Quantifying Cyber Security for Networked Control Systems

Similar documents
Control Systems Security Metrics and Risk Management

Detection and Identification of Data Attacks in Power System

arxiv: v2 [math.oc] 15 Feb 2013

Electric Power Network Security Analysis via Minimum Cut Relaxation

Robustness Analysis of Power Grid under False Data Attacks Against AC State Estimation

Coding Sensor Outputs for Injection Attacks Detection

arxiv: v1 [math.oc] 8 Nov 2010

Quantifying Cyber-Security for Networked Control Systems

3194 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 59, NO. 12, DECEMBER 2014

Security of Cyber-Physical Systems

Cyber Attacks, Detection and Protection in Smart Grid State Estimation

Malicious Data Detection in State Estimation Leveraging System Losses & Estimation of Perturbed Parameters

Power Grid State Estimation after a Cyber-Physical Attack under the AC Power Flow Model

Fault Detection and Mitigation in Kirchhoff Networks

arxiv: v2 [math.oc] 27 Feb 2017

WITH the increasing integration of real-time monitoring,

False Data Injection Attacks in Control Systems

False Data Injection Attacks Against Nonlinear State Estimation in Smart Power Grids

Dynamic State Estimation in the Presence of Compromised Sensory Data

An Abrupt Change Detection Heuristic with Applications to Cyber Data Attacks on Power Systems π

Dynamic Attack Detection in Cyber-Physical. Systems with Side Initial State Information

Antagonistic Control

THE electric power system is a complex cyber-physical

DUE to their complexity and magnitude, modern infrastructure

Role of Synchronized Measurements In Operation of Smart Grids

Revealing Stealthy Attacks in Control Systems

CRITICAL infrastructure is undergoing a cyber-enablement

Mixed Integer Linear Programming and Nonlinear Programming for Optimal PMU Placement

Security Analysis of Cyber-Physical Systems Using H 2 Norm

Distributed Detection of Cyber Attacks and Faults for Power Systems

Moving Target Defense for Hardening the Security of the Power System State Estimation

STATE ESTIMATION IN DISTRIBUTION SYSTEMS

On Optimal Link Removals for Controllability Degradation in Dynamical Networks

Impacts of Bad Data and Cyber Attacks on Electricity Market Operations

Distributed Fault Detection for Interconnected Second-Order Systems with Applications to Power Networks

ANOMALY DETECTION IN LIQUID PIPELINES USING MODELING, CO-SIMULATION AND DYNAMICAL ESTIMATION

THE convergence of automation and information technology. Power Grid AC-based State Estimation: Vulnerability Analysis Against Cyber Attacks

Power System Security. S. Chakrabarti

Detecting Data Tampering in Synchrophasors using Power Flow Entropy

THE future smart grid, which leverages advanced information. CCPA: Coordinated Cyber-Physical Attacks and Countermeasures in Smart Grid

Indicator Constraints in Mixed-Integer Programming

EXPOSE the Line Failures following a Cyber-Physical Attack on the Power Grid

Dynamic Attacks on Power Systems Economic Dispatch

A Semidefinite Programming Relaxation under False Data Injection Attacks against Power Grid AC State Estimation

CHAPTER 3: INTEGER PROGRAMMING

Sporadic Data Integrity for Secure State Estimation

Secure Control Against Replay Attacks

Distributed Detection and Estimation in Wireless Sensor Networks: Resource Allocation, Fusion Rules, and Network Security

Information Hiding and Covert Communication

A Smart Grid Vulnerability Analysis Framework for Coordinated Variable Structure Switching Attacks

A Decomposition Based Approach for Solving a General Bilevel Linear Programming

16.410/413 Principles of Autonomy and Decision Making

Encoder Decoder Design for Feedback Control over the Binary Symmetric Channel

World Academy of Science, Engineering and Technology International Journal of Computer and Systems Engineering Vol:6, No:6, 2012

Disconnecting Networks via Node Deletions

Minimum Sparsity of Unobservable. Power Network Attacks

Power grid vulnerability analysis

Modeling disruption and dynamic response of water networks. Sifat Ferdousi August 19, 2016

