Cyber Security for Power System operators
Summary
Industrial control systems are essential for the functioning of our society, since they control our electricity, water, agriculture, health, communication, transportation, emergency services and financial services. In the digital age of big data and data analytics, these so-called critical infrastructures are also digitalising to keep up with customer demand for data analytics and reliability. For the digitalisation of the electrical power grid, the increasing implementation of renewables also plays a role: it causes energy flows to become bidirectional, and to manage and control these bidirectional power flows, more intelligent electronic devices must be implemented. All these field devices are connected to a centralised control centre, which contains the Supervisory Control and Data Acquisition (SCADA) servers. These servers collect the data and provide it to the operators, who manage the electrical power grid and keep the energy supply stable and reliable. These systems are managed and controlled by utilities, which also use the data for data analytics, forecasting and further development of their infrastructure.
Digitalisation provides many benefits in terms of management and control of the electrical power grid. However, with digitalisation and the increasing number of cyber-attacks, the threat of a cyber-attack becomes more and more relevant. This is evident from the first known successful cyber-attack on the Ukrainian electrical power grid, in which an adversary was able to control the electrical power grid from a remote location, causing a power outage for a large number of customers. In addition, malware specifically designed to target industrial control systems is appearing more and more often. Our critical infrastructures, and therefore our society, are at risk.
The research question for this thesis is formulated as: How to detect a high-risk cyber-attack intrusion? Several sub-questions have been formulated in order to answer the main research question.
Firstly, the configuration of an electrical power grid control system is researched. The electrical power grid control system can be separated into three categories: power substations, the telecommunication network and the SCADA network. A comprehensive overview is presented for each of these infrastructures, explaining their function and their evolution through their implementation.
Thereafter, to understand the methods adversaries use for cyber-attacks, two historical cyber-attack cases on industrial control systems are researched and evaluated. This results in an understanding of how cyber-attacks unfold and provides lessons learned. To further expand the understanding of methods adversaries might use, attack vectors, the methods by which adversaries infiltrate the network, are researched and evaluated, as are measures against several of these attack vectors. With the first three chapters, a detailed electrical power grid control system (shown in Figure 2.1 and attached as Appendix C) is created in which modern cyber security solutions are implemented.
This detailed electrical power grid control system is the basis on which cyber-attack scenarios are researched. Twelve cyber-attack scenarios are presented and categorised as malware, compromised vendor and compromised remote location. A risk assessment evaluates each of the 12 cyber-attack scenarios and concludes that a sniffing & replay cyber-attack is the highest-risk cyber-attack scenario. The sniffing & replay attack is simulated on a local private network to see the ease and the result of such a cyber-attack. The simulation also provides insight into a possible detection method. The results show that, assuming the adversary is able to infiltrate the network, the detection method should focus on the process of monitoring and controlling the electrical power grid. The simulation also provides process data for understanding the communication between devices.
To answer the main research question, a detection algorithm is created and presented. This algorithm distinguishes abnormal process data from normal process data by comparing the interactive real-time data against a certified data set, the benchmark. The biggest conclusion, however, is that an intrusion detection system is not necessarily the best solution against a sniffing & replay attack, since by the time it is detected the attack has already happened. Proactive or preventive cyber security measures prevent the cyber-attack from happening; encryption or authentication implemented within network traffic would be a solid solution for preventing any cyber-attack that relies on manipulating network traffic. The intrusion detection algorithm should be used as a last resort, when the proactive measures fail. When an intrusion is detected, further spread can be prevented if the alarms provided by the intrusion detection system are acted upon adequately. Reactive measures are not discussed in this thesis but are essential as well. This shows that just one category of measures is insufficient; a combination of measures is essential for a cyber-resilient system.
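As an added illustration of the benchmark comparison described above (this is example code written for this summary, not the thesis's own algorithm), the detector below checks live process samples against an envelope derived from a certified data set. It assumes constructed telemetry for one measurement point, a mean plus or minus three standard deviations envelope as the benchmark, and adds two heuristics for replayed frames (a non-advancing timestamp and an exact repeat of a window of noisy analog values); these are assumptions, not findings of the thesis.

```python
from collections import deque
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Sample:
    ts: int        # timestamp carried in the telemetry frame (seconds)
    tag: str       # measurement point, e.g. a busbar voltage
    value: float

def build_benchmark(certified, k=3.0):
    """Per-tag envelope (mean +/- k*stddev) derived from the certified data set."""
    by_tag = {}
    for s in certified:
        by_tag.setdefault(s.tag, []).append(s.value)
    return {t: (mean(v) - k * pstdev(v), mean(v) + k * pstdev(v)) for t, v in by_tag.items()}

def detect(stream, benchmark, window=4):
    """Compare live samples against the benchmark; return (ts, tag, reason) alarms."""
    alarms, last_ts, recent, seen_windows = [], {}, {}, set()
    for s in stream:
        lo, hi = benchmark.get(s.tag, (float("-inf"), float("inf")))
        if not lo <= s.value <= hi:
            alarms.append((s.ts, s.tag, "outside benchmark envelope"))
        # A timestamp that does not advance marks a captured frame played back as-is.
        if s.tag in last_ts and s.ts <= last_ts[s.tag]:
            alarms.append((s.ts, s.tag, "stale timestamp"))
        last_ts[s.tag] = s.ts
        # Noisy analog readings never repeat exactly: a repeated window suggests replayed frames.
        buf = recent.setdefault(s.tag, deque(maxlen=window))
        buf.append(s.value)
        if len(buf) == window:
            key = (s.tag, tuple(buf))
            if key in seen_windows:
                alarms.append((s.ts, s.tag, "repeated window"))
            seen_windows.add(key)
    return alarms

TAG = "bus1_voltage_kv"
# Constructed certified data set: normal readings with measurement noise.
CERTIFIED = [Sample(t, TAG, v) for t, v in enumerate(
    [110.0, 110.2, 109.8, 110.1, 109.9, 110.3, 109.7, 110.0, 110.2, 109.9])]
# Constructed live stream: four genuine frames, the same four replayed with fresh
# timestamps, one genuine out-of-range reading, then one frame replayed unmodified.
LIVE = [Sample(t, TAG, v) for t, v in zip(
    [100, 101, 102, 103, 104, 105, 106, 107, 108, 105],
    [110.1, 109.9, 110.2, 110.0, 110.1, 109.9, 110.2, 110.0, 98.0, 110.1])]

def run_demo():
    return detect(LIVE, build_benchmark(CERTIFIED))
```

Running `run_demo()` on the constructed stream yields three alarms: the repeated window at t=107, the out-of-envelope reading at t=108, and the stale timestamp on the final frame.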
Organisation | De Haagse Hogeschool |
Programme | TIS Elektrotechniek |
Department | Faculteit Technologie, Innovatie & Samenleving |
Partner | DNV GL Singapore PTE. LTD. |
Year | 2019 |
Type | Bachelor |
Language | English |