A Detection and Response Architecture for Stealthy Attacks on Cyber-Physical Systems

Tawfeeq Shawly - King Abdulaziz University, Jeddah, 21589, Saudi Arabia

DOI: http://dx.doi.org/10.30630/joiv.7.3.1323


Reliance on interconnected Cyber-Physical Systems (CPS) applications has increased, and with it has come a tremendous growth in high-assurance challenges. Because the internal systems of a CPS application are functionally interdependent, a utility's ability to reliably provide services could be disrupted if security threats are not addressed. To address this challenge, we propose a multi-level, multi-agent detection and response architecture built on the formalisms of Hidden Markov Models (HMM) and Markov Decision Processes (MDP). We evaluated the performance of the proposed architecture on one of the critical smart grid applications, Advanced Metering Infrastructure (AMI), using the SecAMI simulation tool. A stealthy attack scenario consists of multiple distinct multi-stage attacks deployed concurrently in a network to compromise the system and stop several critical services in a CPS. The results show that the proposed architecture effectively detects and responds to stealthy attack scenarios against Cyber-Physical Systems; in particular, the simulation results show that the proposed system can preserve the availability of more than 93% of the AMI network under stealthy attacks. A future study may evaluate the effectiveness of various stealthy attack strategies and of detection and response systems. The high availability of any AMI should be protected against new attack techniques. The proposed system will also determine the efficient placement of a distributed IDS's intrusion detection sensors and response nodes within an AMI.
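As an added illustration (not the paper's code or the SecAMI tool), the following shows the two formalisms the abstract names working together on a constructed AMI alert stream: an HMM forward filter estimates which stage of a multi-stage attack a sequence of IDS alerts suggests, and an MDP policy chooses a response from that belief. The stage, alert and action names, every probability and reward, and the QMDP-style action selection are assumptions made for the example.

```python
# Added illustration (not the paper's or SecAMI's code); all matrices are constructed for the example.
STAGES = ["normal", "recon", "meter_compromised", "collector_compromised"]
ALERTS = ["none", "scan", "auth_fail", "disconnect_cmd"]
ACTIONS = ["monitor", "isolate_meter", "isolate_collector"]
SAMPLE_ALERTS = ["none", "scan", "scan", "auth_fail", "auth_fail", "disconnect_cmd", "disconnect_cmd"]  # constructed stream

# A[i][j]: P(next stage j | stage i). Attacks escalate; responses are assumed not to change this.
A = [[0.90, 0.10, 0.00, 0.00],
     [0.10, 0.60, 0.30, 0.00],
     [0.05, 0.05, 0.60, 0.30],
     [0.05, 0.00, 0.05, 0.90]]
# B[i][k]: P(alert k | stage i). A stealthy stage mostly raises no alert at all.
B = [[0.94, 0.03, 0.02, 0.01],
     [0.40, 0.50, 0.08, 0.02],
     [0.30, 0.10, 0.55, 0.05],
     [0.20, 0.05, 0.15, 0.60]]
PRIOR = [0.97, 0.01, 0.01, 0.01]
# R[i][a]: reward trades service lost by isolating healthy equipment against an unanswered intrusion.
R = [[0, -20, -60],
     [-5, -20, -60],
     [-40, 10, -30],
     [-80, -30, 20]]

def hmm_filter(alerts):
    """Forward algorithm: normalised posterior over attack stages after each alert."""
    belief, history = PRIOR[:], []
    for alert in alerts:
        k = ALERTS.index(alert)
        predicted = [sum(belief[i] * A[i][j] for i in range(4)) for j in range(4)]
        weighted = [predicted[j] * B[j][k] for j in range(4)]
        belief = [w / sum(weighted) for w in weighted]
        history.append(belief)
    return history

def value_iteration(gamma=0.9, iters=200):
    """Q[i][a] for the response MDP (same transition model for every action: a simplification)."""
    V = [0.0] * 4
    for _ in range(iters):
        Q = [[R[i][a] + gamma * sum(A[i][j] * V[j] for j in range(4)) for a in range(3)] for i in range(4)]
        V = [max(row) for row in Q]
    return Q

def respond(belief, Q):
    """QMDP-style heuristic: the action with the best expected value under the HMM belief."""
    return ACTIONS[max(range(3), key=lambda a: sum(belief[i] * Q[i][a] for i in range(4)))]

def detect_and_respond(alerts):
    """Per alert: most likely stage (detection level) and the response the MDP level picks."""
    Q = value_iteration()
    return [(STAGES[b.index(max(b))], respond(b, Q)) for b in hmm_filter(alerts)]
```

Running `detect_and_respond(SAMPLE_ALERTS)` walks the belief from "normal" through "recon" to the compromised stages, and the chosen response escalates from monitoring to isolating the meter and then the collector only once the belief has shifted.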


security; detection; response; artificial intelligence; machine learning; CPS; AMI.
