Behind Closed Doors: Process-Level Rootkit Attacks in Cyber-Physical Microgrid Systems

Suman  Rath; Ioannis  Zografopoulos; Pedro P. Vergara; Vassilis C.  Nikolaidis; Charalambos  Konstantinou

doi:10.1109/PESGM48719.2022.9916907

Behind Closed Doors: Process-Level Rootkit Attacks in Cyber-Physical Microgrid Systems

Suman Rath, Ioannis Zografopoulos, Pedro P. Vergara , Vassilis C. Nikolaidis, Charalambos Konstantinou

Intelligent Electrical Power Grids

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

12 Downloads (Pure)

Abstract

Embedded controllers, sensors, actuators, advanced metering infrastructure, etc. are cornerstone components of cyber-physical energy systems such as microgrids (MGs). Harnessing their monitoring and control functionalities, sophisticated schemes enhancing MG stability can be deployed. However, the deployment of ‘smart’ assets increases the threat surface. Power systems possess mechanisms capable of detecting abnormal operations. Furthermore, the lack of sophistication in attack strategies can render them detectable since they blindly violate power system semantics. On the other hand, the recent increase of process-aware rootkits that can attain persistence and compromise operations in undetectable ways requires special attention. In this work, we investigate the steps followed by stealthy rootkits at the process level of control systems pre- and post-compromise. We investigate the rootkits' precompromise stage involving the deployment to multiple system locations and aggregation of system-specific information to build a neural network-based virtual data-driven model (VDDM) of the system. Then, during the weaponization phase, we demonstrate how the VDDM measurement predictions are paramount, first to orchestrate crippling attacks from multiple system standpoints, maximizing the impact, and second, impede detection blinding system operator situational awareness.

Original language	English
Title of host publication	Proceedings of the 2022 IEEE Power & Energy Society General Meeting (PESGM)
Publisher	IEEE
Pages	1-10
Number of pages	10
ISBN (Electronic)	978-1-6654-0823-3
ISBN (Print)	978-1-6654-0824-0
DOIs	https://doi.org/10.1109/PESGM48719.2022.9916907
Publication status	Published - 2022
Event	2022 IEEE Power & Energy Society General Meeting (PESGM) - Denver, United States Duration: 17 Jul 2022 → 21 Jul 2022

Conference

Conference	2022 IEEE Power & Energy Society General Meeting (PESGM)
Country/Territory	United States
City	Denver
Period	17/07/22 → 21/07/22

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

Rootkit
cyber-physical microgrid
intelligent malware
data-driven prediction
virtual twin

Access to Document

10.1109/PESGM48719.2022.9916907

Behind_Closed_Doors_Process-Level_Rootkit_Attacks_in_Cyber-Physical_Microgrid_SystemsFinal published version, 1.17 MB

Cite this

@inproceedings{7842327636b84db09eea5facac8851ed,

title = "Behind Closed Doors: Process-Level Rootkit Attacks in Cyber-Physical Microgrid Systems",

abstract = "Embedded controllers, sensors, actuators, advanced metering infrastructure, etc. are cornerstone components of cyber-physical energy systems such as microgrids (MGs). Harnessing their monitoring and control functionalities, sophisticated schemes enhancing MG stability can be deployed. However, the deployment of {\textquoteleft}smart{\textquoteright} assets increases the threat surface. Power systems possess mechanisms capable of detecting abnormal operations. Furthermore, the lack of sophistication in attack strategies can render them detectable since they blindly violate power system semantics. On the other hand, the recent increase of process-aware rootkits that can attain persistence and compromise operations in undetectable ways requires special attention. In this work, we investigate the steps followed by stealthy rootkits at the process level of control systems pre- and post-compromise. We investigate the rootkits' precompromise stage involving the deployment to multiple system locations and aggregation of system-specific information to build a neural network-based virtual data-driven model (VDDM) of the system. Then, during the weaponization phase, we demonstrate how the VDDM measurement predictions are paramount, first to orchestrate crippling attacks from multiple system standpoints, maximizing the impact, and second, impede detection blinding system operator situational awareness.",

keywords = "Rootkit, cyber-physical microgrid, intelligent malware, data-driven prediction, virtual twin",

author = "Suman Rath and Ioannis Zografopoulos and Vergara, {Pedro P.} and Nikolaidis, {Vassilis C.} and Charalambos Konstantinou",

note = "Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.; 2022 IEEE Power & Energy Society General Meeting (PESGM) ; Conference date: 17-07-2022 Through 21-07-2022",

