Tracking Real-time Anomalies in Cyber-Physical Systems Through Dynamic Behavioral Analysis
Prashanth Krishnamurthy, Ali Rasteh, Ramesh Karri, Farshad Khorrami
TL;DR
This paper tackles real-time anomaly detection in cyber-physical power systems by introducing TRAPS, a unified framework that converts heterogeneous network traffic into semantic tag time series and evaluates them against signal temporal logic properties. The approach spans network-focused, controller-focused, system-focused, and cross-domain monitoring, enabling rapid anomaly localization and operator visualization. Demonstrated on a hardware-in-the-loop smart grid testbed with diverse attacks (FDI, FCI, MITM, DoS), TRAPS achieves low processing latency and scalable throughput, validating its practicality for industrial CPS security. The work advances CPS security by providing a flexible, end-to-end monitoring and visualization platform that can incorporate future time-series learning for enhanced robustness and adaptability.
Abstract
Increased connectivity and remote reprogrammability/reconfigurability features of embedded devices in current-day power systems (including interconnections between information technology -- IT -- and operational technology -- OT -- networks) enable greater agility, reduced operator workload, and enhanced power system performance and capabilities. However, these features also expose a wider cyber-attack surface, underscoring the need for robust real-time monitoring and anomaly detection in power systems, and more generally in Cyber-Physical Systems (CPS). The increasingly complex, diverse, and potentially untrustworthy software and hardware supply chains make the need for robust security tools even more stringent. We propose a novel framework for real-time monitoring and anomaly detection in CPS, specifically smart grid substations and SCADA systems. The proposed method enables real-time signal temporal logic condition-based anomaly monitoring by processing raw captured packets from the communication network through a hierarchical semantic extraction and tag processing pipeline into time series of semantic events and observations, which are then evaluated against expected temporal properties to detect and localize anomalies. We demonstrate the efficacy of our methodology on a hardware-in-the-loop testbed, including multiple physical power equipment (real-time automation controllers and relays) and simulated devices (Phasor Measurement Units -- PMUs, relays, Phasor Data Concentrators -- PDCs), interfaced to a dynamic power system simulator. The performance and accuracy of the proposed system are evaluated on multiple attack scenarios on our testbed.
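To make the monitoring idea concrete, the following is an added toy illustration (not TRAPS's code, and not from the paper) of the final stage of the pipeline: a semantic tag time series, here a constructed stream of PMU/PDC events, is checked against a bounded-response signal temporal logic property, and each trigger time at which the property fails is reported, which is what lets an operator localize the anomaly in time. The device names, tag names and the 0.5 s deadline are assumptions chosen for the example.

```python
from typing import List, Tuple

# Constructed sample tag series (time in seconds, source device, semantic tag),
# as it might be emitted by a semantic extraction pipeline. Not real capture data.
EVENTS: List[Tuple[float, str, str]] = [
    (0.0, "pmu1", "measurement_report"),
    (0.1, "pdc1", "forward_measurement"),
    (1.0, "pmu1", "measurement_report"),
    (1.1, "pdc1", "forward_measurement"),
    (2.0, "pmu1", "measurement_report"),
    # constructed gap: the forward for the t=2.0 report never appears
    (3.0, "pmu1", "measurement_report"),
    (3.2, "pdc1", "forward_measurement"),
]


def signal(events: List[Tuple[float, str, str]], tag: str) -> List[float]:
    """Boolean signal for `tag`: the sorted timestamps at which it was observed."""
    return sorted(t for t, _, tg in events if tg == tag)


def eventually(times: List[float], t: float, lo: float, hi: float) -> bool:
    """STL F_[lo,hi] p evaluated at time t: p holds somewhere in [t+lo, t+hi]."""
    return any(t + lo <= u <= t + hi for u in times)


def check_response(events: List[Tuple[float, str, str]], trigger: str,
                   response: str, deadline: float) -> List[float]:
    """Monitor G( trigger -> F_[0,deadline] response ) over the tag series.

    Returns the trigger timestamps at which no response arrived in time,
    i.e. the points where the property is violated and an anomaly is localized.
    """
    responses = signal(events, response)
    return [t for t in signal(events, trigger)
            if not eventually(responses, t, 0.0, deadline)]


if __name__ == "__main__":
    # Expected: the report at t=2.0 was never forwarded within 0.5 s.
    print(check_response(EVENTS, "measurement_report", "forward_measurement", 0.5))
```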
