Flow based monitoring of ICS communication in the smart grid

• http://www.sciencedirect.com/science/article/pii/S2214212619311329

IEC 104, smart grid, security monitoring, SCADA, probabilistic automata

A smart grid network is a part of critical infrastructure, and its interruption
or blackout may cause fatal consequences on energy production, distribution, and
eventually lives of people. Smart grid networks can be a target of cyber attacks
coming from the outside or the inside of the network. Traditional smart grid
protection includes firewalls and IDS/IPS devices that are usually deployed on
edges of the network where they inspect incoming and outgoing traffic. This
approach is adequate to cope with external threats. In case of internal threats
caused by, for instance, the malware infecting the control station, it is not
easy to detect malicious activity commonly masked as legitimate communication at
the network edge. For the successful identification of cyber security attacks,
two essential elements are necessary.

The first is the visibility of the Industrial Control System (ICS) communication,
which enables a smart grid operator to see real-time transmissions in the
network. The second important part is an anomaly detection system that analyzes
monitoring data and identifies possible cyber security attacks. This paper
presents a novel system for monitoring ICS/SCADA protocols based on IP flows
extended with application layer data obtained from ICS packet headers. The
monitoring system provides an in-depth insight into ICS communication. By
applying statistical-based methods or creating communication profiles using
probabilistic automata, common security attacks, as well as unknown threats, can
be identified. The proposed approach is demonstrated on IEC 60870-5-104
communication.

• pdf 1-s20-S2214212619311329-main.pdf 5 MB