AI based anomaly detection for decentralised Electrical Power and Energy Systems
On November 10th 2022, the SDN-microSENSE project held a Virtual Open Event where the latest results and outcomes of SDN-microSENSE were presented. The project has some of the most ambitious and convincing scenarios that I have seen in EU projects, demonstrating cybersecurity solutions for decentralised Electrical Power and Energy Systems (EPES). You can read about some of these scenarios, as well as parts of the solution, in the project blog.
In this project Atos developed a Lightweight Anomaly Detection System that employs an advanced in-house network flow extractor based on the community version of CICFlowMeter, customized and enhanced to cover network flow statistics for selected SCADA protocols in scope of the SDN-microSENSE pilots, such as Modbus and IEC-104, which are commonly used in Electrical Power and Energy Systems (EPES).
The man-in-the-middle (MITM) false data injection (FDI) attack on IEC-104 proved to be the most difficult to detect using the traffic flow statistics generated by the improved version of CICFlowMeter (CFM). The attacker needs access to a software-defined network (SDN) switch to inject false packets towards a Supervisory Control and Data Acquisition (SCADA) server. The attacker does not control the channel, but only needs access to the subnet (switch-level access) to listen and send spoofed IEC-104 packets to the SCADA server over an existing TCP session.
This attack leaves a very small footprint in the network traffic, given the flow timeout used for analysis. It consisted of 6 to 8 well-crafted spoofed packets injected into a valid TCP session in the direction from a remote terminal unit (RTU) to the SCADA server. Our anomaly detector was not able to detect the MITM FDI attack, as the two packets, the original from the RTU and the spoofed one, were almost identical in both the IP and TCP headers; only the payload of the malicious packet contained false values. This attack represents a type of activity that can persist undetected over a long period of time, such as advanced persistent threats (APTs).
For this reason the Atos team (Alejandro García Bedoya, Hristo Koshutanski) went further into the problem and decided to extend the collection of CFM traffic flow statistics by using deep packet inspection on TCP packets between an RTU and the SCADA server.
For confidentiality reasons, we did not look at the values in the payload but at the type of IEC-104 packet used, i.e. the header of IEC-104 packets. In this way, we achieved non-sensitive data processing at the anomaly detector level.
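To illustrate the header-only inspection described above, here is an added example (not code from the SDN-microSENSE project or Atos) that walks the APDUs in an IEC-104 TCP segment, decodes only the APCI format and the ASDU header fields (type ID, VSQ, COT, common address), skips the information-object values, and aggregates per-direction header-type counts that a flow record could carry. The direction labels, the type-ID subset and the sample segment are constructed for this example.

```python
import struct
from collections import Counter

START_BYTE = 0x68
# Subset of IEC 60870-5-104 ASDU type identifications, used only for labelling.
TYPE_NAMES = {1: "M_SP_NA_1", 13: "M_ME_NF_1", 100: "C_IC_NA_1"}


def parse_apdus(payload: bytes) -> list:
    """Return header-only records for every APDU in one TCP segment payload.
    Only the APCI control field and the ASDU header are decoded; the
    information-object values (the measurements) are skipped, never retained."""
    records, off = [], 0
    while off + 2 <= len(payload):
        if payload[off] != START_BYTE:
            raise ValueError(f"bad APCI start byte at offset {off}")
        length = payload[off + 1]
        apdu = payload[off + 2:off + 2 + length]
        if length < 4 or len(apdu) != length:
            raise ValueError("truncated APDU")
        ctrl1 = apdu[0]
        # Low two bits of control octet 1: x0 = I-format, 01 = S-format, 11 = U-format.
        fmt = "I" if ctrl1 & 1 == 0 else ("S" if ctrl1 & 3 == 1 else "U")
        rec = {"format": fmt, "type_id": None, "type_name": None,
               "cot": None, "ca": None, "num_objects": None}
        if fmt == "I" and length >= 10:
            type_id, vsq, cot_lo, _orig, ca = struct.unpack("<BBBBH", apdu[4:10])
            rec.update(type_id=type_id, type_name=TYPE_NAMES.get(type_id, "?"),
                       cot=cot_lo & 0x3F, ca=ca, num_objects=vsq & 0x7F)
        records.append(rec)
        off += 2 + length
    return records


def header_features(packets) -> Counter:
    """packets: iterable of (direction, tcp_payload). Returns per-flow counts
    keyed by (direction, APCI format, ASDU type ID) to append to a flow record."""
    feats = Counter()
    for direction, payload in packets:
        for rec in parse_apdus(payload):
            feats[(direction, rec["format"], rec["type_id"])] += 1
    return feats


# Constructed sample segment from an RTU to the SCADA server: one I-format APDU
# carrying M_ME_NF_1 (short float measurement, COT=3 spontaneous, CA=1, IOA=1)
# followed by a U-format TESTFR act frame.
SAMPLE_RTU_TO_SCADA = (
    bytes([START_BYTE, 18, 0x02, 0x00, 0x02, 0x00, 13, 0x01, 0x03, 0x00, 0x01, 0x00,
           0x01, 0x00, 0x00]) + struct.pack("<f", 230.5) + b"\x00"
    + bytes([START_BYTE, 4, 0x43, 0x00, 0x00, 0x00])
)
```

A spoofed I-format packet that repeats a type already seen in the flow would change these counters (for example an extra M_ME_NF_1 from the RTU side) without the detector ever reading the injected value.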
Accuracy is the most common metric used in anomaly detection, defined as the number of correct predictions divided by the total number of predictions. While for all other attack scenarios (different variations of MITM or denial-of-service, DoS, attacks) accuracy was around 99%, for this type of attack we were able to detect 37% of all malicious flows, which was a representative result. Future work will focus on improving the detection rate for this type of attack, and on analysis of others such as malware-based APT attacks targeting ICS/SCADA [1][2].
[1] https://www.cisa.gov/uscert/ncas/alerts/aa22-103a
[2] https://www.tripwire.com/state-of-security/us-government-warns-new-malware-attacks-ics-scada-systems