Information Flow Properties for Security in Cyber- Physical Systems Bruce McMillin, Ph.D., Sr....
Information Flow Properties for Security in Cyber-Physical Systems
Bruce McMillin, Ph.D., Sr. Member IEEE, Dir. Center for Information Assurance
Department of Computer Science, Missouri University of Science and Technology (formerly the University of Missouri-Rolla)
Rolla, MO 65409-0350, USA
(work done by Ravi Akella, Han Tang, Thoshitha Gamage, and Tom Roth)
Introduction: Cyber-Physical Systems
• Modern infrastructures consist of cyber and physical components
  – Smart houses, air transport, vehicle transport, smart structures, oil and gas pipelines, distributed energy resources, …
• All have an inherent commonality: physical actions integrated with computation.
• Cyber-Physical Systems (CPSs) are integrations of computation with physical processes.
  – National Science Foundation (US)
  – Artemis (EU)
My topics for you today
• Smart Grid – smart distribution / green energy
• CPS flow security basics
• Smart Grid security
  – Modeling and analysis
  – Mitigation
Cyber-Enabled Smart Distribution
• Smart Grid
  – Automated Meter Reading (AMR)
  – Demand side management
• Centralized Supervisory Control And Data Acquisition (SCADA)
• Electric utility control
• Smart Grid version 1: source, monitor, mapboard systems
• Scalability, fault management, security and privacy
Cyber-Enabled Smart Distribution Systems and Micro Grids
• Move away from centralized SCADA
  – Distributed control
• Advanced power electronics
  – Finer-grained control over physical entities
  – Schedulable entities
• Design issues
  – Complex and unpredictable interactions between the cyber and physical processes
  – Information flow across the cyber-physical boundaries
Security and Privacy
Would you sign up for a discount with your power company in exchange for surrendering control of your thermostat? What if it means that, one day, your auto insurance company will know that you regularly arrive home on weekends at 2:15 a.m., just after the bars close? (MSNBC Red Tape Chronicles 2009)
Future Renewable Electric Energy Delivery and Management (FREEDM) – NSF ERC
An efficient and revolutionary power grid utilizing revolutionary power electronics technology and information technology. Decentralized management integrating distributed and scalable alternative energy sources and storage with existing power systems.
Figure: paradigm shift in computing. Pre-1980s centralized mainframes gave way to Internet-era distributed computing (shipping 250M PCs/yr; ubiquitous ownership, use and sharing), driving innovation and industry transformation.
Figure: the same paradigm shift for energy. Today's centralized generation (100+ year old technology) gives way to the FREEDM system of Distributed Renewable Energy Resources (DRER): new technologies for distributed renewable energy and new energy companies based on IT and power electronics technologies (ubiquitous sales, ownership, use and sharing), driving innovation and industry transformation.
The FREEDM Concept – Smart Grid I Distribution
• Distributed intelligence
  – People share energy resources
  – Neighborhood or industrial level
  – Where is the centralized controller?
Figure: FREEDM Distributed Grid Intelligence (DGI) architecture diagram (labels: legacy grid at 69 kV, FREEDM substation at 12 kV, 3Φ 480 V shared bus, IEM nodes with AC/AC stages feeding LOAD, DRER and DESD at 120 V, IFM nodes, RSC, ESD, user interface, market & economics).
• IEM and IFM nodes each run a portion of the DGI to manage their own resources
• Coordinate to control the whole as a distributed algorithm
IEM: Intelligent Energy Management; IFM: Intelligent Fault Management
DRER: Distributed Renewable Energy Resource; DESD: Distributed Energy Storage Device
Schedulable Entity
….Advanced Power Electronics….
The Solid State Transformer
Inside an IEM Node
• Solid State Transformer (SST)
  – Power electronics
  – Schedulable entity
Figure: SST schematic. 7.2 kV AC enters an AC/DC rectifier (high-voltage H-bridge, switches SH1–SH8) producing 12 kV DC; a DC/DC converter with a high-frequency transformer (Ls and Cs) yields 400 V DC; a DC/AC inverter (low-voltage H-bridge, switches S1–S4) outputs 120 V / 240 V AC on ports 1 and 2.
How to use it?
Distributed Grid Intelligence Within the Context of FREEDM
• Each FREEDM IEM node runs a portion of the DGI to manage its own resources
• Power management
  – Load balance DESD, DRER, and LOAD
  – Control and react to the SST
  – Migrate power through the gateway that connects an SST to the system shared bus
Distributed Power Balancing
• Correctness: keep all IEM nodes "balanced" in terms of supply and demand and minimize energy cost
• Pass messages negotiating load changes until the system has stabilized
• Global optimization decomposed into individual processes that cooperate to meet the global correctness.

XActual = XLoad − XDRER

  System Load                  State
  XActual < 0                  Low (Supply)
  XActual > Threshold          High (Demand)
  0 ≤ XActual ≤ Threshold      Normal
DGI Power Balancing Algorithm
Figure: the load table held by each IEM node before and after load balancing. Each table lists every node's state (L = Low/Supply, H = High/Demand, N = Normal) alongside the owning node's own XActual value (for example IEM 0 at 20.551 L and IEM 1 at 32.834 H before balancing; 25.551 N and 27.834 N after). A node in the Supply state answers a request with "I CAN SUPPLY"; one quantum of power is migrated per successful request, and the more critical need is served before the lesser need.
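The slides above describe the balancing negotiation in words; the following is an added simulation of it (my code, not the FREEDM DGI implementation). It assumes a Threshold of 10 and a migration quantum of 1 in the units of XLoad and XDRER (the deck names both but gives no values), tracks each node's XActual and state exactly as the table on the previous slide defines them, and serves the most critical High node first from the Low node with the largest surplus. The example deliberately runs supply out before all demand is met, which is the stabilized-but-unbalanced case the termination condition must handle.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed parameters (the deck names a Threshold and a "quantum" but gives no values).
THRESHOLD = 10.0   # width of the Normal band, in the units of XLoad / XDRER
QUANTUM = 1.0      # power migrated per successful request


@dataclass
class IEMNode:
    name: str
    x_load: float           # local load
    x_drer: float           # local renewable generation
    gateway: float = 0.0    # power migrated in (+) or out (-) through the SST gateway

    @property
    def x_actual(self) -> float:
        # XActual = XLoad - XDRER, net of what has already been migrated through the gateway
        return self.x_load - self.x_drer - self.gateway

    @property
    def state(self) -> str:
        x = self.x_actual
        if x < 0:
            return "Low"            # supply: more generation than load
        if x > THRESHOLD:
            return "High"           # demand: load exceeds the threshold
        return "Normal"


def load_table(nodes: List[IEMNode]) -> Dict[str, str]:
    """The state column of the load table every DGI node maintains (L/H/N on the slides)."""
    return {n.name: n.state for n in nodes}


def balance(nodes: List[IEMNode], max_rounds: int = 10_000) -> int:
    """Negotiate load changes by message passing until the system stabilizes.

    Each round the most critical High node issues a request; a Low node answers
    'I CAN SUPPLY' and one quantum migrates. The loop stops when no (High, Low) pair
    remains, so unmet demand can persist once supply runs out. Returns the number of
    successful migrations."""
    migrations = 0
    for _ in range(max_rounds):
        demand = [n for n in nodes if n.state == "High"]
        supply = [n for n in nodes if n.state == "Low"]
        if not demand or not supply:
            break                                           # stabilized
        requester = max(demand, key=lambda n: n.x_actual)   # more critical need first
        supplier = min(supply, key=lambda n: n.x_actual)    # largest surplus answers
        supplier.gateway -= QUANTUM                         # supplier exports one quantum
        requester.gateway += QUANTUM                        # requester imports it
        migrations += 1
    return migrations


def demo():
    # Constructed sample: one supply node, one demand node, one normal node.
    nodes = [IEMNode("IEM0", x_load=20.0, x_drer=40.0),   # surplus of 20: Low
             IEMNode("IEM1", x_load=32.0, x_drer=0.0),    # deficit of 32: High
             IEMNode("IEM2", x_load=5.0, x_drer=0.0)]     # within the band: Normal
    before = load_table(nodes)
    moved = balance(nodes)
    after = load_table(nodes)
    return before, moved, after, {n.name: n.x_actual for n in nodes}


if __name__ == "__main__":
    print(demo())
```

In the sample run IEM0 exports 20 quanta and reaches XActual = 0 (Normal), at which point no supplier is left and IEM1 settles at XActual = 12, still High: the negotiation terminates without violating the correctness condition, but the residual demand is visible in the load table, which is exactly the state information the confidentiality analysis later in the deck is concerned with.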
Optimality?
• G = Σ XActual = Σ_i XLoad,i − Σ_j XDRER,j   (i over the n local loads, j over the m local capacity sources)
• Adding costs
  – CostLow = 100 · XDRER + XDESD
• General problem is to serve G while minimizing overall cost
  – Knapsack problem
  – Pack a knapsack with m items each with cost, maximizing cost subject to the constraints of supply and load.
  – NP-hard
Optimality?
• Least-cost fractional knapsack algorithm
  – Given ε > 0, C = lowest cost resource, m sources, K = εC/m
  – For each source si, define cost'(si) = ⌊cost(si)/K⌋
  – Add up to K entries of each source in increasing order of cost' into the set S' such that Σ_{s ∈ S'} cost'(s) ≤ Σ XLoad,i
  – Output S', the least-cost set.
• Cost(S') ≤ (1 + ε) · OPT
Test 203: 3-node migration
Test 203: two IEM nodes supplying with cost function
IEM02 and IEM03 both migrate power to IEM01
Distributed Grid Intelligence
• Distributed long- and short-term control
• Distributed systems management
  – Distributed group management
  – State maintenance
• Simulation architectures
• Power economics models and control
• Fault tolerance of the cyber-physical system
• Security – confidentiality, integrity, and availability of the cyber-physical system
• Resilience – robust distributed system
  – Formal correctness
  – Usability as an autonomous system
Motivation: Why is this a problem?
2003 Midwest Blackout
• Caused by a cascading failure in power lines
• An estimated 50 million people affected by the outage lasting up to 4 days
• $4–10 billion economic loss in the U.S.; 0.7% gross production loss in Canada
2010 Stuxnet Worm Attack
• A rootkit which injects a malicious controller program into PLCs
• Capable of manipulating cyber and physical components for its own purposes
• An estimated 100,000 hosts in over 30,000 organizations from over 155 countries affected
Formal Information Flow Theory
Modeling and Analysis
System Security: Primary Approaches
Access Control
• Restricts access to information and resources
• Cannot restrict information propagation after read
• Access grants need to be given only to processes guaranteed not to leak confidential data [SM03] – but such processes cannot be identified
Flow-based Security
• Restricts flow of information between partially ordered security clearances
• Prevent unintended high-level (secure/private) domain information disclosures to the low-level (open/public) domain
Figure: high-level domain above the low-level domain.
Information Flow Models
• FREEDM contains power electronics devices that perform physical actions that are observable
• Cannot keep these secret – loss of confidentiality/privacy
• Some other models
  – Non-Interference: high-level events do not interfere with the low-level outputs
  – Non-Inference: removing high-level events leaves a valid system trace
  – Non-Deducibility: low-level observation is compatible with any of the high-level inputs.
Microgrid Observability: Fred and Barney
• Share resources and make a profit
• Fred gets greedy
  – Stores wind energy and sells on his own
• Barney gets suspicious
  – Observes Fred's wind and power draw from the utility
  – If the wind isn't blowing and Fred is selling to the grid, Fred is dishonest
  – If the wind is blowing, Barney cannot deduce anything
(Formal) Information Flow Models
Information Flow Security for CPS: Process Algebra Approach
• A unified approach to deal with CPSs is necessary that can encompass the cyber and physical events
• We propose a process algebraic approach adopted to analyze the information flow in CPSs
• Security process algebra provides an abstract description for nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High)
• Using process algebra, bisimulation provides a formal method to determine nondeducibility.
Bisimulation-based NonDeducibility on Composition (BNDC)
A system E is BNDC if for every high-level process Π, a low-level user cannot distinguish E from E | Π.
E | Π: parallel composition of E and Π, where executions of the two systems are interleaved.
Case Study: Gas Distribution Network
• Physical limitation
• Changes in one section of the pipeline are visible to others
Case Study: Gas Distribution Network
• LTC B changes flow
• Aggregated change of the system to re-stabilize
![Page 34: Information Flow Properties for Security in Cyber- Physical Systems Bruce McMillin, Ph.D., Sr. Member IEEE Dir Center for Information Assurance Department.](https://reader035.fdocuments.us/reader035/viewer/2022062718/56649e875503460f94b8ac8c/html5/thumbnails/34.jpg)
  Val(fb)   Val(fc)   Val(fa)
  0         0         0
  k         0         k
  k/2       0         k/2
  0         k/2       k/2
  k         k/2       3k/2
  k/2       k/2       k
  0         k         k
  k         k         2k
  k/2       k         3k/2
(in every row Val(fa) = Val(fb) + Val(fc))
System based on partitions
Figure: the system partitioned into a high-level domain and a low-level domain, with communications between them.
Uniform Semantic Representation
• SPA – Security Process Algebra
• CoPS – Checker of Persistent Security
  – BNDC
  – SBNDC
bi Action
  (Action1 | Action2)
bi Action1
  (A_Writes | C_Writes)\L
bi Action2
  (B_Writes)\L
bi State
  (State_1 | State_2 | State_3 | State_4 | State_5 | State_6)\L
bi State_1
  w_a.'val_1.State_1 + w_b.'val_2.State_1 + w_c.'val_2.State_1
bi A_Writes
  change_a.'w_a.State
bi B_Writes
  change_b.'w_b.State
bi C_Writes
  change_c.'w_c.State
//bi Stable NULL
basi L
  w_a w_b w_c //values to be protected
basi N
  val_1 val_2 val_3 //discrete values possible
acth
  change_a change_b change_c //readings at cyber level
  val_1 val_2 val_3
Protection of flow between A and B against C
![Page 39: Information Flow Properties for Security in Cyber- Physical Systems Bruce McMillin, Ph.D., Sr. Member IEEE Dir Center for Information Assurance Department.](https://reader035.fdocuments.us/reader035/viewer/2022062718/56649e875503460f94b8ac8c/html5/thumbnails/39.jpg)
Bisimulation
o Two processes are weakly bisimilar if they are able to mutually simulate their behavior step by step.
o In a weak bisimilarity relation, internal silent actions (τ) between processes are ignored.
Figure: E1 and E2 are bisimilar and they both simulate E3; E3 is not bisimilar to E1.
Strong BNDC (SBNDC)
The system before and after execution of a high-level event remains indistinguishable to the low-level domain.
Figure: for every state E' reachable from E and every high-level transition E' -h-> E'', the restricted processes E'\H and E''\H must be weakly bisimilar.
Simplification of SBNDC: Bisimulation up to H
The problem of verifying weak bisimulation for all high-level transitions of the system can be transformed into finding a bisimulation-up-to-H relation between E and E\H.
Inherent Obfuscation: Electrical Network
• Flow in a controllable circuit
• Kirchhoff's laws
In a series connection network with only two(2) configurable units, placement of any number of observers preserves Nondeducibility.
A series circuit with n ≥ 2 configurable units is fully deducible, with a minimum of n distinct readings and n − 1 observers.
In a base parallel-connected circuit with two parallel resistors, any combination of two observers is sufficient to fully deduce the circuit
For a pure parallel circuit with n parallel resistors, a minimum of n “strategically located” observers are required to fully deduce the circuit.
Microgrid Observability
• “Dumb” System from an Observer is Nondeducibility Secure
• Dumb System from an External Observer is NOT Nondeducibility Secure (if we can see everything)
• Confidentiality with no DGI
• Power flow in the shared power bus is an invariant function of individual gateway loads of the participating nodes and the draw from or contribution to the utility grid
• Such a system can be defined as below:
• External observer with limited observability or with a few gateway readings cannot deduce operation (no DGI)
  Low = {DRER}, High = {DESD, Load, XSST, Gateway}
  For any high-level process Π, say XSST.Gateway or DESD.XSST:
  (NodenoDGI | Π)\H ≡ {DRER}
  NodenoDGI\H ≈B (NodenoDGI | Π)\H  ∀ Π ∈ E
• External observer with total observation of gateways can deduce operation
  – Using the invariance relation on the bus
• DGI system secure with respect to an observer without DGI
• The DGI algorithm can be represented in SPA as:
• The IEM with DGI
Figure: power shared between nodes 1 and 2 due to the DGI algorithm.
SBNDC for FREEDM
The system before and after execution of a high-level event remains indistinguishable to the low-level domain.
Figure: for every state E' reachable from E and every high-level transition E' -h-> E'', the restricted processes E'\H and E''\H must be weakly bisimilar.
SBNDC for FREEDM
o Such processes can be modified to satisfy SBNDC by inserting a complementary high-level output, to make an internal action (τ) that is not observable
o Such compensating events hide the physically observable effects
Confidentiality with DGI
• Observer with DGI is not non-deducibility secure
  – Demand
    • Trace the load table within the DGI – refusals
  – Supply
    • Knows about nodes in Demand state
Threats to DGI
• Malicious DGI process
  – Manipulates load table to ascertain other DGI states
• IEM03's observer deduces IEM01 is in a demand state
• IEM01's observer can deduce that IEM02 and later, IEM03 are in a supply state.
Execution Monitoring
Mitigation
Confidentiality Violation
Confidentiality: Preventing unauthorized access or/and disclosure of protected resources
Confidentiality Violation
• Sequence of actions
• What low-level users should see
• What they actually see
Figure: event trace with the point at which confidentiality is violated marked.
Solution: What is required
• A security mechanism that can:
  – Execution monitoring: monitor execution steps of the target system during runtime and detect security property violations
  – Safety property: able to identify action(s) causing the violation
  – Event compensation: able to calculate corrective actions that can maintain functional integrity
  – Emulation and enforcement: able to execute corrective actions in a timely coordinated manner
• Encode and capture system semantics to a security model
  – Account for cyber-physical interactions
EM Enforceable Security
• Alpern-Schneider framework: every system property is either a safety or a liveness property or the intersection [AS84]
• Safety: nothing bad happens during execution
• Only safety properties can be EM enforced [Sc00]
• Enforced using a security automaton
  – Terminate execution upon detecting a violation
But……
• Information flow security properties are:
  – Not safety properties; sets of execution sets [Mc94]
  – Decision to terminate cannot be based on a single execution
  – Cannot be enforced using Schneider's security automata
Existing EM enforceable mechanisms need to be extended
• Restore the system back to a previous safe state– Cannot reverse a physical consequence of a
cyber action• Insert new actions to correct the violation
– Correct the violation while maintaining the functional integrity
What to do when a violation is detected?
Page 62: Event Compensation
• Insert corrective actions at the point where an execution violates a given security property
– This model considers Nondeducibility security
• Formalize this concept as information flow safe state transitions
• Research Contributions
– EM Security Automata [Sc00] + IFP + Edit Automata [LBW05] + Emulator [NW06] = Compensate Automata
– Maintain functional integrity while preserving IFPs
– Capture cyber-physical interaction as system semantics
Page 63: Compensating Couple
• Two compensating commands appended to an existing information flow safe sequence
– Existing Trace:
– Compensating Couple:
– Extended Trace:
• Generalization
– Compensating sequence:
• Compensated State Sequence
Page 64: Coordinated High-level Actions
• Rearranged Action Sequence
• Compensating Couple
o Both commands issued by high-level domain users
o Obfuscate observable effects in the low-level domain
• Stuxnet: rearranges the action sequence so the operator never sees anything
Page 65: Obfuscation by Compensation
• Traces
• Low-level projections
• Compensated projection
• Compensating Couple
Page 66: Formal Model: Compensation Automata
Period of Vulnerability: the system exhibits vulnerability to information flow safety during the transition.
This period can be minimized by cyber-level synchronization.
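As an added illustration (not from the slides), a small Python model of the compensation idea on Pages 63 to 66: nondeducibility is checked over a set of traces rather than a single execution, a compensating couple of high-level commands appended before the next low-level read restores the low projection, and a read that lands inside the period of vulnerability still reveals the high action. The command names, the single observable reading and its deltas are constructed for the example and are not the deck's formal model.

```python
from itertools import product

# Constructed model of the slides' setting: high-level (H) commands change one
# low-observable quantity (a hypothetical line-flow reading); the low-level (L)
# domain learns that quantity only when it issues a read.
H, L = "high", "low"
READ = (L, "read", 0)
IDLE = (H, "idle", 0)
GEN_UP_A = (H, "gen_up_A", +10)
# Compensating couple (constructed): two high commands whose combined effect
# cancels gen_up_A on the observable, so the low projection is unchanged.
COUPLE = [(H, "gen_down_A", -15), (H, "gen_up_B", +5)]

def run(trace):
    """Replay a trace and return its (high projection, low projection)."""
    reading, high, low = 0, [], []
    for level, cmd, delta in trace:
        reading += delta
        if level == H:
            high.append(cmd)
        else:
            low.append(reading)  # the low domain sees only the reading at a read
    return tuple(high), tuple(low)

def nondeducible(traces):
    """Sutherland nondeducibility over a finite trace set: for every pair
    (t1, t2) some trace t3 must pair t1's low view with t2's high behaviour.
    It is a predicate on the set, not on any single trace, which is why a
    per-trace security automaton cannot decide it."""
    views = [run(t) for t in traces]
    return all(any(h3 == h2 and l3 == l1 for h3, l3 in views)
               for (_, l1), (h2, _) in product(views, views))

def compensate(trace, couple):
    """Event compensation: insert the couple right after the first high
    command (the point of violation) and before the next low read."""
    first_high = next(i for i, ev in enumerate(trace) if ev[0] == H)
    return trace[:first_high + 1] + list(couple) + trace[first_high + 1:]

# Uncompensated: the reading reveals whether gen_up_A was issued.
UNCOMPENSATED = [[GEN_UP_A, READ], [IDLE, READ]]
# Compensated: the couple restores the observable before the read.
COMPENSATED = [compensate(UNCOMPENSATED[0], COUPLE), UNCOMPENSATED[1]]
# A read inside the period of vulnerability (before the couple is applied)
# still deduces the high action; synchronization would close that window.
EXPOSED = [[GEN_UP_A, READ] + COUPLE + [READ], [IDLE, READ, READ]]

if __name__ == "__main__":
    print(nondeducible(UNCOMPENSATED), nondeducible(COMPENSATED),
          nondeducible(EXPOSED))  # -> False True False
```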
Page 67: Time Domain Response
Page 68: Wrap Up
• Security Issues for Cyber and Physical Systems
– Distributed “Smart Grid”
– Confidentiality and Privacy
– Formal Models
• non-deducibility
• compensation
• Consumer Acceptance and Usage
– Social Science
Acknowledgements
This work was supported in part by the Future Renewable Electric Energy Distribution Management Center, a National Science Foundation supported Engineering Research Center, under grant NSF EEC-0812121 and NSF CSR award CCF-0614633, and by the Missouri S&T Intelligent Systems Center.
Page 69: Read more about it
• FREEDM (freedm.ncsu.edu): A. Huang, “Renewable energy system research and education at the NSF FREEDM systems center,” in IEEE Power & Energy Society General Meeting (PES '09), July 2009, pp. 1–6.
• Cascading failures and FACTS (filpower.mst.edu): K. Wang, M. Crow, B. McMillin, and S. Atcitty, “A novel real-time approach to unified power flow controller validation,” IEEE Transactions on Power Systems, vol. 25, no. 4, pp. 1892–1901, Nov. 2010.
• Information Flow and Verification: R. Akella, H. Tang, and B. McMillin, “Analysis of information flow security in cyber-physical systems,” International Journal of Critical Infrastructure Protection, vol. 3-4, pp. 157–173, December 2010.
• R. Akella and B. McMillin, “Information flow analysis of energy management in a smart grid,” in Proc. of the Int'l Conf. on Computer Safety, Reliability and Security (SAFECOMP'10), Springer-Verlag, Berlin, Heidelberg, September 2010, pp. 263–276.