Smart Grids will enable a direct communication between supplier and consumer. The supply networks will be controlled and managed centrally by digital technologies, which will balance supply and demand in the distribution system and will facilitate feeding-in of renewable energies. To ensure trouble-free operation of this future power supply, the system must be protected from unauthorized access.

If for instance an electricity consumer moves out of the flat, the power supply is switched off by remote shutdown via Smart Meter. The remote shutdown, however, bears an increased target for hackers, which may aim for extensive interruption of the power supply.

Potential hacker attacks can be sounded out by modeling such events as processes, including definition of procedure steps and sequences. For this purpose, Günther Eibl, Sebastian Burkhart and Cornelia Ferner from the Josef Ressel Center investigate the processes of Smart Grid within the research project PROMISE.
In “Exploration of the Potential of Process Mining for Intrusion detection in Smart Energy Grids” the team built a process model, modeled an attack tree and evaluated the detectability of any possible attack by common as well as new methods of process analysis.
The results of this research project were recently presented by Günther Eibl at the Third International Conference on Information Systems Security and Privacy (ICISSP 2017) in Porto, Portugal.

Concerning the example of energy remote shutdown the researchers found out that current analysis methods like conformance checking mainly recognize new, modified or repeatedly generated shutdown messages.

“The trick is that only knowledge of the process is required and the method of detection works automatically. It is consequently not necessary to generate a new method of detection for every new attack. The disadvantages are a substantially increased effort for data acquisition and a stronger process control”, Eibl complements the results.

Future research efforts at the Josef Ressel Center will not concentrate on process modeling only, but will additionally apply process mining to learn from event data.

• G. Eibl, C. Ferner, T. Hildebrandt, F. Stertz, S. Burkhart, S. Rinderle-Ma, and D. Engel, “Exploration of the Potential of Process Mining for Intrusion Detection in Smart Metering,” in 3rd International Conference on Information Systems Security and Privacy, 2017.
  [Bibtex]

  @InProceedings{Eibl17a,
  author = {Eibl, G{\"{u}}nther and Ferner, Cornelia and Hildebrandt, Tobias and Stertz, Florian and Burkhart, Sebastian and Rinderle-Ma, Stefanie and Engel, Dominik},
  title = {Exploration of the Potential of Process Mining for Intrusion Detection in Smart Metering},
  booktitle = {3rd International Conference on Information Systems Security and Privacy},
  year = {2017},
  abstract = {Process mining is a set of data mining techniques that learn and analyze processes based on event logs. While process mining has recently been proposed for intrusion detection in business processes, it has never been applied to smart metering processes. The goal of this paper is to explore the potential of process mining for the detection of intrusions into smart metering systems. As a case study the remote shutdown process has been modeled and a threat analysis was conducted leading to an extensive attack tree. It is shown that currently proposed process mining techniques based on conformance checking do not suffice to find all attacks of the attack tree; an inclusion of additional perspectives is necessary. Consequences for the design of a realistic testing environment based on simulations are discussed.},
  keywords = {IDS,Intrusion Detection,Process Mining,Smart Grids,Smart Metering,process mining,security},
  pdf = {http://www.en-trust.at/papers/Eibl17a.pdf},
  }