On Process Awareness in Detecting Multi-stage Cyberattacks in Smart Grids
Omer Sen, Yanico Aust, Simon Glomb, Andreas Ulbig
TL;DR
This work addresses the rising cybersecurity risks in smart grids caused by extensive ICT integration by advocating for process-aware intrusion detection systems (IDS) that leverage domain knowledge of grid operations. It presents a co-simulation framework spanning IT, OT, and ET layers to evaluate ML-based IDS against multi-stage cyberattacks, using MITRE ATT&CK for ICS as the attack taxonomy and SHAP for explainability. The study demonstrates that process-aware IDS outperform IT-only approaches in detecting process-centric threats, such as IEC 104 manipulations, by fusing indicators across IT, OT, and ET and employing an ensemble meta-learning architecture. The findings highlight the need for richer IDS benchmarks and digital twin datasets in smart grid environments to improve resilience and enable practical deployment of explainable, robust anomaly detection.
Abstract
This study examines the role of process awareness in improving intrusion detection in Smart Grids, given the increasing integration of ICT into power systems and the threats that accompany it. The research uses a co-simulation environment spanning the IT, OT, and ET layers to model multi-stage cyberattacks and to evaluate machine learning-based IDS strategies. The key observation is that process-aware IDS detect attacks more reliably than IT-only IDS, especially in scenarios closely tied to operational processes. This improvement is most notable in distinguishing complex cyber threats from regular IT activity. The findings underscore the need for more sophisticated IDS benchmarks and digital twin datasets in Smart Grid environments, paving the way for more resilient cybersecurity infrastructures.
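The TL;DR describes the two ingredients that make the process-aware IDS work: indicators computed separately on the IT, OT, and ET layers, and an ensemble meta-learner that fuses them so that an IEC 104 manipulation sent over a perfectly normal-looking session is still caught. The following is an added illustration of that architecture in plain Python; it is not the paper's code or dataset. The IEC 104 ASDU type identifiers are the standard ones, but the IOA whitelist, the line-loading sensitivity, the 500 pkt/s burst threshold, the training events, and the hand-rolled logistic-regression meta-learner are all assumptions constructed for this example.

```python
"""Process-aware IDS fusion: an added illustration, not the paper's code.

Each IEC 104 command event is scored by three per-layer indicators
(IT network, OT protocol, ET process) and a stacked logistic-regression
meta-learner fuses them. Every threshold, IOA, sensitivity and event below
is an assumption constructed for this example.
"""
import math

# IEC 60870-5-104 ASDU type identifiers (standard values).
C_SC_NA_1 = 45   # single command (breaker open/close)
C_SE_NC_1 = 50   # setpoint command, short floating point
M_ME_NC_1 = 13   # measured value, short floating point (monitoring direction)

# Assumed OT whitelist: ASDU types that are legitimate per information object.
IOA_ALLOWED_TYPES = {
    1001: {C_SE_NC_1},  # generator active-power setpoint [MW]
    2001: {C_SC_NA_1},  # feeder breaker
}
# Assumed process model: 1 MW of setpoint change on IOA 1001 shifts the
# monitored line loading by LINE_SENS percentage points.
LINE_SENS = 0.8
LINE_LIMIT_PCT = 100.0


def it_score(ev):
    """IT indicator: unknown source host, or packet burst (>=500 pkt/s assumed)."""
    if not ev["src_known"]:
        return 1.0
    return min(ev["pkt_rate"] / 500.0, 1.0)


def ot_score(ev):
    """OT indicator: ASDU type not whitelisted for the addressed IOA."""
    return 0.0 if ev["asdu_type"] in IOA_ALLOWED_TYPES.get(ev["ioa"], set()) else 1.0


def et_score(ev):
    """ET (process-aware) indicator: predicted line loading after the setpoint
    is applied, scaled from 0 at 80 % loading to 1 at the thermal limit."""
    if ev["asdu_type"] != C_SE_NC_1 or ev["ioa"] != 1001:
        return 0.0
    delta_mw = ev["value"] - ev["current_setpoint_mw"]
    predicted = ev["line_load_pct"] + LINE_SENS * delta_mw
    return max(0.0, min(1.0, (predicted - 80.0) / (LINE_LIMIT_PCT - 80.0)))


def features(ev):
    return [it_score(ev), ot_score(ev), et_score(ev)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_meta(events, labels, epochs=3000, lr=0.5):
    """Stacked meta-learner: logistic regression over the three layer scores,
    fitted by batch gradient descent (plain Python, no external libraries)."""
    w, b = [0.0, 0.0, 0.0], 0.0
    n = len(events)
    for _ in range(epochs):
        gw, gb = [0.0, 0.0, 0.0], 0.0
        for ev, y in zip(events, labels):
            x = features(ev)
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def fused_score(model, ev):
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features(ev))) + b)


def cmd(src_known, pkt_rate, asdu_type, ioa, value=0.0, current=0.0, load=0.0):
    return {"src_known": src_known, "pkt_rate": pkt_rate, "asdu_type": asdu_type,
            "ioa": ioa, "value": value, "current_setpoint_mw": current,
            "line_load_pct": load}


# Constructed labelled training events (0 = benign operation, 1 = attack).
TRAIN = [
    (cmd(True, 20, C_SE_NC_1, 1001, 55, 50, 60), 0),   # routine redispatch
    (cmd(True, 15, C_SC_NA_1, 2001), 0),               # scheduled switching
    (cmd(True, 30, C_SE_NC_1, 1001, 45, 50, 70), 0),
    (cmd(True, 25, C_SE_NC_1, 1001, 60, 50, 70), 0),
    (cmd(False, 800, M_ME_NC_1, 1001), 1),             # scan from unknown host
    (cmd(True, 20, C_SE_NC_1, 1001, 90, 50, 85), 1),   # overload via valid session
    (cmd(True, 18, C_SC_NA_1, 1001), 1),               # wrong ASDU type for IOA
    (cmd(True, 22, C_SE_NC_1, 1001, 75, 50, 80), 1),
]


def detect(model, ev, threshold=0.5):
    """Return (it_only_alert, process_aware_alert) for one event."""
    return it_score(ev) >= threshold, fused_score(model, ev) >= threshold


def demo():
    model = train_meta([e for e, _ in TRAIN], [y for _, y in TRAIN])
    # Constructed test case: a process-centric IEC 104 manipulation sent over an
    # established session from a known host, protocol-conformant, but pushing
    # the line to about 118 % loading.
    stealthy = cmd(True, 20, C_SE_NC_1, 1001, 95, 50, 82)
    benign = cmd(True, 20, C_SE_NC_1, 1001, 52, 50, 65)
    return {"stealthy": detect(model, stealthy), "benign": detect(model, benign)}


if __name__ == "__main__":
    print(demo())  # stealthy: IT-only misses it, fused model alerts; benign: no alerts
```

The point the example makes is the one the paper argues: the stealthy setpoint command has an IT score near zero and a clean OT profile, so any detector confined to the IT layer stays silent, while the ET indicator (a one-line physical plausibility check against the assumed process model) carries the signal and the meta-learner learns to weight it. In a real deployment the process model would come from the grid digital twin and the per-layer detectors would be trained models rather than hand-written rules, which is exactly why the paper calls for richer co-simulation datasets.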
