Security Analysis of Smart Grids

Ibrahim, Mariam; Elhafiz, Ruba

doi:https://doi.org/10.1155/2022/7199301

Security and Communication Networks

On this page

Abstract Introduction Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2022 | Article ID 7199301 | https://doi.org/10.1155/2022/7199301

Security Analysis of Smart Grids

Mariam Ibrahim¹and Ruba Elhafiz¹

Academic Editor: Yu Yao

Received12 Jan 2022

Revised12 May 2022

Accepted25 May 2022

Published10 Jun 2022

Abstract

An attack graph is a beneficial tool to network defenders, demonstrating the routes that an attacker can utilize to acquire entry to a target network. Cyber-attacks endanger the security of smart grids as a result of the presence of vulnerabilities in the diversified structural units establishing it. This paper introduces a new tool built using Python language and Jupyter Notebook to enumerate an attack graph for a smart grid. The smart grid is formally presented and implemented, determining system design, links, weaknesses, resources, potential attack instances, and their pre- and post-conditions. The tool is utilized to automatically determine an attack sequence in the form of a counterexample. It constructs the counterexamples, encodes those for requirement loosening, and iterates up until all attack sequences are disclosed. Then, the attack graph causing disruption of the smart grid’s workflow is graphically visualized.

1. Introduction

Cyber-physical systems (CPSs) have physical processes which are observed and controlled in the cyber field by sophisticated computation and communication technologies [1]. A smart grid is known to be a CPS that encounters many technological demands. The European regulator’s group for electricity and gas (ERGEG) defines a smart grid as an electricity network that can efficiently integrate the behavior and actions of all users connected to it (generators, consumers, and those that do both) to ensure an economically efficient, sustainable power system with low losses and high levels of quality and security [2].

From a technical viewpoint, smart grids are susceptible to cyber-attacks due to the supple communication infrastructures, increased reliance on intelligent electronic devices (IEDs), sophisticated metering infrastructures, and distributed control centers. Such cyber infrastructure increases communications, connectivity, control, and automation. Smart grid also uses homogeneous information technologies, which regularly have documented vulnerabilities [3].

Many events were investigated, benefiting from those vulnerabilities. For instance, in January 2003, in Ohio, the Slammer worm disrupted the computerized safety monitoring system at the Davis–Besse nuclear power plant that was locked for mending at that time. The managers in charge of the plant thought that it was secure, because there was a firewall that separated the plant network from the outside network. The worm infiltrated into the plant network by a contractor’s contaminated computer that was connected via a telephone dial-up directly to the plant network, thus bypassing the firewall [4].

In March 2008, Georgia, Hatch Nuclear Power Plant near Baxley was enforced to an emergency shutdown for 48 hours, following a software update that was integrated on a single computer. Based on a document submitted by the Nuclear Regulatory Commission, the data were rearranged in the control system as soon as the updated computer rebooted, thus misleading security systems to wrongly interpret the lack of data as a drop in a water tank that cools the plant’s radioactive nuclear fuel rods. Accordingly, the automated secure systems at the plant activated a shutdown [5].

In July 2010, the Siemens SIMATIC WinCC supervisory control and data acquisition (SCADA) system was invaded by the Stuxnet worm. The worm used the vulnerabilities of the Microsoft Windows operating system. This invasion was the first malicious attack which harmed the industrial infrastructure immediately. As stated by Symantec’s statistics, around 45,000 networks all over the world have been attacked with this worm until now, and about 60% of the targeted networks are in Iran. The government of Iran has assured that the country’s Bushehr Nuclear Power Plant has been infected by Stuxnet [6]. The cyber security of the smart grid was further inspected by generating an attack graph that showed potential paths that an attacker can pursue to exploit the network and achieve definite target advantages. A set of initially satisfied advantages is given as an input, which introduces the relationships between various vulnerabilities that can be utilized by the attacker, and the advantages acquired by the attacker are the results of manipulating these vulnerabilities [7].

In our work, the smart grid system model is formalized. The formal description captures the architectural specifications of the system; its elements and its connectivity; the system’s behavior; its dynamic state variables; pre- and post-conditions of attack instances; and the security properties. A novel model-based automated attack graph tool is proposed alongside the automated implementation of all counterexamples. This necessitates loosening up the requirement of the encoding of the prior counterexamples, so a different counterexample is located in every iteration. The model is encoded with our new tool using Python 3.6.0 [8] and Jupyter Notebook [9] to automatically generate and visualize attack scenarios as a complete attack graph. The rest of this paper is assembled as follows. Section 1.1 revises the related work. Section 2 describes the smart grid system. Section 3 presents the workflow of the presented tool that was used to generate the attack scenarios. Section 4 represents the implementation of cyber-attack scenarios on the smart grid. Section 5 summarizes and presents some future directions.

