Visually Explainable and Actionable Alert System in SCADA Networks

Summary Statement

The objective is to develop and deploy an actionable alert system that comprehends multi-level (network, operational, and data content) alerts obtained from monitoring EDS OT systems and networks. Multi-level alerts will be aggregated into meta-alerts, ranked by operational relevance, and visualized in real time. We will explore causal reasoning, attack polytrees, and probabilistic belief approaches to visually explain the likely root causes of alerts, meta-alerts, and security events. This visualization will also present recommended remedial actions to the operator. Aggregation and ranking deal with alert volume, while agile streaming will cope with velocity. The heterogeneity of data sources introduces variety, which will be addressed by multi-level aggregation approaches. To address veracity, we will develop confidence coefficients for raw alerts and a methodology to propagate them through aggregation to the resulting meta-alerts.

We will deploy components of NREL’s Cyber Range Platform, which is a novel emulation platform for achieving real-time visualization of large-scale EDS environments with large numbers of cyber-physical devices. It allows the environment to include real, physical hardware, along with emulated devices communicating with each other as part of the same system. The Cyber Range Platform is also capable of streaming, collecting, storing, transporting, and visualizing all data within the emulated environment. At present, we are using the IEC 61850 standard and the Generic Object-Oriented Substation Event (GOOSE) message protocol.

Energy Delivery System (EDS) Gap Analysis

EDS SCADA systems increasingly employ routable network protocols, software-defined infrastructures, and measurement and control devices with sophisticated cyber capability. This results in the need for “big data” capabilities to deal with the volume, velocity, variety, and veracity of operational as well as security event traffic. It also introduces an ever-growing number of attack points. Previous and ongoing research by this team and others into anomaly detection at the transport, operational, and content level produces a huge number of alerts that are difficult for an operator to understand. The lack of systems to intelligently deal with the volume, velocity, veracity, and variety of these data is a significant gap in securing EDS OT.

More Information

We have finished the generation of simulated anomalies and alerts on GOOSE data. The result is a simulated alert system for GOOSE protocol data with an alert generator, an alert aggregator, and an alert visualizer. The simulated alert generation was based on errors, faults, and attacks observed in GOOSE messages. We also tested the alert generation rate and the aggregation rate, since if alerts are generated too quickly the operator will stop paying attention to them. We have experimented with timing issues in alert aggregation (e.g., how many alerts to include per aggregate, how fast to aggregate, and how much delay aggregation introduces). We have experimented with aggregation queues and their corresponding buffering schemes, such as RED (Random Early Drop), to deal with overflows in aggregation.
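The aggregation-queue behaviour described above (a per-meta-alert threshold, a maximum aggregation delay, and RED-style early dropping under overload), as an added example that is not the project's own code. The alert field names (`t`, `publisher`, `kind`) and all parameter values are assumptions made for this example.

```python
import random
from collections import Counter, deque

# Hypothetical aggregator for GOOSE anomaly alerts (example code, not the project's
# own). A raw alert is a dict {"t": seconds, "publisher": IED name, "kind": anomaly
# type}; these field names are assumptions made for this example.

def red_drop_probability(avg_len, min_th, max_th, max_p):
    """Classic RED: no drops below min_th, linear ramp to max_p, drop all at max_th."""
    if avg_len < min_th:
        return 0.0
    if avg_len >= max_th:
        return 1.0
    return max_p * (avg_len - min_th) / (max_th - min_th)

def summarize(batch):
    kinds = Counter(a["kind"] for a in batch)   # collapse a batch into one meta-alert
    return {"count": len(batch),
            "publishers": sorted({a["publisher"] for a in batch}),
            "top_kind": kinds.most_common(1)[0][0],
            "t_first": batch[0]["t"], "t_last": batch[-1]["t"]}

class REDAlertAggregator:
    def __init__(self, threshold, max_delay, min_th, max_th, max_p, weight=0.2, seed=0):
        self.threshold = threshold    # raw alerts per meta-alert
        self.max_delay = max_delay    # seconds a partial batch may wait before flushing
        self.min_th, self.max_th, self.max_p = min_th, max_th, max_p
        self.weight = weight          # EWMA weight for the average queue length
        self.queue, self.avg_len = deque(), 0.0
        self.dropped, self.meta_alerts = 0, []
        self._rng = random.Random(seed)

    def offer(self, alert):
        """Enqueue a raw alert, or RED-drop it when the aggregation queue runs hot."""
        self.avg_len = (1 - self.weight) * self.avg_len + self.weight * len(self.queue)
        p_drop = red_drop_probability(self.avg_len, self.min_th, self.max_th, self.max_p)
        if self._rng.random() < p_drop:
            self.dropped += 1
            return False
        self.queue.append(alert)
        return True

    def aggregate(self, now):
        """Emit full batches; flush a partial batch once its oldest alert has waited max_delay."""
        while len(self.queue) >= self.threshold:
            self.meta_alerts.append(summarize([self.queue.popleft() for _ in range(self.threshold)]))
        if self.queue and now - self.queue[0]["t"] >= self.max_delay:
            self.meta_alerts.append(summarize(list(self.queue)))
            self.queue.clear()
        return self.meta_alerts
```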

The contributions of this project are (1) the software development of the simulated alert system for GOOSE data; (2) the development of flexible algorithms for the alert system, i.e., the alert generation system can model an arbitrary GOOSE network and test different aggregation rates, aggregation thresholds, and packet drop rates; (3) the software development of the alert visualization using the Grafana software tool as the front end of the alert system; (4) the development of the end-to-end GOOSE traffic simulation.

Software Contributions: The code of this project is stored on GitHub: https://github.com/judebattista/gooseAlertTrafficAnalysis. For further access to the GitHub repository, the contact person is the research assistant Jude Battista (judeb2@illinois.edu).

  • Status of Activity: Inactive
  • Industry Collaborators: National Renewable Energy Lab