Team for Research in
Ubiquitous Secure Technology

Citation
Julian L. Rrushi, Roy H. Campbell. "Detecting Attacks in Power Plant Interfacing Substations through Probabilistic Validation of Attack-Effect Bindings". Proceedings of the SCADA Security Scientific Symposium 2008, Dale Peterson (ed.), 24, January, 2008.

Abstract
In this paper we provide a mathematical approach to detection of attacks on relays in electrical substations speaking IEC 61850, i.e. an abstract industrial protocol devised by the technical committee 57 of the International Electrotechnical Commission as a standard for substation communications. Our contribution regards those electrical transmission substations which interface with the generators of a power plant through stepup transformers. In this paper we take as an instance power plants which use nuclear reactors as a source of energy. The basis of the proposed approach is formed by structural equations which semantically model the relations between operational variables of substation and nuclear power plant components as monitored by the respective control systems. Causality relations investigated via structural equations are reflected on Bayesian Belief Networks to probabilistically characterize the legitimacy and abnormality of IEC 61850 traffic. We then employ the Stochastic Activity Network formalism to construct composed models of substation operation from which we derive intrusion detection rules.

Electronic downloads

• iec61850-intrusion-detection.pdf · application/x-unknown-application-x-unknown-application-x-unknow · 856 kbytes

• HTML

  Julian L. Rrushi, Roy H. Campbell. <a
  href="http://www.truststc.org/pubs/313.html"
  >Detecting Attacks in Power Plant Interfacing Substations
  through Probabilistic Validation of Attack-Effect
  Bindings</a>, Proceedings of the SCADA Security
  Scientific Symposium 2008, Dale Peterson (ed.), 24, January,
  2008.

• Plain text

  Julian L. Rrushi, Roy H. Campbell. "Detecting Attacks
  in Power Plant Interfacing Substations through Probabilistic
  Validation of Attack-Effect Bindings". Proceedings of
  the SCADA Security Scientific Symposium 2008, Dale Peterson
  (ed.), 24, January, 2008.

• BibTeX

  @inproceedings{RrushiCampbell08_DetectingAttacksInPowerPlantInterfacingSubstationsThrough,
      author = {Julian L. Rrushi and Roy H. Campbell},
      title = {Detecting Attacks in Power Plant Interfacing
                Substations through Probabilistic Validation of
                Attack-Effect Bindings},
      booktitle = {Proceedings of the SCADA Security Scientific
                Symposium 2008},
      editor = {Dale Peterson},
      pages = {24},
      month = {January},
      year = {2008},
      abstract = {In this paper we provide a mathematical approach
                to detection of attacks on relays in electrical
                substations speaking IEC 61850, i.e. an abstract
                industrial protocol devised by the technical
                committee 57 of the International Electrotechnical
                Commission as a standard for substation
                communications. Our contribution regards those
                electrical transmission substations which
                interface with the generators of a power plant
                through stepup transformers. In this paper we take
                as an instance power plants which use nuclear
                reactors as a source of energy. The basis of the
                proposed approach is formed by structural
                equations which semantically model the relations
                between operational variables of substation and
                nuclear power plant components as monitored by the
                respective control systems. Causality relations
                investigated via structural equations are
                reflected on Bayesian Belief Networks to
                probabilistically characterize the legitimacy and
                abnormality of IEC 61850 traffic. We then employ
                the Stochastic Activity Network formalism to
                construct composed models of substation operation
                from which we derive intrusion detection rules. },
      URL = {http://www.truststc.org/pubs/313.html}
  }
  

Posted by Julian L. Rrushi on 30 Jan 2008.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.