
Post on 21-Aug-2020

DDDAS for Attack Detection, Isolation, and Reconfiguration of Control Systems

Luis Francisco Combita, Jairo Giraldo, Alvaro A. Cardenas, Nicanor Quijano

University of Texas at Dallas; Universidad de Los Andes, Colombia

InfoSymbiotics/DDDAS August 11, 2016

Control Systems

■ Attacks to Regulatory Control
■ A1 and A3 are deception attacks: the integrity of the signal is compromised
■ A2 and A4 are DoS attacks
■ A5 is a physical attack to the plant

The Threat is not Hypothetical

Defense in Depth

• Security is not only about keeping attackers out
• It is also about
  – Mitigating
  – Detecting
  – Responding
• to adversaries that have partial access to your system

DDDAS Anomaly Detection and Response

[Figure: block diagram. Blocks: Physical Process (Plant), Actuators, Sensors, Controller, Simulation, Anomaly Detection (ignore bad sensors, reconfigure simulation), Dynamically Request More Data from Other Systems, Reconfigure Controller (account for bad actuators), Reconcile Data. Signals: v_k, z_k, y_k, u_k, r_k.]

Network Intrusion Detection

[Urbina et al. ACM CCS 2016]

Extracting Sensor and Control Commands from Network Traffic

Scapy parser for Modbus

• Protocol specification correct but false info

Detection = Simulation + Statistics


LDS Model for Raw Water Tank


Implementing the Attack


Problem: We Can Always Create Attacks That Are Detected


Attackers are More Cunning than Failures (they try to avoid being detected)

[Figure: anomaly detection statistic plotted against the threshold for raising an alarm]

Undetected Attacks to Water Testbed


Our Proposed Metric

[Figure: Tradeoff Curve of Anomaly Detector 1 and Tradeoff Curve of Anomaly Detector 2. Vertical axis: Security Metric: Impact of undetected attacks (Less Impact = More Secure). Horizontal axis: Usability Metric: Time between false alarms (Longer time between false alarms = More Usable).]

Detector 2 is better than Detector 1: for the same level of false alarms, undetected attackers can cause less damage to the system

Trade-off Curves Can Help us Identify Which Detectors are Better than Others
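
The trade-off described above, as an added example that is not from the slides or the authors' code: a Luenberger-observer residual detector on a one-tank model, swept over thresholds to report time between false alarms against the largest constructed sensor bias that raises no alarm. The tank model, observer gain, noise bound, stateless threshold test and all traces are assumptions constructed for illustration.

```python
# Added example: every constant and trace below is a constructed assumption.
import random

A, B, L = 1.0, 0.05, 0.5   # assumed tank model x[k+1] = A*x[k] + B*u[k]; observer gain L
NOISE = 0.005              # constructed sensor noise bound (m)

def make_trace(n, bias=0.0, start=None, seed=1):
    """Constructed sensor trace: constant 0.5 m level, bounded noise, optional bias."""
    rng = random.Random(seed)
    return [0.5 + rng.uniform(-NOISE, NOISE)
            + (bias if start is not None and k >= start else 0.0) for k in range(n)]

def residuals(y, u):
    """Simulation step: a Luenberger observer predicts the level; residual = |y - prediction|."""
    x_hat, out = 0.5, []
    for yk, uk in zip(y, u):
        r = yk - x_hat
        out.append(abs(r))
        x_hat = A * x_hat + B * uk + L * r   # observer update with output injection
    return out

def alarms(res, tau):
    """Statistics step: stateless test, alarm at each step whose residual exceeds tau."""
    return [k for k, r in enumerate(res) if r > tau]

def time_between_false_alarms(n, tau):
    """Usability metric: attack-free steps per alarm (inf when none fire)."""
    fa = alarms(residuals(make_trace(n), [0.0] * n), tau)
    return n / len(fa) if fa else float("inf")

def largest_missed_bias(n, tau, biases, start=100):
    """Security proxy: largest constructed sensor bias in `biases` that raises no alarm."""
    missed = [b for b in biases
              if not alarms(residuals(make_trace(n, b, start), [0.0] * n), tau)]
    return max(missed, default=0.0)

def tradeoff(n, taus, biases):
    """One point per threshold: (tau, time between false alarms, largest missed bias)."""
    return [(tau, time_between_false_alarms(n, tau), largest_missed_bias(n, tau, biases))
            for tau in taus]

if __name__ == "__main__":
    for row in tradeoff(2000, [0.004, 0.008, 0.012, 0.03], [0.001, 0.01, 0.015, 0.05]):
        print(row)
```

Raising the threshold lengthens the time between false alarms and also lets a larger bias pass unflagged; plotting the two columns against each other gives one detector's trade-off curve.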


What Happens After Detection?

• Alert to operator
• Automatic Response
  – Identify compromised device
  – Isolate it
  – Reconfigure the control system

Three Tank Example for Isolation and Response

[Figure: three-tank system with Pump 1, Pump 2 and tank levels L1, L2, L3]

Luenberger vs. Unknown Input Observer (UIO) Estimators

[Figure: three panels over Time (s), 0 to 2000. Panel 1: Attacks on sensors and Detection. Panel 2: Attack on sensor 1 and Detection on sensor 1. Panel 3: Attack on sensor 2 and Detection on sensor 2.]

Luenberger detects attacks faster with few false alarms, but it is difficult to identify the source of the attack

UIOs identify the source of the anomaly but have higher false alarms / detection delay

Detection (Luenberger) + Isolation (UIO) + Reconfiguration

[Figure: two panels of Level 1 (m) over Time (s), 0 to 2000, each comparing "Without reconfiguration" and "With reconfiguration".]

Other DDDAS-Inspired Architectures for Secure/Private Control

• Risk-Aware Operation
• Privacy-Preserving Control

Safe Control Under DoS Attacks [Amin, Cardenas, Sastry, HSCC 2009]

DDDAS-Inspired Risk-Operation

[Figure: block diagram. Blocks: Physical Process (Plant), Actuators, Sensors, Simulation Under Threat 1, Simulation Under Threat 2, Simulation Under Threat n, External Data, Dynamically Reconfigure Based on Threat Level. Signals: v_k, z_k, y_k, u_k.]

• If there is any indicator “cyber or physical” of potential future attack, then predict attack and operate conservatively

Privacy Guidelines for Smart Grid

• Collect “only ... necessary [data] for Smart Grid operations, including planning and management”
  – Perhaps plan and manage better with more data?
• Retain data “only for as long as necessary”
  – Data for a longer time presumably means better forecasting?

Microgrid Synchronization with Privacy Sampling

[Giraldo et al. IEEE CDC 2014]

Reaching consensus independent of sampling rate and time delays


New Sampling Policy: Discretionary Sampling


Questions?

Alvaro A. Cardenas alvaro.cardenas@utdallas.edu