1.1. Related Work

An attack graph is one of the bright methods that involves cyber-attack modeling and impact assessment to analyze the security of a network. For more than 20 years, researchers have been conducting studies associated with the implementation and analysis of attack graphs. An attack graph is a graph that displays all potential arrangements of the attackers’ activities that serve them to establish their goals.

The major disadvantage of this technique is its computational complexity. Constructing an entire attack graph for an attacker is a computationally complex issue and commonly requires a long time. For example, for a relatively small size network, the attack graph can be generated rapidly. However, when assembling a graph for a large network that consists of hundreds or even thousands of hosts and the outcome should be acquired in a finite time, the graph-based algorithms demand a greatly big number of computational assets. Furthermore, over time, the formation between hosts and links can be altered, and the attack graph will demand reorganization [10].

Attack graph can be divided into two types. The first one utilizes a model checker or logic system to create an attack graph. The second one produces attack graphs based on graph theory. For instance, the researchers in [11] used a model checker to investigate the network’s vulnerabilities. Nevertheless, this approach can only generate one attack scenario assuming that the target model cannot satisfy the selected security features. In [12], the model checker was improved, and it was able to generate all attack scenarios. The authors used this tool to automatically develop the attack graph for the target network. To analyze the vulnerabilities of Transmission Control Protocol (TCP), the authors in [13] used Content Security Policy (CSP). This approach can only analyze some simple security aspects and produce attack scenarios.

The researchers in [14] used model checking technology to artificially study the host’s vulnerabilities. They created a model that could demonstrate all possible system behaviors by characterizing each security-related element of the system and then used a model checker to discover the attack scenario. On this basis, they grasped a vulnerability analysis tool for Unix systems.

An approach was suggested by [15] that used an attack graph to study the network’s security. In the graph, nodes showed network states after being attacked. They utilized an attack template to represent the same attacks. The attack graph was backward generated from the target state by exploiting the attack’s templates. This method cannot automatically produce an attack graph, and it is also unable to satisfy the need of the large-scale network security analysis.

The generation method presented by [16] used a model checker and generated the attack graph based on graph theory. They introduced a monotonicity theory that attackers never have to fall back. The space and time complexities of this approach were better than the model checking method alone. Nonetheless, the logic-based methods were applied in [17] to implement attack graphs. Scanners were used to gather information about the network, and attack graphs were generated by using the reasoning engines. The used method could accurately boost the attack templates corresponding to the vulnerabilities’ characteristics.

Moreover, new techniques for implementing attack graphs were conducted in the last two years. For instance, [18] investigates 5G network vulnerability assessment and provides a dynamic method that combines the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) with hexagonal fuzzy numbers to accurately analyze 5G network vulnerabilities. The suggested method takes into account both the vulnerability and 5G network dynamic characteristics such as latency and accessibility to identify potential attack graph paths in the network and calculates the attack cost and security level. Then, a 5G testbed is used to test and validate the suggested method, and compare it to the old TOPSIS and the well-known vulnerability scanner program, Nessus.

A strategy for assigning probability distributions to attack phases and defenses for Meta Attack Language (MAL)-based domain-specific languages (DSLs) is proposed in [19]. The proposed method consists of three sub-processes that fit within the Process for Attack Simulation and Threat Analysis (PASTA). The proposed method was shown by applying probability distributions to enterpriseLang, a MAL-based DSL. When two separate versions of enterpriseLang (binary relations and probability distributions) are used to simulate attacks on a system model instance, the one with probability distributions produces more realistic simulation results than the one with binary relations.

A new attack graph model is presented by [20] for thinking about speculative execution attacks. The authors characterize assaults as ordered dependency graphs and show that if a dependence edge between two nodes is absent, a race condition can occur. Then, between a resource access and its preceding authorization procedure, a new concept called “security dependence” is added. The model presents specific examples of how the attack graph simulates the Spectre and Meltdown attacks and generalizes it to all known attack types. This assault model can also be used to discover new attacks and generalize response tactics. Several protection techniques are identified by the authors, each with varying performance-security tradeoffs.

There are many other researches that were made to implement attack graph for network security analysis. Nonetheless, in this paper, we present a new tool for generating an attack graph for smart grid security analysis. It is based on representing the system, its network, sub-systems, vulnerabilities, and attack instances along with their pre- and post-conditions using matrices. Then, encode these matrices using Python and Jupyter Notebook to further study the possible attacks that can be executed on the grid. Ultimately, the tool can automatically generate the attack scenarios that constitute the attack graph.

2. Smart Grid Modeling

In this paper, the smart grid is modeled to demonstrate how exploiting its vulnerabilities can disrupt its functionality. The model includes system topology, vulnerabilities, potential attack instances, the system’s formal depiction, and matrix representation.

