Online, Context-aware, Intelligent Anomaly Detection, Causality and Consequence Analysis, and Response Suggestion for Supervisory Control and Data Acquisition (SCADA) Systems in Energy Distribution Systems

Summary Statement

SCADA systems are widely used in EDS to gather measurement data from field devices and send control commands to them. However, the legacy end devices and industrial control protocols, used in the SCADA system, make it vulnerable to various cyberattacks. There are existing solutions to provide intrusion detection for networks. However, most of them only focus on monitoring and event detection of network state at the transport layer and perform flow-level analysis, which is not enough to detect and reason about semantic attacks hidden in the application layer. Even for those solutions which parse the application protocol, they usually can detect the event only, but fail to provide any causes and consequences of the event. Therefore, it is hard or impossible for the operator to quickly digest the event and react to it. If any of the attacks are undetected or not resolved promptly, the entire system could suffer.

In this activity, we concentrate on developing an online, context-aware, intelligent framework for anomaly detection, anomalous data analysis, causal reasoning, consequence indication and response suggestion for SCADA networks. This is a large research space since the framework requires an integration of approaches in feature selection, machine learning, predictive reasoning, context-aware analysis and alert aggregation, to name a few. Our framework analyzes the network traffic and parses not only transport-layer but also application-layer information. Features are selected, transformed and reduced and feature vectors are constructed. Three scopes of features are considered to offer different granularity of analysis: (a) flow-level information such as addresses, ports of source and destination, delays and jitters; (b) control-protocol-level information such as function codes and parameters; (c) content-level information such as values to be written and results from reads. Machine learning techniques are then used upon feature vectors to perform anomaly detection. Those three levels of anomaly detection serve as the building blocks of our framework and trigger various alarms. Beyond those building blocks, we build a causality-based analyzer to aggregate and analyze the generated alarms. Domain knowledge and causal reasoning are considered and cyber-physical models of the system are built or utilized to aid the detection, causality and consequence analysis of anomalies. Potential responses are then analyzed and provided to the operator based on the analysis results and current states of the system from the cyber-physical models.

We notice that intrusion detection for critical infrastructure has been done many times in TCIPG and CREDC. However, most of the existing works [1-6] focus on detection only and utilize cyber information only. [7-8] also leverage physical models but still limit themselves to detection. [9] proposed a response and recovery engine to provide automated response after intrusion but all the analysis happens in the cyber domain. [10] combines the knowledge of both cyber and physical domains for attacks analysis, detection and mitigation. But it only focuses a specific type of attacks in cyber-physical systems. What we aim for, on the contrary, is to utilize cyber and physical domain knowledge to provide not only more general anomaly detection, but also causality and consequence analysis as well as feasible response suggestion for SCADA systems. We believe that, the cyber and physical domains, their event detections, causal analysis and responses, when considered jointly instead of independently, can yield much better performance and provide more reliable and comprehensive security protection for SCADA systems.

NOTE: A list of bibliographic references are in the fact sheet (PDF)

Energy Delivery System (EDS) Gap Analysis

Due to the lack of security protection of various end devices and legacy control protocols used in SCADA systems, it is crucial to build a framework or the SCADA network to monitor and detect any abnormal events and determine their impact. Although there are many works focusing on anomaly detection in SCADA systems, causality and consequence analysis of the anomalies and response suggestion for the operators are not addressed as much. This activity fills that gap by designing an online, context-aware, intelligent framework to detect and analyze anomalies in SCADA networks. The framework monitors the network traffic in SCADA networks, detects anomalous events in real time, and provides context-aware information for those anomalies to guide reasoning and consequences of anomalous events, which lead to operational resilience and recovery.

Reference the research activity fact sheet (PDF) for an extended gap analysis and bibliography.

How does this research activity address the Roadmap to Achieve Energy Delivery Systems Cybersecurity?
This activity addresses the Roadmap by performing cyber monitoring, provenance tracking, event detection, and causal reasoning of abnormal events. Our activity monitors the network traffic in SCADA networks, detects anomalous events in real time, and provides context-aware information for those anomalies to guide reasoning and consequences of anomalous events, which lead to operational resilience and recovery.