Dynamic Bayesian Networks for the Detection and Analysis of Cyber Attacks to Power Systems
Cerotti, Davide (first author); Savarro, Davide; Codetta Raiteri, Daniele; Egidi, Lavinia; Franceschinis, Giuliana; Portinale, Luigi; Terruggia, Roberta
2025-01-01
Abstract
The growing decentralization of electro-energetic infrastructures and the consequent need for remote monitoring of bidirectional power flows have expanded the attack surface of modern Cyber Physical Power Systems (CPPSs), exposing them to more sophisticated cyber threats. This work proposes a cyberattack modeling and detection framework based on Dynamic Bayesian Networks (DBNs) to model and analyze causal dependencies between attack steps and detection analytics in power systems. We extend classical attack graph models by incorporating MITRE ATT&CK techniques and we present how this formalism can be converted into the corresponding DBN, enabling both predictive and diagnostic inference. To achieve real-time applicability, we analyze the Boyen–Koller (BK) approximate inference algorithm under multiple clustering strategies, including a heuristic configuration (CL) and a fully factorized baseline (FF), comparing them to exact inference (EX). Our evaluation, performed across simulated attack scenarios, with and without monitoring evidence, examines tradeoffs between inference accuracy and computational efficiency using Kullback–Leibler divergence, computation time and memory utilization metrics. Experimental results show that the CL configuration consistently achieves the lowest approximation error (KL divergence below 1.25 × 10⁻⁴ of the exact solution), while the FF clustering maintains comparable accuracy (within 2 × 10⁻² divergence) when performing inference on the target variable ("UnstablePS") in scenarios without evidence. In terms of resource consumption, both CL and FF configurations reduce average computation time by an order of magnitude (0.03 s per slice vs. 0.22 s for exact inference) and memory usage by more than 95% (tens of MB vs. several GB), making them both a practical and scalable option for real-time cybersecurity inference in critical energy infrastructures.

| File | Size | Format |
|---|---|---|
| Dynamic_Bayesian_Networks_for_the_Detection_and_Analysis_of_Cyber_Attacks_to_Power_Systems.pdf (open access file; Type: Publisher's Version (PDF); License: Creative Commons) | 1.62 MB | Adobe PDF |