2.1. Smart Grid Topology

Figure 1 represents the smart grid architecture. It has the following processes:(i)Generation System (GS): It transforms bulk energy into electrical energy, directly links to the transmission system, and offers smart applications. Examples of power generators are coal-fired, gas, wind-powered turbines, and solar and nuclear power plants [21].(ii)Transmission System (TS): It conveys electrical energy for generation over further areas. TS is normally distantly coordinated and administered by the Transmission Control Center (TCC) [19].(iii)Distribution System (DS): It supplies the electrical energy to power consumers after being received from the transmission system. To decrease fault clearing time for faster fault identification, small transformer substations need to be automated. DS is normally distantly controlled and monitored by a Distribution Control Center (DCC) [22].(iv)Consumption (C): It signifies to power consumers (e.g., industries, which operate process automation to dominate and control manufacturing process and energy consumption or generation) [23].(v)Service Provider (SP): It creates agreements with consumers to deliver electricity to distinctive devices and cooperates with internal devices via messages conveyed by the smart meter. Moreover, users should record with the electric utility and acquire digital certificates for their identities and public keys. The certificates are then used to facilitate protected communication with users [24].(vi)Market System (MK): It circulates the market and value online and within a far shorter period to a larger one and to members in the system [22].(vii)Smart Meter (SM): It is a complete embedded system. SM includes a microcontroller that has nonvolatile and volatile memory, timers, analog/digital ports, real-time clock, and serial communication facilities. Smart meters register the power consumption periodically, transmit it to the utility server, connect or disconnect a client power, and provide and transmit alarms in case of abnormality [25].(viii)Control Center (CC): The main task of CC is to understand the intelligent warning ahead by means of observance the dominant transmission network in a period of time and analyzing its security through the corporation among many specialized teams. Hence, CC optimizes the transmission operation by means of assembling, integration, analyzing, and mining the operational data to support a higher cognitive process. It additionally ensures the safety, responsibleness, flexibility, coordination, economics, greenness, and potency of the electrical power network. Of these tasks, the square measure supports correct and adequate knowledge, and thus knowledge management may be a vital task for realizing intelligent dispatching [26].(ix)Access Point (AP): It exists for outer Internet networking. The attacker is considered to be present at this spot.

The market system (MK) and service provider (SP) domains constitute the management system (M) that is responsible for service provision, energy distribution management, and energy market management. The communication infrastructures of the smart grid are based on three types of networks [27]:(i)Home area network (HAN) is regulated within a limited area (tens of meters), commonly a small office or a house. The HAN has an approximately low transmission data rate of hundreds of bits per second (bps).(ii)Neighborhood area network (NAN) is deployed within an area of hundreds of meters which is actually a few urban buildings. Many HANs can be linked to one NAN, and they transmit the data of energy used by each house to the NAN.(iii)Wide area network (WAN) is operated within a large area of tens of kilometers, which consists of several NANs. Additionally, the communication of all smart grid’s components including control center, generation, transmission, and distribution systems is found in WAN.

2.2. Smart Grid Vulnerabilities

The following vulnerabilities were identified within the smart grid system:(i)Customer Security (CS): Smart meters independently gather large amounts of data and carry them to the market, consumer, and service providers. These data contain private consumer information that might be utilized to infer the consumer’s actions, devices being used, and times when the home is unoccupied [28].(ii)Greater Number Of Intelligent Devices (GNOID): A smart grid has various intelligent devices that are concerned with organizing both the electricity supply and network demand. These intelligent devices may act as attack access points into the network. Furthermore, the enormity of the smart grid network (100 to 1000 times larger than the Internet) makes network observing and management tremendously challenging [29].(iii)The Lifetime Of Power Systems (LOPS): As power systems co-occur with quite short-lived IT systems, it is predictable that outdated equipment is still in facility. This equipment might act as a fragile security node and might be unsuitable for the present power system devices [30].(iv)Zero-Day (ZD): It is a computer software vulnerability unidentified to those who should be concerned in its mitigation. Until the vulnerability is mitigated, attackers can harmfully exploit it to affect programs, data, and additional computers or network [31].(v)Firmware: It is susceptible to an extensive range of software errors. These errors include memory corruption flaws, application logic flaws, and command injection vulnerabilities [32].

The M system has CS, GNOID, and ZD vulnerabilities, while GS, CC, T, and D systems have both LOPS and firmware vulnerabilities.

2.3. Possible Attacks

The following attacks were investigated against the smart grid systems:(i)Malware Spreading (MS): An attacker can generate malware and distribute it to taint smart meters or company servers. MS can be used to substitute or add any function to a device or a system such as sharing delicate information [33].(ii)Eavesdropping (E): It is a form of passive attack in which the attacker overhears the messages between the nodes on the communication channel [34].(iii)Denial of Service (DoS): This attack targets the system’s approachability. It intends to delay, stop, or disturb data transmission in smart grids. Thus, it produces shutdowns, blackout, or denial of data exchange. The loss of control messages or approachability of the data stream can disturb the power distribution and the system [35].(iv)Zero-Day (ZDA): It is a cyber-attack abusing zero-day vulnerabilities that has not been revealed publicly. There is almost no protection against a zero-day attack, while the vulnerability rests unknown, the affected software cannot be repaired, and anti-virus products cannot spot the attack through signature-based scanning [36].(v)Bypass Security Mechanism (BSM): It can be applied within a firmware update to attack a specific hardware (PLC, RTU) to obtain an entrance and gain power over it. The PLC and RTU can be located in DCC, TCC, and CC [37].

