Behind Closed Doors: Process-Level Rootkit Attacks in Cyber-Physical Microgrid Systems

Suman Rath, Pedro P. Vergara, Vassilis C. Nikolaidis, Charalambos Konstantinou

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Embedded controllers, sensors, actuators, advanced metering infrastructure, etc. are cornerstone components of cyber-physical energy systems such as microgrids (MGs). Harnessing their monitoring and control functionalities, sophisticated schemes enhancing MG stability can be deployed. However, the deployment of ‘smart’ assets increases the threat surface. Power systems possess mechanisms capable of detecting abnormal operations. Furthermore, the lack of sophistication in attack strategies can render them detectable since they blindly violate power system semantics. On the other hand, the recent increase of process-aware rootkits that can attain persistence and compromise operations in undetectable ways requires special attention. In this work, we investigate the steps followed by stealthy rootkits at the process level of control systems pre- and post-compromise. We investigate the rootkits’ precompromise stage involving the deployment to multiple system locations and aggregation of system-specific information to build a neural network-based virtual data-driven model (VDDM) of the system. Then, during the weaponization phase, we demonstrate how the VDDM measurement predictions are paramount, first to orchestrate crippling attacks from multiple system standpoints, maximizing the impact, and second, impede detection blinding system operator situational awareness.
Original languageEnglish (US)
Title of host publicationIEEE Power & Energy Society General Meeting (PESGM) 2022
PublisherIEEE
StatePublished - 2022

Bibliographical note

KAUST Repository Item: Exported on 2022-04-26

Fingerprint

Dive into the research topics of 'Behind Closed Doors: Process-Level Rootkit Attacks in Cyber-Physical Microgrid Systems'. Together they form a unique fingerprint.

Cite this