Information Flow Properties for Security in Cyber-Physical Systems
69
Information Flow Properties for Security in Cyber- Physical Systems Bruce McMillin, Ph.D., Sr. Member IEEE Dir Center for Information Assurance Department of Computer Science Missouri University of Science and Technology (Formerly the University of Missouri- Rolla) Rolla, MO 65409-0350 - USA
description
Information Flow Properties for Security in Cyber-Physical Systems. Bruce McMillin, Ph.D., Sr. Member IEEE Dir Center for Information Assurance Department of Computer Science Missouri University of Science and Technology (Formerly the University of Missouri-Rolla) - PowerPoint PPT Presentation
Transcript of Information Flow Properties for Security in Cyber-Physical Systems
Information Flow Properties for Security in Cyber-Physical Systems
Bruce McMillin, Ph.D., Sr. Member IEEEDir Center for Information Assurance
Department of Computer ScienceMissouri University of Science and
Technology(Formerly the University of Missouri-Rolla)
Rolla, MO 65409-0350 - USA(work done by Ravi Akella, Han Tang,
Thoshitha Gamage, and Tom Roth)
Introduction: Cyber-Physical System• Modern Infrastructures consist of Cyber and
Physical Components– Smart Houses, – Air Transport, – Vehicle Transport, – Smart Structures, – Oil and Gas Pipelines, – Distributed Energy Resources, …
• All have an inherent commonality – Physical Actions integrated with Computation.
• Cyber Physical Systems (CPSs) are integrations of computation with physical processes.– National Science Foundation (US)– Artemis (EU)
My topics for you today• Smart Grid – Smart Distribution/Green
Energy• CPS Flow Security Basics• Smart Grid Security
– Modeling and Analysis– Mitigation
Cyber-Enabled Smart Distribution
• Smart Grid – Automated Meter Reading (AMR)– Demand Side Management
• Centralized Supervisory Control And Data Acquisition (SCADA)
• Electric Utility Control
• Smart Grid Version 1 Source, Monitor Mapboard Systems
Scalability, fault management, security and privacy
Cyber-Enabled Smart Distribution Systems and Micro Grids
• Move away from Centralized SCADA– Distributed Control
• Advanced Power Electronics – Finer-grained control over physical entities– Schedulable entities
• Design Issues– Complex and unpredictable interactions between
the cyber and physical processes– Information flow across the cyber-physical
boundaries
Security and Privacy Would you sign up for a discount with your
power company in exchange for surrendering control of your thermostat? What if it means that, one day, your auto insurance company will know that you regularly arrive home on weekends at 2:15 a.m., just after the bars close? (MSNBC Red Tape Chronicles 2009)
Future Renewable Electric Energy Deliveryand Management (FREEDM) – NSF ERCAn efficient and revolutionary power grid utilizing revolutionary power electronics technology and information technologyDecentralized management integrating distributed and scalable alternative energy sources and storage with existing power systems
Shipping 250M pcs/yr. Ubiquitous ownership Ubiquitous use Ubiquitous sharing
Pre-1980s
Internet
Paradigm Shift
Distributed ComputingCentralized Mainframes
Innovation & Industry
Transformation
Ubiquitous sales Ubiquitous ownership Ubiquitous use Ubiquitous sharing
Today
Centralized Generation100+ year old technology
New energy companies based on IT and power
electronics technologies
Paradigm Shift
FREEDM System
Innovation & Industry
Transformation
Distributed RenewableEnergy Resources (DRER)New technologies
for distributed renewable energy
The FREEDM Concept – Smart Grid IDistribution
• Distributed Intelligence– People share
energy resources
– Neighborhood or industrial level
– Where is the centralized controller?
ESD
User Interface
Distributed Grid Intelligence (DGI)FREEDM
Substation
12kV
120 V
Market & Economics
69kV
IEM
AC
AC
IFM IFM
IFM
LOAD DRER DESD
IEM
AC
AC
LOAD DRER DESD
IEM
AC
AC
3Φ 480V
RSC
Legacy grid• IEM and IFM
nodes each run a portion of the DGI to manage their own resources
• Coordinate to control the whole as a Distributed Algorithm
IEM: Intelligent Energy Management IFM: Intelligent Fault Management DRER: Distributed Renewable Energy Resource DESD: Distributed Energy Storage Device
13
Schedulable Entity
….Advanced Power Electronics….The Solid State Transformer
Inside an IEM Node
• Solid State Transformer (SST)– Power Electronics– Schedulable Entity
SH5
SH7
SH6
SH8
S1
S3 S4
SH1
SH3 SH4
SH2 S2
Low Voltage H-Bridge
+
-+
-400V DC
High Frequency
Transformer
AC/DC Rectifier DC/DC Converter DC/AC Inverter
High Voltage H-Bridge
High voltage H-Bridge
12kVDC
7.2 kV AC
120V / 240V AC
LLs
Cs
CsLs
Port 1
Port 2
How to use it?