2.4. Smart Grid Formal Depiction

The system is formally depicted as follows:(1)The attacker is expected to be located at AP and has a root privilege (static).(2)Generation system GS (static).(3)Set of transmission elements T; variable t ∈ {TS, TCC} (static).(4)Set of distribution elements D; variable d ∈ {DS, DCC} (static).(5)Set of management elements M; variable m ∈ {SP, MK} (static).(6)Consumption C (static).(7)Smart meter SM (static).(8)Control center CC (static).(9)System connectivity, N ⊆ GS × GS, GS × T, GS × CC, T × T, T × D, D × D, D × CC, D × C, T × CC, CC × CC, M × M, M × CC, CC × SM, SM × SM, SM × C, C × C, M × GS, M × T, M × D, M × SM; n_ij = 1 if element i is connected to element j (static).(10)System vulnerabilities V; Boolean v_i = 1 if vulnerability v ∈ {CS, GNOID, LOPS, ZD, firmware} is placed on host i (static).(11)Set of possible attacks A; variable a ∈ {MS, E, DoS, ZDA, BSM} (static).(12)Attack instances, AI ⊆ A × (GS × T, GS × CC, T × D, D × D, D × CC, D × C, T × CC, CC × CC, M × M, M × CC, M × GS, M × T, M × D); labeled a_ij = attack a from source i to target j, a ∈ A (static).(13)Attacker level of privilege P on host i; variable p_i ∈ {none, user, root} with a total order of privilege levels: root (2) > user (1) > none (0) (dynamic).(14)Data knowledge K; Boolean k_j = 1 if the attacker gets knowledge about target j (dynamic).(15)Latency L from element i; Boolean l_i = 1 if the communication from i is delayed (dynamic).(16)Hardware control H on device i ∈ {D, CC, T, GS}; Boolean h_i = 1 if the attacker gains control over the firmware of device i (dynamic).(17)Attack instances pre-conditions:(i)Pre (MS_ij) ≡ (n_ij = 1) ∧ (GNOID_j = 1) ∧ (∃y ∈ {M}: k_i = 1).(ii)Pre (E_ij) ≡ (n_ij = 1) ∧ ((CS_j = 1) ∧ (GNOID_j = 1)).(iii)Pre (DoS_ij) ≡ (n_ij = 1) ∧ (p_i = 2) ∧ ((LOPS_j = 1) ∧ (firmware_j = 1)).(iv)Pre (BSM_ij) ≡ (n_ij = 1) ∧ (p_i = 1) ∧ ((LOPS_j = 1) ∧ (firmware_j = 1)) ∧ (∃y ∈ {D, CC}: k_j = 1).(v)Pre (ZDA_ij) ≡ (n_ij = 1) ∧ (ZD_j = 1).(18)Attack instances post-conditions:(i)Post (MS_ij) ≡ (p_j = 2).(ii)Post (E_ij) ≡ (k_j = 1).(iii)Post (DoS_ij) ≡ (p_j = 2) ∧ (l_j = 1) ∧ (k_j = 1).(iv)Post (ZDA_ij) ≡ (p_j = 2).(v)Post (BSM_ij) ≡ (h_j = 1).(19)Initial state: p_AP = 2 ∧ (∀j ∈ {D, T, M, GS, CC}: (p_j = l_j = h_j = k_j = 0)). This means the attacker has a root privilege on the AP, and for all the sub-systems D, T, M, GS, CC, the attacker has no privilege, not caused a delay in the communication, no control over the firmware of the devices, and no knowledge about them.(20)Security property φ is that the attacker cannot disrupt the smart grid system by causing a delay in the distribution and having a root privilege over the distribution system, or having a root privilege over the control center, or gaining control over the distribution’s firmware. This property can then be expressed by computation tree logic as: φ ≡ AG ((l _D = 0) ∨ (p_D = 0)) ∧ (h_D = 0) ∧ (p_CC = 0) ≡ AG (¬ (((l_D = 1) ∧ (p_D = 2)) ∨ (p_CC = 2) ∨ (h_D = 1))).

The parameters in the formal depiction are either assumed static (inherited in the system architecture such as connectivity and system vulnerabilities) that are required as part of the attacks pre-conditions or dynamic (i.e., their values change with attacks as specified by the attacks post-conditions such as the attacker privilege).

2.5. System Description Using Matrices

Once the formal description of the system is structured, three matrices are constructed constituting the state, pre-, and post-condition matrices, respectively, as follows:(i)State matrix: Shown in (1), the rows are the sub-systems {T, D, M, GS, CC, AP} and columns are the concatenation of vulnerabilities {CS, ZD, GNOID, LOPS, firmware} and dynamic variables {p, k, l, h}, respectively. This matrix reflects the evolving system’s state upon the execution of attacks.(ii)Pre-condition matrix: Shown in (2), the rows are the attacks {MS, E, DoS, BSM, ZDA}, and columns are the concatenation of vulnerabilities {CS, ZD, GNOID, LOPS, firmware} and dynamic variables {p, k, l, h}, respectively, whose values are reflected from the pre-conditions’ formal depiction.(iii)Post-condition matrix: It has the same elements as the pre-conditions’ matrix. However, its values are reflected from the post-conditions’ formal depiction.

3. Algorithm Description

In this section, we present our new tool that automatically generates and visualizes the cyber-attack scenarios using Python 3.6.0 and Jupyter Notebook. Algorithm 1 illustrates the applied scheme.

	Input: State, pre-conditions, post-conditions;
	Output: Attack scenario;
	Start program;
	While(State)Equal(Scenario Property)do
	if((State)Less Than Or Equal To(Pre-Conditions))then
	Add(Post-Conditions)to(State);
	Store(Attack’s Name And Sub System)to(Attacks);
	else
	The system cannot be compromised
	end
	Generate Attack Scenario;

Initially, the state, pre-, and post-condition matrices are constructed from the formal system depiction. Nonetheless, the elements of the state matrix are initially equal to the variables of the initial state, as shown in

The pre- and post-condition matrices are presented in (4) and (5), respectively:

For instance, the element = 1 corresponds to the set of transmission elements T which has LOPS vulnerability. The element = 1 corresponds to the MS attack which exploits the vulnerability. The element corresponds to MS attack’s post-condition of gaining a root privilege. The algorithm starts with a loop that compares the security property variables with their counterparts in the state matrix. While the variables are equal (i.e., no security property violation), all rows in the pre-conditions’ matrix will be compared to all rows in the state matrix, until the variables of one row in the pre-condition are equal or less than the variables of one row in the state matrix. When this statement is true, then an attack instance is executed and the algorithm will break the loop to make sure that only one attack instance is executed in each run. For instance, the elements of the second row of the pre-conditions’ matrix are less than or equal to their counterparts of the third row of the state matrix. This corresponds to the execution of the first attack E on M, exploiting the CS vulnerability. As a result, the second row of the post-conditions’ matrix is added to the third row of the state matrix. This indicates getting information about the M sub-system as a result of the execution of attack E, thus updating the state matrix as shown in

To make sure that the same attack instances will not be repeated and the algorithm will not execute a deadlock, a new array structure was created, called attacks. The first column of this array stores the attack instances that were executed (given by the row’s number of the pre-conditions’ matrix), and the second column stores the corresponding sub-systems that were attacked (given by the row’s number of the state matrix). For instance, the executed attack instance E against sub-system M is given in

Next, the algorithm will compare the updated state with the security property again. While the state is equal to the security property (i.e., no security property violation), the state matrix will be compared to the pre-conditions’ matrix again, but now excluding the second row of the pre-conditions’ matrix and the third row of the state’s matrix from the comparison (attack instance E against sub-system M). These steps will be repeated until the state is not equal to the security property (i.e., security property violation), indicating a first counterexample (CE) which is presented here as an attack scenario, a sequence of attack instances causing system compromise. Figure 2 illustrates the algorithm’s flowchart for generating a CE.

After generating the first CE, the same steps are repeated to generate the rest of distinct CEs by comparing the new CE with the ones already discovered, hence preventing CE repetitions. Afterward, the generated CEs are fed to a class within the algorithm that encodes the result with DOT language [38] to visualize the attack graph.

4. Implementation of Cyber-Attack Scenarios

In view of the property φ, the attacker’s aim is to disrupt the smart grid system by causing latency and having a root privilege over the distribution system, or causing a blackout either by controlling the firmware of the distribution system or by gaining root privilege over the control center. The first counterexample that was generated is (CE1: E_APM ⟶ MS_APM ⟶ BSM_MD). This CE can be illustrated as follows. At the beginning, the attacker has a privilege on AP; an E_APM attack is executed on M to gain information (e.g., the type of smart devices and applications that M uses). Next, MS_APM attack is launched from AP to M profiting from GNOID vulnerability to gain privilege over M. Afterward, BSM_MD is executed on D exploiting LOPS vulnerability to gain control over the D’s firmware. This can lead to system blackout and ultimately affect the power consumption.

