Cyberattack Defense With Cyber-Physical Alert and Control Logic in Industrial Controllers

Abstract

Power system substations have intelligent electronic devices (IEDs) that collect data and control other devices. As the bridge between the physical and cyber parts of the power system, IEDs capture some key system behaviors. Since adversaries can modify the system’s behavior, physical and cyber data can be used to infer characteristics about the adversary. In this article, we present alert and control logic for hardware-based power system defense using the physical data and communication status in substation IEDs for <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">cyber threat detection</i> , <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">cyber-physical contingency detection and response</i> , and <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">physical contingency identification and response</i> . The proposed alert and control logic routines are implemented in an industrial real-time automation controller using IEC 61131-3 in the resilient energy systems lab testbed. The goal is to help operators identify adversaries and protect the power grid in a cyber-physical environment. The effectiveness and accuracy of logic schemes are validated under different adversarial scenarios. Comparing the proposed schemes with an intrusion detection system, Snort, our results also suggest the benefits of using cyber and physical data to identify threats. The results also suggest the use of such hardware-based schemes with software algorithms in a next-generation cyber-physical energy management system, which can implement automatic control actions to protect power grids and its physical equipment against cyber threats.