1. No category

Security of Cyber-Physical Systems

Important Examples of Cyber-Physical Systems
Cyber-Physical Systems under Attack
Models, Fundamental Limitations, and Monitor Design
Fabio Pasqualetti
Florian Dörfler
Francesco Bullo
Center for Control, Dynamical systems and Computation
University of California, Santa Barbara
Many critical infrastructures are cyber-physical systems:
power generation and distribution networks
water networks and mass transportation systems
econometric models (W. Leontief, Input - output economics, 1986)
sensor networks
energy-efficient buildings (heat transfer)
University of California, Los Angeles, CA, Feb 24, 2012
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
1 / 46
Security and Reliability of Cyber-Physical Systems
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
2 / 46
A Simple Example: WECC 3-machine 6-bus System
Cyber-physical security is a fundamental obstacle
challenging the smart grid vision.
b3
t1
1
0.8
0.6
0.4
0.2
1
0
0.8
0.6
b6
0.4
0.2
0
0.2
0.4
0.6
0.8
1
g2
H. Khurana, “Cybersecurity: A key smart grid priority,”
IEEE Smart Grid Newsletter, Aug. 2011.
b2
0.2
t
0.4
0.6
0.8
1
2
g3
t3
b4 b5
b1
S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber-Physical System Security for the Electric Power Grid,”
Proceedings of the IEEE, Jan. 2012.
g1
1
0.8
Sensors
0.6
0.4
0.2
0
0.2
0.4
0.6
0.8
1
A. R. Metke and R. L. Ekl “Security technology for smart grid networks,”
IEEE Transactions on Smart Grid, 2010.
J. P. Farwell and R. Rohozinski “Stuxnet and the Future of Cyber War”
Survival, 2011.
1
Physical dynamics: classical generator model & DC load flow
T. M. Chen and S. Abu-Nimeh “Lessons from Stuxnet”
Computer, 2011.
2
Measurements: angle and frequency of generator g1
3
Attack: modify real power injections at buses b4 & b5
Water supply networks are among the nation’s most critical infrastructures
The attack affects the second and third generators while remaining
undetected from measurements at the first generator
J. Slay and M. Miller. “Lessons learned from the Maroochy water breach”
Critical Infrastructure Protection, 2007.
D. G. Eliades and M. M. Polycarpou. “A Fault Diagnosis and Security Framework for Water Systems”
IEEE Transactions on Control Systems Technology, 2010.
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
S. Amin, X. Litrico, S.S. Sastry, and A.M. Bayen. “Stealthy Deception Attacks on Water SCADA Systems”
ACM International Conference on Hybrid systems, 2010.
“Distributed internet-based load altering attacks against smart power grids” IEEE Trans on Smart Grid, 2011
3 / 46
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
4 / 46
Small-signal structure-preserving power network model:
1
•◦ ,
8
37
9
10
30
38
25
26
29
2
1
27
3
6
28
35
transmission network: generators , buses
DC load flow assumptions, and network
susceptance matrix Y = Y T
1
Cyber-physical security exploits system dynamics to assess correctness of
measurements, and compatibility of measurement equation
Models of Cyber-Physical Systems: Power Networks
39
From Fault Detection and Cyber Security
to Cyber-Physical Security
18
22
4
9
17
8
21
5
24
Cyber-physical security extends classical fault detection, and
complements/augments cyber security
7
12
buses
•◦
with constant real power demand:
X
Yij · θi − θj
