Campus Units

Electrical and Computer Engineering

Document Type

Book Chapter

Publication Version

Accepted Manuscript

Publication Date


Journal or Book Title

Wide Area Power Systems Stability, Protection, and Security

First Page


Last Page





Today’s electric power grid is a complex, automated, and interconnected cyber-physical system (CPS) that relies on supervisory control and data acquisition (SCADA)-based communication infrastructure for operating wide-area monitoring, protection, and control (WAMPAC) applications. With a push towards making the grid smarter, the critical SCADA infrastructure like power system is getting exposed to countless cyberattacks that necessitate the development of state-of-the-art intrusion detection systems (IDS) to provide comprehensive security solutions at different layers in the smart grid network. While considering the continuously evolving attack surfaces at physical, communication, and application layers, existing conventional IDS solutions are insufficient and incapable to resolve multi-dimensional cybersecurity threats because of their specific nature of the operation, either a data-centric or protocol-centric, to detect specific types of attacks. This chapter presents a hybrid intrusion detection system framework by integrating a network-based IDS, model-based IDS, and state-of-the-art machine learning-based IDS to detect unknown and stealthy cyberattacks targeting the SCADA networks. We have applied the cyber-kill model to develop and demonstrate attack vectors and their associated mechanisms. The hybrid IDS utilizes attack signatures in grid measurements and network packets as well as leverages secure phasor measurements to detect different stages of cyber-attacks while following the kill-chain process. As a proof of concept, we present the experimental case study in the context of centralized wide-area protection (CWAP) cybersecurity by utilizing resources of the PowerCyber testbed at Iowa State University (ISU). We also describe different classes of implemented cyber-attacks and generated heterogeneous datasets using the IEEE 39 bus system. Finally, the performance of the hybrid IDS is evaluated based in terms of detection rate in real-time cyber-physical environment.


This is a post-peer-review, pre-copyedit version of a chapter published as Singh, Vivek Kumar, and Manimaran Govindarasu. "Cyber Kill Chain-Based Hybrid Intrusion Detection System for Smart Grid." In: Haes Alhelou H., Abdelaziz A.Y., and Siano P. (eds.) Wide Area Power Systems Stability, Protection, and Security. (2021): 571-599. The final authenticated version is available online at DOI:10.1007/978-3-030-54275-7_22. Posted with permission.

Copyright Owner

The Editor(s) (if applicable) and The Author(s)



File Format


Available for download on Wednesday, September 22, 2021

Published Version