Important Examples of Cyber-Physical Systems Cyber-Physical Systems - PowerPoint PPT Presentation

Important Examples of Cyber-Physical Systems Cyber-Physical Systems under Attack Models, Fundamental Limitations, and Monitor Design Fabio Pasqualetti Florian D¨ orfler Francesco Bullo Center for Control, Dynamical systems and Computation University of California, Santa Barbara Many critical infrastructures are cyber-physical systems: power generation and distribution networks water networks and mass transportation systems econometric models (W. Leontief, Input - output economics , 1986) sensor networks University of California, Los Angeles, CA, Feb 24, 2012 energy-efficient buildings (heat transfer) F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 1 / 46 F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 2 / 46 Security and Reliability of Cyber-Physical Systems A Simple Example: WECC 3-machine 6-bus System Cyber-physical security is a fundamental obstacle b 3 challenging the smart grid vision. � 1 0.8 1 0.6 0.4 1 0.8 0 0.2 0.6 0.2 0.4 b 6 0.4 � 2 0.2 0.6 0 0.2 0.8 1 0.4 0.6 g 3 0.8 1 g 2 � 3 b 2 b 4 b 5 H. Khurana, “Cybersecurity: A key smart grid priority,” IEEE Smart Grid Newsletter , Aug. 2011. b 1 S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber-Physical System Security for the Electric Power Grid,” g 1 Proceedings of the IEEE , Jan. 2012. 1 0.8 Sensors 0.6 0.4 0.2 0.2 0 0.4 0.6 0.8 A. R. Metke and R. L. Ekl “Security technology for smart grid networks,” 1 IEEE Transactions on Smart Grid , 2010. 1 Physical dynamics: classical generator model & DC load flow J. P. Farwell and R. Rohozinski “Stuxnet and the Future of Cyber War” Survival , 2011. 2 Measurements: angle and frequency of generator g 1 T. M. Chen and S. Abu-Nimeh “Lessons from Stuxnet” Computer , 2011. 3 Attack: modify real power injections at buses b 4 & b 5 Water supply networks are among the nation’s most critical infrastructures “Distributed internet-based load altering attacks against smart power grids” IEEE Trans on Smart Grid, 2011 The attack affects the second and third generators while remaining J. Slay and M. Miller. “Lessons learned from the Maroochy water breach” Critical Infrastructure Protection , 2007. undetected from measurements at the first generator D. G. Eliades and M. M. Polycarpou. “A Fault Diagnosis and Security Framework for Water Systems” IEEE Transactions on Control Systems Technology , 2010. F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 3 / 46 F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 4 / 46 S. Amin, X. Litrico, S.S. Sastry, and A.M. Bayen. “Stealthy Deception Attacks on Water SCADA Systems” ACM International Conference on Hybrid systems , 2010.

From Fault Detection and Cyber Security Models of Cyber-Physical Systems: Power Networks to Cyber-Physical Security Small-signal structure-preserving power network model: Cyber-physical security exploits system dynamics to assess correctness of � , buses • ◦ , 1 transmission network: generators � measurements, and compatibility of measurement equation 8 37 9 10 30 38 DC load flow assumptions, and network 25 26 29 2 1 3 27 susceptance matrix Y = Y T 6 1 28 35 39 18 22 4 9 17 21 8 5 24 Cyber-physical security extends classical fault detection, and 7 12 14 15 23 6 36 31 16 2 13 7 11 complements/augments cyber security 10 19 32 20 2 generators � 33 � modeled by swing equations: 3 34 4 5 M i ¨ θ i + D i ˙ � � � θ i = P mech.in, i − j Y ij · θ i − θ j classical fault detection considers only generic failures, while cyber-physical attacks are worst-case attacks 3 buses • ◦ with constant real power demand: k Y jk cyber security does not exploit compatibility of measurement data Y ik � � � 0 = P load, i − j Y ij · θ i − θ j with physics/dynamics P load ,k cyber security methods are ineffective against attacks that affect the ⇒ Linear differential-algebraic dynamics: E ˙ x = Ax physics/dynamics F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 5 / 46 F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 7 / 46 Models of Cyber-physical Systems: Water Networks Models for Attackers and Security System Byzantine Cyber-Physical Attackers Linearized municipal water supply network model: 1 colluding omniscent attackers: 1 reservoirs with constant pressure heads: h i ( t ) = h reservoir = const . know model structure and parameters i measure full state 2 pipe flows obey linearized Hazen-Williams eq: Q ij = g ij · ( h i − h j ) perform unbounded computation can apply some control signal and corrupt some measurements 3 balance at tank: 2 attacker’s objective is to change/disrupt the physical state A i ˙ h i = � j → i Q ji − � i → k Q ik Security System 4 demand = balance at junction: 1 knows structure and parameters d i = � j → i Q ji − � i → k Q ik 2 measures output signal 5 pumps & valves: 3 security systems’s objective is to detect and identify attack h j − h i = +∆ h pump/valves = const. ij 1 characterize fundamental limitations on security system ⇒ Linear differential-algebraic dynamics: E ˙ x = Ax 2 design filters for detectable and identifiable attacks F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 8 / 46 F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 9 / 46

Model of Cyber-Physical Systems under Attack Related Results on Cyber-Physical Security S. Amin et al, “Safe and secure networked control systems under denial-of-service attacks,” 1 Physics obey linear differential-algebraic dynamics: E ˙ x ( t ) = Ax ( t ) Hybrid Systems: Computation and Control 2009. Y. Liu, M. K. Reiter, and P. Ning, “False data injection attacks against state estimation in electric power grids,” 2 Measurements are in continuous-time: y ( t ) = Cx ( t ) ACM Conference on Computer and Communications Security , Nov. 2009. A. Teixeira et al. “Cyber security analysis of state estimators in electric power systems,” 3 Cyber-physical attacks are modeled as unknown input u ( t ) IEEE Conf. on Decision and Control , Dec. 2010. with unknown input matrices B & D S. Amin, X. Litrico, S. S. Sastry, and A. M. Bayen, “Stealthy deception attacks on water SCADA systems,” Hybrid Systems: Computation and Control, 2010. Y. Mo and B. Sinopoli, “Secure control against replay attacks,” Allerton Conf. on Communications, Control and Computing , Sep. 2010 E ˙ x ( t ) = Ax ( t ) + Bu ( t ) G. Dan and H. Sandberg, “Stealth attacks and protection schemes for state estimators in power systems,” IEEE Int. Conf. on Smart Grid Communications , Oct. 2010. y ( t ) = Cx ( t ) + Du ( t ) Y. Mo and B. Sinopoli, “False data injection attacks in control systems,” First Workshop on Secure Control Systems , Apr. 2010. S. Sundaram and C. Hadjicostis, “Distributed function calculation via linear iterative strategies in the presence of malicious agents,” IEEE Transactions on Automatic Control , vol. 56, no. 7, pp. 1495–1508, 2011. This model includes genuine faults of system components, physical R. Smith, “A decoupled feedback structure for covertly appropriating network control systems,” attacks , and cyber attacks caused by an omniscient malicious intruder. IFAC World Congress , Aug. 2011. F. Hamza, P. Tabuada, and S. Diggavi, “Secure state-estimation for dynamical systems under active adversaries,” Allerton Conf. on Communications, Control and Computing , Sep. 2011. � � Q: Is the attack B , D , u ( t ) detectable/identifiable from the output y ( t )? Our framework includes and generalizes most of these results F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 10 / 46 F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 11 / 46 Prototypical Attacks Technical Assumptions E ˙ x ( t ) = Ax ( t ) + B K u K ( t ) Replay attack: Static stealth attack: corrupt measurements according to C affect system and reset output y ( t ) = Cx ( t ) + D K u K ( t ) x (0) x ( t ) ( sE − A ) − 1 y ( t ) x ( t ) y ( t ) C + C + B K ¯ u K ( t ) + − Technical assumptions guaranteeing existence, uniqueness, & smoothness: u ( t ) ˜ ( sE − A ) − 1 C x (0) ˜ C D K u K ( t ) D K u K ( t ) (i) ( E , A ) is regular: | sE − A | does not vanish for all s ∈ C Covert attack: Dynamic false data injection: (ii) the initial condition x (0) is consistent (can be relaxed) closed loop replay attack render unstable pole unobservable (iii) the unknown input u K ( t ) is sufficiently smooth (can be relaxed) x ( t ) x (0) x ( t ) ( sE − A ) − 1 y ( t ) x (0) ( sE − A ) − 1 y ( t ) C + C + − B K ¯ u K ( t ) D K u K ( t ) D K u K ( t ) � � ( sE − A ) − 1 G ( s ) ( s − p ) − 1 C Attack set K = sparsity pattern of attack input F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 12 / 46 F. Pasqualetti, F. D¨ orfler, F. Bullo Cyber-Physical Systems Under Attack Security Seminar UCLA 14 / 46