Thomas Morris

WAMS Cyber-Physical Test Bed for Power System, Cybersecurity Study, and Data Mining

Researchers from various cross disciplinary fields such as power systems, data science, and cybersecurity face two distinct challenges. First, the lack of a comprehensive test bed that integrates industry standard hardware, software, and wide area measurement system (WAMS) components and protocols impedes the study of cybersecurity issues including vulnerabilities associated with WAMS components and the consequences of exploitation of vulnerabilities. Second, a lack of comprehensive labeled Synchrophasor data along with other system related information imposes challenges to the development and evaluation of data mining algorithms that can classify power system cyber-power events. In this paper, a WAMS cyber-physical test bed was developed using a real time digital simulator with hardware-in-the-loop simulation. Commercial control and monitoring devices, hardware, software, and industry standard communication networks and protocols were combined with custom MATLAB, Python, and AutoIt scripts to model realistic power system contingencies and cyber-attacks. An automated simulation and control engine was developed to randomize modeled cyber-power events including power system faults, contingencies, control actions, and cyber-attacks. Scripts were added to capture heterogenous sensor data and create ground truth labeled datasets. The WAMS cyber-physical test bed is capable of simulating various sized power systems and creating datasets without altering the hardware configuration. A WAMS architecture is presented to document the integration of various components. Finally, test bed applications, simulated cyber-power scenarios, the dataset development process, and selected results are presented.

Applying Hoeffding Adaptive Trees for Real-Time Cyber-Power Event and Intrusion Classification

Electricity transmission systems are networked cyber physical systems that are subject to many well-known control, weather, and equipment failure related contingencies which can disrupt power delivery. Cyber-attacks against electric transmission systems are another class of contingency which can disrupt power delivery. Wide area monitoring systems (WAMSs) enhanced with phasor measurement units provide high volume and high velocity power system sensor data which can be combined with traditional power system data sources and cyber data sources to enable real time detection of both types of contingencies. This paper describes research toward a cyber-power event and intrusion detection system (EIDS) which can be used for multiclass or binary-class classification of traditional power system contingencies and cyber-attacks. The continuous streams of high speed data from WAMS pose significant challenges in data storage, management, and handling. Data stream mining addresses the continuous data problem and can deal with very large data sizes. Hoeffding adaptive trees (HAT) augmented with the drift detection method (DDM) and adaptive windowing (ADWIN) can effectively be used to classify traditional and cyber contingencies in real time. Experiments performed for this paper demonstrate HAT + DDM + ADWIN provides classification accuracy of greater than 94% for multiclass and greater than 98% for binary class classification for a dataset with artifacts from 45 classes of cyber-power contingencies. Results also show that HAT + DDM + ADWIN has a small memory foot print and a fast evaluation time which enables real time EIDS.

Enhancing a Virtual SCADA Laboratory Using Simulink

This chapter describes a virtual supervisory control and data acquisition (SCADA) security laboratory and the improvements made using Simulink. The laboratory was initially constructed using virtual devices written in Python that simulate industrial processes, emulate control system ladder logic functionality and utilize control system communications protocols. However, given the limitations of Python programs with regard to modeling industrial processes, an improved model was constructed using the Simulink modeling environment. Custom and commercially-available human-machine interfaces used in real-world SCADA environments were deployed in the new laboratory. In addition, various attacks were developed and implemented against the virtual SCADA system. The behavior of the improved laboratory and its earlier version are compared against the physical system after which both were modeled.

Applying Non-Nested Generalized Exemplars Classification for Cyber-Power Event and Intrusion Detection

Non-nested generalized exemplars (NNGEs) is a state of the art data mining algorithm which uses distance between a new example and a set of exemplars for classification. The state extraction method (STEM) preprocesses power system wide area measurement system data to reduce data size while maintaining critical patterns. Together NNGE+STEM make an effective event and intrusion detection system which can effectively classify power system events and cyber-attacks in real time. This paper documents the results of two experiments in which NNGE+STEM was used to classify cyber power contingency, control action, and cyber-attack events. Experimental results show that NNGE+STEM achieved greater than 94 and 97% accuracy for multiclass and binary class classification. Additionally, the NNGE+STEM false positive rate was below 0.5%, the average classification time was 0.2 ms, and the classifier had low memory requirements.

Hardware-based Cyber Threats.

During the last decade, cyber-security experts have been trying to mitigate attacks against computer networks and software. After the internet, the proliferation of thousands of virus, worms and trojans became easier, which then required enhancements for Operating Systems, browsers and anti-virus software in order to keep their users safe. However, what happens when the threat comes from the hardware? The Operating System trusts entirely in the hardware to perform its operations. If the hardware has been taken, it becomes much harder to regain control of the system. This paper describes eight different approaches to hardware attacks against software. It also demonstrates how to perform an attack using a USB device patched to behave like a generic HID Input Device, in order to insert malicious code in the system.

Virtualization of SCADA testbeds for cybersecurity research: A modular approach

Abstract SCADA systems were made robust to sustain tough industrial environments, but little care was taken to raise defenses against potential cyber threats. With time, the threats started pouring in and eliciting major concerns in the research community. The extremely high cost and critical nature of SCADA Systems has made it nearly impossible for researchers to perform experiments with live cyber-attacks. Hence, replicating the behavior of these complicated systems by developing high-fidelity testbeds and testing the vulnerabilities on them provides researchers with the necessary workspace to combat the threats currently haunting these legacy systems. However, high-fidelity testbeds like Deter and NSTB are not portable and are hard to replicate. Even though it was possible to identify some portable testbeds, they all have poor support on the virtualization of the SCADA controller or use hardware-in-the-loop, which affects portability. In this research, a novel-modular framework is proposed to replicate complex SCADA Systems entirely on a virtual simulation, which makes them very low cost and portable. The process of virtualizing each major component is discussed. Finally, the success of this methodology is demonstrated by replicating real world critical infrastructures, which are presented as case studies as well as cyberattacks to demonstrate the use of the framework for cybersecurity research.

INSuRE: Collaborating Centers of Academic Excellence Engage Students in Cybersecurity Research

Since fall 2012, several National Centers of Academic Excellence in Cyber Defense Research have fielded a collaborative course—the Information Security Research and Education (INSuRE) program—to engage students in applied cybersecurity research. Recent experiences with INSuRE are discussed, including an overview of the project-based research course, student projects, and outcomes and lessons learned.