A Novel Trust Model In Detecting Final-Phase Attacks in Substations

Abstract

A substation’s security is paramount because it is an integral part of the Smart Grid for the transmission and distribution of electricity. Advanced persistent threats (APTs) have become the bane of the substation because they can remain undetected for a period until final attacks are launched. A lot of existing techniques may not be real-time enough to detect these final attacks. Trust, even though less investigated, can be used to tackle these attacks. In this paper, we present a trust model designed specifically for the Modbus communication protocol that can detect final attacks from APTs when a substation is compromised. This model is formed from the perspective of the substation device and was successfully tested on two publicly available Modbus datasets under three testing scenarios. The external test, the internal test, and the internal test with IP-MAC blacklisting. The first test assumes attackers’ IP, and MAC addresses are not part of the substation network, and the other two assume otherwise. Our model detected the attacks within each dataset and also revealed the attack behaviour within the two datasets. Our model can also be extended to other protocols, and this has been marked for future work.