Tracking Real-time Anomalies in Cyber-Physical Systems Through Dynamic Behavioral Analysis

TL;DR

This paper introduces a real-time anomaly detection framework for cyber-physical systems like smart grids, using semantic analysis of network packets and temporal logic to identify and localize cyber-attacks effectively.

Contribution

A novel real-time monitoring method combining semantic event extraction with temporal logic evaluation for anomaly detection in power system CPS.

Findings

Effective detection of cyber-attacks on power systems

High accuracy in anomaly localization

Validated on hardware-in-the-loop testbed

Abstract

Increased connectivity and remote reprogrammability/reconfigurability features of embedded devices in current-day power systems (including interconnections between information technology -- IT -- and operational technology -- OT -- networks) enable greater agility, reduced operator workload, and enhanced power system performance and capabilities. However, these features also expose a wider cyber-attack surface, underscoring need for robust real-time monitoring and anomaly detection in power systems, and more generally in Cyber-Physical Systems (CPS). The increasingly complex, diverse, and potentially untrustworthy software and hardware supply chains also make need for robust security tools more stringent. We propose a novel framework for real-time monitoring and anomaly detection in CPS, specifically smart grid substations and SCADA systems. The proposed method enables real-time signal temporal logic condition-based anomaly monitoring by processing raw captured packets from the communication network through a hierarchical semantic extraction and tag processing pipeline into time series of semantic events and observations, that are then evaluated against expected temporal properties to detect and localize anomalies. We demonstrate efficacy of our methodology on a hardware in the loop testbed, including multiple physical power equipment (real-time automation controllers and relays) and simulated devices (Phasor Measurement Units -- PMUs, relays, Phasor Data Concentrators -- PDCs), interfaced to a dynamic power system simulator. The performance and accuracy of the proposed system is evaluated on multiple attack scenarios on our testbed.