Detecting Cyber Attacks On Nuclear Power Plants

  • Julian Rrushi
  • Roy Campbell
Conference paper
Part of the The International Federation for Information Processing book series (IFIPAICT, volume 290)

This paper proposes an unconventional anomaly detection approach that provides digital instrumentation and control (I&C) systems in a nuclear power plant (NPP) with the capability to probabilistically discern between legitimate protocol frames and attack frames. The stochastic activity network (SAN) formalism is used to model the fusion of protocol activity in each digital I&C system and the operation of physical components of an NPP. SAN models are employed to analyze links between protocol frames as streams of bytes, their semantics in terms of NPP operations, control data as stored in the memory of I&C systems, the operations of I&C systems on NPP components, and NPP processes. Reward rates and impulse rewards are defined in the SAN models based on the activity-marking reward structure to estimate NPP operation profiles. These profiles are then used to probabilistically estimate the legitimacy of the semantics and payloads of protocol frames received by I&C systems.


Nuclear plants intrusion detection stochastic activity networks 


  1. 1.
    C. Bellettini and J. Rrushi, Vulnerability analysis of SCADA protocol binaries through detection of memory access taintedness, Proceedings of the IEEE SMC Information Assurance and Security Workshop, pp. 341– 348, 2007.Google Scholar
  2. 2.
    D. Deavours, G. Clark, T. Courtney, D. Daly, S. Derisavi, J. Doyle, W. Sanders and P. Webster, The Möbius framework and its implementation, IEEE Transactions of Software Engineering, vol. 20(10), pp. 956– 969, 2002.CrossRefGoogle Scholar
  3. 3.
    R. Krutz, Securing SCADA Systems, Wiley, Indianapolis, Indiana, 2006.Google Scholar
  4. 4.
    J. McCalley, Y. Jiang, V. Honavar, J. Pathak, M. Kezunovic, S. Natti, C. Singh and J. Panida, Automated Integration of Condition Monitoring with an Optimized Maintenance Scheduler for Circuit Breakers and Power Transformers, Final Project Report, Department of Computer Science, Iowa State University, Ames, Iowa, 2006.Google Scholar
  5. 5.
    J. Meyer, A. Movaghar and W. Sanders, Stochastic activity networks: Structure, behavior and application, Proceedings of the International Conference on Timed Petri Nets, pp. 106– 115, 1985.Google Scholar
  6. 6.
    J. Meyer and W. Sanders, Specification and construction of performability models, Proceedings of the Second International Workshop on Performa-bility Modeling of Computer and Communication Systems, 1993.Google Scholar
  7. 7.
    Microsoft Research, MSBNx: Bayesian Network Editor and Tool Kit, Microsoft Corporation, Redmond, Washington ( Scholar
  8. 8.
    Modbus IDA, MODBUS Application Protocol Specification v1.1a, North Grafton, Massachusetts (, 2004.Google Scholar
  9. 9.
    J. Pathak, Y. Jiang, V. Honavar and J. McCalley, Condition data aggregation with application to failure rate calculation of power transformers, Proceedings of the Thirty-Ninth Annual Hawaii International Conference on System Sciences, p. 241a, 2005.Google Scholar
  10. 10.
    J. Pearl, Bayesian networks: A model of self-activated memory for evidential reasoning, Proceedings of the Seventh Conference of the Cognitive Science Society, pp. 329– 334, 1985.Google Scholar
  11. 11.
    W. Sanders, Construction and Solution of Performability Models Based on Stochastic Activity Networks, Ph.D. Dissertation, Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, Michigan, 1988.Google Scholar
  12. 12.
    W. Sanders, Integrated frameworks for multi-level and multi-formalism modeling, Proceedings of the Eighth International Workshop on Petri Nets and Performance Models, pp. 2– 9, 1999.Google Scholar
  13. 13.
    W. Sanders and J. Meyer, A unified approach for specifying measures of performance, dependability and performability, in Dependable Computing for Critical Applications, A. Avizienis and J. Laprie (Eds.), Springer-Verlag, Berlin-Heidelberg, Germany, pp. 215– 237, 1991.CrossRefGoogle Scholar
  14. 14.
    W. Sanders and J. Meyer, Stochastic activity networks: Formal definitions and concepts, in Lecture Notes in Computer Science, Volume 2090, Springer, Berlin-Heidelberg, Germany, pp. 315– 343, 2001.Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Julian Rrushi
    • 1
  • Roy Campbell
    • 1
  1. 1.University of IllinoisChicagoUSA

Personalised recommendations