2022
Elisavet Grigoriou; Athanasios Liatifis; Panagiotis Radoglou Grammatikis; Thomas Lagkas; Ioannis Moscholios; Evangelos Markakis; Panagiotis Sarigiannidis, "Protecting IEC 60870-5-104 ICS/SCADA Systems with Honeypots", 2022 IEEE International Conference on Cyber Security and Resilience (CSR), 2022, ISBN: 978-1-6654-9952-1.
Conference | Tags: Cybersecurity, Honeypots, ICS, SCADA

@conference{9850329,
  title = {Protecting IEC 60870-5-104 ICS/SCADA Systems with Honeypots},
  author = {Elisavet Grigoriou and Athanasios Liatifis and Panagiotis Radoglou Grammatikis and Thomas Lagkas and Ioannis Moscholios and Evangelos Markakis and Panagiotis Sarigiannidis},
  url = {https://www.researchgate.net/publication/362744045_Protecting_IEC_60870-5-104_ICSSCADA_Systems_with_Honeypots},
  doi = {10.1109/CSR54599.2022.9850329},
  isbn = {978-1-6654-9952-1},
  year = {2022},
  date = {2022-07-27},
  booktitle = {2022 IEEE International Conference on Cyber Security and Resilience (CSR)},
  pages = {345-350},
  abstract = {Both signature-based and anomaly-based Intrusion Detection and Prevention System (IDPS) have already demonstrated their efficiency towards recognising and mitigating various intrusions. However, the first category cannot detect zero-day attacks, while the second one lacks the presence of appropriate datasets. Therefore, the presence of additional cybersecurity mechanisms is necessary, especially in the area of the Industrial Internet of Things (IIoT), including critical infrastructures, such as the smart electrical grid. Thus, honeypots are used to hide and protect critical assets. IEC 60870-5-104 (IEC104) is a widely used telemetry protocol in Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA). However, IEC104 lacks critical security features, such as encryption, integrity protection and authentication. This work presents the IEC104 honeypot, which is capable of hiding the actual IEC104 assets and detecting potential intrusions and anomalies. The experimental results demonstrate the effectiveness of our work.},
  keywords = {Cybersecurity, Honeypots, ICS, SCADA},
  pubstate = {published},
  tppubtype = {conference}
}

Vasiliki Kelli; Panagiotis Radoglou-Grammatikis; Thomas Lagkas; Evangelos K Markakis; Panagiotis Sarigiannidis, "Risk Analysis of DNP3 Attacks", 2022 IEEE International Conference on Cyber Security and Resilience (CSR), 2022, ISBN: 978-1-6654-9952-1.
Conference | Tags: cyberattacks, Cybersecurity, DNP3, SCADA

@conference{9850291,
  title = {Risk Analysis of DNP3 Attacks},
  author = {Vasiliki Kelli and Panagiotis Radoglou-Grammatikis and Thomas Lagkas and Evangelos K Markakis and Panagiotis Sarigiannidis},
  url = {https://www.researchgate.net/publication/362741509_Risk_Analysis_of_DNP3_Attacks},
  doi = {10.1109/CSR54599.2022.9850291},
  isbn = {978-1-6654-9952-1},
  year = {2022},
  date = {2022-07-27},
  booktitle = {2022 IEEE International Conference on Cyber Security and Resilience (CSR)},
  pages = {351-356},
  abstract = {The integration of intelligent devices in the industry allows the automation and control of industrial processes, in an efficient and effective manner. Such systems have contributed to the rapid evolution of production infrastructures, increasing the reliability, reducing production costs, and automating the entire manufacturing operations. However, the utilization of intelligent devices has led to an increased attack surface in critical infrastructures, threatening to compromise regular operations. Attacks against such environments can have disastrous consequences in case their goal is achieved, due to the critical nature of such infrastructures. Thus, the timely identification of vulnerable spots through high-quality risk assessment, is considered highly important for avoiding or mitigating potential risks. In this paper, we focus on Distributed Network Protocol 3 (DNP3), a protocol with high utility in smart grids. Specifically, we investigate, identify and describe the vulnerabilities-by-design of DNP3 through 8 DNP3-centered cyberattacks. In addition, we present a novel method for conducting risk assessment, stemming from the combination of two techniques, namely, Attack Defence Trees (ADTs) and Common Vulnerability Scoring System v3.1 (CVSS). Through our proposed technique, the risk of a cyberattack occurring is calculated, thus contributing in securing the critical infrastructure.},
  keywords = {cyberattacks, Cybersecurity, DNP3, SCADA},
  pubstate = {published},
  tppubtype = {conference}
}

