synergistic security for smart water networks: redundancy
Post on 06-May-2022
1 Views
Preview:
TRANSCRIPT
Synergistic Security for Smart Water Networks:Redundancy, Diversity, and Hardening
Aron Laszka, Waseem AbbasYevgeniy Vorobeychik, Xenofon Koutsoukos
April 21, 2017
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 1 / 31
Motivation
An adversary attacks a waterdistribution network
by introducing contaminants.
by disabling sensing devices.
A network can be made resilientagainst attacks by
by adding more sensors,
by introducing different types ofsensing devices,
by increasing protection &security of devices.
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 2 / 31
Motivation
What is the most effectivestrategy to make the networkresilient against such attacks?
An adversary attacks a waterdistribution network
by introducing contaminants.
by disabling sensing devices.
A network can be made resilientagainst attacks by
by adding more sensors,
by introducing different types ofsensing devices,
by increasing protection &security of devices.
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 2 / 31
Contributions
Cyber-physical attacks in smart water-distribution network.
To improve resilience against attacks, an optimal defensestrategy that combines
redundancy, diversity, and hardening approaches.
Models
System model, security investment model, and cyber-physicalattack model.
Problem formulation
Preliminary results and numerical evaluation
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 3 / 31
Cyber-Physical Attack in Smart Water-DistributionNetwork
Physical attack
Contaminating drinking water
Example: during the 2016Olympic games, a terroristgroup planned a biochemicalattack on a water-reservoir.
Even without attacks, providingclean drinking water is critical forpublic health and safety.
Cyber attack
Disabling network monitoringsystem
Example: disabling sensordevices.
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 4 / 31
Redundancy, Diversity, and Hardening
Redundancy
example: deploying additional sensor devices.
adversary has to compromise more devices.
Diversity
example: using multiple software/hardware platforms.
single, common vulnerability cannot be exploited to compromise alldevices.
Hardening
example: penetration testing, vulnerability discovery for platforms andtamper resistant hardware for devices.
devices are harder to compromise for adversary.
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 5 / 31
Optimal Strategy to Resilience
Each of these approacheshas been extensivelystudied in isolation.
Example: sensorplacement, investmentinto software securityetc.
Optimal Strategy
How to combine canonical approaches optimally toimprove network resilience against attacks?
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 6 / 31
Model
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 7 / 31
System Model
Water network G (V ,E )
links E model pipes
nodes V model junctions ofpipes, reservoirs, tanks,consumers, etc.
every consumer node v has awater-consumption value Uv
Sensor devices S
each sensor s ∈ S is deployed at node ls ∈ V ,
every sensor continuously monitors the water at its node, and raisesan alarm when the concentration of a contaminant reaches athreshold level τ .
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 8 / 31
Security Investment Model – Redundancy
Minimum number of sensors (for adequate monitoring withoutattacks) = Smin
Level of redundancy: R = |S | − Smin
Redundancy investment = CR · R
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 9 / 31
Security Investment Model – Redundancy
Minimum number of sensors (for adequate monitoring withoutattacks) = Smin
Level of redundancy: R = |S | − Smin
Redundancy investment = CR · R
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 10 / 31
Security Investment Model – Diversity
Set of implementation types of sensors = T
Implementation type of sensor s is ts ∈ T .
Level of diversity: D = |T | − 1
Diversity investment = CD · D
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 11 / 31
Security Investment Model – Diversity
Set of implementation types of sensors = T
Implementation type of sensor s is ts ∈ T .
Level of diversity: D = |T | − 1
Diversity investment = CD · D
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 12 / 31
Security Investment Model – Hardening
Investment into hardening implementation type t is ht .
Investment into hardening sensor s is hs .
Hardening investment: H =∑t∈T
ht +∑s∈S
hs
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 13 / 31
Security Investment Model – Hardening
Investment into hardening implementation type t is ht .
Investment into hardening sensor s is hs .
Hardening investment: H =∑t∈T
ht +∑s∈S
hs
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 14 / 31
Physical-Attack Model
Water-supply contaminationadversary can introduce acontaminant at one of theintroduction points Pdiscrete-time spread model:from introduction point p ∈ P, aftern time steps, the concentration atnode v is Cp(n, v)
Detection time Lp
Lp(S) = min {n ∈ N | ∃s ∈ S : Cp(n, ls) ≥ τ}detection threshold
Physical impact Ip
Ip(S) =Lp(S)∑n=1
∑v∈V
Uv · Cp(n, v) concentration
water consumption
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 15 / 31
Cyber-Attack Model
Adversary finds a common vulnerability in implementation type t ∈ T
Pr [finding a vulnerability in type t] = Vt · e−ht/CT
H
all devices of this type are disabled by the adversary
Adversary compromises each sensor device s ∈ S with probability
Pr [compromising sensor s] = Vs · e−hs/CS
H
each compromised device is disabled by the adversary
SA is the set of sensors that have not been disabled, then
Expected impact of cyber-physical attack = ESA
[Ip(SA)]
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 16 / 31
Problem Statement
Worse-case attack
adversary mounts worst-case attack
argmaxp∈P
ESA
[Ip(SA)] .
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 17 / 31
Problem Statement
Decision variables:
Set of sensors: S
Set of implementation types: T
For each sensor s ∈ S
location lsimplementation type tshardening investment hs
For implementation type t ∈ T
hardening investment ht .
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 18 / 31
Problem Statement
Decision variables:
Set of sensors: S
Set of implementation types: T
For each sensor s ∈ S
location lsimplementation type tshardening investment hs
For implementation type t ∈ T
hardening investment ht .
Resulting investments:
Redundancy: R = |S | − Smin
Diversity: D = |T | − 1
Hardening: H =∑t∈T
ht +∑s∈S
hs
Constraint:
Investment budget: C
CR · R + CD · D + H ≤ C
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 19 / 31
Problem Statement
Decision variables:
Set of sensors: S
Set of implementation types: T
For each sensor s ∈ S
location lsimplementation type tshardening investment hs
For implementation type t ∈ T
hardening investment ht .
Resulting investments:
Redundancy: R = |S | − Smin
Diversity: D = |T | − 1
Hardening: H =∑t∈T
ht +∑s∈S
hs
Constraint:
Investment budget: C
CR · R + CD · D + H ≤ C
Optimal defense
minS,T ,〈ls ,ts ,hs〉s∈S ,〈ht〉t∈T
maxp∈P
ESA
[Ip(SA)]
subject to, CR · R + CD · D + H ≤ C
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 20 / 31
Preliminary Results
Finding an optimal defense is computationally hard.
Problem complexity
Given a fixed amount of security investment C and a threshold expectedimpact K , determining if there exists a defense that results in expectedimpact less than or equal to K is an NP-hard problem.
Most variants and subproblems are also computationally challenging.
We use a greedy heuristic to find placements, type assignments, anddistributions of hardening expenditure
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 21 / 31
Numerical Illustration
Based on a real-world water-distribution network from Kentucky
obtained from the Water Distribution System Research Database atuky.educontains topology and water-demand values
Simulating physical attacks
contaminant may beintroduced at one of six nodesP (3 tanks and 3 reservoirs);for each node p ∈ P, wesimulated the spread of acontaminant using EPANET(epa.gov/water-research/epanet)
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 22 / 31
Simulation Example
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 23 / 31
Numerical Setup
Physical system parameters
topology G : from real-world data,contaminant concentrations Cp(n, v): from simulations,impact Ip: from concentrations Cp(n, v) and real-world data.
Cyber system parameters
to study various combinations of R, D, and H, we letminimum number of sensors: Smin = 1cost of hardening types: CT
H = 100cost of hardening devices: CD
H = 1.
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 24 / 31
Numerical Results
Comparison of security investment strategies
0 2 4 6 8 10
0.6
0.8
1
·105
Investment budget
Vulnerab
ility
(exp
ectedloss) only R
only H
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 25 / 31
Numerical Results
Comparison of security investment strategies
0 2 4 6 8 10
0.6
0.8
1
·105
Investment budget
Vulnerab
ility
(exp
ectedloss) only R
only H
R+H (optimal)
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 26 / 31
Numerical Results
Comparison of security investment strategies
0 2 4 6 8 10
0.6
0.8
1
·105
Investment budget
Vulnerab
ility
(exp
ectedloss) only R
only H
R+H (optimal)
R+H (naive)
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 27 / 31
Numerical Results
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 28 / 31
Numerical Results contd.
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 29 / 31
Conclusions
Theoretical foundations for studying redundancy, diversity, andhardening in an integrated framework.
Numerical results show that the three approaches can be significantlymore effective when combined.
Finding optimal defense is computationally challenging.
Future workconsider a wider range of CPS (e.g., smart grids, transportationnetworks).provide efficient algorithms for finding optimal defense.establish general principles for secure and resilient CPS design.
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 30 / 31
Acknowledgments
National Science Foundation (CNS-1238959)
Air Force Research Laboratory (FA 8750-14-2-0180)
Thank You
Laszka, Abbas, Vorobeychik, Koutsoukos Synergistic Security for Smart Water Networks April 21, 2017 31 / 31
top related