Security of Smart Grids: A Cyber‐Physical Perspective

Bruno Sinopoli, Assistant Professor, Department of ECE, Carnegie Mellon

CyLab Silicon Valley Briefing, March 25, 2011


Page 2:

The smart grid

Page 3:

From a smart grid to a smarter grid

•  Integration of

Page 4:

Is it a worthwhile effort?

•  Pros
–  Efficiency
–  Safety
–  Green
–  Competitiveness

•  Cons
–  Cost
–  Complexity
–  Vulnerability

Page 5:

What are Cyber‐Physical Systems?

[Figure: diagram with the labels Computing, Control, Communication, Cyber, Physical]

Page 6:

Cyber vs Cyber‐Physical Security

•  Key goals of information security:
–  Confidentiality: attacker cannot read data packets.
–  Integrity: attacker cannot modify data packets.
–  Availability: data packets are available for estimation and control purposes.
–  Etc.

•  Key goal of CPS security:
–  Guaranteeing reliable system operation

•  Cyber security is a tool, not a goal

Page 7:

Goal/Scope of the attack in CPS

•  Disrupt operations, e.g. destabilize the system (e.g. Stuxnet)
•  Reduce system’s performance
•  Financial gain
•  Context
–  Cyber warfare
–  Commercial advantage
–  Criminal intent

Page 8:

Types of CPS Attacks/Remediation

•  Attacks
–  Cyber range of attacks
–  Physical attacks
–  Insider attacks

•  Remediation
–  Detection/isolation
–  Guarantee continuity of operation
–  Graceful degradation
–  Service restoration

Page 9:

Today’s talk: provide some insights via case studies

•  System definition
–  Focus on control systems

•  Attacks on sensors
–  Analysis of sensor replay attacks
–  Analysis of integrity attacks on sensors

•  Examples
•  Conclusion

Page 10:

System model

•  We model the underlying physical system as a linear time‐invariant system:

$$x_{k+1} = Ax_k + w_k$$

•  Sensors are used to monitor the system:

$$y_k = Cx_k + v_k$$

•  Each element in $y_k$ represents the reading of a certain sensor at time $k$.

Page 11:

Illustrative Example

•  We consider a vehicle moving along the $x$-axis.

•  Two sensors are used to measure position and velocity respectively.

$$\dot{x}_{k+1} = \dot{x}_k + w_{k,1}, \qquad x_{k+1} = x_k + \dot{x}_k + w_{k,2}$$

$$y_{k,1} = x_k + v_{k,1}, \qquad y_{k,2} = \dot{x}_k + v_{k,2}.$$

Page 12:

Kalman Filter and LQG controller

Page 13:

Failure Detector

•  A failure detector is used to detect abnormality in the system, which triggers an alarm based on the following condition:

$$g_k > \text{threshold}$$

where

$$g_k = g(y_k, \hat{x}_k, \ldots, y_{k-T}, \hat{x}_{k-T}),$$

and the function $g$ is continuous.

Page 14:

Failure Detector

•  For example, $g_k$ for a chi‐square detector takes the following form:

$$g_k = z_k^T P^{-1} z_k$$

where

$$z_k = y_k - CA\hat{x}_{k-1},$$

and $P$ is the covariance of $z_k$.

Page 15:

Replay Attack Model (Allerton conf. ‘09)

•  The attacker can
–  Record and modify the sensors’ readings
–  Inject malicious control input

•  Replay Attack
–  Record a sufficient number of $y_k$ without adding control inputs.
–  Inject malicious control input to the system and replay the previous $y_k$. We denote the replayed measurements to be $y'_k$.

•  When replay begins, there is no information from the system to the controller. As a result, the controller cannot guarantee any closed‐loop control performance. The only chance is to detect the replay.

Page 16:

Our Abstract

Page 17:

16 months later…

Page 18:

System Diagram

Page 19:

Simulation

•  Suppose the attacker records from time –T and replay begins at time 0.

•  For some systems, the Chi2 detector cannot distinguish a system under replay from a system without replay.

Page 20:

Detection of Replay Attack

•  Manipulating equations:

•  If $A^k$ converges to 0 very fast, then there is no way to distinguish the compromised system and healthy system.

Page 21:

Counter Measure

•  Replay is feasible because the optimal estimator and controller are deterministic

•  If we add random control input to the system:
–  If the system responds to this input, then there is no replay
–  If not, then there is a replay
–  Random control inputs act like time stamps
–  Cost: The controller is not optimal any more

Page 22:

Counter Measure

•  Let the control input be

$$u_k = u^*_k + \Delta u_k,$$

where $u^*_k$ is the optimal control input and $\Delta u_k$ is an i.i.d. Gaussian random control input with zero mean and covariance $Q$. $\Delta u_k$ can be seen as an authentication signal.

•  The increase in control cost is given by

$$\operatorname{trace}\left[(U + B^T S B)Q\right]$$

Page 23:

Counter Measure

•  Innovation with random input:

Page 24:

New System Diagram

Page 25:

Simulation Result

•  One dimensional system, single sensor:

$$x_{k+1} = x_k + u_k + w_k,$$

$$y_k = x_k + v_k.$$

•  Parameters:
–  R = 0.1, Q = 1
–  W = U = 1
–  Detector window size 5, false alarm rate 5%

Page 26:

Detection Rate of Different Random Signal Strength

[Plot: Detection Rate versus Time (k)]
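An added simulation (not code from the talk) of the scalar system above: Kalman filter, LQG controller and windowed chi‐square detector, with sensor replay and an optional Gaussian authentication input. It assumes Q and R are the process and sensor noise variances, takes the authentication signal's variance as a free parameter `watermark_var`, and hardcodes the chi‐square threshold; all function names are this example's own.

```python
import math
import random

# Scalar plant from the simulation slide: x[k+1] = x[k] + u[k] + w[k], y[k] = x[k] + v[k].
Q_PROC, R_MEAS = 1.0, 0.1   # assumption: Q is process-noise variance, R is sensor-noise variance
W_COST, U_COST = 1.0, 1.0   # LQG state and input weights (W = U = 1)
WINDOW = 5                  # detector window size
THRESHOLD = 11.07           # 95% quantile of chi-square, 5 degrees of freedom (5% false alarms)

# Steady-state gains for A = B = C = 1 (closed-form roots of the scalar Riccati equations).
P_PRIOR = (Q_PROC + math.sqrt(Q_PROC**2 + 4 * Q_PROC * R_MEAS)) / 2
K_GAIN = P_PRIOR / (P_PRIOR + R_MEAS)        # Kalman gain
P_INNOV = P_PRIOR + R_MEAS                   # variance of the innovation z[k]
S_COST = (W_COST + math.sqrt(W_COST**2 + 4 * W_COST * U_COST)) / 2
L_GAIN = -S_COST / (S_COST + U_COST)         # LQR gain: u*[k] = L * x_hat[k]


def alarm_under_replay(rng, watermark_var, record_len=30, replay_steps=10):
    """Simulate one run; return True if the chi-square detector alarms during replay."""
    x = x_hat = u = 0.0
    recorded, window = [], []
    for k in range(record_len + replay_steps + 1):
        x = x + u + rng.gauss(0.0, math.sqrt(Q_PROC))     # true plant keeps evolving
        y = x + rng.gauss(0.0, math.sqrt(R_MEAS))         # honest sensor reading
        if k < record_len:
            recorded.append(y)                            # recording phase
        else:
            y = recorded[k - record_len]                  # replay phase: stale data
        z = y - (x_hat + u)                               # innovation seen by the detector
        x_hat = x_hat + u + K_GAIN * z                    # Kalman update
        # Optimal input plus the zero-mean Gaussian authentication signal.
        u = L_GAIN * x_hat + rng.gauss(0.0, math.sqrt(watermark_var))
        window = (window + [z])[-WINDOW:]
    g = sum(zi * zi for zi in window) / P_INNOV           # windowed chi-square statistic
    return g > THRESHOLD


def detection_rate(watermark_var, runs=2000, seed=1):
    """Fraction of runs that alarm on the window covering replay steps 6..10."""
    rng = random.Random(seed)
    return sum(alarm_under_replay(rng, watermark_var) for _ in range(runs)) / runs


def added_control_cost(watermark_var):
    """Cost increase trace[(U + B'SB)Q] from the slides, for the scalar case B = 1."""
    return (U_COST + S_COST) * watermark_var


if __name__ == "__main__":
    for var in (0.0, 0.2, 1.0):
        print(f"watermark variance {var}: detection rate {detection_rate(var):.3f}, "
              f"extra cost {added_control_cost(var):.3f}")
```

With variance 0 the alarm rate under replay stays at the false alarm rate, and it rises with the variance of the authentication signal at a control cost that grows linearly.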

Page 27:

Chemical Plant (A + C → D)

Objectives:
Maintain production rate by controlling valves
Minimize operating cost (function of purge loss of A and C)

Restrictions:

Page 28:

Regular vs. Secure controller

Time for detection = 25 ms

Page 29:

Integrity Attack strategy

•  The attacker has full knowledge of the system’s model.

•  The attacker can change the readings of a subset of sensors.

$$y'_k = Cx'_k + v_k + \Gamma y^a_k$$

•  The goals of the attacker are:
–  To affect the system’s operations;
–  Not being detected.

Page 30:

Questions

•  Can the attacker successfully destabilize the system?

•  If not, what is the extent of the perturbation that the attacker can inflict on the system?

Page 31:

Integrity Attack Model

•  An attack sequence $Y$ is defined as an infinite sequence of the attacker’s input $y^a_0, y^a_1, \ldots$

•  The innovation is defined as

$$z_k = y_k - CA\hat{x}_k, \qquad z'_k = y'_k - CA\hat{x}'_k$$

•  An attack sequence $Y$ is called $(T, \alpha)$ feasible if the following conditions hold from time 0 to time T:

$$\frac{1}{2}(z'_k - z_k)^T P^{-1}(z'_k - z_k) \le \alpha$$

Page 32:

Reachable Set

•  Define estimation error as:

$$e_k = x_k - \hat{x}_k, \qquad e'_k = x'_k - \hat{x}'_k$$

•  Define the bias introduced by the attacker as:

$$\Delta e_k = e'_k - e_k.$$

•  The $k$ reachable region is defined as:

$$R_k = \{x \in \mathbb{R}^n : x = \Delta e_k(Y), \text{ and } Y \text{ is } (k, 1) \text{ feasible}\}.$$

•  The reachable region is defined as:

$$R = \bigcup_{k=1}^{\infty} R_k.$$

Page 33:

Which sensors should I attack/protect?

•  To check the resilience of a control system, one can find all the unstable eigenvectors of A and compute Cv.

•  If Cv is sparse, then the attacker only needs to compromise a few sensors to launch an attack along the direction v.

•  To improve the resilience, the defender could add redundant sensors to measure every unstable mode.

The reachable region R is unbounded if and only if A has an unstable eigenvalue and the corresponding eigenvector v satisfies:

1. $Cv \in \operatorname{span}(\Gamma)$.

2. v is reachable for dynamic system $\Delta e_{k+1} = (A - KCA)\Delta e_k - K\Gamma y^a_{k+1}$.
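The eigenvector check described above, as an added example (not from the talk) applied to the vehicle model and written with NumPy. The state ordering [velocity, position], the treatment of eigenvalues with magnitude at least 1 as unstable, and the function names are assumptions of this example; it inspects only the support of Cv and does not test the reachability condition.

```python
import numpy as np

# Vehicle model from the illustrative example, state ordered as [velocity, position] (assumed).
A_VEHICLE = [[1.0, 0.0],    # velocity[k+1] = velocity[k]
             [1.0, 1.0]]    # position[k+1] = position[k] + velocity[k]
C_VEHICLE = [[0.0, 1.0],    # sensor 0 measures position
             [1.0, 0.0]]    # sensor 1 measures velocity


def sensors_seeing_unstable_modes(A, C, tol=1e-9):
    """Return, per unstable eigenvector v of A, the indices of sensors with nonzero (Cv)_i.

    A short index tuple means Cv is sparse: few sensors observe that mode, so those
    are the readings to protect or duplicate. Modes with |eigenvalue| >= 1 count as
    unstable (discrete time). Only the support of Cv is checked, not reachability.
    """
    A = np.asarray(A, dtype=float)
    C = np.asarray(C, dtype=float)
    eigvals, eigvecs = np.linalg.eig(A)
    supports = set()
    for lam, v in zip(eigvals, eigvecs.T):
        if abs(lam) < 1.0 - tol:
            continue                                    # stable mode, cannot grow
        cv = C @ (v / np.linalg.norm(v))
        supports.add(tuple(int(i) for i in np.flatnonzero(np.abs(cv) > tol)))
    return sorted(supports)


def with_redundant_sensor(C, row):
    """Append one extra sensor row to C (the 'add redundant sensors' mitigation)."""
    return np.vstack([np.asarray(C, dtype=float), row])


if __name__ == "__main__":
    print(sensors_seeing_unstable_modes(A_VEHICLE, C_VEHICLE))       # [(0,)]
    hardened = with_redundant_sensor(C_VEHICLE, [0.0, 1.0])          # second position sensor
    print(sensors_seeing_unstable_modes(A_VEHICLE, hardened))        # [(0, 2)]
```

In this model the unstable direction is seen by the position sensor alone, and adding a second position sensor doubles the number of readings that would have to be falsified consistently.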

Page 34:

Resilient systems allow only a finite reachable set

•  In general computing the reachable set is very hard, since the number of inequalities needed to describe the set quickly explodes.

•  As a result, we use ellipsoids to approximate the reachable region.

Page 35:

Illustrative Example

•  We consider a car moving along the $x$-axis.

•  Two sensors are used to measure position and velocity respectively.

$$\dot{x}_{k+1} = \dot{x}_k + w_{k,1}, \qquad x_{k+1} = x_k + \dot{x}_k + w_{k,2}$$

$$y_{k,1} = x_k + v_{k,1}, \qquad y_{k,2} = \dot{x}_k + v_{k,2}.$$

•  We assume that $Q = R = I_2$.

Page 36:

Position sensor is compromised

Page 37:

Simulation Result: Compromising the Position Sensor

Page 38:

Velocity Sensor is compromised

Page 39:

An application: Electricity Market pricing

•  The price of electricity is determined by the state estimation, i.e. generation, power flow over transmission and load of the power grid.

•  If an attacker was able to compromise some sensors, then it could introduce a bias in the state estimation accordingly.

•  Eventually, over a finite time‐horizon, the attacker will affect the pricing to his advantage and make a profit.

Page 40:

Day‐Ahead Forward Market and Virtual Bidding

•  The Regional Transmission Organization (RTO) computes the nodal price based on the predicted load.

•  The price is published usually 36 hours before actual operation.

•  A market participant could buy/sell virtual power at location j in the day‐ahead market, and is obliged to sell/buy the same amount of power at the same location in the real time market.

Page 41:

Ex‐Post Market (Real Time Market)

•  A transmission line is positively congested if $F_l > F_l^{\max}$. It is negatively congested if $F_l < F_l^{\min}$.

•  In the real market, the RTO tries to solve the following minimization problem:

$$\begin{aligned}
\underset{\Delta Pg_i}{\text{minimize}} \quad & \sum_{i=1}^{I} C_i \Delta Pg_i \\
\text{subject to} \quad & \sum_{i=1}^{I} \Delta Pg_i = 0 \\
& \Delta Pg_i^{\min} \le \Delta Pg_i \le \Delta Pg_i^{\max} \quad \forall i = 1, \ldots, I \\
& \Delta F_l \le 0 \quad \forall l \in cl_+ \\
& \Delta F_l \ge 0 \quad \forall l \in cl_-,
\end{aligned}$$

Page 42:

Ex‐Post Market (Real‐Time Market)

•  The Lagrangian of the above minimization problem is defined as

$$\begin{aligned}
L = {} & \sum_{i=1}^{I} C_i(\Delta Pg_i + Pg(i)) - \lambda \sum_{i=1}^{I} \Delta Pg_i \\
& + \sum_{i=1}^{I} \mu_{i,\max}(\Delta Pg_i - \Delta Pg_i^{\max}) \\
& + \sum_{i=1}^{I} \mu_{i,\min}(\Delta Pg_i^{\min} - \Delta Pg_i) \\
& + \sum_{l \in cl_+} \eta_l \Delta F_l + \sum_{l \in cl_-} \zeta_l(-\Delta F_l).
\end{aligned}$$

Page 43:

Ex‐Post Market (Real Time Market)

•  The nodal price at point j is given by

$$\lambda_j = \lambda + \sum_{l=1}^{L} (\eta_l - \zeta_l)\frac{\partial F_l}{\partial Ld_j}.$$

Page 44:

Profitability

•  The nodal locational marginal price (LMP) difference is caused by congestion in the transmission lines.

•  Given two nodes $j_1$ and $j_2$, depending on the power distribution matrix, we could classify the transmission lines into three categories: $L_-, L_0, L_+$.

•  If no line in $L_-$ ($L_+$) is positively (negatively) congested, then the price at $j_1$ will be greater than the price at $j_2$.

Page 45:

Profitability

•  The attacker first buys/sells at the day ahead market at location $j_1$ and $j_2$, $p$ units of virtual power, with price $\lambda^{DA}_1, \lambda^{DA}_2$. Assume that

$$\lambda^{DA}_1 < \lambda^{DA}_2.$$

•  In the Ex‐post market, sell/buy at the same location, with price $\lambda_1, \lambda_2$.

•  Manipulating the state estimation to ensure:

$$\lambda_1 > \lambda_2.$$

•  The total profit is

$$\left[(\lambda^{DA}_2 - \lambda^{DA}_1) + (\lambda_1 - \lambda_2)\right] p.$$

Page 46:

Attacker’s strategy

Page 47:

Profitability

Market | Gaithersburg ($/MWh) | Pittsburgh ($/MWh)
Day Ahead Market | Buy at 25 | Sell at 30
Ex-Post Market without the Attack | Sell at 20 | Buy at 26
Ex-Post Market under the Attack | Sell at 24 | Buy at 23

•  Without the attack, the attacker could lose 1 $/MWh.
•  With the attack, the attacker gains 6 $/MWh.

Page 48:

Conclusion

•  Security of cyber‐physical systems is of paramount importance

•  Security needs to be integrated with system theory/knowledge

•  A science of security for CPS systems needs to be developed

•  Small attacks that run “under the radar” can have serious consequences

Page 49:

Thank You!

Page 50:

Simulation Result

Page 51:

Simulation Result

Page 52:

Simulation Result