Vasiliki Kelli; Panagiotis Radoglou-Grammatikis; Achilleas Sesis; Thomas Lagkas; Eleftherios Fountoukidis; Emmanouil Kafetzakis; Ioannis Giannoulakis; Panagiotis Sarigiannidis, "Attacking and Defending DNP3 ICS/SCADA Systems", 2022 18th International Conference on Distributed Computing in Sensor Systems (DCOSS), 2022, ISBN: 978-1-6654-9512-7.
Conference | Tags: cyberattack, DNP3, ICS, Intrusion detection, SCADA

@conference{9881726,
  title = {Attacking and Defending DNP3 ICS/SCADA Systems},
  author = {Vasiliki Kelli and Panagiotis Radoglou-Grammatikis and Achilleas Sesis and Thomas Lagkas and Eleftherios Fountoukidis and Emmanouil Kafetzakis and Ioannis Giannoulakis and Panagiotis Sarigiannidis},
  doi = {10.1109/DCOSS54816.2022.00041},
  isbn = {978-1-6654-9512-7},
  year = {2022},
  date = {2022-05-30},
  booktitle = {2022 18th International Conference on Distributed Computing in Sensor Systems (DCOSS)},
  pages = {183-190},
  abstract = {The highly beneficial contribution of intelligent systems in the industrial domain is undeniable. Automation, supervision, remote control, and fault reduction are some of the various advantages new technologies offer. A protocol demonstrating high utility in industrial settings, and specifically, in smart grids, is Distributed Network Protocol 3 (DNP3), a multi-tier, application layer protocol. Notably, multiple industrial protocols are not as securely designed as expected, considering the highly critical operations occurring in their application domain. In this paper, we explore the internal vulnerabilities-by-design of DNP3, and proceed with the implementation of the attacks discovered, demonstrated through 8 DNP3 attack scenarios. Finally, we design and demonstrate a Deep Neural Network (DNN)-based, multi-model Intrusion Detection Systems (IDS), trained with our experimental network flow cyberattack dataset, and compare our solution with multiple machine learning algorithms used for classification. Our solution demonstrates a high efficiency in the classification of DNP3 cyberattacks, showing an accuracy of 99.0%.},
  keywords = {cyberattack, DNP3, ICS, Intrusion detection, SCADA},
  pubstate = {published},
  tppubtype = {conference}
}

Ilias Siniosoglou; Vasileios Argyriou; Thomas Lagkas; Apostolos Tsiakalos; Antonios Sarigiannidis; Panagiotis Sarigiannidis, "Covert Distributed Training of Deep Federated Industrial Honeypots", 2021 IEEE Globecom Workshops (GC Wkshps), 2022, ISBN: 978-1-6654-2391-5.
Conference | Tags: Autoencoder, Data Generation, Deep Learning, Honeypots, Industrial Control System, SCADA

