Information Flow Properties for Security in Cyber- Physical Systems Bruce McMillin, Ph.D., Sr. Member IEEE Dir Center for Information Assurance Department.

Information Flow Properties for Security in Cyber-Physical Systems

Bruce McMillin, Ph.D., Sr. Member IEEEDir Center for Information Assurance

Department of Computer ScienceMissouri University of Science and

Technology(Formerly the University of Missouri-Rolla)

Rolla, MO 65409-0350 - USA(work done by Ravi Akella, Han Tang,

Thoshitha Gamage, and Tom Roth)

Introduction: Cyber-Physical System• Modern Infrastructures consist of Cyber and

Physical Components– Smart Houses, – Air Transport, – Vehicle Transport, – Smart Structures, – Oil and Gas Pipelines, – Distributed Energy Resources, …

• All have an inherent commonality – Physical Actions integrated with Computation.

• Cyber Physical Systems (CPSs) are integrations of computation with physical processes.– National Science Foundation (US)– Artemis (EU)

My topics for you today

• Smart Grid – Smart Distribution/Green Energy

• CPS Flow Security Basics• Smart Grid Security

– Modeling and Analysis– Mitigation

Cyber-Enabled Smart Distribution

• Smart Grid – Automated Meter Reading (AMR)– Demand Side Management

• Centralized Supervisory Control And Data Acquisition (SCADA)

• Electric Utility Control

• Smart Grid Version 1 Source, Monitor Mapboard Systems

Scalability, fault management, security and privacy

Cyber-Enabled Smart Distribution Systems and Micro Grids

• Move away from Centralized SCADA– Distributed Control

• Advanced Power Electronics – Finer-grained control over physical entities– Schedulable entities

• Design Issues– Complex and unpredictable interactions between

the cyber and physical processes– Information flow across the cyber-physical

boundaries

Security and Privacy

Would you sign up for a discount with your power company in exchange for surrendering control of your thermostat? What if it means that, one day, your auto insurance company will know that you regularly arrive home on weekends at 2:15 a.m., just after the bars close? (MSNBC Red Tape Chronicles 2009)

Future Renewable Electric Energy Delivery

and Management (FREEDM) – NSF ERCAn efficient and revolutionary power grid utilizing revolutionary power electronics technology and information technologyDecentralized management integrating distributed and scalable alternative energy sources and storage with existing power systems

Shipping 250M pcs/yr.

Ubiquitous ownership

Ubiquitous use

Ubiquitous sharing

Pre-1980s

Internet

Paradigm Shift

Distributed ComputingCentralized Mainframes

Innovation & Industry

Transformation

Ubiquitous sales

Ubiquitous ownership

Ubiquitous use

Ubiquitous sharing

Today

Centralized Generation100+ year old technology

New energy companies based on IT and power

electronics technologies

Paradigm Shift

FREEDM System

Innovation & Industry

Transformation

Distributed RenewableEnergy Resources (DRER)New technologies

for distributed renewable energy

The FREEDM Concept – Smart Grid IDistribution

• Distributed Intelligence– People share

energy resources

– Neighborhood or industrial level

– Where is the centralized controller?

ESD

User Interface

Distributed Grid Intelligence (DGI)FREEDM

Substation

12kV

120 V

Market & Economics

69kV

IEM

AC

AC

IFM IFM

IFM

LOAD DRER DESD

IEM

AC

AC

LOAD DRER DESD

IEM

AC

AC

3Φ 480V

RSC

Legacy grid

• IEM and IFM nodes each run a portion of the DGI to manage their own resources

• Coordinate to control the whole as a Distributed Algorithm

IEM: Intelligent Energy Management IFM: Intelligent Fault Management

DRER: Distributed Renewable Energy Resource DESD: Distributed Energy Storage Device

13

Schedulable Entity

….Advanced Power Electronics….

The Solid State Transformer

Inside an IEM Node

• Solid State Transformer (SST)– Power Electronics– Schedulable Entity

SH5

SH7

SH6

SH8

S1

S3 S4

SH1

SH3 SH4

SH2 S2

Low Voltage H-Bridge

+

-

+

-

400V DC

High Frequency

Transformer

AC/DC Rectifier DC/DC Converter DC/AC Inverter

High Voltage H-Bridge

High voltage H-Bridge

12kVDC

7.2 kV AC

120V / 240V AC

LLs

Cs

CsLs

Port 1

Port 2

How to use it?

