About this Digital Document
To address major challenges to conventional electric grids (e.g., generation diversification and optimal deployment of expensive assets), full visibility and pervasive control over utilities' assets and services are being realized through the integration of energy, information, and communication infrastructure that forms the smart grid. As an indispensable component of the smart grid infrastructure, the Supervisory Control and Data Acquisition (SCADA) system interconnects field devices and computer servers within a power substation and allows operators to remotely control these devices and equipment from the control center. In recent years, switched Ethernet has gained growing popularity in power substations, and an increasing number of control tasks are now carried out by SCADA hosts exchanging data and commands over Ethernet. This paradigm (i.e., network-based distributed control, interconnectivity between SCADA hosts and among different SCADA sites) has raised concerns over power system reliability and cyber-security: network-induced delays experienced by SCADA network packets must be kept below task-specific upper bounds to ensure reliable system operation. In addition, SCADA hosts (e.g., protective relays, human-machine interfaces, and engineering workstations) must be protected from a wide range of cyber attacks. To address these concerns, techniques for delay performance analysis as well as solutions against cyber attacks on SCADA systems are designed and developed in this dissertation.

Specifically, this dissertation investigates the following research problems:

(i) Worst-case delay performance analysis for networked cyber-physical systems (CPSs): We first study the worst-case delay performance of Ethernet-based substation communication networks (SCNs) through a combination of measurements and network-calculus-based modeling, which enables SCN architects to estimate the delay performance of an SCN design under different operational scenarios. The outcome of this research task is a delay performance modeling and analysis framework that helps SCN architects verify whether the stringent delay performance requirements of critical control operations (e.g., tripping a circuit breaker to isolate a fault) are satisfied. Furthermore, we also analyze the wireless Parallel Redundancy Protocol (PRP) infrastructure recently proposed for industrial control systems (ICSs) and obtain closed-form expressions for the network-induced worst-case delays under general, non-feedforward traffic patterns.

(ii) Intrusion and botnet detection for SCADA networks: To protect SCADA systems from cyber attacks, we design network-based intrusion and botnet detection algorithms for SCADA systems. To detect SCADA hosts infected by peer-to-peer (P2P) botnets, we analyze the traffic patterns and characteristics of different SCADA hosts and identify those performing command and control (C&C) communication with other bots or the bot master. Besides botnets, cyber attacks targeting SCADA network protocols (e.g., DNP3) are one of the primary ways for attackers to disrupt system operation and cause physical damage. A deep-learning-based algorithm is devised to detect these attacks by analyzing the application-layer information of network packets.

(iii) Payload attack detection for programmable logic controllers (PLCs): Widely used in SCADA systems, PLCs are susceptible to a special class of attacks (known as PLC payload attacks) in which an attacker with PLC programming privilege injects malicious control logic into the PLC control program. To detect such attacks, we model the runtime behaviors of legitimate PLC control programs and detect malicious control programs with abnormal runtime behaviors at the PLC firmware level. Evaluation results obtained in a controlled lab environment and from a hardware-in-the-loop cybersecurity test bed show that our approach effectively identifies modification attacks on PLC control logic with acceptably low runtime overheads, making it a viable firmware enhancement scheme for existing and future ICS field devices.
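As an added illustration of the network-calculus style of worst-case delay bounding described under research problem (i), the following example (not the dissertation's own model or data) assumes that each SCN switch hop offers a rate-latency service curve, that a relay's trip-message flow is token-bucket constrained, and that the path parameters and the deadline are constructed values rather than measured or standardized ones.

```python
"""Worst-case delay bound for an SCN path via network calculus (added example).
Assumptions: each hop is a rate-latency service curve beta(t) = R*max(0, t-T);
the flow is token-bucket constrained, alpha(t) = b + r*t; all values constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLatencyHop:
    rate_bps: float    # R: guaranteed service rate of the hop (bit/s)
    latency_s: float   # T: worst-case latency before service begins (s)


@dataclass(frozen=True)
class TokenBucketFlow:
    rate_bps: float    # r: long-term arrival rate (bit/s)
    burst_bits: float  # b: maximum burst size (bits)


def end_to_end_service(path):
    """Concatenating rate-latency curves yields a rate-latency curve with
    R = min(R_i) and T = sum(T_i) (standard network-calculus result)."""
    return RateLatencyHop(min(h.rate_bps for h in path),
                          sum(h.latency_s for h in path))


def worst_case_delay(flow, path):
    """Delay bound = horizontal deviation between alpha and the end-to-end
    beta, i.e. T + b/R; it is finite only when r <= R."""
    svc = end_to_end_service(path)
    if flow.rate_bps > svc.rate_bps:
        raise ValueError("flow rate exceeds bottleneck rate: no finite bound")
    return svc.latency_s + flow.burst_bits / svc.rate_bps


def worst_case_backlog(flow, path):
    """Backlog bound = vertical deviation between alpha and beta: b + r*T."""
    svc = end_to_end_service(path)
    return flow.burst_bits + flow.rate_bps * svc.latency_s


def meets_deadline(flow, path, deadline_s):
    """Check a task-specific upper bound against the worst-case delay."""
    return worst_case_delay(flow, path) <= deadline_s


# Constructed SCN path: IED -> 100 Mbit/s access switch -> 1 Gbit/s core switch.
SCN_PATH = [RateLatencyHop(100e6, 50e-6), RateLatencyHop(1e9, 20e-6)]
TRIP_FLOW = TokenBucketFlow(rate_bps=1e6, burst_bits=12_000)  # ~1500-byte burst
TRIP_DEADLINE_S = 3e-3  # constructed requirement, not a standard's figure

if __name__ == "__main__":
    d = worst_case_delay(TRIP_FLOW, SCN_PATH)
    print(f"bound {d*1e6:.0f} us, ok: {meets_deadline(TRIP_FLOW, SCN_PATH, TRIP_DEADLINE_S)}")
```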