Distributed intrusion detection/prevention system design and implementation for secure SCADA communication in smart grid
Cybersecurity is an expanding research area of tremendous importance to critical infrastructures. Organizations in sectors such as power, oil, and gas use SCADA communication to manage and control their outstations across a wide area. Standard SCADA protocols such as DNP3, Modbus, and IEC 61850 are used to control, share, and exchange real-time information. The communication involves cyber-physical system processes and requires high availability and integrity of the data. DNP3, commonly carried over TCP/IP, is widely used in these infrastructures. Once the cyber component is involved, the systems become susceptible to network-based intrusions and cyber attacks. Since the communication is between the control center and its vast network of outstations, monitoring and controlling the network activity of the whole system becomes a challenge. This creates a demand to visualize the different network areas and to monitor their network activity from a single console. This work presents a framework for a distributed setup of the intrusion detection system (IDS) and provides a solution to detect network intrusions and abnormal behavior. The main focus of the work is to provide a single dashboard view to monitor the network activities of different outstations.
The design and implementation of the distributed setup are then explained for several architectures. Different types of IDS rules, based on packet payload, packet flow, and time thresholds, are generated to show how the attack surface of the system can be reduced and how different types of cyber attacks can be detected. IDS testing and evaluation are then performed with a set of rules applied in different sequences. The detection time is measured for the different IDS rules, and the results are plotted. All experiments are conducted in the Power Cyber Lab at ISU using the two-area and 39-bus power models and are presented in CPS- and Grid-Ex-based training. After successful testing and evaluation, the knowledge and implementation are transferred to field deployment. The last section summarizes the conclusions of the work and discusses possible extensions as future work.
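To make the three rule families concrete, the following is an added example written for this page; it is not code from the thesis or from the Power Cyber Lab deployment. It models one IDS sensor per network area, each applying a payload rule (DNP3 application-layer function code, with the link-layer header CRC verified), a flow rule (DNP3 requests from a host that is not an authorized master), and a time-threshold rule (more than N requests from one source within a sliding window), and merges the alerts into one list as a single-console view would. The master allowlist, the set of "sensitive" function codes, the thresholds, and the traffic are all constructed assumptions chosen for illustration; only the DNP3 framing details (start octets 0x05 0x64, TCP port 20000, the 10-byte link header, CRC-16/DNP) come from the protocol.

```python
"""Toy distributed-IDS rule engine for DNP3 over TCP (added example, not from the thesis)."""
from collections import defaultdict, deque
from dataclasses import dataclass

DNP3_PORT = 20000            # registered TCP port for DNP3 (IEEE 1815)
DNP3_START = b"\x05\x64"     # link-layer start octets

# Constructed allowlist: the only host expected to act as DNP3 master.
MASTER_ALLOWLIST = {"10.0.0.1"}

# Constructed choice of application-layer function codes treated as sensitive.
SENSITIVE_FC = {0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART", 0x15: "DISABLE_UNSOLICITED"}


@dataclass
class Packet:
    ts: float       # arrival time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes  # TCP payload, expected to start with a DNP3 link-layer frame


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC (0x3D65), init 0, final complement."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_dnp3_request(fc: int, dst_addr: int = 1, src_addr: int = 100) -> bytes:
    """Build a minimal one-block DNP3 request frame carrying function code `fc`.

    Link header: start(2) length(1) control(1) dest(2) src(2) CRC(2); the length
    field counts control, addresses and user data but not CRCs. User data is
    transport header + application control + function code, followed by its CRC."""
    user_data = bytes([0xC0, 0xC0, fc])          # FIR/FIN set, sequence 0
    header = DNP3_START + bytes([5 + len(user_data), 0xC4])  # 0xC4: DIR=1 PRM=1, unconfirmed user data
    header += dst_addr.to_bytes(2, "little") + src_addr.to_bytes(2, "little")
    header += dnp3_crc(header).to_bytes(2, "little")
    return header + user_data + dnp3_crc(user_data).to_bytes(2, "little")


def dnp3_function_code(payload: bytes):
    """Return the application-layer function code of a DNP3 request, or None if
    the frame is too short, has wrong start octets, or fails the header CRC."""
    if len(payload) < 15 or payload[:2] != DNP3_START:
        return None
    if int.from_bytes(payload[8:10], "little") != dnp3_crc(payload[:8]):
        return None
    return payload[12]   # byte 10 = transport header, 11 = app control, 12 = function code


class Sensor:
    """One IDS sensor per network area; every alert is tagged with the area so a
    central dashboard can merge alerts from all outstations."""

    def __init__(self, area: str, rate_limit: int = 3, window: float = 1.0):
        self.area = area
        self.rate_limit = rate_limit      # constructed threshold: requests per window
        self.window = window              # constructed window length in seconds
        self._recent = defaultdict(deque)  # src -> timestamps of recent DNP3 requests

    def inspect(self, pkt: Packet) -> list:
        alerts = []
        if pkt.dport != DNP3_PORT:
            return alerts
        # Flow rule: DNP3 traffic from a host that is not an authorized master.
        if pkt.src not in MASTER_ALLOWLIST:
            alerts.append((self.area, "FLOW", f"DNP3 from unauthorized source {pkt.src}"))
        # Payload rule: inspect the function code (malformed frames are also flagged).
        fc = dnp3_function_code(pkt.payload)
        if fc is None:
            alerts.append((self.area, "PAYLOAD", "malformed DNP3 frame"))
        elif fc in SENSITIVE_FC:
            alerts.append((self.area, "PAYLOAD", f"sensitive function {SENSITIVE_FC[fc]}"))
        # Time-threshold rule: sliding window of request timestamps per source.
        q = self._recent[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.rate_limit:
            alerts.append((self.area, "THRESHOLD", f"{len(q)} requests from {pkt.src} in {self.window}s"))
        return alerts


def run_dashboard(sensors: dict, traffic: list) -> list:
    """Feed each (area, packet) to that area's sensor and return the merged alert list."""
    merged = []
    for area, pkt in traffic:
        merged.extend(sensors[area].inspect(pkt))
    return merged


def sample_traffic() -> list:
    """Constructed traffic: area A sees a normal read poll and then a cold-restart
    request from a rogue host; area B sees a burst of four reads from the master."""
    m, rogue = "10.0.0.1", "10.0.0.9"
    return [
        ("area-A", Packet(0.0, m, "10.0.1.10", DNP3_PORT, build_dnp3_request(0x01))),
        ("area-A", Packet(0.5, rogue, "10.0.1.10", DNP3_PORT, build_dnp3_request(0x0D))),
        ("area-B", Packet(1.0, m, "10.0.2.10", DNP3_PORT, build_dnp3_request(0x01))),
        ("area-B", Packet(1.2, m, "10.0.2.10", DNP3_PORT, build_dnp3_request(0x01))),
        ("area-B", Packet(1.4, m, "10.0.2.10", DNP3_PORT, build_dnp3_request(0x01))),
        ("area-B", Packet(1.6, m, "10.0.2.10", DNP3_PORT, build_dnp3_request(0x01))),
    ]


def demo() -> list:
    sensors = {"area-A": Sensor("area-A"), "area-B": Sensor("area-B")}
    return run_dashboard(sensors, sample_traffic())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The rogue cold-restart packet trips both the flow rule and the payload rule, while the burst of reads trips only the threshold rule once the fourth request lands inside the one-second window; a real deployment would tune the window and limit per outstation polling rate and would validate every 16-byte data block CRC, not just the header.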