ExtHT: A hybrid tracing method for cyber-attacks in power industrial control systems

Bibliographic Details
Published in: ISA Transactions 2023-05, Vol. 136, p. 1-15
Main Authors: Chen, Yang-Rong; Wang, Yu; Huang, Gui-Rong; Li, Jun-E
Format: Article
Language: English
Description
Summary: Tracing the sources of cyber-attacks in Power Industrial Control Systems (PICS) can help defense systems block the attacks and support decisions on grid control policies. However, there has been no work on cyber-attack source traceback for PICS, and the methods developed for the Internet are not suitable for PICS in terms of granularity, real-time performance, and supported communication protocols. Therefore, a method for tracing cyber-attacks in PICS is proposed. First, the communication network architecture of PICS and the cyber security threats to PICS are analyzed. Then, an extended hybrid tracing method (ExtHT) based on packet marking and packet logging is proposed. This method involves all the devices working at the data link layer and upper layers to achieve more fine-grained attack tracing. At the same time, taking the cost of attack tracing into consideration, a coarse-grained tracing mode is presented to improve tracing speed. In addition, a log database optimization scheme is provided to reduce storage costs. To facilitate the application of this method in practice, a cyber-attack source tracing system and its deployment architecture are designed for PICS. Further, the applicability and limitations of ExtHT are analyzed, theoretical arguments are given to justify ExtHT, and its performance is compared with that of existing mainstream methods. Finally, two cyber-attack scenarios against PICS are constructed and the feasibility of ExtHT is verified on them.

Highlights:
• An extended hybrid tracing (ExtHT) method for cyber-attacks in power industrial control systems (PICS) is proposed for the first time.
• ExtHT extends the devices involved in tracing from routers to all the transmission devices working at the data link layer and upper layers, achieving more fine-grained attack tracing.
• ExtHT can trace not only cyber-attacks carried out by application layer messages using the TCP/IP protocol, but also cyber-attacks carried out by application layer messages that do not use TCP/IP, such as GOOSE messages and SV messages.
• To reduce the storage overhead on transmission devices, a log database optimization scheme is presented. This scheme reduces the probability of erroneous tracing for replay attacks and improves the efficiency of attack source traceback.
• A cyber-attack source tracing system and its deployment architecture for PICS are designed to illustrate the application of ExtHT in practice.
• Two cyber-attack scenarios (i.e.
ISSN: 0019-0578, 1879-2022
DOI: 10.1016/j.isatra.2022.10.024