@conference{9682162,
  title = {Covert Distributed Training of Deep Federated Industrial Honeypots},
  author = {Ilias Siniosoglou and Vasileios Argyriou and Thomas Lagkas and Apostolos Tsiakalos and Antonios Sarigiannidis and Panagiotis Sarigiannidis},
  url = {https://www.researchgate.net/publication/358085083_Covert_Distributed_Training_of_Deep_Federated_Industrial_Honeypots},
  doi = {10.1109/GCWkshps52748.2021.9682162},
  isbn = {978-1-6654-2391-5},
  year = {2022},
  date = {2022-01-24},
  booktitle = {2021 IEEE Globecom Workshops (GC Wkshps)},
  pages = {1-6},
  abstract = {Since the introduction of automation technologies in the Industrial field and its subsequent scaling to horizontal and vertical extents, the need for interconnected industrial systems, supporting smart interoperability is ever higher. Due to this scaling, new and critical vulnerabilities have been created, notably in legacy systems, leaving Industrial infrastructures prone to cyber attacks, that can sometimes have catastrophic results. To tackle the need for extended security measures, this paper presents a Federated Industrial Honeypot that takes advantage of decentralized private Deep Training to produce models that accumulate and simulate real industrial devices. To enhance their camouflage, SCENT, a new custom and covert protocol is proposed, to fully immerse the Federated Honeypot to its industrial role, that handles the communication between the server and honeypot during the training, to hide any clues of operation of the honeypot other than its supposed objective to the eye of the attacker.},
  keywords = {Autoencoder, Data Generation, Deep Learning, Honeypots, Industrial Control System, SCADA},
  pubstate = {published},
  tppubtype = {conference}
}

2021
P. Radoglou-Grammatikis; P. Sarigiannidis; E. Iturbe; E. Rios; S. Martinez; A. Sarigiannidis; G. Eftathopoulos; I. Spyridis; A. Sesis; N. Vakakis; D. Tzovaras; E. Kafetzakis; I. Giannoulakis; M. Tzifas; A. Giannakoulias; M. Angelopoulos; F. Ramos, "SPEAR SIEM: A Security Information and Event Management system for the Smart Grid", Computer Networks, pp. 108008, 2021.
Journal Article | Tags: Anomaly Detection, Cybersecurity, Deep Learning, Intrusion detection, machine learning, SCADA, Security Information and Event Management, Smart Grid

@article{RadoglouGrammatikis2021,
  title = {SPEAR SIEM: A Security Information and Event Management system for the Smart Grid},
  author = {P. Radoglou-Grammatikis and P. Sarigiannidis and E. Iturbe and E. Rios and S. Martinez and A. Sarigiannidis and G. Eftathopoulos and I. Spyridis and A. Sesis and N. Vakakis and D. Tzovaras and E. Kafetzakis and I. Giannoulakis and M. Tzifas and A. Giannakoulias and M. Angelopoulos and F. Ramos},
  url = {https://www.researchgate.net/publication/350287201_SPEAR_SIEM_A_Security_Information_and_Event_Management_system_for_the_Smart_Grid},
  doi = {10.1016/j.comnet.2021.108008},
  year = {2021},
  date = {2021-04-01},
  journal = {Computer Networks},
  pages = {108008},
  publisher = {Elsevier BV},
  abstract = {The technological leap of smart technologies has brought the conventional electrical grid in a new digital era called Smart Grid (SG), providing multiple benefits, such as two-way communication, pervasive control and self-healing. However, this new reality generates significant cybersecurity risks due to the heterogeneous and insecure nature of SG. In particular, SG relies on legacy communication protocols that have not been implemented having cybersecurity in mind. Moreover, the advent of the Internet of Things (IoT) creates severe cybersecurity challenges. The Security Information and Event Management (SIEM) systems constitute an emerging technology in the cybersecurity area, having the capability to detect, normalise and correlate a vast amount of security events. They can orchestrate the entire security of a smart ecosystem, such as SG. Nevertheless, the current SIEM systems do not take into account the unique SG peculiarities and characteristics like the legacy communication protocols. In this paper, we present the Secure and PrivatE smArt gRid (SPEAR) SIEM, which focuses on SG. The main contribution of our work is the design and implementation of a SIEM system capable of detecting, normalising and correlating cyberattacks and anomalies against a plethora of SG application-layer protocols. It is noteworthy that the detection performance of the SPEAR SIEM is demonstrated with real data originating from four real SG use cases: (a) hydropower plant, (b) substation, (c) power plant and (d) smart home.},
  keywords = {Anomaly Detection, Cybersecurity, Deep Learning, Intrusion detection, machine learning, SCADA, Security Information and Event Management, Smart Grid},
  pubstate = {published},
  tppubtype = {article}
}

