Preemptive Security Solution to Disrupt Attackers’ Reconnaissance on Cyber-Physical Systems

Motivation
Targeted cyberattacks on industrial control systems (ICS) — such as those seen in real-world power grid incidents — often begin with stealthy reconnaissance, where adversaries collect detailed knowledge of physical infrastructure. Traditional intrusion detection systems act reactively and fail to prevent adversaries from gathering such intelligence. Our work is motivated by the need to proactively disrupt the reconnaissance phase, which is crucial for enabling damage-free and misleading defense strategies in smart grid security.

Innovation
We introduce Physical Function Virtualization (PFV) — a novel concept that uses real physical devices to build lightweight virtual nodes. These nodes mimic the actual behavior of network stacks, physical dynamics, and system invariants of real grid devices. Based on PFV, we propose DefRec, a new defense mechanism that randomizes communication patterns and crafts decoy data, significantly misleading and delaying adversaries. This approach moves beyond traditional honeypots and mimicry techniques by grounding virtual node behavior in real device profiles and measurements.

Technical Advancements

  • Virtual Node Construction: Build virtual nodes by using Software-defined networking (SDN) to hook network traffic from a few “seed” devices, allowing virtual nodes to exhibit authentic runtime behavior without modifying the power grid.
  • Communication Randomization: Implement a disruption policy that adds random interactions with virtual nodes so that real devices cannot be singled out by their traffic patterns, significantly delaying adversaries’ network mapping with only a small number of virtual nodes.
  • Decoy Data Crafting: Generate synthetic measurements that conform to power grid physical laws, so that an adversary cannot reject them by consistency checks, and thereby disrupt attackers’ knowledge of the grid’s physical infrastructure.
  • Scalable and Lightweight: Implemented on an ONOS SDN controller and evaluated using real IEDs and power grid simulations, introducing only small overhead while retaining strong security guarantees.
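The decoy data crafting step above hinges on one property: synthetic measurements must satisfy the same physical invariants as real ones, or an adversary who knows the grid model can filter them out. The following Python is an added example written for this page, not DefRec's or PFV's implementation. It assumes a constructed three-bus network with per-unit line susceptances, a lossless DC power-flow model with bus 0 as slack, and measurements consisting of bus injections and line flows; the network, susceptance values and function names are all illustrative. It derives flows from sampled injections so that every bus obeys the DC power-flow law, and contrasts that with a naive decoy whose injections and flows are drawn independently, which fails the consistency check an adversary could run.

```python
"""Crafting decoy grid measurements that obey a DC power-flow model.

Added example (not DefRec/PFV code). Constructed assumptions:
  * 3-bus network, line susceptances b_ij in per-unit,
  * bus 0 is the slack bus (theta_0 = 0) and balances total injection,
  * measurements = bus injections P_i and line flows F_ij,
  * invariant an adversary could check: P_i == sum of flows leaving bus i.
"""
import random

# Constructed network: (from_bus, to_bus, susceptance) in per-unit.
LINES = [(0, 1, 10.0), (1, 2, 5.0), (0, 2, 8.0)]
N_BUS = 3
SLACK = 0
TOL = 1e-9


def gauss_solve(a, b):
    """Solve a*x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def bus_susceptance_matrix():
    """B_ii = sum of incident susceptances, B_ij = -b_ij for each line."""
    B = [[0.0] * N_BUS for _ in range(N_BUS)]
    for i, j, b in LINES:
        B[i][i] += b
        B[j][j] += b
        B[i][j] -= b
        B[j][i] -= b
    return B


def solve_dc_angles(injections):
    """Return bus angles theta (theta[SLACK] = 0) with B*theta = P at non-slack buses."""
    B = bus_susceptance_matrix()
    idx = [k for k in range(N_BUS) if k != SLACK]
    reduced = [[B[r][c] for c in idx] for r in idx]
    theta = [0.0] * N_BUS
    for k, t in zip(idx, gauss_solve(reduced, [injections[r] for r in idx])):
        theta[k] = t
    return theta


def craft_decoy_measurements(seed):
    """Sample random non-slack injections, then derive flows from the model."""
    rng = random.Random(seed)
    injections = [0.0] * N_BUS
    for k in range(N_BUS):
        if k != SLACK:
            injections[k] = rng.uniform(-1.0, 1.0)
    injections[SLACK] = -sum(injections)  # lossless model: slack balances the rest
    theta = solve_dc_angles(injections)
    flows = {(i, j): b * (theta[i] - theta[j]) for i, j, b in LINES}
    return {"injection": injections, "flow": flows}


def naive_random_measurements(seed):
    """A careless decoy: injections and flows drawn independently of each other."""
    rng = random.Random(seed)
    injections = [rng.uniform(-1.0, 1.0) for _ in range(N_BUS)]
    flows = {(i, j): rng.uniform(-1.0, 1.0) for i, j, _ in LINES}
    return {"injection": injections, "flow": flows}


def check_consistency(meas):
    """Adversary-side check: does every bus satisfy P_i == sum of outgoing flows?"""
    worst = 0.0
    for k in range(N_BUS):
        leaving = 0.0
        for (i, j), f in meas["flow"].items():
            if i == k:
                leaving += f
            elif j == k:
                leaving -= f
        worst = max(worst, abs(meas["injection"][k] - leaving))
    return worst <= TOL


if __name__ == "__main__":
    print("physics-consistent decoy passes:", check_consistency(craft_decoy_measurements(7)))
    print("naive random decoy passes:", check_consistency(naive_random_measurements(7)))
```

The same check, run by the defender before a virtual node serves a measurement, is the gate that keeps decoys indistinguishable on physical grounds; real DefRec decoys additionally need to match the dynamics and measurement profiles of the seed devices, which this toy model does not capture.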