Tracing the sources of cyber-attacks in Power Industrial Control Systems (PICS) can help defense systems block the attacks and support decisions on grid control policies. However, there has been no work on cyber-attack source traceback for PICS, and the methods designed for the Internet are not suitable for PICS in terms of granularity, real-time performance, and supported communication protocols. Therefore, a method for tracing cyber-attacks in PICS is proposed. First, the communication network architecture of PICS and the cyber security threats to PICS are analyzed. Then, an extended hybrid tracing method (ExtHT) based on packet marking and packet logging is proposed. This method involves all devices operating at the data link layer and above, which allows more fine-grained attack tracing. At the same time, taking the cost of attack tracing into consideration, a coarse-grained tracing mode is presented to improve tracing speed. In addition, a log database optimization scheme is provided to reduce storage costs. To facilitate the application of this method in practice, a cyber-attack source tracing system and its deployment architecture are designed for PICS. Further, the applicability and limitations of ExtHT are analyzed, theoretical arguments are given to justify ExtHT, and its performance is compared with that of existing mainstream methods. Finally, two cyber-attack scenarios against PICS are constructed, and the feasibility of ExtHT is verified on them.
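The following is an added illustration of the general hybrid packet-marking/packet-logging traceback idea that the abstract builds on; it is not the paper's ExtHT and was not written by its authors. It assumes a constructed topology of link-layer switches (S1, S2, S3) and routers (R1, R2), a mark field that holds at most two device identifiers, and a packet digest computed over the fields that do not change in transit. Each device marks the packet while the mark field has room; when the field is full it logs the packet digest together with the marks it arrived with, clears the field, and writes its own identifier. The victim then reconstructs the path by reading the final marks and querying the logs backwards. The coarse-grained flag skips link-layer devices, mirroring the trade-off between tracing granularity and tracing cost described above.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

MARK_SLOTS = 2  # assumption: the mark field carries at most two device identifiers


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    marks: List[str] = field(default_factory=list)  # rewritten in transit

    def digest(self) -> str:
        # Digest over invariant fields only; the mark field is excluded because
        # devices overwrite it along the path.
        h = hashlib.sha256(self.src.encode() + b"|" + self.dst.encode() + b"|" + self.payload)
        return h.hexdigest()[:16]


@dataclass
class Device:
    dev_id: str
    layer: str  # "L2" for a switch, "L3" for a router or gateway
    # Log stores only (digest -> upstream marks), not whole packets, which keeps
    # the per-device storage small.
    log: Dict[str, List[str]] = field(default_factory=dict)

    def forward(self, pkt: Packet, fine_grained: bool = True) -> Packet:
        if self.layer == "L2" and not fine_grained:
            return pkt  # coarse-grained mode: link-layer devices neither mark nor log
        if len(pkt.marks) < MARK_SLOTS:
            pkt.marks.append(self.dev_id)  # marking mode
        else:
            # Logging mode: remember the upstream marks for this packet, then
            # restart the mark field with our own identifier.
            self.log[pkt.digest()] = list(pkt.marks)
            pkt.marks = [self.dev_id]
        return pkt


def trace_back(pkt: Packet, devices: Dict[str, Device]) -> List[str]:
    """Reconstruct the upstream-to-downstream device path of a received packet."""
    digest = pkt.digest()
    path: List[str] = []
    marks = list(pkt.marks)
    while marks:
        path = marks + path
        # The first device in a mark group is the one that logged the previous
        # group (if any); ask it what the packet carried on arrival.
        marks = devices[marks[0]].log.get(digest, [])
    return path


def build_topology() -> Dict[str, Device]:
    # Constructed sample topology: attacker host -> S1 -> S2 -> R1 -> R2 -> S3 -> victim
    devs = [Device("S1", "L2"), Device("S2", "L2"), Device("R1", "L3"),
            Device("R2", "L3"), Device("S3", "L2")]
    return {d.dev_id: d for d in devs}


FORWARDING_PATH = ["S1", "S2", "R1", "R2", "S3"]


def run_scenario(fine_grained: bool = True) -> List[str]:
    devices = build_topology()
    pkt = Packet("10.0.0.5", "10.0.1.20", b"constructed sample payload")
    for dev_id in FORWARDING_PATH:
        pkt = devices[dev_id].forward(pkt, fine_grained)
    return trace_back(pkt, devices)


def devices_that_logged(fine_grained: bool = True) -> List[str]:
    devices = build_topology()
    pkt = Packet("10.0.0.5", "10.0.1.20", b"constructed sample payload")
    for dev_id in FORWARDING_PATH:
        pkt = devices[dev_id].forward(pkt, fine_grained)
    return [d.dev_id for d in devices.values() if d.log]


if __name__ == "__main__":
    print("fine-grained path:  ", run_scenario(True))
    print("coarse-grained path:", run_scenario(False))
    print("devices holding logs:", devices_that_logged(True))
```

In the fine-grained run every switch and router appears in the reconstructed path, but only R1 and S3 had to write a log entry, because marking absorbs the rest; in the coarse-grained run only the routers participate, so the trace is cheaper but stops at the gateway level. A real deployment would also need the digests to be robust against collisions and the logs to be indexed and aged out, which is the storage problem the abstract's log database optimization addresses.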
Keywords: Cyber-attack source tracing; Data link layer; Packet logging; Packet marking; Power industrial control system.
Copyright © 2022 ISA. Published by Elsevier Ltd. All rights reserved.