17
• Each FREEDM IEM node runs a portion of the DGI to manage its own resources
• Power Management– Load Balance DESD, DRER,
and LOAD– Control and react to the SST– Migrate power through the
Gateway that connects an SST to the system shared bus.
Distributed Grid Intelligence Within the Context of FREEDM
Distributed Power Balancing
• Correctness: Keep all IEM nodes’ “balanced” in terms of Supply and Demand and minimize energy cost
• Pass messages negotiating load changes until the system has stabilized
• Global optimization decomposed into individual processes that cooperate to meet the global correctness.
XActual = XLoad − XDRER
System Load State
XActual < 0 Low (Supply)
XActual > Threshold High (Demand)
0<=XActual <=Threshold Normal
19
DGI Power Balancing Algorithm
20
IEM 0
IEM 0 20.551 L
IEM 1 H
::IEM n H
IEM 1
IEM 0 N
IEM 1 32.834 H
::IEM n N
IEM n
IEM 0 N
IEM 1 H
::
IEM n 30.721 H
IEM 0
IEM 0 25.551 N
IEM 1 N
::IEM n H
IEM 1
IEM 0 N
IEM 1 27.834 N
::IEM n N
IEM n
IEM 0 L
IEM 1 H
::IEM n 30.721 H
I CAN SUPPLY
Migrate 1 quantum of Power per successful request
More Critical need
Lesser need
After Load Balancing
Optimality?
• G = Σ XActual = Σ XLoad,i - ΣXDRER,j
n, Local Load – m, Local Capacity
• Adding Costs– CostLow = 100 X∗ DRER + XDESD
• General Problem is to serve G while minimizing overall cost– Knapsack Problem– Pack a knapsack with m items each with cost, maximizing cost
subject to the constraints of supply and load.– NP Hard
Optimality?
• Least Cost Fractional Knapsack Algorithm– Given ε > 0, C = lowest cost resource, m sources, K = εC/m– For each source si, define cost’(si ) = floor (cost(si)/K)
– Add up to K entries of each source in increasing order of cost’ into the set S’ such that Σs in S’ cost’(s) ≤ Σ XLoad,i.
– Output S’, the least cost set.• Cost (S’) ≤ (1+ ε ) · OPT
23Test 203: 3-node migration
Test 203: Two IEM nodes supplying with cost function
IEM02 and IEM03 both migrate power to IEM01
Distributed Grid Intelligence• Distributed Long and Short Term Control• Distributed Systems Management
– Distributed Group Management– State Maintenance
• Simulation Architectures• Power Economics Models and Control• Fault Tolerance of Cyber-Physical system• Security – Confidentiality, Integrity, and Availability of
Cyber-Physical system• Resilience - Robust Distributed System
– Formal Correctness– Usability as an autonomous system
Motivation: Why is this a problem
2003 Midwest Blackout 2010 Stuxnet Worm Attack
• Caused by a cascading failure in power lines
• An estimated 50 million people affected by the outage lasting up to 4 days
• $4 – 10 billion economical loss in U.S. 0.7% gross production loss in Canada
• A Rootkit which injects a malicious controller program to PLCs
• Capable of manipulating cyber and physical components for its own purposes
• An estimated 100,000 hosts in over 30,000 organizations from over 155 countries affected
Formal Information Flow Theory
Modeling and Analysis
Access Control Flow-based Security• Restricts access to
information and resources
• Cannot restrict information propagation after read
• Access grants need to be given only to processes guaranteed not to leak confidential data [SM03]
• Restricts flow of information between partially ordered security clearances
• Prevent unintended high-level (secure/private) domain information disclosures to the low-level (open/public) domain
System Security: Primary Approaches
Cannot
identify such
processes
High-level Domain
Low-level Domain
Information Flow Models• FREEDM contains Power Electronics Devices that
perform physical actions that are observable• Cannot keep these secret – loss of confidentiality/privacy• Some other models
– Non-Interference• High-level events do not interfere with the low level
outputs– Non-Inference
• Removing high-level events leaves a valid system trace
– Non-Deducibility• Low-level observation is compatible with any of the
high-level inputs.
