Transcript Information Flow Properties for Security in Cyber

Information Flow Properties
for Security in CyberPhysical Systems
Bruce McMillin, Ph.D., Sr. Member IEEE
Dir Center for Information Assurance
Department of Computer Science
Missouri University of Science and Technology
(Formerly the University of Missouri-Rolla)
Rolla, MO 65409-0350 - USA
(work done by Ravi Akella, Han Tang,
Thoshitha Gamage, and Tom Roth)
Introduction: Cyber-Physical System
• Modern Infrastructures consist of Cyber and
Physical Components
– Smart Houses,
– Air Transport,
– Vehicle Transport,
– Smart Structures,
– Oil and Gas Pipelines,
– Distributed Energy Resources, …
• All have an inherent commonality – Physical Actions
integrated with Computation.
• Cyber Physical Systems (CPSs) are integrations of
computation with physical processes.
– National Science Foundation (US)
– Artemis (EU)
My topics for you today
• Smart Grid – Smart Distribution/Green
Energy
• CPS Flow Security Basics
• Smart Grid Security
– Modeling and Analysis
– Mitigation
Cyber-Enabled Smart Distribution
• Smart Grid
– Automated Meter Reading (AMR)
– Demand Side Management
• Centralized Supervisory Control
And Data Acquisition (SCADA)
• Electric Utility Control
Scalability, fault management, security and privacy
Source, Monitor Mapboard Systems
• Smart Grid Version 1
Cyber-Enabled Smart Distribution Systems
and Micro Grids
• Move away from Centralized SCADA
– Distributed Control
• Advanced Power Electronics
– Finer-grained control over physical entities
– Schedulable entities
• Design Issues
– Complex and unpredictable interactions between
the cyber and physical processes
– Information flow across the cyber-physical
boundaries
Security and Privacy
Would you sign up for a discount with your
power company in exchange for
surrendering control of your thermostat?
What if it means that, one day, your auto
insurance company will know that you
regularly arrive home on weekends at 2:15
a.m., just after the bars close? (MSNBC
Red Tape Chronicles 2009)
Future Renewable Electric Energy Delivery
and Management (FREEDM) – NSF ERC
An efficient and revolutionary power grid utilizing
revolutionary power electronics technology and
information technology
Decentralized management integrating distributed and
scalable alternative energy sources and storage with
existing power systems
Pre-1980s
Paradigm Shift
Internet
Centralized Mainframes
Distributed Computing
Shipping 250M pcs/yr.
Ubiquitous ownership
Ubiquitous use
Ubiquitous sharing
Innovation &
Industry
Transformation
Today
Paradigm Shift
FREEDM
System
Centralized Generation
100+ year old technology
New technologies
for distributed
renewable energy
New energy companies
based on IT and power
electronics technologies
Distributed Renewable
Energy Resources (DRER)
Ubiquitous sales
Innovation &
Industry
Transformation
Ubiquitous ownership
Ubiquitous use
Ubiquitous sharing
The FREEDM Concept – Smart Grid I
Distribution
• Distributed
Intelligence
– People share
energy
resources
– Neighborhood
or industrial
level
– Where is the
centralized
controller?
• IEM and IFM
nodes each run
a portion of the
DGI to manage
69kV
their own
resources
• Coordinate to
control the
whole as a
Distributed
Algorithm
Legacy grid
User Interface
Market &
Economics
RSC
AC
AC
FREEDM
Substation
Distributed Grid Intelligence (DGI)
IEM
IFM
12kV
ESD
IFM
IFM
AC
AC
AC
AC
IEM
IEM
120 V
LOAD
DRER
DESD
3Φ 480V
LOAD
DRER
IEM: Intelligent Energy Management IFM: Intelligent Fault Management
DRER: Distributed Renewable Energy Resource
DESD: Distributed Energy Storage Device
DESD
13
Schedulable Entity
….Advanced Power Electronics….
The Solid State Transformer
Inside an IEM Node
• Solid State Transformer (SST)
– Power Electronics
– Schedulable Entity
7.2 kV
AC
DC/DC Converter
AC/DC Rectifier
SH1
SH2
SH5
SH6
L
12kV
DC
SH3
SH4
High
Frequency S1
Transformer
DC/AC Inverter
S2
+
400V
DC
-
SH7
SH8
S3
120V / 240V
AC
Ls
Port 1
Cs
Ls
Cs
+
-
S4
Port 2
High voltage
H-Bridge
High Voltage
H-Bridge
Low Voltage
H-Bridge
How to use it?
