Design, implementation, and field-testing of distributed intrusion detection system for smart grid SCADA network
With the electric power sector facing a growing trend of cyber-attacks in the past few years, the need for securing the power grid has never been higher, given the impact any breach in security could cause. This has motivated the need for robust cybersecurity solutions for the grid communication protocols covering major grid operations. Smart grid systems use SCADA communication protocols such as DNP3, IEC 61850 and Modbus to communicate between the control center and the substations within the utility. Existing Intrusion Detection Systems (IDS) focus on Information Technology (IT) rules and a few other smart grid protocol-specific Operational Technology (OT) rules, but are lacking in rules for the DNP3 smart grid communication protocol tailored to the utility. This thesis focuses on developing a utility-specific IDS for monitoring intrusions and anomalies in the DNP3 smart grid communication protocol. The developed solutions have been deployed and tested in a smart grid testbed environment emulating the IEEE 39-bus smart grid network, using Security Onion, an open-source SIEM tool. The IDS solutions have also been field deployed in a local utility’s distribution grid environment, where they have been tested against actual smart grid traffic from substations.
This thesis makes the following contributions: (i) designed a distributed IDS for DNP3; (ii) developed IDS Snort rules for utility-specific functions covering the major grid operations; (iii) created DNP3 attack scripts that craft malicious DNP3 payloads used to test the designed IDS solution; (iv) deployed the IDS solutions in a testbed and in a local utility’s distribution grid environment to test the efficacy of the rules in detecting intrusions and anomalies in the system. The test results showed that the IDS detected all the attack cases for the test cases considered, and the designed IDS latency was observed to be within the acceptable communication time limits between the substation and the control center.
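To make concrete what a utility-specific DNP3 rule checks, here is an added Python example that is not the thesis's code (the thesis implements its rules as Snort rules in Security Onion): it verifies both DNP3 CRC layers, extracts the link addresses, direction and application function code, and alerts when a master sends a function code outside a per-(master, outstation) profile. The profile contents and the addresses are constructed for this example, and the frame builder exists only to generate sample traffic for the detector.

```python
import struct

START = b"\x05\x64"
# Constructed utility profile: (master, outstation) -> request function codes that master may send.
PROFILE = {(1, 10): {0x01, 0x03, 0x04},   # 0x01 READ, 0x03 SELECT, 0x04 OPERATE
           (1, 11): {0x01}}               # outstation 11 is read-only from this master

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(src: int, dst: int, ctrl: int, user_data: bytes) -> bytes:
    """Encode one link frame; used here only to construct sample traffic for the detector."""
    hdr = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dst, src)
    out = hdr + struct.pack("<H", dnp3_crc(hdr))
    for i in range(0, len(user_data), 16):         # 16-byte data blocks, each with its own CRC
        out += user_data[i:i + 16] + struct.pack("<H", dnp3_crc(user_data[i:i + 16]))
    return out

def parse_frame(frame: bytes) -> dict:
    """Verify both CRC layers; return link addresses, direction and application function code."""
    if frame[:2] != START or len(frame) < 10:
        raise ValueError("not a DNP3 frame")
    dst, src, hdr_crc = struct.unpack("<HHH", frame[4:10])
    if dnp3_crc(frame[:8]) != hdr_crc:
        raise ValueError("header CRC mismatch")
    user, pos, left = b"", 10, frame[2] - 5          # length byte counts non-CRC bytes after it
    while left > 0:
        n = min(16, left)
        if dnp3_crc(frame[pos:pos + n]) != struct.unpack_from("<H", frame, pos + n)[0]:
            raise ValueError("data block CRC mismatch")
        user, pos, left = user + frame[pos:pos + n], pos + n + 2, left - n
    # user data: transport header, application control, then the application function code
    return {"src": src, "dst": dst, "from_master": bool(frame[3] & 0x80), "fc": user[2]}

def inspect_frame(frame: bytes) -> list:
    """Apply the utility profile to one frame; returns alert strings (empty = allowed)."""
    try:
        f = parse_frame(frame)
    except (ValueError, IndexError, struct.error) as e:
        return [f"malformed DNP3: {e}"]
    key, fc = (f["src"], f["dst"]), f["fc"]
    if f["from_master"] and fc not in PROFILE.get(key, set()):   # outstation responses not policed
        return [f"function code 0x{fc:02X} from master {key[0]} to outstation {key[1]} not in profile"]
    return []
```

A Snort rule expresses the same check with content matches on the DNP3 header bytes; the Python form makes the CRC handling and the per-pair profile explicit.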