
How would we know

2011 
Modern power system monitoring, protection, automation, and control rely on communications and computing technology. Along with the benefits of these technologies come some risks of electronic or cyber attack. There are legitimate concerns about how inadequate information security (cyber security) is affecting electric power systems and other critical infrastructure. As a result of cyber security threats, both governments and industry are putting forth significant effort to improve critical infrastructure security. In the United States, for example, electric power utilities must now follow a set of cyber security standards. Security practices are evolving and improving, and new products and architectures are being developed and applied to counter the ever-increasing sophistication of attacker exploits that attempt to access, inspect, manipulate, and control critical infrastructure control systems. A fundamental question is “How would we know if our assets are being explored and exploited?” An attack strategy would likely include a number of initial probes, data collection, tests, and other activities as the adversary develops intelligence and capabilities against a target. To counter this strategy, asset owners need to detect the activities of the intruder. In part, this paper takes the perspective of an engineer investigating a FICTITIOUS incident, using the records and “fingerprints” an attacker would likely leave behind, which we can use to identify when our systems have been compromised. The paper explains how to answer the question using the many tools readily available in devices and systems in service today. These tools include access logs and syslogs, event reports, sequential events reports, information at adjacent stations, alarms, and precision timing. We also investigate some system design choices that make the process of answering the question easier. Finally, we make some recommendations that not only help answer the question “How would we know?” but also make an adversary's job much more difficult.