an end to end infrastructure for cyber physical intrusion
play

An End-to-End Infrastructure for Cyber-Physical Intrusion Detection - PowerPoint PPT Presentation

An End-to-End Infrastructure for Cyber-Physical Intrusion Detection REINHARD GENTZ, MAHDI JAMEI, ANNA SCAGLIONE ARIZONA STATE UNIVERSITY, USA CREDC Workshop 2017 1 What is Cyber Physical Intrusion Detection CPS Cyber Physical System


  1. An End-to-End Infrastructure for Cyber-Physical Intrusion Detection REINHARD GENTZ, MAHDI JAMEI, ANNA SCAGLIONE ARIZONA STATE UNIVERSITY, USA CREDC Workshop 2017 1

  2. What is Cyber Physical Intrusion Detection CPS – Cyber Physical System System In a system Cyber & Physical environment is connected Physical -> Attacks affect both environments Properties (Physical) -> We should sense both environments for best attack detection Control & Monitoring (Cyber) CPS-IDS goes beyond the traditional monitoring solutions adopted in EDS-operations. It requires new elements : ◦ High resolution physical-sensing (PMUs) Cyber ◦ Combined network traffic collection & filtering and Physical Challenge: Big Data Problem System 2

  3. Hierarchical Architecture We propose hierarchical architecture: Do as much of the processing locally and only ship what is necessary  Reduced CPS-IDS network load  More resilient to network failure – Outages; Attacks  Distribute computational load – Scalability  Prioritize important messages (Attacks!) over status messages Stage 1 Server Stage 2 Server Central Server μ PMU DSCADA Grid μ PMU DSCADA 3

  4. Stage I (Local Processor) Sensor Data Local Rules e.g.,: - Validity of I = Y V Analytics - Power Quality Limits Message Stage 1 Data Analytics Hi Prio Queue Analytics Decide the Queue Low Prio Queue  Gather Local Data:  Analyze it & based on the result  PMUs produce large quantities of precise data  Prioritize the message  Reduce the message size a uPMU with a BBB attached 4

  5. Stage I (Local Processor) Sensor Data Local Rules e.g.,: - Validity of I = Y V Analytics - Power Quality Limits Message Stage 1 Data Analytics Hi Prio Queue Analytics Decide the Queue Low Prio Queue The BBB minicomputer shields the sensor from the Modular Design outside world The analytics systems are plug-in modules One minicomputer system to maintain - Easy to update and replace – Not one per sensor type - Analytics can be done by different programmer (Only API knowledge needed) Independence from sensor vendor security updates a uPMU with a BBB attached 5

  6. Stage II Power Distribution Grid 29 28 12 27 11 22 26 10 R1 1 2 3 4 6 7 8 13 14 30 31 32 21 25 Messaging System 9 20 Substation 33 23 24 5 T1 R2 34 From Downstream To Upstream Analytics Results 19 15 16 17 18 Raw Data & Preprocessed Analytics Local Local Local Analytics and Analytics and Analytics and Analytics 1 prioritization prioritization prioritization (BBB) (BBB) (BBB) Aggregated Analytics N Stage 2 Publisher Subscriber Messaging Analytics Database for Database for  Aggregate Data from multiple sensors Search Archiving (Elasticsearch) (Cassandra)  & Fuse it with static information, (e.g. reference model for subnetwork)  Decrease false positive and false negatives Frontend generate actionable alarms with low latency Cyber-Physical Security Architecture  Targeted request of input data with a publisher subscriber model  Stage can be repeated for scaling, wide area deployment 6

  7. Central Stage/Human Machine Interface Power Distribution Grid 29 28 12 27 11 22 26 10 R1 1 2 3 4 6 7 8 13 14 30 31 32 21 25 9 20 Substation 33 Different databases have 23 24 5 T1 R2 34 19 different strengths 15 16 17 18 - Especially for big data Local Local Local Analytics and Analytics and Analytics and prioritization prioritization prioritization (BBB) (BBB) (BBB) Search for Retrieve lots Aggregated properties? of raw data? Publisher Subscriber Messaging Analytics Elasticsearch Cassandra Database for Search Database for Archiving (Elasticsearch) (Cassandra) Central Stage Frontend Cyber-Physical Security Architecture  Archive the data & analytics results  Frontend to the user 7

  8. Example Analytics - Localizing Fault BBB 2 BBB 1 No Alarm No Alarm BBB 3 Stage 2’s View No Alarm No Alarm Voltage Sag Voltage Sag => Threshold crossed Fault localized downstream of Results found from data analysis. uPMU 3 Priority for transmission 8

  9. Thank you Questions? 9

  10. Stage II Validation - We see how the measurements are correlated Sensor 1 2 nd floor Sensor 2 Basement ServerRack 10

  11. Stage II Validation Voltage Dip in the whole building - We see how the measurements are correlated Min/Max Sensor 1 2 nd floor Min/Max Sensor 2 Basement ServerRack Question: Is this pattern possible with the specific electrical grid in place? => Further validation 11

Recommend


More recommend