KTH Royal Institute of Technology
Physics-Based Attack Detection and Countermeasures in Control Systems
Henrik Sandberg Department of Automatic Control
KTH, Stockholm, Sweden
In Collaboration With…
KTH and CERCES:
György Dán, Ragnar Thobaben, Mads Dam,
Kaveh Paridari, Jezdimir Milošević,
David Umsonst, Karl Henrik Johansson
Delft University of Technology:
André M.H. Teixeira
University of Texas at Dallas:
Alvaro A. Cárdenas, and co-workers
SPARKS (EU FP7):
AIT, UTRC, and EMC Corporation
Industrial Control System (ICS) under Attack
[Cardenas et al., Hotsec ‘08]
[Urbina et al., CCS ‘16]
[Figure: ICS under attack, shown from the IT perspective and from the control perspective]
Example: Stealthy Water Tank Attack
2 hacked actuators (𝑢1 and 𝑢2)
2 healthy sensors (𝑦1 and 𝑦2)
Can the controller/detector always detect the attack?
[Teixeira et al., HiCoNS ‘12]
Example: Stealthy Water Tank Attack [Movie]
[Teixeira et al., HiCoNS ‘12]
Example: Stealthy Water Tank Attack
Can the controller/detector always detect the attack?
Not against an adversary with physics knowledge
⇒ Undetectable attack (zero-dynamics attack)
[Teixeira et al., HiCoNS ‘12]
Physics-Based Anomaly Detection
• Physics-based anomaly detectors work for
  • Randomly failing components [safety]; and
  • Physics-unaware adversaries [security]
• But the example illustrates sensitivity to adversaries with
  • Physical process knowledge; and
  • Ability to stage coordinated (time & space) data corruption [security]
• How to quantify the performance of, and compare, different detectors?
[Urbina et al., CCS ‘16]
New Performance Metric for ICS Anomaly Detection
[Urbina et al., CCS ‘16]
Power System Example
[Figure: plot annotated “The better detector”. Axis: mean time between false alarms (no attack and no component failure; alarms caused by “normal” process and sensor noise)]
[Umsonst et al., submitted ‘16]
What can we do in real time about the attacks and faults we can detect using the anomaly detector?
I.e., what about the countermeasures (= reconfiguration)?
Example next…
A Test-bed and Case Study: NIMBUS Microgrid, Cork, Ireland
Electrical components
• 10kW wind turbine
• 35kWh (85kW peak) Li-Ion battery
• 50kW electrical/82kW thermal combined heat and power unit (CHP)
• Feeder management relay to manage the point of coupling between the microgrid and the rest of the building, and a set of local loads
• Battery and wind turbine interfaced through power electronics converters
• CHP with synchronous machine
IT System
• Interlinked Building Management System and Microgrid SCADA
• Three-layer control systems
• UTRC Middleware
Supervisory system (control and optimization)
Power system control and coordination
[Figure: NIMBUS test-bed architecture. Electrical microgrid (external grid, wind turbine, battery with converter, CHP, FMR, critical loads) and thermal system (boilers, CHP with thermal store, pumps, valves, radiators), connected through the middleware to supervisory control of microgrid and heating with load forecast, energy pricing and weather forecast, and external building loads]
Attack Scenario
Adversary: Infect some field devices with malware (à la Stuxnet), corrupting measurements sent to PLCs (here: 𝐴𝑇1 and 𝐴𝑇2)
Defender: Access to remote correlated measurements and a physical model (here: temperature measurements and modeling by system identification)
In collaboration with UTRC and EMC Corporation (Ireland) [Paridari et al., ICCPS ‘16]
Resilient Monitoring and Control
1. Anomaly detector in control center detects attacked measurement 𝑦𝑖 + Δ𝑦
2. Optimal physics-based prediction ŷ𝑖 from un-attacked measurements 𝑦1, …, 𝑦𝑁 (virtual sensor)
3. Feed ŷ𝑖 back to PLCs
[Paridari et al., ICCPS ‘16]
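The three steps above as an added sketch (not code from the talk or from the cited paper): a residual detector flags the biased measurement, a virtual sensor predicts it from the other sensors, and the prediction is forwarded in its place. Assumptions: the sensor model, noise terms, threshold margin and the averaged per-sensor least-squares fit are constructed for illustration and stand in for the optimal estimator the slide refers to.

```python
import math

def fit_line(x, y):
    """Ordinary least squares for y ~ a*x + b (the system identification step)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    sxx = sum((xi - mx) ** 2 for xi in x)
    a = sxy / sxx
    return a, my - a * mx

class VirtualSensor:
    """Predicts sensor `target` from the other sensors; alarms on large residuals."""
    def __init__(self, history, target, margin=4.0):
        self.target = target
        cols = list(zip(*history))  # one column per sensor
        self.models = {j: fit_line(cols[j], cols[target])
                       for j in range(len(cols)) if j != target}
        # Threshold from attack-free residuals, widened by an assumed safety margin.
        self.threshold = margin * max(abs(r[target] - self.predict(r)) for r in history)

    def predict(self, row):
        # Assumed simplification: average the per-sensor linear predictions.
        preds = [a * row[j] + b for j, (a, b) in self.models.items()]
        return sum(preds) / len(preds)

    def step(self, row):
        """Return (alarm, value forwarded to the PLC) for one sample."""
        y_hat = self.predict(row)
        alarm = abs(row[self.target] - y_hat) > self.threshold
        return alarm, (y_hat if alarm else row[self.target])

def plant(k):
    """Constructed data: one zone temperature seen by three correlated sensors."""
    t = 20 + 2 * math.sin(0.05 * k)
    return t, [t + 0.05 * math.sin(1.3 * k),
               0.9 * t + 1.5 + 0.05 * math.cos(0.7 * k),
               1.1 * t - 1.0 + 0.05 * math.sin(2.1 * k)]

def run(attack_start=120, bias=3.0, steps=200):
    vs = VirtualSensor([plant(k)[1] for k in range(100)], target=0)
    log = []
    for k in range(100, steps):
        truth, row = plant(k)
        if k >= attack_start:
            row[0] += bias  # corrupted measurement y_i + Δy
        alarm, fed = vs.step(row)
        log.append((k, alarm, fed, truth))
    return log
```

This detector alarms on the first biased sample; a detector with a delay, as in the verification slide that follows, would forward the corrupted value until the alarm is raised.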
Verification: Control Performance
1400 sec delay in anomaly detector (“attacker free time”):
[Paridari et al., ICCPS ‘16]
[Figure: control performance plots; time axes in seconds]
Summary
• Possibilities with physics-based anomaly detectors:
  • Randomly failing components [safety]: OK
  • Physics-unaware adversaries [security]: OK
  • Adversaries with physics knowledge and ability to stage coordinated (time & space) data corruption [security]: not always OK (example in movie)
• New metric to evaluate anomaly detectors for ICS. Tools under development
• Fault- and attack-tolerant (resilient) controller example
CERCES – Center for Resilient Critical Infrastructures
• Area 1: Embedded Software Platforms (M. Dam)
• Area 2: Wireless Communication (R. Thobaben)
• Area 3: Communication and Computation Infrastructure (G. Dán)
• Area 4: Resilient Control of Cyber-Physical Systems (H. Sandberg)
Thank You!
• CERCES: www.ees.kth.se/cerces
• SPARKS: project-sparks.eu/
• Henrik Sandberg: people.kth.se/~hsan/