Verification of Information Flow Properties in Cyber-Physical Systems

Ravi Akella, Bruce McMillinDepartment of Computer ScienceMissouri University of Science &

Technology Rolla, MO, USA

CPS Week 2011: Workshop on Foundations of Dependable and Secure Cyber-Physical SystemsApril 11, 2011 Chicago, Illinois

This work was supported in part by the Future Renewable Electric Energy Delivery and Management Systems Center (FREEDM); a National Science Foundation supported Engineering Research Center, under grant NSF EEC-0812121 and in part by the Missouri S&T Intelligent Systems Center.

Cyber-Physical Systems (CPS)oIntegrations of computational and

physical processes

oAn example CPS is the FREEDM system: a smart grid managed with Distributed Grid Intelligence (DGI)

oDGI consists of cyber processes that perform distributed computation to efficiently manage distributed energy resources by interfacing with Intelligent Energy Management (IEM)

oThere is an inter-dependence of events within the physical and cyber processes

• Cyber events within a CPS involve:1) distributed computation,2) communication with other cyber components, and 3) communication with the physical component that it controls.

• Physical events include: 1) a local state change of the physical subsystem resulting from a cyber

component controlling it, 2) a local physical state change resulting from the dynamics of the physical

system, and3) the observability of the physical system modeled as events

CPS Interactions

CPS Smart grid Interactions

ea c

b d e

ac

b d e

At this IEM, information obtained from the observable physical event yields

information about the cyber command (b)

SST

PHEV Load PV

DGI

SST

PHEV Load Wind

DGI

SST

Battery Load PV

DGI

ab

c

d

Read state of Physical systemaIssue command to make a settingbMessage exchange including partial state information

c

Power draw or contribution on the shared power bus

d

e

Event due to physical flow on the shared power bus

e

IEM1 IEM2 IEM3

Information flow usecase of a CPS

• Information Flow Security aims at guaranteeing that no high level (confidential) information is revealed to users at a low level, even in the presence of any possible cyber/physical process

• Potential information flow models for CPSs:– Non-Interference: Information does not flow from high to low if the high

behavior has no effect on what low level observer can observe– Non-Inference: leaves a low level observer in doubt about high level events.– Non-deducibility: Given a set of low-level outputs, no low-level subject

should be able to deduce anything about the high-level inputs [Sutherland].– Composition of deducibly secure systems: not composable [McCullough]– McCullough`s Generalized noninterference-secure property considers non-

determinism of real systems

Objective: Analyze Information Flow Security in CPS

• A unified approach to deal with CPSs is necessary that can encompass the cyber and physical events

• We propose a process algebraic approach adopted to analyze the information flow in CPSs

• Security process algebra provides an abstract description for nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High)

• Using process algebra, bisimulation provides a formal method to determine nondeducibility.

Information Flow Security for CPSProcess Algebra Approach

A system E is BNDC if for every high level process ∏, a low level user cannot distinguish E from E|∏

E| ∏ : Parallel Composition of E1& ∏ where executions of the two systems are interleaved

Bisimulation-based NonDeducibility on Composition (BNDC)

Bisimulation oTwo processes are weakly bisimilar if they are able to mutually simulate their behavior step by step.

oIn a weak bisimilarity relation, internal silent actions (τ) between processes is ignored.

E1 and E2 are bisimilar and they both simulate E3

E3 is not bisimilar to E1

Strong BNDC (SBNDC)

The system before and after execution of a high level event remains indistinguishable to the low level domain

E

E’’\H

E’

E’\H

E’’h

Simplification of SBNDC: Bisimulation up to H

The problem of verifying weak bisimulation for all high level transitions of the system can be transformed into finding a bisimulation up to H relation

E E\H

SST

Battery Load PV

DGI

SST

Battery Load PV

DGI

SST

Battery Load PV

DGI

Invariance of Flow in a CPS

Power shared between 1 and 2 due to DGI algorithm

• Power flow satisfies the Kirchhoff's law of invariance on the bus that can be represented as a physical event

SST

Battery Load PV

DGI

SST

Battery Load PV

DGI

SST

Battery Load PV

DGI

Smart grid in terms of SPA

SBNDC for FREEDM

The system before and after execution of a high level event remains indistinguishable to the low level domain

E

E’’\H

E’

E’\H

E’’h

SBNDC for FREEDM

o Such processes can be modified to satisfy SBNDC by inserting a complementary High level output, to make an internal action (τ) that is not observable

o Such compensating events hide the physically observable effects

d

d

Our Current Work

Prototype DGI for FREEDM – IEEE SmartGridComm 2010 Akella/Ditch/McMillin/Meng/Crow

Full Specification of DGI in SPA – EWICS SAFECOMP 2010 Akella/McMillin

Formal Verification of Transmission Grid/Pipeline Network Security with SPA/CoPS – J. of Critical Infrastructure Protection – Akella/Tang/McMillin 2010 Component Construction for Constructing Secure Smart Grid Systems –

IEEE COMPSAC 2011 Gamage/Roth/McMillin

Directions for future work

Information flow analysis, with its origins in computational systems, can be extended to the realm of cyber-physical systems to verify their security

Representation of physical events including attributes such as invariance and physical observability expose potential confidentiality violations

Process algebra presents a uniform model of defining cyber and physical processes that can be mechanically verified Model checking complexity incurred in automating the verification of CPS

processes can be reduced using techniques like partial order reduction and new bisimulation techniques to reduce state space