Causal Event Graphs Cyber-physical System Intrusion Detection System

Shengyi Pan, Thomas H. Morris, Uttam Adhikari
Mississippi State University
Mississippi State, MS, 39762
morris@ece.msstate.edu

Vahid Madani
Pacific Gas and Electric Company
San Francisco, CA 94105
vxm6@pge.com

ABSTRACT

This paper proposes to model the causal relationships between devices in a cyber-physical system using Bayesian networks and a new Bayesian network expansion called causal event graphs. Unique paths through causal event graphs are used to model deterministic signatures which can be used by an intrusion detection system to classify events. A case study is provided to demonstrate the effectiveness of the method for classifying cyber and physical events in an electric transmission system.

Bulk electric transmission systems are dynamic cyber-physical systems. Cyber monitoring and control systems are used to remotely operate the power system and to detect and react to physical disturbances. The communication layer associated with this monitoring and control functionality also enables cyber attacks against transmission systems. Existing regulations require utilities to use monitoring techniques such as intrusion detection systems to monitor cyber activity at electronic security perimeter boundaries. Recent attacks demonstrate that monitoring restricted to boundaries is insufficient to detect all attack threats. The methodology described in this paper provides a means to develop a model-based defense-in-depth solution for electric transmission system intrusion detection.

Categories and Subject Descriptors
C.3 [Special-Purpose and Application-Based Systems]: process control systems

General Terms
Measurement, Experimentation, Security

Keywords
Smart Grid, Cybersecurity

1. INTRODUCTION

This paper introduces causal event graphs (CEG) as a tool for deriving deterministic intrusion detection system (IDS) signatures for classification of cyber-physical system behaviors.
Member nodes in the CEG are observable events. Edges in the CEG are allowed transitions between nodes. Cyber attacks and normal operation scenarios are mapped to a CEG. If each scenario of interest follows a unique path through the graph, then deterministic signatures based upon these unique paths can be derived to classify each scenario in real time. In practice the graph is expanded with additional nodes until a unique path exists for each scenario of interest.

The body of this paper includes an introduction to CEG. That section reviews Bayesian networks and details the conversion of a Bayesian network to a CEG. Example Bayesian networks and CEGs are provided, as well as a brief mathematical description of each. A case study is offered to demonstrate the effectiveness of using CEG to create IDS signatures for classifying cyber attacks and normal power system disturbances in an electric transmission system substation.

A single disturbance in an electric power system can lead to cascading failures across an interconnection. Because electric power systems are cyber-physical systems, they are also subject to cyber attacks which may lead to similar cascading failures if undetected and unmitigated. Modern electric power systems are currently being upgraded with synchrophasor technologies to provide improved wide area monitoring accuracy by measuring voltage and current phasors at sampling rates of up to 120 samples per second. Wide Area Monitoring Systems (WAMS) will provide improved state estimation accuracy [1] and support new disturbance classification techniques such as stream data mining [2], small signal oscillation detection [3], and phase angle separation detection, among many other proposed techniques. WAMS will allow operators to detect and react to power system disturbances faster than with existing methods.
The data from Wide Area Monitoring Systems can be used as a redundant source of information which enables model-based intrusion detection derived from causal event graphs. Networked appliances in power systems, including protection relays, phasor measurement units (PMU), phasor data concentrators (PDC), substation personal computers (PC), and control center PCs, are subject to denial of service, data injection, and control injection attacks. Denial of Service (DOS) attacks attempt to disrupt the communication link between networked devices in a control system to prevent physical process monitoring and control. Data injection attacks inject false sensor measurement data into the feedback control loop of a control system. Control injection attacks inject falsified, invalid control actions to force a physical system to misoperate.

The included case study models the following scenarios with a CEG: a control injection attack to remotely trip a protection relay; valid remote tripping of a relay by an operator in a control room; a data injection attack which alters synchrophasor data to simulate an open breaker by zeroing current values; a data injection attack which simulates an over-current fault by increasing current values above the over-current thresholds; a relay tripping due to a valid fault; and a relay tripping due to a command entered at the relay faceplate. An IDS is built to detect and classify each scenario. The IDS signatures for each scenario were derived from the CEG and validated by implementing the aforementioned scenarios in a hardware-in-the-loop test bed.

CSIIRW’12, October 30 - November 2, 2012, Oak Ridge, TN, USA. Copyright 2012 ACM 1-58113-000-0/00/0010…$15.00.
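The following is an added illustration, not code from the paper: a toy CEG whose nodes and edges are constructed event names standing in for the six case-study scenarios above, a check that every scenario has a distinct allowed path (the condition under which deterministic signatures exist), and a classifier that matches an observed event window against those paths.

```python
# Constructed causal event graph (CEG): nodes are observable events, edges are
# allowed transitions. Event names and paths are illustrative assumptions, not
# the paper's own signatures.
CEG_EDGES = {
    ("start", "fault_current_in_pmu"),
    ("start", "zero_current_in_pmu"),
    ("start", "hmi_trip_command_logged"),
    ("start", "trip_packet_on_network"),
    ("start", "faceplate_trip_logged"),
    ("hmi_trip_command_logged", "trip_packet_on_network"),
    ("trip_packet_on_network", "relay_trip"),
    ("fault_current_in_pmu", "relay_trip"),
    ("faceplate_trip_logged", "relay_trip"),
    ("relay_trip", "zero_current_in_pmu"),  # breaker opens after the relay trips
}

# One constructed path per scenario of interest (the six from the case study).
SCENARIOS = {
    "valid_fault_trip": ("start", "fault_current_in_pmu", "relay_trip", "zero_current_in_pmu"),
    "operator_remote_trip": ("start", "hmi_trip_command_logged", "trip_packet_on_network",
                             "relay_trip", "zero_current_in_pmu"),
    "control_injection_trip": ("start", "trip_packet_on_network", "relay_trip", "zero_current_in_pmu"),
    "faceplate_trip": ("start", "faceplate_trip_logged", "relay_trip", "zero_current_in_pmu"),
    # Data injection alters PMU data only, so no relay trip ever follows.
    "data_injection_open_breaker": ("start", "zero_current_in_pmu"),
    "data_injection_overcurrent": ("start", "fault_current_in_pmu"),
}


def path_is_allowed(path, edges=CEG_EDGES):
    """True if every consecutive event pair is an edge of the CEG."""
    return all((a, b) in edges for a, b in zip(path, path[1:]))


def signatures_are_deterministic(scenarios=SCENARIOS, edges=CEG_EDGES):
    """Signatures are usable only if each scenario has a distinct, allowed path."""
    paths = list(scenarios.values())
    return all(path_is_allowed(p, edges) for p in paths) and len(set(paths)) == len(paths)


def classify(events, scenarios=SCENARIOS, edges=CEG_EDGES):
    """Classify a complete observation window. A prefix path (e.g. the
    over-current data injection) is distinct from its longer extension."""
    path = ("start",) + tuple(events)
    if not path_is_allowed(path, edges):
        return "unknown_transition"
    return next((name for name, sig in scenarios.items() if sig == path), "unclassified")
```

If a real deployment's scenarios collide on a path, `signatures_are_deterministic` returns False, which is the cue to expand the graph with more observable nodes as the text describes.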