scispace - formally typeset

Showing papers by "Chen-Ching Liu published in 2012"


Journal ArticleDOI
TL;DR: A power grid is a critical infrastructure that relies on supervisory control and data acquisition systems for monitoring, control, and operation and the use of firewalls has become a widely adopted access control method against intruders.
Abstract: A power grid is a critical infrastructure that relies on supervisory control and data acquisition (SCADA) systems for monitoring, control, and operation. On top of the power infrastructure reside layers of information and communications technology (ICT) that are interconnected with electric grids. The cyber and power infrastructures together constitute a large, complex cyberphysical system. ICTs on the power grids have evolved from isolated structures into open and networked environments based on TCP/IP and Ethernet. The technology is known to be vulnerable with respect to cyberintrusions. As ICTs of the power infrastructure have evolved into highly connected network environments, the use of firewalls has become a widely adopted access control method against intruders. Firewalls do not guarantee cybersecurity, however. The misconfiguration of company firewalls has been reported. Even if the configuration of a firewall is correct, it is still vulnerable because firewalls are not able to detect insider attacks and connections from the trusted side. Hence, solutions based solely on firewalls can be inadequate.

106 citations


Journal ArticleDOI
TL;DR: In this paper, the authors analyzed a financial bilateral contract negotiation process between a generation company and a load-serving entity in a wholesale electric power market with congestion managed by locational marginal pricing.
Abstract: Bilateral contracts are important risk-hedging instruments constituting a major component in the portfolios held by many electric power market participants. However, bilateral contract negotiation is a complicated process as it involves risk management, strategic bargaining, and multi-market participation. This study analyzes a financial bilateral contract negotiation process between a generation company and a load-serving entity in a wholesale electric power market with congestion managed by locational marginal pricing. Nash bargaining theory is used to model a Pareto-efficient settlement point. The model predicts negotiation outcomes under various conditions and identifies circumstances in which the two parties might fail to reach an agreement. Both analysis and simulation are used to gain insight regarding how these negotiation outcomes systematically vary in response to changes in the participants' risk preferences and price biases.

48 citations


Proceedings ArticleDOI
16 Jan 2012
TL;DR: The cyber security issues in a smart grid environment and cyber attack/mitigation scenarios using a testbed at University College Dublin (UCD) are presented.
Abstract: Smart grid heavily relies on Information and Communications Technology (ICT) to manage the energy usage. The concept of smart grid implies the use of “smart” devices, such as smart meters or Remote Terminal Units (RTUs), that require extensive information to optimize the power grid. As the communication network is based on TCP/IP and Ethernet technology, new cyber vulnerabilities are introduced that can be exploited by malicious attackers. Cyber security has become a serious concern due to various intrusion incidents. Cyber attacks can make a significant impact on the grid, which will involve not only steady-state but also dynamic behaviors. A cyber-power system approach has been established that explicitly models the interaction between ICT and the power system. New technologies are under development to enhance the ICT vulnerability assessment and evaluate the impact of cyber attacks on system operation. This paper presents the cyber security issues in a smart grid environment and cyber attack/mitigation scenarios using a testbed at University College Dublin (UCD).

41 citations


Proceedings ArticleDOI
10 Oct 2012
TL;DR: The experiments show that the proposed approach is effective, not only in generating a signature that detects the malware and its variants and defeats different obfuscation methods, but also in producing execution profiles that can be used to characterize different malicious attacks.
Abstract: Malware authors attempt in an endless effort to find new methods to evade the malware detection engines. A popular method is the use of obfuscation technologies that change the syntax of malicious code while preserving the execution semantics. This leads to the evasion of signatures that are built based on the code syntax. In this paper, we propose a novel approach to develop an evasion-resistant malware signature. This signature is based on the malware's execution profiles extracted from kernel data structure objects and uses neither malicious code syntax-specific information nor code execution flow information. Thus, the proposed signature is more resistant to obfuscation methods and resilient in detecting malicious code variants. To evaluate the effectiveness of the proposed approach, a prototype signature generation tool called SigGENE is developed. The effectiveness of signatures generated by SigGENE is evaluated using an experimental rootkit-simulation tool that employs techniques commonly found in rootkits. This simulation tool is obfuscated using several different methods. In further experiments, real-world malware samples that have different variants with the same behavior are used to verify the real-world applicability of the approach. The experiments show that the proposed approach is effective, not only in generating a signature that detects the malware and its variants and defeats different obfuscation methods, but also in producing execution profiles that can be used to characterize different malicious attacks.

