English

On Specification-based Cyber-Attack Detection in Smart Grids

Cryptography and Security 2022-09-12 v1

Abstract

The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication ows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.

Keywords

Cite

@article{arxiv.2209.04354,
  title  = {On Specification-based Cyber-Attack Detection in Smart Grids},
  author = {Ömer Sen Dennis van der Velde and Maik Lühman and Florian Sprünken and Immanuel Hacker and Andreas Ulbig and Michael Andres and Martin Henze},
  journal= {arXiv preprint arXiv:2209.04354},
  year   = {2022}
}
R2 v1 2026-06-28T01:01:21.147Z