Accelerating the Convergence of MIP-based Unit Commitment Problems

Active Fault Diagnosis for Uncertain Systems

Learning Model Predictive Control for Iterative Tasks: A Computationally Efficient Approach for Linear System

Developing Correlation Indices to Identify Coordinated Cyber-Attacks on Power Grids

Coordinated Variable Structure Switching in Smart Power Systems: Attacks and Mitigation

Optimal PMU Placement

Australian National University WORKSHOP ON SYSTEMS AND CONTROL

Design of Spectrally Shaped Binary Sequences via Randomized Convex Relaxations

Discrete Optimization 2010 Lecture 8 Lagrangian Relaxation / P, N P and co-n P

Resilient Distributed Optimization Algorithm against Adversary Attacks

Inderjit Dhillon The University of Texas at Austin

Finite-Time Thermodynamics of Port-Hamiltonian Systems

CYBER-Physical Systems (CPS) are systems that smoothly

Local Cyber-physical Attack with Leveraging Detection in Smart Grid

Encoder Decoder Design for Event-Triggered Feedback Control over Bandlimited Channels

On the Failure of Power System Automatic Generation Control due to Measurement Noise

Self-Calibration and Biconvex Compressive Sensing

The AR OPF: an Exact Convex Formulation for the Optimal Power Flow in Radial Distribution Networks

Unsupervised Anomaly Detection for High Dimensional Data

Malachite: Firewall Policy Comparison

What s under the hood? Improving SCADA security with process awareness

IMHOTEP-SMT: A Satisfiability Modulo Theory Solver For Secure State Estimation

Stealthy Deception Attacks on Water SCADA Systems

QUANTIZATION FOR DISTRIBUTED ESTIMATION IN LARGE SCALE SENSOR NETWORKS

From structures to heuristics to global solvers

A Benders Algorithm for Two-Stage Stochastic Optimization Problems With Mixed Integer Recourse

False Data Injection Attacks in Control Systems

Tractable Upper Bounds on the Restricted Isometry Constant

A bad example for the iterative rounding method for mincost k-connected spanning subgraphs

Smart Grid State Estimation by Weighted Least Square Estimation

Application-Aware Anomaly Detection of Sensor Measurements in Cyber-Physical Systems

Certifying the Global Optimality of Graph Cuts via Semidefinite Programming: A Theoretic Guarantee for Spectral Clustering

Power Grid Partitioning: Static and Dynamic Approaches

Investigations of Power Analysis Attacks on Smartcards *

Optimal Power Flow. S. Bose, M. Chandy, M. Farivar, D. Gayme S. Low. C. Clarke. Southern California Edison. Caltech. March 2012

certain class of distributions, any SFQ can be expressed as a set of thresholds on the sufficient statistic. For distributions

Consensus-Based Distributed Optimization with Malicious Nodes

Chapter 11. Approximation Algorithms. Slides by Kevin Wayne Pearson-Addison Wesley. All rights reserved.

An Algebraic Detection Approach for Control Systems under Multiple Stochastic Cyber-attacks

Detecting Integrity Attacks on SCADASystems

Learning discrete graphical models via generalized inverse covariance matrices

Cyber and Physical Information Fusion for Infrastructure Protection: A Game-Theoretic Approach

Transcription:

Quantifying Cyber Security for Networked Control Systems Henrik Sandberg ACCESS Linnaeus Centre, KTH Royal Institute of Technology Joint work with: André Teixeira, György Dán, Karl H. Johansson (KTH) Kin Cheong Sou (Chalmers) Julien M. Hendrickx, Raphael M. Jungers (Louvain) UC Berkeley May 17 th, 2013

Motivation Networked control systems are to a growing extent - based on commercial off-the-shelf components - integrated with data analytics environments etc. Leads to increasing vulnerability to cyberphysical threats with many potential points of attacks Need for tools and strategies to understand and mitigate attacks in networked control systems: - Which threats should we care about? - What impact can we expect from attacks? - Which resources should we protect (more)? 2

