
Automated Microgrid Security Monitoring and Threat Hunting


Karanfil, Mark (2025) Automated Microgrid Security Monitoring and Threat Hunting. PhD thesis, Concordia University.

Full text (application/pdf): Karanfil_PhD_F2025.pdf, Accepted Version, 2MB. Available under License Spectrum Terms of Access.

Abstract

The microgrid is a valuable part of the growing smart grid critical infrastructure, generating its own electric power for local consumers while engaging in energy exchange with the main grid. As with other smart grid systems, the microgrid is reliant on the security of its Information Technology (IT) and Operational Technology (OT) networks for safe operation. Threat actors possessing large amounts of smart grid domain knowledge are a major threat to microgrid cybersecurity. Failure to protect the microgrid against these threat actors can lead to major loss of generation, data destruction, and equipment damage. Achieving extensive security coverage against microgrid cyberattacks requires consideration of numerous potential attack entry points, ranging from microgrid line equipment to hosts in the microgrid control centre. With this in mind, this thesis proposes a framework for automated microgrid security monitoring and threat hunting. The proposed automated framework incorporates several novel contributions related to microgrid cybersecurity. Among these contributions is a study on the effectiveness of various machine learning models for anomaly detection on IEC 62351-7:2017 Network and System Management (NSM) active monitoring data and for passive monitoring of power measurements to detect false data injection of line fault readings. Another contribution is a threat hunting approach for generating attack hypotheses based on available Cyber Threat Intelligence (CTI) and attributing the hypotheses to particular Advanced Persistent Threats (APTs). The final contribution is a risk-based methodology for predicting the subsequent actions of an attack campaign. A microgrid co-simulation platform is used to evaluate the impact of compromises to various microgrid components and to collect data in near-real time.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (PhD)
Authors: Karanfil, Mark
Institution: Concordia University
Degree Name: Ph. D.
Program: Information and Systems Engineering
Date: 30 October 2025
Thesis Supervisor(s): Debbabi, Mourad and Hanna, Aiman and Kassouf, Marthe and Abdelhafez, Elnasser
ID Code: 996628
Deposited By: MARK KARANFIL
Deposited On: 29 Jun 2026 17:53
Last Modified: 29 Jun 2026 17:53
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
