Cyber-Physical Systems Security Risk Modeling and Mitigation

Download Cyber-Physical Systems Security Risk Modeling and Mitigation

Post on 21-Apr-2015

34 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

<p>Cyber-Physical Systems Security: Risk Modeling and MitigationManimaran GovindarasuDept. of Electrical and Computer EngineeringIowa State University, USAgmani@iastate.eduhttp://powercyber.ece.iastate.eduPresented at Los Alamos National Laboratory, Nov. 2, 2010Electric Power Grid: A Cyber-Physical SystemPage 2Source: http://cnslab.snu.ac.kr/twiki/bin/view/Main/ResearchPage 3Presentation OutlineBackground &amp; potential cyber attacksRisk mdeling frameworkCase 1 - Intrusion-based attacks on substationCase 2 Data integrity attacks on wide area controlSCADA Security Testbed12345Conclusions6Power Grid in the U.S. Regions &amp; BAPage 4Source: NERCPage 5SCADA control network of power system Page 6Statistics of Cyber VulnerabilityTotal vulnerability: 39,490 (Up-to-date)1713453112624171090243741293784 378059908064723601000200030004000500060007000800090001995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007Total VulnerabilitiesCatelogedPage 7Cyber threat to power grid are real CIP Report, General Accounting Office, March 2004There has been a growing recognition that control systems are now vulnerable to cyber attacks from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and other malicious intruders Repository for Industrial Control System (RISI) incident report, March 2010- # industrial cyber incidents has been stable, expected to rise- Power and utilities: 13 reported incidents in the last 5 years (30% increase from previous 5 years; Total: 28 incidents)McAfee report In the Crossfire: Critical Infrastructure in the Age of Cyber War- Shows similar data and increase in cyber incidentsPage 8Cyber Threats to Critical InfrastructuresCyber-Based AttacksProtocol AttacksIntrusionsWorms / Spyware/ MalwareRouting AttacksDenial of Service (DoS)[General Accounting Office, CIP Reports, 2004 to 2010]; [NSA Perfect Citizen, 2010]: Recognizes that critical infrastructures are vulnerable to cyber attacks from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and other malicious intruders.Page 9Types of Cyber-Attacks on Power SystemsCyber-Based AttacksProtocol AttacksIntrusionsWorms / Spyware/ MalwareRouting AttacksDenial of Service (DoS)Attack ClassificationCyber Attacks onCritical InfrastructuresIsolated Attacks Coordinated AttacksIntelligent Coordinated AttacksBrute-force CoordinatedAttacksBrute-force Isolated AttacksIntelligent Isolated AttacksPage 111. Cyber-Physical System Security Modeling Risk Assessment &amp; Risk Mitigation (GAO CIP Report, 2010) Security Investment AnalysisReal-Time MonitoringThreat &amp; Vulnerability AnalysisImpact AnalysisResponseSystem VulnerabilityScenario VulnerabilityAccess Point VulnerabilityHierarchical modelinghigh risklow riskRisk Modeling and Mitigation Framework (1)Page 12Risk Modeling and Mitigation Framework (2)Security LogsSystem Event LogsGather informationCritical AlertsSystem Health MessagesPhysical Aspects Cyber AspectsFile Integrity Logs Heterogeneous CorrelationHomogeneous CorrelationCorrelate security event logs Correlate system event logs Correlate file integrity logs Output Anomaly DetectionCorrelate logs from Substations and Control CenterCorrelate the different type of logs from control centersPrevention RemedialDecision MakingCyber measures tolerance, rerouting, throttlingCyber measures access control, authorization, intrusion toleranceCorrect Voltage ProblemsRelieve the Overloaded Lines, Controlled islandingCause EffectWhat-If Scenarios? Extract potential evidencesFormulate a hypotheses Preventive / Remedial ActionsPreventive / Remedial