With the advancement of distributed computing, IoT device networks and smart grids have been widely adopted for automating industrial control, modern power systems, and other critical infrastructures. These systems rely on sensors and actuators that generate and forward sensory data through multiple nodes. While such systems offer numerous features to support various industries, they are also susceptible to cyberattacks. False data injection attacks (FDIA) are one form of data attack, orchestrated when adversaries can alter the original measurements supplied by these sensors, corrupting the control center's computations.
This article discusses what an FDIA attack is, common forms of such attacks, and prevention strategies.
What is a False Data Injection Attack?
False Data Injection encompasses a class of malicious data attacks that target critical infrastructures controlled by Cyber-Physical Information Systems. FDIA strategies involve the attacker compromising sensor readings so that corrupt data passes undetected into the calculations of the values and variables that define the system state.
The proliferation of the internet and complex adaptive systems in modern power systems, healthcare applications, and other financial operations makes IoT sensors key attack vectors for FDIA exploits. False Data Injection Attack strategies leverage wireless IoT device communication network vulnerabilities to manipulate sensor data. By manipulating sensor data and computations, adversaries can mislead the power distribution network and the control center.
False Data Injection Attacks – Severity Level
Attacks in power systems running on smart grids result in the loss of management for control devices, resulting in operational overheads and severe power outages. Successful false data injection attacks also result in the corruption of transactions on power systems, leading to revenue loss. By acquiring knowledge of the circuit fault condition, FDIA attacks also lead to load distribution dysfunction that causes intermittent faults and a power imbalance between demand and supply.
Wireless IoT device communication has found favorable adoption in major industries, such as air travel, autonomous vehicles, and healthcare. In such instances, false data injection vulnerabilities introduce the risk of privacy leakage, as these devices mostly process sensitive, personally identifying information. Successful data injection into these systems often results in computational overhead as unknown elements complicate the mathematical model used in decision-making based on IoT sensor input.
Attackers also target injection vulnerabilities in communication networks to alter data transmitted between the control device and hybrid IoT networks. A successful attack's severity depends on the injection attack type, the target system, and the deviation between the original measurements and the altered data set.
Common Types and Examples of FDIA Attacks
False Data Injection Attacks are categorized according to the subsystem affected and the level of access the attacker can obtain. The following section highlights the common forms of FDIA attacks and recently orchestrated real-world exploits as examples.
Types of FDIA Attacks
Depending on the level of access adversaries possess to the power systems, FDIA attacks can be classified into:
Internal attacks
This form of FDIA attack is carried out by adversaries who possess precise knowledge of the system's bilinear pairing operations. Such an attacker also accurately understands the power system's network topology, capacity, cost function, and standard measurements of the target system. In most cases, the adversary is an internal threat, such as a disgruntled employee or a malicious actor, who can access the power system's historical load data and control devices.
External attacks
Adversaries carry out this False Data Injection attack with incomplete information about the power network. As a result, the attacker relies on weaknesses in the physical network’s security model to eavesdrop, replay and inject false data into the smart grid. One common approach to effecting such attacks is to target vulnerabilities in input validation and transport layer security for delivering false data through techniques such as code injection and cross-site request forgery.
Examples of FDIA Attacks
Cyber attacks targeting IoT device communication networks that support modern power systems, patient monitoring devices, defense systems, and other smart grid systems have risen with the changing threat landscape.
Some successfully orchestrated FDIA cyber attacks from the recent past include:
December 2015 Ukraine Blackout
This is one of the first publicly acknowledged cyber attacks on power system automation software. On 23rd December 2015, attackers were able to hack Ukraine’s power grid system and use spear-phishing techniques to install malware that led to a blackout affecting over 200,000 consumers. The malware bypassed a bad data detection mechanism and remotely connected with employees’ machines to disconnect 30 substations for over three hours. The adversaries also blocked telephone device communication networks that prevented residents from reporting the outage to concerned officials.
Stuxnet Worm on Iranian Nuclear Power Stations
Stuxnet is a computer worm that targets programmable logic controllers used to automate industrial processes and power systems. The worm has been under development since the mid-2000s and usually targets computers that use Windows OS and run the Siemens Step 7 real-time data transmission software. As part of the planned attack, attackers planted the worm on Iranian critical infrastructure management centers, collecting real-time data from industrial systems. They also caused the uranium gas centrifuges to spin out of control and cause maximum damage to the entire power grid.
Maroochy Water System Attack
Considered one of the most infamous internal attacks, this attack was carried out by a disgruntled employee of a radio-controlled sewage equipment installation company. After a strained relationship between the company and a worker, the disgruntled worker issued false data to the sewage equipment through radio commands. This injection resulted in the spillage of 800,000 liters of raw sewage into parks, rivers, and close residential areas, severely impacting marine and human life.
2010 Stuxnet Attack on WinCC SCADA Software in Germany
The Stuxnet virus was detected in fifteen power, chemical, and industrial control plants in Germany that use SCADA and Siemens software. The virus targeted the PCS 7 and Simatic WinCC software but was discovered and patched before the trojan could affect any economic or real-time data aggregation operation.
Detecting and Preventing False Data Injection Attacks
Successful False Data Injection attacks result in considerable damage to both private and public entities, including:
Incorrect healthcare diagnosis
Doctored insurance claims
Erratic credit analysis
Failure of electric power grids
Although countermeasures differ based on use cases, mitigation approaches fall into two key domains:
Protection-based defense – Mechanisms built to harden IoT device networks and power systems against vulnerability exploits. This security model emphasizes vulnerability identification and risk management to prevent malicious attacks. The protection-based defense approach is more straightforward and ensures that attackers do not gain initial access to the system’s physical data identification or cyber layer.
Detection-based defense – Measures directed toward bad data detection and FDIA attack identification. Detection is a reactive countermeasure, but it is needed because the sparsity of attack vectors makes protection-based defense mechanisms insufficient on their own. This necessitates a security model that combines the traditional scheme of static security assessment with runtime monitoring, alerts, and remediation.
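The "bad data detection" that detection-based defense builds on is, in the classic state-estimation setting, a residual test: the control center estimates the system state from all meters and flags the window when the readings disagree with that estimate by more than sensor noise allows. The following Python is an added illustration, not code from the original article or from Crashtest Security. It uses a constructed four-meter, two-state linear measurement model; the matrix H, the noise level SIGMA, the chi-square threshold and the sample readings are all assumptions chosen for the demonstration.

```python
import math

# Constructed DC power-flow style measurement model z = H x + e, where x is the
# unknown two-element system state and H is the measurement Jacobian (assumed).
H = [
    [1.0, 0.0],
    [0.0, 1.0],
    [1.0, -1.0],
    [0.5, 0.5],
]
SIGMA = 0.02           # assumed standard deviation of meter noise (equal for all meters)
CHI2_THRESHOLD = 5.99  # chi-square 95% critical value for m - n = 4 - 2 = 2 degrees of freedom


def solve_linear(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system A x = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                for c in range(col, n + 1):
                    M[r][c] -= f * M[col][c]
    return [M[i][n] / M[i][i] for i in range(n)]


def estimate_state(z):
    """Least-squares state estimate x_hat = (H^T H)^-1 H^T z (all meters weighted equally)."""
    m, n = len(H), len(H[0])
    HtH = [[sum(H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    Htz = [sum(H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve_linear(HtH, Htz)


def bad_data_detected(z):
    """Residual test: J = sum((z - H x_hat)^2) / sigma^2 compared with the chi-square threshold.

    Returns (flagged, J) so the caller can log the statistic as well as the verdict.
    """
    x_hat = estimate_state(z)
    n = len(x_hat)
    residuals = [z[k] - sum(H[k][i] * x_hat[i] for i in range(n)) for k in range(len(H))]
    j = sum(r * r for r in residuals) / (SIGMA ** 2)
    return j > CHI2_THRESHOLD, j


def measurements(x, noise):
    """Generate meter readings for a known state plus per-meter noise (used to build sample data)."""
    return [sum(H[k][i] * x[i] for i in range(len(x))) + noise[k] for k in range(len(H))]


# Constructed sample data: a true state, noise within meter tolerance, and one tampered meter.
TRUE_STATE = [1.0, 0.8]
NOISE = [0.005, -0.004, 0.003, -0.002]
clean = measurements(TRUE_STATE, NOISE)
corrupted = clean[:]
corrupted[2] += 0.3   # the third meter is altered so it no longer agrees with the other readings

if __name__ == "__main__":
    for label, z in (("clean", clean), ("corrupted", corrupted)):
        flagged, j = bad_data_detected(z)
        print(f"{label}: J = {j:.2f}, bad data detected = {flagged}")
```

With the clean readings the statistic J is a small fraction of the threshold, while the single tampered meter pushes it to several times the threshold, so the window is flagged. Note what this check does and does not do: it only catches injected data that is inconsistent with the measurement model, so it belongs to the static assessment side and has to be paired with the runtime and historical-context detectors described in the countermeasures below.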
FDIA Attack Countermeasures
Some fundamental models/methods used to prevent FDIA attacks include:
Deep Learning Techniques
Deep learning algorithms can be used to profile normal application behavior using both real-time data and historical context. The deep belief network is a detection-based defense mechanism that helps identify active FDIA exploits by applying AI and deep learning techniques to explore temporal behaviors.
Kullback-Leibler Distance
This method applies a computational comparison between original and false data based on attackable measurements. A larger Kullback-Leibler distance indicates a greater likelihood that the measurements contain noise or injected values that deviate from historical data.
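To show how the Kullback-Leibler distance is used as a detector, here is an added Python example that is not part of the original article or of Crashtest Security's code. It builds a smoothed histogram of a historical window of meter readings, does the same for the most recent window, computes D_KL(current || historical) and raises an alarm above a threshold. The readings are constructed (seeded pseudo-random values around a nominal load of 100 with one window shifted upward to imitate inflated measurements), and the bin layout, the smoothing constant and the threshold KL_THRESHOLD are assumptions that a deployment would tune from benign windows.

```python
import math
import random

# Assumed: 1-unit bins across the plausible reading range; readings outside it fall into the edge bins.
BIN_EDGES = [float(v) for v in range(88, 113)]
KL_THRESHOLD = 0.5   # assumed alarm threshold, to be calibrated on benign traffic in practice


def histogram(values, alpha=1.0):
    """Smoothed probability mass per bin.

    alpha adds a pseudo-count to every bin (Laplace smoothing) so that a bin the
    historical data never filled does not produce a zero and an infinite distance.
    """
    counts = [0.0] * (len(BIN_EDGES) - 1)
    for v in values:
        idx = int(v - BIN_EDGES[0])
        idx = min(max(idx, 0), len(counts) - 1)   # clamp out-of-range readings into the edge bins
        counts[idx] += 1
    total = sum(counts) + alpha * len(counts)
    return [(c + alpha) / total for c in counts]


def kl_divergence(p, q):
    """D_KL(P || Q) = sum_i p_i * log(p_i / q_i), in nats."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0)


def fdia_suspected(historical, window):
    """Compare the current window against history; returns (alarm, distance)."""
    d = kl_divergence(histogram(window), histogram(historical))
    return d > KL_THRESHOLD, d


# Constructed sample data (seeded so the run is repeatable).
rng = random.Random(7)
historical = [rng.gauss(100.0, 2.0) for _ in range(2000)]   # past readings under normal operation
benign = [rng.gauss(100.0, 2.0) for _ in range(200)]        # a new window from the same process
injected = [v + 6.0 for v in benign]                        # every reading inflated by a fixed offset

if __name__ == "__main__":
    for label, window in (("benign", benign), ("injected", injected)):
        alarm, d = fdia_suspected(historical, window)
        print(f"{label}: D_KL = {d:.3f}, alarm = {alarm}")
```

The benign window lands at a distance of a few hundredths of a nat, the expected sampling variation for a 200-reading window over this many bins, while the shifted window is several nats away because most of its mass falls in bins that history almost never filled. The smoothing constant matters: without it a single reading in an empty bin would make the distance infinite and the detector useless on sparse data.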
Sparse Optimization
Sparse optimization is an experimental scheme that implements bad data detection using a combination of low-rank matrix factorization and nuclear norm minimization. The nuclear norm minimization technique approximates the rank of the Jacobian matrix by shrinking each singular value equally. This reduces the system's computation cost, as a full singular value decomposition would increase the size of the data sets. The low-rank matrix factorization strategy helps improve scalability when detecting malicious attacks against wireless IoT device communication networks.
Use of Colored Gaussian Noise
This countermeasure involves using Colored Gaussian Noise to create an autoregressive process model. This mathematical model estimates the state of transmission networks for the correlation of power data. This estimation can be used to develop a generalized likelihood ratio test to diagnose malicious attacks.
Spatio-Temporal Correlations
This detection-based protection method prioritizes the correlation of power data and system state to identify FDIA attacks in real time. Trust-based voting among sensor nodes and spatio-temporal correlation among IoT network components are given priority when evaluating the integrity of state estimations.
Hop-by-hop Authentication
In instances where the hacker has already compromised one or more IoT nodes, the traditional one-to-one authentication method is considered inefficient for sensor networks. Hop-by-hop authentication ensures that the control center can identify injected data packets when the number of compromised nodes reaches a detection threshold. This authentication scheme provides an optimized approach to identifying and preventing FDIA exploits in modern sensor networks.
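The article names no specific hop-by-hop scheme, so the following Python is an added example of the threshold-endorsement design used in sensor-network en-route filtering, written for this page and not taken from the original article or from Crashtest Security. It assumes that every node shares a symmetric key with the control center (the sink), that a report must carry HMAC endorsements from T + 1 distinct nodes, and that each forwarding node holds the key of one endorser and drops any packet whose endorsement fails. The node keys, the report fields, the relay path and the threshold T are all constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json

T = 2  # assumed: a report needs T + 1 endorsements, so fabricating one needs T + 1 cooperating keys

# Constructed demo keys; in a deployment each key is provisioned to its node and to the sink.
NODE_KEYS = {nid: hashlib.sha256(f"demo-key-{nid}".encode()).digest() for nid in range(1, 6)}


def canonical(report):
    """Stable byte encoding of the authenticated report fields."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def endorse(report, node_id, key=None):
    """Node node_id attaches an HMAC-SHA256 tag over the report using its own key."""
    key = key or NODE_KEYS[node_id]
    return hmac.new(key, canonical(report), hashlib.sha256).hexdigest()


def make_packet(report, endorsers):
    """A sensing node builds the packet and collects endorsements from its neighbours."""
    return {"report": report, "endorsements": {nid: endorse(report, nid) for nid in endorsers}}


def verify_endorsement(packet, node_id):
    tag = packet["endorsements"].get(node_id)
    if tag is None:
        return False
    return hmac.compare_digest(tag, endorse(packet["report"], node_id))


def relay(packet, checks_node):
    """En-route filter: a forwarding node verifies the one endorsement it holds a key for."""
    return packet if verify_endorsement(packet, checks_node) else None


def sink_accept(packet):
    """Control center accepts only reports carrying T + 1 valid endorsements from distinct nodes."""
    if packet is None:
        return False
    valid = {nid for nid in packet["endorsements"] if verify_endorsement(packet, nid)}
    return len(valid) >= T + 1


def deliver(packet, relay_path):
    """Forward through each relay (given as the node id that relay verifies), then hand to the sink."""
    for checks_node in relay_path:
        packet = relay(packet, checks_node)
        if packet is None:
            return False   # dropped before reaching the control center
    return sink_accept(packet)


# Constructed scenario: nodes 1, 2 and 3 endorse a genuine reading; node 2 is later compromised.
legit = make_packet({"sensor_cluster": "feeder-7", "voltage_kv": 11.0}, endorsers=[1, 2, 3])

# Node 2 fabricates a reading; it can only produce its own tag and has to guess the other keys.
forged = make_packet({"sensor_cluster": "feeder-7", "voltage_kv": 14.5}, endorsers=[2])
forged["endorsements"][1] = endorse(forged["report"], 1, key=b"not-node-1-key")
forged["endorsements"][3] = endorse(forged["report"], 3, key=b"not-node-3-key")

# Node 2 alters a genuine report in transit; the tags from nodes 1 and 3 no longer match.
tampered = copy.deepcopy(legit)
tampered["report"]["voltage_kv"] = 14.5
tampered["endorsements"][2] = endorse(tampered["report"], 2)

if __name__ == "__main__":
    path = [1, 3]   # relays that verify node 1's and node 3's endorsements respectively
    for label, pkt in (("legit", legit), ("forged", forged), ("tampered", tampered)):
        print(f"{label}: accepted = {deliver(pkt, path)}")
```

The genuine packet passes both relays and the sink; the forged and tampered packets are dropped at the first relay, and even a relay that skipped its check would not help, because the sink still finds only one valid endorsement out of the required three. The guarantee holds only while fewer than T + 1 endorsing nodes are under the attacker's control, which is why the threshold has to be set against the number of nodes an adversary could plausibly compromise at once.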
Use of the Blockchain
The blockchain has recently seen favorable adoption as it enforces data authenticity. The decentralized nature and cryptographic authentication mechanisms of the blockchain security model provide a better safeguard against FDIA attacks. Implementing this model helps prevent false image injection attacks in healthcare and reduces forgery attacks on transactions in power systems.
Public key cryptography
Cryptographic operations and algorithms can guard the integrity of IoT network measurements. Public key cryptographic algorithms, such as the McEliece public key system, are ideal for identifying and nullifying data supplied through FDIA attack strategies. The algorithm should be chosen carefully, as complex ones add computational overhead.
False Data Injection FAQs
What is the difference between false data injection, OS command injection, and SQL injection?
All three attacks involve the attacker injecting malicious code into the target system. While OS command injection and SQL injection attacks target web systems, FDIA is a class of cyber attacks that targets smart grids such as sensor networks, cyber-physical power systems, and IoT device communication networks.
What are the top evaluation metrics for FDIA countermeasures?
The effectiveness of FDIA countermeasures is evaluated based on three aspects:
Vulnerability identification – Effectiveness of the countermeasure at identifying all vulnerabilities attackers can exploit to compromise legitimate hybrid IoT devices.
Impact identification – Reflects the capability of the security model to estimate the effects of malicious attacks with the highest degree of accuracy possible.
Data imputation – Ability of the countermeasure to replace the false data with the original measurements.
Conclusion
Adversaries typically orchestrate an FDIA attack by intruding on the physical security of control devices, bypassing inefficient data detection mechanisms of the system, and introducing measurement noises. While adopting best practices and prevention strategies may differ with use cases, vulnerability identification sits at the core of FDIA attack mitigation.
Crashtest Security Suite automates vulnerability scanning to help administer comprehensive security for web applications and APIs.
To know more about how Crashtest Security can help simplify vulnerability scanning and protect complex adaptive systems with a single click, try a 14-day free trial here.
This article was originally published on crashtest-security.com/false-data-injection and is republished here with the authorization of Crashtest Security.