Cyber-Physical Security: A Whole New Ballgame
Written by Bruno Sinopoli
A grid that incorporates computing and communications intelligence unfortunately presents potential attackers with many new opportunities, requiring a holistic approach to security that takes both hardware infrastructure and software into account. Fortunately, researchers are addressing these new issues on a broad front.
A wide variety of motivations exist for launching an attack on the power grid, ranging from economic reasons (such as manipulating connections or markets to reduce billed costs) to terrorism (such as threatening people by controlling or disrupting electricity and other life-critical resources). The emerging smart grid, while benefiting benign participants like consumers and utility companies, also provides adversaries with powerful tools.
As it replaces its incredibly successful and reliable predecessor, the traditional power system, the smart grid poses a series of new security challenges that require different approaches to cyber security. We call this new field "cyber-physical security." The tight coupling between information and communication technologies (ICT) and physical systems introduces new security concerns, requiring reconsideration of commonly used objectives and methods. Existing security approaches are either inapplicable, not viable, insufficiently scalable, incompatible or simply inadequate for addressing the challenges posed by highly complex environments such as the smart grid.
Physical attacks can compromise key security properties such as data confidentiality, integrity and availability without compromising the cyber part of the system. What is more, cyber security alone, without taking into account physical system dynamics, cannot predict the effects of an attack on the system; therefore, it is not well equipped to provide either insights for robust design or appropriate countermeasures at runtime.
To address such challenges, cyber security needs to be integrated with system theory to guarantee resilience of the grid. This kind of marriage is at the heart of cyber-physical security. In contrast to cyber security, the goal of cyber-physical security is to protect the whole cyber-physical system, which uses widespread sensing, communication and control to operate safely and reliably. Dependence on widespread computing and networking naturally increases security concerns as the availability, integrity and secrecy of the data carried may be compromised. At the same time, the presence of the physical system widens the range of possible attacks and constrains the set of feasible countermeasures. For example, shutting off the physical system to troubleshoot a communications issue will not generally be a viable solution. On the other hand, the interaction between the cyber and the physical dimensions offers many opportunities for detection and response when the physical system is equipped with computational and communications capabilities.
Yet an attack on the cyber system can severely compromise the physical system without being detected. This was the case with Stuxnet, a complex cyber attack that successfully targeted centrifuges used to enrich uranium in an Iranian facility. Stuxnet compromised the SCADA system and spun the centrifuges out of control while reporting normal operation to the SCADA master. My colleagues and I anticipated a Stuxnet-type attack and offered a suitable countermeasure in a paper that appeared over a year before the incident. The attack used knowledge of the system's dynamics and SCADA architecture to reach its goal, and a similar attack could be launched against other SCADA systems. In a more recent paper, we explained how a power generation control system can be attacked to cause undesired effects such as involuntary load shedding.
Attacks against smart grids can also target the market infrastructure, as the nodal price (or, in U.S. regulatory terms, the market-set locational marginal price) depends upon estimates of physical quantities such as the load on the transmission lines. In this case, a smart attacker could turn the manipulation of those estimates into profit.
In all of these attack scenarios, system knowledge is essential to achieving the goal. Tomorrow's attackers are not going to be just ingenious kids with deep knowledge of ICT infrastructure and creativity; they will need to acquire system expertise in order to be most effective.
Fortunately, physical systems follow very precise mathematical laws and therefore display predictable behavior, which can be used to detect anomalies related to attacks or malfunctions. Detection methods can take advantage of system knowledge to identify discrepancies between the measured and the expected behavior of the system. Such methods, conceived originally for the purpose of fault detection and isolation, represent a starting point for the development of attack detection techniques for cyber-physical systems.
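As an added illustration (not the author's code and not taken from the papers mentioned), the model-based detection described above, run on a constructed scalar plant: a steady-state Kalman predictor produces an innovation whose normalized square follows a chi-square distribution while the model holds, and a sensor feed that keeps reporting the quiet pre-change readings while the plant responds to a commanded change (the "reporting normal operation" pattern described for Stuxnet above) drives that statistic past the threshold within a few steps. The plant constants, noise variances, threshold and replay scenario are all assumptions made for the example.

```python
import math

# Assumed scalar plant (constructed for this example): a deviation x that a
# governor drives back toward zero, x[k+1] = A*x[k] + B*u[k] + w,  y[k] = x[k] + v
A, B = 0.9, 0.5
Q, R = 0.01, 0.04                    # assumed process / measurement noise variances
CONTROLS = [0.0] * 10 + [1.0] * 30   # operator raises the set-point at step 10


def steady_state_gain(a, q, r, iters=200):
    """Iterate the Riccati recursion to the steady-state Kalman gain and the
    prior (one-step prediction) error variance it converges to."""
    p = 1.0
    for _ in range(iters):
        p_pred = a * p * a + q
        k = p_pred / (p_pred + r)
        p = (1.0 - k) * p_pred
    return k, a * p * a + q


def detect(measurements, controls, threshold=9.0):
    """Chi-square residual detector.  The innovation r_k = y_k - xhat_k|k-1 has
    variance P_pred + R when the model holds, so r_k^2/(P_pred + R) ~ chi2(1);
    9 (a 3-sigma event) is exceeded only ~0.3% of the time in normal operation.
    Returns the step indices at which the alarm fires."""
    k, p_pred = steady_state_gain(A, Q, R)
    x_hat, alarms = 0.0, []
    for i, (y, u) in enumerate(zip(measurements, controls)):
        r = y - x_hat                          # the part the model did not predict
        if r * r / (p_pred + R) > threshold:
            alarms.append(i)
        x_hat += k * r                         # measurement update
        x_hat = A * x_hat + B * u              # predict from the commanded input
    return alarms


def simulate(controls, replay_from=None):
    """Constructed sensor stream (process noise omitted, measurement noise a
    bounded deterministic sequence so the run is reproducible).  With
    replay_from=n, from step n on the feed repeats the readings from n steps
    earlier, i.e. the quiet pre-change values, while the real plant moves."""
    x, ys = 0.0, []
    for i, u in enumerate(controls):
        v = 0.1 * math.sin(1.7 * i)
        replaying = replay_from is not None and i >= replay_from
        ys.append(ys[i - replay_from] if replaying else x + v)
        x = A * x + B * u                      # the physical plant still obeys u
    return ys
```

With an honest feed the detector stays silent through the set-point change, because the predictor is driven by the same commanded input; with the replayed feed the first alarm fires two steps after the change and every step thereafter.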
Finally, responses by defenders to cyber-physical attacks need to change. Physical systems, such as energy systems, are often safety-critical, as the lives of many depend on their correct operation. Consequently, resilience becomes a key property; the system needs to continue operating under attacks, perhaps at a reduced performance, while still guaranteeing the basic safety properties through graceful degradation.
The research community has begun addressing some of these challenges. Institutions such as Carnegie Mellon CyLab, the National Science Foundation-sponsored Science and Technology Center TRUST and the TCIPG Center at the University of Illinois, among others, are addressing the need to secure cyber-physical systems. The U.S. government has also clearly identified the need to secure cyber-physical infrastructures and has funded several initiatives on the security of smart grids, mainly through the Department of Energy (DoE).
In addition, several technology providers are developing solutions on their own. Northrop Grumman Information Systems has recently established a research consortium to address emerging security needs, including cloud computing and grid security.
I believe that only a concerted effort that includes technology vendors, utilities, academic institutions and government will succeed at developing and implementing a secure-by-design smart grid that avoids the cat-and-mouse game that dominates the IT industry, a game that cannot be afforded in the context of critical infrastructures.
Bruno Sinopoli received a doctorate in engineering from the University of Padua in 1998, and M.S. and Ph.D. degrees in electrical engineering from the University of California at Berkeley in 2003 and 2005 respectively. He did postdoctoral work at Stanford University and then joined the faculty at Carnegie Mellon University, where he is an associate professor in the Department of Electrical and Computer Engineering; he has courtesy appointments in Mechanical Engineering and in the Robotics Institute. He was awarded the 2006 Eli Jury Award for outstanding research achievement in the areas of systems, communications, control and signal processing at the University of California at Berkeley, as well as the NSF CAREER Award in 2010.