Cyber-attack research for integrated energy systems by the correlated matrix based object-oriented modeling method

The rise of an integrated energy system requires the integration of multiple sources of energy to be embraced and transited over the power grid; that means the information and communication systems of traditional power systems will be extended, and their complexity will be increased. As the information and communication systems play a more important role in the infrastructure of the power system, a cyber-attack on them may have an impact on the power system and cause a serious threat to the integrated energy system. To analyze the threat to the complex and integrated system, some researchers provide some modeling methods to study the impact of cyber-attacks on the information and communication systems, such as the Attack Tree Model, Attack Graph Model, Petri Net Model for cyber-attack, Attack Description Language Model, State Transition Graph Model, etc. However, these modeling methods have some shortcomings. For example, they cannot describe the systematical cyber-attack and show the secure status during the cyber-attack; it is hard for them to analyze the larger and more complicated information and communication systems. To overcome the shortages, in this paper, a correlated matrix-based object-oriented model is proposed for cyber-attack modeling. With this model, the relationship between the attacker and victim can be directly built; the cyber-attack path and packets from the attacker can be tracked; and the status of the nodes and links can be shown during a cyber-attack. There are two steps to build the cyber-attack model. Firstly, the procedure and approach of the cyber-attack will be modeled by an object-oriented method; then, a correlated matrix model will be built for network topology, attack path, and attack procedure. By combining these two models, the whole cyber-attack model is created. Finally, to demonstrate the modeling method and its benefits, we use the MITM (Man-in-the-middle Attack) attack on measurement data of an AVC (Automation Voltage Control) system as examples, and build a hardware-in-the-loop (HIL) co-simulation platform to verify the model.

1 Introduction

The increasing usage of multiple sources of energy, such as renewable energy and distributed energy, leads to the instability of energy utilization and energy supply (Li et al., 2021), which puts forward higher requirements for data acquisition and control systems. Due to the measurement and control mechanisms increasingly depending on the information and communication systems (Zhao et al., 2011; Liu et al., 2012), the tight interdependence between communication and the integrated energy system makes it more vulnerable to cyber-attacks (Tong and Ni, 2019), especially for the power system. Hackers’ attacks on communication and information systems can directly or indirectly affect the measurement and control of power systems, further affect the safe and stable operation of power systems, and even lead to large-scale power outages.

Therefore, the security of networks and information systems has attracted more and more attention all over the world. Facing endless cyber-attack cases, it is difficult for administrators to analyze and predict the impact of endless cyber-attacks on the network only by the research of individual cyber-attack behavior. Thus, it is necessary to model the overall situation and attack process on the network, predict the possible path and probability of cyber-attack, and realize the security assessment of the network state to provide a reference for safety measures. At present, many modeling methods for cyber-attacks have been proposed, including attack language, attack tree, attack graph, state transition graph, etc., and these methods have their respective advantages and disadvantages as following:

(1) Attack tree model: A tree structure is used to describe the attack on the system. The total target of the attack is regarded as the root node of the tree, and the subtarget of the total target is regarded as the sub node. Each path from the root node to the leaf node represents a complete attack process to achieve the attack target. For example, the paper (Lu et al., 2003) proposes to build an attack tree model in a recursive or progressive way to directly show the attack steps of attackers. In the reference (Ding et al., 2018), the attack tree modeling method is used to analyze the impact of SCADA-oriented network attacks on power systems. However, the attack tree is limited to description and formal analysis, which is too subjective, and its scale problem makes it unsuitable for large-scale network environments.

(2) Attack graph model: It is composed of a set of attack plans that attackers can use to destroy the network system by simulating attacks on existing security vulnerabilities and finding all attack paths that can reach the target (Wang et al., 2009). Compared with attack trees and Petri nets, attack graphs are more powerful in describing network attack processes. Through the attack graph, we can show how an attacker attempts to invade the communication or information system from the initial state to the target state. A complete attack graph is a possible operation sequence to reach the target. For example, in reference (Wang et al., 2016), based on the improved attack graph algorithm, the cross-space cascading fault assessment of power information physical systems is realized; in reference (Luo et al., 2020), a dynamic risk assessment model is proposed based on the Bayesian attack graph with the atomic attack probability calculation; and in reference (Li et al., 2022), the forward risk probability update algorithm and the forward-backward combined risk probability update algorithm are introduced to improve the attack graph model to reflect real-time network attack events. There are two kinds of typical attack graph generation method: one is state transition, which can generate a complete attack graph by an algorithm, but it often causes “state space explosion” in large-scale commercial networks; the other is host centric, which can be used in large-scale networks, but its disadvantage is that it can’t list all attack paths.

(3) Attack network model based on Petri Net: It is composed of location, transition, arc, and token. The location corresponds to the nodes in the attack network, and the attack behavior is described by the transition of tokens between locations. This method is preferable to represent the state, the action, and the progress of the attack (Schneider et al., 2006). For example, Steffan comprehensively uses graph theory, Petri Net, and other technologies to describe network attacks and expounds the correlation of cyber-attacks (Steffan and Schumachar, 2002). In reference (Lin et al., 2007), Petri Net is used to model and analyze the network penetration attack testing process. In the reference (Li et al., 2018a), the stochastic Petri net based model is used to analyze the topology attacks on the power system. In reference (Sinha et al., 2021), a novel Cyber Physical Defense Framework is proposed to analyze and deal with the cyber-attack on the smart grid by the hierarchical Petri Net model and recovery method. However, due to the limitation of scale, it is difficult to analyze the communication and information system with large scale and complex network topology.

(4) Network Attack Language: It is the earliest modeling method to describe network attack. It describes network attack through a formal description language, including NASL (Nessus Attack Scripting Language), STATL (State/Transition-based Attack Description Language), and object-oriented language modeling, etc., which directly describes one or a category of attack behavior. For example, in reference (Eckmann et al., 2002), STATL language is used to describe the attack behavior by state and state transition; in reference (Vigna and Kemmerer, 1999), STATL language is used to provide intrusion feature library for network intrusion detection system; and in reference (Zhu et al., 2004), object-oriented method and AKDL (Attack Knowledge Description Language) language is used to realize attack knowledge modeling for security defense system. The method of network attack language is suitable for engineering applications, but it is not suitable for describing staged attack behavior, nor can it show the security situation of the whole communication and information system.

