Anomaly detection in SCADA systems using machine learning

Fiah, Eric Kudjoe

12 May 2023

In this thesis, different Machine learning (ML) algorithms were used in the detection of anomalies using a dataset from a Gas pipeline SCADA system which was generated by Mississippi State University’s SCADA laboratory. This work was divided into two folds: Binary Classification and Categorized classification. In the binary classification, two attack types namely: Command injection and Response injection attacks were considered. Eight Machine Learning Classifiers were used and the results were compared. The Light GBM and Decision tree classifiers performed better than the other algorithms. In the categorical classification task, Seven (7) attack types in the dataset were analyzed using six different ML classifiers. The light gradient-boosting machine (LGBM) outperformed all the other classifiers in the detection of all the attack types. One other aspect of the categorized classification was the use of an autoencoder in improving the performance of all the classifiers used. The last part of this thesis was using SHAP plots to explain the features that accounted for each attack type in the dataset.

Anomaly

machine learning

Supervisory Control And Data Acquisition

autoencoders

A simulative analysis of the robustness of Smart Grid networks and a summary of the security aspects

Kubler, Sarah Marie

January 1900

Master of Science / Department of Electrical and Computer Engineering / Caterina M. Scoglio / The need for reliable and quick communication in the power grid is growing and becoming more critical. With the Smart Grid initiative, an increasing number of intelligent devices, such as smart meters and new sensors, are being added to the grid. The traffic demand on the communications network increases as these new devices are being added. This can cause issues such as longer delay, dropped packets, and equipment failure. The power grid relies on this data to function properly. The power grid will lose reliability and will not be able to provide customers with power unless it has correct and timely data. The current communications network architecture needs to be evaluated and improved. In this thesis, a simulator program is developed to study the communications network. The simulation model is written in C++ and models the components of the communications network. The simulation results provide insight on how to design the communications network in order for the system to be robust from failures. We are using the simulator to study different topologies of the communications network. The communications network often has a simular topology to the power grid. This is because of right-a-ways and ownership of equipment. Modifying the topology of the communications network slightly can improve the performance of the network. Security of the communications network is a very important aspect. There is a risk of successful attacks on the communications network without the implementation of security protocols. Attacks can come from malicious users of the communications network or from entities outside the network. These attacks may lead to damaged equipment, loss of power to consumers, network overload, loss of data, and loss of privacy. This thesis presents a short overview of the major issues related to the security of the communications network. The department of Electrical and Computer Engineering (ECE) at Kansas State University (K-State) is working on developing a Smart Grid lab. Burns and McDonnell has collaborated with the ECE department at K-State to develop the Smart Grid Lab. This lab will be located inside of the ECE department. The lab will consist of both power grid equipment and network communication equipment. This thesis describes similar labs. It then describes the initial plan for the lab, which is currently in the planning stage.

Network

Smart Grid

Topology

Security

Communication

Supervisory control and data acquisition

Computer Engineering (0464)

Design and Implementation of Downtime Management System for Assembly Production : Software specification and practical challenges / Design och Implementation av ett Störningsanalys System för Monteringsindustrin : Mjukvaruspecifikation och praktiska utmaningar