ActionsPreventive / Remedial ActionsAnomaly DetectionReal-Time MonitoringResponsesImpact AnalysisC. Ten, G. Manimaran, C.C.Liu, Cybersecurity for critical infrastructures: Attack and defense modeling, IEEE Trans. on SMC Part A, July 2010Page 13Risk Modeling Intrusion AttacksC. Ten, C.C.Liu, and G. Manimaran, Vulnerability assessment of cybersecurity for SCADA systems, IEEE Trans. Power Systems, Nov. 2008.14Intrusion ScenariosStep 1: Searching for dial-up or wireless connections of utility through footprinting techniques. Step 2: Once the wireless access point is found, try to login using default password if the connection is secured with passphrase.Step 3: Sniff the network upon successful logon to the intranet through wireless access points. Determine the number of IP address in the intranet.Step 4: Found IP addresses, 10.0.10.1, 10.0.10.2, 10.0.10.3, use scanning programs (e.g., netcat) to check for available ports are alive. Use password cracking program to hack the system.Step 5: Another way to get into the intranet is through dial-up network. For instance, war-dialing programs by knowing the prefix of utility phone number. Password-guessing programs are used if the access point is password protected.Step 6: A new IP address is found. Scan the ports are alive and found it is used for GPS communication.Step 7: Found the Substation SCADA system. Use password guessing program to logon if it is password protected.Step 8: Using NMap to discover the firewall information; this reveals configurations of the firewalls. By doing so, a remote IP address is found to possibly log on to other intranet using windows terminal user interfaceStep 9: Upon successful logon to other intranet, sniff the local traffic and determine footprinting. IP addresses are also determined. These IP addresses are scanned to determine the ports are alive / listening.Step 10: Found VPN connections through machines (10.0.5.150, 10.0.5.82, and 10.0.5.83). Attempt to logon using password guessing programs if these are password protected.Step 11: Upon successful logon to control center intranet, sniff the network and gather IP addresses. Determine the ports are alive and attempt to logon using password guessing program if these are password protected.The Processes of Hacking: Footprint, Scan, Enumerate, and ExploitPage 15The Intrusion ProcessFootprinting Identification of organizations security posture locations of the substations, control centers, or generating units IP addresses and email address of the utility companyScanning Exhaustively identify the possibile access points Access points: Wireless connection, LAN, VLAN, VPN, and Tools: War dialing or Traffic snifferEnumerating Listing all active ports available on a target IP address Password guessing: Dictionary, brute-force, or social engineeringExploit! This is where an attacker got lucky! Steps to penetrate into a network involve:But we do not want them to be luckyPage 16Risk Analysis FrameworkKey stepsInput Data (Power Flow Model and Computer Network Model)Construct the network topology by identifying the access points to the network and control centerGroup the number of buses for each substation2. Power Flow Simulation: Determine the loss of load from power flow by disconnecting the controllable switching devices Select a substationDoes the selected substation have control capabilities?End of the substation list?1. Cyber-Net Model: Generate the CSPL to fit the data into SPNP Identify the number of switching devices for each substation that can be opened through the substation automation systemCompute scenario vulnerability indexNext substation in the listDetermine the system vulnerability based on the scenario vulnerability indicesRequires improvement?Improve the system vulnerability