(5) State transition graph modeling: This modeling method is based on the finite state machine model to represent the attack process. The intrusion process of attackers can be regarded as the procedure of improving their operational authority by taking advantage of the vulnerabilities and misconfigurations in communication and information systems. For example, in references (Ma and Wang, 2013), an attack graph construction method based on intelligent state transition and authority improvement is proposed to realize the analysis of large-scale complex network attacks; in reference (Prabha and Anitha, 2010) and (Zhou et al., 2005), the author provides a Hidden Markov Model based model (HMM-based) to detect distributed denial of service (DDoS) attacks. However, this model only describes the state transition in the specific node, but the whole network is ignored. Moreover, the state in this model is only a symbol, and its meaning is not clear (Wang et al., 2009).

As more and more distributed energy resources from different energy networks are integrated through the power system, a large number of distributed sensors and controllers for the distributed energy resources will be introduced, which rapidly increases the diversity and complexity of the communication network (Huang et al., 2022). To analyze the cyber-attacks and security situation for this complex network, the network topology, attack path, and attack behavior should be considered in the cyber-attack model. However, the traditional modeling methods mentioned above show a lack of description of network topology and the attack path, which makes it difficult to find out the potential security problems in a network or estimate the security situation of the network when a cyber-attack occurs. Thus, this paper provides a new method of the correlated matrix based object-oriented modeling method to solve this drawback. The main features and contributions of this modeling method are as follows:

1) By applying the object-oriented analysis method, we can directly display the relationship between the attacker and the attacked object and show the possible attack path.

2) The topology of communication and information networks can be described by the correlated matrix, which provides an effective way of analyzing the transmission path of attack packets.

3) The status of the nodes and links during a cyber-attack can be displayed, which helps us evaluate the impact of a cyber-attack.

To introduce the modeling method, this paper is organized as follows. Firstly, the background and traditional modeling methods are introduced; then, the definition and modeling process of the correlated matrix based object-oriented modeling method are provided; after that, a scenario of the MITM (Man in the Middle Attack) attack is applied to demonstrate how to use the modeling method; to validate the MITM attack model, we build a hardware-in-the-loop (HIL) co-simulation platform to emulate the MITM attack on the real route and study the impact on the power system; finally, we conclude this paper.

2 Object-oriented modeling for cyber-attack

The model of cyber-attack is an abstract description of the security problems existing in the network, the process of attack behavior, and the attack rules and approaches applied by the attacker. It describes the premise, target, consequence, and other characteristics of the attack process; identifies the relationship among the vulnerabilities from the perspective of attack; describes the attack path of the attacker; and provides a reference for the formulation of system protection measures.

The object-oriented method is a way to understand and describe the objective world. The characteristic of this method is that the attributes describing the static characteristics of things and the operations representing their dynamic behaviors are put together as a whole, and an objective world model can be established with limited steps (Rumbaugh et al., 2004). It plays an important role in the fields of computer science and information technology because its characteristics are consistent with the thinking methods of human habits (Rumbaugh et al., 2004).

Due to the characteristics of network attack behavior, the model constructed by object-oriented can clearly describe the method and process of network attack. At the same time, it can also show the system vulnerability intuitively to a network security administrator and trace the steps of the attacker successfully attacking the system. It provides an effective method for network security administrators to discover attack behavior and improve system security.

2.1 Basic concepts

When using an object-oriented method to model the attack of a communication information system, it is necessary to abstract the real system and define some basic concepts.

Definition 1. Network object (N): The instance of a communication link or information node is encapsulated as a network object, which can be a communication node in the communication and information system, such as router, switch, SDH (Synchronous Digital Hierarchy) equipment, etc., or a communication link between communication nodes, such as an optical fiber link, wireless communication link, etc., or a substation or data center as a system level abstraction.

Definition 2. Attribute of a network object, or network attribute (A): Network attribute is the representation of the state characteristics of the object being attacked, including service, vulnerability, bandwidth, hardware resources, system version, etc. Attribute of a network object can be identified by <N, V > tuple, where N is the name of the attribute, V is the specific value for the attribute, which is identified by 0, 1, and −1. 0 means that the object has no corresponding attribute, 1 indicates that the attribute of the component is not exploited by the attacker, −1 indicates that the attribute of the component has been exploited by the attacker.

Definition 3. Method of network object, or network method (M): Network method is defined as the method for a network object to process the received packet or user operation request, and it can also be defined as the processing method of attack behavior, such as refusal reply for port scanning behavior, packet filtering, etc.; Network method can be represented by <N, V > tuple, in which N represents the name of the method, V represents the specific value of N by 0, 1, and −1, where 0 means that the method does not exist, 1 means that the method is valid, and −1 means that the method has been used by an attacker.

Definition 4. Attack behavior object (ON): By encapsulating the attack instance into an attack behavior object, it can be represented as a single attack or a compound attack. A successful attack behavior will change the attributes of one or more network objects.

Definition 5. Attack Attribute (OA): Attack attribute defines the operation of an attack behavior object. As the precondition, when one or more attack attributes are fully satisfied, the attack action will be triggered. The attack attribute can be identified by <N, V > tuple, where N is the name of the attribute, V is the specific value for the attribute, which is identified by 0 and −1, where 0 means that the attribute of attack behavior is ineffective and −1 means that the attribute of attack behavior is effective.

Definition 6. Attack method (OM): Attack method is the description of the attack action of the attack behavior object. When the premise of meeting the attack behavior attribute, one or more attributes of the network object will be modified by attack method to complete the attack action. Attack method can be identified by <N, V > tuple, where N is the name of the method, V is the specific value of the method, which is identified by 0 and −1, where 0 means the method is ineffective and −1 means the attack method is effective.

Definition 7. Class (C): A class is a collection of similar objects with the same name, relationship, attribute, and method. According to different objects, they can be divided into communication link classes, communication node classes, communication and information node classes, attack behavior classes, attack (transit) path classes, etc.

2.2 Representation of the model

When the object-oriented method is used to model the attack on communication and information systems, the attack process can be abstracted as the object of communication and information system changing from its initial state to the target state after the operation performed by the attack behavior object. And the attack behavior can also be regarded as the operation process on the network object for changing its attributes.

The attack behavior is encapsulated in the attack object, whose attribute OA is used to describe the target and the operations on the attacked object. The target of the attack is a set of state changes, which indicates the possibility that the attribute A of the network object may be changed after the attack. For example, the buffer overflow attack can enable the attacker to obtain privileges from the network object, or implant Trojans in the network object, or maybe not cause any consequences.

The operation process of the attack behavior is identified by the attack method OM, such as scanning the port and vulnerability of the network object to determine whether the attack can be launched. On the other hand, the network method M defines the protection method for the network object, such as packet filtering, preventing packets from the specific port, etc.

2.3 Instance of modeling

Take an attack on a router as an example: the attacker discovers a router by scanning, and remotely attacks it with open remote login permission, brutally breaks the login password of the router by using the password guessing attack method, and then remotely launches the router and modifies the routing table configuration to complete the attack on the router. The object-oriented method for cyber-attack modeling is shown in Figure 1.

FIGURE 1

FIGURE 1. The diagram of object-oriented method for the cyber-attack modeling.

As shown in Figure 1, router N₁ contains attributes A₁⁰ of remote login, and A₂⁰ of routing table, and attack behavior ON₁ contains attack methods OM₁ of remote login password guessing attack, and OM₂ of modifying the routing table. I the prerequisite of the attribute A₁⁰ matching the method OM₁, the attacker will change the attribute A₁⁰ to the attribute A₁¹ of the attacker’s login; due to the prerequisite of the attribute A₁¹, the attacker tries to change the attribute A₂⁰ by the method OM₂. If the attribute A₂⁰ matches the attack method OM₂, the routing table will be modified, and the attribute A₂⁰ will be changed to the attribute A₂¹.

3 Matrix modeling of network attack

Object-oriented network attack modeling methods can be described by a formal specification language or a knowledge description language (/knowledge base). Although these methods can effectively show the attack means, the system weaknesses, and the consequences of the attack, they have some limitations in describing the network attack on a complex communication and information system, such as the transmission path of the attacker’s packets in the network, the role of each intermediate node in the attack process, and the impact of topology on the attack effect. Therefore, designing a network attack model that can describe the topology of communication information systems is an important extension of the existing attack model.

This paper proposes a correlated matrix-based object-oriented modeling method for cyber-attack modeling and analysis, which extends the object-oriented modeling method for network attack and effectively describes the evolution process of a communication and information network from the initial state to the state after several different attacks.

The modeling process for cyber-attack is as follows: first, communication and information networks are modelled in a matrix; then, considering the topology of communication and information networks, the cyber-attack is modeled in a matrix; based on that, by iterated logical matching between the matrix of communication and information networks and the matrix of cyber-attack, the network attack process will be represented, and the final status matrix of communication and information networks is generated.

Take a communication and information system with eight communication and information nodes and nine full-duplex communication links as an example to illustrate the modeling process for a cyber-attack. The topology of the communication information network is shown in Figure 2.

FIGURE 2

FIGURE 2. The topology of communication network.

3.1 Matrix modeling of communication information network

Definition 8. Matrix of communication network object: The attributes and methods of the network object N and can be identified by the matrix [A M]. A is the vector set of network attributes, which may contain link bandwidth, CPU performance, memory, remote login and services, etc.; M is the vector set of object methods, which may contain password protection for remote login, specific data filtering, virus protection, etc.Based on the node and link model, a communication network object correlated matrix N (Network) with 26 communication information object elements is established to describe the topology and characteristics of the communication system. The matrix N is a large sparse matrix whose structure is shown in Eq. 1.The 8 × 8 matrix N can describe the state of each object element in the whole communication network. Where: N_ij = [A M], if i = j, then N_ij represents a communication or information node in the communication network; if i ≠ j, N_ij is a unidirectional link from node N_ii to N_jj in the communication network; if there is no link connecting node N_ii to N_jj, the corresponding N_ij and N_ji in the matrix are represented by 0 (Li et al., 2018b). The state of the elements in the N matrix is represented by the superscript of the elements. For example, N₁₁⁰ represents the initial state of the object element N₁₁.

$\mathbf{N}=\left(\begin{array}{ccc}{{\mathit{N}}_{\mathbf{11}}}^{\mathbf{0}}& \cdots & {{\mathit{N}}_{\mathbf{i1}}}^{\mathbf{0}}\\ ⋮& \ddots & ⋮\\ {{\mathit{N}}_{\mathbf{1j}}}^{\mathbf{0}}& \cdots & {{\mathit{N}}_{\mathbf{ij}}}^{\mathbf{0}}\end{array}\right)(1)$

3.2 Matrix modeling of attack (behavior) object

Definition 9. Matrix of attack behavior object: the attributes and methods of attack behavior object ON can be identified by the matrix [OA OM]. OA is the vector set of attack attributes, which may contain an attacking port number, an attacking IP address, a number of attack packets, etc. OM is the vector set of attack methods, which may include consumption of link bandwidth, consumption of system resources, modification of configuration information, planting of Trojans, etc.Similar to the matrix modeling of communication and information networks, the matrix modeling of cyber-attack can be established for the attack behavior on the communication and information networks with eight communication or information nodes and nine communication links through the matrix modeling, and the attack path, attack method, and attack process can be described by the attack object correlated matrix ON (Operating Network). In the ON matrix, the attack sequence is represented by the superscript of the attack object ON. For example, ON₃₃⁰ represents the first attack on the N₃₃ object element. The structure of the attack object matrix is shown in Eq. 2.

$\mathbf{ON}=\left(\begin{array}{ccc}\mathit{O}{{\mathit{N}}_{\mathbf{11}}}^{\mathbf{0}}& \cdots & \mathit{O}{{\mathit{N}}_{\mathbf{i1}}}^{\mathbf{0}}\\ ⋮& \ddots & ⋮\\ \mathit{O}{{\mathit{N}}_{\mathbf{1j}}}^{\mathbf{0}}& \cdots & \mathit{O}{{\mathit{N}}_{\mathbf{ij}}}^{\mathbf{0}}\end{array}\right)(2)$

The ON matrix is also 8 × 8. The elements in the matrix can describe the path and method of the attacker attacking the target object through the nodes and links of the communication network. Where: ON_ij = [OA OM], if i = j, ON_ij represents an attack on a communication information node in the communication network or the attack packet passing through; If the attack object ON_ij does not exist, or the attack packet does not pass through the object, the corresponding ON_ij in the matrix is represented by 0 (Li et al., 2018a). If i ≠ j, ON_ij represents that the attacker attacks a unidirectional link from N_ii to N_jj in the communication network or uses this link to transit attack packets to the target object; if the attacker neither attacks nor uses the link from N_ii to N_jj, the corresponding ON_ij and ON_ji in the matrix are represented by 0 (Li et al., 2018b).

3.3 Matrix modeling and analysis of the attack process

In Sections 3.1, 3.2, the communication and information system network model and the cyber-attack model are established. Based on this, the attack process correlated matrix model is established. Through the model, the process and path of network attack and the probability of attack success are described; at the same time, it can also describe the state changes of communication and information nodes after network attacks and provide the corresponding association model for the analysis and modeling of network attacks. The modeling framework and analysis process for the network attack can be represented in Figure 3.

FIGURE 3

FIGURE 3. The diagram of cyber-attack model.

In the diagram, the occurrence and duration of the cyber-attack can be represented by a pure delay component e^−T1S1, where T1 represents the time when the network attack occurs and S1 represents the duration of the attack. Considering that the cyber-attack on the target system is step-by-step, multiple interactions between the communication information network matrix model and the attack matrix model are designed for the modeling. The logical relationship of the interaction is mainly represented in the algorithm, which is represented as “⊗” in Figure 3.

Definition 10. Logical relation (⊗): It describes the logical operation between the elements of an attack behavior object and a network object, including the logical matching between the attribute of attack behavior and the method of the network object, and the logical matching between the method of attack behavior and the attribute of the network object.A simple attack case can illustrate how the logical relation (⊗) works. When the attacker finds the remote router through remote scanning and logs into its configuration interface by cracking the login password of the router, he can modify the router’s routing table, configure a packet forwarding route for the specific IP address and port number, so that the relevant packets will be forwarded to the attacker; then the attacker tampers the packets and sends them back to the corresponding router; and the router forwards the tampered packets to the target communication information node, so as to complete the MITM attack process. The matrix modeling of the attack process is shown in Eq. 3. The logic matching rules for each vector in the matrix model are as follows:

1. When matching the attack behavior object ON_ij and the network object N_ij, a logical match between the OA of the object ON_ij and the M of the object N_ij is performed first. If a method M_i matches an attack attribute OA_i, the attack behavior will be filtered; on the contrary, the attack behavior will be effective.

2. If the attack behavior is effective, a logical match between the OM of the object ON_ij and A of the object N_ij will be performed, which means that the attack method operates on the attribute of the network object. If it is effective, the attribute A of the object N_ij will be modified, and the attack will be successful; on the contrary, the attribute A of the object N_ij is not modified, and the attack fails or the attack can utilize the attribute.

$\begin{array}{c}{\mathbf{N}}^2=\left(\begin{array}{cccccccc}{{\mathit{N}}_{\mathrm{11}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{12}}}^{\mathrm{0}}& 0& 0& 0& 0& 0& 0\\ {{\mathit{N}}_{\mathrm{21}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{22}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{23}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{24}}}^{\mathrm{0}}& 0& {{\mathit{N}}_{\mathrm{26}}}^{\mathrm{0}}& 0& 0\\ 0& {{\mathit{N}}_{\mathrm{32}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{33}}}^{\mathrm{0}}& 0& 0& 0& 0& 0\\ 0& {{\mathit{N}}_{\mathrm{42}}}^{\mathrm{0}}& 0& {{\mathit{N}}_{\mathrm{44}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{45}}}^{\mathrm{0}}& 0& 0& 0\\ 0& 0& 0& {{\mathit{N}}_{\mathrm{54}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{55}}}^{\mathrm{0}}& 0& {{\mathit{N}}_{\mathrm{57}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{58}}}^{\mathrm{0}}\\ 0& {{\mathit{N}}_{\mathrm{62}}}^{\mathrm{0}}& 0& 0& 0& {{\mathit{N}}_{\mathrm{66}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{67}}}^{\mathrm{0}}& 0\\ 0& 0& 0& 0& {{\mathit{N}}_{\mathrm{75}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{76}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{77}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{78}}}^{\mathrm{0}}\\ 0& 0& 0& 0& {{\mathit{N}}_{\mathrm{85}}}^{\mathrm{0}}& 0& {{\mathit{N}}_{\mathrm{87}}}^{\mathrm{0}}& {{\mathit{N}}_{\mathrm{88}}}^{\mathrm{0}}\end{array}\right)\otimes \left(\begin{array}{cccccccc}0& 0& 0& 0& 0& 0& 0& 0\\ 0& \mathit{O}{{\mathit{N}}_{\mathrm{22}}}^{\mathrm{0}}& 0& 0& 0& 0& 0& 0\\ 0& \mathit{O}{{\mathit{N}}_{\mathrm{32}}}^{\mathrm{0}}& \mathit{O}{{\mathit{N}}_{\mathrm{33}}}^{\mathrm{0}}& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0\end{array}\right)\cdot {\mathit{e}}^{-\mathrm{S}0\cdot \mathrm{T}0}\\ \otimes \left(\begin{array}{cccccccc}0& 0& 0& 0& 0& 0& 0& 0\\ 0& \mathit{O}{{\mathit{N}}_{\mathrm{22}}}^{\mathrm{1}}& 0& \mathit{O}{{\mathit{N}}_{\mathrm{24}}}^{\mathrm{1}}& 0& 0& 0& 0\\ 0& \mathit{O}{{\mathit{N}}_{\mathrm{32}}}^{\mathrm{1}}& \mathit{O}{{\mathit{N}}_{\mathrm{33}}}^{\mathrm{1}}& 0& 0& 0& 0& 0\\ 0& 0& 0& \mathit{O}{{\mathit{N}}_{\mathrm{44}}}^{\mathrm{1}}& \mathit{O}{{\mathit{N}}_{\mathrm{45}}}^{\mathrm{1}}& 0& 0& 0\\ 0& 0& 0& 0& \mathit{O}{{\mathit{N}}_{\mathrm{55}}}^{\mathrm{1}}& 0& 0& \mathit{O}{{\mathit{N}}_{\mathrm{58}}}^{\mathrm{1}}\\ 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& \mathit{O}{{\mathit{N}}_{\mathrm{88}}}^{\mathrm{1}}\end{array}\right)\cdot {\mathit{e}}^{-\mathrm{S}1\cdot \mathrm{T}1}\end{array}(3)$