17

• Each FREEDM IEM node runs a portion of the DGI to manage its own resources

• Power Management– Load Balance DESD, DRER,

and LOAD– Control and react to the SST– Migrate power through the

Gateway that connects an SST to the system shared bus.

Distributed Grid Intelligence Within the Context of FREEDM

Distributed Power Balancing

• Correctness: Keep all IEM nodes’ “balanced” in terms of Supply and Demand and minimize energy cost

• Pass messages negotiating load changes until the system has stabilized

• Global optimization decomposed into individual processes that cooperate to meet the global correctness.

XActual = XLoad − XDRER

System Load State

XActual < 0 Low (Supply)

XActual > Threshold High (Demand)

0<=XActual <=Threshold Normal

19

DGI Power Balancing Algorithm

20

IEM 0

IEM 0 20.551 L

IEM 1 H

::

IEM n H

IEM 1

IEM 0 N

IEM 1 32.834 H

::

IEM n N

IEM n

IEM 0 N

IEM 1 H

::

IEM n 30.721 H

IEM 0

IEM 0 25.551 N

IEM 1 N

::

IEM n H

IEM 1

IEM 0 N

IEM 1 27.834 N

::

IEM n N

IEM n

IEM 0 L

IEM 1 H

::

IEM n 30.721 H

I CAN SUPPLY

Migrate 1 quantum of Power per successful request

More Critical need

Lesser need

After Load Balancing

Optimality?

• G = Σ XActual = Σ XLoad,i - ΣXDRER,j

n, Local Load – m, Local Capacity

• Adding Costs– CostLow = 100 X∗ DRER + XDESD

• General Problem is to serve G while minimizing overall cost– Knapsack Problem– Pack a knapsack with m items each with cost, maximizing cost

subject to the constraints of supply and load.– NP Hard

Optimality?

• Least Cost Fractional Knapsack Algorithm– Given ε > 0, C = lowest cost resource, m sources, K = εC/m– For each source si, define cost’(si ) = floor (cost(si)/K)

– Add up to K entries of each source in increasing order of cost’ into the set S’ such that Σs in S’ cost’(s) ≤ Σ XLoad,i.

– Output S’, the least cost set.

• Cost (S’) ≤ (1+ ε ) · OPT

23Test 203: 3-node migration

Test 203: Two IEM nodes supplying with cost function

IEM02 and IEM03 both migrate power to IEM01

Distributed Grid Intelligence• Distributed Long and Short Term Control• Distributed Systems Management

– Distributed Group Management– State Maintenance

• Simulation Architectures• Power Economics Models and Control• Fault Tolerance of Cyber-Physical system• Security – Confidentiality, Integrity, and Availability of

Cyber-Physical system• Resilience - Robust Distributed System

– Formal Correctness– Usability as an autonomous system

Motivation: Why is this a problem

2003 Midwest Blackout 2010 Stuxnet Worm Attack

• Caused by a cascading failure in power lines

• An estimated 50 million people affected by the outage lasting up to 4 days

• $4 – 10 billion economical loss in U.S. 0.7% gross production loss in Canada

• A Rootkit which injects a malicious controller program to PLCs

• Capable of manipulating cyber and physical components for its own purposes

• An estimated 100,000 hosts in over 30,000 organizations from over 155 countries affected

Formal Information Flow Theory

Modeling and Analysis

Access Control Flow-based Security• Restricts access to

information and resources

• Cannot restrict information propagation after read

• Access grants need to be given only to processes guaranteed not to leak confidential data [SM03]

• Restricts flow of information between partially ordered security clearances

• Prevent unintended high-level (secure/private) domain information disclosures to the low-level (open/public) domain

System Security: Primary Approaches

Cannot

identify such

processes

High-level Domain

Low-level Domain

Information Flow Models

• FREEDM contains Power Electronics Devices that perform physical actions that are observable

• Cannot keep these secret – loss of confidentiality/privacy• Some other models

– Non-Interference• High-level events do not interfere with the low level

outputs– Non-Inference

• Removing high-level events leaves a valid system trace

– Non-Deducibility• Low-level observation is compatible with any of the

high-level inputs.

Microgrid ObservabilityFred and Barney

• Share Resources and Make a Profit

• Fred Gets Greedy– Stores wind energy and sells on

his own• Barney Gets Suspicious

– Observes Fred’s wind and power draw from utility

– If the wind isn’t blowing and Fred is selling to the grid, Fred is dishonest

– If the wind is blowing, Barney cannot deduce anything

(Formal) Information Flow Models

Information Flow Models

• A unified approach to deal with CPSs is necessary that can encompass the cyber and physical events

• We propose a process algebraic approach adopted to analyze the information flow in CPSs

• Security process algebra provides an abstract description for nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High)

• Using process algebra, bisimulation provides a formal method to determine nondeducibility.

Information Flow Security for CPSProcess Algebra Approach

A system E is BNDC if for every high level process ∏, a low level user cannot distinguish E from E|∏

E| ∏ : Parallel Composition of E1& ∏ where executions of the two systems are interleaved

Bisimulation-based NonDeducibility on Composition (BNDC)

Case Study: Gas Distribution Network

• Physical limitation

• Changes in one section of the pipeline is visible to others

Case Study: Gas Distribution Network

• LTC B changes flow

• Aggregated change of the system to re-stabilize

Val(fb) Val(fc) Val(fa)

0 0 0

k 0 k

k/2 0 k/2

0 k/2 k/2

k k/2 3k/2

k/2 k/2 k

0 k k

k k 2k

k/2 k 3k/2

System based on partitions

High Level

Low Level

Communications

Uniform Semantic Representation

• SPA – Security Process Algebra• CoPS – Checker of Persistent Security

– BNDC– SBNDC

bi Action

(Action1 | Action2)

bi Action1

(A_Writes | C_Writes)\L

bi Action2

(B_Writes)\L

bi State

(State_1 | State_2 | State_3 | State_4 | State_5 | State_6)\L

bi State_1

w_a.'val_1.State_1 + w_b.'val_2.State_1 + w_c.'val_2.State_1bi A_Writes

change_a.'w_a.State

bi B_Writes

change_b.'w_b.State

bi C_Writes

change_c.'w_c.State

//bi Stable NULL

basi L

w_a w_b w_c //values to be protected

basi N

val_1 val_2 val_3 //discrete values possible

acth

change_a change_b change_c //readings at cyber level

val_1 val_2 val_3

Protection of flow between A and B against C

Bisimulation oTwo processes are weakly bisimilar if they are able to mutually simulate their behavior step by step.

oIn a weak bisimilarity relation, internal silent actions (τ) between processes is ignored.

E1 and E2 are bisimilar and they both simulate E3

E3 is not bisimilar to E1

Strong BNDC (SBNDC)

The system before and after execution of a high level event remains indistinguishable to the low level domain

E

E’’\H

E’

E’\H

E’’h

Simplification of SBNDC: Bisimulation up to H

The problem of verifying weak bisimulation for all high level transitions of the system can be transformed into finding a bisimulation up to H relation

E E\H

Inherent ObfuscationElectrical Network

• Flow in a controllable circuit• Kirchhoff’s Laws

57

In a series connection network with only two(2) configurable units, placement of any number of observers preserves Nondeducibility.

58

A series circuit with n >= 2 configurable units is fully deducible, with a minimum of n distinct readings and n -1 observers

59

In a base parallel-connected circuit with two parallel resistors, any combination of two observers is sufficient to fully deduce the circuit

60

For a pure parallel circuit with n parallel resistors, a minimum of n “strategically located” observers are required to fully deduce the circuit.

`

Microgrid Observability

• “Dumb” System from an Observer is Nondeducibility Secure

• Dumb System from an External Observer is NOT Nondeducibility Secure (if we can see everything)

• Confidentiality with no DGI

• Power flow in the shared power bus is an invariant function of individual gateway loads of the participating nodes and the draw from or contribution to the utility grid

• Such a system can be defined as below:

• External observer with limited observability or with a few gateway readings cannot deduce operation (no DGI)

Low = {DRER}High = { , Load, XSST , , , Gateway}For any high level process Π, say, XSST .Gateway or . XSST

(NodenoDGI |Π)\H ≡ {DRER}

NodenoDGI \H ≈B (NodenoDGI |Π) \H ∀ Π ∈ E.

DRER DESD Load

DESD

• External observer with total observation of gateways can deduce operation.– Using the invariance relation on

the bus

• DGI system secure with respect to an Observer without DGI

• The DGI algorithm can be represented in SPA as:

• The IEM with DGI

Power shared between 1 and 2 due to DGI algorithm

SBNDC for FREEDM

The system before and after execution of a high level event remains indistinguishable to the low level domain

E

E’’\H

E’

E’\H

E’’h

SBNDC for FREEDM

o Such processes can be modified to satisfy SBNDC by inserting a complementary High level output, to make an internal action (τ) that is not observable

o Such compensating events hide the physically observable effects

d

d

• Observer with DGI is not non-deducibility secure– Demand

• Trace the load table within the DGI - refusals

– Supply• Knows about

nodes in Demand state

Confidentiality with DGI

• Malicious DGI process– Manipulates load table to

ascertain other DGI states

• IEM03’s observer deduces IEM01 is in a demand state

• IEM01’s observer can deduce that IEM02 and later, IEM03 are in a supply state.

Threats to DGI

Execution Monitoring

Mitigation

Confidentiality Violation

Confidentiality: Preventing unauthorized access or/and disclosure of protected resources

Confidentiality Violation

• Sequence of Actions

• What Low-level users should see

• What they actually see

Event

Confidentiality

Violated

Solution: What is required• A security mechanism that can,

– Execution Monitoring: Monitor execution steps of the target system during runtime and detect security property violations

– Safety Property: Able to identify action(s) causing the violation

– Event Compensation: Able to calculate corrective actions that can maintain functional integrity

– Emulation and Enforcement: Able to execute corrective actions in a timely coordinated manner

• Encode and capture system semantics to a security model– Account for cyber-physical interactions

EM Enforceable Security • Alpern-Schneider Framework: Every system property is

either a Safety or a Liveness property or the intersection [AS84]

• Safety: Nothing bad happens during execution

• Only safety properties can be EM enforced [Sc00]• Enforced using a security automata

– Terminate execution upon detecting a violation

But……

• Information Flow Security Properties are, – Not Safety Properties; sets of execution sets

[Mc94] – Decision to terminate can not be based on a

single execution– Cannot be enforced using Schneider’s

security automata

Existing EM enforceable mechanisms need to be extended

• Restore the system back to a previous safe state– Cannot reverse a physical consequence of a

cyber action• Insert new actions to correct the violation

– Correct the violation while maintaining the functional integrity

What to do when a violation is detected?

Event Compensation• Insert corrective actions at the point where an execution

violates a given security property– This model considers Nondeducibility security

• Formalize this concept as information flow safe state transitions

• Research Contributions– EM Security Automata [Sc00] + IFP + Edit Automata

[LBW05] + Emulator [NW06] = Compensate Automata– Maintain functional integrity while preserving IFPs– Capture cyber-physical interaction as system semantics

Compensating Couple• Two compensating commands appended to an existing

information flow safe sequence– Existing Trace: – Compensating Couple: – Extended Trace

• Generalization– Compensating sequence:

• Compensated State Sequence

• Rearranged Action SequenceCoordinated High-level Actions

• Compensating Coupleo Both commands issued by

high-level domain userso Obfuscate observable

effects in the low-level domain

Stuxnet – Rearranges the

action sequence so the operator a DGIc

– never sees anything

• Traces

• Low-level projections

• Compensated projection

• Compensating Couple

Obfuscation by Compensation

Formal Model: Compensation Automata

Period of Vulnerability System exhibits vulnerability

to information flow safety during transition

This period can be minimized by cyber level synchronization

Time Domain Response

• Security Issues for Cyber and Physical Systems– Distributed “Smart Grid”– Confidentiality and Privacy – Formal Models –

• non-deducibility• compensation

• Consumer Acceptance and Usage– Social Science

AcknowledgementsThis work was supported in part by the Future Renewable Electric Energy

Distribution Management Center; a National Science Foundation supported Engineering Research Center, under grant NSF EEC-0812121 and NSF CSR award CCF-0614633 and the Missouri S&T Intelligent Systems Center.

Wrap Up

Read more about it

• FREEDM (freedm.ncsu.edu) A. Huang, “Renewable energy system research and education at the NSF FREEDM systems center,” in Power & Energy Society General Meeting, 2009. PES '09. IEEE, July 2009, pp. 1–6.

• Cascading failures and FACTS (filpower.mst.edu) K. Wang, M. Crow, B. McMillin, and S. Atcitty, “A novel real-time approach to unified power flow controller validation,” Power Systems, IEEE Transactions on, vol. 25, no. 4, pp. 1892 –1901, Nov. 2010.

• Information Flow and Verification: R. Akella, H. Tang, and B. McMillin, “Analysis of information flow security in cyber-physical systems,” International Journal of Critical Infrastructure Protection, vol. 3-4, pp. 157–173, December 2010.

• R. Akella and B. McMillin, “Information flow analysis of energy management in a smart grid,” in Proc. of the Int'l Conf. on Computer Safety, Reliability and Security (SAFECOMP'10). Springer-Verlag, Berlin, Heidelberg, September 2010, pp. 263–276.