Distributed Grid Intelligence
Within the Context of
FREEDM
• Each FREEDM IEM node
runs a portion of the DGI to
manage its own resources
• Power Management
– Load Balance DESD, DRER,
and LOAD
– Control and react to the SST
– Migrate power through the
Gateway that connects an
SST to the system shared
bus.
17
Distributed Power Balancing
• Correctness: Keep all IEM nodes’ “balanced” in terms of
Supply and Demand and minimize energy cost
• Pass messages negotiating load changes until the
system has stabilized
• Global optimization decomposed into individual
processes that cooperate to meet the global correctness.
XActual = XLoad − XDRER
System Load
State
XActual < 0
Low (Supply)
XActual > Threshold
High (Demand)
0<=XActual <=Threshold
Normal
DGI Power Balancing Algorithm
19
IEM 0
IEM 0
20.551
IEM 1
L
H
IEM 1
More
Critical
need
IEM n
IEM 0
IEM 1
:
:
32.834
N
IEM 0
N
H
IEM 1
H
:
:
IEM n
H
Lesser
need
IEM n
N
:
:
IEM n
30.721
H
I CAN SUPPLY
Migrate 1 quantum of Power per successful request
After Load Balancing
IEM 0
IEM 0
IEM 1
25.551
IEM 1
N
IEM 0
N
IEM 1
:
:
IEM n
27.834
IEM n
N
IEM 0
L
N
IEM 1
H
:
:
H
IEM n
:
:
N
IEM n
30.721
H
20
Optimality?
• G = Σ XActual = Σ XLoad,i - ΣXDRER,j
n, Local Load – m, Local Capacity
• Adding Costs
– CostLow = 100 ∗ XDRER + XDESD
• General Problem is to serve G while minimizing overall
cost
– Knapsack Problem
– Pack a knapsack with m items each with cost, maximizing cost
subject to the constraints of supply and load.
– NP Hard
Optimality?
• Least Cost Fractional Knapsack Algorithm
– Given ε > 0, C = lowest cost resource, m sources, K = εC/m
– For each source si, define cost’(si ) = floor (cost(si)/K)
– Add up to K entries of each source in increasing order of cost’
into the set S’ such that Σs in S’ cost’(s) ≤ Σ XLoad,i.
– Output S’, the least cost set.
• Cost (S’) ≤ (1+ ε ) · OPT
Test 203: Two IEM nodes
supplying with cost function
IEM02 and IEM03 both migrate
power to IEM01
Test 203: 3-node migration
23
Distributed Grid Intelligence
• Distributed Long and Short Term Control
• Distributed Systems Management
– Distributed Group Management
– State Maintenance
• Simulation Architectures
• Power Economics Models and Control
• Fault Tolerance of Cyber-Physical system
• Security – Confidentiality, Integrity, and Availability of
Cyber-Physical system
• Resilience - Robust Distributed System
– Formal Correctness
– Usability as an autonomous system
Motivation: Why is this a problem
2003 Midwest Blackout
2010 Stuxnet Worm Attack
• A Rootkit which injects a
malicious controller program
• Caused by a cascading
to PLCs
failure in power lines
• Capable of manipulating
• An estimated 50 million
people affected by the
cyber and physical
outage lasting up to 4
components for its own
days
purposes
• $4 – 10 billion economical
• An estimated 100,000 hosts
loss in U.S. 0.7% gross
in over 30,000 organizations
production loss in Canada
from over 155 countries
affected
Formal Information Flow Theory
Modeling and Analysis
System Security: Primary Approaches
Access Control
• Restricts access to
information and resources
• Cannot restrict information
propagation after read
• Access grants need to be
given only to processes
guaranteed not to leak
confidential data [SM03]
Flow-based Security
• Restricts flow of information
between partially ordered
security clearances
• Prevent unintended high-level
(secure/private) domain
information disclosures to the
low-level (open/public)
domain
High-level
Domain
Low-level
Domain
Information Flow Models
• FREEDM contains Power Electronics Devices that
perform physical actions that are observable
• Cannot keep these secret – loss of confidentiality/privacy
• Some other models
– Non-Interference
• High-level events do not interfere with the low level
outputs
– Non-Inference
• Removing high-level events leaves a valid system
trace
– Non-Deducibility
• Low-level observation is compatible with any of the
high-level inputs.
Microgrid Observability
Fred and Barney
• Share Resources and Make a
Profit
• Fred Gets Greedy
– Stores wind energy and sells on
his own
• Barney Gets Suspicious
– Observes Fred’s wind and
power draw from utility
– If the wind isn’t blowing and
Fred is selling to the grid, Fred
is dishonest
– If the wind is blowing, Barney
cannot deduce anything
(Formal) Information Flow Models
Information Flow Models
• A unified approach to deal with CPSs is necessary that can
encompass the cyber and physical events
• We propose a process algebraic approach adopted to
analyze the information flow in CPSs
• Security process algebra provides an abstract description
for nondeterministic and concurrent systems with actions
belonging to different levels of confidentiality (Low and High)
• Using process algebra, bisimulation provides a formal
method to determine nondeducibility.