4 Modeling examples

4.1 Scenario of the MITM attack on AVC measurement

The AVC control runs on the power dispatching data network. Based on the communication network topology in Figure 2, a simple AVC control communication network is shown to illustrate the modeling process in Figure 4. The dotted line represents the normal data path for the measured data and the AVC control command. The red dotted line represents the process of modifying the routing table after the attacker invades the router, so that the measured data returns to the normal routing path via the tampered routing path. In this case, the attacker only modifies the upstream data for measurement and does not modify the downstream data for AVC control command.

FIGURE 4

FIGURE 4. The topology of communication network for AVC control.

When the communication network is normal, the AVC control center collects the power measurement information from the power measurement node every 5 s. By calculation, the AVC control center sends the corresponding voltage regulation value to the corresponding generator unit through the communication special line. Generally, the transmission path of the measurement information starts from the power measurement node via the CE (Customer Edge) router to connect to the core network of power dispatching via the PE (Provider Edge) router, and then connects to the AVC control center through the opposite end router. After receiving the measurement data, the AVC control center will send the voltage regulation to each generator unit through a private communication line. If the attacker successfully costs S1 minutes to intrude into the PE router at T1 time, modifies the routing configuration, establishes a bypass routing transmission path filtered based on the IP address and port number of the packet, and forwards the voltage measurement data of the power measurement node to the attacker, the attacker tampers with the normal measurement data by MITM (false data injection) attack at T2 time (T2 > T1 + S1). The duration of data tampering is S2 minutes (S2 > 5 s in order to achieve the corresponding attack effect), and the tampered data are returned to the intruded PE router. Then the intruded PE router sends the tampered data to the AVC control center through the normal path. After receiving the tampered data, the AVC control center will make a wrong judgment and result in the AVC deficient control or over control while the AVC control channel has not been attacked.

4.2 Modeling for the MITM attack on AVC measurement

The procedure of modeling for the above network attacks is as follows:

1. Establish the initialization matrix of the communication information network according to the topology of the communication information system;

2. Establish the matrix of attack behavior objects according to the attack target and mode. If the attacker launches attacks on different targets in different time slots, it is necessary to establish a different matrix of attack behavior objects according to the different attack targets and time slots, and match them with the matrix of communication network objects separately according to the time sequence;

3. Based on the communication information network matrix and the attack object matrix, the final state matrix of the communication information network is obtained by using multiple iterative logical matching.

The cyber-attack can be simplified into two processes: the attack on the router and the attack on the transmitted data. In the model, we can simplify the matrix by assuming the power measurement node as a part of object N₁₁ and the AVC control center as a part of object N₈₈, and the MITM attack model can be represented as Eq. 3.

Among them, the router’s attack object ON₂₂⁰ (the sequence of attack behavior is represented by a superscript, ON₂₂⁰ represents the first attack on an N₂₂ network object, and the sequence number is 0) contains two vectors: the elements of the attack behavior attribute vector OA⁰ include: OA₁⁰ < remote login, −1>, OA₂⁰ < web port login, −1>, OA₃⁰ < forged routing table, −1>, etc.; the elements of the attack behavior method vector OM⁰ include: OM₁⁰ < login password cracking, −1>, OM₂⁰ < web password cracking, −1>, OM₃⁰ < modify routing table, −1>, and the values of these elements are −1. Since the attack methods and attributes will not change in the attack path, the values of ON₃₃⁰, ON₃₂⁰, and ON₂₂⁰ are the same. The router object N₂₂⁰ contains two vectors: The elements of the network object attribute vector A⁰ include: A₁⁰ < open remote login, 1>, A₂⁰ < web login not supported, 0>, A₃⁰ < routing table, 1>, etc.; the elements of the network object method vector M⁰ include: M₁⁰ < remote login unprotected, 0>, M₂⁰ < prohibit web login, 1>, M₃⁰ < unprotected routing table, 0>, etc. The values of OA⁰ and OM⁰ constitute the attack state matrix of ON₂₂⁰, and the values of A⁰ and M⁰ constitute the network object state matrix of N₂₂⁰. By logical matching of ON₂₂⁰ and N₂₂⁰, the new state of the network object N₂₂¹ is obtained, which is shown in Eq. 4.

${{\mathrm{N}}_{\mathbf{22}}}^{\mathbf{0}}\otimes \mathrm{O}{{\mathrm{N}}_{\mathbf{22}}}^{\mathbf{0}}=\left(\begin{array}{cc}{{\mathit{A}}_{\mathbf{1}}}^{\mathbf{0}}& {{\mathit{M}}_{\mathbf{1}}}^{\mathbf{0}}\\ {{\mathit{A}}_{\mathbf{2}}}^{\mathbf{0}}& {{\mathit{M}}_{\mathbf{2}}}^{\mathbf{0}}\\ {{\mathit{A}}_{\mathbf{3}}}^{\mathbf{0}}& {{\mathit{M}}_{\mathbf{3}}}^{\mathbf{0}}\end{array}\right)\otimes \left(\begin{array}{cc}\mathit{O}{{\mathit{A}}_{\mathbf{1}}}^{\mathbf{0}}& \mathit{O}{{\mathit{M}}_{\mathbf{1}}}^{\mathbf{0}}\\ \mathit{O}{{\mathit{A}}_{\mathbf{2}}}^{\mathbf{0}}& \mathit{O}{{\mathit{M}}_{\mathbf{2}}}^{\mathbf{0}}\\ \mathit{O}{{\mathit{A}}_{\mathbf{3}}}^{\mathbf{0}}& \mathit{O}{{\mathit{M}}_{\mathbf{3}}}^{\mathbf{0}}\end{array}\right)=\left(\begin{array}{cc}{{\mathit{A}}_{\mathbf{1}}}^{\mathbf{1}}& {{\mathit{M}}_{\mathbf{1}}}^{\mathbf{1}}\\ {{\mathit{A}}_{\mathbf{2}}}^{\mathbf{0}}& {{\mathit{M}}_{\mathbf{2}}}^{\mathbf{0}}\\ {{\mathit{A}}_{\mathbf{3}}}^{\mathbf{1}}& {{\mathit{M}}_{\mathbf{3}}}^{\mathbf{1}}\end{array}\right)={{\mathrm{N}}_{\mathbf{22}}}^{\mathbf{1}}(4)$

The logical matching process and method of the network object N₂₂⁰ and the attack behavior object ON₂₂⁰ are shown in Figure 5.

FIGURE 5

FIGURE 5. The diagram of logical matching method for the matrix of N₂₂⁰ and ON₂₂⁰.

According to the matching logic diagram, the attack will change the attribute A₃ of N₂₂ (the routing table is modified), and the state of attribute A₃ will change from A₃⁰ to A₃¹. Similarly, by establishing corresponding logical matches for other elements in the model, the final result of attack modeling on the router can be obtained, which is represented in the modified routing table, which belongs to the attribute A₃ of network object N₂₂.

The attack on the transmission data starts from ON₃₃¹ (ON₃₃¹ represents an attack with an attack order of 1 against N₃₃ elements), which contains two vectors: the element of the attack behavior attribute vector OA¹ includes: OA₁¹ < tampering with measurement data, −1>; the element of the attack behavior method vector OM¹ includes: OM₁¹ < normal receiving and sending data, 1>. The router object N₃₃⁰ contains two vectors: the elements of the network object attribute vector A⁰ include: A₁⁰ < measurement data transmission, 1>, etc.; the elements of the network object method vector M⁰ include: M₁⁰ < data transmission, 1>, etc. The values of OA¹ and OM¹ constitute the attack state matrix of ON₃₃¹, and the values of A⁰ and M⁰ constitute the network object state matrix of N₃₃⁰. By logical matching of N₃₃⁰ and ON₃₃¹, the new state of the network object N₃₃² is obtained, which is shown in Eq. 5. Since the attributes and methods of other network objects in Eq. 3, such as N₂₂¹, N₄₄⁰, N₅₅⁰, and N₆₆⁰, are the same as those of N₃₃⁰, and since the attributes and methods of the attack behavior object are the same as those of object ON₃₃¹, the logical matching of the above network objects and attack behavior objects can be represented in Eq. 5.

${{\mathrm{N}}_{\mathbf{33}}}^{\mathbf{0}}\otimes \mathrm{O}{{\mathrm{N}}_{\mathbf{33}}}^{\mathbf{1}}=\left(\begin{array}{cc}{{\mathit{A}}_{\mathbf{1}}}^{\mathbf{0}}& {{\mathit{M}}_{\mathbf{1}}}^{\mathbf{0}}\end{array}\right)\otimes \left(\begin{array}{cc}\mathit{O}{{\mathit{A}}_{\mathbf{1}}}^{\mathbf{1}}& \mathit{O}{{\mathit{M}}_{\mathbf{1}}}^{\mathbf{1}}\end{array}\right)=\left(\begin{array}{cc}{{\mathit{A}}_{\mathbf{1}}}^{\mathbf{2}}& {{\mathit{M}}_{\mathbf{1}}}^{\mathbf{2}}\end{array}\right)={{\mathrm{N}}_{\mathbf{33}}}^{\mathbf{2}}(5)$

The logical matching process and method of the network object N₃₃⁰ and the attack behavior object ON₃₃¹ are shown in Figure 6:

FIGURE 6

FIGURE 6. The diagram of logical matching method for the matrix of N₃₃⁰ and ON₃₃¹ .

According to the matching logic diagram, the attack will cause the change of attribute A₁ of N₃₃ (tampering of measurement data), and the state of attribute A₁ will change from A₁⁰ to A₁². Similarly, by establishing corresponding logical matches for other elements in the model, the final result of attack modeling on transmitted data can be obtained, which indicates that the attack does not modify the attributes A₁ of the measurement data.

By analysis and calculation of Eqs 4, 5, it can be seen that in this case of MITM network attack, the attributes of object N₂₂ and object N₃₃ are modified by the attacker, while the attributes of other nodes and terminal nodes in the communication information network of the AVC control system are not changed, and the terminal data transmission of measurement and AVC control system is not affected. By analyzing the network attack model, it can be seen that the attack behavior can only be found by analyzing the attributes of each router in the transmission path, but it is hard to find the attack behavior by analyzing the status of the terminal equipment and detecting packets.

4.3 HIL co-simulation for the MITM attack model

To verify the cyber-attack process and the impact, we built a HIL co-simulation platform to emulate the real cyber-attack on a virtual AVC control system.

4.3.1 Implementation of the MITM attack

As shown in Figure 7, the HIL co-simulation platform consists of a power simulator, a communication simulator, a power control center, an attacker, and routers which work as both the communication equipment and the HIL interface to connect the attacker and simulators. The DIgSILENT Power Factory is used as a power simulator, where the IEEE 39-bus model (as shown in Figure 8) is used as a physical power system to simulate AVC function; the AVC control function is coded in C++, which collects the power system status, calculates the control values, and sends the control signals to the related power nodes in the power simulator every 5 s; the communication simulation software QualNet is used to build and simulate a virtual communication network, which runs in real time and provides the interface for external devices, by which the real-life packets can be caught and forwarded in the virtual network; the attacker is a program running on another computer, which can change the contents of communication packets; as the HIL interface, routers work as a bridge to connect power simulator, communication simulator, power control center, and attacker together, and the attack strategy and process can be emulated on them.

FIGURE 7

FIGURE 7. The architecture of co-simulation system for the MITM attack.

FIGURE 8

FIGURE 8. Topology of IEEE 39-bus system.

In the platform, the network objects N₁₁, N₂₂, and N₃₃ are separately related to Router1, Router2, and Router3, and the other network objects are modeled in the communication simulator, as shown in Figure 7. Router1 and Router2 work as hardware interfaces to forward the packets from the power simulator to the communication simulator QualNet; Router3 works as the interface for emulating attack processes by configuring the router’s access control list (ACL), which blocks the regular data transmission and forwards data to the attacker. When HIL co-simulation begins, it will show the attacker how to exploit the weakness and attack the virtual AVC control system.

During the co-simulation, the DIgSILENT sends the power status data to the AVC control center; the control center sends voltage adjustment commands to generators G₃ and G₄ via the routers and virtual network. The regular path for measuring data forwarding to the AVC control center is from Router1 via Router2 to the virtual network built in QualNet. However, in the scenario of the MITM attack, after the attacker attacked the Router2 via the Router3, changed the routing rules, and created the by-pass traffic focusing on the specific power node measurement data to fudge the measurement data; after the packets of fudged measurement data passing through the virtual network, they are transmitted to the AVC control center; then, the AVC control center makes a wrong control decision based on the fake measurement data, and sends the control packets to the communication simulator; passing through the virtual network and router, the control packets are forwarded to the power simulator to continue the power simulation.

4.3.2 Result of simulation

Case 1. Normal operation. Case 1 is the normal operating scenario. After a power system failure happens, AVC adjusts the voltage magnitudes of every generator with a time interval of 5 s. The voltage adjustment command is sent out to generators G₃ and G₄. If the status of Router1 and Router2 is normal, the measurement data for the voltage of bus 19 can be correctly transmitted, and the voltage adjustment can be properly executed. The simulation result of the voltage magnitude of bus 19 is the green curve shown in Figure 9.

FIGURE 9

FIGURE 9. Result of simulation.

Case 2. Impact of MITM attack. Case 2 is an MITM attack scenario. When the attacker changes the routing path of the Router2 and creates a by-pass traffic focusing on the measurement data of voltage on bus 19, the attacker can intercept the measurement data, buffer it, and resend it in the next measurement data transmission cycle. As a result, the AVC control gives false control, and the voltage adjustment in G₃ and G₄ cannot be executed properly. The simulation result of the voltage magnitude of bus 19 is the red curve shown in Figure 9.

4.3.3 Discussion

With the HIL co-simulation platform, the MITM attack can be emulated. The attack process and the status change of real network equipment will be displayed, as well. By analyzing the attack process, it can be found that since the attacker does not directly attack the measurement equipment and control center but attacks the equipment in the communication link with relatively weak security, the attack behavior is relatively stealthy, and it is difficult to find the attack through the security defense equipment installed in the terminal of the communication system. Therefore, when modeling the cyber-attack, the network topology should be considered, and each node in the communication system should be modeled.

5 Conclusion

This paper presents a correlated matrix based object-oriented modeling method for network attack analysis, which realizes the modeling of network attack method, attack path, attack steps, and the propagation path of attack behavior in communication and information network. In addition, this method benefits computers by building models fast and efficiently for large and complex communication networks and network attacks. The comparison of the mentioned modeling methods is shown in Supplementary Table S1. Based on this modeling method, an attack case of MITM attack on the measurement data of the AVC control system is analyzed, which indicates the usage and advantages of this modeling method. Finally, we built a HIL co-simulation platform to emulate the MITM attack process and study the impact on the power system. As the method proposed in this paper has good scalability, it also has some deficiencies, as follows.

1) Through the correlated matrix, it is difficult to directly display the attack behavior and its impact;

2) The structure of correlated matrix is relatively large, and its construction is not well-regulated and universal;

3) This modeling method just shows the cyber-attack model, but the probability of attack discovery and defense is not represented.

And we plan to follow the following aspects to further improve the method:

1) Further research for finding the potential attack behavior or evaluating the weak link of the system according to the attack model;

2) Further improvement for the construction method and operation rules of matrix model to make it more expressive and universal;

3) Further research on the “premise and consequence” method to design a matrix model of multiple preconditions;

4) Further research for the representation method of “time and probability” to realize the modeling and calculation for the probability of attack discovery.

Data availability statement

The original contributions presented in the study are included in the article/Supplementary Material; further inquiries can be directed to the corresponding author.

Author contributions

HT was responsible for proposing the modeling method and the specific work in this paper. JX, XL, and LZ carried out some of the calculation work.

Funding

The authors declare that this study received funding from National Natural Science Foundation of China-State Grid Corporation of China Joint Fund Project. The funder was not involved in the study design, collection, analysis, interpretation of data, the writing of this article or the decision to submit it for publication.

Conflict of interest

HT, JX, XL, and LZ were employed by State Grid Electric Power Research Institute, NARI Group Corporation, and NARI Technology Co., Ltd.

Publisher’s note

All claims expressed in this article are solely those of the authors and do not necessarily represent those of their affiliated organizations, or those of the publisher, the editors, and the reviewers. Any product that may be evaluated in this article, or claim that may be made by its manufacturer, is not guaranteed or endorsed by the publisher.

Supplementary material

The Supplementary Material for this article can be found online at: https://www.frontiersin.org/articles/10.3389/fenrg.2022.774645/full#supplementary-material

References

Ding, M., Li, X., and Zhang, J. (2018). Effect of scada-oriented cyber attack on power system reliability. Power Syst. Prot. Control 46 (11), 37–45. doi:10.7667/PSPC170784

CrossRef Full Text | Google Scholar

Eckmann, S. T., Vigna, Giovanni, Kemmerer, R. A., et al. (2002). Statl: an Attack Language for state-based intrusion detection. J. Comput. Secur. 10 (1), 71–103. doi:10.3233/jcs-2002-101-204

CrossRef Full Text | Google Scholar

Huang, B., Li, Y., Zhan, F., Sun, Q., and Zhang, H. (2022). A distributed robust economic dispatch strategy for integrated energy system considering cyber-attacks. IEEE Trans. Ind. Inf. 18 (2), 880–890. doi:10.1109/TII.2021.3077509

CrossRef Full Text | Google Scholar

Li, B., Lu, R., Choo, K. K. R., Wang, W., and Luo, S. (2018a). On reliability analysis of smart grids under topology attacks: a stochastic petri net approach. ACM Trans. Cyber-Phys. Syst. 3 (1)–25. doi:10.1145/3127021

CrossRef Full Text | Google Scholar

Li, J., Ling, X., Li, C., Li, Z., Yang, J., Zhang, L., et al. (2022). Dynamic network security analysis based on Bayesian attack graphs. Comput. Sci. 49 (3), 62–69. doi:10.11896/jsjkx.210800107

CrossRef Full Text | Google Scholar

Li, M., Ni, M., Xue, Y., Chen, X., and Ding, W. (2018b). “Hybrid calculation architecture of cyber physical power system based on correlative characteristic matrix model,” in IEEE 8th Annual International Conference on CYBER Technology in Automation, Control, and Intelligent Systems (CYBER), Tianjin, China, 19-23 July 2018. doi:10.1109/CYBER.2018.8688204

CrossRef Full Text | Google Scholar

Li, X., Wang, W., and Wang, H. (2021). A novel bi-level robust game model to optimize a regionally integrated energy System with large-Scale centralized renewable-energy Sources in Western China. Energy 228 (10), 120513. doi:10.1016/j.energy.2021.120513

CrossRef Full Text | Google Scholar

Lin, Z. Z., Wen, F. S., Yung, C. C., and Po, W. K. (2007). Applications of petri nets in power systems. Proc. Chin. Soc. Univ. Electr. Power Syst. Automation 19 (5), 57–66. doi:10.3969/j.issn.1003-8930.2007.05.003

CrossRef Full Text | Google Scholar

Liu, C. C., Stefanov, A., Hong, J., and Panciatici, P. (2012). Intruders in the grid. IEEE Power Energy Mag. 10 (1), 58–66. doi:10.1109/MPE.2011.943114

CrossRef Full Text | Google Scholar

Lu, J., Huang, L., and Wu, S. (2003). An attack tree approach for network attack modeling. Comput. Eng. Appl. 39 (27), 160–163. doi:10.3321/j.issn:1002-8331.2003.27.051

CrossRef Full Text | Google Scholar

Luo, Z., Yang, X., Liu, J., and Xu, R. (2020). Network intrusion intention analysis model based on Bayesian attack graph. J. Commun. 41 (9), 160–169. doi:10.11959/j.issn.1000-436x.2020172

CrossRef Full Text | Google Scholar

Ma, Y., and Wang, L. G. (2013). Attack graph construction method based on intelligent state transition and permission improvement. Comput. Sci. 40 (9), 156–158.

Google Scholar

Prabha, S., and Anitha, R. (2010). Mitigation of application traffic DDoS attacks with trust and AM based HMM models. Int. J. Comput. Appl. 6 (9), 26–34. doi:10.5120/1101-1443

CrossRef Full Text | Google Scholar

Rumbaugh, B. J., Blaha, M. R., Lorensen, W., Eddy, F., and Premerlani, W. (2004). Object-oriented modeling and design. Upper Saddle River: Prentice-Hall. ISBN: 0136298419.

Google Scholar

Schneider, K., Liu, C. C., and Paul, J. P. (2006). Assessment of interactions between power and telecommunications infrastructures. IEEE Trans. Power Syst. 21 (3), 1123–1130. doi:10.1109/TPWRS.2006.876692

CrossRef Full Text | Google Scholar

Sinha, A., Mohandas, M., Pandey, P., and Vyas, O. P. (2021). Cyber physical defense framework for distributed smart grid applications. Front. Energy Res. 8, 621650. doi:10.3389/fenrg.2020.621650

CrossRef Full Text | Google Scholar

Steffan, J., and Schumachar, M. (2002). “Collaborative attack modeling,” in Conf. 2002 Acm Symposium on Applied Computing, Madrid, Spain, March 11 - 14, 2002. doi:10.1145/508791.508986

CrossRef Full Text | Google Scholar

Tong, H., Ni, M., Zhao, L., and Li, M. (2019). Flexible hardware-in-the-loop testbed for cyber physical power system simulation. IET Cyber-phys. Syst. 4 (4), 374–381. doi:10.1049/iet-cps.2019.0001

CrossRef Full Text | Google Scholar

Vigan, G., and Kemmerer, R. A. (1999). Netstat: a network-based intrusion detection system. J. Comput. Secur. 7 (1), 37–71. doi:10.3233/jcs-1999-7103

CrossRef Full Text | Google Scholar

Wang, G. Y., Wang, H. M., Chen, Z. J., and Xian, M. (2009). Research on computer network attack modeling based on attack graph. J. Natl. Univ. Def. Technol. 31 (4), 74–80. doi:10.1360/972009-1549

CrossRef Full Text | Google Scholar

Wang, Y., Gao, K., Zhao, T., and Qiu, J. (2016). Assessing the harmfulness of cascading failures across space in electric cyber-physical system based on improved attack graph. Proc. CSEE 36 (6), 1490–1499. doi:10.13334/j.0258-8013.pcsee.2016.06.004

CrossRef Full Text | Google Scholar

Zhao, J., Wen, F., Xue, Y., et al. (2011). Modeling analysis and control research framework of cyber physical power systems. Automation Electr. Power Syst. 35 (16), 1–8. doi:10.1016/B978-0-444-53599-3.10005-8

CrossRef Full Text | Google Scholar

Zhou, D., Zhang, H., Zhang, S., and Hu, X. (2005). A DDoS attack detection method based on hidden Markov model. J. Comput. Res. Dev. 42 (9), 1594. doi:10.1360/crad20050921

CrossRef Full Text | Google Scholar

Zhu, J., Xu, H., and Pan, A. (2004). An attack knowledge model based on object-oriented technology. J. Comput. Res. Dev. 41 (7), 1110–1116. doi:10.1016/S0305-0548(02)00154-5

CrossRef Full Text | Google Scholar