Contributions Adversary models for networked control systems Optimization tools for quantization of cyber security - Trade-off between protection resources and level of security - Trade-off between attack resources and attack impact Security metric for power network state estimators. Efficient computation using graph Min Cut relaxations Security metric for wireless LQG-controlled quadruple tank. Computation using mixed integer linear programs 3

Outline Adversary models for networked control systems Application 1: Power network state estimation Application 2: Wireless LQG-controlled quadruple tank 4

Networked Control System under Attack Physical plant ( ) Feedback controller ( ) Anomaly detector ( ) Physical Attacks Deception Attacks Disclosure Attacks 5

Adversary Model Adversary s goal to force the process state into an unsafe region Attack should be stealthy, i.e., no alarms (at least until it is too late) Adversary constrained by limited resources 6

Networked Control System with Adversary Model 7

Attack Space Covert [Smith] Eavesdropping [Bishop] Replay [Sinopoli] [Teixeira et al., 2012] 8

Outline Adversary models for networked control systems Application 1: Power network state estimation - Security index definition - Computation with LASSO/graph Min Cut relaxations Application 2: Wireless LQG-controlled quadruple tank 9

Power Network Control System state Remote Terminal Units (in substations) z measurement Supervisory Control And Data Acquisition 5/21/2013 10 ˆ

Model-Based State Estimation Given redundant measurement z, find state estimate ˆ based on steady-state model state measurement z z h 11

Power Network State Estimation Model States () = bus voltage phase angles (flow conservation) bus injection Measurements (z) = line power flow & bus injection z 1 ( 1 2 ) line power 2 1 flow z 12 z 23 z 2 z 34 4 DC power flow model [Abur et al.]: z H θ measurement matrix bus (node) 3 line (edge) meter 12

z H θ θˆ State Estimation by Least Squares State estimator (LS) wrong H T 1 H H T z wrong Contingency analysis wrong OPF calculations What if the measurements were wrong? z z z random measurement noise intentional data attack 5/21/2013 13

Stealth Additive False-Data Attack Measurements subject to attack: z z z z 12 +z 12 z 1 +z 1 z 2 +z 2 z 24 +z 24 Attack is constrained; otherwise will be detected by Bad Data Detection algorithm z 23 +z 23 z 3 z 34 +z 3 +z 34 Stealth attack [Liu et al., Giani et al.]: z Hθ 14

Adversary Model Adversary s goal to induce a bias in measurement channel Attack should be stealthy, i.e., no alarms Adversary should use minimal disruption resources 15

Security Index Stealth attack z Hθ e span In general, k H target additional Minimum # of meters attacked, targeting the k th measurement: min Hθ θ 0 s.t. H k,: θ1 Minimum objective value = security index [Sandberg et al.] Security index identifies network vulnerabilities 16

The Goal: Quantify Security security 1 12 13 11 6 5 14 10 9 4 7 8 dangerous moderate safe 2 3 17

Security Index Cardinality Minimization Security index problem min Hθ θ 0 s.t. H k,: θ1 H 2,: θ optimal solution set not convex H 1,: θ Closely related to compressed sensing and computation of the cospark of H, see [Tillmann and Pfetsch, 2005]. Problem known to be NP-hard in general. feasible set (affine subspace) 18

Security index problem min Hθ θ 0 s.t. H k,: θ1 How to solve? 19

Security Index Computation MILP min Hθ θ 0 s.t. H k,: θ1 Cardinality minimization problem Mixed integer linear program (MILP) Exact solution (solver: CPLEX) Solution algorithm not scalable min θ, y s.t. y i i My Hθ My H k,: θ1 yi 0,1 i MILP formulation 20

Security Index Computation LASSO min Hθ θ 1 s.t. H k,: θ1 Convex linear program (LP) Known as LASSO Approximate solution Less expensive to solve min θ, y s.t. y i i y Hθ y H k,: θ1 yi LP formulation i 21

The Challenge Can we find solutions as accurately as MILP, and faster than LASSO? For general H, the answer is no (problem NP-hard) Let us exploit DC-power flow structure of H and make a full measurement assumption Specialize into graph problems with accurate and efficient algorithms 22

