Title: On specification-based cyber-attack detection in smart grids

Type: Article

Authors: Sen, Ömer; van der Velde, Dennis; Lühman, Maik; Sprünken, Florian; Hacker, Immanuel; Ulbig, Andreas; Andres, Michael; Henze, Martin

Date issued: 2022-10-05 (available: 2022-10-05; year: 2022)

Repository record: https://oa.tib.eu/renate/handle/123456789/10215
DOI: http://dx.doi.org/10.34657/9262

License: CC BY 4.0 Unported (http://creativecommons.org/licenses/by/4.0/)

Language: eng

Classification (DDC): 004; 333.7

Keywords: Cyber security; Cyber physical systems; Intrusion detection systems

Abstract: The transformation of power grids into intelligent cyber-physical systems brings numerous benefits, but also significantly increases the surface for cyber-attacks, demanding appropriate countermeasures. However, the development, validation, and testing of data-driven countermeasures against cyber-attacks, such as machine learning-based detection approaches, lack important data from real-world cyber incidents. Unlike attack data from real-world cyber incidents, infrastructure knowledge and standards are accessible through expert and domain knowledge. Our proposed approach uses domain knowledge to define the behavior of a smart grid under non-attack conditions and to detect attack patterns and anomalies. Using a graph-based specification formalism, we combine cross-domain knowledge that enables the generation of whitelisting rules not only for statically defined protocol fields but also for communication flows and technical operation boundaries. Finally, we evaluate our specification-based intrusion detection system against various attack scenarios and assess detection quality and performance. In particular, we investigate a data manipulation attack in a future-orientated use case of an IEC 60870-based SCADA system that controls distributed energy resources in the distribution grid. Our approach can detect severe data manipulation attacks with high accuracy in a timely and reliable manner.