Visible to the public D-IDS for Cyber-Physical DER Modbus System - Architecture, Modeling, Testbed-based Evaluation

TitleD-IDS for Cyber-Physical DER Modbus System - Architecture, Modeling, Testbed-based Evaluation
Publication TypeConference Paper
Year of Publication2020
AuthorsRavikumar, G., Singh, A., Babu, J. R., A, A. Moataz, Govindarasu, M.
Conference Name2020 Resilience Week (RWS)
Keywordsanalog data points, composability, Computational modeling, Computer architecture, computer network security, cps security, cyber-physical DER Modbus devices, D-IDS, data integrity, Data models, data-integrity attacks, Denial of Service attacks, DER, DER inverters, DER Modbus communication, discrete data points, distributed energy resources, distributed intrusion detection system, distribution networks, DoS packets, DoS type attacks, Hardware-in-the-Loop, hardware-in-the-loop CPS DER, IDS, IDS detection accuracy, IDS detection rate, IEEE 13-bus distribution grid, Modbus, Modbus-specific IDS rule sets, model-based approach, native clear-text packet, open- source IDS rule syntax formats, physics-based threshold bands, Protocols, pubcrawl, resilience, Resiliency, Smart grid, standard protocols, Standards, Syntactics, testbed-based evaluation, time 0.25 ms, Timing, transaction-based threshold bands
AbstractIncreasing penetration of distributed energy resources (DERs) in distribution networks expands the cyberattack surface. Moreover, the widely used standard protocols for communicating DER inverters such as Modbus is more vulnerable to data-integrity attacks and denial of service (DoS) attacks because of its native clear-text packet format. This paper proposes a distributed intrusion detection system (D-IDS) architecture and algorithms for detecting anomalies on the DER Modbus communication. We devised a model-based approach to define physics-based threshold bands for analog data points and transaction-based threshold bands for both the analog and discrete data points. The proposed IDS algorithm uses the model- based approach to develop Modbus-specific IDS rule sets, which can enhance the detection accuracy of the anomalies either by data-integrity attacks or maloperation on cyber-physical DER Modbus devices. Further, the IDS algorithm autogenerates the Modbus-specific IDS rulesets in compliance with various open- source IDS rule syntax formats, such as Snort and Suricata, for seamless integration and mitigation of semantic/syntax errors in the development and production environment. We considered the IEEE 13-bus distribution grid, including DERs, as a case study. We conducted various DoS type attacks and data-integrity attacks on the hardware-in-the-loop (HIL) CPS DER testbed at ISU to evaluate the proposed D-IDS. Consequently, we computed the performance metrics such as IDS detection accuracy, IDS detection rate, and end-to-end latency. The results demonstrated that 100% detection accuracy, 100% detection rate for 60k DoS packets, 99.96% detection rate for 80k DoS packets, and 0.25 ms end-to-end latency between DERs to Control Center.
Citation Keyravikumar_d-ids_2020