Microgrid ObservabilityFred and Barney
• Share Resources and Make a Profit
• Fred Gets Greedy– Stores wind energy and sells on
his own• Barney Gets Suspicious
– Observes Fred’s wind and power draw from utility
– If the wind isn’t blowing and Fred is selling to the grid, Fred is dishonest
– If the wind is blowing, Barney cannot deduce anything
(Formal) Information Flow Models
Information Flow Models
• A unified approach to deal with CPSs is necessary that can encompass the cyber and physical events
• We propose a process algebraic approach adopted to analyze the information flow in CPSs
• Security process algebra provides an abstract description for nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High)
• Using process algebra, bisimulation provides a formal method to determine nondeducibility.
Information Flow Security for CPSProcess Algebra Approach
A system E is BNDC if for every high level process ∏, a low level user cannot distinguish E from E|∏
E| ∏ : Parallel Composition of E1& ∏ where executions of the two systems are interleaved
Bisimulation-based NonDeducibility on Composition (BNDC)
Case Study: Gas Distribution Network
• Physical limitation
• Changes in one section of the pipeline is visible to others
Case Study: Gas Distribution Network
• LTC B changes flow
• Aggregated change of the system to re-stabilize
Val(fb) Val(fc) Val(fa)
0 0 0k 0 kk/2 0 k/20 k/2 k/2k k/2 3k/2k/2 k/2 k0 k kk k 2kk/2 k 3k/2
System based on partitions
High Level
Low Level
Communications
Uniform Semantic Representation
• SPA – Security Process Algebra• CoPS – Checker of Persistent Security
– BNDC– SBNDC
bi Action (Action1 | Action2)bi Action1 (A_Writes | C_Writes)\Lbi Action2 (B_Writes)\Lbi State (State_1 | State_2 | State_3 | State_4 | State_5 | State_6)\Lbi State_1 w_a.'val_1.State_1 + w_b.'val_2.State_1 + w_c.'val_2.State_1bi A_Writes change_a.'w_a.State
bi B_Writes change_b.'w_b.State
bi C_Writes change_c.'w_c.State//bi Stable NULL
basi Lw_a w_b w_c //values to be protected
basi Nval_1 val_2 val_3 //discrete values possible
acthchange_a change_b change_c //readings at cyber levelval_1 val_2 val_3
Protection of flow between A and B against C
Bisimulation oTwo processes are weakly bisimilar if they are able to mutually simulate their behavior step by step.
oIn a weak bisimilarity relation, internal silent actions (τ) between processes is ignored.
E1 and E2 are bisimilar and they both simulate E3
E3 is not bisimilar to E1
Strong BNDC (SBNDC)The system before and after execution of a high level event
remains indistinguishable to the low level domain
E
E’’\H
E’
E’\H
E’’h
Simplification of SBNDC: Bisimulation up to HThe problem of verifying weak bisimulation for all high level transitions of the system can be transformed into finding a bisimulation up to H relation
E E\H
Inherent ObfuscationElectrical Network
• Flow in a controllable circuit• Kirchhoff’s Laws
57
In a series connection network with only two(2) configurable units, placement of any number of observers preserves Nondeducibility.
58
A series circuit with n >= 2 configurable units is fully deducible, with a minimum of n distinct readings and n -1 observers
59
In a base parallel-connected circuit with two parallel resistors, any combination of two observers is sufficient to fully deduce the circuit
60
For a pure parallel circuit with n parallel resistors, a minimum of n “strategically located” observers are required to fully deduce the circuit.
`
Microgrid Observability
• “Dumb” System from an Observer is Nondeducibility Secure
• Dumb System from an External Observer is NOT Nondeducibility Secure (if we can see everything)
• Confidentiality with no DGI
• Power flow in the shared power bus is an invariant function of individual gateway loads of the participating nodes and the draw from or contribution to the utility grid
• Such a system can be defined as below:
• External observer with limited observability or with a few gateway readings cannot deduce operation (no DGI)
Low = {DRER}High = { , Load, XSST , , , Gateway}For any high level process Π, say, XSST .Gateway or . XSST
(NodenoDGI |Π)\H ≡ {DRER}
NodenoDGI \H ≈B (NodenoDGI |Π) \H ∀ Π ∈ E.
DRER DESD LoadDESD
• External observer with total observation of gateways can deduce operation.– Using the invariance relation on
the bus
• DGI system secure with respect to an Observer without DGI
• The DGI algorithm can be represented in SPA as:
• The IEM with DGI
Power shared between 1 and 2 due to DGI algorithm
SBNDC for FREEDMThe system before and after execution of a high level event
remains indistinguishable to the low level domain
E
E’’\H
E’
E’\H
E’’h
SBNDC for FREEDMo Such processes can be
modified to satisfy SBNDC by inserting a complementary High level output, to make an internal action (τ) that is not observable
o Such compensating events hide the physically observable effects
d
d
• Observer with DGI is not non-deducibility secure– Demand
• Trace the load table within the DGI - refusals
– Supply• Knows about
nodes in Demand state
Confidentiality with DGI
• Malicious DGI process– Manipulates load table to
ascertain other DGI states
• IEM03’s observer deduces IEM01 is in a demand state
• IEM01’s observer can deduce that IEM02 and later, IEM03 are in a supply state.
Threats to DGI
Execution Monitoring
Mitigation
Confidentiality Violation
Confidentiality: Preventing unauthorized access or/and disclosure of protected resources
Confidentiality Violation• Sequence of Actions
• What Low-level users should see
• What they actually see
Event
Confidentiality
Violated
Solution: What is required• A security mechanism that can,
– Execution Monitoring: Monitor execution steps of the target system during runtime and detect security property violations
– Safety Property: Able to identify action(s) causing the violation
– Event Compensation: Able to calculate corrective actions that can maintain functional integrity
– Emulation and Enforcement: Able to execute corrective actions in a timely coordinated manner
• Encode and capture system semantics to a security model– Account for cyber-physical interactions
EM Enforceable Security • Alpern-Schneider Framework: Every system property is
either a Safety or a Liveness property or the intersection [AS84]
• Safety: Nothing bad happens during execution
• Only safety properties can be EM enforced [Sc00]• Enforced using a security automata
– Terminate execution upon detecting a violation
But……• Information Flow Security Properties are,
– Not Safety Properties; sets of execution sets [Mc94]
– Decision to terminate can not be based on a single execution
– Cannot be enforced using Schneider’s security automata
Existing EM enforceable mechanisms need to be extended
• Restore the system back to a previous safe state– Cannot reverse a physical consequence of a
cyber action• Insert new actions to correct the violation
– Correct the violation while maintaining the functional integrity
What to do when a violation is detected?
Event Compensation• Insert corrective actions at the point where an execution
violates a given security property– This model considers Nondeducibility security
• Formalize this concept as information flow safe state transitions
• Research Contributions– EM Security Automata [Sc00] + IFP + Edit Automata
[LBW05] + Emulator [NW06] = Compensate Automata– Maintain functional integrity while preserving IFPs– Capture cyber-physical interaction as system semantics
Compensating Couple• Two compensating commands appended to an existing
information flow safe sequence– Existing Trace: – Compensating Couple: – Extended Trace
• Generalization– Compensating sequence:
• Compensated State Sequence
• Rearranged Action SequenceCoordinated High-level Actions
• Compensating Coupleo Both commands issued by
high-level domain userso Obfuscate observable
effects in the low-level domain
Stuxnet – Rearranges the
action sequence so the operator a DGIc
– never sees anything
• Traces
• Low-level projections
• Compensated projection
• Compensating Couple
Obfuscation by Compensation
Formal Model: Compensation Automata
Period of Vulnerability System exhibits vulnerability
to information flow safety during transition
This period can be minimized by cyber level synchronization
Time Domain Response
• Security Issues for Cyber and Physical Systems– Distributed “Smart Grid”– Confidentiality and Privacy – Formal Models –
• non-deducibility• compensation
• Consumer Acceptance and Usage– Social Science
AcknowledgementsThis work was supported in part by the Future Renewable Electric Energy
Distribution Management Center; a National Science Foundation supported Engineering Research Center, under grant NSF EEC-0812121 and NSF CSR award CCF-0614633 and the Missouri S&T Intelligent Systems Center.
Wrap Up
Read more about it
• FREEDM (freedm.ncsu.edu) A. Huang, “Renewable energy system research and education at the NSF FREEDM systems center,” in Power & Energy Society General Meeting, 2009. PES '09. IEEE, July 2009, pp. 1–6.
• Cascading failures and FACTS (filpower.mst.edu) K. Wang, M. Crow, B. McMillin, and S. Atcitty, “A novel real-time approach to unified power flow controller validation,” Power Systems, IEEE Transactions on, vol. 25, no. 4, pp. 1892 –1901, Nov. 2010.
• Information Flow and Verification: R. Akella, H. Tang, and B. McMillin, “Analysis of information flow security in cyber-physical systems,” International Journal of Critical Infrastructure Protection, vol. 3-4, pp. 157–173, December 2010.
• R. Akella and B. McMillin, “Information flow analysis of energy management in a smart grid,” in Proc. of the Int'l Conf. on Computer Safety, Reliability and Security (SAFECOMP'10). Springer-Verlag, Berlin, Heidelberg, September 2010, pp. 263–276.
