Yee Wei Law
ARC Research Network on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP), The University of Melbourne
Slide 2
- A. Ginter, Smart Grid Security, guest lecture, CPSC 529 - Information and Network Security, University of Calgary, 2011.
- Sense of Security, Securing the Smart Grid, Smart Electricity World Conference, Melbourne, 2011.
- P. Will, IT and the Smart Grid, USC Information Sciences Institute, 2010.
Slide 3
Critical infrastructures: electricity grid, gas distribution network, sewage system, dams, telecommunications, hospitals, lighthouses, railroads
Corporate network -> industrial control system (SCADA) -> cyber processes -> physical processes
Cyber-physical security: the study of the impact of cyber attacks on the physical processes of a control system, and the prevention or mitigation of these attacks
Slide 4
[Figure: chart with years 2008, 2009, 2010, 2011, 2012 on the axis]
Slide 5
2011 CyberSecurity Watch Survey by CERT (Aug 2009 - Jul 2010):
- 58% of threats from outsiders (e.g., hackers)
- 21% of threats from insiders (employees or contractors)
- 55% say SCADA / operational control systems are targeted most often
Fact 1: Insider attacks render cryptographic protection inadequate
Fact 2: Control systems are prime targets
Slide 6
- United States Cyber Command (USCYBERCOM) embraces the philosophy of active defense
- North Korea's No. 91 Office
- South Korea teamed up with Korea University to establish a cyber-defense school
- From Wikipedia: the world's largest hackers' school is the military school of FAPSI (Federal Agency of Government Communications and Information) in Voronezh, i.e., Voronezh Military Aviation Engineering University, Russia
- China's Blue Army
[Image: FAPSI's coat of arms]
Slide 7
- From power grid to smart grid
- Smart grid vs sensor network: conceptual similarities and differences
- Smart grid standards and guidelines
- Risk assessment
- Wide-area measurement system: threats and countermeasures
- State estimation: threats and countermeasures
- Automatic Generation Control (AGC): threats and countermeasures
Slide 8
Australian Standard AS 60038-2000, standard voltages:
- Transmission: EHV 275 kV, 330 kV, 500 kV; HV 220 kV; MV 66 kV
- Distribution: LV 11 kV, 22 kV
Smart Grid: the integration of power, communications, and information technologies for an improved electric power infrastructure serving loads while providing for an ongoing evolution of end-use applications.
Slide 9
Two main drivers: (1) sustainable generation, (2) sustainable return on investment in infrastructure
- Motivates demand response
- Resilient to failures, disasters, attacks
- Accommodates distributed generation
- Quality-focused
- Resource-efficient
Steve Jetson, Smart meters helping industry save money by using energy efficiently, Sustainability and Technology Forum, 2011.
Slide 10
Smart Energy Web (source: P. Will, IT and the Smart Grid, USC Information Sciences Institute, 2010):
1. Energy infrastructure: cap banks, reclosers, switches, sensors, transformers, meters, storage, substation, wires, customers
2. Communications infrastructure: energy information network, fiber/MPL, RF mesh, home area network (HAN), broadband, WWAN/3G cellular
3. Computing / information technology: servers, data storage, web presentment, transactions, modeling, smart agents, intelligence
4. Business applications:
   - Generation / supply: solar monitoring & dispatch, backup generation, grid-to-vehicle / vehicle-to-grid, distributed generation, distributed storage
   - T&D: SCADA, T&D automation, load limiting, fault prediction, outage management, micro-grid
   - Usage / demand: interval billing, load control, prepay, in-home displays, energy management systems, power quality management, grid appliances
   - Security
Slide 11
Key technologies: communications, sensing, intelligence - the same pillars as wireless sensor networks
Wang et al., A survey on the communication architectures in smart grid, Computer Networks, vol. 55, pp. 3604-3629, 2011.
Slide 12
Similarities:
- Large number of nodes: both a boon (resilience) and a bane (every node is open to attacks)
- Data-centricity means false data often has adverse consequences
Differences:
- Smart grid: the control center is a fleet of interconnected components, only a few of which are assumed secure
- Wireless sensor networks: the control center is a single base station assumed to be secure
Slide 13
A complex computer system (source: A. P. Sakis Meliopoulos, Power System Modeling, Analysis and Control, lecture notes, Georgia Institute of Technology): communication I/O controllers, open-access same-time information system, inter-control centre communication
- Virus outbreak in Integral Energy's IT network: http://bit.ly/16wskS
- Microsoft's shortcut bug exploited to attack grid control centres: http://bbc.in/d9usyE
Slide 14
- NERC CIP: identify critical assets; perimeter protection (firewalls, logging, remote access); host hardening, anti-virus, patching, etc.
- IEEE 1686, Substation IEDs Cyber Security Capabilities: passwords, alerts, audit logs
- IEC 62351, Security of IEC communications protocols: encryption, authentication, spoofing resistance, intrusion detection
- DHS, Cyber Security Procurement Language for Control Systems
- DHS, Catalog of Control System Security: Recommendations for Standards Developers
- ISA SP-99, Industrial Automation and Control Systems Security
- ISA SP-100, Wireless Systems for Industrial Automation
- American Gas Association (AGA) Report No. 12, Cryptographic protection of SCADA communications
Slide 15
- UCA International Users Group (ABB, Alstom, Cisco, etc.): Security Profile for Wide-Area Monitoring, Protection, and Control; AMI System Security Requirements
- NIST 800-82: Guide to Industrial Control System Security
- NIST IR 7628: Guidelines for Smart Grid Cyber Security: "The differences between information technology (IT), industrial, and Smart Grid security need to be accentuated..."
See also reports:
- United States Government Accountability Office: Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed
- Idaho National Laboratory: NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses
Resilient control system: a system that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected or malicious nature (Rieger et al., Idaho National Laboratory)
Slide 16
EU project CRUTIAL: security and resilience of SCADA systems
- Enforces policies in a distributed manner
- Access control
- Intrusion tolerance
- Self-healing
Slide 17
EU project VIKING: to enhance data integrity, reliability and resilience of SCADA systems through the development and application of cyber-physical models (hybrid system models) for the interaction between the (cyber) IT systems and the (physical) power transmission and distribution systems
The Australian Government established the Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience to let business and government share vital information on security issues relevant to the protection of national critical infrastructure
Slide 18
Simply speaking, risk = the probability and magnitude of an undesirable event
Risk assessment/analysis = the process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact
The ultimate objective is to reduce total risk for a given expected return/utility
Most standards and guidelines stress the importance of risk assessment
The Australian Government advocates the use of AS/NZS ISO 31000:2009 by owners and operators of critical infrastructure
Slide 19
Leitch says ISO 31000:2009:
- is unclear
- leads to illogical conclusions if followed
- is impossible to comply with
- is not mathematically based, having little to say about probability, data, and models
[Figure: risk map]
References:
- D. W. Hubbard, The Failure of Risk Management: Why It's Broken and How to Fix It, Wiley, 2009.
- M. Leitch, ISO 31000:2009: The New International Standard on Risk Management, Risk Analysis, 30(6):887-892, 2010.
Slide 20
- Multi-attribute utility theory
- Risk-versus-return curve (an example of a utility curve)
- Analytic Hierarchy Process (extension: Analytic Network Process): does not satisfy some statistical axioms including transitivity; problem with its mathematical foundation
References:
- C. A. Bana e Costa and J.-C. Vansnick, A critical analysis of the eigenvalue method used to derive priorities in AHP, European Journal of Operational Research, vol. 187, pp. 1422-1428, 2008.
Slide 21
Logical Reference Model (NIST IR 7628): 47 actors, 137 inter-actor interfaces. The power system is complex.
Slide 22
Distribution network / transmission network
Energy management system: the central nervous system of a transmission grid; a suite of software tools for monitoring, controlling as well as optimizing generation and transmission operations
Slide 23
Wide-area Measurement System. Source: A. P. Sakis Meliopoulos, Power System Modeling, Analysis and Control, lecture notes, Georgia Institute of Technology
Slide 24
Attacker model/assumptions:
- Core components (state estimator, automatic generation control) cannot be compromised, but their I/O can
- All other components can be compromised
- False data injection can lead to wrong estimated states, cascading failures, or widespread blackouts
General multilayered defence:
- Cryptography (authentication + optionally encryption) against outsider attackers
- Redundancy + heterogeneity + intrusion detection
Slide 25
Examples of phasor measurement units: ABB's RES521, Macrodyne's 1690, MiCOM P847
NIST IR 7628: authentication, availability
Oscillation control, voltage control, frequency control, line temperature monitoring
GPS
Slide 26
North American SynchroPhasor Initiative network architecture
Slide 27
Synchrophasors rely on GPS. GPS is vulnerable to jamming (weak signal) and spoofing (see Nighswander et al. 2012)
Short-term solution: Enhanced Long Range Navigation (eLORAN). Long-term solution: atomic clocks
[Images: a LORAN transmitter; a portable GPS and mobile jammer]
T. Nighswander et al., GPS Software Attacks, CCS '12.
Slide 28
PMU -> PDCs; PDC -> PDCs. Further example: System Integrity Protection Scheme (SIPS)
IEC 61850-90-5 governs the IEC 61850-compliant transmission of IEEE C37.118-formatted WAMS data:
- Specifies GDOI (RFC 6407) for securing the distribution of group keys
- Specifies IPsec (RFC 4301) for securing IP multicast using group keys
Slide 29
(1) Based on conventional digital signatures: signature amortization
(2) Multiple-time signature (MTS) schemes (incl. one-time):
+ packets individually verifiable
+ resilient to packet loss
+ small code
+ lower computational cost (?)
+ lower memory cost (?)
- long signatures
Well-known MTS schemes: Lamport; Perrig: BiBa, TESLA, TESLA; Reyzin & Reyzin: HORS
References: J. Pieprzyk, H. Wang, and C. Xing, Multiple-time signature schemes against adaptive chosen message attacks, in Selected Areas in Cryptography, ser. LNCS, vol. 3006, Springer Berlin / Heidelberg, 2004, pp. 88-100.
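The trade-off the slide lists (each packet verifiable on its own and immune to loss of other packets, at the price of a long signature) is easiest to see in the simplest MTS scheme on the list, Lamport's one-time signature. The following is an added example written for this page, not code from the lecture or from any of the cited schemes; it assumes SHA-256 for both the message digest and the one-way function, 32-byte secrets, and a fresh key pair per packet (how the per-packet public keys are distributed is the key-management question the slide leaves to schemes such as the ones compared later, and is not addressed here).

```python
import hashlib
import secrets

# Lamport one-time signature over SHA-256: 256 message bits, one pair of
# 32-byte secrets per bit. Both parameters are assumptions for this example.
N_BITS = 256
SECRET_LEN = 32


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    sk = [(rng(SECRET_LEN), rng(SECRET_LEN)) for _ in range(N_BITS)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def _message_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant bit of each byte first."""
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def lamport_sign(sk, msg: bytes) -> bytes:
    """Reveal one secret of each pair, selected by the corresponding digest bit."""
    return b"".join(sk[i][b] for i, b in enumerate(_message_bits(msg)))


def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    """Every revealed secret must hash to the published value for that bit."""
    if len(sig) != N_BITS * SECRET_LEN:
        return False
    for i, b in enumerate(_message_bits(msg)):
        chunk = sig[i * SECRET_LEN:(i + 1) * SECRET_LEN]
        if _h(chunk) != pk[i][b]:
            return False
    return True


def signature_size_bytes() -> int:
    """The 'long signatures' drawback: 256 * 32 = 8192 bytes per packet."""
    return N_BITS * SECRET_LEN


def sign_stream(packets):
    """One fresh key pair per packet: a Lamport key must never sign twice."""
    signed = []
    for p in packets:
        sk, pk = lamport_keygen()
        signed.append((p, lamport_sign(sk, p), pk))
    return signed


def verify_received(signed, received_indices) -> bool:
    """Packets that were lost do not affect verification of those that arrived."""
    return all(lamport_verify(signed[i][2], signed[i][0], signed[i][1])
               for i in received_indices)


if __name__ == "__main__":
    # Constructed sample stream of three PMU frames, with frame 1 lost in transit.
    frames = [b"PMU frame 0", b"PMU frame 1", b"PMU frame 2"]
    stream = sign_stream(frames)
    print("signature bytes per packet:", signature_size_bytes())
    print("frames 0 and 2 verify without frame 1:", verify_received(stream, [0, 2]))
```

Reusing a key pair for a second message reveals secrets from both halves of some pairs, which is why `sign_stream` generates a key per packet; a scheme such as HORS or BiBa reduces both the per-packet key material and the signature length at a bounded cost in security per signature.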
Slide 30
Note: not all schemes support more than 2 signatures per epoch under the comparison constraint
Slide 31
- BiBa 0: best performer in signature length, but far poorer efficiency in signing than the others.
- BiBa 1: slightly longer signatures, but significantly better signing efficiency than BiBa 0.
- SCU+: efficient in signing and verification, but requires far longer signatures than the others for the same security level.
- TSV+ is more efficient than TV-HORS in signature length for r = 1.
- TSV+ is several orders of magnitude slower than TV-HORS in signing and verification.
- Despite its algorithmic simplicity, TV-HORS is a good performer in all categories.
- SCU and TSV do not offer clear advantages over BiBa.
Yee Wei Law et al., WAKE: Key Management Scheme for Wide-Area Measurement Systems in Smart Grid, IEEE Communications Magazine, accepted 10 Oct 2012, to appear.
Slide 32
Wide-area Measurement System. Source: A. P. Sakis Meliopoulos, Power System Modeling, Analysis and Control, lecture notes, Georgia Institute of Technology
Slide 33
State estimator: measurements -> network topology processor -> bad data detection
Possible insider attack: inject bad data to foil detection
Y. Liu et al., False data injection attacks against state estimation in electric power grids, Proc. 16th ACM Conference on Computer and Communications Security, 2009.
Slide 34
Attack scenario: given k compromised meters (RTUs/IEDs/PMUs), find a vector of k false values that bypass detection
[Figure: IEEE test systems; larger networks]
Slide 35
L. Xie, Y. Mo, and B. Sinopoli, False data injection attacks in electricity markets, in Proc. 1st International Conference on Smart Grid Communications, 2010.
[Figure: IEEE 14-bus test system] A line that is actually congested is faked as not congested. The attacker earns $2/MWh on one line and loses $1/MWh on another, for a net gain of $1/MWh.
Slide 36
- It is impractical to tamper-proof a whole PMU, for maintenance reasons, etc.
- Even if tamper-proofing all PMUs were achievable, it is impractical for all RTUs and IEDs
- Using redundant PMUs could reduce the risk, but is also costly
- Most (academic) research so far has designed attacks under different constraints
- We are investigating anomaly detection methods to detect false data
Stewart et al., Synchrophasor Security Practices, white paper: a multilayered architecture with a perimeter network; firewall + VPN
Slide 37
Attacker exploits assumptions about bad data:
- The χ² test assumes bad data cause errors to not be Gaussian
- The largest normalized residual test assumes bad data cause measurement residuals to not be Gaussian distributed
Among the latest solutions:
- Bobba et al.'s solution determines critical PMUs and makes them tamper-resistant
- Vuković et al.'s solution assumes a core subset of substations are beyond attack, and espouses multipath routing
State estimation: secure centralized estimation problem
Multi-area state estimation: secure distributed estimation problem; linear time-invariant average-consensus (linear consensus)
Selected references:
- R. B. Bobba, K. M. Rogers, Q. Wang, H. Khurana, K. Nahrstedt, and T. J. Overbye, Detecting False Data Injection Attacks on DC State Estimation, in First Workshop on Secure Control Systems, ser. SCS, 2010.
- O. Vukovic, K. C. Sou, G. Dan, and H. Sandberg, Network-layer protection schemes against stealth attacks on state estimators in power systems, 2011 IEEE International Conference on Smart Grid Communications (SmartGridComm), pp. 184-189, 2011.
- S. Zheng et al., Robust State Estimation Under False Data Injection in Distributed Sensor Networks, in IEEE GLOBECOM 2010.
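To make concrete why the residual tests of this slide and the attack scenario of slides 33-34 are two sides of one assumption, here is an added example (written for this page; not code from the lecture or from Liu et al.) of DC state estimation by weighted least squares with a χ²-style squared-residual test. The 3-bus network, its measurement matrix H, the measurement noise and the detection threshold are all constructed assumptions. Pure Python is used so the block runs without NumPy.

```python
# Toy DC state estimation: z = H x + e, with unit measurement weights.
# Constructed 3-bus example (bus 3 is the angle reference, all line
# susceptances 1): states x = [theta1, theta2]; measurements are flows
# 1-2, 1-3, 2-3 and injections at buses 1 and 2.
H_EXAMPLE = [[1, -1], [1, 0], [0, 1], [2, -1], [-1, 2]]
X_TRUE = [0.10, 0.05]
NOISE = [0.002, -0.001, 0.001, 0.0, -0.002]   # constructed measurement noise
TAU = 1e-3                                       # assumed detection threshold


def transpose(A):
    return [list(col) for col in zip(*A)]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) for row in A]


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def wls_estimate(H, z):
    """x_hat = (H^T H)^-1 H^T z; returns (x_hat, residual r = z - H x_hat)."""
    Ht = transpose(H)
    x_hat = solve(matmul(Ht, H), matvec(Ht, z))
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    return x_hat, r


def bad_data_detected(r, tau=TAU):
    """Chi-squared style test: flag the scan if ||r||^2 exceeds tau."""
    return sum(ri * ri for ri in r) > tau


def inject(z, a):
    """Measurements as seen by the estimator after an additive vector a."""
    return [zi + ai for zi, ai in zip(z, a)]


Z_CLEAN = inject(matvec(H_EXAMPLE, X_TRUE), NOISE)


def residual_comparison(H=H_EXAMPLE, z=Z_CLEAN, c=(0.3, 0.0)):
    """Compare the test's verdict on clean data, on a single gross error, and on
    an injection of the form a = H c (the structure behind the k-meter scenario).
    Returns a dict of verdicts and the max residual difference for the H c case."""
    x_clean, r_clean = wls_estimate(H, z)
    _, r_gross = wls_estimate(H, inject(z, [0, 0, 0, 0.2, 0]))
    a = matvec(H, list(c))
    x_struct, r_struct = wls_estimate(H, inject(z, a))
    return {
        "clean_flagged": bad_data_detected(r_clean),
        "gross_flagged": bad_data_detected(r_gross),
        "structured_flagged": bad_data_detected(r_struct),
        "residual_change": max(abs(p - q) for p, q in zip(r_struct, r_clean)),
        "estimate_shift": [p - q for p, q in zip(x_struct, x_clean)],
    }


if __name__ == "__main__":
    for key, val in residual_comparison().items():
        print(f"{key}: {val}")
```

Algebraically, r = (I - H (HᵀH)⁻¹ Hᵀ) z, and that projector annihilates any vector in the column space of H, so adding H c leaves the residual untouched while shifting the estimate by exactly c. The test therefore catches the isolated gross error (the kind of bad data it was designed for) and is blind to the structured case, which is the gap that the redundancy, tamper-resistant critical PMUs and anomaly detection of slides 36-37 are meant to close.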
Slide 38
Wide-area Measurement System: rotor angle, voltage, frequency. Source: A. P. Sakis Meliopoulos, Power System Modeling, Analysis and Control, lecture notes, Georgia Institute of Technology
Slide 39
Most standards tolerate a deviation from nominal of only 1%
Three levels of control:
- Simple electro-mechanical proportional feedback control (leaves a steady-state error residue)
- Load-frequency control
- Manual control
[Figure: load vs system frequency]
[Figure: control area 1, control area 2, control area 3, tie line] AGC regulates system frequency and maintains power interchanges via the tie line at scheduled values
G. Anderson, Dynamics and control of electric power systems, lecture notes 227-0528-00, ETH Zürich, February 2010.
Slide 40
AGC is one of few automatic closed loops between the IT department and the power system
Effects of a successful attack: oscillatory growth in phase angle difference; oscillatory growth in interchanged power
References:
- P. M. Esfahani et al., A Robust Policy for Automatic Generation Control Cyber Attack in Two Area Power Network, in IEEE Conference on Decision and Control, Atlanta, Dec. 2010.
- P. M. Esfahani et al., Cyber Attack in a Two-Area Power System: Impact Identification using Reachability, in American Control Conference, Baltimore, MD, USA, Jun. 2010.
- Y. W. Law et al., Security games and risk minimization for automatic generation control in smart grid, in J. Grossklags and J. Walrand, editors, Proc. 3rd Conference on Decision and Game Theory for Security (GameSec 2012), volume 7638 of LNCS, pp. 281-295, Springer Heidelberg, 2012.
Slide 41
[Figure: Area 1, Area 2; underfrequency load shedding; centralized vs distributed; 1/R; control area 1, control area 2, tie line]
Slide 42
Frequency deviation exceeds threshold -> overfrequency/underfrequency protection relays:
- When the frequency deviation rises above 1.5 Hz, overfrequency relays start tripping thermal plants
- When the frequency deviation drops below 0.35 Hz, underfrequency relays shed load
Goal: to model and quantify the risks posed by an attacker whose intention is to inflict revenue loss on the electricity provider by injecting false data into the automatic generation controller in the hope of triggering load shedding
S. K. Mullen, Plug-In Hybrid Electric Vehicles as a Source of Distributed Frequency Regulation, Ph.D. thesis, University of Minnesota, 2009.
Slide 43
Motivation: model the interaction between attacker and defender to derive an optimal defense strategy (optimal resource allocation)
Terminology:
- Matrix game: multi-agent, single-state; zero-sum: matrix games; nonzero-sum: bi-matrix games
- Markov decision process: single-agent, multi-state
- Stochastic/Markov game: multi-agent, multi-state
- Security game: two-agent, noncooperative, zero-sum; risk model
- Dynamic programming
M. Bowling and M. Veloso, Multiagent learning using a variable learning rate, Artificial Intelligence, vol. 136, pp. 215-250, 2002.
Slide 44
Transition probability determined by state transition matrix M:
A cost (from the defender's perspective) of G_{a,d}(s(t)) is incurred by actions a and d, thus constituting the game matrix:
Attacker action space:
Defender action space:
Attacker strategy:
Slide 45
Saddle-point strategy; Bellman equations
Slide 46
Solve for saddle-point strategy: minimum upper bound for cost
Slide 47
Risk state
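Slides 43-47 set up the risk model as a two-agent zero-sum stochastic game and ask for the saddle-point strategy via the Bellman equations; the slides' own equations are not reproduced in the text above, so the following added example (written for this page, not the lecture's or the GameSec paper's code) shows the mechanics on a constructed instance: two states (normal and risk), the two attacker and two defender actions of slide 54, a cost matrix G_{a,d}(s) per state and a transition matrix M per state and action pair. All numbers, the discount factor γ and the 2×2 restriction are assumptions; the solver is Shapley-style value iteration, solving a 2×2 matrix game at each state on every sweep.

```python
# Zero-sum stochastic (Markov) security game: the attacker (row player)
# maximizes and the defender (column player) minimizes a cost G[s][a][d].
# V(s) = val( G(s)[a][d] + gamma * sum_s' M[s][a][d][s'] V(s') )  (Bellman)
# Every number below is constructed for illustration.
GAMMA = 0.9

# State 0 = normal operation, state 1 = risk state (load shedding is closer).
# Attacker actions a1/a2: falsify N/2 or N samples; defender d1/d2: two
# hypothetical detection algorithms. Entries are the defender's stage cost.
G_EXAMPLE = [
    [[1.0, 0.5], [2.0, 1.5]],   # state 0
    [[4.0, 1.0], [2.0, 3.0]],   # state 1
]
# M[s][a][d] = probability distribution over the next state.
M_EXAMPLE = [
    [[[0.9, 0.1], [0.95, 0.05]], [[0.6, 0.4], [0.85, 0.15]]],   # from state 0
    [[[0.3, 0.7], [0.5, 0.5]], [[0.1, 0.9], [0.4, 0.6]]],       # from state 1
]


def matrix_game_2x2(G):
    """Saddle-point value and mixed strategies of a 2x2 zero-sum game.
    G[a][d] is the defender's cost. Returns (value, attacker_mix, defender_mix);
    the value is the attacker's maximin = the defender's minimax (the
    'minimum upper bound for cost' from the defender's side)."""
    maximin = max(min(row) for row in G)
    minimax = min(max(G[0][d], G[1][d]) for d in range(2))
    if minimax - maximin < 1e-12:                      # pure saddle point
        a_star = max(range(2), key=lambda a: min(G[a]))
        d_star = min(range(2), key=lambda d: max(G[0][d], G[1][d]))
        p = [1.0 if a == a_star else 0.0 for a in range(2)]
        q = [1.0 if d == d_star else 0.0 for d in range(2)]
        return maximin, p, q
    # No pure saddle point: closed-form equalizing mixed strategies.
    denom = G[0][0] - G[0][1] - G[1][0] + G[1][1]
    p0 = (G[1][1] - G[1][0]) / denom
    q0 = (G[1][1] - G[0][1]) / denom
    value = (G[0][0] * G[1][1] - G[0][1] * G[1][0]) / denom
    return value, [p0, 1.0 - p0], [q0, 1.0 - q0]


def stage_game(G, M, V, s, gamma=GAMMA):
    """Matrix game faced at state s given the current value estimate V."""
    n = len(G)
    return [[G[s][a][d] + gamma * sum(M[s][a][d][t] * V[t] for t in range(n))
             for d in range(2)] for a in range(2)]


def stochastic_game_value(G, M, gamma=GAMMA, tol=1e-9, max_iter=10000):
    """Value iteration on the Bellman equations; returns (V, saddle-point
    strategies per state as (attacker_mix, defender_mix))."""
    n = len(G)
    V = [0.0] * n
    strategies = [None] * n
    for _ in range(max_iter):
        V_new = []
        for s in range(n):
            v, p, q = matrix_game_2x2(stage_game(G, M, V, s, gamma))
            V_new.append(v)
            strategies[s] = (p, q)
        if max(abs(x - y) for x, y in zip(V_new, V)) < tol:
            return V_new, strategies
        V = V_new
    return V, strategies


def bellman_residual(G, M, V, gamma=GAMMA):
    """How far V is from a fixed point of the Bellman operator (0 at the solution)."""
    return max(abs(matrix_game_2x2(stage_game(G, M, V, s, gamma))[0] - V[s])
               for s in range(len(G)))


if __name__ == "__main__":
    V, strat = stochastic_game_value(G_EXAMPLE, M_EXAMPLE)
    for s, (p, q) in enumerate(strat):
        print(f"state {s}: value {V[s]:.4f}  attacker {p}  defender {q}")
```

The defender's mixed strategy at each state is the optimal resource allocation slide 43 asks for: it says with what probability to run each detection algorithm in the normal and the risk state so that the worst-case discounted cost is minimized. Because the stage-game operator is a γ-contraction, iteration from V = 0 converges regardless of the starting point, and `bellman_residual` is the natural check that a returned V really solves the equations.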
Slide 48
[Figure: generators, transmission lines, turbine governors, energy management system, underfrequency load shedding relays, AGC (integral controller)]
Redundancy; saturation filter; detection: clustering
[Figure: frequency samples over time, axis from 3.5 Hz to -4.5 Hz]
Data that form more than one cluster are suspicious
Slide 52
[Figure: zero gain/loss for attacker/defender; expected total load shed]
Slide 53
Disinfection model: the AGC software reads frequency samples alternately from two meters, through a saturation filter
[Figure] If Meter 1 is detected to be compromised at one instance, it will be disinfected by a later instance
Redundancy measure; saturation filter
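The three defensive ingredients named across slides 48-53 (a saturation filter in front of the AGC, alternating reads from two redundant meters, and clustering to flag data that split into more than one group) fit together in a few lines. The block below is an added example written for this page, not the lecture's or the GameSec paper's code; the 50 Hz nominal frequency, the ±0.5 Hz saturation band, the 0.1 Hz cluster gap, the two constructed sample series, and the rule that the cluster farther from nominal is the suspicious one are all assumptions.

```python
# Disinfection model, constructed example: the AGC reads frequency samples
# alternately from meter 1 and meter 2 through a saturation filter; a
# one-dimensional gap-based clustering flags data forming more than one
# cluster and attributes the outlying cluster to a meter, whose reads are
# then dropped (disinfected) in favour of the other meter's.
NOMINAL_HZ = 50.0      # assumed nominal system frequency
SAT_LIMIT_HZ = 0.5     # assumed saturation band on the frequency deviation
GAP_HZ = 0.1           # assumed gap that separates two clusters


def saturate(dev_hz, limit=SAT_LIMIT_HZ):
    """Saturation filter: clip the deviation so a single falsified sample
    cannot push the integral controller by more than the band allows."""
    return max(-limit, min(limit, dev_hz))


def interleave(meter1_hz, meter2_hz):
    """Alternate reads: list of (meter id, saturated deviation) per instant."""
    samples = []
    for f1, f2 in zip(meter1_hz, meter2_hz):
        samples.append((1, saturate(f1 - NOMINAL_HZ)))
        samples.append((2, saturate(f2 - NOMINAL_HZ)))
    return samples


def clusters_1d(values, gap=GAP_HZ):
    """Split the sorted values wherever neighbours differ by more than gap."""
    s = sorted(values)
    groups, current = [], [s[0]]
    for prev, v in zip(s, s[1:]):
        if v - prev > gap:
            groups.append(current)
            current = []
        current.append(v)
    groups.append(current)
    return groups


def suspicious_meter(samples, gap=GAP_HZ):
    """Return the id of the meter behind the outlying cluster, or None when
    all samples form a single cluster. Assumption: honest frequency stays
    near nominal, so the cluster farthest from zero deviation is suspect."""
    groups = clusters_1d([d for _, d in samples], gap)
    if len(groups) < 2:
        return None
    far = set(max(groups, key=lambda g: max(abs(v) for v in g)))
    counts = {}
    for meter, dev in samples:
        if dev in far:
            counts[meter] = counts.get(meter, 0) + 1
    return max(counts, key=counts.get)


def disinfect(samples, bad_meter):
    """Redundancy measure: feed the AGC only the other meter's reads."""
    return [dev for meter, dev in samples if meter != bad_meter]


def agc_input(meter1_hz, meter2_hz):
    """Full pipeline: returns (deviations passed to the AGC, flagged meter)."""
    samples = interleave(meter1_hz, meter2_hz)
    bad = suspicious_meter(samples)
    if bad is None:
        return [dev for _, dev in samples], None
    return disinfect(samples, bad), bad


# Constructed sample series: meter 1 reports an inflated frequency for
# overcompensation, meter 2 reports values close to nominal.
METER1_COMPROMISED = [50.42, 50.38, 50.45, 50.40, 50.41]
METER2_HONEST = [50.01, 49.99, 50.02, 50.00, 49.98]

if __name__ == "__main__":
    feed, flagged = agc_input(METER1_COMPROMISED, METER2_HONEST)
    print("flagged meter:", flagged)
    print("deviations passed to AGC:", [round(d, 3) for d in feed])
```

The saturation filter bounds how far any single sample can move the controller, the alternation guarantees that a compromised meter contributes at most every second read, and the clustering turns the slide's observation ("data that form more than one cluster are suspicious") into a decision. With the constructed data the honest and falsified reads separate cleanly; an attacker who keeps the falsified values within one gap of the honest ones would defeat this particular rule, which is why the game model above treats the detection probability as a parameter rather than as 1.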
Slide 54
Attacker actions:
- a_1: falsify N/2 frequency samples for overcompensation
- a_2: falsify N frequency samples for overcompensation
Defender actions:
- d_1: hypothetical detection algorithm with detection probability
- d_2: hypothetical detection algorithm with detection probability
N=20 1 =0.2 1 =0.8127 2 =20 2 =0.5203 0.2
Slide 55
[Figure: a sample snapshot; reads from compromised meter 1; reads from compromised meter 2]
Slide 58
Response to attacks: what to do if a control area (say 1) is compromised? Reroute power to bypass control area 1? Replace the surrounding environment of the AGC?
[Figure: control area 1, control area 2, control area 3, tie line]
Distributed AGC vs decentralized AGC:
Distributed AGC:
- Communication between control areas
- Faster convergence
- Few existing schemes
- Susceptible to DoS attacks on the communication infrastructure
- Signal processing and machine learning to detect anomalies in messages
Decentralized AGC:
- No communication between control areas
- Slower convergence
- 100s of existing schemes
- No communication infrastructure cost
- Signal processing techniques to detect oscillations in tie lines
Slide 59
- Resilience and false data injection are important issues for both sensor networks and smart grid
- Smart grid research so far has focused on attacks and highlights the importance of security measures without prescribing any: no universally recognized attack model, no common solution
- Fusion of multi-disciplinary techniques: security + control = secure control [Cardenas et al. 2008]; security concepts formalized in control theory
- AI techniques expected to play an increasingly important role
- Multilayered defense with crypto on the front line
References:
- A. Cardenas, S. Amin, and S. Sastry, Secure Control: Towards Survivable Cyber-Physical Systems, in 28th International Conference on Distributed Computing Systems Workshops, ser. ICDCS, Jun. 2008, pp. 495-500.
- H. J. LeBlanc and X. D. Koutsoukos, Consensus in networked multi-agent systems with adversaries, in Proc. 14th International Conference on Hybrid Systems: Computation and Control (HSCC '11), pp. 281-290, ACM, 2011.
- S. Sundaram and C. N. Hadjicostis, Distributed Function Calculation via Linear Iterative Strategies in the Presence of Malicious Agents, IEEE Transactions on Automatic Control, vol. 56, no. 7, pp. 1495-1508, July 2011.