Graph Interpretation of Stealth Attack Stealth attack z Hθ = phase angle assignment 2 =? 3 1 =? 1.2 4 = 3? Phase angle differences flows 3 = -0.6? attack cost Hθ 0 = # of meters with nonzero flows 23

Binary Phases Assignment is Optimal No phase angle difference No flows Attack cost = 0 Next guess: (0,1) phase angle assignment? No attack Theorem: Optimal i can be restricted to 0 or 1, for all i 5/21/2013 min Hθ θ 0 s.t. Hk,: θ1 min Hθ θ 0 s.t. Hk,: θ1 θ 01, i 24

Binary Optimal Solution Justification Can always find (0,1) feasible solution with no worst cost negative becomes 0 2 = 0 2 = 0 1 = 1 4 = -1/4 1 = 1 4 = 0 3 = 1/4 Cost = 13 attacks positive becomes 1 3 = 1 Cost = 10 attacks 25

Reformulation as Node Partitioning Optimal i can be restricted to 0 or 1, for all i Phase angle assignment becomes node partitioning 2 = 0 1 = 1 4 = 0 or 1? Each cut line requires 2 attacks Each node incident to at least one cut line requires 1 attack Cut 3 = 0 or 1? Security index problem: Pick partition of minimum # of attacks 26

Security index problem Generalized Min Cut problem min Hθ θ 0 s.t. H k,: θ1 How to solve generalized Min Cut? 27

Standard Min Cut on Appended Graph Generalized Min Cut = Standard Min Cut on appended graph generalized min cut source v s V E p s = 2 nodes edges 1 1 sink v 1 100 v 2 1 v 3 100 v 4 p 1 = 0 p 2 = 4 p 3 = 4 p t = 0 0 0 standard min cut appended graph C v s 2 1 1 w ~ 1 w ~ 2 w ~ 3 w ~ t ~ C z s C ~ C C 4 v ~ 1 v ~ 2 v ~ ~ 3 v t 100 1 100 C 4 Nodes 3 V Edges 3 E 2 V z ~ 1 z ~ 28 2 z ~ 3 z ~ t C C 4 4 C C 0 0

Security Index Problem Summary Security index problem Generalized Min Cut problem min Hθ θ 0 s.t. H k,: θ1 Practical implications? Standard Min Cut problem on an appended graph [Sou et al., 2011] [Hendrickx et al., 2013] >> [maxflow,mincut] = max_flow(a,source,sink); 29

IEEE 14 Bus Benchmark Test Result Security indices for all measurements a k (security index) 25 20 15 10 5 MILP Min Cut LASSO 0 0 10 20 30 40 k (measurement index) Solve time: MILP 1.1s; LASSO 0.6s; Min Cut 0.02s 30

IEEE 14 Bus Vulnerable Measurements security index 1 12 13 11 6 5 14 10 9 4 7 8 4 7 10 2 3 31

IEEE 118, 300, 2383 Bus Benchmarks Min Cut solution is exact Solve time comparison: Method/Case 118 bus 300 bus 2383 bus MILP 763 sec 6708 sec About 5.7 days Min Cut 0.3 sec 1 sec 31 sec 32

What about LASSO (1-Norm Relaxation)? min Hθ θ 1 s.t. H k,: θ1 We have seen LASSO relaxation in general yields non-optimal solution Will LASSO ever work? Yes, when H is totally unimodular! [Sou et al., 2013] 33

Totally Unimodular Matrices A matrix is totally unimodular = determinant of all square sub-matrices are -1,0,1 network incidence matrix consecutive one matrix 1 1 0 0 1 1 0 1 1 0 0 1 1 1 1 Corresponds to full flow measurements (no bus injection measurements) 1 1 1 1 1 0 0 1 1 0 0 1 1 1 1 34

Summary Power Network State Estimation Adversary model - Induce measurement bias undetected - DC-power flow model known - Minimum disruption resources desired Security index problem yields lower bounds on required disruption resources. Suggests protection strategy [Vukovic et al., 2012] Security index computation in general NP-hard. Under appropriate assumptions graph Min Cut relaxation works very well 35

