Distributed Intrusion Detection System using Semantic-based Rules for SCADA in Smart Grid
Sathya Narayana Mohan, Gelli Ravikumar, Manimaran Govindarasu

TL;DR
This paper presents a distributed intrusion detection system for smart grid SCADA networks that uses semantic-based rules to detect cyberattacks in real-time, enhancing security and situational awareness across geographically distributed substations.
Contribution
It introduces an efficient algorithm for generating robust IDS rules integrated into a distributed framework for real-time anomaly detection in power grid SCADA systems.
Findings
Effective detection of intrusions in DNP3 traffic
Real-time anomaly detection across distributed substations
Successful deployment in power grid environments
Abstract
Cyber-physical system (CPS) security for the smart grid enables secure communication for SCADA and wide-area measurement system data. Power utilities worldwide use various SCADA protocols, namely DNP3, Modbus, and IEC 61850, for data exchanges across substation field devices, remote terminal units (RTUs), and control center applications. Adversaries may exploit compromised SCADA protocols for reconnaissance, data exfiltration, vulnerability assessment, and injection of stealthy cyberattacks to affect power system operation. In this paper, we propose an efficient algorithm to generate robust rule sets. We integrate the rule sets into an intrusion detection system (IDS), which continuously monitors the DNP3 data traffic at a substation network and detects intrusions and anomalies in real-time. To enable CPS-aware wide-area situational awareness, we integrated the methodology…
Taxonomy
Methods: Sparse Evolutionary Training
