Attacks and Counter Defense Mechanisms for Cyber-Physical Systems
Taha Hassan, Lulu Wang
CS 5214, Fall 2015
Overview
● Survivability of cyber-physical systems
● Failure types (attrition, pervasion, exfiltration)
● Case study: reliability in the electrical grid
● Optimal design conditions and tradeoffs
Survivability: System Model
● 'Smart' grid conceptual model
● Centralized management (CM) nodes
● Sensors
● Distributed control nodes
● Actuators
● Communication links
Survivability: Failure Types
● Attrition failure (direct mission impact)
● Pervasion failure (direct means to damage)
● Exfiltration failure (covert leakage of grid data used to instrument an attack)
Survivability: Attacker Behavior
● Surveilling attacker
  ● Long-term operations (trade-secrets analogy)
  ● Targets: CM nodes, sensors, communication links
  ● Needs discretion
● Destructive attacker
  ● Short-term disruption
  ● Targets: actuators, CM nodes, control nodes
  ● Discretion not a concern
Survivability: Countermeasures
● Intrusion detection
  ● False negative and false positive probabilities P_fn,x and P_fp,x
  ● Optimal detection interval T_IDS,x
● Data leak rate control
  ● T_TX, T_sensing
● Redundancy
  ● Redundancy factor α_x
  ● INIT_x = MIN_x × α_x
Performance Model
● System behavior is described with a stochastic Petri net (SPN) model
● Three device types are represented by nodes: S, C, A (sensors, control nodes and actuators)
Performance Model
● PATTRIT = 1: system failure; too many C and A nodes have been evicted or compromised
● PLEAK = 1: system failure; compromised S and C nodes have exfiltrated too much data
● PPERVADE = 1: system failure; a high ratio of the C and A nodes have been compromised
Performance Model (SPN diagram slide; the figure is not reproduced in the text)
Performance Model: The first event
● System initiation: INITx nodes for each x ∈ {S, C, A} (sensors, control nodes and actuators, respectively)
● All nodes start uncompromised: place PGOODx holds the tokens, one token representing one node
Performance Model: The second event
● Transitions TCPx model this event: the attacker compromises an uncompromised node
● TCPx: the attacker compromises a device; the time this takes is an exponentially distributed random variable
● Node: goes from good to malicious
● Place: the node's token moves from PGOODx to PBADx
Performance Model: The second event
● System 9-state representation: (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
● If in state (0, ns, nc, na, 0, 0, 0, 0, 0) an uncompromised sensor node is compromised, a token flows from PGOODS to PBADS, and the resulting state is (0, ns − 1, nc, na, 1, 0, 0, 0, 0).
Performance Model: The third event
● Transitions TFPx model this event: uncompromised nodes may be incorrectly evicted
● TFPx: the intrusion detection system (IDS) falsely flags a good node
● Node: an uncompromised node is removed from the system
● Place: a token is removed from PGOODx
Performance Model: The third event
● System 9-state representation: (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
● If in state (0, ns, nc, na, 0, 0, 0, 0, 0) the IDS misdetects and evicts an uncompromised actuator, a token flows out of PGOODA, and the resulting state is (0, ns, nc, na − 1, 0, 0, 0, 0, 0).
Performance Model: The fourth event
● Transitions TIDx model this event: compromised nodes are correctly evicted
● TIDx: the IDS correctly detects a compromised node as compromised
● Node: the number of unevicted compromised nodes decreases by one
● Place: one token is removed from PBADx
Performance Model: The fourth event
● System 9-state representation: (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
● If in state (0, ns, nc − 1, na, 0, 1, 0, 0, 0) the IDS detects and evicts a compromised control node, a token flows out of PBADC, and the resulting state is (0, ns, nc − 1, na, 0, 0, 0, 0, 0).
Performance Model: The fifth event
● TATTRITx models the system attrition failure event
● TATTRITx: fired by the enabling function EATTRITx when the uncompromised control node count falls below the minimum count
● Node: one token is set in place PATTRIT
● Place: PATTRIT
● TATTRITx is enabled when the attrition failure condition holds, i.e. the enabling function returns true
Performance Model: The fifth event
● Table V (of the paper; not reproduced on the slides) lists the enabling functions governing the firing of TATTRITx.
Performance Model: The fifth event
● System 9-state representation: (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
● TCPx: a token moves from PGOODx to PBADx
● TFPx: a token is removed from PGOODx
Performance Model: The sixth event
● TPERVADEx models the system pervasion failure event
● TPERVADEx: fired by the enabling function EPERVADEx; a Byzantine failure condition is applied to the nodes
● Node: the condition is checked when nodes transit from PGOODx to PBADx and when nodes are evicted from PGOODx
● Place: PPERVADE is set to 1
● Byzantine failure: when at least 1/3 of the control nodes or actuators are compromised (in PBADx), the system suffers a Byzantine failure
Performance Model: The sixth event
● The enabling functions of TPERVADEx with x ∈ {C, A} are defined in Table V, which governs the firing of TPERVADEx.
Performance Model: The sixth event
● System 9-state representation: (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
● TCPx: a token moves from PGOODx to PBADx
● PPERVADE: set to 1
Performance Model: The seventh event
● TLEAKx models the system exfiltration failure event
● TLEAKx: the attacker has covertly collected enough data about the victim sensor or control nodes
● Node: bad nodes (nodes in PBADx) transmit data out of the system, and the attacker steals this intelligence
● Place: PLEAK is set to 1
● Countermeasure: data leak rate controls
Performance Model: The seventh event
● System 9-state representation: (PATTRIT, PGOODS, PGOODC, PGOODA, PBADS, PBADC, PBADA, PLEAK, PPERVADE)
● PLEAK: set to 1
Performance Analysis
● Model parameterization
● Results
Model Parameterization (the parameter tables shown on the slides are not reproduced in the text)
● The parameters are divided into input parameters and design parameters
● A design parameter is one that the system manager can choose
● An input parameter is one that the operating environment dictates
● λT denotes the transition rate of transition T
Model Parameterization: Physical explanations
● TCPx: the attacker compromises a device
● |PGOODx|: the number of uncompromised nodes of device type x
● λx: the per-node compromise rate for device type x
● The more uncompromised devices, the more compromise opportunities
Model Parameterization: Physical explanations
● TIDx: the IDS (intrusion detection system) detects a compromised device
● Transition rate of TIDx: the rate at which bad nodes are correctly detected and removed from the place
● |PBADx|: the number of compromised nodes
● P_fn,x: the false negative probability
● T_IDS,x: the IDS detection interval
● In every T_IDS,x interval, 1 − P_fn,x is the probability that a bad node is correctly identified as bad
Model Parameterization: Physical explanations
● TLEAKS: the attacker covertly collects a substantial amount of victim sensor data
● λTLEAKS: the rate at which the TLEAKS transition fires; its expression has three terms:
  ● the first term accounts for a compromised sensor node rotating in to report sensing data
  ● the second term is the rate at which sensing reporting occurs
  ● the third term is the maximum number of leaks the system can tolerate before an exfiltration failure occurs
● MAXLEAKS: an input parameter, the maximum number of leaks the system can tolerate
Model Parameterization: Physical explanations
● TLEAKC: the attacker covertly collects a substantial amount of victim control node data
● T_TX: the allowable data transmission rate per node
● MAXLEAKC: an input parameter, the maximum amount of leaked data beyond which an exfiltration failure occurs
Model Parameterization: Physical explanations
● TFPx: the IDS falsely flags a device
● Transition rate of TFPx: the rate at which good nodes suffer false positives
● |PGOODx|: the number of uncompromised nodes
● P_fp,x: the false positive probability that a good node of type x is misidentified as a bad node
● T_IDS,x: the IDS detection interval
Results: Effects of detection interval T_IDS,x
● P_fn < P_fp: mislabeling healthy nodes is the more probable error, so a smaller T_IDS,x leads to faster, monotonic failure
● Exfiltration and pervasion failures depend on the 'bad node ratio', hence there is an optimal MTTF at an optimal node ratio
Results: Effects of false positive/negative probabilities
● P_fp: mislabeling healthy nodes becomes more probable, so a smaller T_IDS,x leads to faster, monotonic failure
● Similar trends for P_fn, though MTTF is less sensitive to it
Results: Effects of redundancy factor (α_C)
● Attrition and pervasion: redundancy improves MTTF (the bad node ratio decreases with redundancy)
● Exfiltration: redundancy limits MTTF (note that the transition rate of TLEAKC scales with the number of bad nodes, while that of TLEAKS scales with the bad node ratio)
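The seven events, the parameterization slides and the T_IDS,x sweep in the results can be exercised together with a small Monte Carlo simulation of the SPN. The code below is an added example written for these notes; it is not from the slides or from the paper they summarize. The enabling conditions (attrition when uncompromised control nodes drop below MIN_C, pervasion when at least 1/3 of the currently present C or A nodes are bad, exfiltration when TLEAKS or TLEAKC fires) follow the slides' verbal descriptions, and the rate formulas are assumptions built from the physical explanations above: TCPx = |PGOODx|·λx, TIDx = |PBADx|·(1 − P_fn,x)/T_IDS,x, TFPx = |PGOODx|·P_fp,x/T_IDS,x, TLEAKS = bad sensor ratio × (1/T_sensing) / MAXLEAKS and TLEAKC = |PBADC| × (1/T_TX) / MAXLEAKC. All parameter values are constructed, not taken from the paper's tables.

```python
"""Monte Carlo simulation of the survivability SPN sketched on the slides.
Added example: enabling conditions and rate formulas are ASSUMED from the
slides' verbal descriptions, not copied from the paper's Table V."""
import math
import random
from dataclasses import dataclass

TYPES = ("S", "C", "A")  # sensors, control nodes, actuators


@dataclass
class Params:
    init: dict         # INIT_x = MIN_x * alpha_x (redundancy factor)
    min_c: int         # minimum uncompromised control nodes (attrition)
    lam: dict          # per-node compromise rate lambda_x (input parameter)
    p_fn: dict         # IDS false-negative probability P_fn,x
    p_fp: dict         # IDS false-positive probability P_fp,x
    t_ids: dict        # IDS detection interval T_IDS,x (design parameter)
    t_sensing: float   # sensing-report interval (sensor leak channel)
    t_tx: float        # allowable per-node transmission interval
    max_leak_s: float  # MAXLEAKS: leaks tolerated before exfiltration failure
    max_leak_c: float  # MAXLEAKC


@dataclass
class State:
    good: dict          # tokens in PGOODx
    bad: dict           # tokens in PBADx
    leak: bool = False  # token in PLEAK


def failure_mode(st, p):
    """Assumed enabling functions of TATTRIT, TPERVADE and the PLEAK place."""
    if st.leak:
        return "exfiltration"
    if st.good["C"] < p.min_c:
        return "attrition"
    for x in ("C", "A"):                        # Byzantine 1/3 threshold over
        total = st.good[x] + st.bad[x]          # nodes still in the system
        if total and st.bad[x] >= total / 3:
            return "pervasion"
    return None


def transition_rates(st, p):
    """Assumed rate formulas built from the slides' physical explanations."""
    r = {}
    for x in TYPES:
        r["TCP" + x] = st.good[x] * p.lam[x]                  # more good nodes, more targets
        r["TID" + x] = st.bad[x] * (1 - p.p_fn[x]) / p.t_ids[x]  # correct evictions
        r["TFP" + x] = st.good[x] * p.p_fp[x] / p.t_ids[x]    # false-positive evictions
    total_s = st.good["S"] + st.bad["S"]
    ratio_s = st.bad["S"] / total_s if total_s else 0.0      # bad sensor ratio
    r["TLEAKS"] = ratio_s / p.t_sensing / p.max_leak_s
    r["TLEAKC"] = st.bad["C"] / p.t_tx / p.max_leak_c        # scales with bad count
    return r


def fire(st, name):
    """Move tokens for the fired transition (TCPx, TIDx, TFPx, TLEAKS/TLEAKC)."""
    if name.startswith("TLEAK"):
        st.leak = True                  # token placed in PLEAK
        return
    kind, x = name[:3], name[3]
    if kind == "TCP":                   # PGOODx -> PBADx
        st.good[x] -= 1
        st.bad[x] += 1
    elif kind == "TID":                 # token removed from PBADx
        st.bad[x] -= 1
    elif kind == "TFP":                 # token removed from PGOODx
        st.good[x] -= 1


def simulate_once(p, rng, horizon=1e7):
    """Gillespie-style run; returns (time to failure, failure mode)."""
    st = State(good={x: p.init[x] for x in TYPES}, bad={x: 0 for x in TYPES})
    t = 0.0
    while t < horizon:
        mode = failure_mode(st, p)
        if mode:
            return t, mode
        rates = transition_rates(st, p)
        total = sum(rates.values())
        if total == 0:
            return math.inf, None        # absorbing non-failure state
        t += rng.expovariate(total)      # exponential holding time
        u = rng.random() * total
        chosen = None
        for name, rate in rates.items():
            u -= rate
            if u < 0:
                chosen = name
                break
        fire(st, chosen or name)
    return math.inf, None


def estimate_mttf(p, runs=500, seed=1):
    """Mean time to failure over `runs` samples plus a count per failure mode."""
    rng = random.Random(seed)
    times, modes = [], {}
    for _ in range(runs):
        t, m = simulate_once(p, rng)
        if m:
            times.append(t)
            modes[m] = modes.get(m, 0) + 1
    return (sum(times) / len(times) if times else math.inf), modes


if __name__ == "__main__":
    # Constructed parameter set (hours); sweep the design parameter T_IDS,x.
    base = dict(init={"S": 10, "C": 6, "A": 6}, min_c=3,
                lam={x: 0.01 for x in TYPES}, p_fn={x: 0.05 for x in TYPES},
                p_fp={x: 0.01 for x in TYPES}, t_sensing=1.0, t_tx=1.0,
                max_leak_s=100, max_leak_c=100)
    for t_ids in (0.5, 2, 8, 32):
        mttf, modes = estimate_mttf(Params(t_ids={x: t_ids for x in TYPES}, **base), runs=200)
        print(f"T_IDS={t_ids:>5}: MTTF={mttf:8.1f}  modes={modes}")
```

Running the sweep reproduces the qualitative point of the results slides: a very short detection interval evicts healthy nodes quickly (attrition dominates), a very long one lets compromised nodes accumulate (pervasion and exfiltration dominate), and MTTF peaks in between. Changing `init` through a larger redundancy factor raises the attrition and pervasion MTTF while the TLEAKC channel, which scales with the bad-node count rather than the ratio, does not benefit.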
Questions.