
Information Flow Properties for Security in Cyber-Physical Systems

Information Flow Properties for Security in Cyber-Physical Systems. Bruce McMillin, Ph.D., Sr. Member IEEE Dir Center for Information Assurance Department of Computer Science Missouri University of Science and Technology (Formerly the University of Missouri-Rolla)





Presentation Transcript


  1. Information Flow Properties for Security in Cyber-Physical Systems Bruce McMillin, Ph.D., Sr. Member IEEE Dir Center for Information Assurance Department of Computer Science Missouri University of Science and Technology (Formerly the University of Missouri-Rolla) Rolla, MO 65409-0350 - USA (work done by Ravi Akella, Han Tang, Thoshitha Gamage, and Tom Roth)

  2. Introduction: Cyber-Physical System
  • Modern Infrastructures consist of Cyber and Physical Components
    • Smart Houses,
    • Air Transport,
    • Vehicle Transport,
    • Smart Structures,
    • Oil and Gas Pipelines,
    • Distributed Energy Resources, …
  • All have an inherent commonality – Physical Actions integrated with Computation.
  • Cyber Physical Systems (CPSs) are integrations of computation with physical processes.
    • National Science Foundation (US)
    • Artemis (EU)

  3. My topics for you today
  • Smart Grid – Smart Distribution/Green Energy
  • CPS Flow Security Basics
  • Smart Grid Security
  • Modeling and Analysis
  • Mitigation

  4. Cyber-Enabled Smart Distribution
  • Smart Grid
  • Automated Meter Reading (AMR)
  • Demand Side Management
  • Centralized Supervisory Control And Data Acquisition (SCADA)
  • Electric Utility Control: Scalability, fault management, security and privacy
  (Figure: Smart Grid Version 1. Source: Monitor Mapboard Systems)

  5. Cyber-Enabled Smart Distribution Systems and Micro Grids
  • Move away from Centralized SCADA
  • Distributed Control
  • Advanced Power Electronics
  • Finer-grained control over physical entities
  • Schedulable entities
  • Design Issues
    • Complex and unpredictable interactions between the cyber and physical processes
    • Information flow across the cyber-physical boundaries

  6. Security and Privacy Would you sign up for a discount with your power company in exchange for surrendering control of your thermostat? What if it means that, one day, your auto insurance company will know that you regularly arrive home on weekends at 2:15 a.m., just after the bars close? (MSNBC Red Tape Chronicles 2009)

  7. Future Renewable Electric Energy Delivery and Management (FREEDM) – NSF ERC. An efficient and revolutionary power grid utilizing revolutionary power electronics technology and information technology. Decentralized management integrating distributed and scalable alternative energy sources and storage with existing power systems.

  8. Paradigm Shift (figure labels: Pre-1980s; Centralized Mainframes; Internet; Distributed Computing)
  • Shipping 250M pcs/yr.
  • Ubiquitous ownership
  • Ubiquitous use
  • Ubiquitous sharing
  Innovation & Industry Transformation

  9. Paradigm Shift Today (figure labels: FREEDM System; Centralized Generation, 100+ year old technology; Distributed Renewable Energy Resources (DRER); New technologies for distributed renewable energy)
  • Ubiquitous sales
  • Ubiquitous ownership
  • Ubiquitous use
  • Ubiquitous sharing
  Innovation & Industry Transformation: New energy companies based on IT and power electronics technologies

  10. The FREEDM Concept – Smart Grid Distribution
  • Distributed Intelligence
  • People share energy resources
  • Neighborhood or industrial level
  • Where is the centralized controller?

  11. IEM and IFM nodes each run a portion of the DGI to manage their own resources
  • Coordinate to control the whole as a Distributed Algorithm
  IEM: Intelligent Energy Management
  IFM: Intelligent Fault Management
  DRER: Distributed Renewable Energy Resource
  DESD: Distributed Energy Storage Device

  12. Schedulable Entity … Advanced Power Electronics … The Solid State Transformer

  13. Inside an IEM Node
  • Solid State Transformer (SST)
  • Power Electronics
  • Schedulable Entity

  14. How to use it?

  15. Distributed Grid Intelligence
  • Within the Context of FREEDM
  • Each FREEDM IEM node runs a portion of the DGI to manage its own resources
    • Power Management
    • Load Balance DESD, DRER, and LOAD
    • Control and react to the SST
    • Migrate power through the Gateway that connects an SST to the system shared bus.

  16. Distributed Power Balancing
  • Correctness: Keep all IEM nodes “balanced” in terms of Supply and Demand and minimize energy cost
  • Pass messages negotiating load changes until the system has stabilized
  • Global optimization decomposed into individual processes that cooperate to meet the global correctness.
  X_Actual = X_Load − X_DRER

  17. DGI Power Balancing Algorithm

  18. (Figure labels: I CAN SUPPLY; More Critical need; Lesser need; After Load Balancing.) Migrate 1 quantum of Power per successful request.

  19. Optimality?
  • G = Σ X_Actual = Σ_i X_Load,i − Σ_j X_DRER,j   (i over the n local loads, j over the m local capacities)
  • Adding Costs
  • Cost_Low = 100 ∗ X_DRER + X_DESD
  • General Problem is to serve G while minimizing overall cost
  • Knapsack Problem
    • Pack a knapsack with m items each with cost, maximizing cost subject to the constraints of supply and load.
    • NP Hard

  20. Optimality?
  • Least Cost Fractional Knapsack Algorithm
    • Given ε > 0, C = lowest cost resource, m sources, K = εC/m
    • For each source s_i, define cost′(s_i) = floor(cost(s_i)/K)
    • Add up to K entries of each source in increasing order of cost′ into the set S′ such that Σ_{s ∈ S′} cost′(s) ≤ Σ_i X_Load,i.
    • Output S′, the least cost set.
  • Cost(S′) ≤ (1 + ε) · OPT
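As an added example (not code from the slides or from the FREEDM DGI), the bookkeeping of slides 16, 19 and 20 in Python: per-node X_Actual, the global demand G, and a greedy least-cost fill of G over the available sources ordered by the slide's scaled cost cost′(s) = floor(cost(s)/K) with K = εC/m. The node readings, source capacities, unit costs and ε are constructed values, not FREEDM data.

```python
from math import floor

def x_actual(x_load, x_drer):
    # Slide 16: X_Actual = X_Load - X_DRER; negative means the node has surplus
    return x_load - x_drer

def global_demand(nodes):
    # Slide 19: G = sum over nodes of X_Actual, nodes given as (X_Load, X_DRER)
    return sum(x_actual(load, drer) for load, drer in nodes)

def least_cost_allocation(sources, demand, eps=0.1):
    """sources: list of (name, capacity, unit_cost). Serve `demand` (G) at least cost.
    Sources are taken fractionally in increasing order of the scaled cost
    cost'(s) = floor(cost(s)/K), K = eps*C/m, with ties broken by the true cost.
    Returns (allocation {name: amount}, total cost)."""
    m = len(sources)
    C = min(cost for _, _, cost in sources)          # cheapest resource
    K = eps * C / m
    ordered = sorted(sources, key=lambda s: (floor(s[2] / K), s[2]))
    alloc, total, remaining = {}, 0.0, demand
    for name, capacity, unit_cost in ordered:
        if remaining <= 0:
            break
        take = min(capacity, remaining)              # fractional knapsack: partial use allowed
        alloc[name] = take
        total += take * unit_cost
        remaining -= take
    if remaining > 0:
        raise ValueError("supply cannot serve demand G")
    return alloc, total

# Constructed three-node microgrid: (X_Load, X_DRER) per IEM node
NODES = [(5, 2), (3, 0), (1, 4)]
# Constructed supply offers: (name, capacity, assumed unit cost)
SOURCES = [("IEM02_DRER", 2, 1.0), ("IEM03_DESD", 5, 3.0), ("utility", 100, 10.0)]

if __name__ == "__main__":
    G = global_demand(NODES)
    print("G =", G, "allocation:", least_cost_allocation(SOURCES, G))
```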

  21. Test 203: 3-node migration. Two IEM nodes supplying with cost function; IEM02 and IEM03 both migrate power to IEM01.

  22. Distributed Grid Intelligence
  • Distributed Long and Short Term Control
  • Distributed Systems Management
  • Distributed Group Management
  • State Maintenance
  • Simulation Architectures
  • Power Economics Models and Control
  • Fault Tolerance of Cyber-Physical system
  • Security – Confidentiality, Integrity, and Availability of Cyber-Physical system
  • Resilience – Robust Distributed System
  • Formal Correctness
  • Usability as an autonomous system

  23. Motivation: Why is this a problem?
  2003 Midwest Blackout
  • Caused by a cascading failure in power lines
  • An estimated 50 million people affected by the outage lasting up to 4 days
  • $4 – 10 billion economic loss in U.S.
  • 0.7% gross production loss in Canada
  2010 Stuxnet Worm Attack
  • A Rootkit which injects a malicious controller program into PLCs
  • Capable of manipulating cyber and physical components for its own purposes
  • An estimated 100,000 hosts in over 30,000 organizations from over 155 countries affected

  24. Formal Information Flow Theory Modeling and Analysis

  25. System Security: Primary Approaches
  Access Control
  • Restricts access to information and resources
  • Cannot restrict information propagation after read
  • Access grants need to be given only to processes guaranteed not to leak confidential data [SM03]
  • Cannot identify such processes
  Flow-based Security
  • Restricts flow of information between partially ordered security clearances
  • Prevent unintended high-level (secure/private) domain information disclosures to the low-level (open/public) domain
  (Figure labels: High-level Domain; Low-level Domain)

  26. Information Flow Models
  • FREEDM contains Power Electronics Devices that perform physical actions that are observable
  • Cannot keep these secret – loss of confidentiality/privacy
  • Some other models
    • Non-Interference: High-level events do not interfere with the low level outputs
    • Non-Inference: Removing high-level events leaves a valid system trace
    • Non-Deducibility: Low-level observation is compatible with any of the high-level inputs.

  27. Microgrid Observability: Fred and Barney
  • Share Resources and Make a Profit
  • Fred Gets Greedy
    • Stores wind energy and sells on his own
  • Barney Gets Suspicious
    • Observes Fred’s wind and power draw from utility
    • If the wind isn’t blowing and Fred is selling to the grid, Fred is dishonest
    • If the wind is blowing, Barney cannot deduce anything
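An added example, not part of the presentation: the non-inference and non-deducibility definitions from slide 26 checked over a constructed trace set for the Fred and Barney story. Fred's policy (honest or greedy) is the high-level input; the wind and whether Fred exports power to the grid are what Barney, the low-level observer, can see.

```python
HIGH = {"honest", "greedy"}                      # Fred's hidden policy (high level)
LOW = {"wind", "nowind", "export", "noexport"}   # Barney's observable events (low level)

# Constructed system traces (weather, Fred's policy, Fred's grid export); not from the slides.
# A greedy Fred also exports stored wind energy on days with no wind.
TRACES = [
    ("wind", "honest", "export"),
    ("nowind", "honest", "noexport"),
    ("wind", "greedy", "export"),
    ("nowind", "greedy", "export"),
]

def purge(trace, level):
    # Projection of a trace onto the events of one level
    return tuple(e for e in trace if e in level)

def non_inference(traces):
    # Removing all high-level events must leave a valid system trace
    valid = set(traces)
    return all(purge(t, LOW) in valid for t in traces)

def compatible_high(traces, low_view):
    # High-level inputs consistent with what the low observer saw
    return {purge(t, HIGH) for t in traces if purge(t, LOW) == low_view}

def non_deducibility(traces):
    # Every low-level observation must be compatible with every high-level input
    highs = {purge(t, HIGH) for t in traces}
    return all(compatible_high(traces, purge(t, LOW)) == highs for t in traces)

def leaking_views(traces):
    # Low observations from which Barney can rule out at least one of Fred's policies
    highs = {purge(t, HIGH) for t in traces}
    return {purge(t, LOW) for t in traces
            if compatible_high(traces, purge(t, LOW)) != highs}
```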

  28. (Formal) Information Flow Models

  29. Information Flow Security for CPS: Process Algebra Approach
  • A unified approach to deal with CPSs is necessary that can encompass the cyber and physical events
  • We propose a process algebraic approach adopted to analyze the information flow in CPSs
  • Security process algebra provides an abstract description for nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High)
  • Using process algebra, bisimulation provides a formal method to determine nondeducibility.

  30. Bisimulation-based NonDeducibility on Composition (BNDC). A system E is BNDC if for every high level process Π, a low level user cannot distinguish E from E | Π. E | Π: parallel composition of E and Π, where executions of the two systems are interleaved.

  31. Case Study: Gas Distribution Network. Physical limitation: changes in one section of the pipeline are visible to others.

  32. Case Study: Gas Distribution Network. LTC B changes flow; aggregated change of the system to re-stabilize.

  33. System based on partitions (figure labels: Communications; High Level; Low Level)

  34. Uniform Semantic Representation
  • SPA – Security Process Algebra
  • CoPS – Checker of Persistent Security
  • BNDC
  • SBNDC

  35. bi Action (Action1 | Action2)
      bi Action1 (A_Writes | C_Writes)\L
      bi Action2 (B_Writes)\L
      bi State (State_1 | State_2 | State_3 | State_4 | State_5 | State_6)\L
      bi State_1 w_a.'val_1.State_1 + w_b.'val_2.State_1 + w_c.'val_2.State_1
      bi A_Writes change_a.'w_a.State
      bi B_Writes change_b.'w_b.State
      bi C_Writes change_c.'w_c.State
      //bi Stable NULL
      basi L w_a w_b w_c                  //values to be protected
      basi N val_1 val_2 val_3            //discrete values possible
      acth change_a change_b change_c     //readings at cyber level val_1 val_2 val_3

  36. Protection of flow between A and B against C

  37. Bisimulation
  • Two processes are weakly bisimilar if they are able to mutually simulate their behavior step by step.
  • In a weak bisimilarity relation, internal silent actions (τ) between processes are ignored.
  (Figure) E1 and E2 are bisimilar and they both simulate E3; E3 is not bisimilar to E1.

  38. Strong BNDC (SBNDC). The system before and after execution of a high level event remains indistinguishable to the low level domain. (Figure: E ⇒ E′ --h--> E″, with E′\H ≈ E″\H)
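An added example, not the CoPS tool or the slides' model: a small weak-bisimulation checker over labelled transition systems, used to decide SBNDC directly from its definition on slides 37 and 38 (for every high transition E′ --h--> E″, E′\H must be weakly bisimilar to E″\H). The two systems checked are constructed in the shape of the slide 35 specification: a protected write change_a or change_b (high) moves to a state that emits a reading val_1 or val_2 (low) and returns.

```python
TAU = "tau"   # internal silent action; weak bisimulation abstracts from it

def restrict(lts, high):
    # E\H: transitions on high-level actions are forbidden, i.e. dropped
    return {s: [(a, t) for a, t in ts if a not in high] for s, ts in lts.items()}

def tau_closure(lts, s):
    # All states reachable from s by zero or more tau steps
    seen, stack = {s}, [s]
    while stack:
        for a, t in lts.get(stack.pop(), []):
            if a == TAU and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def weak_succ(lts, s, a):
    # States reachable by tau* a tau* (tau* alone when a is tau itself)
    pre = tau_closure(lts, s)
    if a == TAU:
        return pre
    mid = {t for u in pre for b, t in lts.get(u, []) if b == a}
    return {w for t in mid for w in tau_closure(lts, t)}

def weakly_bisimilar(lts, p, q):
    # Greatest weak bisimulation by refining the all-pairs relation to a fixpoint
    actions = {a for ts in lts.values() for a, _ in ts}
    rel = {(x, y) for x in lts for y in lts}
    changed = True
    while changed:
        changed = False
        for x, y in list(rel):
            matched = (all(any((x2, y2) in rel for y2 in weak_succ(lts, y, a))
                           for a in actions for x2 in weak_succ(lts, x, a)) and
                       all(any((x2, y2) in rel for x2 in weak_succ(lts, x, a))
                           for a in actions for y2 in weak_succ(lts, y, a)))
            if not matched:
                rel.discard((x, y))
                changed = True
    return (p, q) in rel

def sbndc(lts, high):
    # SBNDC: for every high transition s -h-> t, s\H and t\H are weakly bisimilar
    low = restrict(lts, high)
    return all(weakly_bisimilar(low, s, t) for s, ts in lts.items() for a, t in ts if a in high)

HIGH = {"change_a", "change_b"}   # protected writes, as in the slide 35 model
# Constructed systems: State also emits a periodic reading; LEAKY reveals change_b via val_2
OBFUSCATED = {"State": [("change_a", "A"), ("change_b", "B"), ("val_1", "State")],
              "A": [("val_1", "State")], "B": [("val_1", "State")]}
LEAKY = {"State": [("change_a", "A"), ("change_b", "B"), ("val_1", "State")],
         "A": [("val_1", "State")], "B": [("val_2", "State")]}
```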

  39. Simplification of SBNDC: Bisimulation up to H. The problem of verifying weak bisimulation for all high level transitions of the system can be transformed into finding a bisimulation up to H relation. (Figure labels: E\H; E)

  40. Inherent Obfuscation: Electrical Network
  • Flow in a controllable circuit
  • Kirchhoff’s Laws

  41. • In a series connection network with only two (2) configurable units, placement of any number of observers preserves Nondeducibility.

  42. • A series circuit with n >= 2 configurable units is fully deducible, with a minimum of n distinct readings and n − 1 observers.

  43. • In a base parallel-connected circuit with two parallel resistors, any combination of two observers is sufficient to fully deduce the circuit.

  44. • For a pure parallel circuit with n parallel resistors, a minimum of n “strategically located” observers are required to fully deduce the circuit.

  45. Microgrid Observability
  • “Dumb” System from an Observer is Nondeducibility Secure
  • Dumb System from an External Observer is NOT Nondeducibility Secure (if we can see everything)

  46. Confidentiality with no DGI. Power flow in the shared power bus is an invariant function of individual gateway loads of the participating nodes and the draw from or contribution to the utility grid. Such a system can be defined as below:

  47. Low = {DRER}; High = { , Load, X_SST, , , Gateway}
  For any high level process Π, say, X_SST.Gateway or .X_SST:
  (Node_noDGI | Π)\H ≡ {DRER}
  Node_noDGI\H ≈_B (Node_noDGI | Π)\H   ∀Π ∈ E.
  • External observer with limited observability or with a few gateway readings cannot deduce operation (no DGI)
  • External observer with total observation of gateways can deduce operation.
  • Using the invariance relation on the bus

  48. The IEM with DGI. Power shared between 1 and 2 due to DGI algorithm. DGI system secure with respect to an Observer without DGI. The DGI algorithm can be represented in SPA as:
