Randomization-Based Intrusion Detection System for Advanced Metering Infrastructure*

Smart grid deployment initiatives have been witnessed in recent years. Smart grids provide bidirectional communication between meters and head-end systems through Advanced Metering Infrastructure (AMI). Recent studies highlight the threats targeting AMI. Despite the need for tailored Intrusion Detection Systems (IDSs) for smart grids, very limited progress has been made in this area. Unlike traditional networks, smart grids have their own unique challenges, such as limited computational power devices and potentially high deployment cost, that restrict the deployment options of intrusion detectors. We show that smart grids exhibit deterministic and predictable behavior that can be accurately modeled to detect intrusion. However, it can also be leveraged by the attackers to launch evasion attacks. To this end, in this article, we present a robust mutation-based intrusion detection system that makes the behavior unpredictable for the attacker while keeping it deterministic for the system. We model the AMI behavior using event logs collected at smart collectors, which in turn can be verified using the invariant specifications generated from the AMI behavior and mutable configuration. Event logs are modeled using fourth-order Markov chain and specifications are written in Linear Temporal Logic (LTL). To counter evasion and mimicry attacks, we propose a configuration randomization module. The approach provides robustness against evasion and mimicry attacks; however, we discuss that it still can be evaded to a certain extent. We validate our approach on a real-world dataset of thousands of meters collected at the AMI of a leading utility provider.