Fraunhofer-Institut für Angewandte Informationstechnik FIT

Filters

4
Reset filters

Settings
Now showing 1 - 4 of 4
  • Publication
    An Approach to Abstract Multi-stage Cyberattack Data Generation for ML-Based IDS in Smart Grids
    ( 2023)
    Sen, Ömer
    ;
    Malskorn, Philipp
    ;
    Glomb, Simon
    ;
    Hacker, Immanuel
    ;
    Henze, Martin
    ;
    Ulbig, Andreas
    Power grids are becoming more digitized, resulting in new opportunities for the grid operation but also new chal-lenges, such as new threats from the cyber-domain. To address these challenges, cybersecurity solutions are being considered in the form of preventive, detective, and reactive measures. Machine learning-based intrusion detection systems are used as part of detection efforts to detect and defend against cyberattacks. However, training and testing data for these systems are often not available or suitable for use in machine learning models for detecting multi-stage cyberattacks in smart grids. In this paper, we propose a method to generate synthetic data using a graph-based approach for training machine learning models in smart grids. We use an abstract form of multi-stage cyberattacks defined via graph formulations and simulate the propagation behavior of attacks in the network. Within the selected scenarios, we observed promising results, but a larger number of scenarios need to be studied to draw a more informed conclusion about the suitability of synthesized data.
  • Publication
    On specification-based cyber-attack detection in smart grids
    ( 2022)
    Sen, Ömer
    ;
    Velde, Dennis van der
    ;
    Lühman, Maik
    ;
    Sprünken, Florian
    ;
    Hacker, Immanuel
    ;
    Ulbig, Andreas
    ;
    Andres, Michael
    ;
    Henze, Martin
    The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.
  • Publication
    PowerDuck: A GOOSE Data Set of Cyberattacks in Substations
    ( 2022)
    Zemanek, Sven
    ;
    Hacker, Immanuel
    ;
    Wolsing, Konrad
    ;
    Wagner, Eric
    ;
    Henze, Martin
    ;
    Serror, Martin
    Power grids worldwide are increasingly victims of cyberattacks, where attackers can cause immense damage to critical infrastructure. The growing digitalization and networking in power grids combined with insufficient protection against cyberattacks further exacerbate this trend. Hence, security engineers and researchers must counter these new risks by continuously improving security measures. Data sets of real network traffic during cyberattacks play a decisive role in analyzing and understanding such attacks. Therefore, this paper presents PowerDuck, a publicly available security data set containing network traces of GOOSE communication in a physical substation testbed. The data set includes recordings of various scenarios with and without the presence of attacks. Furthermore, all network packets originating from the attacker are clearly labeled to facilitate their identification. We thus envision PowerDuck improving and complementing existing data sets of substations, which are often generated synthetically, thus enhancing the security of power grids.
  • Publication
    Investigating Man-in-the-Middle-based False Data Injection in a Smart Grid Laboratory Environment
    ( 2021)
    Sen, Ömer
    ;
    Veldc, Dennis van der
    ;
    Linnartz, Philipp
    ;
    Hacker, Immanuel
    ;
    Henze, Martin
    ;
    Andres, Michael
    ;
    Ulbig, Andreas
    With the increasing use of information and communication technology in electrical power grids, the security of energy supply is increasingly threatened by cyber-attacks. Traditional cyber-security measures, such as firewalls or intrusion detection/prevention systems, can be used as mitigation and prevention measures, but their effective use requires a deep understanding of the potential threat landscape and complex attack processes in energy information systems. Given the complexity and lack of detailed knowledge of coordinated, timed attacks in smart grid applications, we need information and insight into realistic attack scenarios in an appropriate and practical setting. In this paper, we present a man-in-the-middle-based attack scenario that intercepts process communication between control systems and field devices, employs false data injection techniques, and performs data corruption such as sending false commands to field devices. We demonstrate the applicability of the presented attack scenario in a physical smart grid laboratory environment and analyze the generated data under normal and attack conditions to extract domain-specific knowledge for detection mechanisms.