21 citations


Book ChapterDOI
01 Jan 2012
TL;DR: This chapter proposes a vulnerability assessment framework to quantify risk due to intelligent coordinated attacks, where risk is defined as the product of probability of successful cyber intrusion and resulting power system impact.
Abstract: The supervisory control and data acquisition (SCADA) network provides adversaries with an opportunity to perform coordinated cyber attacks on power system equipment as it presents an increased attack surface. Coordinated attacks, when smartly structured, can not only have severe physical impacts, but can also potentially nullify the effect of system redundancy and other defense mechanisms. This chapter proposes a vulnerability assessment framework to quantify risk due to intelligent coordinated attacks, where risk is defined as the product of probability of successful cyber intrusion and resulting power system impact. The cyber network is modeled using Stochastic Petri Nets, and the steady-state probability of successful intrusion into a substation is obtained using this model. The model employs a SCADA network with firewalls and password protection schemes. The impact on the power system is estimated by load unserved after a successful attack. The New England 39-bus system is used as a test model to run Optimal Power Flow (OPF) simulations to determine load unserved. We conduct experiments creating coordinated attacks from our attack template on the test system and evaluate the risk for every case. Our attack cases include combinations of generation units and transmission lines that form coordinated attack pairs. Our integrated risk evaluation studies provide a methodology to assess risk from different cyber network configurations and substation capabilities. Our studies identify scenarios where generation capacity, cyber vulnerability, and the topology of the grid together could be used by attackers to cause significant power system impact.

20 citations


Proceedings ArticleDOI
01 Oct 2012
TL;DR: The objective is to implement the ICT model for real-time interactions with both the power grid and transmission operator and the proposed co-simulation framework is validated with the IEEE 39-bus system.
Abstract: A cyber-physical system is a large and complex infrastructure. Due to the increasing connectivity, the power and cyber systems become more interdependent. Models of the interactions are needed between the power devices and information and communication technology (ICT). A broad range of cyber attacks has become a serious concern. Cyber attacks must be simulated to analyze the consequences on the power grid. Thus, the cyber system must be modeled explicitly and integrated with the power grid model. This paper describes the development and simulation of a novel co-simulation framework that integrates both the cyber and power systems. The objective is to implement the ICT model for real-time interactions with both the power grid and transmission operator. Different industrial grade environments have been developed to simulate the cyber-power interactions. ICT events that may affect the stability of the grid, e.g., cyber attacks, are simulated at the cyber system layer, and their impact analysis is conducted at the power system layer. The proposed co-simulation framework is validated with the IEEE 39-bus system.

