Critical infrastructures are the systems and networks that are so vital that their unavailability would have a major impact on national security, economy, safety, or any combination thereof. Examples of critical infrastructure are power systems, financial services, emergency services, health care, defense sector, and others. While these infrastructures are readily available, they are inherently vulnerable to attacks. New emerging threats have been highlighted in the recent literature with respect to critical infrastructures. Therefore, ensuring both accurate detection and robust deterrence is highly important for protecting these infrastructures from devastating, sophisticated, and evasive cyber and cyber-physical attacks. Deterrence is the ability to make intrusions very unlikely or highly expensive. However, the intrusion detection and deterrence techniques for critical infrastructure face many challenges. First, intrusion detection techniques should be real-time, accurate, robust against stealthy attacks, and economically feasible. Second, intrusion deterrence techniques should be unpredictable, computationally inexpensive, and effective against persistent attackers. In this thesis, we focus on intrusion detection and deterrence for energy delivery systems (EDS) of smart grids. This thesis has two key goals. The first goal is to develop real-time intrusion detection and robust deterrence techniques to protect EDS against stealthy attacks that can undermine the system's integrity. The second goal is to identify the limitations of existing intrusion detection techniques that allow for evasive attacks and develop techniques to reduce evasion margin for attackers. We, particularly, investigate advanced metering infrastructure (AMI) and automatic generation control (AGC) in the supervisory control and data acquisition network (SCADA) of smart grids. We show, based on statistical analysis of AMI and AGC operational data, that both AMI and AGC exhibit a predictable behavior that can be exploited to develop accurate and robust intrusion detection and deterrence techniques. First, we model AMI configuration specification using stochastic temporal properties that can be used to detect anomalous activities. As the AMI exhibits static behavior that can be exploited to launch mimicry and evasive attacks, we developed a new deterrence approach that randomizes the AMI configuration frequently to mislead attackers, without breaking the system operational integrity.Second, we address the AGC attacks that might result from manipulating sensor measurements that can bypass bad data detection algorithms. We developed a data-driven multi-tier intrusion detection technique for a single and multiple AGC, which exploits the temporal dependence of the measurements to identify potential anomalous behavior at real-time, and then incorporate system-wide knowledge through an offline process to reduce false positives. Last and third, we investigate the inherent limitations of existing intrusion detection systems against evasive attacks and developed a key-based deterrence approach to reduce the attack evasion margin by introducing a notion of randomized thresholds in intrusion detection systems.
