SecMonS: A Security Monitoring Framework for IEC 61850 Substations Based on Configuration Files and Logs

Onur Duman*, Mengyuan Zhang, Lingyu Wang, Mourad Debbabi

*Corresponding author for this work

Research output: Chapter in Book / Report / Conference proceeding; Conference contribution; Academic; peer-reviewed

Abstract

Substations are critical components of the smart grid, since compromising them can lead to significant consequences such as blackouts. Threat modeling aims to model the different ways in which critical networks, such as substations, can be attacked. Attack graphs are commonly used for modeling threats, and there is a large body of literature on them. However, attack graph generation is still an open problem, and attack graphs are usually generated from static configurations. To overcome those challenges, this paper provides an attack graph-based threat modeling and Markov Decision Process (MDP)-based monitoring framework for substations, named SecMonS. Specifically, we first generate static attack graphs from the Substation Configuration Language (SCL) descriptions of intelligent electronic devices (IEDs). Second, we generate automaton models of IED behavior directly from log files that contain Generic Object Oriented Substation Event (GOOSE) protocol parameter values. Third, we enhance the static attack graphs with the automaton models so that the threat models contain up-to-date information derived from real-world attacks. Fourth, we tackle the state space explosion faced by the MDP models, which are used to identify the potential physical consequences of attacks and thereby integrate the physical aspects of attacks into the threat modeling. Lastly, we evaluate the practicality of SecMonS through simulations using data both from a public data set and from randomly generated events for different types of attacks.

Original language: English
Title of host publication: Detection of Intrusions and Malware, and Vulnerability Assessment
Subtitle of host publication: 21st International Conference, DIMVA 2024, Lausanne, Switzerland, July 17–19, 2024, Proceedings
Editors: Federico Maggi, Manuel Egele, Mathias Payer, Michele Carminati
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 483-502
Number of pages: 20
ISBN (Electronic): 9783031641718
ISBN (Print): 9783031641701
DOIs:
Publication status: Published - 2024
Event: 21st International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2024 - Lausanne, Switzerland
Duration: 17 Jul 2024 - 19 Jul 2024

Publication series

Name: Lecture Notes in Computer Science
Volume: 14828 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Name: DIMVA: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Publisher: Springer
Volume: 2024

Conference

Conference: 21st International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2024
Country/Territory: Switzerland
City: Lausanne
Period: 17/07/24 - 19/07/24

Bibliographical note

Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.

Funding

Funders                                                   Funder number
Natural Sciences and Engineering Research Council of Canada
Hydro-Québec Thales Research Chair                        N01035

Keywords

• attack graph
• log
• SCL
• smart grid
• substations
