Physics-Based Attack Detection and Countermeasures in...

KTH ROYAL INSTITUTE OF TECHNOLOGY Physics-Based Attack Detection and Countermeasures in Control Systems Henrik Sandberg Department of Automatic Control KTH, Stockholm, Sweden


Page 1: Physics-Based Attack Detection and Countermeasures in ...hsan/presentation_files/4SICS-Sandberg.pdf · Physics-Based Attack Detection and Countermeasures in Control Systems What can

KTH ROYAL INSTITUTE OF TECHNOLOGY

Physics-Based Attack Detection and Countermeasures in Control Systems

Henrik Sandberg, Department of Automatic Control, KTH, Stockholm, Sweden

Page 2:

In Collaboration With…

KTH and CERCES: György Dán, Ragnar Thobaben, Mads Dam, Kaveh Paridari, Jezdimir Milošević, David Umsonst, Karl Henrik Johansson

Delft University of Technology: André M.H. Teixeira

University of Texas at Dallas: Alvaro A. Cárdenas, and co-workers

SPARKS (EU FP7): AIT, UTRC, and EMC Corporation

Page 3:

Industrial Control System (ICS) under Attack

[Cardenas et al., Hotsec ‘08]

[Urbina et al., CCS ‘16]

IT perspective:

Control perspective:

Page 4:

Example: Stealthy Water Tank Attack

2 hacked actuators ($u_1$ and $u_2$)

2 healthy sensors ($y_1$ and $y_2$)

Can the controller/detector always detect the attack?

[Teixeira et al., HiCoNS ‘12]

Page 5:

Example: Stealthy Water Tank Attack [Movie]


[Teixeira et al., HiCoNS ‘12]

Page 6:

Example: Stealthy Water Tank Attack

2 hacked actuators ($u_1$ and $u_2$)

2 healthy sensors ($y_1$ and $y_2$)

Can the controller/detector always detect the attack?

Not against an adversary with physics knowledge

⇒ Undetectable attack (zero-dynamics attack)

[Teixeira et al., HiCoNS ‘12]

Page 7:

Physics-Based Anomaly Detection

• Physics-based anomaly detectors work for
  • Randomly failing components [safety]; and
  • Physics-unaware adversaries [security]
• But example illustrates sensitivity to adversaries with
  • Physical process knowledge; and ability to stage coordinated (time & space) data corruption [security]
• Quantify performance of and compare different detectors?

[Urbina et al., CCS ‘16]

Page 8:

New Performance Metric for ICS Anomaly Detection


[Urbina et al., CCS ‘16]

Page 9:

Power System Example

Mean time between false alarms (No attack and no component failure, caused by “normal” process and sensor noise)

[Umsonst et al., submitted ‘16]

The better detector

Page 10:

Physics-Based Attack Detection and Countermeasures in Control Systems

What can we do in real time about the attacks and faults we can detect using the anomaly detector?

I.e., what about the countermeasures (=reconfiguration)?

Example next…

Page 11:

A Test-bed and Case Study: NIMBUS Microgrid, Cork, Ireland

Electrical components

• 10kW wind turbine
• 35kWh (85kW peak) Li-Ion battery
• 50kW electrical/82kW thermal combined heat and power unit (CHP) and
• Feeder management relay to manage the point of coupling between the microgrid and the rest of the building, and a set of local loads.
• Battery and wind turbine interfaced through power electronics converters
• CHP with synchronous machine

IT System

• Interlinked Building Management System and Microgrid SCADA
• Three-layer control systems
  • UTRC Middleware
  • Supervisory system (control and optimization)
  • Power system control and coordination

[Figure: schematic of the NIMBUS test-bed, showing energy pricing and weather forecast inputs, the middleware, external building loads, the utility grid, the electrical microgrid (wind turbine, battery with converter, CHP, FMR) and the thermal system (boilers, thermal store, radiators), with the sensor and set-point signals exchanged with the supervisory control of microgrid and heating.]

Page 12:

Attack Scenario

Adversary: Infect some field devices with malware (à la Stuxnet) corrupting measurements sent to PLCs (Here: 𝐴𝑇1 and 𝐴𝑇2)

Defender: Access to remote correlated measurements and a physical model (here temp. measurements and modeling by system identification)

In collaboration with UTRC and EMC Corporation (Ireland) [Paridari et al., ICCPS ‘16]

Page 13:

Resilient Monitoring and Control

1. Anomaly detector in control center detects attacked measurement $y_i + \Delta y$

2. Optimal physics-based prediction $\hat{y}_i$ from un-attacked measurements $y_1, \dots, y_N$ (Virtual sensor)

3. Feed $\hat{y}_i$ back to PLCs

[Paridari et al., ICCPS ‘16]
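The three steps above as an added Python example, not code from the talk or from the cited paper: a residual detector flags the corrupted measurement, a virtual sensor predicts it from the remaining measurements, and the prediction replaces it in what is forwarded to the PLCs. The linear sensor model (`C`, `D`), the CUSUM parameters (`drift`, `tau`), the median-based estimate (used here in place of the optimal predictor) and the sample data are assumptions constructed for illustration.

```python
from statistics import median

# Constructed plant model (assumption, standing in for system identification):
# sensor j reads y_j = C[j] * x + D[j] + noise, with x a shared physical state.
C = [1.0, 0.9, 1.1, 1.0]
D = [0.0, 2.0, -1.0, 0.5]

def true_value(i, t):
    """Noise-free reading of sensor i at step t (x ramps slowly from 60)."""
    return C[i] * (60.0 + 0.01 * t) + D[i]

def constructed_samples(steps=100, attacked=2, start=50, bias=4.0):
    """Constructed data: bounded noise, plus a bias on one sensor from `start`."""
    rows = []
    for t in range(steps):
        row = [true_value(j, t) + 0.1 * ((7 * t + 3 * j) % 5 - 2)
               for j in range(len(C))]
        if t >= start:
            row[attacked] += bias
        rows.append(row)
    return rows

def virtual_sensor(i, y, trusted):
    """Step 2: predict y_i from the trusted measurements other than i.
    The median keeps one corrupted input from shifting the estimate."""
    xs = [(y[j] - D[j]) / C[j] for j in trusted if j != i]
    return C[i] * median(xs) + D[i]

def monitor(samples, drift=0.5, tau=5.0):
    """Step 1: CUSUM on |y_i - yhat_i|. Step 3: flagged sensors are replaced
    by the virtual sensor in the values forwarded to the PLCs."""
    n = len(C)
    trusted, cusum, flagged_at, to_plc = set(range(n)), [0.0] * n, {}, []
    for t, y in enumerate(samples):
        out = list(y)
        for i in range(n):
            yhat = virtual_sensor(i, y, trusted)
            if i in trusted:
                cusum[i] = max(0.0, cusum[i] + abs(y[i] - yhat) - drift)
                if cusum[i] > tau and len(trusted) > 3:  # keep >= 3 trusted
                    trusted.discard(i)
                    flagged_at[i] = t
            if i not in trusted:
                out[i] = yhat
        to_plc.append(out)
    return flagged_at, to_plc

if __name__ == "__main__":
    flagged, forwarded = monitor(constructed_samples())
    print(flagged, round(forwarded[60][2], 2))
```

The corrupted value still reaches the PLCs for the steps between attack start and detection, which is the detector delay that the control-performance verification in the talk accounts for.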

Page 14:

Verification: Control Performance

1400 sec delay in anomaly detector (“attacker free time”):

[Paridari et al., ICCPS ‘16]


Page 15:

Summary

• Possibilities with physics-based anomaly detectors:
  • Randomly failing components [safety]: OK
  • Physics-unaware adversaries [security]: OK
  • Adversaries with physics knowledge and ability to stage coordinated (time & space) data corruption [security]: not always OK (example in movie)
• New metric to evaluate anomaly detectors for ICS. Tools under development
• Fault- and attack-tolerant (resilient) controller example

Page 16:

CERCES – Center for Resilient Critical Infrastructures

• Area 1: Embedded Software Platforms (M. Dam)

• Area 2: Wireless Communication (R. Thobaben)

• Area 3: Communication and Computation Infrastructure (G. Dán)

• Area 4: Resilient Control of Cyber-Physical Systems (H. Sandberg)

Page 17:

Thank You!

• CERCES: www.ees.kth.se/cerces

• SPARKS: project-sparks.eu/

• Henrik Sandberg: people.kth.se/~hsan/