year = "2022",

doi = "10.1109/PESGM48719.2022.9916907",

language = "English",

isbn = "978-1-6654-0824-0",

pages = "1--10",

booktitle = "Proceedings of the 2022 IEEE Power & Energy Society General Meeting (PESGM)",

publisher = "IEEE",

address = "United States",

}

Rath, S, Zografopoulos, I, Vergara , PP, Nikolaidis, VC & Konstantinou, C 2022, Behind Closed Doors: Process-Level Rootkit Attacks in Cyber-Physical Microgrid Systems. in Proceedings of the 2022 IEEE Power & Energy Society General Meeting (PESGM). IEEE, pp. 1-10, 2022 IEEE Power & Energy Society General Meeting (PESGM), Denver, United States, 17/07/22. https://doi.org/10.1109/PESGM48719.2022.9916907

Behind Closed Doors: Process-Level Rootkit Attacks in Cyber-Physical Microgrid Systems. / Rath, Suman ; Zografopoulos, Ioannis ; Vergara , Pedro P. et al.
Proceedings of the 2022 IEEE Power & Energy Society General Meeting (PESGM). IEEE, 2022. p. 1-10.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Behind Closed Doors

T2 - 2022 IEEE Power & Energy Society General Meeting (PESGM)

AU - Rath, Suman

AU - Zografopoulos, Ioannis

AU - Vergara , Pedro P.

AU - Nikolaidis, Vassilis C.

AU - Konstantinou, Charalambos

N1 - Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

PY - 2022

Y1 - 2022

N2 - Embedded controllers, sensors, actuators, advanced metering infrastructure, etc. are cornerstone components of cyber-physical energy systems such as microgrids (MGs). Harnessing their monitoring and control functionalities, sophisticated schemes enhancing MG stability can be deployed. However, the deployment of ‘smart’ assets increases the threat surface. Power systems possess mechanisms capable of detecting abnormal operations. Furthermore, the lack of sophistication in attack strategies can render them detectable since they blindly violate power system semantics. On the other hand, the recent increase of process-aware rootkits that can attain persistence and compromise operations in undetectable ways requires special attention. In this work, we investigate the steps followed by stealthy rootkits at the process level of control systems pre- and post-compromise. We investigate the rootkits' precompromise stage involving the deployment to multiple system locations and aggregation of system-specific information to build a neural network-based virtual data-driven model (VDDM) of the system. Then, during the weaponization phase, we demonstrate how the VDDM measurement predictions are paramount, first to orchestrate crippling attacks from multiple system standpoints, maximizing the impact, and second, impede detection blinding system operator situational awareness.

AB - Embedded controllers, sensors, actuators, advanced metering infrastructure, etc. are cornerstone components of cyber-physical energy systems such as microgrids (MGs). Harnessing their monitoring and control functionalities, sophisticated schemes enhancing MG stability can be deployed. However, the deployment of ‘smart’ assets increases the threat surface. Power systems possess mechanisms capable of detecting abnormal operations. Furthermore, the lack of sophistication in attack strategies can render them detectable since they blindly violate power system semantics. On the other hand, the recent increase of process-aware rootkits that can attain persistence and compromise operations in undetectable ways requires special attention. In this work, we investigate the steps followed by stealthy rootkits at the process level of control systems pre- and post-compromise. We investigate the rootkits' precompromise stage involving the deployment to multiple system locations and aggregation of system-specific information to build a neural network-based virtual data-driven model (VDDM) of the system. Then, during the weaponization phase, we demonstrate how the VDDM measurement predictions are paramount, first to orchestrate crippling attacks from multiple system standpoints, maximizing the impact, and second, impede detection blinding system operator situational awareness.

KW - Rootkit

KW - cyber-physical microgrid

KW - intelligent malware

KW - data-driven prediction

KW - virtual twin

UR - http://www.scopus.com/inward/record.url?scp=85134480411&partnerID=8YFLogxK

U2 - 10.1109/PESGM48719.2022.9916907

DO - 10.1109/PESGM48719.2022.9916907

M3 - Conference contribution

SN - 978-1-6654-0824-0

SP - 1

EP - 10

BT - Proceedings of the 2022 IEEE Power & Energy Society General Meeting (PESGM)

PB - IEEE

Y2 - 17 July 2022 through 21 July 2022

ER -

Behind Closed Doors: Process-Level Rootkit Attacks in Cyber-Physical Microgrid Systems

Abstract

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this