Cyber-Physical Modeling and Security Assessment - acsac

Cyber-Physical Modeling and Security Assessment Rakesh B. Bobba

2nd Industrial Control System Security Workshop December 6th, 2016

RAKESH BOBBA UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN Funded by: DOE, DHS, and ARPA-E

Project Team

Kate Davis, Robin Berthier, David Nicol, Edmond Rogers, Bill Sanders, Pete Sauer, Gabe Weaver, Mouna Bamba, Olivier Soubigou, Rakesh Bobba, Panini Patapanchala, Vishnu Priya Rayala, Saman Zonouz, Luis Garcia, Matt Davis

POWER GRID AS CYBER-PHYSICAL INFRASTRUCTURE

12/15/16

Electric Power System Overview

•  Generation
•  Transmission: 69 kV – 500 kV
•  Distribution: 12 kV – 34 kV
•  Consumption: 120 V, 240 V


Courtesy: David E. Whitehead, Schweitzer Engineering Laboratories, Inc

Cyber Infrastructure: Monitoring and Control

•  Supervisory Control and Data Acquisition (SCADA)
   •  Get sensor measurements
   •  Send control commands
•  Energy Management System (EMS)
   •  "brains" of the control center
   •  State Estimation, Optimal Power Flow, Contingency Analysis, etc.


Typical SCADA/EMS Architecture

Risk of Cyber Attacks!!

Source: EU Viking Project


Contingency (figure) Source: EU Viking Project

•  Cyber attacks can impact the physical system!
•  Threat is real!
   •  Stuxnet, DuQu, Flame, The Mask, BlackEnergy

Dealing with the Threat

•  Prevention/Protection
   •  Securing the system
   •  No such thing as 100% secure!
   •  Large system with legacy equipment
•  Detection
   •  Monitor the system for intrusions
•  Impact Mitigation/Recover/Respond
   •  Resiliency


CYBER-PHYSICAL MODELING AND SECURITY ASSESSMENT


Challenges

•  How to ensure operational reliability given our increasing dependence on cyber systems?
•  How to understand the impact of cyber vulnerabilities on grid operations?
•  How to prioritize cyber security efforts in control networks and substations?

Traditional Approach: Contingency Analysis

•  Answers the question: "What happens when component C goes out of service?"
   •  Example: Will it lead to line limit violations?
   •  Traditionally C is: line, generator, transformer, etc.
•  Contingency analysis is a fundamental tool for reliable power system operation


Traditional Contingency Analysis (flow)

•  Manually define contingencies
•  Automatically insert contingencies
•  Simulate impact through a power flow simulator
•  Rank contingencies by severity and prioritize mitigation response

Traditional Contingency Analysis (CA)

•  Meant to be prepared for one outage ("N - 1" criterion)
   •  no violations when any one component (line, generator or major transformer) fails
   •  "N - 1" criterion is a reliability regulation
•  Is preparedness for one outage enough?
   •  probability of multiple independent accidental failures is (was?) considered small enough to ignore the risk
•  Cyber-assets are not considered. Why?
   •  redundant provisioning
   •  probability of multiple independent accidental failures is considered small enough to ignore the risk


SO WHAT IS THE PROBLEM WITH THIS APPROACH?


Cyber Attack Induced Contingencies!

Contingency (figure) Source: EU Viking Project

Limitations of Traditional CA

•  With threat of cyber-attacks
   •  multiple failures no longer unlikely
   •  redundant provisioning alone not sufficient
•  Prevention/protection mechanisms are not foolproof
•  Power system needs to be resilient even in the face of cyber-attacks
   •  Need to deal with multiple outages ("N – x" or "N-1-1")
   •  Need to deal with failures of "cyber assets"


Challenges with Multiple Outages

•  Size of the contingency list can grow very large*
   •  For a 1000 line system
      •  N-1 means solving 1000 line outages
      •  N-2 means solving 499500 line outages (1000 choose 2)!
   •  WECC N-2 for transmission lines: ~135M contingencies, ~15 days with a supercomputer!
•  More important: operating at an "N – x" reliability criterion can be expensive
   •  limits flow capacity

*Charles Davis, Thomas Overbye: Linear Analysis of Multiple Outage Interaction. HICSS 2009: 1-8


In Summary (flow)

•  Manually define contingencies
•  Automatically insert contingencies
   •  Cyber-induced contingencies?
•  Simulate impact through a power flow simulator
   •  Dependencies among cyber and physical assets?
•  Rank contingencies by severity and prioritize mitigation response

Cyber-Physical Security Assessment (CyPSA)

•  Key Idea:
   •  Limit the number of "multiple outages" to consider by leveraging "cyber state"
   •  only consider "high-risk" cyber-attack induced multiple outages
•  Significantly reduces list of multiple contingencies to plan for
   •  Example: 1000 line system
   •  5 high-risk lines; "N – 2" criterion => ~6K contingencies vs. 0.5M

Zonouz, S.; Davis, C.M.; Davis, K.R.; Berthier, R.; Bobba, R.B.; Sanders, W.H., "SOCCA: A Security-Oriented Cyber-Physical Contingency Analysis in Power Infrastructures," IEEE Transactions on Smart Grid, 2014

What is "high-risk"?

•  "exposure/vulnerability"
   •  physical connectivity
   •  access control (e.g., firewall rules)
   •  vulnerabilities
   •  intrusion detection alerts (if available)
•  "impact"
   •  power system state
   •  Example: performance index, load loss, etc.

tcipg.org


CYBER-PHYSICAL SECURITY ASSESSMENT: TOOLKIT

CyPSA: Cyber-Physical Security Assessment

•  Combining cyber and power topologies to create a realistic model of the infrastructure
•  Developing algorithms to compute potential attack paths and to assess risks accurately
•  Focus: line outages/contingencies
   •  Keep the problem manageable

CyPSA Basic Pipeline -- Take 1 (figure)

Inputs (Cyber-Physical Topology):
•  Vulnerability Information
•  Cyber Topology
•  Cyber-Physical Interconnection
•  Power Topology

CyPSA Toolset:
•  NP-View: compute connectivity
•  SOCCA: generate attack paths; combine cyber attack paths with power contingencies; rank assets by criticality
•  PowerWorld: analyze contingencies

Output: Results

Security Oriented Cyber-Physical Contingency Analysis (SOCCA)

•  Focuses on cyber-attack induced outages
•  Can account for multiple outages
•  Key Idea: prioritize "important" multiple outages given the current system state (both cyber and power)
   •  "important" – based on "impact" and "likelihood"
   •  significantly reduces list of multiple contingencies

Zonouz, S.; Davis, C.M.; Davis, K. R.; Berthier, R.; Bobba, R.B.; Sanders, W.H., "SOCCA: A Security-Oriented Cyber-Physical Contingency Analysis in Power Infrastructures," IEEE Transactions on Smart Grid, 2014


Cyber-Topology: Control Center (figure)

Cyber-Physical Interconnection: Substation (figure)

Interconnections shown between the Power Topology (node-breaker model), the Cyber Topology (control network, via NP-View**) and CPTL*; colors are relays.

* https://github.com/ITI/cptl-power/wiki
** www.network-perception.com

SOCCA Take 1: Process Overview

•  Generate a Markov Decision Process (MDP) model
   •  Captures vulnerability of control network to attacks
      •  using transition probabilities
   •  Captures physical impact (i.e. line outages) of attack
      •  in reward function
   •  Depends on control network topology, access control policies, cyber-physical interconnections
      •  states dependent on connectivity


MDP Model Generation


SOCCA: Process Overview

•  Computes a security index for each state in the MDP model
   •  Index based on ease of traversing to a contingency state and the impact of that contingency
•  Rank contingencies based on the index


Computing Security Index 1/2: Performance Index

f_s(l) is the flow on line l in state s; f_max(l) is the maximum allowed flow on line l.


Computing Security Index 2/2: Security Index

a is an adversarial action possible in state s; P(s'|s,a) is the probability of reaching state s' from s through action a; ΔF(s, s') is the gain in performance index from s to s'; γ is the discount factor.


Ranking Contingencies: Adversarial Benefit

a is an adversarial action possible in state s; P(s'|s,a) is the probability of reaching state s' from s through action a; ΔF(s, s') is the gain in performance index from s to s'; I(s') is the security index of state s'; γ is the discount factor.
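The security index computation these slides describe, as an added example (not code from the slides or from the CyPSA/SOCCA project). Because the slides' equations did not survive extraction, it assumes a quadratic line-loading form for F(s) and a Bellman-style form I(s) = max over a of the sum over s' of P(s'|s,a)·[ΔF(s,s') + γ·I(s')] built from the terms defined above; the lines, states and transition probabilities are constructed.

```python
# Added example (not code from the slides or the CyPSA project): computing F(s) and I(s)
# over a small constructed cyber-physical MDP. Assumed forms, since the slides' equations
# did not survive extraction:
#   F(s) = sum_l (f_s(l) / fmax(l))^2                              (quadratic loading penalty)
#   I(s) = max_a sum_s' P(s'|s,a) * [ dF(s,s') + gamma * I(s') ]   (Bellman-style form)
FMAX = {"L1": 100.0, "L2": 100.0, "L3": 100.0}      # constructed line ratings (MW)

# Constructed states: flows (MW) once the attacker holds that asset.
# cc = control-center foothold, h1 = jump host, r1/r2 = relay compromised (line opened)
FLOWS = {
    "cc":   {"L1": 60, "L2": 50, "L3": 40},
    "h1":   {"L1": 60, "L2": 50, "L3": 40},
    "r1":   {"L1": 0,  "L2": 85, "L3": 65},    # L1 tripped, flow shifts to L2/L3
    "r2":   {"L1": 95, "L2": 0,  "L3": 55},    # L2 tripped
    "r1r2": {"L1": 0,  "L2": 0,  "L3": 150},   # both tripped: L3 badly overloaded
}
# Constructed transition probabilities P(s'|s,a); mass that fails to advance stays in s.
TRANSITIONS = {
    "cc":   {"exploit_h1": [(0.9, "h1"), (0.1, "cc")]},
    "h1":   {"exploit_r1": [(0.6, "r1"), (0.4, "h1")],
             "exploit_r2": [(0.3, "r2"), (0.7, "h1")]},
    "r1":   {"exploit_r2": [(0.3, "r1r2"), (0.7, "r1")]},
    "r2":   {"exploit_r1": [(0.6, "r1r2"), (0.4, "r2")]},
    "r1r2": {},                                     # terminal contingency state
}

def performance_index(flows, fmax):
    """F(s): overload severity of a state from its line loadings."""
    return sum((flows[l] / fmax[l]) ** 2 for l in flows)

def security_index(flows_by_state, transitions, fmax, gamma=0.9, tol=1e-9):
    """I(s) for every state by value iteration on the assumed Bellman form."""
    F = {s: performance_index(f, fmax) for s, f in flows_by_state.items()}
    I = {s: 0.0 for s in flows_by_state}
    while True:
        delta = 0.0
        for s, actions in transitions.items():
            if not actions:          # no adversarial action left: index stays 0
                continue
            best = max(sum(p * ((F[s2] - F[s]) + gamma * I[s2]) for p, s2 in outs)
                       for outs in actions.values())
            delta, I[s] = max(delta, abs(best - I[s])), best
        if delta < tol:
            return I

def rank_states(index):
    """Contingency ranking: states the adversary gains most from, highest first."""
    return sorted(index, key=index.get, reverse=True)
```

The ranking puts the jump host state first: its index combines a cheap step to either relay with the large ΔF that the second relay compromise adds, which is the "ease of traversing plus impact" idea of the slides.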


Example: 8-substation Model

Sample Model State Space (figure; table columns: State #, F(s), I(s))
F(s) = overload severity; I(s) = calculated security index
Paths 1–3 are highlighted in the state-space Markov Decision Process (MDP) model for the sample network.

First attack path (figure: 8-substation model with a Control Center and substations Capital City, Cypress Creek, Paris, Springfield, Haverbrook, North Haverbrook, Ogdenville and Shelbyville; hosts H0, H1, H2, H3; relays R1, R2; line loadings 86% MVA, 142% MVA, 153% MVA)

Step       I(s)
H0 -> H1   1.21
H1 -> H2   3.81
H2 -> R1   5.99

Second attack path (figure: same 8-substation model; line loadings 86% MVA, 88% MVA, 95% MVA)

Step       I(s)
H0 -> H1   1.21
H1 -> H3   2.13
H3 -> R2   3.35

Third: a more complex path (figure: same 8-substation model; line loadings 86% MVA, 225%/142% MVA, 242%/153% MVA as shown)

Step       I(s)
H0 -> H1   1.21
H1 -> H3   2.13
H1 -> H2   4.09
H2 -> R1   6.85
R1 -> R2   13.77

Shared Critical Elements

•  Attacks can be more complex
   –  involve more than one action with a physical consequence
•  Highest ranked critical paths share several of the same initial elements and steps
•  Targeting protection efforts to the identified elements can have a widespread benefit

Limitations & Challenges

•  Scalability
   •  MDP can grow very quickly as the system size and vulnerability factor increase
•  Probabilities
   •  Computing and validating transition probabilities can be very tricky/subjective
   •  Vulnerability information (e.g., from ICS-CERT, NVD) can provide an objective basis


CyPSA Basic Pipeline – Take 2 (figure)

Inputs (Cyber-Physical Topology):
•  Vulnerability Information
•  Cyber Topology
•  Cyber-Physical Interconnection
•  Power Topology

CyPSA Toolset:
•  NP-View: compute connectivity; generate attack paths; prune attack paths
•  SOCCA: combine cyber attack paths with power contingencies; rank assets by criticality
•  PowerWorld: analyze contingencies

Output: Results

Security Indices for Path Rankings

•  NP-View provides the "cost" for each cyber path, p(i), that leads to a critical asset: Cost(p(i))
•  Each critical asset is assigned a reward based on attached physical contingencies: PerformanceIndex(p(i))
•  CyPSA ranks low cost, high impact attacks by: SecurityIndex(p(i))


NP-View Vulnerability Module


CyPSA Analysis Pipeline (figure: NP-View, CyPSA Web UI, CyPSA Engine, PowerWorld)

1. NP-View analyzes the cyber network and provides the cyber vulnerability analysis (attack paths XML file) to CyPSA.
2. CyPSA uses PowerWorld to calculate performance indices for all critical assets and then generates a cyber-physical attack path list ranked by security index.
3. CyPSA sends the new cyber-physical attack graph to be displayed by the Web UI.

Use Case: Asset Ranking

•  Rank based on both "impact" and "cyber exposure"
   •  impact: power system performance index
   •  cyber exposure: different metrics
      •  number of potential attack paths
      •  ease of realizing an attack
•  Rank "cyber" and "physical" assets
   •  cyber: hosts in the network – e.g., Jump Host
   •  physical: relays
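The Take 2 path ranking (cost from NP-View against the performance index of the attached contingency), the shared-critical-elements observation and the asset-ranking use case, as one added example that is not CyPSA or NP-View code. It assumes SecurityIndex(p) = PerformanceIndex(p)/Cost(p), since the slide names the quantities but its formula is not on the page; the path list is constructed.

```python
# Added example (not CyPSA or NP-View code): ranking attack paths and assets from a
# constructed path list shaped the way the slides describe: each cyber path p(i) carries
# a cost (what NP-View supplies) and ends at a critical asset whose attached contingency
# has a performance index (what the power-flow step supplies).
# Assumed ranking form, since the slide gives only the names:
#   SecurityIndex(p) = PerformanceIndex(p) / Cost(p)   (low cost, high impact first)
PATHS = [  # (path id, elements traversed in order, Cost(p), PerformanceIndex(p))
    ("p1", ["H0", "H1", "H2", "R1"], 3.0, 1.53),
    ("p2", ["H0", "H1", "H3", "R2"], 2.5, 0.95),
    ("p3", ["H0", "H1", "H3", "H2", "R1", "R2"], 6.0, 2.42),
    ("p4", ["H0", "H4", "R3"], 4.0, 0.40),
]

def path_security_index(cost, perf_index):
    """SecurityIndex(p): impact per unit of attacker cost (assumed ratio form)."""
    return perf_index / cost

def rank_paths(paths):
    """Paths ordered from most to least worrying."""
    return sorted(paths, key=lambda p: path_security_index(p[2], p[3]), reverse=True)

def shared_elements(paths, top_k):
    """Elements present on every one of the top_k ranked paths: protecting these
    blocks several high-ranked paths at once (the 'shared critical elements' slide)."""
    top = rank_paths(paths)[:top_k]
    common = set(top[0][1])
    for _, elems, _, _ in top[1:]:
        common &= set(elems)
    return sorted(common)

def asset_exposure(paths):
    """Per-asset cyber exposure: (number of paths through it, cheapest such path)."""
    stats = {}
    for _, elems, cost, _ in paths:
        for e in elems:
            n, cheapest = stats.get(e, (0, float("inf")))
            stats[e] = (n + 1, min(cheapest, cost))
    return stats

def rank_assets(paths):
    """Assets ordered by the best path index through them (impact), then by the
    number of paths (exposure): the two criteria of the asset-ranking use case."""
    best = {}
    for _, elems, cost, perf in paths:
        for e in elems:
            best[e] = max(best.get(e, 0.0), path_security_index(cost, perf))
    exp = asset_exposure(paths)
    return sorted(best, key=lambda e: (best[e], exp[e][0]), reverse=True)
```

On the constructed list the three highest-ranked paths all pass through H0 and H1, so those two hosts come out on top of the asset ranking as well.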

Use Case: Asset Ranking (figures)

Many Interesting Use Cases

•  Aggregate Exposure
   •  based on similar assets and/or due to a given vulnerability
•  Prioritizing Multiple Contingencies
   •  N-1-1: exposed line is 1st and rest of the lines are 2nd
•  Exposure of Substations to Cyber Attack
   •  identify exposed assets leading to multi-substation attack?
•  Proximity to Cascading Outages
   •  Track cyber-exposure of cascading outages
•  Looking Beyond Line Outages
   •  Loss of situational awareness, EMS functionality, etc.

Enhanced CyPSA Pipeline (figure)

Inputs (Cyber-Physical Network):
•  Vulnerability Information
•  Current Cyber State (e.g. Badger)
•  Cyber Topology (firewall rules)
•  Cyber-Physical Interconnection
•  Power Topology

CyPSA Toolset:
•  NP-View: compute connectivity; generate attack paths; prune attack paths
•  SOCCA: combine cyber attack paths with power contingencies; rank assets by criticality
•  PowerWorld: analyze contingencies

Output: Results

Takeaways

•  Grid operations should account for cyber infrastructure and cyber-attacks
•  Accurate inventory of dependencies among cyber assets and physical systems is crucial
•  Cyber-Physical Modeling and Security Assessment
   •  Improves operational resiliency
   •  Provides metrics to compare alternatives


Challenges

•  Creating the cyber-physical model
   •  Bus/Branch and Node/Breaker models are easy to get
      •  the EMS typically has them
   •  Secondary topology: substation topology <-> protection schemes
      •  Not readily available, manual
      •  CAD drawings, PowerBase, Excel sheets
   •  Cyber-topology
      •  Tools are now available for network visualization (IP level)
   •  Access Control/Firewall
      •  Tools available but need manual work
   •  Vulnerability Data
      •  semi-automated

Evaluation Partners

•  Working with utilities
   •  AVISTA
•  Lessons
   •  dealing with lock-out relays
   •  cyber-physical inventory and asset management
   •  IP vs. Serial penetration
   •  transient stability, clearing times, etc.


CyPSA streamlines a utility’s ability to inventory and analyze cyber-physical assets.


Relevant Publications

•  Panini Sai Patapanchala, Chen Huo, Rakesh B. Bobba and Eduardo Cotilla-Sanchez, "Exploring Security Metrics for Electric Grid Infrastructures Leveraging Attack Graphs," in Proceedings of SusTech, IEEE, October 2016.
•  Gabriel A. Weaver, Kate Davis, Matt Davis, Edmond J. Rogers, Rakesh B. Bobba, Saman Zonouz, Robin Berthier, Peter W. Sauer, and David M. Nicol, "Cyber-Physical Models for Power Grid Security Analysis: 8-Substation Case," in Proceedings of SmartGridComm, IEEE, November 2016.
•  K. R. Davis, R. Berthier, S. A. Zonouz, G. Weaver, R. Bobba, E. Rogers, P. W. Sauer, and D. M. Nicol, "Cyber-Physical Security Assessment (CyPSA) for Electric Power Systems," The Bridge, vol. 112, no. 2, May 2016.
•  Davis, K.R.; Davis, C.M.; Zonouz, S.; Bobba, R.B.; Berthier, R.; Garcia, L.; Sauer, P.W., "A Cyber-Physical Modeling and Assessment Framework for Power Grid Infrastructures," IEEE Transactions on Smart Grid, vol. 6, no. 5, pp. 2464–2475, Sept. 2015.
•  Zonouz, S.; Davis, C.M.; Davis, K.R.; Berthier, R.; Bobba, R.B.; Sanders, W.H., "SOCCA: A Security-Oriented Cyber-Physical Contingency Analysis in Power Infrastructures," IEEE Transactions on Smart Grid, vol. 5, no. 1, pp. 3–13, Jan. 2014.
•  Zonouz, S.; Rogers, K.M.; Berthier, R.; Bobba, R.B.; Sanders, W.H.; Overbye, T.J., "SCPSE: Security-Oriented Cyber-Physical State Estimation for Power Grid Critical Infrastructures," IEEE Transactions on Smart Grid, vol. 3, no. 4, pp. 1790–1799, Dec. 2012.


QUESTIONS? [email protected]
