Yee Wei Law (罗裔纬), ARC Research Network on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP), The University of Melbourne

  • Slide 1
  • Slide 2
  • References: A. Ginter, Smart Grid Security, guest lecture, CPSC 529 - Information and Network Security, University of Calgary, 2011. Sense of Security, Securing the Smart Grid, Smart Electricity World Conference, Melbourne, 2011. P. Will, IT and the Smart Grid, USC Information Sciences Institute, 2010.
  • Slide 3
  • Cyber-physical security: the study of the impact of cyber attacks on the physical processes of a control system, and the prevention or mitigation of these attacks. [Figure labels: corporate network; industrial control system (SCADA); cyber processes; physical processes; critical infrastructures: electricity grid, gas distribution network, sewage system, dams, telecommunications, hospitals, lighthouses, railroads.]
  • Slide 4
  • [Timeline figure: 2008, 2009, 2010, 2011, 2012]
  • Slide 5
  • 2011 CyberSecurity Watch Survey by CERT (Aug 2009 - Jul 2010): 58% of threats from outsiders (e.g., hackers); 21% of threats from insiders (employees or contractors); 55% say SCADA / operational control systems are targeted most often. Fact 1: insider attacks render cryptographic protection inadequate. Fact 2: control systems are prime targets.
  • Slide 6
  • United States Cyber Command (USCYBERCOM) embraces the philosophy of active defense. North Korea's No. 91 Office. South Korea teamed up with Korea University to establish a cyber-defense school. From Wikipedia: the world's largest hackers' school is the military school of FAPSI (Federal Agency of Government Communications and Information) in Voronezh, i.e., Voronezh Military Aviation Engineering University, Russia. China's Blue Army. [Image: FAPSI's coat of arms]
  • Slide 7
  • Outline: from power grid to smart grid; smart grid vs sensor network: conceptual similarities and differences; smart grid standards and guidelines; risk assessment; wide-area measurement system: threats and countermeasures; state estimation: threats and countermeasures; Automatic Generation Control (AGC): threats and countermeasures.
  • Slide 8
  • Australian Standard AS 60038-2000, standard voltages. Transmission: EHV 275 kV, 330 kV, 500 kV; HV 220 kV; MV 66 kV. Distribution: LV 11 kV, 22 kV. Smart Grid: the integration of power, communications, and information technologies for an improved electric power infrastructure serving loads while providing for an ongoing evolution of end-use applications.
  • Slide 9
  • Two main drivers: (1) sustainable generation, (2) sustainable return on investment in infrastructure. Steve Jetson, Smart meters helping industry save money by using energy efficiently, Sustainability and Technology Forum, 2011. Properties of a smart grid: motivates demand response; resilient to failures, disasters, attacks; accommodates distributed generation; quality-focused; resource-efficient.
  • Slide 10
  • [Figure, source: P. Will, IT and the Smart Grid, USC Information Sciences Institute, 2010.] Layer 1, energy infrastructure: cap banks, reclosers, switches, sensors, transformers, meters, storage, substation, wires, customers. Layer 2, communications infrastructure: fiber/MPLS, RF mesh, Home Area Network (HAN), broadband, WWAN, 3G cellular. Layer 3, computing / information technology: servers, data storage, web presentment, transactions, modeling, smart agents, intelligence. Layer 4, business applications (Smart Energy Web): generation / supply (solar monitoring & dispatch, backup generation, grid-to-vehicle / vehicle-to-grid, distributed generation, distributed storage); T&D (SCADA, T&D automation, load limiting, fault prediction, outage management, micro-grid); usage / demand (interval billing, load control, prepay, in-home displays, energy management systems, power quality management, grid appliances); security; energy information network.
  • Slide 11
  • Key technologies: communications, sensing, intelligence, the same pillars as wireless sensor networks. Wang et al., A survey on the communication architectures in smart grid, Computer Networks, vol. 55, pp. 3604-3629, 2011.
  • Slide 12
  • Similarities: a large number of nodes is both a boon (resilience) and a bane (every node is open to attacks); data-centricity means false data often has adverse consequences. Differences: in wireless sensor networks the control center is a single base station assumed to be secure; in the smart grid the control center is a fleet of interconnected components, only a few of which are assumed secure.
  • Slide 13
  • A complex computer system. Virus outbreak in Integral Energy's IT network (http://bit.ly/16wskS). Microsoft's shortcut bug exploited to attack grid control centres (http://bbc.in/d9usyE). [Figure labels: communication I/O controllers; open-access same-time information system; inter-control centre communication. Source: A. P. Sakis Meliopoulos, Power System Modeling, Analysis and Control, lecture notes, Georgia Institute of Technology.]
  • Slide 14
  • NERC CIP: identify critical assets; perimeter protection (firewalls, logging, remote access); host hardening, anti-virus, patching, etc. IEEE 1686, Substation IEDs Cyber Security Capabilities: passwords, alerts, audit logs. IEC 62351, Security of IEC communication protocols: encryption, authentication, spoofing resistance, intrusion detection. DHS Cyber Security Procurement Language for Control Systems. DHS Catalog of Control System Security: Recommendations for Standards Developers. ISA SP-99, Industrial Automation and Control Systems Security. ISA SP-100, Wireless Systems for Industrial Automation. American Gas Association (AGA) Report No. 12, Cryptographic Protection of SCADA Communications.
  • Slide 15
  • UCA International Users Group (ABB, Alstom, Cisco, etc.): Security Profile for Wide-Area Monitoring, Protection, and Control; AMI System Security Requirements. NIST 800-82: Guide to Industrial Control System Security. NIST IR 7628: Guidelines for Smart Grid Cyber Security ("The differences between information technology (IT), industrial, and Smart Grid security need to be accentuated..."). See also the reports: United States Government Accountability Office, Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed; Idaho National Laboratory, NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses. Resilient control system: a system that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected or malicious nature (Rieger et al., Idaho National Laboratory).
  • Slide 16
  • EU project CRUTIAL: security and resilience of SCADA systems. Enforces policies in a distributed manner: access control, intrusion tolerance, self-healing.
  • Slide 17
  • EU project VIKING: to enhance data integrity, reliability and resilience of SCADA systems, through the development and application of cyber-physical models (hybrid system models) for the interaction between the (cyber) IT systems and the (physical) power transmission and distribution systems. The Australian Government established the Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience to let business and government share vital information on security issues relevant to the protection of national critical infrastructure.
  • Slide 18
  • Simply speaking, risk = the probability and magnitude of an undesirable event. Risk assessment/analysis = the process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. The ultimate objective is to reduce total risk for a given expected return/utility. Most standards and guidelines stress the importance of risk assessment. The Australian Government advocates the use of AS/NZS ISO 31000:2009 by owners and operators of critical infrastructure.
  • Slide 19
  • Leitch says ISO 31000:2009 is unclear, leads to illogical conclusions if followed, is impossible to comply with, and is not mathematically based, having little to say about probability, data, and models. [Figure: risk map.] References: D. W. Hubbard, The Failure of Risk Management: Why It's Broken and How to Fix It, Wiley, 2009. M. Leitch, ISO 31000:2009 - The New International Standard on Risk Management, Risk Analysis, 30(6):887-892, 2010.
  • Slide 20
  • Multi-attribute utility theory: risk-versus-return curve (an example of a utility curve). Analytic Hierarchy Process (extension: Analytic Network Process): does not satisfy some statistical axioms, including transitivity; there is a problem with its mathematical foundation. References: C. A. Bana e Costa and J.-C. Vansnick, A critical analysis of the eigenvalue method used to derive priorities in AHP, European Journal of Operational Research, vol. 187, pp. 1422-1428, 2008.
  • Slide 21
  • Logical Reference Model (NIST IR 7628): 47 actors, 137 inter-actor interfaces. The power system is complex.
  • Slide 22
  • Energy management system: the central nervous system of a transmission grid; a suite of software tools for monitoring, controlling as well as optimizing generation and transmission operations. [Figure labels: distribution network; transmission network.]
  • Slide 23
  • [Figure, source: A. P. Sakis Meliopoulos, Power System Modeling, Analysis and Control, lecture notes, Georgia Institute of Technology, with a wide-area measurement system added.]
  • Slide 24
  • Attacker model/assumptions: core components (state estimator, automatic generation control) cannot be compromised, but their I/O can; all other components can be compromised. False data injection can lead to wrong estimated states, cascading failures, or widespread blackouts. General multilayered defence: cryptography (authentication + optionally encryption) against outsider attackers; redundancy + heterogeneity + intrusion detection.
  • Slide 25
  • Examples of phasor measurement units: ABB's RES521, Macrodyne's 1690, MiCOM P847. Applications: oscillation control, voltage control, frequency control, line temperature monitoring. NIST IR 7628 requirements: authentication, availability. [Figure label: GPS]
  • Slide 26
  • North American SynchroPhasor Initiative network architecture
  • Slide 27
  • Synchrophasors rely on GPS. GPS is vulnerable to jamming (weak signal) and spoofing (see Nighswander et al. 2012: T. Nighswander et al., GPS Software Attacks, CCS '12). Short-term solution: Enhanced Long Range Navigation (eLORAN). Long-term solution: atomic clocks. [Images: a LORAN transmitter; a portable GPS and mobile jammer]
  • Slide 28
  • IEC 61850-90-5 governs the IEC 61850-compliant transmission of IEEE C37.118-formatted WAMS data (PMU -> PDCs, PDC -> PDCs; further example: System Integrity Protection Scheme (SIPS)). It specifies GDOI (RFC 6407) for securing the distribution of group keys, and IPsec (RFC 4301) for securing IP multicast using group keys.
  • Slide 29
  • (1) Based on conventional digital signatures: signature amortization. (2) Multiple-time signature (MTS) schemes (incl. one-time): + packets individually verifiable, + resilient to packet loss, + small code, + lower computational cost (?), + lower memory cost (?), - long signatures. Well-known MTS schemes: Lamport; Perrig: BiBa, TESLA, µTESLA; Reyzin & Reyzin: HORS. References: J. Pieprzyk, H. Wang, and C. Xing, Multiple-time signature schemes against adaptive chosen message attacks, in Selected Areas in Cryptography, ser. LNCS, vol. 3006, pp. 88-100, Springer Berlin / Heidelberg, 2004.
  • Slide 30
  • Note: not all schemes support more than 2 signatures per epoch under the comparison constraint.
  • Slide 31
  • BiBa₀: best performer in signature length but has far poorer signing efficiency than the others. BiBa₁: slightly longer signatures but significantly better signing efficiency than BiBa₀. SCU+: efficient in signing and verification but requires far longer signatures than the others for the same security level. TSV+ is more efficient than TV-HORS in signature length for r = 1, but several orders of magnitude slower than TV-HORS in signing and verification. Despite its algorithmic simplicity, TV-HORS is a good performer in all categories. SCU and TSV do not offer clear advantages over BiBa. Yee Wei Law et al., WAKE: Key Management Scheme for Wide-Area Measurement Systems in Smart Grid, IEEE Communications Magazine, accepted 10 Oct 2012, to appear.
  • Slide 32
  • [Figure, source: A. P. Sakis Meliopoulos, Power System Modeling, Analysis and Control, lecture notes, Georgia Institute of Technology, with a wide-area measurement system added.]
  • Slide 33
  • State estimator: measurements, network topology processor, bad data detection. Possible insider attack: inject bad data to foil detection. Y. Liu et al., False data injection attacks against state estimation in electric power grids, Proc. 16th ACM Conference on Computer and Communications Security, 2009.
  • Slide 34
  • Attack scenario: given k compromised meters (RTUs/IEDs/PMUs), find a vector of k false values that bypass detection. [Figure: IEEE test systems; larger networks]
  • Slide 35
  • L. Xie, Y. Mo, and B. Sinopoli, False data injection attacks in electricity markets, in Proc. 1st International Conference on Smart Grid Communications, 2010. [Figure: IEEE 14-bus test system; a line that is actually congested is faked as not congested; the attacker earns $2/MWh here, loses $1/MWh here, and earns $1/MWh net.]
  • Slide 36
  • It is impractical to tamper-proof a whole PMU, for maintenance reasons, etc. Even if tamper-proofing all PMUs were achievable, it is impractical for all RTUs and IEDs. Using redundant PMUs could reduce the risk, but is also costly. Most (academic) research so far has designed attacks under different constraints. We are investigating anomaly detection methods to detect false data. Stewart et al., Synchrophasor Security Practices, white paper: a multilayered architecture with a perimeter network, firewall + VPN.
  • Slide 37
  • The attacker exploits assumptions about bad data: the χ² test assumes bad data cause errors that are not Gaussian; the largest normalized residual test assumes bad data cause measurement residuals that are not Gaussian distributed. Among the latest solutions: Bobba et al.'s solution determines the critical PMUs and makes them tamper-resistant; Vuković et al.'s solution assumes a core subset of substations is beyond attack, and espouses multipath routing. State estimation: a secure centralized estimation problem. Multi-area state estimation: a secure distributed estimation problem (linear time-invariant average consensus, i.e., linear consensus). Selected references: R. B. Bobba, K. M. Rogers, Q. Wang, H. Khurana, K. Nahrstedt, and T. J. Overbye, Detecting False Data Injection Attacks on DC State Estimation, in First Workshop on Secure Control Systems, ser. SCS, 2010. O. Vukovic, K. C. Sou, G. Dan, and H. Sandberg, Network-layer protection schemes against stealth attacks on state estimators in power systems, 2011 IEEE International Conference on Smart Grid Communications (SmartGridComm), pp. 184-189, 2011. S. Zheng et al., Robust State Estimation Under False Data Injection in Distributed Sensor Networks, in IEEE GLOBECOM 2010.
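The residual-based bad data detection of slides 33, 34 and 37, as an added example that is not part of the slides: a DC state estimator with a χ² test on a constructed 3-bus system, showing that the test catches a gross meter error but has a blind spot for an injection lying in the column space of H, and the Bobba et al.-style check that protecting a basic set of measurements closes that blind spot. The bus model, noise sample, σ and threshold are all constructed assumptions.

```python
# Added example (not from the slides): DC state estimation with a chi-square
# bad-data test, and the check that a protected measurement set blocks
# stealthy injections. Pure Python, constructed 3-bus system.

# Constructed 3-bus DC model: bus 1 is the reference (theta1 = 0), the state
# is x = [theta2, theta3], all line susceptances are 1 p.u. Rows of H are the
# measurements P12, P13, P23 (line flows) and P1, P2 (bus injections).
H = [
    [-1.0,  0.0],   # P12 = theta1 - theta2
    [ 0.0, -1.0],   # P13 = theta1 - theta3
    [ 1.0, -1.0],   # P23 = theta2 - theta3
    [-1.0, -1.0],   # P1  = P12 + P13
    [ 2.0, -1.0],   # P2  = -P12 + P23
]
TRUE_STATE = [0.10, -0.20]
SIGMA = 0.01                                    # assumed meter noise std. dev.
NOISE = [0.004, -0.003, 0.002, -0.005, 0.003]   # constructed noise sample
CHI2_THRESHOLD = 7.815   # chi-square, m - n = 5 - 2 = 3 d.o.f., 95% level

def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) for row in A]

def wls_estimate(H, z):
    """Least-squares estimate x_hat = (H^T H)^-1 H^T z for a two-state model
    (all meters have the same sigma, so the weights cancel)."""
    g = [[sum(r[i] * r[j] for r in H) for j in range(2)] for i in range(2)]
    b = [sum(r[i] * zi for r, zi in zip(H, z)) for i in range(2)]
    det = g[0][0] * g[1][1] - g[0][1] * g[1][0]
    return [(g[1][1] * b[0] - g[0][1] * b[1]) / det,
            (g[0][0] * b[1] - g[1][0] * b[0]) / det]

def chi2_statistic(H, z):
    """J(x_hat) = sum_i ((z_i - h_i(x_hat)) / sigma)^2, the bad-data statistic."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, wls_estimate(H, z)))]
    return sum((ri / SIGMA) ** 2 for ri in r)

def bad_data_detected(H, z):
    return chi2_statistic(H, z) > CHI2_THRESHOLD

def stealth_blocked(H, protected_rows):
    """Bobba et al.'s condition: if the protected rows of H have full column
    rank, every injection a = H c with c != 0 alters a protected measurement,
    so an attacker who cannot touch those meters cannot stay inside the
    residual test's blind spot. Rank test for two columns: a non-zero 2x2 minor."""
    P = [H[i] for i in protected_rows]
    return any(abs(P[i][0] * P[j][1] - P[i][1] * P[j][0]) > 1e-12
               for i in range(len(P)) for j in range(i + 1, len(P)))

def demo():
    z = [h + n for h, n in zip(matvec(H, TRUE_STATE), NOISE)]
    gross = list(z)
    gross[2] += 0.5                  # meter P23 reports a gross error
    c = [0.3, -0.1]                  # state shift an insider wants to induce
    structured = [zi + ai for zi, ai in zip(z, matvec(H, c))]   # a = H c
    return {
        "clean": bad_data_detected(H, z),                # False
        "gross": bad_data_detected(H, gross),            # True: test works
        "structured": bad_data_detected(H, structured),  # False: blind spot
        "blocked": stealth_blocked(H, [0, 1]),           # True: protect P12, P13
    }
```

Protecting only a single meter (e.g. `stealth_blocked(H, [2])`) is not enough: the protected rows must span the state space, which is why Bobba et al. select a basic measurement set rather than an arbitrary one.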
  • Slide 38
  • [Figure, source: A. P. Sakis Meliopoulos, Power System Modeling, Analysis and Control, lecture notes, Georgia Institute of Technology, with a wide-area measurement system added; labels: rotor angle, voltage, frequency.]
  • Slide 39
  • Most standards tolerate a deviation from nominal frequency of only 1%. Three levels of control: simple electro-mechanical proportional feedback control (leaves a steady-state error residue); load-frequency control; manual control. AGC regulates system frequency and maintains power interchanges via the tie line at scheduled values. [Figure labels: load, system frequency; control area 1, control area 2, control area 3, tie line.] G. Anderson, Dynamics and control of electric power systems, lecture notes 227-0528-00, ETH Zürich, February 2010.
  • Slide 40
  • AGC is one of the few automatic closed loops between the IT department and the power system. Effects of a successful attack: oscillatory growth in phase angle difference; oscillatory growth in interchanged power. References: P. M. Esfahani et al., A Robust Policy for Automatic Generation Control Cyber Attack in Two Area Power Network, in IEEE Conference on Decision and Control, Atlanta, Dec. 2010. P. M. Esfahani et al., Cyber Attack in a Two-Area Power System: Impact Identification using Reachability, in American Control Conference, Baltimore, MD, USA, Jun. 2010. Y. W. Law et al., Security games and risk minimization for automatic generation control in smart grid, in J. Grossklags and J. Walrand, editors, Proc. 3rd Conference on Decision and Game Theory for Security (GameSec 2012), volume 7638 of LNCS, pp. 281-295, Springer Heidelberg, 2012.
  • Slide 41
  • [Figure labels: Area 1, Area 2; underfrequency load shedding; centralized vs distributed; 1/R; control area 1, control area 2, tie line.]
  • Slide 42
  • A frequency deviation exceeding a threshold triggers the overfrequency/underfrequency protection relays: when the frequency deviation rises above 1.5 Hz, overfrequency relays start tripping thermal plants; when the frequency deviation drops below 0.35 Hz, underfrequency relays shed load. Goal: to model and quantify the risks posed by an attacker whose intention is to inflict revenue loss on the electricity provider by injecting false data into the automatic generation controller in the hope of triggering load shedding. S. K. Mullen, Plug-In Hybrid Electric Vehicles as a Source of Distributed Frequency Regulation, Ph.D. thesis, University of Minnesota, 2009.
  • Slide 43
  • Motivation: model the interaction between attacker and defender to derive an optimal defense strategy (optimal resource allocation). Terminology: matrix game: multi-agent, single-state (zero-sum: matrix games; nonzero-sum: bi-matrix games). Markov decision process: single-agent, multi-state. Stochastic/Markov game: multi-agent, multi-state. Security game: two-agent, noncooperative, zero-sum; risk model. Dynamic programming. M. Bowling and M. Veloso, Multiagent learning using a variable learning rate, Artificial Intelligence, vol. 136, pp. 215-250, 2002.
  • Slide 44
  • The transition probability is determined by the state transition matrix M. A cost (from the defender's perspective) of G_{a,d}(s(t)) is incurred by actions a and d, thus constituting the game matrix. Attacker action space: Defender action space: Attacker strategy:
  • Slide 45
  • Saddle-point strategy; Bellman equations.
  • Slide 46
  • Solve for the saddle-point strategy: minimum upper bound for cost.
  • Slide 47
  • Risk state.
  • Slide 48
  • [Model components: generators, transmission lines, turbine governors, energy management system, underfrequency load shedding relays.]
  • Slide 49
  • [Figure labels: AGC (integral controller); attacker.]
  • Slide 50
  • [Figure labels: AGC (integral controller); attacker.]
  • Slide 51
  • Countermeasures: redundancy; saturation filter; detection by clustering (data that form more than one cluster are suspicious). [Figure labels: AGC (integral controller); 3.5 Hz; -4.5 Hz; time.]
  • Slide 52
  • [Figure labels: zero gain/loss for attacker/defender; expected total load shed.]
  • Slide 53
  • Disinfection model: the AGC software reads frequency samples alternately from two meters, through a saturation filter. [Figure: if Meter 1 is detected to be compromised here... it will be disinfected by this instance; labels: redundancy measure, saturation filter.]
  • Slide 54
  • Attacker actions: a1: falsify N/2 frequency samples for overcompensation; a2: falsify N frequency samples for overcompensation. Defender actions: d1: hypothetical detection algorithm with detection probability; d2: hypothetical detection algorithm with detection probability. N=20 1 =0.2 1 =0.8127 2 =20 2 =0.5203 0.2
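The redundancy, saturation filter and clustering defence of slides 51 to 54, as an added example that is not part of the slides: the AGC reads N = 20 samples alternately from two meters through a saturation filter, a one-dimensional gap-based clustering flags windows whose samples form more than one cluster, and the meter that supplied every outlying sample is named as the one to disinfect. The saturation window, the cluster gap and both meters' sample series are constructed assumptions.

```python
# Added example (not from the slides): redundancy + saturation filter +
# clustering detection for AGC frequency samples, on constructed data.

NOMINAL_HZ = 50.0
# Assumed saturation window: samples outside it are clipped before the AGC
# integrator sees them (the exact bounds are an assumption, not slide 51's).
SAT_LOW_HZ, SAT_HIGH_HZ = 48.5, 51.5
N = 20                      # samples per AGC window (slide 54 uses N = 20)

def saturate(f_hz):
    """Saturation filter: clamp a frequency sample into the allowed window."""
    return max(SAT_LOW_HZ, min(SAT_HIGH_HZ, f_hz))

def read_alternately(meter1, meter2):
    """Redundancy measure: the AGC reads samples alternately from two meters.
    Returns (meter_id, filtered_sample) pairs in the order they were read."""
    samples = []
    for i in range(N):
        src = 1 if i % 2 == 0 else 2
        raw = meter1[i // 2] if src == 1 else meter2[i // 2]
        samples.append((src, saturate(raw)))
    return samples

def split_clusters(samples, gap_hz=0.25):
    """1-D clustering: sort by value and split wherever two neighbouring
    samples are more than gap_hz apart. Returns a list of clusters."""
    ordered = sorted(samples, key=lambda s: s[1])
    clusters, current = [], [ordered[0]]
    for prev, cur in zip(ordered, ordered[1:]):
        if cur[1] - prev[1] > gap_hz:
            clusters.append(current)
            current = []
        current.append(cur)
    clusters.append(current)
    return clusters

def suspicious_meter(samples, gap_hz=0.25):
    """Slide 51's rule: data forming more than one cluster are suspicious.
    Returns the id of the meter that supplied every sample outside the
    majority cluster, or None when the data form a single cluster or the
    outlying samples come from both meters (no single meter to disinfect)."""
    clusters = split_clusters(samples, gap_hz)
    if len(clusters) == 1:
        return None
    majority = max(clusters, key=len)
    outliers = [s for c in clusters if c is not majority for s in c]
    sources = {src for src, _ in outliers}
    return sources.pop() if len(sources) == 1 else None

# Constructed data: meter 1 is honest; meter 2 has half of its N/2 samples
# falsified upward (attacker action a1, overcompensation), one of them far
# enough out of range that the saturation filter clips it to 51.5 Hz.
HONEST = [50.00, 50.01, 49.99, 50.02, 49.98, 50.01, 50.00, 49.99, 50.01, 50.00]
TAMPERED = [50.00, 50.9, 49.99, 50.9, 50.01, 53.0, 50.00, 50.9, 49.98, 50.9]

def demo():
    return {"attack": suspicious_meter(read_alternately(HONEST, TAMPERED)),  # 2
            "clean": suspicious_meter(read_alternately(HONEST, HONEST))}     # None
```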
  • Slide 55
  • [Figure: a sample snapshot; reads from compromised meter 1; reads from compromised meter 2.]
  • Slide 56
  • Slide 57
  • Slide 58
  • Response to attacks: what to do if a control area (say 1) is compromised? Reroute power to bypass control area 1? Replace the surrounding environment of the AGC? [Figure labels: control area 1, control area 2, control area 3, tie line.] Distributed AGC vs decentralized AGC. Distributed AGC: communication between control areas; faster convergence; few existing schemes; susceptible to DoS attacks on the communication infrastructure; signal processing and machine learning to detect anomalies in messages. Decentralized AGC: no communication between control areas; slower convergence; hundreds of existing schemes; no communication infrastructure cost; signal processing techniques to detect oscillations in tie-lines.
  • Slide 59
  • Resilience and false data injection are important issues for both sensor networks and the smart grid. Smart grid research so far has focused on attacks; it highlights the importance of security measures without prescribing any: there is no universally recognized attack model and no common solution. Fusion of multi-disciplinary techniques: security + control = secure control [Cardenas et al. 2008], security concepts formalized in control theory; AI techniques are expected to play an increasingly important role; multilayered defense with crypto on the front line. References: A. Cardenas, S. Amin, and S. Sastry, Secure Control: Towards Survivable Cyber-Physical Systems, in 28th International Conference on Distributed Computing Systems Workshops, ser. ICDCS, Jun. 2008, pp. 495-500. H. J. LeBlanc and X. D. Koutsoukos, Consensus in networked multi-agent systems with adversaries, in Proc. 14th International Conference on Hybrid Systems: Computation and Control (HSCC '11), pp. 281-290, ACM, 2011. S. Sundaram and C. N. Hadjicostis, Distributed Function Calculation via Linear Iterative Strategies in the Presence of Malicious Agents, IEEE Transactions on Automatic Control, vol. 56, no. 7, pp. 1495-1508, July 2011.
  • Slide 60
  • Email: [addresses obfuscated in source]. URL: wsnlabs.com