Information Flow Properties for Security in Cyber-Physical Systems. Bruce McMillin, Ph.D., Sr. Member IEEE, Dir Center for Information Assurance Department.


Information Flow Properties for Security in Cyber-Physical Systems
Bruce McMillin, Ph.D., Sr. Member IEEE, Dir Center for Information Assurance, Department of Computer Science, Missouri University of Science and Technology (formerly the University of Missouri-Rolla), Rolla, MO USA
(work done by Ravi Akella, Han Tang, Thoshitha Gamage, and Tom Roth)

Introduction: Cyber-Physical Systems
Modern infrastructures consist of cyber and physical components:
– Smart Houses
– Air Transport
– Vehicle Transport
– Smart Structures
– Oil and Gas Pipelines
– Distributed Energy Resources, …
All have an inherent commonality: physical actions integrated with computation.
Cyber-Physical Systems (CPSs) are integrations of computation with physical processes.
– National Science Foundation (US)
– Artemis (EU)

Where is Missouri S&T? (map slide)

My topics for you today
Smart Grid – Smart Distribution/Green Energy
CPS Flow Security Basics
Smart Grid Security
– Modeling and Analysis
– Mitigation

Cyber-Enabled Smart Distribution
Smart Grid
– Automated Meter Reading (AMR)
– Demand Side Management
Centralized Supervisory Control And Data Acquisition (SCADA): Electric Utility Control
Smart Grid Version 1: Source, Monitor, Mapboard Systems
Scalability, fault management, security and privacy

Cyber-Enabled Smart Distribution Systems and Micro Grids
Move away from Centralized SCADA
– Distributed Control
Advanced Power Electronics
– Finer-grained control over physical entities
– Schedulable entities
Design Issues
– Complex and unpredictable interactions between the cyber and physical processes
– Information flow across the cyber-physical boundaries

Security and Privacy Would you sign up for a discount with your power company in exchange for surrendering control of your thermostat? What if it means that, one day, your auto insurance company will know that you regularly arrive home on weekends at 2:15 a.m., just after the bars close? (MSNBC Red Tape Chronicles 2009)

Future Renewable Electric Energy Delivery and Management (FREEDM) – NSF ERC
An efficient and revolutionary power grid utilizing revolutionary power electronics technology and information technology
Decentralized management integrating distributed and scalable alternative energy sources and storage with existing power systems

Innovation & Industry Transformation (figure): Pre-1980s centralized mainframes → paradigm shift → distributed computing / Internet: shipping 250M pcs/yr; ubiquitous ownership, ubiquitous use, ubiquitous sharing.

Innovation & Industry Transformation (figure): Today's centralized generation (100+ year old technology) → paradigm shift → FREEDM System with Distributed Renewable Energy Resources (DRER): new technologies for distributed renewable energy; new energy companies based on IT and power electronics technologies; ubiquitous sales, ownership, use, sharing.

The FREEDM Concept – Smart Grid I Distribution
Distributed Intelligence
– People share energy resources
– Neighborhood or industrial level
– Where is the centralized controller?

IEM and IFM nodes each run a portion of the DGI to manage their own resources, and coordinate to control the whole as a Distributed Algorithm.
IEM: Intelligent Energy Management
IFM: Intelligent Fault Management
DRER: Distributed Renewable Energy Resource
DESD: Distributed Energy Storage Device


Schedulable Entity ….Advanced Power Electronics…. The Solid State Transformer

Inside an IEM Node Solid State Transformer (SST) –Power Electronics –Schedulable Entity

How to use it?

Distributed Grid Intelligence Within the Context of FREEDM
Each FREEDM IEM node runs a portion of the DGI to manage its own resources
Power Management
– Load Balance DESD, DRER, and LOAD
– Control and react to the SST
– Migrate power through the Gateway that connects an SST to the system shared bus

Distributed Power Balancing
Correctness: keep all IEM nodes "balanced" in terms of supply and demand, and minimize energy cost
Pass messages negotiating load changes until the system has stabilized
Global optimization decomposed into individual processes that cooperate to meet the global correctness.
X_Actual = X_Load − X_DRER
System load state:
– X_Actual < 0: Low (Supply)
– X_Actual > Threshold: High (Demand)
– 0 ≤ X_Actual ≤ Threshold: Normal

DGI Power Balancing Algorithm

(figure: IEM nodes labelled L/N/H for Low/Normal/High state, before and after load balancing; a Low node announces "I CAN SUPPLY" and migrates 1 quantum of power per successful request, serving the more critical need before the lesser need)

Optimality?
G = Σ X_Actual = Σ_i X_Load,i − Σ_j X_DRER,j (n local loads, m local capacities)
Adding Costs
– Cost_Low = 100 · X_DRER + X_DESD
General problem is to serve G while minimizing overall cost
– Knapsack Problem
– Pack a knapsack with m items each with cost, maximizing cost subject to the constraints of supply and load.
– NP Hard

Optimality? Least-Cost Fractional Knapsack Algorithm
– Given ε > 0, C = lowest-cost resource, m sources, K = εC/m
– For each source s_i, define cost′(s_i) = ⌊cost(s_i)/K⌋
– Add up to K entries of each source, in increasing order of cost′, into the set S′ such that Σ_{s ∈ S′} cost′(s) ≤ Σ_i X_Load,i
– Output S′, the least-cost set. Cost(S′) ≤ (1 + ε) · OPT
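The power-balancing state machine and one-quantum migrations of the preceding slides, with suppliers chosen by the slides' Cost_Low, as an added example (not the FREEDM DGI code). The Threshold, the quantum size and the three sample nodes are constructed assumptions; the ε-approximation step is not reproduced.

```python
"""Power-balancing simulation in the style of the DGI slides (added example,
not the FREEDM DGI code). Node names, loads and the Threshold/quantum values
are constructed assumptions; the cost function is the slide's Cost_Low."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

THRESHOLD = 2.0  # upper bound of the Normal band (slide only names "Threshold")
QUANTUM = 1.0    # one quantum of power migrated per successful request


@dataclass
class IEMNode:
    name: str
    load: float            # X_Load
    drer: float            # X_DRER, local renewable generation
    desd: float = 0.0      # X_DESD, local storage available to sell
    migrated: float = 0.0  # net power received (+) or supplied (-) over the gateway

    @property
    def x_actual(self) -> float:
        # X_Actual = X_Load - X_DRER, adjusted by power already migrated in or out
        return self.load - self.drer - self.migrated

    def state(self) -> str:
        x = self.x_actual
        if x < 0:
            return "Low"      # surplus: "I CAN SUPPLY"
        if x > THRESHOLD:
            return "High"     # demand
        return "Normal"

    def supply_cost(self) -> float:
        # Cost_Low = 100 * X_DRER + X_DESD (the slide's supplier cost)
        return 100 * self.drer + self.desd


def balance(nodes: List[IEMNode], max_rounds: int = 1000) -> List[Tuple[str, str, float]]:
    """Exchange one-quantum migrations until no node is in demand or no
    supplier remains. Returns the negotiated migrations (supplier, demand, q)
    in order, i.e. the message trace the nodes would pass around."""
    messages: List[Tuple[str, str, float]] = []
    for _ in range(max_rounds):
        demand = [n for n in nodes if n.state() == "High"]
        supply = [n for n in nodes if n.state() == "Low"]
        if not demand or not supply:
            break   # system has stabilized (or nobody can supply)
        d = max(demand, key=lambda n: n.x_actual)       # most critical need first
        s = min(supply, key=lambda n: n.supply_cost())  # cheapest supplier first
        d.migrated += QUANTUM
        s.migrated -= QUANTUM
        messages.append((s.name, d.name, QUANTUM))
    return messages


def total_imbalance(nodes: List[IEMNode]) -> float:
    """G = sum of X_Actual. Migrations only move power between nodes,
    so G is invariant; it is what the utility grid must absorb or provide."""
    return sum(n.x_actual for n in nodes)


def demo() -> Tuple[List[Tuple[str, str, float]], Dict[str, str], float, float]:
    """Constructed 3-node scenario shaped like the slides' Test 203:
    IEM02 and IEM03 can both supply IEM01."""
    nodes = [
        IEMNode("IEM01", load=5.0, drer=1.0),            # X_Actual = 4  -> High
        IEMNode("IEM02", load=1.0, drer=4.0),            # X_Actual = -3 -> Low, cost 400
        IEMNode("IEM03", load=2.0, drer=3.0, desd=1.0),  # X_Actual = -1 -> Low, cost 301
    ]
    g_before = total_imbalance(nodes)
    msgs = balance(nodes)
    return msgs, {n.name: n.state() for n in nodes}, g_before, total_imbalance(nodes)


if __name__ == "__main__":
    print(demo())
```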

Test 203: 3-node migration
Test 203: two IEM nodes supplying with cost function; IEM02 and IEM03 both migrate power to IEM01

Distributed Grid Intelligence
Distributed Long and Short Term Control
Distributed Systems Management
– Distributed Group Management
– State Maintenance
Simulation Architectures
Power Economics Models and Control
Fault Tolerance of Cyber-Physical system
Security – Confidentiality, Integrity, and Availability of Cyber-Physical system
Resilience – Robust Distributed System
– Formal Correctness
– Usability as an autonomous system

Smart Grid II, Smart Transmission

Transmission Vulnerabilities
Prevent Cascading failures:
– 2003 Blackout Causes
– Physical & Cyber contingencies
– Deliberate disruption: Hackers, Terrorist Activity

A Smart Grid Solution
Flexible AC Transmission Systems (FACTS)
– Power Electronic Controllers (much like an SST, but at a much larger scale (MVA))
– Means to modify the power flow through a particular transmission corridor
– Reduce Congestion in Interconnected Areas
– Operate under distributed control

(figure: transmission network one-line diagram with buses Riversde, Pokagon, HickryCk, NwCarlsl, SouthBnd, TwinBrch, Corey, Olive, Bequine, Breed, FtWayne, Kankakee, JacksnRd, Concord, Sorenson, GoshenJt, NwLibrty, S.Kenton, S.Tiffin, West End, Howard, WLima, Rockhill, EastLima, Sterling, Lincoln, McKinley, Adams, Jay, Randolph, Grant, Mullin, Delaware, DeerCrk, Haviland, MuskngumS; Outage 37-39a, from area 65)

(figure: same transmission network diagram; Outage 37-39b)

(figure: same transmission network diagram; Outage 37-39c)

Add A FACTS Device Under Proper Control Avoids the overload that causes the outage that causes the cascade

(figure: same transmission network diagram with the FACTS device added; Outage 37-39a no longer cascades)

Question: What does this have to do with Security?
– Device Physical Attack
– Natural Faults
– Device Cyber Attack

Information flow Explicit Communication Implicit Communication

Confidentiality
If I can deduce the FACTS device settings, I can deduce the state of the power network
– Device Physical Attack
– Natural Faults
– Device Cyber Attack

Motivation: Why is this a problem?
2003 Midwest Blackout
– Caused by a cascading failure in power lines
– An estimated 50 million people affected by the outage lasting up to 4 days
– $4–10 billion economic loss in U.S.
– 0.7% gross production loss in Canada
2010 Stuxnet Worm Attack
– A rootkit which injects a malicious controller program into PLCs
– Capable of manipulating cyber and physical components for its own purposes
– An estimated 100,000 hosts in over 30,000 organizations from over 155 countries affected

Formal Information Flow Theory Modeling and Analysis

Threats & Vulnerabilities?
Cause a cascading failure
Denial of (information) service
– Localized power outages
Privacy
– My neighbors can now infer what I'm doing
Gaming the system
– Economic Gains
Hacker in the Basement
– What fun!

System Security: Primary Approaches
Access Control
– Restricts access to information and resources
– Cannot restrict information propagation after read
– Access grants need to be given only to processes guaranteed not to leak confidential data [SM03]; cannot identify such processes
Flow-based Security
– Restricts flow of information between partially ordered security clearances
– Prevent unintended high-level (secure/private) domain information disclosures to the low-level (open/public) domain (figure: High-level Domain, Low-level Domain)

Information Flow Models
FREEDM contains Power Electronics Devices that perform physical actions that are observable
Cannot keep these secret – loss of confidentiality/privacy
Some other models
– Non-Interference: high-level events do not interfere with the low-level outputs
– Non-Inference: removing high-level events leaves a valid system trace
– Non-Deducibility: low-level observation is compatible with any of the high-level inputs

Microgrid Observability
Fred and Barney share resources and make a profit
Fred gets greedy
– Stores wind energy and sells on his own
Barney gets suspicious
– Observes Fred's wind and power draw from utility
– If the wind isn't blowing and Fred is selling to the grid, Fred is dishonest
– If the wind is blowing, Barney cannot deduce anything
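The Non-Deducibility definition from the previous slide, checked over explicit traces of the Fred/Barney scenario above, as an added example (not from the slides or from FREEDM). The event names and the trace set are constructed; the only physics assumed is that wind gives Fred something to sell whether or not he is honest.

```python
"""Trace-based check of Non-Deducibility, the slides' third information flow
model (added example, not from the slides or FREEDM). The event names and the
Fred/Barney traces below are constructed for illustration."""
from itertools import product
from typing import Dict, Iterable, List, Set, Tuple

Trace = Dict[str, object]
Projection = Tuple[Tuple[str, object], ...]


def low_projection(trace: Trace, low_events: Iterable[str]) -> Projection:
    """The part of a trace a low-level observer sees: only the low events."""
    return tuple((e, trace[e]) for e in low_events if e in trace)


def nondeducibility_secure(traces: List[Trace], low_events: Iterable[str],
                           high_event: str) -> Tuple[bool, Dict[Projection, Set]]:
    """ND holds when every low-level projection that can occur is compatible
    with every possible value of the high-level input, so seeing it teaches
    the observer nothing. Also returns, per projection, the compatible highs."""
    low_events = tuple(low_events)
    all_high = {t[high_event] for t in traces}
    compatible: Dict[Projection, Set] = {}
    for t in traces:
        compatible.setdefault(low_projection(t, low_events), set()).add(t[high_event])
    return all(hs == all_high for hs in compatible.values()), compatible


def fred_traces(windy_only: bool = False) -> List[Trace]:
    """Constructed microgrid traces. High-level input: whether Fred is honest.
    Low-level events Barney can observe: the wind and whether Fred sells to the
    grid. Physics assumed: with wind Fred always has surplus to sell; without
    wind only a greedy Fred (selling stored energy) has anything to sell."""
    traces: List[Trace] = []
    for wind, honest in product(("blowing", "calm"), (True, False)):
        if windy_only and wind == "calm":
            continue
        sells = (wind == "blowing") or not honest
        traces.append({"fred_honest": honest, "wind": wind, "fred_sells": sells})
    return traces


LOW = ("wind", "fred_sells")
HIGH = "fred_honest"


def barney_can_deduce(windy_only: bool = False) -> bool:
    """True when some observation pins Fred's honesty down (ND violated)."""
    secure, _ = nondeducibility_secure(fred_traces(windy_only), LOW, HIGH)
    return not secure


def compatible_highs(windy_only: bool = False) -> Dict[Projection, Set]:
    """Which values of the high input each low observation is consistent with."""
    return nondeducibility_secure(fred_traces(windy_only), LOW, HIGH)[1]


if __name__ == "__main__":
    for proj, highs in compatible_highs().items():
        print(dict(proj), "-> honest could be", sorted(highs))
    print("Barney can deduce over all days:", barney_can_deduce())
    print("Barney can deduce on windy days only:", barney_can_deduce(windy_only=True))
```

Restricting the observer to windy days (the second call) makes every projection compatible with both an honest and a greedy Fred, which is exactly the "cannot deduce anything" case on the slide.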

(Formal) Information Flow Models

A unified approach to deal with CPSs is necessary that can encompass the cyber and physical events
We propose a process algebraic approach adopted to analyze the information flow in CPSs
Security process algebra provides an abstract description for nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High)
Using process algebra, bisimulation provides a formal method to determine nondeducibility.

Bisimulation-based NonDeducibility on Composition (BNDC)
A system E is BNDC if for every high-level process Π, a low-level user cannot distinguish E from E|Π
E|Π: parallel composition of E and Π, where executions of the two systems are interleaved

Case Study: Gas Distribution Network
Physical limitation: changes in one section of the pipeline are visible to others

Case Study: Gas Distribution Network
LTC B changes flow; aggregated change of the system to re-stabilize

(table of flow values, columns Val(f_b), Val(f_c), Val(f_a); the rows are run together in the transcript:) 000 k0k k/20 0 k 3k/2 k/2 k 0kk kk2k k/2k3k/2

System based on partitions High Level Low Level Communications

Uniform Semantic Representation SPA – Security Process Algebra CoPS – Checker of Persistent Security –BNDC –SBNDC

SPA model as given to CoPS:
bi Action (Action1 | Action2)
bi Action1 (A_Writes | C_Writes)\L
bi Action2 (B_Writes)\L
bi State (State_1 | State_2 | State_3 | State_4 | State_5 | State_6)\L
bi State_1 w_a.'val_1.State_1 + w_b.'val_2.State_1 + w_c.'val_2.State_1
bi A_Writes change_a.'w_a.State
bi B_Writes change_b.'w_b.State
bi C_Writes change_c.'w_c.State
//bi Stable NULL
basi L w_a w_b w_c //values to be protected
basi N val_1 val_2 val_3 //discrete values possible
acth change_a change_b change_c //readings at cyber level val_1 val_2 val_3

Protection of flow between A and B against C

Bisimulation
o Two processes are weakly bisimilar if they are able to mutually simulate their behavior step by step.
o In a weak bisimilarity relation, internal silent actions (τ) between processes are ignored.
(figure: E1 and E2 are bisimilar and both simulate E3; E3 is not bisimilar to E1)

Strong BNDC (SBNDC)
The system before and after execution of a high-level event remains indistinguishable to the low-level domain
(figure: E performs high action h to reach E′ and E′′; the restrictions E′\H and E′′\H are compared)

Simplification of SBNDC: Bisimulation up to H
The problem of verifying weak bisimulation for all high-level transitions of the system can be transformed into finding a bisimulation up to H relation
(figure: E and E\H)

Recap: Process algebra and bisimulation-based security applied to a CPS
The analysis involves the following steps:
– Representation of cyber and physical processes and their interactions as events in the computational framework
– Modeling the CPS using process algebra as a set of logic actions
– Identification of the High-level and Low-level events within the system
– Finally, verification of bisimulation equivalence between the system that performed high-level actions and the system that is restricted from performing high-level actions

Inherent Obfuscation Electrical Network Flow in a controllable circuit Kirchhoff’s Laws

In a series-connected network with only two (2) configurable units, placement of any number of observers preserves Nondeducibility.

A series circuit with n ≥ 2 configurable units is fully deducible, with a minimum of n distinct readings and n − 1 observers.

In a base parallel-connected circuit with two parallel resistors, any combination of two observers is sufficient to fully deduce the circuit.

For a pure parallel circuit with n parallel resistors, a minimum of n "strategically located" observers are required to fully deduce the circuit.

Microgrid Observability
"Dumb" system from an observer is Nondeducibility Secure
Dumb system from an external observer is NOT Nondeducibility Secure (if we can see everything)

Confidentiality with no DGI Power flow in the shared power bus is an invariant function of individual gateway loads of the participating nodes and the draw from or contribution to the utility grid Such a system can be defined as below:

External observer with limited observability, or with a few gateway readings, cannot deduce operation (no DGI)
Low = {DRER}
High = { , Load, X_SST, , , Gateway}
For any high-level process Π, say X_SST.Gateway or X_SST:
(Node_noDGI | Π)\H ≡ {DRER}
Node_noDGI\H ≈_B (Node_noDGI | Π)\H ∀ Π ∈ E.
External observer with total observation of gateways can deduce operation
– Using the invariance relation on the bus

DGI system secure with respect to an observer without DGI
The DGI algorithm can be represented in SPA as: (figure: the IEM with DGI; power shared between 1 and 2 due to the DGI algorithm)

SBNDC for FREEDM
The system before and after execution of a high-level event remains indistinguishable to the low-level domain
(figure: E performs high action h to reach E′ and E′′; the restrictions E′\H and E′′\H are compared)

SBNDC for FREEDM
o Such processes can be modified to satisfy SBNDC by inserting a complementary high-level output, to make an internal action (τ) that is not observable
o Such compensating events hide the physically observable effects

Confidentiality with DGI
Observer with DGI is not non-deducibility secure
– Demand: trace the load table within the DGI – refusals
– Supply: knows about nodes in Demand state

Threats to DGI
Malicious DGI process
– Manipulates load table to ascertain other DGI states
IEM03's observer deduces IEM01 is in a demand state
IEM01's observer can deduce that IEM02 and, later, IEM03 are in a supply state.

Usecase scenario for confidentiality in FREEDM Modeling of the scenarios and formal proofs are performed in a Security Process Algebraic (SPA)/ Model Checking approach Generalizing this theory of information flow analysis for a wide range of cyber-physical systems

Execution Monitoring Mitigation

Confidentiality Violation Confidentiality: Preventing unauthorized access or/and disclosure of protected resources

Confidentiality Violation (figure: a sequence of actions; what low-level users should see vs. what they actually see; the event at which confidentiality is violated)

Solution: What is required
A security mechanism that can:
– Execution Monitoring: monitor execution steps of the target system during runtime and detect security property violations
– Safety Property: able to identify action(s) causing the violation
– Event Compensation: able to calculate corrective actions that can maintain functional integrity
– Emulation and Enforcement: able to execute corrective actions in a timely coordinated manner
Encode and capture system semantics in a security model
– Account for cyber-physical interactions

EM Enforceable Security
Alpern-Schneider Framework: every system property is either a Safety or a Liveness property or the intersection [AS84]
Safety: nothing bad happens during execution
Only safety properties can be EM enforced [Sc00]
Enforced using a security automaton
– Terminate execution upon detecting a violation

But…… Information Flow Security Properties are:
– Not Safety Properties; sets of execution sets [Mc94]
– Decision to terminate cannot be based on a single execution
– Cannot be enforced using Schneider's security automata

What to do when a violation is detected?
Restore the system back to a previous safe state – cannot reverse a physical consequence of a cyber action
Insert new actions to correct the violation while maintaining the functional integrity

Related Concepts
Predict Future Events [NW06]
– Allow next action only if information flow secure
Edit Automata [LBW05]
– Empower the basic automata with truncation, suppression and insertion capabilities
– Able to modify the behavior of the target execution during runtime
Program rewriting [HMS06]
– Employ a multi-tape (3) TM to modify an untrusted program before execution within a finite time – a Program Machine (PM)
Shallow History Automata (SHA) [Fon04] / Bounded History Automata (BHA) [TTD08]
– SHA considers a shallow history of recently granted actions to decide the next transition – information-based characterization
– BHA considers a memory-bounded execution history

Event Compensation
Insert corrective actions at the point where an execution violates a given security property
– This model considers Nondeducibility security
Formalize this concept as information flow safe state transitions
Research Contributions
– EM Security Automata [Sc00] + IFP + Edit Automata [LBW05] + Emulator [NW06] = Compensate Automata
– Maintain functional integrity while preserving IFPs
– Capture cyber-physical interaction as system semantics

Compensating Couple
Two compensating commands appended to an existing information flow safe sequence
– Existing Trace:
– Compensating Couple:
– Extended Trace
Generalization
– Compensating sequence: Compensated State Sequence

Compensating Couple (figure: rearranged action sequence; coordinated high-level actions)
o Both commands issued by high-level domain users
o Obfuscate observable effects in the low-level domain
Stuxnet – rearranges the action sequence so the operator a DGIc – never sees anything

Obfuscation by Compensation (figure: traces, their low-level projections, the compensating couple, and the compensated projection)

Formal Model: Compensation Automata Period of Vulnerability

Time Domain Response

Wrap Up
Security Issues for Cyber and Physical Systems
– Distributed "Smart Grid"
– Confidentiality and Privacy
– Formal Models – non-deducibility, compensation
Consumer Acceptance and Usage
– Social Science
Acknowledgements: This work was supported in part by the Future Renewable Electric Energy Distribution Management Center, a National Science Foundation supported Engineering Research Center, under grant NSF EEC and NSF CSR award CCF, and the Missouri S&T Intelligent Systems Center.

Read more about it
FREEDM (freedm.ncsu.edu)
A. Huang, "Renewable energy system research and education at the NSF FREEDM systems center," in Power & Energy Society General Meeting, PES '09. IEEE, July 2009, pp. 1–6.
Cascading failures and FACTS (filpower.mst.edu)
K. Wang, M. Crow, B. McMillin, and S. Atcitty, "A novel real-time approach to unified power flow controller validation," IEEE Transactions on Power Systems, vol. 25, no. 4, pp. –1901, Nov.
Information Flow and Verification:
R. Akella, H. Tang, and B. McMillin, "Analysis of information flow security in cyber-physical systems," International Journal of Critical Infrastructure Protection, vol. 3-4, pp. 157–173, December.
R. Akella and B. McMillin, "Information flow analysis of energy management in a smart grid," in Proc. of the Int'l Conf. on Computer Safety, Reliability and Security (SAFECOMP'10). Springer-Verlag, Berlin, Heidelberg, September 2010, pp. 263–276.