WIXLIB

AcknowledgementsAttack Detection and Identification in Cyber-Physical SystemsFrancesco BulloFlorian DörflerFabio PasqualettiCenter for Control,Dynamical Systems & ComputationUniversity of California at Santa Barbarahttp://motion.me.ucsb.eduInternational Workshop on Emerging Frontiers in Systems and ControlTsinghua University, Beijing, China, May 18, 2012Workshop Organizers:Center for Intelligent and Networked Systems, Tsinghua UniversityInstitute of Systems Science, Chinese Academy of SciencesChair: Xiaohong Guan, Co-Chair: Yiguang Hong, Program Chair: Qingshan JiaF. Bullo UCSBCyber-Physical SecurityBeijing 19may20121 / 30OutlineF. Bullo UCSBCyber-Physical SecurityBeijing 19may20122 / 30Cyber-Physical Systems1Cyber-Physical Security2Models of Cyber-Physical Systems and Attacks3Analysis and Design ResultsSummarySome Technical Details4Summary and Future DirectionsFigure 2-5. City of Portland Water Supply Schematic DiagramWater Supplier Description2-18Moore’s Law in Computing/Communication/ControlRenewables and PMUs in smart grid, autonomy/networking in robotics,distributed intelligence in industrial processescyber-physical networksF. Bullo UCSBCyber-Physical SecurityBeijing 19may20123 / 30F. Bullo UCSBCyber-Physical SecurityBeijing 19may20124 / 30

SCADA security, says: “In thepast there was a gap between theskill sets of IT people andcontrol engineers. These daysthere’s much more of an overlap– the growth of IT-based controlsystems has fostered a convergence between them in terms ofworking together. As a result,Application DomainsThe Cyber-Physical Security Problem!"# %&'''%()(*%( ,-.,*%/012-3*%)0-4%5677*%899:!"# 453224681015232011100221467-5353306070809107δi / rad185016395100203040510δi / rad10304350Fig. 9. The New England test system [10], [11]. The system includes10 synchronous generators and 39 buses. Most of the buses have constantactive and reactive power loads. Coupled swing dynamics of 10 generatorsare studied in the case that a line-to-ground fault occurs at point F near bus16.Figure 2-5. City of Portland Water Supply Schematic Diagram-50Water Supplier Description2468102-18TIME / sFig. 10. Coupled swing of phase angle δi in New England test system.The fault duration is 20 cycles of a 60-Hz sine wave. The result is obtainedby numerical integration of eqs. (11).power generation, transportation, distribution networkswater, oil, gas and mass transportation systemssensor networksprocess control and industrial automation systems(metallurgical process plants, oil refining, chemical plants,pharmaceutical manufacturing . ubiquitous SCADA/PLC systems)test system can be represented byδ̇i ωi ,10!Hiω̇i Di ωi Pmi Gii Ei2 Ei E j ·πfsj 1,j! i· {Gij cos(δi δj ) Bij sin(δi δj )}, (11)where i 2, . . . , 10. δi is the rotor angle of generator i withrespect to bus 1, and ωi the rotor speed deviation of generatori relative to system angular frequency (2πfs 2π 60 Hz).δ1 is constant for the above assumption. The parametersfs , Hi , Pmi , Di , Ei , Gii , Gij , and Bij are in per unitsystem except for Hi and Di in second, and for fs in Helz.The mechanical input power Pmi to generator i and themagnitude Ei of internal voltage in generator i are assumedto be constant for transient stability studies [1], [2]. Hi isthe inertia constant of generator i, Di its damping coefficient,and they are constant. Gii is the internal conductance, andGij jBij the transfer impedance between generators iand j; They are the parameters which change with networktopology changes. Note that electrical loads in the test systemare modeled as passive impedance [11].B. Numerical ExperimentCoupled swing dynamics of 10 generators in thetest system are simulated. Ei and the initial condition(δi (0), ωi (0) 0) for generator i are fixed through powerflow calculation. Hi is fixed at the original values in [11].Pmi and constant power loads are assumed to be 50% at theirratings [22]. The damping Di is 0.005 s for all generators.Gii , Gij , and Bij are also based on the original line datain [11] and the power flow calculation. It is assumed thatthe test system is in a steady operating condition at t 0 s,that a line-to-ground fault occurs at point F near bus 16 att 1 s 20/(60 Hz), and that line 16–17 trips at t 1 s. Thefault duration is 20 cycles of a 60-Hz sine wave. The faultis simulated by adding a small impedance (10 7 j) betweenbus 16 and ground. Fig. 10 shows coupled swings of rotorangle δi in the test system. The figure indicates that all rotorangles start to grow coherently at about 8 s. The coherentgrowing is global instability.are provided to discuss whether the instability in Fig. 10occurs in the corresponding real power system. First, theclassical model with constant voltage behind impedance isused for first swing criterion of transient stability [1]. This isbecause second and multi swings may be affected by voltagefluctuations, damping effects, controllers such as AVR, PSS,and governor. Second, the fault durations, which we fixed at20 cycles, are normally less than 10 cycles. Last, the loadcondition used above is different from the original one in[11]. We cannot hence argue that global instability occurs inthe real system. Analysis, however, does show a possibilityof global instability in real power systems.Stuxnet worm (Iran, 2010)New York Times 15jan2011: replayattack as if “out of the movies:”1 records normal operations andplays them back to operators2 spins centrifuges at damagingspeedsIV. T OWARDS A C ONTROL FOR G LOBAL S WINGI NSTABILITYGlobal instability is related to the undesirable phenomenonthat should be avoided by control. We introduce a keymechanism for the control problem and discuss controlstrategies for preventing or avoiding the instability.A. Internal Resonance as Another MechanismInspired by [12], we here describe the global instabilitywith dynamical systems theory close to internal resonance[23], [24]. Consider collective dynamics in the system (5).For the system (5) with small parameters pm and b, the set{(δ, ω) S 1 R ω 0} of states in the phase plane iscalled resonant surface [23], and its neighborhood resonantband. The phase plane is decomposed into the two parts:resonant band and high-energy zone outside of it. Here theinitial conditions of local and mode disturbances in Sec. IIindeed exist inside the resonant band. The collective motionbefore the onset of coherent growing is trapped near theresonant band. On the other hand, after the coherent growing,it escapes from the resonant band as shown in Figs. 3(b),4(b), 5, and 8(b) and (c). The trapped motion is almostintegrable and is regarded as a captured state in resonance[23]. At a moment, the integrable motion may be interruptedby small kicks that happen during the resonant band. That is,the so-called release from resonance [23] happens, and thecollective motion crosses the homoclinic orbit in Figs. 3(b),4(b), 5, and 8(b) and (c), and hence it goes away fromthe resonant band. It is therefore said that global instabilityF. Bullo UCSBCyber-Physical SecurityCyber-Physical Security(') Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 10, 2009 at 14:48 from IEEE Xplore. Restrictions apply.PROPER MANAGEMENTREQUIREDYet all this technology will be asnothing without propermanagement, so who shouldhave overall responsibility for“Repository of Ind. Security Incidents”security incidentshttp://www.securityincidents.orgSOME OF MANYChemical industryIP address change shuts downchemical plant; hacker changeschemical plant set points; NachiWorm on advanced process controlservers; SCADA attack on plant ofchemical company; contractorconnects to remote PLC; BlasterWorm infects chemical plant.Power industrySlammer infects control central LANvia VPN; Slammer causes loss ofcomms to substations; Slammerinfects Ohio nuclear plant SPDS;Iranian hackers attempt to disruptIsrael power system; utility SCADASystem attacked; virus attacks aEuropean Utility; facility cyberattacks on Asian utility; power plantsecurity details leaked on Internet.Beijing 19may20125 / 306 Cyber Security, Fault ToleranceF. Bullo UCSBCyber-PhysicalSecurity040-043 ET issue19.indd43Beijing 19may20126 / 30An Incomplete List of Related ResultsY. Liu, M. K. Reiter, and P. Ning, “False data injection attacks against state estimation in electric power grids,”ACM Conference on Computer and Communications Security, Nov. 2009.Cyber-physical security complements cyber securityA. Teixeira et al. “Cyber security analysis of state estimators in electric power systems,”IEEE Conf. on Decision and Control, Dec. 2010.Cyber security (e.g., secure communication, secure code execution)does not verify “data compatible with physics/dynamics”is ineffective against direct attacks on the physics/dynamicsis never foolproof (e.g., insider attacks, OS zero-day vulnerabilities)S. Amin, X. Litrico, S. S. Sastry, and A. M. Bayen, “Stealthy deception attacks on water SCADA systems,”Hybrid Systems: Computation and Control, 2010.Y. Mo and B. Sinopoli, “Secure control against replay attacks,”Allerton Conf. on Communications, Control and Computing, Sep. 2010G. Dan and H. Sandberg, “Stealth attacks and protection schemes for state estimators in power systems,”IEEE Int. Conf. on Smart Grid Communications, Oct. 2010.Y. Mo and B. Sinopoli, “False data injection attacks in control systems,”First Workshop on Secure Control Systems, Apr. 2010.Cyber-physical security extends fault toleranceS. Sundaram and C. Hadjicostis, “Distributed function calculation via linear iterative strategies in the presence ofmalicious agents,” IEEE Transactions on Automatic Control, vol. 56, no. 7, pp. 1495–1508, 2011.R. Smith, “A decoupled feedback structure for covertly appropriating network control systems,”IFAC World Congress, Aug. 2011.fault detection considers accidental/generic failurescyber-physical security models worst-case attacksCyber-Physical SecurityThese incidenwww.theS. Amin et al, “Safe and secure networked control systems under denial-of-service attacks,”Hybrid Systems: Computation and Control 2009.F. Bullo UCSBfirewalls nement and mare not ‘fit atechnology,But whicyou choose,security neto board levhave it? “I’vplatforms; Code Red Worm defacesautomation Web pages; penetrationtest locks-up gas SCADA System.Water industryMaroochy Shire sewage spill; SaltRiver Project SCADA hack; softwareflaw makes MA water undrinkable;Trojan/Keylogger on Ontario SCADASystem; viruses on Aussie SCADAlaptops; audit/blaster causes waterSCADA crash; penetration ofCalifornia irrigation districtwastewater treatment plant SCADA;SCADA system tagged withmessage: ‘I enter in your server likeyou in Iraq’.Petroleum industryElectronic sabotage of Venezuela oiloperations; CIA Trojan causesSiberian gas explosion; anti-virussoftware prevents boiler safetyshutdown; slammer infected laptopshuts down DCS; electronicsabotage of gas processing plant;Slammer impacts offshoreSecurity of these networks is critically importantC. RemarksIt was confirmed that the system (11) in the New England test system shows global instability. A few commentsthat would have happened fiveyears ago.”F. Hamza, P. Tabuada, and S. Diggavi, “Secure state-estimation for dynamical systems under active adversaries,”Allerton Conf. on Communications, Control and Computing, Sep. 2011.Beijing 19may20127 / 30F. Bullo UCSBCyber-Physical SecurityBeijing 19may20128 / 30