CE1 is provided in disjunction with φ, (φ ∨ CE1). A different counterexample acts in accordance with ¬ (φ ∨ CE1) = ¬ φ ∧ ¬ CE1. This issues a second counterexample (CE2: ZDA_APM ⟶ DoS_MCC). By repeating this operation, sixteen CEs were generated, composing all attack scenarios (i.e., the attack graph) as shown in Figure 3.

The attack graph has sixteen sequences that end in an accessible state where the system can be fully controlled and jeopardized by the attacker. Generally, the smart grid contains many vulnerabilities. Thus, an attacker can compromise the system by executing only two sequential attacks at least as shown in the graph. In the resulting graph, it can be also noticed that the DoS and BSM attack instances can massively affect the smart grid as a result of LOPS and firmware vulnerabilities. In [30], several solutions were discussed to protect the smart grid and enhance its security, such as the implementation of a robust authentication protocol, annual element vulnerability evaluation, and adapting virtual private network (VPN) architectures for secure communication.

5. Verification and Validation

A verification method can be either domain dependent (testing if there are anomalies in the tool using meta-knowledge on what is common in the domain) or domain independent (searching for general anomalies and mistakes in the implementation) [39].

In this work, domain-independent verification was performed through the inspection of the tool’s output. The inspection ensured that all attack paths that should be created by the model appeared in the output, and that the model did not accommodate repetitious attack paths.

Validity tests can be executed on a component level or on a system level to validate the full system against the proposed criterion. Our tool was validated on a system level by comparing the system’s output to the model-based schemes of [40–42] and [43], respectively. These schemes used Architecture Analysis and Design Language (AADL) [44] to formally model the system and later implemented JKind model checker tool [45] to check the model against the security properties. The generated counterexamples (given by large size excel sheets) were incorporated with visualization tools such as Graphviz [46] to represent the attack graph. Although these schemes can generate all possible scenarios, the code should be modified after generating each scenario to make sure that the JKind will not generate repeated scenarios. Nonetheless, these schemes consume a lot of time for generating the scenarios and for checking the generated Excel sheets, encoding them to a language (DOT language) that Graphviz can understand, and then compiling them in order to have a complete graph. This process may take between 3–5 hours.

Figure 4 shows one of the generated CEs as a spreadsheet (CE: E_APM ⟶ MS_APM ⟶ DoS_MT ⟶ DoS_TD) using their framework. This CE can also be seen in our generated attack graph along with the same changes in the dynamic variables. Our proposed scheme is scalable and is fully automated. It is based on a matrix representation of the formal system depiction, and it does not require a model checker or any other visualization tool. The execution time for our scheme is less than an hour, on a standard computer processor: 2.3 GHz 8-Core Intel Core i9; memory: 16 GB, 2667 MHz DDR4, running macOS Big Sur.

6. Conclusions

In this paper, a model-based attack graph implementation was illustrated for the smart grid using an algorithm that was built using Python language and Jupyter Notebook. The algorithm can automatically generate all scenarios and visualize the potential attack sequences with their terminating state and post-conditions. The generated attack graph can aid system’s designers to select the best adjustment of countermeasures, preventing the occurrence of such attacks. For the upcoming work, we intend to boost the algorithm to automatically display the associated resilience levels of the smart grid system.

Data Availability

The attack graph data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

The authors would like to acknowledge Deanship of Graduation Studies and Scientific Research at the German Jordanian University for the Seed fund SATS 03/2020.

References

R. Baheti and H. Gill, “Cyber-physical systems,” The impact of control technology, vol. 12, no. 1, pp. 161–166, 2011.
View at: Google Scholar
European Regulators Group for Electricity and Gas, Position paper on smart grids no. e09-eqs-30-04, Berlin, 2010.
D. Kundur, X. Feng, S. Mashayekh, S. Liu, T. Zourntos, and K. B. Purry, “Towards modelling the impact of cyber attacks on a smart grid,” International Journal of Security and Networks, vol. 6, no. 1, pp. 2–13, 2011.
View at: Publisher Site | Google Scholar
Y. Yang, T. Littler, S. Sezer, K. McLaughlin, and H. F. Wang, “December. Impact of cyber-security issues on smart grid,” in Proceedings of the 2011 2nd IEEE PES International Conference and Exhibition on Innovative Smart Grid Technologies, pp. 1–7, IEEE, Manchester, UK, 5-7 Dec. 2011.
View at: Google Scholar
B. Krebs, “Cyber incident blamed for nuclear power plant shutdown,” Washington Post, vol. 5, p. 5, 2008.
View at: Google Scholar
Y. Yang, B. Pranggono, T. Littler et al., “Man-in-the-middle attack test-bed investigating cyber-security vulnerabilities in smart grid SCADA systems,” in Proceedings of the International Conference on Sustainable Power Generation and Supply (SUPERGEN 2012), Hangzhou, 8-9 Sept. 2012.
View at: Publisher Site | Google Scholar
K. Kaynar and F. Sivrikaya, “Distributed attack graph generation,” IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 5, pp. 519–532, 2016.
View at: Publisher Site | Google Scholar
Python 360, 2021, https://www.python.org/downloads/release/python-360/.
Jupyter Notebook, 2021, https://jupyter.org.
I. Kotenko and A. Chechulin, “A cyber attack modeling and impact assessment framework,” in Proceedings of the 2013 5th International Conference on Cyber Conflict (CYCON 2013), pp. 1–24, IEEE, Tallinn, Estonia, 4-7 June 2013.
View at: Google Scholar
R. W. Ritchey and P. Ammann, “Using model checking to analyze network vulnerabilities,” in Proceedings of the 2000 IEEE Symposium on Security and Privacy. S&P 2000, pp. 156–165, IEEE, Berkeley, CA, USA, 14-17 May 2000.
View at: Google Scholar
O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, “Automated generation and analysis of attack graphs,” in Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 273–284, IEEE, Berkeley, CA, USA, 12-15 May 2002.
View at: Google Scholar
H. R. Shahriari and R. Jalili, “Using CSP to model and analyze transmission control protocol vulnerabilities within the broadcast network,” in Proceedings of the 2004 International Networking and Communication Conference, pp. 42–47, IEEE, Lahore, Pakistan, 11-13 June 2004.
View at: Google Scholar
C. R. Ramakrishnan and R. Sekar, “Model-based analysis of configuration vulnerabilities1,” Journal of Computer Security, vol. 10, no. 1-2, pp. 189–209, 2002.
View at: Publisher Site | Google Scholar
C. Phillips and L. P. Swiler, “A graph-based system for network-vulnerability analysis,” in Proceedings of the 1998 Workshop on New Security Paradigms, pp. 71–79, Charlottesville Virginia USA, September 22 - 26, 1998.
View at: Google Scholar
P. Ammann, D. Wijesekera, and S. Kaushik, “Scalable, graph-based network vulnerability analysis,” in Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 217–224, Heidelberg, Germany, June 2018.
View at: Google Scholar
X. Ou, S. Govindavajhala, and M.V. A. L. Appel, “A logic-based network security analyzer,” in Proceedings of the 14th USENIX Security Symposium, Baltimore,MD, USA, August2005.
View at: Google Scholar
H. A. Kholidy, “Multi-layer attack graph analysis in the 5G edge network using a dynamic hexagonal fuzzy method,” Sensors, vol. 22, no. 1, p. 9, 2021.
View at: Publisher Site | Google Scholar
W. Xiong, S. Hacks, S. Hacks, and R. Lagerström, “A method for assigning probability distributions in attack simulation languages,” Complex Systems Informatics and Modeling Quarterly, no. 26, pp. 55–77, 2021.
View at: Publisher Site | Google Scholar
Z. He, G. Hu, and R. Lee, “New models for understanding and reasoning about speculative execution attacks,” in Proceedings of the 2021 IEEE International Symposium on High-Performance Computer Architecture (HPCA), pp. 40–53, IEEE, Seoul, Korea (South), 2021, February.
View at: Google Scholar
X. Fang, S. Misra, G. Xue, and D. Yang, “Smart grid - the new and improved power grid: a survey,” IEEE communications surveys & tutorials, vol. 14, no. 4, pp. 944–980, 2012.
View at: Publisher Site | Google Scholar
Y. Cunjiang, Z. Huaxun, and Z. Lei, “Architecture design for smart grid,” Energy Procedia, vol. 17, pp. 1524–1528, 2012.
View at: Publisher Site | Google Scholar
Y. Yan, Y. Qian, H. Sharif, and D. Tipper, “A survey on smart grid communication infrastructures: motivations, requirements and challenges,” IEEE communications surveys & tutorials, vol. 15, no. 1, pp. 5–20, 2013.
View at: Publisher Site | Google Scholar
J. Naruchitparames, M. H. Güneş, and C. Y. Evrenosoglu, “Secure communications in the smart grid,” in Proceedings of the 2011 IEEE Consumer Communications and Networking Conference (CCNC), pp. 1171–1175, IEEE, Las Vegas, NV, USA, 9-12 Jan. 2011.
View at: Google Scholar
M. K. Arefin, WiMAX Implementation of Smart Grid Wide Area Distributed Generation and Demand Side Load Protection Model in MATLAB/SIMULINK, Doctoral dissertation, Department of Electrical and Electronic Engineering, BRAC University0, China, 2016.
J. Liu, X. Li, D. Liu, H. Liu, and P. Mao, “Study on data management of fundamental model in control center for smart grid operation,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 573–579, 2011.
View at: Publisher Site | Google Scholar
R. Yu, Y. Zhang, S. Gjessing, C. Yuen, S. Xie, and M. Guizani, “Cognitive radio based hierarchical communications infrastructure for smart grid,” IEEE network, vol. 25, no. 5, pp. 6–14, 2011.
View at: Publisher Site | Google Scholar
T. Bhatt, C. Kotwal, and N. Chaubey, “Survey on smart grid: threats vulnerabilities and security protocol,” International Journal of Electrical, Electronics and Computer Systems, vol. 6, no. 9, pp. 340–348, 2017.
View at: Google Scholar
F. Al-Turjman and M. Abujubbeh, “IoT-enabled smart grid via SM: an overview,” Future Generation Computer Systems, vol. 96, pp. 579–590, 2019.
View at: Publisher Site | Google Scholar
F. Aloul, A. R. Al-Ali, R. Al-Dalky, M. Al-Mardini, and W. El-Hajj, “Smart grid security: threats, vulnerabilities and solutions,” International Journal of Smart Grid and Clean Energy, vol. 1, no. 1, pp. 1–6, 2012.
View at: Publisher Site | Google Scholar
L. Ablon and A. Bogart, “Zero days, thousands of nights: the life and times of zero-day vulnerabilities and their exploits,” Rand Corporation, Santa Monic, 2017, https://www.rand.org/pubs/research_reports/RR1751.html Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits.
View at: Publisher Site | Google Scholar
Y. Shoshitaishvili, R. Wang, C. Hauser, C. Kruegel, and G. Vigna, “February. Firmalice-automatic detection of authentication Bypass vulnerabilities in binary firmware,” NDSS, vol. 1, p. 1, 2015.
View at: Google Scholar
Y. Mo, T. H. J. Kim, K. Brancik et al., “Cyber–physical security of a smart grid infrastructure,” Proceedings of the IEEE, vol. 100, no. 1, pp. 195–209, 2011.
View at: Google Scholar
A. Boukerche, K. El-Khatib, L. Xu, and L. Korba, “An efficient secure distributed anonymous routing protocol for mobile and wireless ad hoc networks,” Computer Communications, vol. 28, no. 10, pp. 1193–1203, 2005.
View at: Publisher Site | Google Scholar
M. Z. Gunduz and R. Das, “Analysis of cyber-attacks on smart grid applications,” in Proceedings of the 2018 International Conference on Artificial Intelligence and Data Processing (IDAP), pp. 1–5, IEEE, Malatya, Turkey, 28-30 Sept. 2018.
View at: Google Scholar
L. Bilge and T. Dumitraş, “Before we knew it: an empirical study of zero-day attacks in the real world,” in Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 833–844, Raleigh, USA, 16 October 2012.
View at: Google Scholar
S. T. King, J. Tucek, A. Cozzie, C. Grier, W. Jiang, and Y. Zhou, “Designing and implementing malicious hardware,” Leet, vol. 8, pp. 1–8, 2008.
View at: Google Scholar
DOT language, 2021, https://graphviz.org/doc/info/lang.html.
R. M. O'Keefe and D. E. O'Leary, “Expert system verification and validation: a survey and tutorial,” Artificial Intelligence Review, vol. 7, no. 1, pp. 3–42, 1993.
View at: Publisher Site | Google Scholar
M. Ibrahim, Q. Al-Hindawi, R. Elhafiz, A. Alsheikh, and O. Alquq, “Attack graph implementation and visualization for cyber physical systems,” Processes, vol. 8, no. 1, p. 12, 2019.
View at: Publisher Site | Google Scholar
A. T. Al Ghazo and R. Kumar, “Identification of critical-attacks set in an attack-graph,” in Proceedings of the 2019 IEEE 10th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), IEEE, Málaga, Spain, October 6-8, 2008.
View at: Google Scholar
M. Ibrahim, A. Alsheikh, and Q. Al-Hindawi, “Automatic attack graph generation for industrial controlled systems,” Recent Developments on Industrial Control Systems Resilience, Springer, Cham, pp. 99–116, 2020.
View at: Publisher Site | Google Scholar
A. T. Al Ghazo, M. Ibrahim, H. Ren, and R. Kumar, “A2G2V: automated attack graph generator and visualizer,” Security, and Privacy, vol. 50, pp. 1–6, 2018.
View at: Google Scholar
Carnegie-Mellon-University, Open Source Aadl Tool Environment for the SAE Architecture, 2018, http://osate.github.io/index.html.
M. Sheeran, S. Singh, and G. Stålmarck, “Checking safety properties using induction and a SAT-solver,” Formal Methods in Computer-Aided Design International Conference on Formal Methods in Computer-Aided Design, Springer, Berlin/Heidelberg, Germany, pp. 127–144, 2000.
View at: Publisher Site | Google Scholar
Graphviz—Graph Visualization Software, 2021, https://www.graphviz.org/download/.

Copyright

Copyright © 2022 Mariam Ibrahim and Ruba Elhafiz. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

389

Downloads

335

Citations