
S4 Preview - Detecting Attacks in IEC 61850 Messages

It seems like there is always one S4 paper whose full impact is a technical challenge for me to understand. This year it is Julian Rrushi and Roy Campbell’s paper, “Detecting Attacks in Power Plant Interfacing Substations through Probabilistic Validation of Attack-Effect Bindings”. You may remember Julian from last year when, as a graduate student from the University of Milan, he had the “honor” of presenting his crypto algorithm at S4 in front of Whit Diffie. Talk about a trial by fire.

Julian is now at the University of Illinois, my alma mater and Rose Bowl participant, where he and Roy have done a very detailed study of the IEC 61850 protocol usage in an electric substation environment. This study has led to identifying causality relations via structural equations to probabilistically characterize the legitimacy and abnormality of IEC 61850 traffic.

This is a major step past identifying rare and likely malicious requests via IDS signatures like those Digital Bond has developed. It is also a major step past profiling legitimate communication by port and IP address, as discussed in an SRI paper at S4 2007. It actually models the context and values in the communication and looks for statistical deviations from the model as potential security incidents.

There is a lot of math in this paper along with an interesting discussion of IEC 61850. I’m curious to see what the S4 audience makes of this paper.

Comments

Comment from Becky Watson
Time: January 11, 2008, 1:17 pm

Do you know where I can read that paper? It looks really interesting. Thanks!

Comment from Dale Peterson
Time: January 11, 2008, 1:38 pm

This and the other S4 Papers are published in the S4 Proceedings Book that will be available after the event on Jan 23-24. The book will be available from our site as well as Amazon.com.