2020
I. Siniosoglou; G. Efstathopoulos; D. Pliatsios; I.D. Moscholios; A. Sarigiannidis; G. Sakellari; G. Loukas; P. Sarigiannidis, "NeuralPot: An Industrial Honeypot Implementation Based On Deep Neural Networks", 2020 IEEE Symposium on Computers and Communications (ISCC), IEEE, 2020.
Conference | Tags: Autoencoder Network, Data Generation, GAN Network, Honeypots, Industrial Control System, SCADA

@conference{Siniosoglou2020,
  title = {NeuralPot: An Industrial Honeypot Implementation Based On Deep Neural Networks},
  author = {I. Siniosoglou and G. Efstathopoulos and D. Pliatsios and I.D. Moscholios and A. Sarigiannidis and G. Sakellari and G. Loukas and P. Sarigiannidis},
  editor = {2020 {IEEE} Symposium on Computers and Communications ({ISCC})},
  url = {https://www.researchgate.net/publication/347267819_NeuralPot_An_Industrial_Honeypot_Implementation_Based_On_Deep_Neural_Networks},
  doi = {10.1109/ISCC50000.2020.9219712},
  year = {2020},
  date = {2020-07-01},
  booktitle = {2020 IEEE Symposium on Computers and Communications (ISCC)},
  journal = {Proceedings - IEEE Symposium on Computers and Communications},
  publisher = {IEEE},
  abstract = {Honeypots are powerful security tools, developed to shield commercial and industrial networks from malicious activity. Honeypots act as passive and interactive decoys in a network attracting malicious activity and securing the rest of the network entities. Since an increase in intrusions has been observed lately, more advanced security systems are necessary. In this paper a new method of adapting a honeypot system in a modern industrial network, employing the Modbus protocol, is introduced. In the presented NeuralPot honeypot, two distinct deep neural network implementations are utilized to adapt to network Modbus entities and clone them, actively confusing the intruders. The proposed deep neural networks and their generated data are then compared. © 2020 IEEE.},
  keywords = {Autoencoder Network, Data Generation, GAN Network, Honeypots, Industrial Control System, SCADA},
  pubstate = {published},
  tppubtype = {conference}
}

P. Radoglou-Grammatikis; P. Sarigiannidis; G. Efstathopoulos; P.-A. Karypidis; A. Sarigiannidis, "DIDEROT: An intrusion detection and prevention system for DNP3-based SCADA systems", 2020.
Conference | Tags: Anomaly Detection, Autonencoder, Intrusion detection, machine learning, SCADA, SDN, Smart Grid

@conference{Radoglou-Grammatikis2020b,
  title = {DIDEROT: An intrusion detection and prevention system for DNP3-based SCADA systems},
  author = {P. Radoglou-Grammatikis and P. Sarigiannidis and G. Efstathopoulos and P.-A. Karypidis and A. Sarigiannidis},
  url = {https://www.researchgate.net/publication/343853580_DIDEROT_an_intrusion_detection_and_prevention_system_for_DNP3-based_SCADA_systems},
  doi = {10.1145/3407023.3409314},
  year = {2020},
  date = {2020-01-01},
  journal = {ACM International Conference Proceeding Series},
  abstract = {In this paper, an Intrusion Detection and Prevention System (IDPS) for the Distributed Network Protocol 3 (DNP3) Supervisory Control and Data Acquisition (SCADA) systems is presented. The proposed IDPS is called DIDEROT (Dnp3 Intrusion DetEction pReventiOn sysTem) and relies on both supervised Machine Learning (ML) and unsupervised/outlier ML detection models capable of discriminating whether a DNP3 network flow is related to a particular DNP3 cyberattack or anomaly. First, the supervised ML detection model is applied, trying to identify whether a DNP3 network flow is related to a specific DNP3 cyberattack. If the corresponding network flow is detected as normal, then the unsupervised/outlier ML anomaly detection model is activated, seeking to recognise the presence of a possible anomaly. Based on the DIDEROT detection results, the Software Defined Networking (SDN) technology is adopted in order to mitigate timely the corresponding DNP3 cyberattacks and anomalies. The performance of DIDEROT is demonstrated using real data originating from a substation environment. © 2020 ACM.},
  keywords = {Anomaly Detection, Autonencoder, Intrusion detection, machine learning, SCADA, SDN, Smart Grid},
  pubstate = {published},
  tppubtype = {conference}
}

D. Pliatsios; P. Sarigiannidis; T. Lagkas; A.G. Sarigiannidis, "A Survey on SCADA Systems: Secure Protocols, Incidents, Threats and Tactics", IEEE Communications Surveys and Tutorials, 22 (3), pp. 1942-1976, 2020.
Journal Article | Tags: Cybersecurity, protocols, SCADA, security, Smart Grid, trends

@article{Pliatsios20201942,
  title = {A Survey on SCADA Systems: Secure Protocols, Incidents, Threats and Tactics},
  author = {D. Pliatsios and P. Sarigiannidis and T. Lagkas and A.G. Sarigiannidis},
  url = {https://www.researchgate.net/publication/340453361_A_Survey_on_SCADA_Systems_Secure_Protocols_Incidents_Threats_and_Tactics},
  doi = {10.1109/COMST.2020.2987688},
  year = {2020},
  date = {2020-01-01},
  journal = {IEEE Communications Surveys and Tutorials},
  volume = {22},
  number = {3},
  pages = {1942-1976},
  abstract = {Supervisory Control and Data Acquisition (SCADA) systems are the underlying monitoring and control components of critical infrastructures, such as power, telecommunication, transportation, pipelines, chemicals and manufacturing plants. Legacy SCADA systems operated on isolated networks, that made them less exposed to Internet threats. However, the increasing connection of SCADA systems to the Internet, as well as corporate networks, introduces severe security issues. Security considerations for SCADA systems are gaining higher attention, as the number of security incidents against these critical infrastructures is increasing. In this survey, we provide an overview of the general SCADA architecture, along with a detailed description of the SCADA communication protocols. Additionally, we discuss certain high-impact security incidents, objectives, and threats. Furthermore, we carry out an extensive review of the security proposals and tactics that aim to secure SCADA systems. We also discuss the state of SCADA system security. Finally, we present the current research trends and future advancements of SCADA security. © 1998-2012 IEEE.},
  keywords = {Cybersecurity, protocols, SCADA, security, Smart Grid, trends},
  pubstate = {published},
  tppubtype = {article}
}

P. Radoglou Grammatikis; P. Sarigiannidis; G. Efstathopoulos; E. Panaousis, "ARIES: A Novel Multivariate Intrusion Detection System for Smart Grid", Sensors (Basel, Switzerland), 20 (18), 2020.
Journal Article | Tags: Cybersecurity, intrusion detection system, machine learning, Modbus, SCADA, Smart Grid

@article{RadoglouGrammatikis2020,
  title = {ARIES: A Novel Multivariate Intrusion Detection System for Smart Grid},
  author = {P. Radoglou Grammatikis and P. Sarigiannidis and G. Efstathopoulos and E. Panaousis},
  url = {https://www.researchgate.net/publication/344176314_ARIES_A_Novel_Multivariate_Intrusion_Detection_System_for_Smart_Grid},
  doi = {10.3390/s20185305},
  year = {2020},
  date = {2020-01-01},
  journal = {Sensors (Basel, Switzerland)},
  volume = {20},
  number = {18},
  abstract = {The advent of the Smart Grid (SG) raises severe cybersecurity risks that can lead to devastating consequences. In this paper, we present a novel anomaly-based Intrusion Detection System (IDS), called ARIES (smArt gRid Intrusion dEtection System), which is capable of protecting efficiently SG communications. ARIES combines three detection layers that are devoted to recognising possible cyberattacks and anomalies against (a) network flows, (b) Modbus/Transmission Control Protocol (TCP) packets and (c) operational data. Each detection layer relies on a Machine Learning (ML) model trained using data originating from a power plant. In particular, the first layer (network flow-based detection) performs a supervised multiclass classification, recognising Denial of Service (DoS), brute force attacks, port scanning attacks and bots. The second layer (packet-based detection) detects possible anomalies related to the Modbus packets, while the third layer (operational data based detection) monitors and identifies anomalies upon operational data (i.e., time series electricity measurements). By emphasising on the third layer, the ARIES Generative Adversarial Network (ARIES GAN) with novel error minimisation functions was developed, considering mainly the reconstruction difference. Moreover, a novel reformed conditional input was suggested, consisting of random noise and the signal features at any given time instance. Based on the evaluation analysis, the proposed GAN network overcomes the efficacy of conventional ML methods in terms of Accuracy and the F1 score.},
  keywords = {Cybersecurity, intrusion detection system, machine learning, Modbus, SCADA, Smart Grid},
  pubstate = {published},
  tppubtype = {article}
}

