Advanced Persistent Threat Detection and Correlation for Cyber-Physical Power Systems

Enhancing Resilience of Power Grid Operational Technologies


Abstract

Power grids are undergoing a digital transformation through the integration of information and communication technologies such as the Internet of Things (IoT), big data, and artificial intelligence (AI). These technologies improve the efficiency and intelligence of power grid operations. However, this digitalization also introduces new vulnerabilities, making it critical to enhance cyber resilience to protect the stability and security of power grids against emerging threats. Real-world incidents, such as the Ukrainian power grid cyber attacks in 2015, 2016, and 2022, highlight the serious threat posed by cyber attackers using advanced persistent threats (APTs). Unlike traditional cyber attacks, APTs use more sophisticated techniques, including stealthy tactics, long-term persistence, and exploitation of unknown (zero-day) vulnerabilities. Due to these characteristics, traditional cybersecurity methods are often ineffective against APTs. This thesis focuses on detecting and correlating APTs within cyber-physical power systems.

The thesis begins by examining cybersecurity in power grids, which is essential for developing effective defense strategies. It offers a detailed analysis of the cyber threat landscape, system vulnerabilities, current mitigation techniques, and cyber attack modeling specific to cyber-physical power systems. Based on this foundation, the thesis proposes an advanced kill chain model for cyber-physical power systems that improves on existing frameworks for identifying stages of cyber attacks. The research focuses on APTs in power grids by addressing three core challenges: stealthiness, persistence, and zero-day vulnerabilities.

APT Stealthiness:
APTs are difficult to detect because they use advanced techniques to remain hidden. They often disguise their activity as legitimate traffic, making them hard to spot using traditional security systems like intrusion detection systems (IDS) and firewalls. Their behavior causes only minor anomalies that blend in with normal operations, creating the need for highly sensitive detection systems capable of identifying these subtle signs.

APT Persistence:
APTs are designed to stay undetected for extended periods, sometimes months or years. To detect such long-term threats, it is important to analyze and correlate anomalies over time. However, most current detection systems for cyber-physical power systems focus either on the cyber or physical aspect individually, and they typically detect isolated events rather than recognizing broader patterns or correlations across systems. This makes it difficult to track the lateral movement of an attacker over time. The main scientific challenge is to detect low-frequency, unpredictable, and subtle anomalies that often bypass traditional detection methods.

APT Zero-Day Attacks:
Attackers often use zero-day exploits, which take advantage of unknown vulnerabilities in software, hardware, or communication protocols. Traditional security systems, which rely on known attack patterns, cannot detect these unknown threats. To identify zero-day attacks, detection methods must be based on anomalies rather than known signatures. This requires analyzing deviations from normal system behavior without relying on prior knowledge of specific attack methods.

To address these challenges, the thesis proposes new hybrid deep learning models using graph-based and semi-supervised learning techniques. The main contributions of the research are:

Cyber-Physical Power System Model and Kill Chain Framework:
The thesis provides a thorough analysis of cybersecurity issues in power systems, focusing on evolving threats and vulnerabilities. It presents a cyber-physical power system model that includes a cyber range—a simulation environment that mimics attacks and defenses. It also introduces an advanced cyber-physical power system (ACPPS) kill chain, which identifies APT behaviors specific to power systems. This framework traces the entire attack process, from initial access to cascading failures and blackouts, enabling more effective defenses.

Attack Graph Model:
To detect stealthy APTs, the thesis introduces an attack graph model supported by Software-Defined Networking (SDN) for real-time network awareness. It uses a hybrid deep learning model combining Graph Convolutional Long Short-Term Memory (GC-LSTM) and Convolutional Neural Networks (CNN) to classify operational technology (OT) network traffic as normal or anomalous. This model detects subtle traffic anomalies, reducing both false positives and false negatives, and pinpoints the location of anomalies in near real time.

APT Spatio-Temporal Correlation:
To address long-term persistence, the thesis proposes a method for correlating APT behavior over time and space using a Cyber-Physical System Interaction Matrix (CPSIM) and an Enhanced Graph-Convolutional LSTM (EGC-LSTM) model. The CPSIM shows how anomalies in the cyber and physical layers are connected, while the EGC-LSTM model predicts future anomalies by analyzing patterns across time and space. This approach improves the ability to detect and anticipate APT movement throughout the system.

Semi-Supervised Intrusion Detection System for Digital Substations:
To identify zero-day attacks, the thesis introduces a semi-supervised intrusion detection system tailored to digital substations. It analyzes both traffic payload and packet interarrival time, converting these features into vectors that represent OT traffic behavior. Frequency analysis (Fast Fourier Transform) and statistical testing (Kolmogorov-Smirnov test) sharpen the separation between normal and abnormal traffic. A combination of Self-Organizing Maps (SOM) and Density-Based Spatial Clustering of Applications with Noise (DBSCAN) then classifies the data, improving detection of unknown attacks and performance on imbalanced datasets.
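The following is an added illustration of the idea behind that contribution, not code from the thesis. It builds per-window behaviour vectors (interarrival-time and payload-length statistics) from constructed GOOSE-like heartbeat traffic, compares each window's interarrival distribution against an unlabelled benign baseline with a two-sample Kolmogorov-Smirnov statistic, and runs a small pure-Python DBSCAN over baseline-scaled features so that windows left as noise are reported as anomalous. The periodic-heartbeat traffic model, the window size, the eps and min_pts values, and the two injected anomalies (a retransmission burst and a 5 % slower heartbeat) are all assumptions made for the example; the SOM and FFT stages of the thesis are omitted.

```python
"""Added example, not the thesis's code: KS test over interarrival times plus a
small pure-Python DBSCAN whose noise points are reported as anomalous windows.
Traffic is constructed below; SOM and FFT stages of the thesis are omitted."""
import math
import random

def make_window(n, period=1.0, jitter=0.01, payload=120, burst=False, seed=0):
    """Constructed (timestamp, payload_len) capture of a periodic GOOSE-like
    heartbeat (assumption); burst=True injects 20 fast, larger retransmits."""
    rng = random.Random(seed)
    t, pkts = 0.0, []
    for i in range(n):
        in_burst = burst and 40 <= i < 60
        t += 0.02 if in_burst else period + rng.gauss(0, jitter)
        size = payload + (rng.randint(0, 60) if in_burst else rng.randint(0, 4))
        pkts.append((t, size))
    return pkts

def interarrival(pkts):
    return [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]

def ks_statistic(sample_a, sample_b):
    """Two-sample KS statistic D = max_x |F_a(x) - F_b(x)| over observed x."""
    a, b = sorted(sample_a), sorted(sample_b)
    d, ia, ib = 0.0, 0, 0
    for x in sorted(set(a) | set(b)):
        while ia < len(a) and a[ia] <= x:
            ia += 1
        while ib < len(b) and b[ib] <= x:
            ib += 1
        d = max(d, abs(ia / len(a) - ib / len(b)))
    return d

def _mean(v):
    return sum(v) / len(v)

def _std(v):
    m = _mean(v)
    return math.sqrt(sum((x - m) ** 2 for x in v) / len(v))

def features(pkts):
    """Per-window behaviour vector: timing and payload-length statistics."""
    gaps, sizes = interarrival(pkts), [p[1] for p in pkts]
    return [_mean(gaps), _std(gaps), _mean(sizes), _std(sizes)]

def dbscan(points, eps, min_pts):
    """Minimal DBSCAN; returns one label per point, -1 meaning noise."""
    n, labels, cluster = len(points), [None] * len(points), 0
    def near(i):
        return [j for j in range(n) if math.dist(points[i], points[j]) <= eps]
    for i in range(n):
        if labels[i] is not None:
            continue
        nb = near(i)
        if len(nb) < min_pts:
            labels[i] = -1           # provisional noise; may become a border point
            continue
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nbj = near(j)
            if len(nbj) >= min_pts:
                queue.extend(k for k in nbj if labels[k] is None)
        cluster += 1
    return labels

def screen_windows(windows, n_baseline, eps=4.0, min_pts=3):
    """Indices of windows DBSCAN leaves as noise. Only the first n_baseline
    windows (unlabelled, assumed benign) are used to z-score the features:
    the semi-supervised part, since no attack labels are needed."""
    feats = [features(w) for w in windows]
    base = feats[:n_baseline]
    mu = [_mean(col) for col in zip(*base)]
    sd = [_std(col) or 1.0 for col in zip(*base)]
    z = [[(f[d] - mu[d]) / sd[d] for d in range(len(mu))] for f in feats]
    return [i for i, lab in enumerate(dbscan(z, eps, min_pts)) if lab == -1]

# Constructed data: 12 benign baseline windows, one burst, one 5 % slower heartbeat.
BASELINE = [make_window(100, seed=s) for s in range(12)]
BURST = make_window(100, burst=True, seed=100)
DRIFT = make_window(100, period=1.05, seed=101)
WINDOWS = BASELINE + [BURST, DRIFT]

def demo():
    base_gaps = [g for w in BASELINE for g in interarrival(w)]
    return {
        "ks_burst": ks_statistic(base_gaps, interarrival(BURST)),
        "ks_drift": ks_statistic(base_gaps, interarrival(DRIFT)),
        "ks_benign": ks_statistic(base_gaps, interarrival(make_window(100, seed=200))),
        "anomalous_windows": screen_windows(WINDOWS, n_baseline=len(BASELINE)),
    }
```

Calling demo() returns the KS statistics and the indices of the windows flagged as noise (the two injected windows, 12 and 13). The point worth noticing is the drift window: a 5 % change in heartbeat period is invisible to a signature and barely visible to the eye, but because the features are scaled by the spread of the benign baseline rather than by fixed thresholds, it lands far outside the benign cluster. The eps value is the sensitivity knob, and on real captures it should be chosen from the baseline's own pairwise distances; windows should also be formed per flow or per GOOSE appID rather than across the whole link.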

Files

Final_Doctoral_Thesis_APreseka... (pdf)
(pdf | 18.7 MB)
License info not available

File under embargo until 10-11-2025