Tamper-Event Detection Using Distributed SCADA Hardware

Activity Leads: 
Industry Collaborators: 

Schweitzer Engineering Laboratories, Inc.
Aruba Networks

Research Summary: 

Utilities collect and monitor data from a number of devices, such as recloser controls, that are distributed across their service areas. The devices are often mounted on utility poles in both remote and densely populated areas, and have little physical security other than the cabinets in which they are placed. However, the devices require a connection to the utility’s SCADA network, which means that an attacker could gain access to the network and begin injecting traffic just by defeating the physical security of the cabinet. Utilities would like to detect such tampering with their devices, but that goal is complicated by the need for devices (and their tamper detection equipment) to allow for “legitimate” tamper events, such as servicing by a technician; the potential need to leave the connection open in the event of a natural disaster, to simplify and expedite recovery effects; and the need to configure and deploy without placing an undue burden on grid operators. To meet those needs, this research activity developed TEDDI (Tamper Event Detection on Distributed Infrastructure, a distributed, sensor-based approach to tamper detection. TEDDI consists of three components: Tamper Information Points (TIPs), which live inside a utility’s cabinets, use their sensors to monitor the cabinets for possible intrusions, and send tamper signals upstream when they see an abnormal reading; Tamper Enforcement Points (TEPs), which act on tamper decisions that are made; and Tamper Decision Points (TDPs), which reside in a higher-security area of the network, collect information from the TIPs within the network, and send tamper event detection decisions to the TEPs in the network. To fuse together the sensor data and determine what events are occurring, TEDDI uses factor graphs made up of the indicators that denote the events we are looking for, which allows operators to configure our system quickly and efficiently. The activity also developed the TEDDI Generation Tool, which automatically generates the necessary TIP, TDP, and TEP files based on the operator’s input.

Presentation from 2014 Industry Workshop:

Tamper Event Detection on Distributed Infrastructure (TEDDI). Presented by Jason Reeves, Dartmouth College, at the 2014 TCIPG Industry Workshop held November 12-13, 2014 at the iHotel and Conference Center in Illinois. Slides for this presentation may be downloaded from the workshop archives.

More Information: