Abstract
The computations and input/output values of the intelligent electronic devices that monitor and operate an electrical substation depend strongly on the state of the power system. This chapter presents an approach that correlates the physical parameters of an electrical substation with the network traffic that intelligent electronic devices send over a substation automation network. Normal network traffic in a substation automation network is modeled as a directed, weighted graph, referred to as the model graph. The same graph modeling is applied to unknown network traffic. Determining whether or not unknown network traffic is normal is then cast as a subgraph isomorphism search: the normal packets in unknown traffic form a graph that is a subgraph of the model graph, whereas malware-generated packets in unknown traffic produce a graph that is not a subgraph of the model graph. Time series analysis of the network traffic is used to estimate the edge weights of the graphs, so that the subgraph isomorphism search finds structural matches with portions of the model graph as well as matches with the timing characteristics of normal network traffic. The approach is validated using samples drawn from recent industrial control system malware campaigns.
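The graph-matching step the abstract describes, as an added Python example that is not code from the paper: normal traffic becomes a model graph whose edge weights are mean packet inter-arrival times, and unknown traffic is accepted only if an Ullman-style backtracking search embeds its graph into the model graph with every edge weight inside a tolerance. The device names, their roles, the traffic records and the 25% tolerance are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean
# Constructed sample traffic, not from the paper: (time_s, src, dst) records.
def periodic(src, dst, period, n, start=0.0):
    return [(start + k * period, src, dst) for k in range(n)]

ROLES = {"ied1": "relay", "ied2": "relay", "gw": "gateway", "hmi": "hmi"}
NORMAL_LOG = (periodic("ied1", "gw", 1.0, 10) + periodic("ied2", "gw", 1.0, 10, 0.5)
              + periodic("gw", "hmi", 2.0, 5) + periodic("hmi", "gw", 4.0, 3))
UNKNOWN_OK = periodic("ied1", "gw", 1.05, 6) + periodic("gw", "hmi", 2.0, 4)
UNKNOWN_NEW_FLOW = periodic("ied1", "gw", 1.0, 6) + periodic("hmi", "ied2", 0.2, 5)
UNKNOWN_FAST = periodic("ied1", "gw", 0.1, 20)  # known flow at 10x its normal rate

def build_graph(log, roles):
    """Nodes labelled by device role; edge weight = mean src->dst inter-arrival (s)."""
    times = defaultdict(list)
    for t, s, d in log:
        times[(s, d)].append(t)
    edges = {}
    for (s, d), ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]  # ts is in arrival order
        edges[(s, d)] = mean(gaps) if gaps else None  # None: too few packets
    nodes = {n: roles[n] for e in edges for n in e}
    return nodes, edges

def find_embedding(unknown, model, tol=0.25):
    """Ullman-style backtracking: injective, role-preserving node map under which
    every unknown edge exists in the model with a weight within +/-tol."""
    (un, ue), (mn, me) = unknown, model
    order = list(un)
    def weight_ok(w_u, w_m):
        return w_u is None or w_m is None or abs(w_u - w_m) <= tol * w_m
    def consistent(mapping):  # check unknown edges whose both ends are mapped
        return all((mapping[a], mapping[b]) in me and weight_ok(w, me[(mapping[a], mapping[b])])
                   for (a, b), w in ue.items() if a in mapping and b in mapping)
    def extend(i, mapping):
        if i == len(order):
            return dict(mapping)
        u = order[i]
        for m, role in mn.items():
            if role == un[u] and m not in mapping.values():
                mapping[u] = m
                if consistent(mapping):
                    found = extend(i + 1, mapping)
                    if found is not None:
                        return found
                del mapping[u]
        return None  # no embedding: traffic is not a subgraph of normal traffic
    return extend(0, {})

MODEL = build_graph(NORMAL_LOG, ROLES)  # model graph built from normal traffic
```

A returned mapping says the unknown traffic is structurally and temporally consistent with normal traffic; `None` flags either a flow the model never saw or a known flow at an abnormal rate.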
Copyright information
© 2017 IFIP International Federation for Information Processing
Cite this paper
Leierzapf, M., Rrushi, J. (2017). NETWORK FORENSIC ANALYSIS OF ELECTRICAL SUBSTATION AUTOMATION TRAFFIC. In: Rice, M., Shenoi, S. (eds) Critical Infrastructure Protection XI. ICCIP 2017. IFIP Advances in Information and Communication Technology, vol 512. Springer, Cham. https://doi.org/10.1007/978-3-319-70395-4_4
DOI: https://doi.org/10.1007/978-3-319-70395-4_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70394-7
Online ISBN: 978-3-319-70395-4
eBook Packages: Computer Science, Computer Science (R0)