Abstract

With the rapid integration of monitoring and controls automation devices into power grid Operational Technology (OT) networks, accurately detecting and defending against cyber events has become critical. To address this challenge, this paper presents a novel approach for detecting cyber threats, especially from unstructured OT cyber data. First, we generate unstructured cyber data from a realistic, real-time cyber-power testbed equipped with industry-grade OT devices. To overcome the lack of a standardized format in the cyber data, we propose two novel feature engineering approaches applied to the Sysmon logs from the substation's Human-Machine Interface (HMI), optimizing the data for automated Machine Learning (ML) tasks. An unsupervised Deep Autoencoder (DAE) is developed and utilized to identify cyber intrusions. Additionally, an alert-based visualization system has been developed using the syslog data from OT devices. Realistic cyber-attack scenarios, designed according to the MITRE ATT&CK framework, were used to validate the performance of the developed DAE model. Lastly, a comprehensive Cyber Threat Intelligence (CTI) report is compiled using the Structured Threat Information eXpression (STIX) framework for threat information sharing.