0 = Pload,i −
5 / 46
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Byzantine Cyber-Physical Attackers
1
reservoirs with constant pressure heads: hi (t) = hireservoir = const.
balanceP
at tank: P
Ai ḣi = j→i Qji − i→k Qik
4
5
2
Yik
k
Yjk
Pload,k
Security Seminar UCLA
7 / 46
colluding omniscent attackers:
attacker’s objective is to change/disrupt the physical state
Security System
1
2
pumps & valves:
pump/valves
hj − hi = +∆hij
= const.
3
knows structure and parameters
measures output signal
security systems’s objective is to detect and identify attack
1
⇒ Linear differential-algebraic dynamics: E ẋ = Ax
Cyber-Physical Systems Under Attack
4
know model structure and parameters
measure full state
perform unbounded computation
can apply some control signal and corrupt some measurements
demand
P = balance
Pat junction:
di = j→i Qji − i→k Qik
F. Pasqualetti, F. Dörfler, F. Bullo
33
⇒ Linear differential-algebraic dynamics: E ẋ = Ax
Linearized municipal water supply network model:
3
19
20
34
5
j
Models for Attackers and Security System
pipe flows obey linearized Hazen-Williams eq: Qij = gij · (hi − hj )
36
2
3
Models of Cyber-physical Systems: Water Networks
2
3
j
cyber security methods are ineffective against attacks that affect the
physics/dynamics
1
7
31
generators modeled by swing equations:
X
Yij · θi − θj
Mi θ̈i + Di θ̇i = Pmech.in,i −
cyber security does not exploit compatibility of measurement data
with physics/dynamics
Security Seminar UCLA
23
16
10
32
classical fault detection considers only generic failures, while
cyber-physical attacks are worst-case attacks
Cyber-Physical Systems Under Attack
15
13
11
2
F. Pasqualetti, F. Dörfler, F. Bullo
14
6
2
Security Seminar UCLA
8 / 46
characterize fundamental limitations on security system
design filters for detectable and identifiable attacks
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
9 / 46
Model of Cyber-Physical Systems under Attack
Related Results on Cyber-Physical Security
1
Physics obey linear differential-algebraic dynamics: E ẋ(t) = Ax(t)
S. Amin et al, “Safe and secure networked control systems under denial-of-service attacks,”
Hybrid Systems: Computation and Control 2009.
2
Measurements are in continuous-time: y (t) = Cx(t)
Y. Liu, M. K. Reiter, and P. Ning, “False data injection attacks against state estimation in electric power grids,”
ACM Conference on Computer and Communications Security, Nov. 2009.
3
Cyber-physical attacks are modeled as unknown input u(t)
with unknown input matrices B & D
A. Teixeira et al. “Cyber security analysis of state estimators in electric power systems,”
IEEE Conf. on Decision and Control, Dec. 2010.
S. Amin, X. Litrico, S. S. Sastry, and A. M. Bayen, “Stealthy deception attacks on water SCADA systems,”
Hybrid Systems: Computation and Control, 2010.
Y. Mo and B. Sinopoli, “Secure control against replay attacks,”
Allerton Conf. on Communications, Control and Computing, Sep. 2010
E ẋ(t) = Ax(t) + Bu(t)
G. Dan and H. Sandberg, “Stealth attacks and protection schemes for state estimators in power systems,”
IEEE Int. Conf. on Smart Grid Communications, Oct. 2010.
y (t) = Cx(t) + Du(t)
Y. Mo and B. Sinopoli, “False data injection attacks in control systems,”
First Workshop on Secure Control Systems, Apr. 2010.
S. Sundaram and C. Hadjicostis, “Distributed function calculation via linear iterative strategies in the presence of
malicious agents,” IEEE Transactions on Automatic Control, vol. 56, no. 7, pp. 1495–1508, 2011.
This model includes genuine faults of system components, physical
attacks, and cyber attacks caused by an omniscient malicious intruder.
F. Hamza, P. Tabuada, and S. Diggavi, “Secure state-estimation for dynamical systems under active adversaries,”
Allerton Conf. on Communications, Control and Computing, Sep. 2011.
Q: Is the attack B, D, u(t) detectable/identifiable from the output y (t)?
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
10 / 46
Prototypical Attacks
affect system and reset output
x(0)
C
ũ(t)
C
y(t)
DK uK (t)
BK ūK (t)
(sE − A)−1
x̃(0)
(sE − A)−1
x(t)
C
Dynamic false data injection:
closed loop replay attack
render unstable pole unobservable
x(0)
(sE − A)−1
x(t)
(sE − A)−1
C
C
Cyber-Physical Systems Under Attack
Security Seminar UCLA
11 / 46
y (t) = Cx(t) + DK uK (t)
C
Covert attack:
BK ūK (t)
F. Pasqualetti, F. Dörfler, F. Bullo
E ẋ(t) = Ax(t) + BK uK (t)
Replay attack:
corrupt measurements according to C
+
Our framework includes and generalizes most of these results
Technical Assumptions
Static stealth attack:
x(t)
R. Smith, “A decoupled feedback structure for covertly appropriating network control systems,”
IFAC World Congress, Aug. 2011.
+
−
y(t)
DK uK (t)
x(0)
(sE − A)−1
x(t)
�
�
G(s) (s − p) − 1
C
+
+
−
y(t)
DK uK (t)
Technical assumptions guaranteeing existence, uniqueness, & smoothness:
(i) (E , A) is regular: |sE − A| does not vanish for all s ∈ C
y(t)
+
(ii) the initial condition x(0) is consistent
(can be relaxed)
(iii) the unknown input uK (t) is sufficiently smooth
(can be relaxed)
DK uK (t)
Attack set K = sparsity pattern of attack input
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
12 / 46
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
14 / 46
Undetectable Attack
Undetectable Attack
Definition
Condition
An attack remains undetected if its effect on measurements is
undistinguishable from the effect of some nominal operating conditions
Normal operating
condition
y(·, 0, t)
Undetectable
attacks
By linearity, an undetectable attack is such that y (x1 − x2 , uK , t) = 0
zero dynamics of input/output system
Detectable
attacks
y(·, uK (t), t)
Definition (Undetectable attack set)
The attack set K is undetectable if there exist initial conditions x1 , x2 , and
an attack mode uK (t) such that, for all times t
Theorem
For the attack set K , there exists an undetectable attack if and only if
sE − A −BK x
=0
g
C
DK
for some s, x 6= 0, and g .
y (x1 , uK , t) = y (x2 , 0, t).
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
15 / 46
Undetectability of Replay Attacks
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
16 / 46
Unidentifiable Attack
Definition
Replay attack:
1
two attack channels: ūK , uK
y(t)
2
Im(C ) ⊆ Im(DK )
DK uK (t)
3
BK 6= 0
affect system and reset output
x(0)
BK ūK (t)
(sE − A)−1
x̃(0)
(sE − A)−1
x(t)
C
C
+
+
−
The attack set K remains unidentified if its effect on measurements is
undistinguishable from an attack generated by a distinct attack set R 6= K
Attacks by K
y(·, uK (t), t)
Unidentifiable
attacks
Attacks by R
y(·, uR (t), t)
Undetectability follows from solvability of
sE − A −BK
C
0
0
DK
 
x
g1  = 0
g2
Definition (Unidentifiable attack set)
The attack set K is unidentifiable if there exists an admissible attack set
R 6= K such that
y (xK , uK , t) = y (xR , uR , t).
x = (sE − A)−1 BK g1 , g2 = DK† C (sE − A)−1 BK g1
replay attacks can be detected though active detectors
replay attacks are not worst-case attacks
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
an undetectable attack set is also unidentifiable
17 / 46
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
18 / 46
Unidentifiable Attack
WECC 3-machine 6-bus System
Condition
By linearity, the attack set K is unidentifiable if and only if there exists a
distinct set R 6= K such that y (xK − xR , uK − uR , t) = 0.
Theorem
For the attack set K , there exists an unidentifiable attack if and only if
 
x
sE − A −BK −BR  
gK = 0
C
DK
DR
gR
Security Seminar UCLA
0.4
0.2
0
b6
0.2
0
0.2
0.4
0.6
0.8
1
g2
b2
0.2
t2
0.4
0.6
0.8
1
g3
t3
b4 b5
g1
1
0.8
Sensors
0.6
0.4
0.2
0
0.2
0.4
0.6
0.8
1
So far we have shown:
fundamental detection/identification limitations
system-theoretic conditions for undetectable/unidentifiable attacks
Cyber-Physical Systems Under Attack
t1
1
0.8
0.6
1
0.8
0.6
0.4
b1
for some s, x 6= 0, gK , and gR .
F. Pasqualetti, F. Dörfler, F. Bullo
b3
1
Physical dynamics: classical generator model & DC load flow
2
Measurements: angle and frequency of generator g1
3
Attack: modified real power injections at buses b4 & b5
The attack through b4 and b5 excites only zero dynamics for the
measurements at the first generator
19 / 46
From Algebraic to Graph-theoretical Conditions
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
20 / 46
Zero Dynamics and Connectivity
A linking between two sets of vertices is a set of mutually-disjoint directed
paths between nodes in the sets
δ2
ω2
E ẋ(t) = Ax(t) + Bu(t)
u1
y(t) = Cx(t) + Du(t)
δ3
θ2
θ6
θ3
ω3
θ5
u2
θ4
y2
ω1
y1
δ1
θ1
Input
Output
Theorem (Detectability, identifiability, linkings, and connectivity)
the vertex set is the union of the state, input, and output variables
edges corresponds to nonzero entries in E , A, B, C , and D
system theoretic properties expressed through graph theoretic notions
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
22 / 46
If the maximum size of an input-output linking is k:
there exists an undetectable attack set K1 , with |K1 | ≥ k, and
there exists an unidentifiable attack set K2 , with |K2 | ≥ d k2 e.
statement becomes necessary with generic parameters
statement applies to systems with parameters in polytopes
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
23 / 46
WECC 3-machine 6-bus System Revisited
b3
Centralized Detection Monitor Design
δ2
System under attack B, D, u(t) :
δ3
E ẋ(t) = Ax(t) + Bu(t)
1
0.8
0.6
0.4
0.2
1
0.8
0
0.6
0.2
b6
0.4
0.2
0
0.2
0.4
0.6
0.8
1
g2
b2
0.4
ω2
0.6
0.8
1
g3
θ6
ω3
θ3
y (t) = Cx(t) + Du(t)
b4 b5
u1
b1
θ4
y2
ω1
y1
δ1
θ1
E ẇ (t) = (A + GC )w (t) − Gy (t)
r (t) = Cw (t) − y (t)
u2
θ5
Theorem (Centralized Attack Detection Filter)
g1
1
0.8
Sensors
θ2
Proposed centralized detection filter:
0.6
0.4
Assume w (0) = x(0), (E , A + GC ) is Hurwitz, and attack is detectable.
Then r (t) = 0 if and only if u(t) = 0.
0.2
0
0.2
0.4
0.6
0.8
1
t1
t
2
1
#attacks > max size linking
2
∃ undetectable attacks
3
attack destabilizes g2 , g3
t3
, the design is independent of B, D, and u(t)
, if w (0) 6= x(0), then asymptotic convergence
/ a direct centralized implementation may not be feasible
due to high dimensionality, spatial distribution, communication complexity, . . .
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
24 / 46
Decentralized Monitor Design
E1
 ..
E =.
0
0
..
.
0


0
C1
..  , C =  ..
.
. 
EN
0
0
..
.
0

0
.. 
. 
CN
Area 1
Area 3
G
G
G
G
y (t) = Cx(t) + Du(t)
G
G
G
G
G
G
G
···
..
.
···
A1N
..  = A + A
D
C
. 
AN
G
where A = AD + AC
Area 4
G
G
G
G
G
G
26 / 46
Decentralized detection filter:
E ẇ (t) = (AD + GC )w (t) + AC w (t) − Gy (t)
r (t) = Cw (t) − y (t)
G
where G = blkdiag(G1 , . . . , GN )
G
G
G
G
G
G
Area 2
G
G
Theorem (Decentralized Attack Detection Filter)
G
G
G
G
G
G
G
IEEE 118 Bus System
G
G
G
G
G
G
G
G
Area 5
G
G
G
(i) control center i knows Ei , Ai , and Ci , and neighboring Aij
(iii) E &C are blockdiagonal, (Ei , Ai ) is regular & (Ei , Ai , Ci ) is observable
Cyber-Physical Systems Under Attack
Security Seminar UCLA
Assume that w (0) = x(0), (E , AD + GC ) is Hurwitz, and
ρ ( jωE − AD − GC )−1 AC < 1 for all ω ∈ R .
If the attack is detectable, then r (t) = 0 if and only if u(t) = 0.
(ii) control center i can communicate with control center j ⇔ Aji 6= 0
F. Pasqualetti, F. Dörfler, F. Bullo
Security Seminar UCLA
G
G
G
A1
 ..
A= .
AN1
E ẋ(t) = Ax(t) + Bu(t)
G
G
G

G
System under attack:
G
G

Cyber-Physical Systems Under Attack
Decentralized Monitor Design: Continuous Communication
Partition the physical system with geographically deployed control centers:

F. Pasqualetti, F. Dörfler, F. Bullo
28 / 46
, the design is decentralized but achieves centralized performance
/ the design requires continuous communication among control centers
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
29 / 46
Digression: Gauss-Jacobi Waveform Relaxation
Distributed Monitor Design: Discrete Communication
Standard Gauss-Jacobi relaxation to solve a linear system Ax = u:
(k)
xi
X
1
(k−1)
=
ui −
aij xj
j6=i
aii
E ẇ (k) (t) = AD + GC w (k) (t) + AC w (k−1) (t) − Gy (t)
(k−1)
x (k) = −A−1
+A−1
D AC x
D u
⇔
Convergence: lim x (k) → x = A−1 u
k→∞
Distributed attack detection filter:
⇔
ρ A−1
D AC < 1
r (k) (t) = Cw (k) (t) − y (t)
where G = blkdiag(G1 , . . . , GN ), t ∈ [0, T ], and k ∈ N
Theorem (Distributed Attack Detection Filter)
Gauss-Jacobi waveform relaxation to solve E ẋ(t) = Ax(t) + Bu(t):
E ẋ (k) (t) = AD x (k) (t) + AC x (k−1) (t) + Bu(t) ,
t ∈ [0, T ]
Convergence for (E , A) Hurwitz & u(t) integrable in t ∈ [0, T ]:
lim x (k) (t) → x(t) ⇐
ρ ( jωE − AD )−1 AC < 1 ∀ ω ∈ R
If the attack is detectable, then limk→∞ r (k) (t) = 0 if and only if u(t) = 0
for all t ∈ [0, T ].
k→∞
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
Assume that w (k) (0) = x(0) for all k ∈ N, y (t) is integrable for t ∈ [0, T ],
(E , AD + GC ) is Hurwitz, and
ρ ( jωE − AD − GC )−1 AC < 1 for all ω ∈ R .
30 / 46
F. Pasqualetti, F. Dörfler, F. Bullo
Implementation of Distributed Attack Detection Filter
Area 1
Area 3
set k := k + 1, and compute
(k)
Ei ẇi (t)
2
3
transmit
= Ai +
(k)
wi (t)
(k)
Gi Ci wi (t)
+
t ∈ [0, T ], by integrating
G
=
G
Physics: classical generator model
and DC load flow model
G
G
G
Measurements: generator angles
G
G
Attack of all measurements in Area 1
Area 4
G
G
G
G
G
G
G
G
G
G
G
G
G
Area 2
G
G
G
(k)
Residuals ri (t) for k = 100:
G
G
G
G
G
G
IEEE 118 Bus System
1
Residual Area 1
G
G
G
0
G
G
G
G
G
(k)
⇒ For k sufficiently large,
31 / 46
G
G
ï1
0
1
G
Area 5
update wj (t) with the signal received from control center j
(k)
Ci wi (t)
G
G
− Gi yi (t)
to control center j if Aij 6= 0
(k)
ri (t)
G
G
G
G
(k−1)
Aij wj
(t)
j6=i
G
G
G
X
G
G
G
G
1
Security Seminar UCLA
An Illustrative Example: IEEE 118 Bus System
Distributed iterative procedure to compute the residual r (t), t ∈ [0, T ]:
(k)
wi (t),
Cyber-Physical Systems Under Attack
G
5
10
Convergence of waveform relaxation:
− yi (t) ≈ 0 ⇔ no attack
ï1
0
1
100
80
Error
⇒ Receding horizon implementation: move integration window [0, T ]
ï1
0
1
20
0
1
10
5
10
3
4
5
6
Iterations
7
8
9
10
ï1
0
30
35
40
15
20
25
30
35
40
15
20
25
30
35
40
25
30
35
40
25
30
35
Residual Area 4
5
10
15
20
Residual Area 5
0
2
25
Residual Area 3
0
60
40
⇒ Distributed verification of convergence cond.: ρ(·) < 1 ⇐ k · k∞ < 1.
5
0
120
20
Residual Area 2
0
ï1
0
1
15
5
10
15
20
40
Time
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
32 / 46
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
33 / 46
Centralized Identification Monitor Design
System under attack BK , DK , uK (t) :
Design Method
Controlled, Conditioned, and Deflating Subspaces
Centralized identification filter:
Ē ẇ (t) = Āw (t) − Ḡ y (t)
rK (t) = MCw (t) − Hy (t)
E ẋ(t) = Ax(t) + BK uK (t) + BR uR (t)
y (t) = Cx(t) + DK uK (t) + DR uR (t)
only uK (t) is active, i.e., uR (t) = 0 at all times
Theorem
Assume w (0) = x(0), and attack set is identifiable.
Then rK (t) = 0 if and only if K is the attack set.
Let SK∗ be the smallest subspace of the state space such that
∃ G such that (A + GC )SK∗ ⊆ SK∗ and R(BK + GDK ) ⊆ SK∗
, if w (0) 6= x(0), then asymptotic convergence
/ a direct centralized implementation may not be feasible
/ design depends on (BK , DK ) ⇒ combinatorial complexity (NP-hard)
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
35 / 46
Distributed Monitor Design
Design steps:
1) compute smallest conditioned invariant subspace SK∗
2) make the subspace SK∗ invariant by output injection
3) build a residual generator for the quotient space X \ SK∗
4) the residual is not affected by uK (t)
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
36 / 46
Distributed Attack Identification: a Naive Solution
Partition the physical system with geographically deployed control centers:

E1
 ..
E =.
0
0
..
.
0


0
C1
..  , C =  ..
.
. 
EN
0
0
..
.
0

0
.. 
. 
CN
Area 1
Area 3
G
G
G
G
G
G
G
···
..
.
···
A1N
..  = A + A
D
C
. 
AN
G
G
G
Area 4
G
G
G
G
G
G
G
G
3
Unknown input attacks
G
G
G
G
G
G
G
G
G
G
Area 2
Unknown connection inputs
G
G
G
G
2
G
G
G
A1
 ..
A= .
AN1
G
G
G
G
areaG dynamics
Area 3 1 GKnown
G
G
G
G

Area 1
G
G
G

G
G
G
G
G
G
G
G
G
G
G
G
G
G
IEEE 118 Bus System
G
G
G
G
G
G
G
G
G
Area 5
G
G
Consider unknown interconnection inputs as attacks and design attack
detection and identification monitors as in the centralized case.
G
G
G
G
G
G
G
G
(i) control center i knows Ei , Ai , and Ci , and neighbouring Aij
(ii) control center i can communicate with control center j ⇔ Aji 6= 0
(iii) E &C are blockdiagonal, (Ei , Ai ) is regular & (Ei , Ai , Ci ) is observable
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
38 / 46
,
,
,
/
G
G
G
G
G
G
G
G
G
completely distributed the design
very low combinatorics
no communication among different areas
solvability conditions are very strict (boundary attacks)
F. Pasqualetti, F. Dörfler, F. Bullo
G
G
G
G
G
G
G
G
G
G
G
G
G
G G
Security Seminar UCLA
Cyber-Physical Systems UnderG Attack
G
G
39 / 46
Distributed Attack ID: a Divide & Conquer Solution
Area 1
Area 3
G
G
G
G
An Example of Distributed Attack Identification
G
Area 1
G
1
G
2
1
Attacker affects 3 (red)
2
Measurements {2, 5, 7},
{12, 13, 15} (blue)
3
3 is undetectable in Area1
4
Reconstruction with V2 = 0
5
3 is cooperatively identifiable
G
G
G
G
G
G
G
1
G
Treat
the connection inputs as unknown
G
G
4
3
9
10
13
14
16
15
12
G
G
Area 2
G
G
G
Reconstruct the state (modulo
V) of area via unknown-input observer
G
G
G
Communicate estimate and V to neighboring areas
G
G
G
G
G
G
The unknown part of the connection input is restricted
G
G to V.
G
F. Pasqualetti, F. Dörfler, F. Bullo
11
G
G
G
G
3
7
G
G
2
8
G
G
G
6
G
G
G
5
Cyber-Physical Systems Under Attack
G
G
G
G
Security Seminar UCLA
G
G
40 / 46
,
,
,
,
completely distributed the design
very low combinatorics
little communication among different areas
solvability conditions are easier to verify
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
41 / 46
G
G
A Case Study: RTS-96 Bus System
RTS-96 Bus System: Linear Dynamics without Noise
202
209
220
20
20
0
0
x(t)
216
ï20
0
102
(optio
nal D
C lin
5
10
15
20
x(t): generators trajectories
r (t): detection residual
ï20
14.5
1
0.1
0
0
15
15.5
rK (t): identification residual for K
rR (t): identification residual for R
k)
120
103
r(t)
ï1
0
309
118
310
5
10
15
20
ï0.1
14.5
1
0.05
0
0
filters are designed via conditioned
invariance technique
15
15.5
15
15.5
302
rK (t)
307
1
Physical dynamics: classical generator model & DC load flow
2
Measurements: angle and frequency of all generators
3
Attack: modify governor control at generators g101 & g102
ï1
0
rR (t)
5
10
15
20
ï0.05
14.5
1
1
0
0
ï1
0
5
10
15
20
ï1
14.5
15
15.5
Time
4
Monitors: our centralized detection and identification filters
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
43 / 46
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
43 / 46
RTS-96 Bus System: Linear Dynamics with Noise
20
20
0
0
x(t)
ï20
0
r(t)
15
20
ï20
14.5
0
0
5
10
15
20
ï0.1
14.5
1
0.1
0
0
ï1
0
rR (t)
10
0.1
ï1
0
rK (t)
5
1
5
10
15
20
ï0.1
14.5
1
1
0
0
ï1
0
5
10
15
20
ï1
14.5
RTS-96 Bus System: Nonlinear Dynamics
x(t): generators trajectories
15.5
20
0
0
x(t)
r (t): detection residual
15
20
rK (t): identification residual for K
ï20
0
rR (t): identification residual for R
filters are designed via conditioned
invariance and Kalman gain
15
r(t)
rK (t)
15
rR (t)
15
20
0
5
10
15
20
0.05
0
0
10
15
20
ï0.05
14.5
1
1
0
0
5
10
15
20
15
15.5
rK (t): identification residual for K
rR (t): identification residual for R
ï0.1
14.5
1
5
r (t): detection residual
ï20
14.5
0
ï1
0
15.5
15
0.1
ï1
0
15.5
10
1
ï1
0
15.5
5
x(t): generators trajectories
ï1
14.5
filters are designed via conditioned
invariance and Kalman gain
15
15.5
15
15.5
15
15.5
Time
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
43 / 46
Conclusion
Security Seminar UCLA
43 / 46
F. Pasqualetti, A. Bicchi, and F. Bullo. Distributed intrusion detection for secure consensus computations.
In IEEE Conf. on Decision and Control, pages 5594–5599, New Orleans, LA, USA, Dec. 2007.
1
a modeling framework for cyber-physical systems under attack
2
fundamental detection and identification limitations
3
system- and graph-theoretic detection and identification conditions
5
Cyber-Physical Systems Under Attack
References
We have presented:
4
F. Pasqualetti, F. Dörfler, F. Bullo
F. Pasqualetti, A. Bicchi, and F. Bullo. On the security of linear consensus networks.
In IEEE Conf. on Decision and Control and Chinese Control Conference, pages 4894–4901, Shanghai, China, Dec. 2009.
F. Pasqualetti, A. Bicchi, and F. Bullo. Consensus computation in unreliable networks: A system theoretic approach.
centralized attack detection and identification procedures
IEEE Transactions on Automatic Control, 2011, DOI: 10.1109/TAC.2011.2158130.
F. Pasqualetti, R. Carli, A. Bicchi, and F. Bullo. Identifying cyber attacks under local model information.
In IEEE Conf. on Decision and Control, Atlanta, GA, USA, December 2010.
F. Pasqualetti, R. Carli, A. Bicchi, and F. Bullo. Distributed estimation and detection under local information.
In IFAC Workshop on Distributed Estimation and Control in Networked Systems, Annecy, France, September 2010.
distributed attack detection and identification procedures
F. Pasqualetti, A. Bicchi, and F. Bullo. A graph-theoretical characterization of power network vulnerabilities.
In American Control Conference, San Francisco, CA, USA, June 2011.
F. Pasqualetti, R. Carli, and F. Bullo. Distributed estimation and false data detection with application to power networks.
Automatica, March 2011, To appear.
Ongoing and future work:
1
optimal network partitioning for distributed procedures
F. Pasqualetti, F. Dörfler, and F. Bullo. Cyber-physical attacks in power networks: Models, fundamental limitations and
monitor design. In IEEE Conf. on Decision and Control, Orlando, FL, USA, December 2011.
2
effect of noise, modeling uncertainties & communication constraints
F. Dörfler, F. Pasqualetti, and F. Bullo. “Distributed detection of cyber-physical attacks in power networks: A waveform
relaxation approach,” in Allerton Conf. on Communications, Control and Computing, Sep. 2011.
3
quantitative analysis of cost and effect of attacks
F. Pasqualetti, F. Dörfler, and F. Bullo. “Attack Detection and Identification in Cyber-Physical Systems - Part I: Models
and Fundamental Limitations,” in IEEE Transactions on Automatic Control, Feb. 2012, Submitted.
4
applications to distributed-parameters cyber-physical systems
F. Pasqualetti, F. Dörfler, and F. Bullo. “Attack Detection and Identification in Cyber-Physical Systems - Part II:
Centralized and Distributed Monitor Design,” in IEEE Transactions on Automatic Control, Feb. 2012, Submitted.
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
44 / 46
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
45 / 46
A Case Study: Competitive Power Generation Environment
Cyber-Physical Systems under Attack
Our geometric control methods can also be used for attack design.
Models, Fundamental Limitations, and Monitor Design
Canada
Fabio Pasqualetti
Florian Dörfler
10
15
2
PacNW
North
9
14
Francesco Bullo
7
Montana
Center for Control, Dynamical systems and Computation
University of California, Santa Barbara
1
6
NoCal
16
13
8
5
Utah
South
SoCal
12
Arizona
4
11
3
Western North American Power Grid
scenario: a subset of utility
companies K form a coalition
goal: disrupt the power
generation of competitors
strategy: choose K ∗ ⊂ K
sacrificial generators and design
an input not affecting K \ K ∗
while maximizing damage at
non-colluding generators
additionally here: design such
that impact on K ∗ is minimal
University of California, Los Angeles, CA, Feb 24, 2012
C. L. DeMarco and J. V. Sariashkar and F. Alvarado “The potential for malicious control in a competitive power systems
environment” IEEE International Conference on Control Applications, 1996
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
46 / 46
A Case Study: Competitive Power Generation Environment
malicious coalition: K = {1, 9} (PacNW)
with sacrificial machine {9}
control minimizes kω9 (t)kL∞
subject to kω16 (t)kL∞ ≥ 1 (Utah)
Canada
10
15
2
7
North
PacNW
Montana
9
14
1
6
NoCal
16
13
8
5
Utah
⇒ non-colluding generators will be damaged
1
ω1
1
ω2
1
ω3
1
0.5
0.5
0.5
0.5
0
0
0
0
ï0.5
ï0.5
ï0.5
ï0.5
ï1
0
1
5
ω5
10
0
1
5
ω6
10
0
ω9
10
ï1
0
1
0.5
5
ω7
10
0
ω10
10
ï1
0
1
0.5
ω11
ï1
0
1
0.5
0
0
ï0.5
ï0.5
1
5
ω13
10
1
5
ω14
10
1
5
ω15
10
ï1
0
1
0.5
0.5
0.5
0.5
0
0
0
0
ï0.5
ï1
0
ï0.5
5
10
ï1
0
ï0.5
5
10
F. Pasqualetti, F. Dörfler, F. Bullo
ï1
0
5
10
11
3
Western North American Grid
1
ω12
0.5
0.5
0
ï0.5
ï1
0
10
Arizona
4
0
10
0
ï1
0
5
ω8
12
ï0.5
5
ï0.5
ï1
0
South
SoCal
0.5
ï0.5
5
ï1
0
1
0.5
ï0.5
5
ï1
0
1
0.5
ï0.5
ï1
0
ï1
0
1
0.5
ω4
0
ï0.5
5
ω16
10
ï1
0
10
ï1
0
2
3
4
5
6
7
8
9
10
governor control input
ï0.5
5
1
5
10
Cyber-Physical Systems Under Attack
Security Seminar UCLA
46 / 46
F. Pasqualetti, F. Dörfler, F. Bullo
Cyber-Physical Systems Under Attack
Security Seminar UCLA
46 / 46

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz