Runtime Semantic Security Analysis to Detect and Mitigate Control-Related Attacks in Power Grids

In this paper, we analyze control-related attacks in supervisory control and data acquisition systems for power grids. This class of attacks introduces a serious threat to power systems, because attackers can directly change the system’s physical configuration using malicious control commands crafted in a legitimate format. To detect such attacks, we propose a semantic analysis framework that integrates network intrusion detection systems with a power flow analysis capable of estimating the execution consequences of control commands. To balance detection accuracy and latency, the parameters of the power flow analysis algorithm are dynamically adapted according to real-time system dynamics. Our experiments on IEEE 24-bus, 30-bus, and 39-bus systems and a 2736-bus system demonstrate that by opening three transmission lines, an attacker can put the tested system into an insecure state, and the semantic analysis can complete detection in 200 ms for the large-scale 2736-bus system with about 0.78% false positives and 0.01% false negatives, which allow for timely responses to intrusions.