Outline Adversary models for networked control systems Application 1: Power network state estimation Application 2: Wireless LQG-controlled quadruple tank - Max-impact/min-resource attacks 36

Extension to Dynamical Systems Attacker needs to satisfy constraints not only across channels (spatial dimension) but also constraints across time (temporal dimension) Cases considered: 1. Minimum resource attacks 2. Maximum impact attacks 3. Maximum impact bounded resource attacks [Teixeira et al., 2013] 37

Dynamical Networked Control System Physical Plant Feedback Controller Alarm Anomaly Detector - Alarm triggered if 38

Adversary Model Adversary s goal is to force the process state into an unsafe region Attack should be stealthy, i.e., no alarms Adversary constrained by limited resources 39

The Dynamical Systems Case (1) Dynamical anomaly detector for closed-loop system: Lift to time interval with zero-initial conditions and no noise: 40

The Dynamical Systems Case (2) Dynamics of plant and controller: Lift to time interval with zero-initial conditions and no noise: 41

Max Impact/Bounded Resource Attack s.t. (physical impact) (residual in detector) (# channels attacked) Maximize impact (push far away from equilibrium) No alarms (threshold ) Attack no more than channels Mixed Integer Linear Program (MILP) [Teixeira et al., 2013] 42

Numerical Example Wireless LQG controller 4 channels: 2 actuators and 2 measurements Minimum phase or non-minimum phase depending on 43

Numerical Example (Non-Min Phase) Values of for max impact/bounded resource attack 44

Numerical Example (Non-Min Phase) 45

Numerical Example Maximum Impact/Bounded Resource attack illustrated 2 channels allowed: MILP selects the actuators 3-4 channels allowed: Unbounded impact (any attack on actuators can be hidden by corrupting 2 measurements) Infinity norm criteria yields more aggressive attack than 2-norm criteria (bounds get saturated) Not surprisingly, non-min phase plant more sensitive 46

Steady-State Attacks Consider attacks over where - - (sinusoidal attacks) Similar analysis carries through but make substitutions - - Yields worst-case attack frequency etc. 47

Summary Tools for quantitative trade-off analysis between attacker s impact and resources, also important for cyber defense prioritization For dynamical systems there are temporal as well as spatial (channel) constraints for attacker to fulfill - Enforced through lifting and frequency-response models - Solved using MILP. No well-working relaxation known by us 48

References Adversary models and quadruple tank process - Teixeira et al., Attack models and scenarios for networked control systems, Proc. of HiCoNS, ACM, 2012 - Teixeira et al., Quantifying Cyber-Security for Networked Control Systems, Workshop on Control of Cyber-Physical Systems, Springer Verlag, 2013 (to appear) The security index problem - Sandberg et al., On Security Indices for State Estimators in Power Networks, Preprints of 1st workshop on Secure Control Systems, CPSWEEK, 2010 - Vukovic et al., Network-aware Mitigation of Data Integrity Attacks on Power System State Estimation, IEEE JSAC, 2012 Efficient computation, and Min Cut relaxation - Sou et al., On the Exact Solution to a Smart Grid Cyber- Security Analysis Problem, IEEE Trans. on Smart Grid, 2013 - Hendrickx et al., Efficient Computations of a Security Index for False Data Attacks in Power Networks, arxiv:1204.6174 5/21/2013 49

Generalized Min Cut with Costly Nodes Focus on directed graph (undirected = bi-directed) edge weight = # of line meters node weight = # of bus meters source sink Find the cut (node partition) to minimize weights of cut edge + incident node weights Generalization of standard Min Cut! 50

The Network: SCADA System 5/21/2013 51 [Vukovic et al., 2012]

Numerical Example (2-Norm, Non-Min Phase) 52

Numerical Example (2-Norm, Non-Min Phase) 53

Numerical Example (Min Phase 2-norm) 54

Numerical Example (Min Phase inf-norm) 55

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback