Inferring adversarial behaviour in cyber-physical power systems using a Bayesian attack graph approach

Highly connected smart power systems are subject to increasing vulnerabilities and adversarial threats. Defenders need to proactively identify and defend new high-risk access paths of cyber intruders that target grid resilience. However, cyber-physical risk analysis and defense in power systems often requires making assumptions on adversary behaviour, and these assumptions can be wrong. Thus, this work examines the problem of inferring adversary behaviour in power systems to improve risk-based defense and detection. To achieve this, a Bayesian approach for inference of the Cyber-Adversarial Power System (Bayes-CAPS) is proposed that uses Bayesian networks (BNs) to define and solve the inference problem of adversarial movement in the grid infrastructure towards targets of physical impact. Specifically, BNs are used to compute conditional probabilities to queries, such as the probability of observing an event given a set of alerts. Bayes-CAPS builds initial Bayesian attack graphs for realistic power system cyber-physical models. These models are adaptable using collected data from the system under study. Then, Bayes-CAPS computes the posterior probabilities of the occurrence of a security breach event in power systems. Experiments are conducted that evaluate algorithms based on time complexity, accuracy and impact of evidence for different scales and densities of network. The performance is evaluated and compared for five realistic cyber-physical power system models of increasing size and complexities ranging from 8 to 300 substations based on computation and accuracy impacts.