
Cyber Physical Attack Detection

Presentation on theme: "Cyber Physical Attack Detection"— Presentation transcript:

1 Cyber Physical Attack Detection
Erik M. Ferragut Jason Laska Project supported by Transition to Practice program Science & Technology Directorate Department of Homeland Security

2 “In the current environment, the U.S. grid faces imminent danger from cyber attacks.”
Department of Energy, Quadrennial Energy Review, 2017

3 Recent Attacks on Critical Infrastructure
Metcalf, California substation attack (2013)
Ukrainian power grid attack (2016)
Metcalf: The attackers severed six underground fiber-optic lines before firing more than 100 rounds of ammunition at the substation's transformers, causing more than $15 million in damage.
Ukraine: This focus differentiates from just cyber or just physical attacks (for a new breed of cyber-physical attacks).
Both of these attacks manipulated sensors to directly blind and disrupt control centers.

4 Need to Protect Sensor Data
Corrupted data: replay, spoofing, injections
Damaging decisions: blackouts, brownouts, power surges
Control room: system operators need to detect corrupted data in real time

5 Approach
Discover corruption in streaming data: rely on corroboration from distributed sensors
[Figure: Kirchhoff's current law illustration, image from the Wikipedia page on Kirchhoff's laws; the currents entering a node sum to the currents leaving it]
Automatically infer constraints and correlations
Find physically unrealizable states in data streams

6 Data
Simulated data on the IEEE-30 power grid standard
Real ORNL distribution power grid data: the power grid includes 600+ measurements every 30 s over months, but with many missing values. A dense subset of over 700k records of 160+ measurements.

7 Approach: Operational Architecture
Pipeline components: data corruption attacks, data matrix {(time, sensor, values)}, learned classifier, streaming alerts, operational use
What about missing data?
After pre-processing, data attacks are synthesized
A classifier is trained on the synthesized attacks
Ongoing streaming data is then classified: Is there an attack? On which bus?
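The corroboration idea behind slides 5 and 7 (infer the physical constraints from the data itself, then flag records that no realizable state could produce), as an added example written for this transcript rather than code from the CPAD project. It assumes a constructed five-sensor, two-bus current model obeying Kirchhoff's current law and uses a linear null-space check in place of the neural-network classifier, so the contrast with a single-sensor z-score baseline can be seen directly:

```python
"""Cross-sensor corroboration vs. single-sensor z-scores on constructed grid data."""
import numpy as np

rng = np.random.default_rng(7)

def simulate_clean(n=2000, noise=0.02):
    """Constructed currents (A) at two buses that obey Kirchhoff's current law:
    bus A: s0 + s1 = s2, bus B: s2 = s3 + s4. Sensor noise is added on top."""
    s0 = rng.uniform(5, 15, n)
    s1 = rng.uniform(3, 10, n)
    s3 = rng.uniform(2, 8, n)
    x = np.column_stack([s0, s1, s0 + s1, s3, s0 + s1 - s3])
    return x + rng.normal(0.0, noise, x.shape)

def infer_constraints(x, rel_tol=0.05):
    """Learn linear relations from data alone: right singular vectors of the
    centered data matrix with near-zero singular value are physical constraints.
    Returns (mean, constraint basis, residual threshold fitted on clean data)."""
    mean = x.mean(axis=0)
    _, sv, vt = np.linalg.svd(x - mean, full_matrices=False)
    basis = vt[sv < rel_tol * sv[0]]
    train_resid = np.linalg.norm((x - mean) @ basis.T, axis=1)
    return mean, basis, 1.5 * train_resid.max()

def corroboration_alert(record, mean, basis, thresh):
    """Flag a record whose sensors are jointly physically unrealizable."""
    return bool(np.linalg.norm((record - mean) @ basis.T) > thresh)

def zscore_alert(record, x, z=3.0):
    """Baseline: each sensor is judged against its own history only."""
    return bool(np.any(np.abs(record - x.mean(axis=0)) / x.std(axis=0) > z))

TRAIN = simulate_clean()
MEAN, BASIS, THRESH = infer_constraints(TRAIN)

# Constructed test records: a clean one near typical values, then an injection
# of +2 A on sensor s2 that stays well inside s2's normal range (8 to 25 A).
CLEAN = np.array([10.0, 6.5, 16.5, 5.0, 11.5])
INJECTED = CLEAN.copy()
INJECTED[2] += 2.0

def demo():
    """Returns (z-score alert, corroboration alert) for each constructed record."""
    return {
        "constraints_found": len(BASIS),
        "clean": (zscore_alert(CLEAN, TRAIN), corroboration_alert(CLEAN, MEAN, BASIS, THRESH)),
        "injected": (zscore_alert(INJECTED, TRAIN), corroboration_alert(INJECTED, MEAN, BASIS, THRESH)),
    }

if __name__ == "__main__":
    print(demo())
```

The injected value is unremarkable on its own history, which is why the per-sensor z-score stays silent, while the learned constraints catch it at once. An instantaneous check like this cannot catch a replay of an entire past record that is internally consistent; detecting that requires the temporal correlations the slides mention as well.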

8 Approach: Machine Learning
Neural networks are used to build classifiers
Larger hidden layers => learn more patterns
More hidden layers => more non-linearity in detection
But trade-off: slower, and could overtrain if not enough data
[Figure: a neural network with a hidden 4-node layer]

9 CPAD models can perform 30+ times better than single-sensor models
Results

IEEE-30 Simulations
Model Architecture        Accuracy
Single-sensor Z-score     3.2%
Logistic regression       8%
Hidden 20-node layer      97%
Hidden 60-node layer      99%

ORNL Power Data
Model Architecture        Accuracy
Single-sensor Z-score     2.5%
Logistic regression       8%
Hidden 60-node layer      81%
Hidden 120-node layer     87%
Hidden 180-node layer

Single sensor = 1/41 = 0.244
CPAD models can perform 30+ times better than single-sensor models

10 Additional Similar Applications
Power transmission & distribution
Smart traffic control
Power generation plants
Automobiles, aircraft, ships
Works because: distributed corroborating sensors describing states subject to the laws of physics
Other, similar applications include… Power: Car: Vehicle control system:

11 Competitive Advantages
Other Solutions:
  PFP: alert on power use deviations
  Barricade: alert on deviations in behavior
  Both PFP and Barricade identify attacks by looking at each sensor individually, based on laboratory tests of sensors
CPAD:
  Exploits correlations across multiple sensors
  Leverages increases in system instrumentation
  Train it on collected data: trains directly from data; currently collected data generally suffices
  No laboratory testing required
  No hardware or system specification needed
Train it on already collected sensor data. No new data collection required. No interactive component testing required. Only sensor data is needed. No need for hardware specifications.

12 Benefits of CPAD
Real-time data corruption detection
Complements sensor protections (defense-in-depth)
Also can identify sensor failures

13 Looking for Pilot Opportunities
Our next phase is to pilot CPAD on more systems
One-to-six month pilot on your system & data
From you: access to your data streams or historical data
For you: a stream of alerts and greater situational awareness on your system
These pilots will allow us to ensure our technology truly meets diverse customer needs

14 CPAD Demo

15 For more information, contact ST.TTP@hq.dhs.gov
THANK YOU! CPAD: Real-Time Cyber-Physical Attack Detection
Erik M. Ferragut | ORNL |
This technology has been brought to you by the DHS S&T Cyber Security Division Transition to Practice (TTP) Program. For more information, contact ST.TTP@hq.dhs.gov.
