TY - GEN
T1 - SecMonS
T2 - 21st International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2024
AU - Duman, Onur
AU - Zhang, Mengyuan
AU - Wang, Lingyu
AU - Debbabi, Mourad
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.
PY - 2024
Y1 - 2024
N2 - Substations are critical components of the smart grid, since compromising them can lead to significant consequences such as blackouts. Threat modeling aims to capture the different ways in which critical networks, such as substations, can be attacked. Attack graphs are commonly used for modeling threats, and there is a large literature on them. However, attack graph generation is still an open problem, and attack graphs are usually generated from static configurations. To address these challenges, this paper provides an attack graph-based threat modeling and Markov Decision Process (MDP)-based monitoring framework for substations, named SecMonS. Specifically, we first generate static attack graphs from substation configuration language (SCL) descriptions of intelligent electronic devices (IEDs). Second, we generate automaton models of IED behavior directly from log files that contain Generic Object Oriented Substation Event (GOOSE) protocol parameter values. Third, we enhance the static attack graphs with these automaton models so that the threat models contain up-to-date information derived from real-world attacks. Fourth, we tackle the state space explosion faced by the MDP models, which are used to identify the potential physical consequences of attacks and thereby integrate the physical aspects of attacks into the threat modeling. Lastly, we evaluate the practicality of SecMonS through simulations using data both from a public data set and from randomly generated events for different types of attacks.
KW - attack graph
KW - log
KW - SCL
KW - smart grid
KW - substations
UR - http://www.scopus.com/inward/record.url?scp=85200688350&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85200688350&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-64171-8_25
DO - 10.1007/978-3-031-64171-8_25
M3 - Conference contribution
AN - SCOPUS:85200688350
SN - 9783031641701
T3 - Lecture Notes in Computer Science
SP - 483
EP - 502
BT - Detection of Intrusions and Malware, and Vulnerability Assessment
A2 - Maggi, Federico
A2 - Egele, Manuel
A2 - Payer, Mathias
A2 - Carminati, Michele
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 17 July 2024 through 19 July 2024
ER -