An attack graph is a useful tool for network defenders, showing the routes an attacker can use to gain entry to a target network. Cyber-attacks endanger the security of smart grids because of the vulnerabilities present in the diverse components that constitute them. This paper introduces a new tool, built with Python and Jupyter Notebook, to enumerate an attack graph for a smart grid. The smart grid is formally described and implemented, specifying the system design, links, weaknesses, resources, potential attack instances, and their pre- and post-conditions. The tool is used to automatically determine an attack sequence in the form of a counterexample. It constructs the counterexamples, encodes them to loosen the requirement, and iterates until all attack sequences are disclosed. Finally, the attack graph that leads to disruption of the smart grid’s workflow is visualized graphically.

1. Introduction

Cyber-physical systems (CPSs) have physical processes that are observed and controlled in the cyber domain by sophisticated computation and communication technologies [1]. A smart grid is a CPS that faces many technological demands. The European Regulators’ Group for Electricity and Gas (ERGEG) defines a smart grid as an electricity network that can efficiently integrate the behavior and actions of all users connected to it (generators, consumers, and those that do both) to ensure an economically efficient, sustainable power system with low losses and high levels of quality and security [2].

From a technical viewpoint, smart grids are susceptible to cyber-attacks because of their flexible communication infrastructures, increased reliance on intelligent electronic devices (IEDs), sophisticated metering infrastructures, and distributed control centers. Such cyber infrastructure increases communication, connectivity, control, and automation. The smart grid also uses commodity information technologies, which regularly have documented vulnerabilities [3].

Several incidents that exploited such vulnerabilities have been investigated. For instance, in January 2003, in Ohio, the Slammer worm disrupted the computerized safety monitoring system at the Davis–Besse nuclear power plant, which was shut down for maintenance at that time. The managers in charge of the plant thought it was secure, because a firewall separated the plant network from the outside network. The worm infiltrated the plant network through a contractor’s infected computer that was connected via a telephone dial-up directly to the plant network, thus bypassing the firewall [4].

In March 2008, in Georgia, the Hatch Nuclear Power Plant near Baxley was forced into an emergency shutdown for 48 hours following a software update that was installed on a single computer. According to a document submitted by the Nuclear Regulatory Commission, the data in the control system were reset as soon as the updated computer rebooted, which misled the safety systems into interpreting the lack of data as a drop in the level of a water tank that cools the plant’s radioactive nuclear fuel rods. Accordingly, the automated safety systems at the plant triggered a shutdown [5].

In July 2010, the Siemens SIMATIC WinCC supervisory control and data acquisition (SCADA) system was invaded by the Stuxnet worm. The worm exploited vulnerabilities of the Microsoft Windows operating system. This was the first malicious attack to directly damage industrial infrastructure. According to Symantec’s statistics, around 45,000 networks all over the world had been attacked by this worm at the time, and about 60% of the targeted networks were in Iran. The government of Iran confirmed that the country’s Bushehr Nuclear Power Plant had been infected by Stuxnet [6]. The cyber security of the smart grid was further inspected by generating an attack graph that shows the potential paths an attacker can pursue to exploit the network and achieve definite target advantages. A set of initially satisfied advantages is given as input; the graph introduces the relationships between the various vulnerabilities that can be used by the attacker, and the advantages acquired by the attacker are the results of exploiting these vulnerabilities [7].

In our work, the smart grid system model is formalized. The formal description captures the architectural specifications of the system: its elements and their connectivity, the system’s behavior, its dynamic state variables, the pre- and post-conditions of attack instances, and the security properties. A novel model-based automated attack graph tool is proposed, together with the automated generation of all counterexamples. This requires loosening the requirement by encoding the prior counterexamples, so that a different counterexample is found in every iteration. The model is encoded with our new tool using Python 3.6.0 [8] and Jupyter Notebook [9] to automatically generate and visualize attack scenarios as a complete attack graph. The rest of this paper is organized as follows. Section 1.1 reviews the related work. Section 2 describes the smart grid system. Section 3 presents the workflow of the tool used to generate the attack scenarios. Section 4 presents the implementation of cyber-attack scenarios on the smart grid. Section 5 summarizes and presents some future directions.

1.1. Related Work

An attack graph is one of the prominent methods of cyber-attack modeling and impact assessment for analyzing the security of a network. For more than 20 years, researchers have been conducting studies on the construction and analysis of attack graphs. An attack graph is a graph that displays all potential sequences of the attackers’ activities that allow them to reach their goals.

The major disadvantage of this technique is its computational complexity. Constructing an entire attack graph for an attacker is a computationally complex problem and commonly requires a long time. For a relatively small network, the attack graph can be generated rapidly. However, when assembling a graph for a large network of hundreds or even thousands of hosts, where the outcome must be obtained in finite time, the graph-based algorithms demand a very large amount of computational resources. Furthermore, over time, the configuration of hosts and links can change, and the attack graph will then need to be regenerated [10].

Attack graph generation methods can be divided into two types. The first uses a model checker or logic system to create an attack graph. The second produces attack graphs based on graph theory. For instance, the researchers in [11] used a model checker to investigate the network’s vulnerabilities. Nevertheless, this approach can only generate one attack scenario, assuming that the target model cannot satisfy the selected security properties. In [12], the model checker was improved so that it could generate all attack scenarios. The authors used this tool to automatically develop the attack graph for the target network. To analyze the vulnerabilities of the Transmission Control Protocol (TCP), the authors in [13] used Content Security Policy (CSP). This approach can only analyze some simple security aspects and produce attack scenarios.

The researchers in [14] used model checking technology to study the host’s vulnerabilities. They created a model that could represent all possible system behaviors by characterizing each security-related element of the system, and then used a model checker to discover the attack scenario. On this basis, they developed a vulnerability analysis tool for Unix systems.

An approach suggested in [15] used an attack graph to study the network’s security. In the graph, nodes represent network states after being attacked. The authors used attack templates to represent similar attacks. The attack graph was generated backward from the target state by applying the attack templates. This method cannot automatically produce an attack graph, and it also cannot satisfy the needs of large-scale network security analysis.

The generation method presented in [16] used a model checker and generated the attack graph based on graph theory. The authors introduced a monotonicity assumption under which attackers never need to backtrack. The space and time complexity of this approach was better than that of the model checking method alone. In contrast, logic-based methods were applied in [17] to build attack graphs. Scanners were used to gather information about the network, and attack graphs were generated using reasoning engines. This method could accurately extend the attack templates according to the vulnerabilities’ characteristics.

Moreover, new techniques for building attack graphs have been proposed in the last two years. For instance, [18] investigates 5G network vulnerability assessment and provides a dynamic method that combines the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) with hexagonal fuzzy numbers to accurately analyze 5G network vulnerabilities. The suggested method takes into account both the vulnerabilities and the dynamic characteristics of the 5G network, such as latency and accessibility, to identify potential attack graph paths in the network, and it calculates the attack cost and security level. A 5G testbed is then used to test and validate the suggested method and to compare it with the original TOPSIS and the well-known vulnerability scanner Nessus.

A strategy for assigning probability distributions to attack steps and defenses in Meta Attack Language (MAL)-based domain-specific languages (DSLs) is proposed in [19]. The proposed method consists of three sub-processes that fit within the Process for Attack Simulation and Threat Analysis (PASTA). The method was demonstrated by applying probability distributions to enterpriseLang, a MAL-based DSL. When two separate versions of enterpriseLang (binary relations and probability distributions) are used to simulate attacks on a system model instance, the one with probability distributions produces more realistic simulation results than the one with binary relations.

A new attack graph model is presented in [20] for reasoning about speculative execution attacks. The authors characterize attacks as ordered dependency graphs and show that if a dependence edge between two nodes is absent, a race condition can occur. Then, between a resource access and its preceding authorization procedure, a new concept called “security dependence” is added. The model gives specific examples of how the attack graph captures the Spectre and Meltdown attacks and generalizes it to all known attack types. This attack model can also be used to discover new attacks and to generalize response tactics. Several protection techniques are identified by the authors, each with a different performance–security trade-off.

Many other studies have built attack graphs for network security analysis. In this paper, we present a new tool for generating an attack graph for smart grid security analysis. It is based on representing the system, its network, sub-systems, vulnerabilities, and attack instances, along with their pre- and post-conditions, as matrices. These matrices are then encoded in Python and Jupyter Notebook to study the possible attacks that can be executed on the grid. Ultimately, the tool can automatically generate the attack scenarios that constitute the attack graph.

2. Smart Grid Modeling

In this paper, the smart grid is modeled to demonstrate how exploiting its vulnerabilities can disrupt its functionality. The model includes system topology, vulnerabilities, potential attack instances, the system’s formal depiction, and matrix representation.

2.1. Smart Grid Topology

Figure 1 represents the smart grid architecture. It has the following processes:
(i) Generation System (GS): It transforms bulk energy into electrical energy, links directly to the transmission system, and offers smart applications. Examples of power generators are coal-fired, gas, and wind-powered turbines, and solar and nuclear power plants [21].
(ii) Transmission System (TS): It conveys electrical energy from generation over long distances. TS is normally remotely coordinated and administered by the Transmission Control Center (TCC) [19].
(iii) Distribution System (DS): It supplies the electrical energy received from the transmission system to power consumers. To reduce fault clearing time and identify faults faster, small transformer substations need to be automated. DS is normally remotely controlled and monitored by a Distribution Control Center (DCC) [22].
(iv) Consumption (C): It refers to power consumers (e.g., industries, which operate process automation to control the manufacturing process and energy consumption or generation) [23].
(v) Service Provider (SP): It creates agreements with consumers to deliver electricity to specific devices and cooperates with internal devices via messages conveyed by the smart meter. Moreover, users should register with the electric utility and acquire digital certificates for their identities and public keys. The certificates are then used to enable protected communication with users [24].
(vi) Market System (MK): It circulates the market state and prices online, within a far shorter period, to a larger audience and to members of the system [22].
(vii) Smart Meter (SM): It is a complete embedded system. An SM includes a microcontroller with nonvolatile and volatile memory, timers, analog/digital ports, a real-time clock, and serial communication facilities. Smart meters register the power consumption periodically, transmit it to the utility server, connect or disconnect a client’s power, and generate and transmit alarms in case of abnormality [25].
(viii) Control Center (CC): The main task of the CC is to provide intelligent early warning by observing the main transmission network over a period of time and analyzing its security through cooperation among many specialized teams. Hence, the CC optimizes transmission operation by assembling, integrating, analyzing, and mining the operational data to support a higher-level decision process. It additionally ensures the safety, reliability, flexibility, coordination, economy, greenness, and efficiency of the electrical power network. All of these tasks depend on accurate and adequate data, so data management is a vital task for realizing intelligent dispatching [26].
(ix) Access Point (AP): It exists for external Internet networking. The attacker is considered to be present at this point.

The market system (MK) and service provider (SP) domains constitute the management system (M), which is responsible for service provision, energy distribution management, and energy market management. The communication infrastructure of the smart grid is based on three types of networks [27]:
(i) Home area network (HAN): It operates within a limited area (tens of meters), commonly a small office or a house. The HAN has a relatively low transmission data rate of hundreds of bits per second (bps).
(ii) Neighborhood area network (NAN): It is deployed within an area of hundreds of meters, which in practice is a few urban buildings. Many HANs can be linked to one NAN, and they transmit the energy consumption data of each house to the NAN.
(iii) Wide area network (WAN): It operates within a large area of tens of kilometers and consists of several NANs. Additionally, the communication of all smart grid components, including the control center and the generation, transmission, and distribution systems, takes place in the WAN.

2.2. Smart Grid Vulnerabilities

The following vulnerabilities were identified within the smart grid system:
(i) Customer Security (CS): Smart meters independently gather large amounts of data and carry them to the market, consumer, and service providers. These data contain private consumer information that might be used to infer the consumer’s activities, the devices being used, and the times when the home is unoccupied [28].
(ii) Greater Number Of Intelligent Devices (GNOID): A smart grid has many intelligent devices that are concerned with organizing both the electricity supply and the network demand. These intelligent devices may act as attack entry points into the network. Furthermore, the enormous size of the smart grid network (100 to 1000 times larger than the Internet) makes network monitoring and management extremely challenging [29].
(iii) The Lifetime Of Power Systems (LOPS): As power systems coexist with quite short-lived IT systems, it is to be expected that outdated equipment is still in service. Such equipment might act as a weak security node and might be unsuitable for present power system devices [30].
(iv) Zero-Day (ZD): It is a computer software vulnerability unknown to those who should be concerned with mitigating it. Until the vulnerability is mitigated, attackers can exploit it to harm programs, data, and additional computers or networks [31].
(v) Firmware: It is susceptible to an extensive range of software errors. These errors include memory corruption flaws, application logic flaws, and command injection vulnerabilities [32].

The M system has CS, GNOID, and ZD vulnerabilities, while GS, CC, T, and D systems have both LOPS and firmware vulnerabilities.

2.3. Possible Attacks

The following attacks were investigated against the smart grid systems:
(i) Malware Spreading (MS): An attacker can create malware and distribute it to infect smart meters or company servers. MS can be used to replace or add any function to a device or a system, such as sharing sensitive information [33].
(ii) Eavesdropping (E): It is a form of passive attack in which the attacker overhears the messages between the nodes on the communication channel [34].
(iii) Denial of Service (DoS): This attack targets the system’s availability. It intends to delay, stop, or disturb data transmission in smart grids. Thus, it produces shutdowns, blackouts, or denial of data exchange. The loss of control messages or of the availability of the data stream can disturb the power distribution and the system [35].
(iv) Zero-Day (ZDA): It is a cyber-attack abusing zero-day vulnerabilities that have not been revealed publicly. There is almost no protection against a zero-day attack: while the vulnerability remains unknown, the affected software cannot be repaired, and anti-virus products cannot spot the attack through signature-based scanning [36].
(v) Bypass Security Mechanism (BSM): It can be applied within a firmware update to attack specific hardware (PLC, RTU) to gain access and take control of it. The PLC and RTU can be located in the DCC, TCC, and CC [37].

2.4. Smart Grid Formal Depiction

The system is formally depicted as follows:
(1) The attacker is expected to be located at AP and has a root privilege (static).
(2) Generation system GS (static).
(3) Set of transmission elements T; variable t ∈ {TS, TCC} (static).
(4) Set of distribution elements D; variable d ∈ {DS, DCC} (static).
(5) Set of management elements M; variable m ∈ {SP, MK} (static).
(6) Consumption C (static).
(7) Smart meter SM (static).
(8) Control center CC (static).
(9) System connectivity N ⊆ GS × GS, GS × T, GS × CC, T × T, T × D, D × D, D × CC, D × C, T × CC, CC × CC, M × M, M × CC, CC × SM, SM × SM, SM × C, C × C, M × GS, M × T, M × D, M × SM; n_ij = 1 if element i is connected to element j (static).
(10) System vulnerabilities V; Boolean v_i = 1 if vulnerability v ∈ {CS, GNOID, LOPS, ZD, firmware} is present on host i (static).
(11) Set of possible attacks A; variable a ∈ {MS, E, DoS, ZDA, BSM} (static).
(12) Attack instances AI ⊆ A × (GS × T, GS × CC, T × D, D × D, D × CC, D × C, T × CC, CC × CC, M × M, M × CC, M × GS, M × T, M × D); labeled a_ij = attack a from source i to target j, a ∈ A (static).
(13) Attacker level of privilege P on host i; variable p_i ∈ {none, user, root} with a total order of privilege levels: root (2) > user (1) > none (0) (dynamic).
(14) Data knowledge K; Boolean k_j = 1 if the attacker gains knowledge about target j (dynamic).
(15) Latency L from element i; Boolean l_i = 1 if the communication from i is delayed (dynamic).
(16) Hardware control H on device i ∈ {D, CC, T, GS}; Boolean h_i = 1 if the attacker gains control over the firmware of device i (dynamic).
(17) Attack instance pre-conditions:
 (i) Pre(MS_ij) ≡ (n_ij = 1) ∧ (GNOID_j = 1) ∧ (∃y ∈ {M}: k_i = 1).
 (ii) Pre(E_ij) ≡ (n_ij = 1) ∧ ((CS_j = 1) ∧ (GNOID_j = 1)).
 (iii) Pre(DoS_ij) ≡ (n_ij = 1) ∧ (p_i = 2) ∧ ((LOPS_j = 1) ∧ (firmware_j = 1)).
 (iv) Pre(BSM_ij) ≡ (n_ij = 1) ∧ (p_i = 1) ∧ ((LOPS_j = 1) ∧ (firmware_j = 1)) ∧ (∃y ∈ {D, CC}: k_j = 1).
 (v) Pre(ZDA_ij) ≡ (n_ij = 1) ∧ (ZD_j = 1).
(18) Attack instance post-conditions:
 (i) Post(MS_ij) ≡ (p_j = 2).
 (ii) Post(E_ij) ≡ (k_j = 1).
 (iii) Post(DoS_ij) ≡ (p_j = 2) ∧ (l_j = 1) ∧ (k_j = 1).
 (iv) Post(ZDA_ij) ≡ (p_j = 2).
 (v) Post(BSM_ij) ≡ (h_j = 1).
(19) Initial state: p_AP = 2 ∧ (∀j ∈ {D, T, M, GS, CC}: (p_j = l_j = h_j = k_j = 0)). This means the attacker has a root privilege on the AP, and for all the sub-systems D, T, M, GS, CC, the attacker has no privilege, has not caused a delay in the communication, has no control over the firmware of the devices, and has no knowledge about them.
(20) Security property φ: the attacker cannot disrupt the smart grid system by causing a delay in the distribution and having a root privilege over the distribution system, or by having a root privilege over the control center, or by gaining control over the distribution’s firmware. This property can be expressed in computation tree logic as: φ ≡ AG(((l_D = 0) ∨ (p_D = 0)) ∧ (h_D = 0) ∧ (p_CC = 0)) ≡ AG(¬(((l_D = 1) ∧ (p_D = 2)) ∨ (p_CC = 2) ∨ (h_D = 1))).

The parameters in the formal depiction are either static (inherent in the system architecture, such as connectivity and system vulnerabilities, and required as part of the attack pre-conditions) or dynamic (i.e., their values change with attacks as specified by the attack post-conditions, such as the attacker’s privilege).

2.5. System Description Using Matrices

Once the formal description of the system is structured, three matrices are constructed, namely the state, pre-condition, and post-condition matrices, as follows:
(i) State matrix: Shown in (1), the rows are the sub-systems {T, D, M, GS, CC, AP} and the columns are the concatenation of the vulnerabilities {CS, ZD, GNOID, LOPS, firmware} and the dynamic variables {p, k, l, h}, respectively. This matrix reflects the evolving system state upon the execution of attacks.
(ii) Pre-condition matrix: Shown in (2), the rows are the attacks {MS, E, DoS, BSM, ZDA} and the columns are the concatenation of the vulnerabilities {CS, ZD, GNOID, LOPS, firmware} and the dynamic variables {p, k, l, h}, respectively, whose values are taken from the formal depiction of the pre-conditions.
(iii) Post-condition matrix: It has the same elements as the pre-condition matrix. However, its values are taken from the formal depiction of the post-conditions.

3. Algorithm Description

In this section, we present our new tool that automatically generates and visualizes the cyber-attack scenarios using Python 3.6.0 and Jupyter Notebook. Algorithm 1 illustrates the applied scheme.

Algorithm 1: Generation of an attack scenario.
Input: State, pre-conditions, post-conditions;
Output: Attack scenario;
Start program;
while (State) equal (Security Property) do
    if (Pre-Conditions) less than or equal to (State) then
        Store (Attack’s Name and Sub-System) to (Attacks);
        Update (State) with (Post-Conditions);
    else
        The system cannot be compromised;
    end
end
Generate Attack Scenario;

Initially, the state, pre-, and post-condition matrices are constructed from the formal system depiction. The elements of the state matrix are initially equal to the variables of the initial state, as shown in

The pre- and post-condition matrices are presented in (4) and (5), respectively:

For instance, the element  = 1 corresponds to the set of transmission elements T, which has the LOPS vulnerability. The element  = 1 corresponds to the MS attack, which exploits the vulnerability. The element corresponds to the MS attack’s post-condition of gaining a root privilege. The algorithm starts with a loop that compares the security property variables with their counterparts in the state matrix. While the variables are equal (i.e., no security property violation), all rows of the pre-condition matrix are compared with all rows of the state matrix, until the variables of one row of the pre-condition matrix are less than or equal to the variables of one row of the state matrix. When this condition holds, an attack instance is executed and the algorithm breaks out of the loop, to make sure that only one attack instance is executed in each run. For instance, the elements of the second row of the pre-condition matrix are less than or equal to their counterparts in the third row of the state matrix. This corresponds to the execution of the first attack, E on M, exploiting the CS vulnerability. As a result, the second row of the post-condition matrix is added to the third row of the state matrix. This indicates that information about the M sub-system is obtained as a result of executing attack E, thus updating the state matrix as shown in

To make sure that the same attack instance is not repeated and the algorithm does not enter a deadlock, a new array structure, called attacks, was created. The first column of this array stores the attack instances that were executed (given by the row number in the pre-condition matrix), and the second column stores the corresponding sub-systems that were attacked (given by the row number in the state matrix). For instance, the executed attack instance E against sub-system M is given in

Next, the algorithm compares the updated state with the security property again. While the state is equal to the security property (i.e., no security property violation), the state matrix is compared with the pre-condition matrix again, but now excluding the second row of the pre-condition matrix and the third row of the state matrix from the comparison (attack instance E against sub-system M). These steps are repeated until the state is no longer equal to the security property (i.e., a security property violation), which indicates a first counterexample (CE), presented here as an attack scenario: a sequence of attack instances causing system compromise. Figure 2 illustrates the algorithm’s flowchart for generating a CE.

After generating the first CE, the same steps are repeated to generate the remaining distinct CEs by comparing each new CE with the ones already discovered, hence preventing CE repetitions. Afterward, the generated CEs are fed to a class within the algorithm that encodes the result in the DOT language [38] to visualize the attack graph.
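As an added example (not the paper’s own tool), the following Python encodes the formal depiction of Section 2.4 as state, pre- and post-condition rows, runs the counterexample search of Section 3 until every distinct attack sequence violating φ has been found, and emits the resulting attack graph in DOT; CE1 and CE2 of Section 4 are among the sequences it finds. The connectivity links (the attack-instance set AI plus AP → M), the simplified knowledge clause for MS, the skipping of no-op instances, and the depth bound max_len are assumptions of this example.

```python
from itertools import product

# Rows of the state matrix and its column order (Section 2.5).
HOSTS = ("T", "D", "M", "GS", "CC", "AP")
COLS = ("CS", "ZD", "GNOID", "LOPS", "firmware", "p", "k", "l", "h")
# Connectivity N: assumed from the attack-instance set AI plus the AP -> M
# link used by the counterexamples of Section 4.
LINKS = (("AP", "M"), ("M", "T"), ("M", "D"), ("M", "CC"), ("M", "GS"),
         ("T", "D"), ("T", "CC"), ("D", "CC"), ("GS", "T"), ("GS", "CC"))
# Pre-condition rows (17): (minimum privilege p_i on the source, required
# target columns). The knowledge clauses are simplified to "MS needs k_j = 1"
# (assumption), which is why E precedes MS in CE1.
PRE = {
    "MS": (0, {"GNOID": 1, "k": 1}),
    "E": (0, {"CS": 1, "GNOID": 1}),
    "DoS": (2, {"LOPS": 1, "firmware": 1}),
    "BSM": (1, {"LOPS": 1, "firmware": 1}),
    "ZDA": (0, {"ZD": 1}),
}
# Post-condition rows (18): target columns raised by the attack.
POST = {"MS": {"p": 2}, "E": {"k": 1}, "DoS": {"p": 2, "l": 1, "k": 1},
        "ZDA": {"p": 2}, "BSM": {"h": 1}}


def initial_state():
    """State matrix of the initial state (19): vulnerability columns from
    Section 2.2, dynamic columns all 0 except p_AP = 2 (root)."""
    state = {h: dict.fromkeys(COLS, 0) for h in HOSTS}
    for h in ("GS", "CC", "T", "D"):
        state[h]["LOPS"] = state[h]["firmware"] = 1
    state["M"].update(CS=1, GNOID=1, ZD=1)
    state["AP"]["p"] = 2
    return state


def violates(state):
    """Negation of phi: (l_D = 1 and p_D = 2) or p_CC = 2 or h_D = 1."""
    d = state["D"]
    return (d["l"] == 1 and d["p"] == 2) or state["CC"]["p"] == 2 or d["h"] == 1


def applicable(state, attack, src, dst):
    """Algorithm 1's test (pre-condition row <= target state row) plus the
    connectivity and source-privilege terms of (17); no-op instances skipped."""
    min_p, need = PRE[attack]
    if (src, dst) not in LINKS or state[src]["p"] < min_p:
        return False
    if any(state[dst][c] < v for c, v in need.items()):
        return False
    return any(state[dst][c] < v for c, v in POST[attack].items())


def apply_attack(state, attack, dst):
    """Add the post-condition row to the target row; max() respects the
    privilege order root (2) > user (1) > none (0)."""
    new = {h: dict(row) for h, row in state.items()}
    for c, v in POST[attack].items():
        new[dst][c] = max(new[dst][c], v)
    return new


def run(ce):
    """Replay a sequence of (attack, src, dst) instances from the initial state."""
    state = initial_state()
    for attack, src, dst in ce:
        if not applicable(state, attack, src, dst):
            raise ValueError(f"{attack}_{src}{dst} is not applicable")
        state = apply_attack(state, attack, dst)
    return state


def enumerate_ces(max_len=4, state=None, path=(), found=None):
    """Depth-first enumeration of all distinct CEs: sequences of attack
    instances, none repeated (the 'attacks' array of Section 3), that first
    violate phi at their last step. max_len bounds the search (assumption)."""
    state = initial_state() if state is None else state
    found = [] if found is None else found
    if violates(state):
        found.append(path)
    elif len(path) < max_len:
        for attack, (src, dst) in product(PRE, LINKS):
            inst = (attack, src, dst)
            if inst not in path and applicable(state, attack, src, dst):
                enumerate_ces(max_len, apply_attack(state, attack, dst),
                              path + (inst,), found)
    return found


def ce_label(ce):
    return " -> ".join(f"{a}_{s}{d}" for a, s, d in ce)


def to_dot(ces):
    """Encode the CEs as an attack graph in DOT: every CE prefix is a node,
    every instance an edge, and violating end states are drawn as boxes."""
    lines = set()
    for ce in ces:
        prev = "initial state"
        for k, (a, s, d) in enumerate(ce, 1):
            node = ce_label(ce[:k])
            lines.add(f'  "{prev}" -> "{node}" [label="{a}_{s}{d}"];')
            prev = node
        lines.add(f'  "{prev}" [shape=box];')
    return "\n".join(["digraph attack_graph {", "  rankdir=LR;"]
                     + sorted(lines) + ["}"])
```

Calling `enumerate_ces()` returns every CE as a tuple of instances, and `to_dot(...)` yields text that Graphviz renders as the attack graph.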

4. Implementation of Cyber-Attack Scenarios

In view of the property φ, the attacker’s aim is to disrupt the smart grid system by causing latency and having a root privilege over the distribution system, or by causing a blackout either by controlling the firmware of the distribution system or by gaining a root privilege over the control center. The first counterexample that was generated is (CE1: E_APM ⟶ MS_APM ⟶ BSM_MD). This CE can be read as follows. At the beginning, the attacker has a root privilege on AP; an E_APM attack is executed on M to gain information (e.g., the type of smart devices and applications that M uses). Next, an MS_APM attack is launched from AP to M, profiting from the GNOID vulnerability to gain privilege over M. Afterward, BSM_MD is executed on D, exploiting the LOPS vulnerability to gain control over D’s firmware. This can lead to a system blackout and ultimately affect the power consumption.

CE1 is then placed in disjunction with φ, (φ ∨ CE1). A different counterexample must satisfy ¬(φ ∨ CE1) = ¬φ ∧ ¬CE1. This yields a second counterexample (CE2: ZDA_APM ⟶ DoS_MCC). By repeating this operation, sixteen CEs were generated, composing all attack scenarios (i.e., the attack graph), as shown in Figure 3.

The attack graph has sixteen sequences that end in a reachable state where the system can be fully controlled and jeopardized by the attacker. Generally, the smart grid contains many vulnerabilities. Thus, as the graph shows, an attacker can compromise the system by executing as few as two sequential attacks. It can also be noticed in the resulting graph that the DoS and BSM attack instances can severely affect the smart grid as a result of the LOPS and firmware vulnerabilities. In [30], several solutions were discussed to protect the smart grid and enhance its security, such as the implementation of a robust authentication protocol, annual vulnerability evaluation of each element, and the adoption of virtual private network (VPN) architectures for secure communication.

5. Verification and Validation

A verification method can be either domain dependent (testing if there are anomalies in the tool using meta-knowledge on what is common in the domain) or domain independent (searching for general anomalies and mistakes in the implementation) [39].

In this work, domain-independent verification was performed through inspection of the tool’s output. The inspection ensured that all attack paths that should be created by the model appeared in the output, and that the model did not contain repeated attack paths.

Validity tests can be executed at the component level or at the system level to validate the full system against the proposed criterion. Our tool was validated at the system level by comparing its output with that of the model-based schemes of [40–42] and [43], respectively. These schemes used the Architecture Analysis and Design Language (AADL) [44] to formally model the system and then applied the JKind model checker [45] to check the model against the security properties. The generated counterexamples (given as large Excel sheets) were combined with visualization tools such as Graphviz [46] to represent the attack graph. Although these schemes can generate all possible scenarios, the code has to be modified after generating each scenario to make sure that JKind does not generate repeated scenarios. Moreover, these schemes consume a lot of time for generating the scenarios, checking the generated Excel sheets, encoding them in a language (the DOT language) that Graphviz can understand, and then compiling them in order to obtain a complete graph. This process may take between 3 and 5 hours.

Figure 4 shows one of the generated CEs as a spreadsheet (CE: E_APM ⟶ MS_APM ⟶ DoS_MT ⟶ DoS_TD) using their framework. This CE can also be seen in our generated attack graph, with the same changes in the dynamic variables. Our proposed scheme is scalable and fully automated. It is based on a matrix representation of the formal system depiction, and it does not require a model checker or any other visualization tool. The execution time of our scheme is less than an hour on a standard computer (processor: 2.3 GHz 8-Core Intel Core i9; memory: 16 GB 2667 MHz DDR4; running macOS Big Sur).

6. Conclusions

In this paper, a model-based attack graph implementation was presented for the smart grid, using an algorithm built with Python and Jupyter Notebook. The algorithm can automatically generate all scenarios and visualize the potential attack sequences with their terminating states and post-conditions. The generated attack graph can help system designers select the best combination of countermeasures to prevent such attacks. In future work, we intend to extend the algorithm to automatically display the associated resilience levels of the smart grid system.

Data Availability

The attack graph data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The authors would like to acknowledge the Deanship of Graduate Studies and Scientific Research at the German Jordanian University for the Seed fund SATS 03/2020.