Dealing with Advanced Persistent Threats in Smart Grid ICT Networks

With the increasing use of novel smart grid technologies, a comprehensive ICT network will be established in parallel to the electricity grid, which due to its large size, number of participants and access points will be exposed to similar threats as those seen on the current Internet. However, modern security systems that are applied in today's highly dynamic ICT networks, including malware scanners and intrusion detection systems, apply a kind of black-list approach, where they consider only actions and behavior that match to well-known attack patterns and signatures of malware traces. We argue that for the smart grid a more restrictive approach, that cannot be circumvented by customized malware, will increase the security level tremendously. Therefore, in this paper we present a smart white-list approach. Our anomaly detection technique keeps track of system events, their dependencies and occurrences, and thus learns the normal system behavior over time and reports all actions that differ from the created system model. The application of such a system is promising in a smart grid environment which mostly implements well-specified processes, resulting in rather predictable and static behavior. We demonstrate the application of the system in a small-scale pilot case of a real utility provider.