research-article

DecIED: Scalable k-Anonymous Deception for IEC61850-Compliant Smart Grid Systems

Authors:

Daisuke Mashima,

Jianying ZhouAuthors Info & Claims

CPSS '20: Proceedings of the 6th ACM on Cyber-Physical System Security Workshop

Pages 54 - 65

https://doi.org/10.1145/3384941.3409592

Published: 06 October 2020 Publication History

Abstract

As demonstrated by the past real-world incidents, sophisticated attackers targeting our critical infrastructure may be hiding in the system, perhaps at this moment, in order to collect information and prepare for massive attacks. If an attacker is mostly passive and monitoring SCADA communication traffic or is clever enough to act under the radar of intrusion/anomaly detection systems, it is challenging to counter them. In this direction, deception technology is an effective cybersecurity tool, by deploying a large number of dummy and decoy devices throughout the system infrastructure to be protected, for capturing probing attempts and lateral movement of persistent attackers and malware. In this paper, we discuss the practical design and implementation of high-fidelity deception devices for smart power grid systems, named DecIED. DecIED imitates the device characteristics and communication models of IEC 61850-compliant IEDs (intelligent electronic devices) and thus realize k-anonymous smokescreen, which virtually shows k-1 indistinguishable decoy devices, to protect our critical infrastructure. Based on our prototype implementation, a single industry PC can host over 200 deception devices, which demonstrates DecIED's scalability and feasibility of integration into the existing systems.

References

[1]

2003. International Standard IEC 61850--7--2 Communication networks and systems in substations - Part 7--2: Basic communication structure for substation and feeder equipment - Abstract communication service interface (ACSI).

[2]

2003. International Standard IEC 61850--7--4 Communication networks and systems in substations - Part 7--4: Basic communication structure for substation and feeder equipment - Compatible logical node classes and data classes.

[3]

2010. International Standard IEC 61850--7--3 Communication networks and systems for power utility automation - Part 7--3: Basic communication structure -Common data classes.

[4]

2011. IEC 61850 Communication protocol manual. https://www.naic.edu/~phil/hardware/sitePower/evd4/1MRK511242-UEN_-_en_Communication_protocol_manual__IEC_61850__650_series__IEC.pdf.

[5]

2018. IEC 62351:2018 SER Series. https://webstore.iec.ch/publication/6912

[6]

2018. Electric Power and Intelligent Control (EPIC) Testbed. [Online].Available: https://itrust.sutd.edu.sg/wp-content/uploads/sites/3/2019/02/EPIC_technical_details-231018-v1.2.pdf. (Date last accessed on Feb. 12, 2019).

[7]

2019. IEC 61850 - Communication Networks and Systems in Substations. https://webstore.iec.ch/

[8]

2019. libIEC61850: open source libraries for IEC 61850. https://libiec61850.com/libiec61850/new-version-1--3--3-of-libiec61850/.

[9]

2019. Revolutionary Deception Technologies. https://cybertrap.com/.

[10]

2020. CONPOT ICS/SCADA Honeypot. http://conpot.org.

[11]

2020. 'Crash Override': The Malware That Took Down a Power Grid. [Online].Available: https://www.wired.com/story/crash-override-malware/.

[12]

2020. Digital Bond. http://www.digitalbond.com/tools/scada-honeynet.

[13]

2020. Matied. https://directory.fsf.org/wiki/Matiec.

[14]

2020. Mininet. http://mininet.org/.

[15]

2020. Nmap: the Network Mapper. https://nmap.org/.

[16]

2020. Shodan. https://www.shodan.io/.

[17]

2020. Threat Defend Platform. https://attivonetworks.com/product/deception-technology/.

[18]

2020. What is Stuxnet? https://www.mcafee.com/enterprise/en-sg/security-awareness/ransomware/what-is-stuxnet.html.

[19]

2020. Wireshark. https://www.wireshark.org/.

[20]

Sridhar Adepu and Aditya Mathur. 2018. Assessing the effectiveness of attack detection at a hackfest on industrial control systems. IEEE Transactions on Sustainable Computing (2018).