2019
P.I. Radoglou-Grammatikis; P.G. Sarigiannidis , "Securing the Smart Grid: A Comprehensive Compilation of Intrusion Detection and Prevention Systems", IEEE Access, 7 , pp. 46595-46620, 2019. Journal Article Abstract | BibTeX | Tags: Advanced Metering Infrastructure, cyberattacks, intrusion detection system, Intrusion prevention system, SCADA, security, Smart Grid, substation, Synchrophasor | Links: @article{Radoglou-Grammatikis201946595, title = {Securing the Smart Grid: A Comprehensive Compilation of Intrusion Detection and Prevention Systems}, author = { P.I. Radoglou-Grammatikis and P.G. Sarigiannidis}, url = {https://www.researchgate.net/publication/332188706_Securing_the_Smart_Grid_A_Comprehensive_Compilation_of_Intrusion_Detection_and_Prevention_Systems}, doi = {10.1109/ACCESS.2019.2909807}, year = {2019}, date = {2019-01-01}, journal = {IEEE Access}, volume = {7}, pages = {46595-46620}, abstract = {The smart grid (SG) paradigm is the next technological leap of the conventional electrical grid, contributing to the protection of the physical environment and providing multiple advantages such as increased reliability, better service quality, and the efficient utilization of the existing infrastructure and the renewable energy resources. However, despite the fact that it brings beneficial environmental, economic, and social changes, the existence of such a system possesses important security and privacy challenges, since it includes a combination of heterogeneous, co-existing smart, and legacy technologies. Based on the rapid evolution of the cyber-physical systems (CPS), both academia and industry have developed appropriate measures for enhancing the security surface of the SG paradigm using, for example, integrating efficient, lightweight encryption and authorization mechanisms. Nevertheless, these mechanisms may not prevent various security threats, such as denial of service (DoS) attacks that target on the availability of the underlying systems. 
An efficient countermeasure against several cyberattacks is the intrusion detection and prevention system (IDPS). In this paper, we examine the contribution of the IDPSs in the SG paradigm, providing an analysis of 37 cases. More detailed, these systems can be considered as a secondary defense mechanism, which enhances the cryptographic processes, by timely detecting or/and preventing potential security violations. For instance, if a cyberattack bypasses the essential encryption and authorization mechanisms, then the IDPS systems can act as a secondary protection service, informing the system operator for the presence of the specific attack or enabling appropriate preventive countermeasures. The cases we study focused on the advanced metering infrastructure (AMI), supervisory control and data acquisition (SCADA) systems, substations, and synchrophasors. Based on our comparative analysis, the limitations and the shortcomings of the current IDPS systems are identified, whereas appropriate recommendations are provided for future research efforts. © 2013 IEEE.}, keywords = {Advanced Metering Infrastructure, cyberattacks, intrusion detection system, Intrusion prevention system, SCADA, security, Smart Grid, substation, Synchrophasor}, pubstate = {published}, tppubtype = {article} } |
Address
Internet of Things and Applications Lab
Department of Electrical and Computer Engineering
University of Western Macedonia Campus
ZEP Area, Kozani 50100
Greece
Contact Information
tel: +30 2461 056527
Email: ithaca@uowm.gr