Dowling, Gustav

January 2022

The usage of information technology (IT) systems has become an integral part of assembly manufacturing. Supervisory control and data acquisition (SCADA) systems are widely used in order to control production cycles and monitor equipment such as conveyor belts. Other common IT systems are related to logistics, data analysis, or organizing of incoming and outgoing orders. In this thesis we create a model for the IT systems at the fuel pump and fuel injector manufacturer Scania XPI. One model is developed for the current state of the IT systems at Scania XPI, and one model is developed detailing the future state. The current state model consists of charts showing where in the production process that data is transmitted between which IT systems. This thesis utilizes the current state model in order to suggest improvements to the IT systems. These improvements are detailed in the model for the future state of IT systems at Scania XPI. Overall equipment efficiency (OEE) is a measurement of the performance of an industrial operation based on the percentage of up time running at full capacity compared to the available run time. Measurement of OEE requires that only downtimeduetointernal circumstances within the operation is taken into account, and that any potential quality deviations due to the operation are accounted for. Taking into account the variability of manufacturing processes, this thesis proposes solutions to issues in data processing required to measure the efficiency of operations in assembly manufacturing, such as identifying if process breakdowns are caused by external factors. The proposed solution is a system called "Process data analysis system" (PDAS), which uses the recorded machine statuses throughout operation in order to calculate process downtime and OEE. PDAS was implemented using the incremental waterfall model as a software development methodology. PDAS was evaluated by conducting four groups of experiments and a comparison to the PUS (processuppföljnings system) at Scania XPI. Automatically classifying downtime events as planned or unplanned allows PDAS to give an accurate view on the efficiency of the assembly production. The software can be used at Scania XPI and it’s functionality has been verified on assembly production running in ordinary conditions. We show that software can be developed to process industrial data in order to measure assembly line efficiency. Eventually, design and implementation of a downtime management system for assembly production is achieved as a final product of this thesis. / Användningen av informationsteknik (IT) system har blivit en viktig del av monteringstillverknings industrin. Supervisory control and data acquisition (SCADA) system är ofta implementerade i syfte att kontrollera produktionens takt och för att övervaka eller styra produktionens utrustning. Andra vanliga IT-system är relaterade till logistik, data analys, eller hantering av ingående och utgående beställningar. I detta examensarbete skapar vi en modell för IT-systemen på dieselpump och dieselinjektor tillverkaren Scania XPI. Denna modell visar både hur IT-systemen fungerar idag och hur de kan förbättras. Current state modellen består av diagram som visar var i produktionsprocessen som data skickas mellan IT-systemen. Vi använder oss av current state modellen i syfte att föreslå förbättringar till IT-systemen. Dessa förbättringar beskrivs i en modell för future stateäv IT-systemen hos Scania XPI. Overall equipment efficiency (OEE) är ett mått på prestandan på effektiviteten av industriell verksamhet baserat på procentandelen av drifttiden utan kvalitets avvikelser utan stopp jämfört med den totala drifttiden. Mätning av OEE kräver att driftstopp på grund av externa omständigheter ej tillräknas stopp tiden, och att kvalitets avvikelser kan mätas. Detta examensarbete föreslår lösningar på problem inom databehandling som krävs för att mäta produktionens effektivitet vid monteringstillverkning, exempelvis att identifiera om driftstopp som orsakas av externa omständigheter. Lösningen som presenteras är utveckling av Process Data Analysis System"(PDAS), som använder sig av automatiskt rapporterad maskinstatusdata för att beräkna stopp tid och OEE. PDAS implementerades med "incremental waterfall modelsom metodologi för mjukvaruutveckling. PDAS utvärderades genom att genomföra fyra grupper av experiment och med hjälp av en jämförelse med PUS (processuppföljnings system) hos Scania XPI. Genom att automatiskt klassificera planerad och oplanerad stopp tid ger PDAS en mer ackurat bild av effektiviteten för monterings produktionen. Mjukvaran kan användas av Scania XPI och funktionen av PDAS har verifierats för monteringstillverkningen under vanliga produktionsomständigheter. Vi visar att mjukvaran kan användas för att bearbeta industriell data i syfte att mäta effektiviteten av monterings tillverkningen. Slutligen uppnås design och implementation av ett system för stopptids hantering för monterings produktion som en produkt av denna uppsats.

Overall equipment efficiency

Assembly manufacturing

Automotive Industry

Supervisory Control and Data Acquisition

Information Systems

Downtime management

Overall Equipment Efficiency

Monterings produktion

Fordonsindustri

Supervisory Control and Data Acquisition

Information Systems

Stopptidshantering

Computer Sciences

Datavetenskap (datalogi)

Study of Adaptive Fault Diagnosis and Power Quality Detection for Power System

Lin, Chia-Hung

30 June 2004

Power system protection is important for service reliability and quality assurance. Various faults may occur due to natural and artificial calamity. To reduce the outage duration and promptly restore power services, fault section estimate has to be done effectively and accurately with fault alarms. Dispatchers study the changed statuses of protection devices from the Supervisory Control and Data Acquisition (SCADA) system to identify the fault. Single and multiple faults could coexist with the failed operation of relays and circuit breakers, or with the erroneous data communication. It needs a long time to process a large number of alarms under various conditions involving multiple faults and many uncertainties. To cope with the problem, an effective tool is helpful for the fault section estimation and alarm processing. Besides, power transformer plays a major role in a power system. For a better service quality, it is important to be routinely examined for detecting incipient faults inside transformers. Preventive techniques for early detection can find out the incipient faults and avoid outages. Power quality is another issue to considerable attentions from utilities and customers due to the popular uses of many sensitive electronic equipment. Harmonics, voltage swell, voltage sag, and, power interruption could downgrade the service quality. To ensure the power quality, detecting harmonic and voltage disturbances becomes important. A detection method with classification capability will be helpful for detecting disturbances. This dissertation developed various algorithm for detection including fault section detection, alarm processing, transformer fault diagnosis, and power quality detection. For a well-dispatched power system, the adaptive detection idea will be used, and the existing SCADA/EMS will be integrated without extra devices.

Fault Section Detection

Power Quality Detection

Transformer Fault Diagnosis

Alarm Processing

SMART GRID COMMUNICATIONS

Asbery, Christopher W

01 January 2012

Smart grid technologies are starting to be the future of electric power systems. These systems are giving the utilities detailed information about their systems in real time. One of the most challenging things of implementing smart grid applications is employing the communications into the systems. Understanding the available communications can help ease the transition to these smart grid applications. Many of the utility personnel are spending too much time trying to figure out which communication is better for their application or applications. So this thesis presents the different communication types available with discussing the different attributes in which these communication types are going to offer to the utility. Then these communication types are looked such that utilities can quickly understand how to approach the difficult task of obtaining the information from the different smart grid applications by the use of different communication options.

Smart Grid Technologies

Communications

Automatic Metering Infrastructure

Supervisory Control and Data Acquisition

Communication Reliability

Power and Energy

Systems and Communications

An intrusion detection system for supervisory control and data acquisition systems

Hansen, Sinclair D.

January 2008

Despite increased awareness of threats against Critical Infrastructure (CI), securing of Supervisory Control and Data Acquisition (SCADA) systems remains incomplete. The majority of research focuses on preventative measures such as improving communication protocols and implementing security policies. New attempts are being made to use commercial Intrusion Detection System (IDS) software to protect SCADA systems. These have limited effectiveness because the ability to detect specific threats requires the context of the SCADA system. SCADA context is defined as any information that can be used to characterise the current status and function of the SCADA system. In this thesis the standard IDS model will be used with the varying SCADA data sources to provide SCADA context to a signature and anomaly detection engine. A novel addition to enhance the IDS model will be to use the SCADA data sources to simulate the remote SCADA site. The data resulting from the simulation is used by the IDS to make behavioural comparison between the real and simulated SCADA site. To evaluate the enhanced IDS model the specific context of a water and wastewater system is used to develop a prototype. Using this context it was found that the inflow between sites has similar diurnal characteristic to network traffic. This introduced the idea of using inflow data to detect abnormal behaviour for a remote wastewater site. Several experiments are proposed to validate the prototype using data from a real SCADA site. Initial results show good promise for detecting abnormal behaviour and specific threats against water and wastewater SCADA systems.

Information security

intrusion detection system (IDS)

remote telemetry device (RTU)

anomaly detection

signature detection

Διαχείριση και έλεγχος Programmable Logic Controller (PLC) μέσω Ethernet/Internet

Χριστόπουλος, Κωνσταντίνος

20 September 2010

Ο στόχος της παρούσας διπλωματικής εργασίας είναι ο έλεγχος και αποκατάσταση της θερμοκρασίας και της υγρασίας από απόσταση σε ένα χώρο ο οποίος απαιτεί συγκεκριμένες τιμές των δύο παραπάνω μεγεθών. Ένας τέτοιος χώρος μπορεί να είναι μια αίθουσα χειρουργείου ή μια μονάδα εντατικής θεραπείας. Ανάλογα με τις επιθυμητές θερμοκρασίες που έχουν τεθεί, ενεργοποιούνται οι βάνες του θερμαντικού ή του ψυκτικού στοιχείου. Όταν η υγρασία του χώρου είναι κατώτερη της επιθυμητής, ενεργοποιείται η τρίοδος βάνα ατμού. Όταν η υγρασία του χώρου είναι υψηλότερη της επιθυμητής ενεργοποιείται η τρίοδος βάνα του ψυκτικού στοιχείου για επιπλέον ψύξη (αφύγρανση) και παράλληλα, αν χρειαστεί ενεργοποιεί και την τρίοδο βάνα του θερμαντικού στοιχείου για να διατηρήσει τη θερμοκρασία του χώρου στα επιθυμητά επίπεδα. Όλα αυτά υλοποιούνται με τη βοήθεια του PLC S7 300 όσο αφορά το λειτουργικό μέρος, της μονάδας CP 343-1 Lean για την επικοινωνία της εγκατάστασης από απόσταση μέσω ethernet, το LabVIEW 9.0 για την υλοποίηση του SCADA(Supervisory Control and Data Acquisition) και τέλος ο OPC SERVER της National instrument για την επικοινωνία του PLC S7 300 με το LabVIEW 9.0. / The scope of this thesis is the control and restoration of temperature and humidity from distance in environments which demand precise values of these two measurements. Such an environment can be an Operating Room or an Intensive Care Unit. The valves of the heating or the cooling element are activated according to the desired temperature. When room humidity is below the desired one, the dew three-port valve is activated. On the other hand when humidity is above the desired level the three-port valve of the cooling element is activated for further cooling (dehydration) and at the same time, if needed, it activates the three-port valve of the heating element to maintain the room temperature at the desired level. This is possible with the use of PLC S7 300, when it comes to the functional part, the CP 343-1 Lean unit for the distant communication of the installation through the use of Ethernet, the LabVIEW 9.0 for the implementation of the SCADA(Supervisory Control and Data Acquisition) and the OPC SERVER of the National Instrument for the communication of the PLC S7 300 with LabVIEW 9.0.

Έλεγχος θερμοκρασίας

Υγρασία

629.895

Programmable Logic Controller (PLC)

NI OPC Server

Temperature control

Humidity

Proposta de arquitetura orientada a recursos para SCADA na Web

Polônia, Pablo Valério

January 2011

Dissertação (mestrado) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Engenharia de Automação e Sistemas, Florianópolis, 2011 / Made available in DSpace on 2012-10-26T04:49:05Z (GMT). No. of bitstreams: 1 299173.pdf: 2790960 bytes, checksum: 3a2ce4ee4fd5dc7d5f239e8d7350372c (MD5) / Esta dissertação descreve uma proposta de arquitetura de software para aplicações típicas de Sistemas de Supervisão e Aquisição de Dados (SCADA), utilizando a World Wide Web como plataforma. O objetivo é mostrar como os requisitos característicos de aplicações SCADA podem ser incorporados em uma arquitetura condizente com os princípios arquiteturais que fundamentam a Web, dado que as arquiteturas comumente propostas para SCADA, baseadas em Chamadas Remota de Procedimento (RPC, na sigla em inglês), apresentam problemas de forte acoplamento, manutenção de estado e interfaces especializadas, que dificultam uma integração plena com a Web. Para isto é projetada uma Arquitetura Orientada a Recursos (ROA, na sigla em inglês), que utiliza as tecnologias da Web (HTTP, URI e tipos de mídia) de acordo com seus princípios de arquitetura. A arquitetura é projetada utilizando como cenário uma Célula Flexível de Manufatura (CFM), ambiente característico de um SCADA. As funcionalidades típicas de SCADA são projetadas como recursos e expostas para clientes que podem exibir sinóticos em uma IHM, esperar pelo disparo de alarmes, controlar o processo, configurar dispositivos e abastecer com dados sistemas de MES/ERP. Uma implementação é realizada, para demonstrar como se dá a interação entre aplicações na arquitetura. Nesta implementação um aplicativo SCADA (Mango M2M) teve sua arquitetura de software estudada e modificada para se adaptar as necessidades da arquitetura proposta. Como resultado, obtém-se uma arquitetura que cobre os requisitos típicos de aplicações SCADA, integrando-se à Web de forma condizente com seus princípios arquiteturais. Posteriormente a arquitetura projetada é comparada com uma arquitetura baseada em Web Services RPC e as diferenças em termos de integração com a Web e no cumprimento dos requisitos típicos de SCADA são analisadas

Engenharia de sistemas

Serviços da Web

Software

Arquitetura

A one-class NIDS for SDN-based SCADA systems / Um NIDS baseado em OCC para sistemas SCADA baseados em SDN

Silva, Eduardo Germano da

January 2007

Sistemas elétricos possuem grande influência no desenvolvimento econômico mundial. Dada a importância da energia elétrica para nossa sociedade, os sistemas elétricos frequentemente são alvos de intrusões pela rede causadas pelas mais diversas motivações. Para minimizar ou até mesmo mitigar os efeitos de intrusões pela rede, estão sendo propostos mecanismos que aumentam o nível de segurança dos sistemas elétricos, como novos protocolos de comunicação e normas de padronização. Além disso, os sistemas elétricos estão passando por um intenso processo de modernização, tornando-os altamente dependentes de sistemas de rede responsáveis por monitorar e gerenciar componentes elétricos. Estes, então denominados Smart Grids, compreendem subsistemas de geração, transmissão, e distribuição elétrica, que são monitorados e gerenciados por sistemas de controle e aquisição de dados (SCADA). Nesta dissertação de mestrado, investigamos e discutimos a aplicabilidade e os benefícios da adoção de Redes Definidas por Software (SDN) para auxiliar o desenvolvimento da próxima geração de sistemas SCADA. Propomos também um sistema de detecção de intrusões (IDS) que utiliza técnicas específicas de classificação de tráfego e se beneficia de características das redes SCADA e do paradigma SDN/OpenFlow. Nossa proposta utiliza SDN para coletar periodicamente estatísticas de rede dos equipamentos SCADA, que são posteriormente processados por algoritmos de classificação baseados em exemplares de uma única classe (OCC). Dado que informações sobre ataques direcionados à sistemas SCADA são escassos e pouco divulgados publicamente por seus mantenedores, a principal vantagem ao utilizar algoritmos OCC é de que estes não dependem de assinaturas de ataques para detectar possíveis tráfegos maliciosos. Como prova de conceito, desenvolvemos um protótipo de nossa proposta. Por fim, em nossa avaliação experimental, observamos a performance e a acurácia de nosso protótipo utilizando dois tipos de algoritmos OCC, e considerando eventos anômalos na rede SCADA, como um ataque de negação de serviço (DoS), e a falha de diversos dispositivos de campo. / Power grids have great influence on the development of the world economy. Given the importance of the electrical energy to our society, power grids are often target of network intrusion motivated by several causes. To minimize or even to mitigate the aftereffects of network intrusions, more secure protocols and standardization norms to enhance the security of power grids have been proposed. In addition, power grids are undergoing an intense process of modernization, and becoming highly dependent on networked systems used to monitor and manage power components. These so-called Smart Grids comprise energy generation, transmission, and distribution subsystems, which are monitored and managed by Supervisory Control and Data Acquisition (SCADA) systems. In this Masters dissertation, we investigate and discuss the applicability and benefits of using Software-Defined Networking (SDN) to assist in the deployment of next generation SCADA systems. We also propose an Intrusion Detection System (IDS) that relies on specific techniques of traffic classification and takes advantage of the characteristics of SCADA networks and of the adoption of SDN/OpenFlow. Our proposal relies on SDN to periodically gather statistics from network devices, which are then processed by One- Class Classification (OCC) algorithms. Given that attack traces in SCADA networks are scarce and not publicly disclosed by utility companies, the main advantage of using OCC algorithms is that they do not depend on known attack signatures to detect possible malicious traffic. As a proof-of-concept, we developed a prototype of our proposal. Finally, in our experimental evaluation, we observed the performance and accuracy of our prototype using two OCC-based Machine Learning (ML) algorithms, and considering anomalous events in the SCADA network, such as a Denial-of-Service (DoS), and the failure of several SCADA field devices.

Redes : Computadores

Seguranca : Redes : Computadores

Supervisory control and data acquisition

Software-defined networking

Smart grids

Network-based intrusion detection system

One-class classification

A one-class NIDS for SDN-based SCADA systems / Um NIDS baseado em OCC para sistemas SCADA baseados em SDN

Silva, Eduardo Germano da

January 2007

Sistemas elétricos possuem grande influência no desenvolvimento econômico mundial. Dada a importância da energia elétrica para nossa sociedade, os sistemas elétricos frequentemente são alvos de intrusões pela rede causadas pelas mais diversas motivações. Para minimizar ou até mesmo mitigar os efeitos de intrusões pela rede, estão sendo propostos mecanismos que aumentam o nível de segurança dos sistemas elétricos, como novos protocolos de comunicação e normas de padronização. Além disso, os sistemas elétricos estão passando por um intenso processo de modernização, tornando-os altamente dependentes de sistemas de rede responsáveis por monitorar e gerenciar componentes elétricos. Estes, então denominados Smart Grids, compreendem subsistemas de geração, transmissão, e distribuição elétrica, que são monitorados e gerenciados por sistemas de controle e aquisição de dados (SCADA). Nesta dissertação de mestrado, investigamos e discutimos a aplicabilidade e os benefícios da adoção de Redes Definidas por Software (SDN) para auxiliar o desenvolvimento da próxima geração de sistemas SCADA. Propomos também um sistema de detecção de intrusões (IDS) que utiliza técnicas específicas de classificação de tráfego e se beneficia de características das redes SCADA e do paradigma SDN/OpenFlow. Nossa proposta utiliza SDN para coletar periodicamente estatísticas de rede dos equipamentos SCADA, que são posteriormente processados por algoritmos de classificação baseados em exemplares de uma única classe (OCC). Dado que informações sobre ataques direcionados à sistemas SCADA são escassos e pouco divulgados publicamente por seus mantenedores, a principal vantagem ao utilizar algoritmos OCC é de que estes não dependem de assinaturas de ataques para detectar possíveis tráfegos maliciosos. Como prova de conceito, desenvolvemos um protótipo de nossa proposta. Por fim, em nossa avaliação experimental, observamos a performance e a acurácia de nosso protótipo utilizando dois tipos de algoritmos OCC, e considerando eventos anômalos na rede SCADA, como um ataque de negação de serviço (DoS), e a falha de diversos dispositivos de campo. / Power grids have great influence on the development of the world economy. Given the importance of the electrical energy to our society, power grids are often target of network intrusion motivated by several causes. To minimize or even to mitigate the aftereffects of network intrusions, more secure protocols and standardization norms to enhance the security of power grids have been proposed. In addition, power grids are undergoing an intense process of modernization, and becoming highly dependent on networked systems used to monitor and manage power components. These so-called Smart Grids comprise energy generation, transmission, and distribution subsystems, which are monitored and managed by Supervisory Control and Data Acquisition (SCADA) systems. In this Masters dissertation, we investigate and discuss the applicability and benefits of using Software-Defined Networking (SDN) to assist in the deployment of next generation SCADA systems. We also propose an Intrusion Detection System (IDS) that relies on specific techniques of traffic classification and takes advantage of the characteristics of SCADA networks and of the adoption of SDN/OpenFlow. Our proposal relies on SDN to periodically gather statistics from network devices, which are then processed by One- Class Classification (OCC) algorithms. Given that attack traces in SCADA networks are scarce and not publicly disclosed by utility companies, the main advantage of using OCC algorithms is that they do not depend on known attack signatures to detect possible malicious traffic. As a proof-of-concept, we developed a prototype of our proposal. Finally, in our experimental evaluation, we observed the performance and accuracy of our prototype using two OCC-based Machine Learning (ML) algorithms, and considering anomalous events in the SCADA network, such as a Denial-of-Service (DoS), and the failure of several SCADA field devices.

Redes : Computadores

Seguranca : Redes : Computadores

Supervisory control and data acquisition

Software-defined networking

Smart grids

Network-based intrusion detection system

One-class classification