[21]

Ehab Al-Shaer, Jinpeng Wei, Kevin W. Hamlen, and Cliff Wang. 2019.CONCEAL: A Strategy Composition for Resilient Cyber Deception: Framework, Metrics, and Deployment. Springer International Publishing, Cham, 101--124. https://doi.org/10.1007/978--3-030-02110--8_6

[22]

Daniele Antonioli, Anand Agrawal, and Nils Ole Tippenhauer. 2016. Towards high-interaction virtual ICS honeypots-in-a-box. In Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy. ACM, 13--22.

Digital Library

[23]

Nadarajah Asokan, Ferdinand Brasser, Ahmad Ibrahim, Ahmad-Reza Sadeghi, Matthias Schunter, Gene Tsudik, and Christian Wachsmann. 2015. Seda: Scalable embedded device attestation. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 964--975.

Digital Library

[24]

BBC News. 2018. Russian hackers penetrate US power stations. https://www.bbc.com/news/technology-44937787 (Date last accessed on Sep. 22, 2019).

[25]

Partha P Biswas, Heng Chuan Tan, Qingbo Zhu, Yuan Li, Daisuke Mashima, and Binbin Chen. 2019. A Synthesized Dataset for Cybersecurity Study of IEC 61850 based Substation. In 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids(SmartGridComm). IEEE,1--7.

[26]

Boyd Brown. 2020. Deception as a security strategy. https://trapx.com/whitepapers A whitepaper by TrapX Security, Inc.

[27]

Dániel István Buza, Ferenc Juhász, György Miru, Márk Félegyházi, and Tamás Holczer. 2014. CryPLH: Protecting smart energy systems from targeted attacks witha PLC honeypot. In International Workshop on Smart Grid Security. Springer, 181--192.

[28]

John Henry Castellanos and Jianying Zhou. 2019. A Modular Hybrid Learning Approach for Black-Box Security Testing of CPS. In Applied Cryptography and Network Security, Robert H. Deng, Valérie Gauthier-Umaña, Martín Ochoa, and Moti Yung (Eds.). Springer International Publishing, Cham, 196--216.

[29]

Binbin Chen, Xinshu Dong, Guangdong Bai, Sumeet Jauhar, and Yueqiang Cheng. 2017. Secure and efficient software-based attestation for industrial control devices with arm processors. In Proceedings of the 33rd Annual Computer Security Applications Conference. ACM, 425--436.

Digital Library

[30]

Shaik Mullapathi Farooq, SM Suhail Hussain, and Taha Selim Ustun. 2019. Performance Evaluation and Analysis of IEC 62351--6 Probabilistic Signature Scheme for Securing GOOSE Messages. IEEE Access 7 (2019), 32343--32351.

[31]

David Formby, Preethi Srinivasan, Andrew M. Leonard, Jonathan D. Rogers, and Raheem A. Beyah. 2016. Who's in Control of Your Control System? Device Fingerprinting for Cyber-Physical Systems. In 23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA,February 21--24, 2016. The Internet Society. https://pdfs.semanticscholar.org/d160/c46512ebc12c172d26f150797b42592a9095.pdf

[32]

Hamid Reza Ghaeini, Matthew Chan, Raad Bahmani, Ferdinand Brasser, LuisGarcia, Jianying Zhou, Ahmad-Reza Sadeghi, Nils Ole Tippenhauer, and SamanZonouz. 2019. PAtt: Physics-based Attestation of Control Systems. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses(RAID2019). USENIX Association, Chaoyang District, Beijing, 165--180. https://www.usenix.org/conference/raid2019/presentation/ghaeini

[33]

Andy Greenberg. 2019. The Highly Dangerous 'Triton' Hackers Have Probed the US Grid. https://www.wired.com/story/triton-hackers-scan-us-power-grid/(Date last accessed on Sep. 22, 2019).