Bisimulation-based NonDeducibility on
Composition (BNDC)
A system E is BNDC if for every high level process ∏,
a low level user cannot distinguish E from E|∏
E| ∏ : Parallel Composition of E1& ∏ where executions of the two systems are
interleaved
Case Study: Gas
Distribution Network
• Physical limitation
• Changes in one
section of the
pipeline is visible to
others
Case Study: Gas
Distribution Network
• LTC B changes flow
• Aggregated change of
the system to restabilize
Val(fb)
Val(fc)
Val(fa)
0
0
0
k
0
k
k/2
0
k/2
0
k/2
k/2
k
k/2
3k/2
k/2
k/2
k
0
k
k
k
k
2k
k/2
k
3k/2
System based on partitions
Communications
High
Level
Low
Level
Uniform Semantic Representation
• SPA – Security Process Algebra
• CoPS – Checker of Persistent Security
– BNDC
– SBNDC
bi Action
(Action1 | Action2)
bi Action1
(A_Writes | C_Writes)\L
bi Action2
(B_Writes)\L
bi State
(State_1 | State_2 | State_3 | State_4 | State_5 | State_6)\L
bi State_1
w_a.'val_1.State_1 + w_b.'val_2.State_1 + w_c.'val_2.State_1
bi A_Writes
change_a.'w_a.State
bi B_Writes
change_b.'w_b.State
bi C_Writes
change_c.'w_c.State
//bi Stable NULL
basi L
w_a w_b w_c //values to be protected
basi N
val_1 val_2 val_3 //discrete values possible
acth
change_a change_b change_c //readings at cyber level
val_1 val_2 val_3
Protection of flow between A and B against C
Bisimulation
o Two processes are weakly bisimilar if they are able to mutually
simulate their behavior step by step.
o In a weak bisimilarity relation, internal silent actions (τ) between
processes is ignored.
E1 and E2 are
bisimilar and they both
simulate E3
E3 is not bisimilar to
E1
Strong BNDC (SBNDC)
The system before and after execution of a high level event
remains indistinguishable to the low level domain
E
E
’
E’\
H
h
E’’
E’’\H
Simplification of SBNDC: Bisimulation up to H
The problem of verifying weak bisimulation for all high
level transitions of the system can be transformed into
finding a bisimulation up to H relation
E
E\H
Inherent Obfuscation
Electrical Network
• Flow in a controllable circuit
• Kirchhoff’s Laws
57

In a series connection network with only two(2)
configurable units, placement of any number of
observers preserves Nondeducibility.
58

A series circuit with n >= 2 configurable units is
fully deducible, with a minimum of n distinct
readings and n -1 observers
59

In a base parallel-connected circuit with two
parallel resistors, any combination of two
observers is sufficient to fully deduce the circuit
60

For a pure parallel circuit with n parallel
resistors, a minimum of n “strategically located”
observers are required to fully deduce the
circuit.
Microgrid Observability
• “Dumb” System from
an Observer is
Nondeducibility
Secure
• Dumb System from
an External Observer
is NOT
Nondeducibility
Secure (if we can see
everything)
• Confidentiality with no DGI
•
Power flow in the shared power bus is an
invariant function of individual gateway loads of
the participating nodes and the draw from or
contribution to the utility grid
• Such a system can be
defined as below:
• External observer with limited observability or with a few
gateway readings cannot deduce operation (no DGI)
Low = {DRER}
High = { DRER , Load, XSST , DESD , Load , Gateway}
For any high level process Π, say, XSST .Gateway or DESD. XSST
(NodenoDGI |Π)\H ≡ {DRER}
NodenoDGI \H ≈B (NodenoDGI |Π) \H ∀ Π ∈ E.
• External observer with total
observation of gateways can
deduce operation.
– Using the invariance relation on
the bus
• The DGI algorithm can be represented in SPA as:
• The IEM with DGI
• DGI system secure with respect
to an Observer without DGI
Power shared between 1 and 2 due
to DGI algorithm
SBNDC for FREEDM
The system before and after execution of a high level event
remains indistinguishable to the low level domain
E
E
’
E’\
H
h
E’’
E’’\
H
SBNDC for FREEDM
o Such processes can be
modified to satisfy
SBNDC by inserting a
complementary High
d
level output, d to
make
an internal action (τ)
thatis not observable

o Such compensating
events hide the
physically observable
effects
Confidentiality with DGI
• Observer with DGI is
not non-deducibility
secure
– Demand
• Trace the load
table within the
DGI - refusals
– Supply
• Knows about
nodes in Demand
state
Threats to DGI
• Malicious DGI process
– Manipulates load table to
ascertain other DGI
states
• IEM03’s observer deduces
IEM01 is in a demand state
• IEM01’s observer can
deduce that IEM02 and
later, IEM03 are in a supply
state.
Execution Monitoring
Mitigation
Confidentiality Violation
Confidentiality:
Preventing unauthorized
access or/and disclosure
of protected resources
Confidentiality Violation
• Sequence of Actions
• What Low-level users should see
• What they actually see
Solution: What is required
• A security mechanism that can,
– Execution Monitoring: Monitor execution steps of the
target system during runtime and detect security
property violations
– Safety Property: Able to identify action(s) causing the
violation
– Event Compensation: Able to calculate corrective
actions that can maintain functional integrity
– Emulation and Enforcement: Able to execute
corrective actions in a timely coordinated manner
• Encode and capture system semantics to a security
model
– Account for cyber-physical interactions
EM Enforceable Security
• Alpern-Schneider Framework: Every system property is
either a Safety or a Liveness property or the intersection
[AS84]
• Safety: Nothing bad happens during execution
• Only safety properties can be EM enforced [Sc00]
• Enforced using a security automata
– Terminate execution upon detecting a violation
But……
• Information Flow Security Properties are,
– Not Safety Properties; sets of execution sets
[Mc94]
– Decision to terminate can not be based on a
single execution
– Cannot be enforced using Schneider’s
security automata
Existing EM enforceable mechanisms
need to be extended
What to do when a violation is detected?
• Restore the system back to a previous safe
state
– Cannot reverse a physical consequence of a
cyber action
• Insert new actions to correct the violation
– Correct the violation while maintaining the
functional integrity
Event Compensation
• Insert corrective actions at the point where an execution
violates a given security property
– This model considers Nondeducibility security
• Formalize this concept as information flow safe state
transitions
• Research Contributions
– EM Security Automata [Sc00] + IFP + Edit Automata
[LBW05] + Emulator [NW06] = Compensate Automata
– Maintain functional integrity while preserving IFPs
– Capture cyber-physical interaction as system semantics
Compensating Couple
• Two compensating commands appended to an existing
information flow safe sequence
– Existing Trace:
– Compensating Couple:
– Extended Trace
• Generalization
– Compensating sequence:
• Compensated State Sequence
Coordinated High-level Actions
• Rearranged Action Sequence
• Compensating Couple
o
o
Both commands issued by
Stuxnet –
high-level domain
users
Rearranges the
Obfuscate
actionobservable
sequence so
a DGIc
effectsthe
in operator
the low-level
domain – never sees
anything
• Traces
Obfuscation by Compensation
• Low-level projections
• Compensated projection
• Compensating Couple
Formal Model: Compensation Automata
Period of Vulnerability
Time Domain Response
Wrap Up
• Security Issues for Cyber and Physical Systems
– Distributed “Smart Grid”
– Confidentiality and Privacy
– Formal Models –
• non-deducibility
• compensation
• Consumer Acceptance and Usage
– Social Science
Acknowledgements
This work was supported in part by the Future Renewable Electric Energy
Distribution Management Center; a National Science Foundation supported
Engineering Research Center, under grant NSF EEC-0812121 and NSF
CSR award CCF-0614633 and the Missouri S&T Intelligent Systems Center.
Read more about it
•
•
•
•
FREEDM (freedm.ncsu.edu) A. Huang, “Renewable energy system
research and education at the NSF FREEDM systems center,” in Power &
Energy Society General Meeting, 2009. PES '09. IEEE, July 2009, pp. 1–6.
Cascading failures and FACTS (filpower.mst.edu) K. Wang, M. Crow, B.
McMillin, and S. Atcitty, “A novel real-time approach to unified power flow
controller validation,” Power Systems, IEEE Transactions on, vol. 25, no. 4,
pp. 1892 –1901, Nov. 2010.
Information Flow and Verification: R. Akella, H. Tang, and B. McMillin,
“Analysis of information flow security in cyber-physical systems,”
International Journal of Critical Infrastructure Protection, vol. 3-4, pp. 157–
173, December 2010.
R. Akella and B. McMillin, “Information flow analysis of energy management
in a smart grid,” in Proc. of the Int'l Conf. on Computer Safety, Reliability
and Security (SAFECOMP'10). Springer-Verlag, Berlin, Heidelberg,
September 2010, pp. 263–276.