14 citations


Proceedings ArticleDOI
22 Jul 2012
TL;DR: In order to identify the impact of substation cyber intrusion to the power grid, cyber intrusion scenarios have been conducted on the substation IT network using a SCADA testbed at University College Dublin (UCD).
Abstract: New technologies including microprocessor-based Intelligent Electronic Devices (IEDs), standardized protocols, and TCP/IP over wide area networks (WAN) are well adopted in substations. Remote access to IEDs or user interfaces in a substation for maintenance purposes is a common practice. However, there are potential cyber-physical system vulnerabilities in a substation, e.g., unsecured standard protocols, remotely controllable IEDs, and unauthorized remote access to substation IEDs. In addition, some substation IEDs and user interfaces have a web server and hence may provide remote configuration change and control with default passwords. Even if firewalls and cryptography schemes are used for cyber security, cryptography with weak security key management and mis-configured firewalls are still exposed to intruders. From an IT point of view, cyber security issues are well known and new security technologies are available. However, security research on the integration of IT and physical power systems for critical infrastructures is still an emerging area. Intruders' behaviors will generate logs across all substation-level networks, e.g., IEDs, firewalls and user interfaces. For instance, the steps of the Stuxnet attack are based on: (1) intrusion attempts, (2) change of the file system, (3) change of target system settings, and (4) change of target system status. Therefore, anomaly detection is performed based on logs of intruders' footprints. Temporal anomaly can be determined from discrepancies between event logs from two different time periods. In the proposed anomaly index, a value of 0 implies no difference, whereas 1 indicates the maximal discrepancy [1]. In order to identify the impact of substation cyber intrusion on the power grid, cyber intrusion scenarios have been conducted on the substation IT network using a SCADA testbed at University College Dublin (UCD). The first intrusion scenario involves a compromised substation gateway. A false signal is generated and an open circuit breaker (CB) command is sent to substation CBs. The second scenario is to generate forged CB status at the gateway. As a result of this attack, control center operators will observe fake data about the CB status. However, the actual substation CB status has not changed. The third scenario is to generate fabricated analogue values to a control center using a man-in-the-middle attack. Once an intruder successfully compromises the substation LAN, (s)he is able to monitor and capture all measured data which comes from power grids. If attackers send fabricated data to the control center and the data travel through the state estimation filter, control center operators will observe an operational emergency. As a result, the operators may take emergency control actions such as reducing the generation voltage or reactive power while the power system is actually in a normal condition. There is a possibility that these (logical) actions based on fabricated data will drive the system into a sequence of cascading events, leading to a power outage. Mitigation actions are conducted on the substation IT network and the power grid. For IT mitigation, an intrusion detection system (IDS) that uses an anomaly detection algorithm based on temporal event construction has been used in a substation network. An Optimal Power Flow (OPF) algorithm with an objective function that minimizes load shedding in the grid is used for power system mitigation. The proposed collaboration scheme between the IDS and the firewall is able to disconnect intruders in the substation network. Emergency control actions are taken to mitigate the effects of cyber intrusions as an attempt to restore the system back to a normal condition.

8 citations


Book ChapterDOI
12 Sep 2012
TL;DR: The derived model of the malicious code allows for accurate reasoning and deduction of the occurrence of malicious activities even when anti-forensic methods are employed to disrupt the investigation process.
Abstract: A call for formalizing digital forensic investigations has been proposed by academics and practitioners alike [1, 2]. Many currently proposed methods of malware analysis for forensic investigation purposes, however, are derived based on the investigators' practical experience. This paper presents a formal approach for reconstructing the activities of a malicious executable found in a victim's system during a post-mortem analysis. The behavior of a suspect executable is modeled as a finite state automaton where each state represents behavior that results in an observable modification to the victim's system. The derived model of the malicious code allows for accurate reasoning and deduction of the occurrence of malicious activities even when anti-forensic methods are employed to disrupt the investigation process.

5 citations


Book ChapterDOI
25 Oct 2012
TL;DR: A method to profile dynamic kernel memory to complement currently proposed dynamic profiling techniques and allow investigators to automate the identification of malicious kernel objects during a post-mortem analysis of the victim’s acquired memory is proposed.
Abstract: Digital forensic investigators commonly use dynamic malware analysis methods to analyze a suspect executable found during a post-mortem analysis of the victim's computer. Unfortunately, currently proposed dynamic malware analysis methods and sandbox solutions have a number of limitations that may lead the investigators to ambiguous conclusions. In this research, the limitations of the use of current dynamic malware analysis methods in digital forensic investigations are highlighted. In addition, a method to profile dynamic kernel memory to complement currently proposed dynamic profiling techniques is then proposed. The proposed method will allow investigators to automate the identification of malicious kernel objects during a post-mortem analysis of the victim's acquired memory. The method is implemented in a prototype malware analysis environment to automate the process of profiling malicious kernel objects and assist malware forensic investigation. Finally, a case study is given to demonstrate the efficacy of the proposed approach.