[34]

IEC TC57. 2015. IEC 61850--90--2 TR: Communication networks and systems for power utility automation -- Part 90--2: Using IEC 61850 for the communication between substations and control centres. International Electrotechnical Commission Std (2015).

[35]

IEEE Power and Energy Society. 2005. IEEE Standard Communication Delivery Time Performance Requirements for Electric Power Substation Automation.(2005).

[36]

Tadayoshi Kohno, Andre Broido, and Kimberly C Claffy. 2005. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing 2, 2 (2005), 93--108.

Digital Library

[37]

Kamil Koltys and Robert Gajewski. 2015. Shape: A honeypot for electric power substation. Journal of Telecommunications and Information Technology 4 (2015),37--43.

[38]

Jakub W Konka, Colin M Arthur, Francisco J Garcia, and Robert C Atkinson. 2011. Traffic generation of IEC 61850 sampled values. In 2011 IEEE First International Workshop on Smart Grid Modeling and Simulation(SGMS). IEEE, 43--48.

[39]

Carl Kriger, Shaheen Behardien, and John-Charly Retonda-Modiya. 2013. Adetailed analysis of the GOOSE message structure in an IEC 61850 standard-based substation automation system. International Journal of Computers Communications & Control 8, 5 (2013), 708--721.

[40]

Subhash Lakshminarayana, E Veronica Belmega, and H Vincent Poor. 2019. Moving-Target Defense for Detecting Coordinated Cyber-Physical Attacks in Power Grids. arXiv preprint arXiv:1908.02392 (2019).

[41]

Hui Lin, Zbigniew Kalbarczyk, and Ravishankar K Iyer. 2018. RAINCOAT: Randomization of Network Communication in Power Grid Cyber INfrastructure to Mislead Attackers. IEEE Transactions on Smart Grid (2018).

[42]

Hui Lin, Adam Slagell, Catello Di Martino, Zbigniew Kalbarczyk, and Ravishankar K Iyer. 2013. Adapting bro into scada: building a specification-based intrusion detection system for the dnp3 protocol. In Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop. ACM, 5.

Digital Library

[43]

Hui Lin, Jianing Zhuang, Yih-Chun Hu, and Huayu Zhou. 2020. DefRec: Establishing Physical Function Virtualization to Disrupt Reconnaissance of Power-Grids' Cyber-Physical Infrastructures. In The Proceedings of 2020 Network and Distributed System Security Symposium(NDSS).

[44]

Ralph E Mackiewicz. 2006. Overview of IEC 61850 and Benefits. In 2006 IEEE Power Engineering Society General Meeting. IEEE, 8--pp.

[45]

Yuval Malachi. 2020. Kaspersky Labshacked-Deception technology could help-TrapX Security. https://trapx.com/kaspersky-labs-hacked-deception-technology-could-help Posted by Yuval Malachi, CTO of TrapX Security, Inc.

[46]

Daisuke Mashima, Binbin Chen, Prageeth Gunathilaka, and Edwin Lesmana Tjiong. 2017. Towards a grid-wide, high-fidelity electrical substation honeynet. In 2017 IEEE International Conference on Smart Grid Communications(Smart Grid Comm). IEEE, 89--95.

[47]

Daisuke Mashima, Prageeth Gunathilaka, and Binbin Chen. 2019. Artificial Command Delaying for Secure Substation Remote Control: Design and Implementation. https://doi.org/10.1109/TSG.2017.2744802., 471--482 pages.

[48]

Daisuke Mashima, Derek Kok, Wei Lin, Muhammad Hazwan, and Alvin Cheng. 2020. On Design and Enhancement of Smart Grid Honeypot System for Practical Collection of Threat Intelligence. In 13th USENIX Workshopon Cyber Security Experimentation and Test.

[49]

Daisuke Mashima, Ramkumar Rajendran, Toby Zhou, Binbin Chen, and Biplab Sikdar. 2019. On Optimization of Command-Delaying for Advanced Command Authentication in Smart Grid Systems. In Proc. of IEEE PESISGT Asia 2019. IEEE.

