A Cyber-Physical and Agent -Based Defense to False Data ... · would not infringe privately owned...
Transcript of A Cyber-Physical and Agent -Based Defense to False Data ... · would not infringe privately owned...
A Cyber-Physical and Agent-Based Defense to False Data Injection
Attacks on a SCADA System
Joseph Andrew Giampapa PI, Senior Member of Technical Research Staff
Software Engineering Institute, Carnegie Mellon University
1
Gabriela Hug-Glanzmann Co-PI, Assistant Professor
Electrical and Computer Engineering, Carnegie Mellon University
Disclaimer This information was prepared as an account of work sponsored by an agency of the U.S. Government. Neither the U.S. government nor any agency thereof, nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness, of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the U.S. Government or any agency thereof. The views and opinions of authors expressed herein do not necessarily state or reflect those of the U.S. government or any agency thereof.
2
Additional Team Members Soummya Kar • Researcher, Assistant Research Professor • Electrical and Computer Engineering, Carnegie Mellon University David S. Kyle • Research Programmer, Member of the Technical Staff • Software Engineering Institute, Carnegie Mellon University Kawa Cheung • Research Assistant, MS Student • Electrical and Computer Engineering, Carnegie Mellon University Skyler B. Shatkin • Research Assistant, MS Student • Electrical and Computer Engineering, Carnegie Mellon University Mayank K. Malu • Research Programmer, MS Student • Institute for Software Research, Carnegie Mellon University
3
Acknowledgements
• SEI Ultra-Large-Scale (ULS) System Research Initiative – http://www.sei.cmu.edu/uls/index.cfm – Linda Northrop
• High-Confidence Cyber-Physical Systems (CPS) Program
– Mark Klein
• DoE Office of Electricity Delivery & Energy Reliability – Cybersecurity for Energy Delivery Systems (CEDS) Program – Carol Hawk
Research Problems 1. What is the security threat to the power grid posed by a compromised
SCADA (Supervisory Control and Data Acquisition) system? – Consequence analysis on power system functions – Baseline for understanding how to regain control if attacked
2. Considerations of the architectural components of a SCADA and EMS (Energy Management System):
– Which components need to be compromised? – How must they be compromised to perform an attack? – What are the implications for other components of the SCADA / EMS
architecture?
3. If a SCADA system is subverted: – How can the extent of the subversion be identified and isolated? – How can the power system operator regain control?
Cyber-Threat: False Data Injection (FDI) Attack
• Single-most critical EMS function is state estimation • Process is central to a grid control center • Receives noisy remote sensor data • Identifies and discards bad data • Determines state variables of the grid for power flow calculations • Based on this data, power grid operations are determined
• False Data Injection • Falsifies data that is input to state estimation • Has two potential impacts on operator’s perception of grid state:
• Loss of observability of power grid state (𝑚 < 2𝑁 − 1) • Perceived observability 𝑚 ≥ 2𝑁 − 1 , but
Incorrect and unsafe adjustments can be made Based on misperceptions of system state due to FDI data
Technical Approach • Focus on FDI attacks that create false sense of observable transmission
grid state (𝑚 ≥ 2𝑁 − 1) – There are at least as many perceived usable measurements as state variables – Unobservability (𝑚 < 2𝑁 − 1) will be addressed in the future
• Introduce autonomous software agents to model cyber-physical properties of the grid / EMS at their cyber-physical location
• Theoretically prove that for any and all vectors of FDI cyber-attack – The agents can autonomously detect it – Even if the agents may be compromised
• Validate proof by modeling and simulation
• Implement proof-of-concept on SCADA devices
7
Test Bed Data Flow Visualization
of the Power Grid’s Ground Truth
Visualization of the Power Grid Operator’s
Perception of Grid State
FDI Cyber- Attack State
Measure
Estimate State
Power grid operator’s perception should be as close to ground truth as possible. Bad
Data
Topologically- Motivated
Errors Estimated
State
Temporary Data Store
Measured State
Agree with Measurements
Disagree with Measurements
Evaluate Locally
SCADA Agents
Five Models Studied in the Proposed SCADA Agent Protection System
1. Electrical Model
2. SCADA Model
3. SCADA Attack Model
4. SCADA Agent Model
5. SCADA Agent Attack Model
1. Electrical Model
Line Bus Bus
Ground Truth
2. SCADA Model
Line Bus Bus
Control Center: Bad Data
Detection, State Estimation
RTU-1 RTU-2
Ground Truth
3. SCADA Attack Model
Line Bus Bus
Control Center: Bad Data
Detection, State Estimation
RTU-1 RTU-2
Ground Truth
4. SCADA Agent Model
Line Bus Bus
Control Center: Bad Data
Detection, State Estimation
RTU-1 RTU-2
Agent Model of the
Control Center
SCADA Agent-1
SCADA Agent-2
Ground Truth
5. SCADA Agent Attack Model
Line Bus Bus
Control Center: Bad Data
Detection, State Estimation
RTU-1 RTU-2
Agent Model of the
Control Center
SCADA Agent-1
SCADA Agent-2
Ground Truth
SCADA Agent Architecture
Ground Truth
Bus Bus
RTU-1 RTU-2
Control Center: Bad Data
Detection, State Estimation
SCADA Agent-1
SCADA Agent-2
Agent Model of the Control
Center
Distribution Grid
Other Control Centers
SCADA Agents of Other Areas
Other EMS Functions
… OPF CA AGC
OPF-A CA-A AGC-A DG-A OCC-A
Line
Architectural Rationale • Do not modify centralized state estimation functions with security
enhancements • It is an optimized process for current operations • Early and widespread adoption is desired
• Interoperability with legacy systems • Low-interference with current operations • Minimize startup and implementation costs
• Overlay distributed state estimation (DSE) verification for security • If DSE can be conducted autonomously by software agents • FDI attacks on centralized state estimation can be detected by
distributed agents • Power system is a closed system
• There is always knowledge elsewhere that can be leveraged
Results to Date: A Cyber-Attack is Possible G. Hug-Glanzmann and J.A. Giampapa, “Vulnerability Assessment of AC State Estimation with Respect to False Data Injection Cyber-Attacks,” in IEEE Transactions on Smart Grid, Vol. 3, No. 3, pp. 1362–1370, September 2012.
• Three techniques for determining which measurements to attack • DC Model
• Common in literature 2009 – present • Introduces detectable errors
• AC Model • Based on Jacobian matrix • Introduced
• Graph Theoretic Model • Extends AC Model for buses with no injections • Introduced
• Two techniques for determining measurement values • For an FDI-attack that falsifies observability • DC calculations – rapid but introduce detectable errors • AC calculations – non-linear, will not be detected
Take-Away Message
• Comprehensive power grid SCADA security requires a cyber-physical systems approach • Evaluate the threat with respect to its impact on properties of
the power grid, not just the cybernetic infrastructure • Remedies should also focus on mitigating the impact of the
threat, especially for cost-effective solutions to cyber-security.
• Knowledge to avert threat can be leveraged from multiple perspectives and sub-systems • Electrical properties, control theory, cybernetic properties • Leverage knowledge from other EMS functions
References
1. G. Hug-Glanzmann and J.A. Giampapa, “Vulnerability Assessment of AC State Estimation with Respect to False Data Injection Cyber-Attacks,” in IEEE Transactions on Smart Grid, Vol. 3, No. 3, pp. 1362–1370, September 2012, DOI: 10.1109/TSG. 2012.2195338. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6275516&isnumber=6275510
2. A. Tajer, S. Kar, H.V. Poor, and S. Cui, “Distributed Joint Cyber Attack Detection and State Recovery in Smart Grids,” in Proceedings of Cyber and Physical Security and Privacy (IEEE SmartGridComm), © 2011 IEEE, pp. 202–207. http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=06102319
3. ieRoadmap: interactive energy Roadmap to Achieve Energy Delivery Systems Cybersecurity, https://www.controlsystemsroadmap.net/Pages/default.aspx
4. Energy Sector Control Systems Working Group (ESCSWG), “Roadmap to Secure Energy Delivery Systems”, September 2011, pp. 81. https://www.controlsystemsroadmap.net/ieRoadmap%20Documents/roadmap.pdf
5. Y. Liu, P. Ning, and M.K. Reiter, “False data injection attacks against state estimation in electric power grids,” in Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, IL, November 2009.
6. National Communications System (NCS), Technical Information Bulletin 04-1, “Supervisory Control and Data Acquisition (SCADA) Systems”, NCS TIB 04-1, October 2004, pp. 76. http://www.ncs.gov/library/tech_bulletins/2004/tib_04-1.pdf
Contact Information Joseph Andrew Giampapa Senior Member of the Research
Technical Staff Research, Technology, and Systems
Solutions (RTSS) Program Telephone: +1 412-268-6379 Email: [email protected]
U.S. Mail Software Engineering Institute Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA
Web www.sei.cmu.edu www.sei.cmu.edu/staff/garof
• Copyright 2012 Carnegie Mellon University.
• This material is based upon work supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
• Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
• NO WARRANTY
• THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
• This material has been approved for public release and unlimited distribution except as restricted below.
• Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.
• External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
• *These restrictions do not apply to U.S. government entities.