulated physical network with an emulated cyber network while using virtual time for high temporal fidelity. We present a systematic approach to generate traffic representing multi-stage attacks, where each stage is either emulated or recreated with a mechanism to replay arbitrary packet traces. We describe and evaluate the suitability of Melodys datasets for intrusion detection, by analyzing the extent to which temporal accuracy of pertinent features is maintained.

Intrusion detection has been an active field of research for more than 35 years. Numerous systems had been built based on the two fundamental detection principles, knowledge-based and behavior-based detection. Anyway, having a look at day-to-day news about data breaches and successful attacks, detection effectiveness is still limited. Even more, heavy-weight intrusion detection systems cannot be installed in every endangered environment. For example, Industrial Control Systems are typically utilized for decades, charging off huge investments of companies. Thus, some of these systems have been in operation for years, but were designed afore without security in mind. Even worse, as systems often have connections to other networks and even the Internet nowadays, an adequate protection is mandatory, but integrating intrusion detection can be extremely difficult - or even impossible to date. We propose a new lightweight current-based IDS which is using a difficult to manipulate measurement base and verifiable ground truth. Focus of our system is providing intrusion detection for ICS and SCADA on a low-priced base, easy to integrate. Dr. WATTson, a prototype implemented based on our concept provides high detection and low false alarm rates.

Small embedded devices such as microcontrollers have been widely used for identification, authentication, securing and storing confidential information. In all these applications, the security and privacy of the microcontrollers are of crucial importance. To provide strong security to protect data, these devices depend on cryptographic algorithms to ensure confidentiality and integrity of data. Moreover, many algorithms have been proposed, with each one having its strength and weaknesses. This paper presents a Differential Power Analysis(DPA) attack on hardware implementations of Advanced Encryption Standard(AES) running inside a PIC18F2420 microcontroller.

Side Channel Attacks (SCA) using power measurements are a known method of breaking cryptographic algorithms such as AES. Published research into attacks on AES frequently target only AES-128, and often target only the core Electronic Code-Book (ECB) algorithm, without discussing surrounding issues such as triggering, along with breaking the initialization vector. This paper demonstrates a complete attack on a secure bootloader, where the firmware files have been encrypted with AES-256-CBC. A classic Correlation Power Analysis (CPA) attack is performed on AES-256 to recover the complete 32-byte key, and a CPA attack is also used to attempt recovery of the initialization vector (IV).

The use of side-channel measurements and fingerprinting, in conjunction with statistical analysis, has proven to be the most effective method for accurately detecting hardware Trojans in fabricated integrated circuits. However, these post-fabrication trust evaluation methods overlook the capabilities of advanced design skills that attackers can use in designing sophisticated Trojans. To this end, we have designed a Trojan using power-gating techniques and demonstrate that it can be masked from advanced side-channel fingerprinting detection while dormant. We then propose a real-time trust evaluation framework that continuously monitors the on-board global power consumption to monitor chip trustworthiness. The measurements obtained corroborate our frameworks effectiveness for detecting Trojans. Finally, the results presented are experimentally verified by performing measurements on fabricated Trojan-free and Trojan-infected variants of a reconfigurable linear feedback shift register (LFSR) array.

To protect complex power-grid control networks, power operators need efficient security assessment techniques that take into account both cyber side and the power side of the cyber-physical critical infrastructures. In this paper, we present CPINDEX, a security-oriented stochastic risk management technique that calculates cyber-physical security indices to measure the security level of the underlying cyber-physical setting. CPINDEX installs appropriate cyber-side instrumentation probes on individual host systems to dynamically capture and profile low-level system activities such as interprocess communications among operating system assets. CPINDEX uses the generated logs along with the topological information about the power network configuration to build stochastic Bayesian network models of the whole cyber-physical infrastructure and update them dynamically based on the current state of the underlying power system. Finally, CPINDEX implements belief propagation algorithms on the created stochastic models combined with a novel graph-theoretic power system indexing algorithm to calculate the cyber-physical index, i.e., to measure the security-level of the system's current cyber-physical state. The results of our experiments with actual attacks against a real-world power control network shows that CPINDEX, within few seconds, can efficiently compute the numerical indices during the attack that indicate the progressing malicious attack correctly.