[50]

Kieran McLaughlin. 2015. High-level design documentation and deployment architecture for Multi-Attribute SCADA Intrusion Detection System. https://project-sparks.eu/wp-content/uploads/2014/04/SPARKS_D4_1_Multi-Attribute_SCADA_Intrusion_Detection_System.pdf (Date last accessed on Jun. 7, 2017).

[51]

Ariana Mirian, Zane Ma, David Adrian, Matthew Tischer, Thasphon Chuenchujit, Tim Yardley, Robin Berthier, Joshua Mason, Zakir Durumeric, J Alex Halderman, et al. 2016. An Internet-Wide View of ICS Devices. In 14th IEEE Privacy, Security, and Trust Conference(PST'16).

[52]

Kapuge Kariyawasam Mudalige and Sachintha Kariyawasam. 2016. Implementation of an IEC 61850 Sampled Values Based Line Protection IED with a New Transients-Based Hybrid Protection Algorithm. http://hdl.handle.net/1993/31306.(2016).

[53]

Venkat Pothamsetty and Matthew Franz. 2005. SCADA HoneyNet Project: Building Honeypots for Industrial Networks. http://scadahoneynet.sourceforge.net/.

[54]

Niels Provos. 2003. Honeyd-a virtual honeypot daemon. In 10th DFN-CERT Workshop, Hamburg, Germany, Vol. 2. 4.

[55]

Muhammad Talha Abdul Rashid, Salman Yussof, and Yunus Yusoff. 2016. Trust system architecture for securing GOOSE communication in IEC 61850 substation network. https://doi.org/10.14257/ijsia.2016.10.4.27. International Journal of Security and Its Applications 10, 4 (2016), 289--302.

[56]

Owen Redwood, Joshua Lawrence, and Mike Burmester. 2015. A symbolic honey net framework for scada system threat intelligence. In International Conference on Critical Infrastructure Protection. Springer, 103--118.

[57]

Wenyu Ren, Timothy Yardley, and Klara Nahrstedt. 2018. EDMAND: Edge-Based Multi-Level Anomaly Detection for SCADA Networks. In 2018 IEEE International Conference on Communications, Control, and Computing Technologies for SmartGrids (Smart Grid Comm). IEEE, 1--7.

[58]

Electricity Information Sharing and Analysis Center (E-ISAC). 2016. Analysis of the cyber attack on the Ukrainian power grid. (2016).

[59]

Ahnaf Siddiqi, Nils Ole Tippenhauer, Daisuke Mashima, and Binbin Chen. 2018. On Practical Threat Scenario Testing in an Electric Power ICS Testbed. In Proceedings of the Cyber-Physical System Security Workshop(CPSS), co-located with ASIA CCS. https://doi.org/10.1145/3198458.3198461

Digital Library

[60]

Jianhua Sun and Kun Sun. 2016. DESIR: Decoy-enhanced seamless IP randomization. In IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications. IEEE, 1--9.

[61]

Heng Chuan Tan, Carmen Cheh, Binbin Chen, and Daisuke Mashima. 2019. Tabulating Cybersecurity Solutions for Substations: Towards Pragmatic Design and Planning. In Proceedings of IEEE PESISGT Asia 2019. IEEE.

[62]

Robert Udd, Mikael Asplund, Simin Nadjm-Tehrani, Mehrdad Kazemtabrizi, and Mathias Ekstedt. 2016. Exploiting bro for intrusion detection in a SCADA system. In Proceedings of the 2nd ACM International Workshop on Cyber-Physical System Security. ACM, 44--51.

Digital Library

[63]

Noriyuki Ueda. 2019. Prototyping of Substation Automation System Testbeds for Cyber Security Evaluation. In CIGRE 2019. 103--118.

[64]

Craig Wester, Mark Adamiak, and J Vico. 2011. Practical Applications of IEC 61850 Protocol in Industrial Facilities. IAS, Orlando,FL (2011), 1--2.

[65]

Yubo Yuan and Yi Yang. 2019. IEC 61850-Based Smart Substations: Principles, Testing, Operation and Maintenance. Elsevier Science. https://books.google.com.sg/books?id=ji6dDwAAQBAJ

[66]

Kim Zetter. 2016. Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid. [Online]. Available: http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/. (Date last accessed on Jun. 7, 2017).

Cited By

Liu MTeng FZhang ZGe PSun MDeng RCheng PChen J(2024)Enhancing Cyber-Resiliency of DER-Based Smart Grid: A SurveyIEEE Transactions on Smart Grid10.1109/TSG.2024.337300815:5(4998-5030)Online publication date: Sep-2024
https://doi.org/10.1109/TSG.2024.3373008
Wang YZong GWei Q(2023)Research on the Application of Deception Defense Technology in Smart Grid2023 3rd International Conference on Intelligent Power and Systems (ICIPS)10.1109/ICIPS59254.2023.10404573(272-277)Online publication date: 20-Oct-2023
https://doi.org/10.1109/ICIPS59254.2023.10404573
Mashima D(2022)MITRE ATT&CK Based Evaluation on In-Network Deception Technology for Modernized Electrical Substation SystemsSustainability10.3390/su1403125614:3(1256)Online publication date: 23-Jan-2022
https://doi.org/10.3390/su14031256

Index Terms

DecIED: Scalable k-Anonymous Deception for IEC61850-Compliant Smart Grid Systems

Recommendations

Survey Cyber security in the Smart Grid: Survey and challenges

The Smart Grid, generally referred to as the next-generation power system, is considered as a revolutionary and evolutionary regime of existing power grids. More importantly, with the integration of advanced computing and communication technologies, the ...
Data-centric threats and their impacts to real-time communications in smart grid

One of the most distinguished challenges in studying the aftermath of cyber attacks in smart grid lies in data-centric threats, which refer to cyber attacks aimed at gaining advantage or sabotage the infrastructure by manipulating the data exchanged in ...
Honeypot Type Selection Games for Smart Grid Networks
Decision and Game Theory for Security
Abstract
In this paper, we define a cyber deception game between the Advanced Metering Infrastructure (AMI) network administrator (henceforth, defender) and attacker. The defender decides to install between a low-interaction honeypot, high-interaction ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CPSS '20: Proceedings of the 6th ACM on Cyber-Physical System Security Workshop

October 2020

72 pages

ISBN:9781450376082

DOI:10.1145/3384941

Program Chairs:
Sokratis Katsikas
Norwegian University of Science & Technology - NTNU, Norway
,
Cristina Alcaraz
University of Malaga, Spain

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 October 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

ASIA CCS '20

Sponsor:

SIGSAC

ASIA CCS '20: The 15th ACM Asia Conference on Computer and Communications Security

October 6, 2020

Taipei, Taiwan

Acceptance Rates

Overall Acceptance Rate 43 of 135 submissions, 32%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
223
Total Downloads

Downloads (Last 12 months)31
Downloads (Last 6 weeks)6

Reflects downloads up to 06 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Liu MTeng FZhang ZGe PSun MDeng RCheng PChen J(2024)Enhancing Cyber-Resiliency of DER-Based Smart Grid: A SurveyIEEE Transactions on Smart Grid10.1109/TSG.2024.337300815:5(4998-5030)Online publication date: Sep-2024
https://doi.org/10.1109/TSG.2024.3373008
Wang YZong GWei Q(2023)Research on the Application of Deception Defense Technology in Smart Grid2023 3rd International Conference on Intelligent Power and Systems (ICIPS)10.1109/ICIPS59254.2023.10404573(272-277)Online publication date: 20-Oct-2023
https://doi.org/10.1109/ICIPS59254.2023.10404573
Mashima D(2022)MITRE ATT&CK Based Evaluation on In-Network Deception Technology for Modernized Electrical Substation SystemsSustainability10.3390/su1403125614:3(1256)Online publication date: 23-Jan-2022
https://doi.org/10.3390/su14031256

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents