
Cyber-Physical Systems under Attack

Florian Dörfler
October 16, 2024

UCLA, 2012


Transcript

  1. Cyber-Physical Systems under Attack: Models, Fundamental Limitations, and Monitor Design

    Fabio Pasqualetti, Florian Dörfler, Francesco Bullo. Center for Control, Dynamical Systems and Computation, University of California, Santa Barbara. Security Seminar, University of California, Los Angeles, CA, Feb 24, 2012.
    Slide footer: F. Pasqualetti, F. Dörfler, F. Bullo, Cyber-Physical Systems Under Attack, Security Seminar UCLA, 1 / 46.
  2. Important Examples of Cyber-Physical Systems

    Many critical infrastructures are cyber-physical systems:
    - power generation and distribution networks
    - water networks and mass transportation systems
    - econometric models (W. Leontief, Input-Output Economics, 1986)
    - sensor networks
    - energy-efficient buildings (heat transfer)
  3. Security and Reliability of Cyber-Physical Systems

    Cyber-physical security is a fundamental obstacle challenging the smart grid vision:
    - H. Khurana, “Cybersecurity: A key smart grid priority,” IEEE Smart Grid Newsletter, Aug. 2011.
    - S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber-Physical System Security for the Electric Power Grid,” Proceedings of the IEEE, Jan. 2012.
    - A. R. Metke and R. L. Ekl, “Security technology for smart grid networks,” IEEE Transactions on Smart Grid, 2010.
    - J. P. Farwell and R. Rohozinski, “Stuxnet and the Future of Cyber War,” Survival, 2011.
    - T. M. Chen and S. Abu-Nimeh, “Lessons from Stuxnet,” Computer, 2011.

    Water supply networks are among the nation’s most critical infrastructures:
    - J. Slay and M. Miller, “Lessons learned from the Maroochy water breach,” Critical Infrastructure Protection, 2007.
    - D. G. Eliades and M. M. Polycarpou, “A Fault Diagnosis and Security Framework for Water Systems,” IEEE Transactions on Control Systems Technology, 2010.
    - S. Amin, X. Litrico, S. S. Sastry, and A. M. Bayen, “Stealthy Deception Attacks on Water SCADA Systems,” ACM International Conference on Hybrid Systems, 2010.
    - R. Murray, T. Haxton, R. Janke, W. E. Hart, J. Berry, and C. Phillips, “Sensor Network Design for Drinking Water Contamination Warning Systems,” United States Environmental Protection Agency, 2010.
    - J. Qiao, D. Jeong, M. Lawley, J. J. P. Richard, D. M. Abraham, and Y. Yih, “Allocating security resources to a water supply network,” IIE Transactions, 2007.

    Other critical infrastructures and cyber-physical systems: oil & gas transmission and distribution networks, mass transportation systems, telecommunications, banking & finance, ...

    “We’ve failed to take cyber-security seriously. Now we’re paying the piper.” [N. Charlette, IEEE Spectrum, July 2011]
  6. A Simple Example: WECC 3-machine 6-bus System

    [Figure: one-line diagram with generators g1, g2, g3 and buses b1 to b6, and the three sensor traces over time.]
    1. Physical dynamics: classical generator model & DC load flow
    2. Measurements: angle and frequency of generator g1
    3. Attack: modify real power injections at buses b4 & b5 (“Distributed internet-based load altering attacks against smart power grids,” IEEE Trans. on Smart Grid, 2011)

    The attack affects the second and third generators while remaining undetected from the measurements at the first generator.
  7. From Fault Detection and Cyber Security to Cyber-Physical Security

    Cyber-physical security exploits the system dynamics to assess the correctness of the measurements and their compatibility with the measurement equation.

    Cyber-physical security extends classical fault detection and complements/augments cyber security:
    - classical fault detection considers only generic failures, while cyber-physical attacks are worst-case attacks
    - cyber security does not exploit the compatibility of the measurement data with the physics/dynamics
    - cyber security methods are ineffective against attacks that affect the physics/dynamics
  8. Outline

    1. Problem Description and Motivation
    2. Models of Cyber-Physical Systems and Attacks
    3. Detectability and Identifiability Conditions
       - System-theoretic conditions
       - Graph-theoretic conditions
    4. Monitor Design for Attack Detection and Identification
       - Centralized attack detection
       - Distributed attack detection
       - Centralized attack identification
       - Distributed attack identification
       - A Case Study: RTS-96 Bus System
    5. Summary of Results, Ongoing Work, and Conclusion
  9. Models of Cyber-Physical Systems: Power Networks

    Small-signal structure-preserving power network model:
    1. transmission network: generators, buses, DC load flow assumptions, and network susceptance matrix $Y = Y^T$
    2. generators modeled by swing equations: $M_i \ddot\theta_i + D_i \dot\theta_i = P_{\mathrm{mech.in},i} - \sum_j Y_{ij}\,(\theta_i - \theta_j)$
    3. buses with constant real power demand: $0 = P_{\mathrm{load},i} - \sum_j Y_{ij}\,(\theta_i - \theta_j)$

    ⇒ Linear differential-algebraic dynamics: $E\dot x = Ax$

    [Figure: one-line diagram of a 39-bus network with generator and bus nodes; bus $k$ draws $P_{\mathrm{load},k}$ through the susceptances $Y_{jk}$, $Y_{ik}$.]
  10. Models of Cyber-Physical Systems: Water Networks

    Linearized municipal water supply network model:
    1. reservoirs with constant pressure heads: $h_i(t) = h_i^{\mathrm{reservoir}} = \text{const}$
    2. pipe flows obey the linearized Hazen-Williams equation: $Q_{ij} = g_{ij}\,(h_i - h_j)$
    3. balance at a tank: $A_i \dot h_i = \sum_{j \to i} Q_{ji} - \sum_{i \to k} Q_{ik}$
    4. demand = balance at a junction: $d_i = \sum_{j \to i} Q_{ji} - \sum_{i \to k} Q_{ik}$
    5. pumps & valves: $h_j - h_i = \pm\Delta h^{\mathrm{pump/valve}}_{ij} = \text{const}$

    ⇒ Linear differential-algebraic dynamics: $E\dot x = Ax$
  11. Models for Attackers and Security System

    Byzantine cyber-physical attackers:
    1. colluding omniscient attackers: they know the model structure and parameters, measure the full state, perform unbounded computation, and can apply some control signal and corrupt some measurements
    2. the attacker’s objective is to change/disrupt the physical state

    Security system:
    1. knows the structure and parameters
    2. measures the output signal
    3. the security system’s objective is to detect and identify the attack

    Goals of this talk:
    1. characterize fundamental limitations on the security system
    2. design filters for detectable and identifiable attacks
  12. Model of Cyber-Physical Systems under Attack

    1. Physics obey linear differential-algebraic dynamics: $E\dot x(t) = Ax(t)$
    2. Measurements are in continuous time: $y(t) = Cx(t)$
    3. Cyber-physical attacks are modeled as an unknown input $u(t)$ with unknown input matrices $B$ & $D$:

    $$E\dot x(t) = Ax(t) + Bu(t), \qquad y(t) = Cx(t) + Du(t)$$

    This model includes genuine faults of system components, physical attacks, and cyber attacks caused by an omniscient malicious intruder.

    Q: Is the attack $(B, D, u(t))$ detectable/identifiable from the output $y(t)$?
  14. Related Results on Cyber-Physical Security

    - S. Amin et al., “Safe and secure networked control systems under denial-of-service attacks,” Hybrid Systems: Computation and Control, 2009.
    - Y. Liu, M. K. Reiter, and P. Ning, “False data injection attacks against state estimation in electric power grids,” ACM Conference on Computer and Communications Security, Nov. 2009.
    - A. Teixeira et al., “Cyber security analysis of state estimators in electric power systems,” IEEE Conf. on Decision and Control, Dec. 2010.
    - S. Amin, X. Litrico, S. S. Sastry, and A. M. Bayen, “Stealthy deception attacks on water SCADA systems,” Hybrid Systems: Computation and Control, 2010.
    - Y. Mo and B. Sinopoli, “Secure control against replay attacks,” Allerton Conf. on Communications, Control and Computing, Sep. 2010.
    - G. Dan and H. Sandberg, “Stealth attacks and protection schemes for state estimators in power systems,” IEEE Int. Conf. on Smart Grid Communications, Oct. 2010.
    - Y. Mo and B. Sinopoli, “False data injection attacks in control systems,” First Workshop on Secure Control Systems, Apr. 2010.
    - S. Sundaram and C. Hadjicostis, “Distributed function calculation via linear iterative strategies in the presence of malicious agents,” IEEE Transactions on Automatic Control, vol. 56, no. 7, pp. 1495–1508, 2011.
    - R. Smith, “A decoupled feedback structure for covertly appropriating network control systems,” IFAC World Congress, Aug. 2011.
    - F. Hamza, P. Tabuada, and S. Diggavi, “Secure state-estimation for dynamical systems under active adversaries,” Allerton Conf. on Communications, Control and Computing, Sep. 2011.

    Our framework includes and generalizes most of these results.
  15. Prototypical Attacks

    [Figure: block diagrams of four attacks on the plant $(sE - A)^{-1}$ with output map $C$, initial condition $x(0)$, and attack channels $B_K \bar u_K(t)$ (into the state) and $D_K u_K(t)$ (into the measurements).]
    - Dynamic false data injection: a filter $G(s)(s - p)^{-1}$ on the measurement channel renders an unstable pole unobservable
    - Covert attack: a closed-loop replay attack
    - Static stealth attack: corrupt the measurements according to $C$ (injected signal $\tilde u(t)$)
    - Replay attack: affect the system and reset the output, replaying a copy started from $\tilde x(0)$
  17. Technical Assumptions

    $$E\dot x(t) = Ax(t) + B_K u_K(t), \qquad y(t) = Cx(t) + D_K u_K(t)$$

    Technical assumptions guaranteeing existence, uniqueness, & smoothness:
    (i) $(E, A)$ is regular: $|sE - A|$ does not vanish identically in $s \in \mathbb{C}$
    (ii) the initial condition $x(0)$ is consistent (can be relaxed)
    (iii) the unknown input $u_K(t)$ is sufficiently smooth (can be relaxed)

    Attack set $K$ = sparsity pattern of the attack input.
  18. Undetectable Attack

    An attack remains undetected if its effect on the measurements is indistinguishable from the effect of some nominal operating condition.

    [Figure: outputs under normal operating conditions $y(\cdot, 0, t)$ versus outputs under attack $y(\cdot, u_K(t), t)$, split into undetectable and detectable attacks.]

    Definition (Undetectable attack set). The attack set $K$ is undetectable if there exist initial conditions $x_1$, $x_2$ and an attack mode $u_K(t)$ such that, for all times $t$,
    $$y(x_1, u_K, t) = y(x_2, 0, t).$$
  19. Undetectable Attack Condition

    By linearity, an undetectable attack is such that $y(x_1 - x_2, u_K, t) = 0$: it excites only the zero dynamics of the input/output system.

    Theorem. For the attack set $K$, there exists an undetectable attack if and only if
    $$\begin{bmatrix} sE - A & -B_K \\ C & D_K \end{bmatrix} \begin{bmatrix} x \\ g \end{bmatrix} = 0$$
    for some $s$, $x \neq 0$, and $g$.
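The theorem above, worked on a constructed two-state, single-sensor example with $E = I$ and $D_K = 0$ (added example, not code from the slides): for a square pencil the condition reduces to the $3 \times 3$ matrix $[sI - A, -B_K;\ C, D_K]$ being singular at some $s_0$ with $x \neq 0$, i.e. an invariant zero of the input/output system. The plant matrices, the two sensor maps and the attack channel are all assumed values; the closed forms are written out for two states.

```python
"""Undetectable-attack test for a 2-state, single-input, single-output
system with E = I and D_K = 0. Added example, not the authors' code."""
import math

DT, STEPS = 1e-3, 5000   # explicit-Euler integration window [0, 5] s

def invariant_zero(A, b, c):
    """Return s0 with det[[s0 I - A, -b], [c, 0]] = 0, 'all' if the pencil
    is singular for every s, or None when no invariant zero exists."""
    (a11, a12), (a21, a22) = A
    b1, b2 = b
    c1, c2 = c
    # expanding the determinant along its last column gives alpha*s + beta
    alpha = b1 * c1 + b2 * c2
    beta = b1 * a21 * c2 - b1 * c1 * a22 - b2 * c2 * a11 + b2 * a12 * c1
    if abs(alpha) < 1e-12:
        return "all" if abs(beta) < 1e-12 else None
    return -beta / alpha

def kernel_state(A, b, s0):
    """x = (s0 I - A)^{-1} b, the x-part of the kernel vector for g = 1.
    Requires s0 not to be an eigenvalue of A (otherwise the zero is an
    unobservable mode rather than an attack-induced zero)."""
    m11, m12 = s0 - A[0][0], -A[0][1]
    m21, m22 = -A[1][0], s0 - A[1][1]
    det = m11 * m22 - m12 * m21
    if abs(det) < 1e-12:
        raise ValueError("s0 is an eigenvalue of A")
    return [(m22 * b[0] - m12 * b[1]) / det, (-m21 * b[0] + m11 * b[1]) / det]

def simulate(A, b, c, x0, s0):
    """Integrate x' = A x + b u, y = c x with u(t) = exp(s0 t) from x(0) = x0.
    Returns (max |y(t)|, max ||x(t)||_inf): the attack excites only the zero
    dynamics if the first stays ~0 while the state does not."""
    x, y_max, x_max = list(x0), 0.0, 0.0
    for n in range(STEPS):
        u = math.exp(s0 * n * DT)
        y = c[0] * x[0] + c[1] * x[1]
        y_max, x_max = max(y_max, abs(y)), max(x_max, abs(x[0]), abs(x[1]))
        dx = [A[0][0] * x[0] + A[0][1] * x[1] + b[0] * u,
              A[1][0] * x[0] + A[1][1] * x[1] + b[1] * u]
        x = [x[0] + DT * dx[0], x[1] + DT * dx[1]]
    return y_max, x_max

# constructed plant: a damped second-order system attacked through its input
A_EX = [[0.0, 1.0], [-2.0, -3.0]]
B_EX = [0.0, 1.0]
C_MIXED = [1.0, 2.0]   # sensor reads x1 + 2 x2: invariant zero at s0 = -0.5
C_POS = [1.0, 0.0]     # sensor reads x1 only: no invariant zero

def check(c):
    """Apply the theorem for sensor map c. Returns (s0, max|y|, max|x|) when
    an undetectable attack exists, otherwise (None, None, None)."""
    s0 = invariant_zero(A_EX, B_EX, c)
    if s0 is None or s0 == "all":
        return (s0, None, None)
    x0 = kernel_state(A_EX, B_EX, s0)
    y_max, x_max = simulate(A_EX, B_EX, c, x0, s0)
    return (s0, y_max, x_max)

if __name__ == "__main__":
    print("mixed sensor:", check(C_MIXED))   # y stays ~0 while x is not 0
    print("position sensor:", check(C_POS))  # no zero: every such attack is detectable
```

Changing only the sensor map removes the invariant zero, which is the sensor-placement reading of the theorem for the defender.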
  20. Undetectability of Replay Attacks

    [Figure: replay attack block diagram on the plant $(sE - A)^{-1}$ with output map $C$, attack channels $B_K \bar u_K(t)$ and $D_K u_K(t)$, and a replayed copy started from $\tilde x(0)$: the attack affects the system and resets the output.]
    1. two attack channels: $\bar u_K$, $u_K$
    2. $\mathrm{Im}(C) \subseteq \mathrm{Im}(D_K)$
    3. $B_K \neq 0$

    Undetectability follows from the solvability of
    $$\begin{bmatrix} sE - A & -B_K & 0 \\ C & 0 & D_K \end{bmatrix} \begin{bmatrix} x \\ g_1 \\ g_2 \end{bmatrix} = 0, \qquad x = (sE - A)^{-1} B_K g_1, \quad g_2 = -D_K^{\dagger} C (sE - A)^{-1} B_K g_1.$$

    - replay attacks can be detected through active detectors
    - replay attacks are not worst-case attacks
  21. Unidentifiable Attack

    The attack set $K$ remains unidentified if its effect on the measurements is indistinguishable from an attack generated by a distinct attack set $R \neq K$.

    [Figure: outputs of attacks by $K$, $y(\cdot, u_K(t), t)$, and of attacks by $R$, $y(\cdot, u_R(t), t)$, overlapping in the unidentifiable attacks.]

    Definition (Unidentifiable attack set). The attack set $K$ is unidentifiable if there exists an admissible attack set $R \neq K$ such that
    $$y(x_K, u_K, t) = y(x_R, u_R, t).$$

    An undetectable attack set is also unidentifiable.
  22. Unidentifiable Attack Condition

    By linearity, the attack set $K$ is unidentifiable if and only if there exists a distinct set $R \neq K$ such that $y(x_K - x_R, u_K - u_R, t) = 0$.

    Theorem. For the attack set $K$, there exists an unidentifiable attack if and only if
    $$\begin{bmatrix} sE - A & -B_K & -B_R \\ C & D_K & D_R \end{bmatrix} \begin{bmatrix} x \\ g_K \\ g_R \end{bmatrix} = 0$$
    for some $s$, $x \neq 0$, $g_K$, and $g_R$.

    So far we have shown:
    - fundamental detection/identification limitations
    - system-theoretic conditions for undetectable/unidentifiable attacks
  23. WECC 3-machine 6-bus System

    [Figure: one-line diagram with generators g1, g2, g3 and buses b1 to b6, and the three sensor traces over time.]
    1. Physical dynamics: classical generator model & DC load flow
    2. Measurements: angle and frequency of generator g1
    3. Attack: modified real power injections at buses b4 & b5

    The attack through b4 and b5 excites only the zero dynamics for the measurements at the first generator.
  25. From Algebraic to Graph-theoretical Conditions

    [Figure: graph of the WECC example with state vertices $\theta_i$, $\omega_i$, $\delta_i$, input vertices $u_1$, $u_2$, and output vertices $y_1$, $y_2$.]

    $$E\dot x(t) = Ax(t) + Bu(t), \qquad y(t) = Cx(t) + Du(t)$$
    - the vertex set is the union of the state, input, and output variables
    - edges correspond to nonzero entries in $E$, $A$, $B$, $C$, and $D$
    - system-theoretic properties are expressed through graph-theoretic notions
  26. Zero Dynamics and Connectivity

    A linking between two sets of vertices is a set of mutually disjoint directed paths between nodes in the two sets.

    [Figure: input vertices linked to output vertices by disjoint paths.]

    Theorem (Detectability, identifiability, linkings, and connectivity). If the maximum size of an input-output linking is $k$:
    - there exists an undetectable attack set $K_1$ with $|K_1| \geq k$, and
    - there exists an unidentifiable attack set $K_2$ with $|K_2| \geq k/2$.

    - the statement becomes necessary with generic parameters
    - the statement applies to systems with parameters in polytopes
  27. WECC 3-machine 6-bus System Revisited

    [Figure: one-line diagram with generators g1, g2, g3 and buses b1 to b6, its graph with state, input ($u_1$, $u_2$) and output ($y_1$, $y_2$) vertices, and the three sensor traces.]
    1. #attacks > maximum size of a linking
    2. ∃ undetectable attacks
    3. the attack destabilizes g2, g3
  29. Centralized Detection Monitor Design

    System under attack $(B, D, u(t))$:
    $$E\dot x(t) = Ax(t) + Bu(t), \qquad y(t) = Cx(t) + Du(t)$$

    Proposed centralized detection filter:
    $$E\dot w(t) = (A + GC)\,w(t) - Gy(t), \qquad r(t) = Cw(t) - y(t)$$

    Theorem (Centralized Attack Detection Filter). Assume $w(0) = x(0)$, $(E, A + GC)$ is Hurwitz, and the attack is detectable. Then $r(t) = 0$ if and only if $u(t) = 0$.

    - the design is independent of $B$, $D$, and $u(t)$
    - if $w(0) \neq x(0)$, then asymptotic convergence
    - a direct centralized implementation may not be feasible due to high dimensionality, spatial distribution, communication complexity, ...
  32. Decentralized Monitor Design

    Partition the physical system according to the geographically deployed control centers:
    $$E = \begin{bmatrix} E_1 & & 0 \\ & \ddots & \\ 0 & & E_N \end{bmatrix}, \quad C = \begin{bmatrix} C_1 & & 0 \\ & \ddots & \\ 0 & & C_N \end{bmatrix}, \quad A = \begin{bmatrix} A_1 & \cdots & A_{1N} \\ \vdots & \ddots & \vdots \\ A_{N1} & \cdots & A_N \end{bmatrix} = A_D + A_C$$

    [Figure: IEEE 118 Bus System one-line diagram partitioned into Areas 1 to 5.]

    (i) control center $i$ knows $E_i$, $A_i$, and $C_i$, and the neighboring $A_{ij}$
    (ii) control center $i$ can communicate with control center $j$ ⇔ $A_{ji} \neq 0$
    (iii) $E$ & $C$ are block-diagonal, $(E_i, A_i)$ is regular & $(E_i, A_i, C_i)$ is observable
  33. Decentralized Monitor Design: Continuous Communication

    System under attack:
    $$E\dot x(t) = Ax(t) + Bu(t), \qquad y(t) = Cx(t) + Du(t), \qquad A = A_D + A_C$$

    Decentralized detection filter:
    $$E\dot w(t) = (A_D + GC)\,w(t) + A_C\, w(t) - Gy(t), \qquad r(t) = Cw(t) - y(t), \qquad G = \mathrm{blkdiag}(G_1, \ldots, G_N)$$

    Theorem (Decentralized Attack Detection Filter). Assume that $w(0) = x(0)$, $(E, A_D + GC)$ is Hurwitz, and $\rho\big((j\omega E - A_D - GC)^{-1} A_C\big) < 1$ for all $\omega \in \mathbb{R}$. If the attack is detectable, then $r(t) = 0$ if and only if $u(t) = 0$.

    - the design is decentralized but achieves centralized performance
    - the design requires continuous communication among control centers
  34. Digression: Gauss-Jacobi Waveform Relaxation

    Standard Gauss-Jacobi relaxation to solve a linear system $Ax = u$:
    $$x_i^{(k)} = \frac{1}{a_{ii}}\Big(u_i - \sum_{j \neq i} a_{ij}\, x_j^{(k-1)}\Big) \quad\Leftrightarrow\quad x^{(k)} = -A_D^{-1} A_C\, x^{(k-1)} + A_D^{-1} u$$
    Convergence: $\lim_{k \to \infty} x^{(k)} = x = A^{-1}u \;\Leftrightarrow\; \rho(A_D^{-1} A_C) < 1$.

    Gauss-Jacobi waveform relaxation to solve $E\dot x(t) = Ax(t) + Bu(t)$:
    $$E\dot x^{(k)}(t) = A_D\, x^{(k)}(t) + A_C\, x^{(k-1)}(t) + Bu(t), \qquad t \in [0, T]$$
    Convergence for $(E, A)$ Hurwitz & $u(t)$ integrable on $t \in [0, T]$:
    $$\lim_{k \to \infty} x^{(k)}(t) = x(t) \;\Leftarrow\; \rho\big((j\omega E - A_D)^{-1} A_C\big) < 1 \quad \forall\, \omega \in \mathbb{R}$$
  35. Distributed Monitor Design: Discrete Communication

    Distributed attack detection filter:
    $$E\dot w^{(k)}(t) = (A_D + GC)\, w^{(k)}(t) + A_C\, w^{(k-1)}(t) - Gy(t), \qquad r^{(k)}(t) = Cw^{(k)}(t) - y(t)$$
    where $G = \mathrm{blkdiag}(G_1, \ldots, G_N)$, $t \in [0, T]$, and $k \in \mathbb{N}$.

    Theorem (Distributed Attack Detection Filter). Assume that $w^{(k)}(0) = x(0)$ for all $k \in \mathbb{N}$, $y(t)$ is integrable for $t \in [0, T]$, $(E, A_D + GC)$ is Hurwitz, and $\rho\big((j\omega E - A_D - GC)^{-1} A_C\big) < 1$ for all $\omega \in \mathbb{R}$. If the attack is detectable, then $\lim_{k \to \infty} r^{(k)}(t) = 0$ if and only if $u(t) = 0$ for all $t \in [0, T]$.
  36. Implementation of Distributed Attack Detection Filter

    Distributed iterative procedure to compute the residual $r(t)$, $t \in [0, T]$:
    1. set $k := k + 1$, and compute $w_i^{(k)}(t)$, $t \in [0, T]$, by integrating
       $$E_i \dot w_i^{(k)}(t) = (A_i + G_i C_i)\, w_i^{(k)}(t) + \sum_{j \neq i} A_{ij}\, w_j^{(k-1)}(t) - G_i y_i(t)$$
    2. transmit $w_i^{(k)}(t)$ to control center $j$ if $A_{ij} \neq 0$
    3. update $w_j^{(k)}(t)$ with the signal received from control center $j$

    ⇒ For $k$ sufficiently large, $r_i^{(k)}(t) = C_i w_i^{(k)}(t) - y_i(t) \approx 0$ ⇔ no attack
    ⇒ Receding-horizon implementation: move the integration window $[0, T]$
    ⇒ Distributed verification of the convergence condition: $\rho(\cdot) < 1 \Leftarrow \|\cdot\|_\infty < 1$
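The centralized detection filter of slide 29 and the distributed waveform-relaxation procedure of slides 34 to 36, run side by side on a constructed two-area system (added example, not the authors' code). It assumes $E = I$ (so the DAE is an ODE), explicit Euler integration over the window $[0, T]$, and the constructed matrices $A_D$, $A_C$, $C$, $G$, attack channel and initial state given in the block; the relaxation iterates are compared against the centralized filter, and the residuals with and without an attack are returned.

```python
"""Centralized detection filter vs. Gauss-Jacobi waveform-relaxation
implementation on a constructed two-area system. Added example; E = I,
explicit Euler on [0, 6] s. All matrices, gains and signals are constructed."""

DT, STEPS = 0.01, 600        # window [0, T] with T = 6 s
X0 = [1.0, 0.0, -1.0, 0.5]   # plant initial state; filters start from w(0) = x(0)

# Area 1 owns (x1, x2), area 2 owns (x3, x4); A = A_D + A_C
A_D = [[-1.0, 0.5, 0.0, 0.0],
       [0.5, -1.0, 0.0, 0.0],
       [0.0, 0.0, -1.0, 0.5],
       [0.0, 0.0, 0.5, -1.0]]
A_C = [[0.0, 0.0, 0.0, 0.0],   # weak coupling x2 <-> x3 across the area boundary
       [0.0, 0.0, 0.3, 0.0],
       [0.0, 0.3, 0.0, 0.0],
       [0.0, 0.0, 0.0, 0.0]]
C = [[1.0, 0.0, 0.0, 0.0],     # area 1 measures x1, area 2 measures x4
     [0.0, 0.0, 0.0, 1.0]]
G = [[-1.0, 0.0], [0.0, 0.0],  # G = blkdiag(G1, G2); A_D + G C is Hurwitz
     [0.0, 0.0], [0.0, -1.0]]
B_ATTACK = [0.0, 0.0, 1.0, 0.0]  # unknown input u(t) enters area 2 at x3

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def madd(M, N):
    return [[a + b for a, b in zip(r, s)] for r, s in zip(M, N)]

def matmul(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(len(N)))
             for j in range(len(N[0]))] for i in range(len(M))]

def euler(M, forcing, v0):
    """Integrate v' = M v + forcing(n) over the window; returns the waveform."""
    v, out = list(v0), [list(v0)]
    for n in range(STEPS):
        v = [vi + DT * (mi + fi) for vi, mi, fi in zip(v, matvec(M, v), forcing(n))]
        out.append(v)
    return out

def max_abs(wave):
    return max(abs(c) for v in wave for c in v)

def diff(wave_a, wave_b):
    return [[a - b for a, b in zip(va, vb)] for va, vb in zip(wave_a, wave_b)]

def simulate_plant(attacked):
    """x' = A x + B u, y = C x, with u(t) = 1 for t >= 2 s when attacked."""
    def u(n):
        on = 1.0 if attacked and n * DT >= 2.0 else 0.0
        return [b * on for b in B_ATTACK]
    return [matvec(C, x) for x in euler(madd(A_D, A_C), u, X0)]

def centralized_filter(y):
    """w' = (A + G C) w - G y,  r = C w - y; needs the whole A, hence central."""
    M = madd(madd(A_D, A_C), matmul(G, C))
    w = euler(M, lambda n: [-g for g in matvec(G, y[n])], X0)
    return w, diff([matvec(C, wi) for wi in w], y)

def waveform_relaxation(y, iters):
    """Gauss-Jacobi waveform relaxation: each area integrates only its own
    block of (A_D + G C); the neighbours' previous-iteration waveform enters
    through A_C w^(k-1) as a known forcing, so only stored waveforms cross
    the area boundary, once per iteration. Starts from w^(0)(t) = x(0)."""
    M = madd(A_D, matmul(G, C))
    w_prev, iterates = [list(X0) for _ in range(STEPS + 1)], []
    for _ in range(iters):
        def forcing(n, wp=w_prev):
            return [a - g for a, g in zip(matvec(A_C, wp[n]), matvec(G, y[n]))]
        w_prev = euler(M, forcing, X0)
        iterates.append(w_prev)
    return iterates

def run(attacked, iters=10):
    """Returns (max |r| of the centralized filter, max |r^(k)| of the last
    relaxation iterate, per-iteration sup-norm distance to the central w)."""
    y = simulate_plant(attacked)
    w_c, r_c = centralized_filter(y)
    iterates = waveform_relaxation(y, iters)
    errors = [max_abs(diff(wk, w_c)) for wk in iterates]
    r_k = diff([matvec(C, wi) for wi in iterates[-1]], y)
    return max_abs(r_c), max_abs(r_k), errors

if __name__ == "__main__":
    for attacked in (False, True):
        r_c, r_k, errors = run(attacked)
        print(f"attack={attacked}: central max|r|={r_c:.3f}, "
              f"distributed max|r|={r_k:.3f}, "
              f"relaxation error {errors[0]:.3f} -> {errors[-1]:.2e}")
```

With $w(0) = x(0)$ the centralized residual is zero to rounding when there is no attack and clearly nonzero once the input at $x_3$ switches on; the relaxation iterates converge to the centralized waveform, so the distributed residual reaches the same verdict with only per-iteration exchange of boundary waveforms.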
  37. An Illustrative Example: IEEE 118 Bus System

    [Figure: IEEE 118 Bus System one-line diagram partitioned into Areas 1 to 5; a plot of the waveform-relaxation error over iterations 1 to 10; and the residuals of Areas 1 to 5 plotted over time 0 to 40.]
    - Physics: classical generator model and DC load flow model
    - Measurements: generator angles
    - Attack of all measurements in Area 1
    - Residuals $r_i^{(k)}(t)$ for $k = 100$, shown per area
  39. Centralized Identification Monitor Design

    System under attack $(B_K, D_K, u_K(t))$:
    $$E\dot x(t) = Ax(t) + B_K u_K(t) + B_R u_R(t), \qquad y(t) = Cx(t) + D_K u_K(t) + D_R u_R(t)$$

    Centralized identification filter:
    $$\bar E \dot w(t) = \bar A w(t) - \bar G y(t), \qquad r_K(t) = MCw(t) - Hy(t)$$

    Only $u_K(t)$ is active, i.e., $u_R(t) = 0$ at all times.

    Theorem. Assume $w(0) = x(0)$ and the attack set is identifiable. Then $r_K(t) = 0$ if and only if $K$ is the attack set.

    - if $w(0) \neq x(0)$, then asymptotic convergence
    - a direct centralized implementation may not be feasible
    - the design depends on $(B_K, D_K)$ ⇒ combinatorial complexity (NP-hard)
  41. Design Method: Controlled, Conditioned, and Deflating Subspaces

    Let $S_K^*$ be the smallest subspace of the state space such that there exists $G$ with
    $$(A + GC)\, S_K^* \subseteq S_K^* \quad\text{and}\quad \mathcal{R}(B_K + GD_K) \subseteq S_K^*.$$

    Design steps:
    1. compute the smallest conditioned invariant subspace $S_K^*$
    2. make the subspace $S_K^*$ invariant by output injection
    3. build a residual generator for the quotient space $X \setminus S_K^*$
    4. the residual is not affected by $u_K(t)$
  44. Distributed Attack Identification: a Naive Solution

    [Figure: IEEE 118 Bus System with Area 1 and Area 3 highlighted.]
    1. Known area dynamics
    2. Unknown connection inputs
    3. Unknown input attacks

    Consider the unknown interconnection inputs as attacks and design attack detection and identification monitors as in the centralized case.
    - the design is completely distributed
    - very low combinatorics
    - no communication among different areas
    - solvability conditions are very strict (boundary attacks)
  45. Distributed Attack ID: a Divide & Conquer Solution

    [Figure: IEEE 118 Bus System with Area 1 and Area 3 highlighted.]
    1. Treat the connection inputs as unknown
    2. Reconstruct the state (modulo $V$) of the area via an unknown-input observer
    3. Communicate the estimate and $V$ to the neighboring areas

    The unknown part of the connection input is restricted to $V$.
  46. An Example of Distributed Attack Identification

    [Figure: 16-node network split into Area 1 and Area 2; the attacked node 3 in red, the measured nodes in blue.]
    1. Attacker affects node 3 (red)
    2. Measurements at nodes {2, 5, 7} and {12, 13, 15} (blue)
    3. Node 3 is undetectable in Area 1
    4. Reconstruction with $V_2 = 0$
    5. Node 3 is cooperatively identifiable

    - the design is completely distributed
    - very low combinatorics
    - little communication among different areas
    - solvability conditions are easier to verify
  48. A Case Study: RTS-96 Bus System (optional DC link)

    [Figure: RTS-96 one-line diagram with numbered buses.]
    1. Physical dynamics: classical generator model & DC load flow
    2. Measurements: angle and frequency of all generators
    3. Attack: modify governor control at generators g101 & g102
    4. Monitors: our centralized detection and identification filters
  49. RTS-96 Bus System: Linear Dynamics without Noise

    [Figure: time plots over 0-20 s of x(t), r(t), rK(t), rR(t), each with a zoomed inset around t = 15 s]
    x(t): generators trajectories
    r(t): detection residual
    rK(t): identification residual for K
    rR(t): identification residual for R
    filters are designed via the conditioned invariance technique
  50. RTS-96 Bus System: Linear Dynamics with Noise

    [Figure: time plots over 0-20 s of x(t), r(t), rK(t), rR(t), each with a zoomed inset around t = 15 s]
    x(t): generators trajectories
    r(t): detection residual
    rK(t): identification residual for K
    rR(t): identification residual for R
    filters are designed via conditioned invariance and Kalman gain
  51. RTS-96 Bus System: Nonlinear Dynamics

    [Figure: time plots over 0-20 s of x(t), r(t), rK(t), rR(t), each with a zoomed inset around t = 15 s]
    x(t): generators trajectories
    r(t): detection residual
    rK(t): identification residual for K
    rR(t): identification residual for R
    filters are designed via conditioned invariance and Kalman gain
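The detection residual r(t) and the identification residuals rK(t), rR(t) of the three RTS-96 slides, reduced to a runnable toy as an added example (this is not the authors' code and not their RTS-96 model): a constructed 3-generator swing-equation network (classical generator model, DC load flow, forward-Euler discretization) with full-state measurement of every generator's angle and frequency, optional white measurement noise, and an attacker who modifies the governor control input of one generator. The monitor compares each measurement with the model's one-step prediction under the nominal governor input (r) and, for a candidate generator set K, projects out the frequency components a governor attack on K could excite (rK); rK vanishes exactly when K is the attacked set. Because every state is measured, this direct projection stands in for the conditioned-invariance filter design of the slides; all parameters, the noise level and the attack signal are constructed values.

```python
"""Residual-based attack detection and identification for a toy power network.

Added example, not the authors' code.  Assumptions (constructed, not from the
slides): a 3-generator linearized swing-equation model, forward-Euler
discretization, full-state measurement of angle and frequency, optional white
measurement noise, and an attacker adding a signal to one generator's
governor control input.
"""
import random

N = 3                     # number of generators (constructed toy network)
H = 0.01                  # Euler step [s]
M = [2.0, 1.5, 1.0]       # inertia constants (constructed)
D = [0.5, 0.4, 0.3]       # damping coefficients (constructed)
# DC load-flow susceptances between generator buses (symmetric, constructed)
B = [[0.0, 1.0, 0.5],
     [1.0, 0.0, 0.8],
     [0.5, 0.8, 0.0]]


def step(x, u):
    """One Euler step of the linearized swing dynamics.

    x = [theta_1..theta_N, omega_1..omega_N] (angles, frequencies);
    u = governor control input at each generator.
    """
    theta, omega = x[:N], x[N:]
    new_theta = [theta[i] + H * omega[i] for i in range(N)]
    new_omega = []
    for i in range(N):
        flow = sum(B[i][j] * (theta[i] - theta[j]) for j in range(N))
        new_omega.append(omega[i] + H * (-D[i] * omega[i] - flow + u[i]) / M[i])
    return new_theta + new_omega


def detection_residual(y_prev, y_now, u_nominal):
    """r(t): measurement minus the model's one-step prediction under the
    nominal input.  With full-state measurement this is the simplest
    detection filter: r is zero whenever the plant followed the model."""
    predicted = step(y_prev, u_nominal)
    return [y_now[i] - predicted[i] for i in range(2 * N)]


def identification_residual(r, K):
    """r_K(t): detection residual with the components a governor attack on
    generator set K could excite (their frequencies) projected out.
    r_K is (close to) zero iff K explains the observed residual."""
    return [0.0 if (i >= N and (i - N) in K) else r[i] for i in range(2 * N)]


def simulate(x0, steps, attacked_gen, attack_start, attack_mag,
             noise_std=0.0, seed=1):
    """Run the plant and return the measurement sequence y(0..steps).
    From attack_start on, attack_mag is added to the governor input of
    attacked_gen; the monitor is not told about it."""
    rng = random.Random(seed)
    x = list(x0)
    ys = [[v + rng.gauss(0.0, noise_std) for v in x]]
    for k in range(steps):
        u = [0.0] * N                       # nominal governor input
        if k >= attack_start:
            u[attacked_gen] += attack_mag   # attacker's modification
        x = step(x, u)
        ys.append([v + rng.gauss(0.0, noise_std) for v in x])
    return ys


def monitor(ys, threshold):
    """Centralized monitor: report the first step whose residual exceeds the
    threshold and identify the attacked generator as the singleton K with the
    smallest identification residual.  Returns (step, K) or (None, None)."""
    u_nominal = [0.0] * N
    for k in range(1, len(ys)):
        r = detection_residual(ys[k - 1], ys[k], u_nominal)
        if max(abs(v) for v in r) > threshold:
            best = min(range(N), key=lambda g: max(
                abs(v) for v in identification_residual(r, {g})))
            return k, {best}
    return None, None


if __name__ == "__main__":
    x0 = [0.1, 0.0, -0.05, 0.0, 0.0, 0.0]   # off-equilibrium start: a nominal transient
    ys = simulate(x0, 400, attacked_gen=1, attack_start=150, attack_mag=0.3)
    print(monitor(ys, threshold=1e-9))      # noise-free: (151, {1})
    ys = simulate(x0, 400, attacked_gen=1, attack_start=150, attack_mag=0.3,
                  noise_std=1e-4)
    print(monitor(ys, threshold=1e-3))      # with noise: (151, {1})
```

The off-equilibrium initial state shows that a nominal transient in x(t) leaves r(t) at zero, as on the noise-free slide; with measurement noise the residual is no longer exactly zero and a threshold above the noise floor takes the place of the Kalman-gain design on the noisy slides.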
  52. Conclusion

    We have presented:
    1 a modeling framework for cyber-physical systems under attack
    2 fundamental detection and identification limitations
    3 system- and graph-theoretic detection and identification conditions
    4 centralized attack detection and identification procedures
    5 distributed attack detection and identification procedures
    Ongoing and future work:
    1 optimal network partitioning for distributed procedures
    2 effect of noise, modeling uncertainties & communication constraints
    3 quantitative analysis of cost and effect of attacks
    4 applications to distributed-parameter cyber-physical systems
  53. References

    F. Pasqualetti, A. Bicchi, and F. Bullo. Distributed intrusion detection for secure consensus computations. In IEEE Conf. on Decision and Control, pages 5594–5599, New Orleans, LA, USA, Dec. 2007.
    F. Pasqualetti, A. Bicchi, and F. Bullo. On the security of linear consensus networks. In IEEE Conf. on Decision and Control and Chinese Control Conference, pages 4894–4901, Shanghai, China, Dec. 2009.
    F. Pasqualetti, A. Bicchi, and F. Bullo. Consensus computation in unreliable networks: A system theoretic approach. IEEE Transactions on Automatic Control, 2011, DOI: 10.1109/TAC.2011.2158130.
    F. Pasqualetti, R. Carli, A. Bicchi, and F. Bullo. Identifying cyber attacks under local model information. In IEEE Conf. on Decision and Control, Atlanta, GA, USA, Dec. 2010.
    F. Pasqualetti, R. Carli, A. Bicchi, and F. Bullo. Distributed estimation and detection under local information. In IFAC Workshop on Distributed Estimation and Control in Networked Systems, Annecy, France, Sep. 2010.
    F. Pasqualetti, A. Bicchi, and F. Bullo. A graph-theoretical characterization of power network vulnerabilities. In American Control Conference, San Francisco, CA, USA, June 2011.
    F. Pasqualetti, R. Carli, and F. Bullo. Distributed estimation and false data detection with application to power networks. Automatica, March 2011, to appear.
    F. Pasqualetti, F. Dörfler, and F. Bullo. Cyber-physical attacks in power networks: Models, fundamental limitations and monitor design. In IEEE Conf. on Decision and Control, Orlando, FL, USA, Dec. 2011.
    F. Dörfler, F. Pasqualetti, and F. Bullo. Distributed detection of cyber-physical attacks in power networks: A waveform relaxation approach. In Allerton Conf. on Communications, Control and Computing, Sep. 2011.
    F. Pasqualetti, F. Dörfler, and F. Bullo. Attack detection and identification in cyber-physical systems - Part I: Models and fundamental limitations. IEEE Transactions on Automatic Control, Feb. 2012, submitted.
    F. Pasqualetti, F. Dörfler, and F. Bullo. Attack detection and identification in cyber-physical systems - Part II: Centralized and distributed monitor design. IEEE Transactions on Automatic Control, Feb. 2012, submitted.
  55. A Case Study: Competitive Power Generation Environment

    Our geometric control methods can also be used for attack design.
    [Figure: 16-generator model of the Western North American Power Grid, generators 1-16 grouped into the regions South, Arizona, SoCal, NoCal, PacNW, Canada, North, Montana, Utah]
    scenario: a subset of utility companies K form a coalition
    goal: disrupt the power generation of competitors
    strategy: choose K∗ ⊂ K sacrificial generators and design an input not affecting K \ K∗ while maximizing damage at non-colluding generators
    additionally here: design such that the impact on K∗ is minimal
    C. L. DeMarco, J. V. Sariashkar, and F. Alvarado. "The potential for malicious control in a competitive power systems environment," IEEE International Conference on Control Applications, 1996.
  56. A Case Study: Competitive Power Generation Environment

    malicious coalition: K = {1, 9} (PacNW) with sacrificial machine {9}
    control minimizes ‖ω9(t)‖_L∞ subject to ‖ω16(t)‖_L∞ ≥ 1 (Utah)
    ⇒ non-colluding generators will be damaged
    [Figure: frequency trajectories ω1 ... ω16 over 0-10 s (each on a -1 to 1 scale), the 16-generator Western North American Grid map with its regions, and the governor control input over 0-10 s]