by lowering password thresholdENDSTARTNoYesYesNoYesNo1. Construct a cyber-net model - model the access points &amp; associated vulnerabilities2. Construct a GSPN: Stochastic Petri Net- compute steady state probabilities3. Perform impact analysis for the most likely scenarios- using Power Flow Simulation4. Calculate Risk = Vulnerability x ImpactPage 17Risk Modeling of Intrusions The hierarchical relationship among system, scenario, and access point vulnerabilitySystem VulnerabilityScenario VulnerabilityAccess Point Vulnerability( ) ) ( max I V VS=( ) ( ) ( ) { }Ki V i V i V I V , , , ) (2 1 =( ) =S jj ji V jjProbability of intrusion thro access point jImpact due to compromise of substation jPage 18Cyber model: 1 Firewall - 2 Machines (substation)Page 19Firewall Model model: n paths correspond to n rulesfpj ifpj ifpj iNfp,,,=frifrifriNfp =denot es t he frequency of mal i ci ous packet s t hrough t he fi rewal l rul e t ot al record of fi rewal l rul e j . probabi l i t y of mal i ci ous packet s t ravel i ng t hrough a fi rewal l rul e t he number of rej ect ed packet s denot es t he t ot al number of packet s i n t he fi rewal l l ogs probabi l i t y of t he packet s bei ng rej ect ed...DenyRule 1Rule 2Rule nMalicious packets passed through Firewall A (terminal 2)Intrusion Attempts (terminal 1)frip fpip1 ,fpip2 ,fpn ip,finifi fiPage 20Password Model The intrusion attempt to a machine is modeled by a transition probability associated with a solid bar. An empty bar represents the processing execution rate that responds to each attack event An account lockout feature, with a limited number of attempts, can be simulated by initiating the N tokens (password policy threshold). Attempt logging on to the targeted system, pipw Targeted system attempted (terminal 2)Targeted system responds to attacker,Intrusion attempt starts (terminal 1)pwi pwipwipwiNfp =t he i nt rusi on at t empt probabi l i t y of a comput er syst em, it ot al number of observed records number of i nt rusi on at t empt s Page 21Impact (factor) on power gridDefinition of Impact Factor Impact factor for the attack upon the power system is:LOL: the loss of load for a disconnected substationTo determine the value of L: Start with the value of L=1 at the substation Gradually increases the loading level of the entire system without the substation that has been removed Stop when power flow diverges1 ||.|</p> <p>\|= LTotalLOLPPPage 22Case Study Setup (IEEE 30 Bus System)Process Control Network 1Substation Network 1 Distribution Network 1 Model 3 Control Center NetworkIntrusion AttemptsSubstation Network 1 Distribution Network 1 Model 2 Control Center NetworkIntrusion AttemptsSubstation Network 1 Model 1Control Center NetworkIntrusion AttemptsControl Center NetworkSub. 1 (model 3)Sub. 2 (model 3)Sub. 3 (model 3)Sub. 4 (model 2)Sub. 5 (model 2)Sub. 6 (model 3)Sub. 7 (model 2)Sub. 8 (model 2)Sub. 14 (model 2)Sub. 15 (model 2)Sub. 16 (model 1)Sub. 17 (model 2)Sub. 18 (model 2)Sub. 19 (model 1)Sub. 20 (model 2)Sub. 21 (model 2)Sub. 22 (model 1)Sub. 23 (model 3)Sub. 24 (model 2)Sub. 25 (model 2)Sub. 26 (model 1)Sub. 27 (model 2)Sub. 29 (model 3)Sub. 30 (model 2)Communication between Control Center and Substation Networks 24 Substations associated to 30 buses Model 3: 3 possible access points to the networks Model 1 and 2: Without substation network Each consists of Firewall and Password submodels. Two cases for vulnerability evaluations are considered An attack from outside the substation-level networks An attack from within the substation networksIntrusion Attempts DenyRule1Rule2Rulenfrp2fpp1 , 2fpp2 , 2fpnp, 2nr2f2...DenyRule1Rule2Rulenfrp3fpp1 , 3fpp2 , 3fpnp, 3nr3f3...f2f2f3f3DenyRule1Rule2Rulenfrp5fpp1 , 5fpp2 , 5fpnp, 5nr1f5...DenyRule1Rule2Rulenfrp6fpp1 , 6fpp2 , 6fpnp, 6nr1f6...f6f6f5f5DenyRule1Rule2Rulenfrp1fpp1 , 1fpp2 , 1fpnp, 1f1nr1pw1f1 f1pwn......Machine MachineProcess Control NetworkDenyRule1Rule2Rulenfrp8 fpp1 , 8fpp2 , 8fpnp, 8f8nr8pw1 pwn......f8 f8Machine MachineSubstation NetworkDenyRule1Rule2Rulenfrp4fpp1 , 4fpp2 , 4fpnp, 4f4nr4pw1 pwn......f4 f4Machine MachineDistribution NetworkDenyRule1Rule2Rulenfrp7fpp1 , 7fpp2 , 7fpnp, 7nr7Machinepw1f7 pwn...... f7f7MachineControl Center NetworkFirewall 1Firewall 2Firewall 3Firewall 8Firewall 6Firewall 5Firewall 4Firewall 7ABCDEPage 23Vulnerability Evaluation - Outside Network00.20.40.60.811.21 2 3 4 5 6 7 8 14 15 16 17 18 19 20 21 22 23 24 25 26 27 29 30No password threshold Password threshold=3Substation V(i)Page 2400.20.40.60.811.21.41.61 2 3 4 5 6 7 8 14 15 16 17 18 19 20 21 22 23 24 25 26 27 29 30No password threshold Password threshold=3Vulnerability Evaluation - Within NetworkSubstation V(i)Coordinated AttacksPage 25 ExampleTripping lines marked by to ensure the load connected to bus 3 is deprived of or receives limited power supply. This result would be difficult to achieve with an isolated attack. The attack would require a good understanding of the system and operation, i.e., the control center for different components in the system.Target LoadPage 26Data Integrity Attacks and Impacts onWide Area ControlS. Siddharth and G. Manimaran, Data integrity attacks and their impacts on SCADA control system IEEE PES General Meeting, 2010.The SCADA Network: Control system viewControl System SchematicControl Center SchematicPage 27Control System Attack ModelingCyber SystemPhysical SystemControl SignalSensing SignalIntegrity AttackDoS AttackY. Huang, A. A. Cardenas, S. Sastry, Understanding the Physical and Economic Consequences of Attacks on Control Systems, Elsevier, International Journal of Critical Infrastructure Protection 2009.Signal((</p> <p>) ( ), ( max mint t y y i i| | ) ( ), (^ ^max mint tz z i i A = s t,e t| |Duration of the attackPage 28Man-in-the-middle attacksData integrity attacksDenial of service attacksTiming attacks Balancing Authorities in the U.S.Page 29Source: NERCAutomatic Generation Control (AGC)Area 1PowerSystemArea 2PowerSystemArea 1 Control CenterArea 2 Control CenterTie-Line FlowFrequency and Tie-Line Flow MeasurementsFrequency and Tie-Line Flow MeasurementsControl ActionControl ActionPage 30The AGC Algorithm Inputs to AGC algorithm: Frequency deviation f , Net tie-line flow Pi Page 31ACG: The Area Control Error The Area Control Error (ACE) represents the shift in generation requiredto restore frequency and net interchange Is a measure of the error in total generation from total desiredgeneration Calculation of ACEACEi= Pi+ if (1)i = Pi= 1i R+ i D+ Li Di AP i SP( ) (2)(3)Page 32AGC Operation (cont.) In general, a load increase of PLin area 1 of an n area system will result in a frequency deviation off = and a change in tie-line flow of where - Riis the regulation constant - D = % change in load divided by % change in frequency L PD+11 R+12 R+.... +1N R 1 net intP= L P( )11 R+12 R+... +1N R+ D| \ | . | D+11 R+12 R+... +1N R(4)(5)Page 33AGC OperationIn a 2-area system, the following guidelines apply to AGC operationLoad Variation Tie-Line Flow System FrequencyRequired Control ActionLoad increase in Area 2Increase in power flow to Area 2Decrease Increase generation in Area 2Load increase in Area 1Decrease in power flow to Area 2Decrease Increase generation in Area 1Load decrease in Area 1Increase in power flow to Area 2Increase Decrease generation in Area 1Load decrease in Area 2Decrease in power flow to Area 2Increase Decrease generation in Area 2Page 34Simulation Studies - System Parameters 2-Area system with 3 generating units e...</p>

Recommended

View more >