DDDAS for Attack Detection, Isolation, and Reconfiguration of Control Systems
Luis Francisco Combita, Jairo Giraldo, Alvaro A. Cardenas, Nicanor Quijano
University of Texas at Dallas; Universidad de Los Andes, Colombia
InfoSymbiotics/DDDAS August 11, 2016
Control Systems
■ Attacks to Regulatory Control
■ A1 and A3 are deception attacks: the integrity of the signal is compromised
■ A2 and A4 are DoS attacks
■ A5 is a physical attack to the plant
The Threat is not Hypothetical
Defense in Depth
• Security is not only about keeping attackers out
• It is also about
– Mitigating
– Detecting
– Responding
• to adversaries that have partial access to your system
[Diagram: Physical Process (Plant) with Actuators and Sensors, a Controller, and a Simulation; signals vk, zk, yk, uk, rk. Blocks: Anomaly Detection (ignore bad sensors, reconfigure simulation); Dynamically Request More Data from Other Systems; Reconfigure Controller (account for bad actuators); Reconcile Data]
DDDAS Anomaly Detection and Response
Network Intrusion Detection
[Urbina et al. ACM CCS 2016]
Extracting Sensor and Control Commands from Network Traffic
Scapy parser for Modbus
• Protocol specification correct but false info
Detection = Simulation + Statistics
LDS Model for Raw Water Tank
Implementing the Attack
Problem: We Can Always Create Attacks That Are Detected
Attackers are More Cunning than Failures (they try to avoid being detected)
threshold for raising an alarm
Anomaly Detection Statistic
Undetected Attacks to Water Testbed
Our Proposed Metric
[Figure: trade-off curves. Vertical axis: Security Metric: Impact of undetected attacks (Less Impact = More Secure). Horizontal axis: Usability Metric: Time between false alarms (Longer time between false alarms = More Usable). Curves: Tradeoff Curve of Anomaly Detector 1; Tradeoff Curve of Anomaly Detector 2]
Detector 2 is better than Detector 1: For the same level of false alarms, undetected attackers can cause less damage to the system
Trade-off Curves Can Help us Identify Which Detectors are Better than Others
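The trade-off metric above can be computed for a simple residual detector, as in this added example, which is not code from the slides or from the cited paper. It assumes a constructed scalar tank model, a stateless threshold test on the residual, constructed noise, and two hypothetical detectors that differ only in model accuracy; all function names are illustrative.

```python
import random

def residuals(model_gain, n=20000, seed=1):
    """Attack-free residuals r_k = |y_k - yhat_k| on a constructed tank model.

    Assumed plant: x_{k+1} = x_k + 0.1*u_k, sensor y_k = x_k + noise.
    The detector's simulation predicts yhat_k = y_{k-1} + model_gain*u_{k-1}.
    """
    rng = random.Random(seed)
    x, y_prev, u_prev, out = 0.5, 0.5, 0.0, []
    for k in range(n):
        x += 0.1 * u_prev                       # true level update
        y = x + rng.gauss(0.0, 0.002)           # constructed sensor noise
        out.append(abs(y - (y_prev + model_gain * u_prev)))
        u_prev = 0.1 if (k // 50) % 2 == 0 else -0.1   # fill / drain cycle
        y_prev = y
    return out

def tradeoff(res, thresholds, horizon=100):
    """(tau, mean steps between false alarms, undetected-deviation bound).

    Bound: a stateless test accepts any reading within tau of the prediction,
    and the prediction starts from the last reported reading, so the reported
    level can drift from the model by at most tau per step.
    """
    curve = []
    for tau in thresholds:
        alarms = sum(r > tau for r in res)
        tbfa = len(res) / alarms if alarms else float("inf")
        curve.append((tau, tbfa, tau * horizon))
    return curve

def impact_at(res, target_tbfa, horizon=100):
    """Smallest threshold meeting the false-alarm target, and its bound."""
    allowed = int(len(res) / target_tbfa)       # alarms tolerated in the trace
    tau = sorted(res, reverse=True)[allowed]    # leaves at most `allowed` above
    return tau, tau * horizon

if __name__ == "__main__":
    det1 = residuals(model_gain=0.08)           # detector 1: mismatched model
    det2 = residuals(model_gain=0.10)           # detector 2: accurate model
    for name, res in (("detector 1", det1), ("detector 2", det2)):
        tau, bound = impact_at(res, target_tbfa=1000)
        print(f"{name}: tau={tau:.4f}  undetected-deviation bound={bound:.3f} m")
```

At the same false-alarm spacing, the detector with the more accurate model can run a tighter threshold, which is what lowers its curve.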
What Happens After Detection?
• Alert to operator
• Automatic Response
• Identify compromised device
• Isolate it
• Reconfigure the control system
Three Tank Example for Isolation and Response
[Diagram: three-tank system; labels: Pump 1, Pump 2, L1, L2, L3]
Luenberger vs. Unknown Input Observer (UIO) Estimators
[Figure: three panels over Time (s), 0 to 2000. Panel 1: Attacks on sensors / Detection. Panel 2: Attack on sensor 1 / Detection on sensor 1. Panel 3: Attack on sensor 2 / Detection on sensor 2]
Luenberger detects attacks faster with few false alarms, but it is difficult to identify the source of the attack
UIOs identify the source of the anomaly but have higher false alarms / detection delay
Detection (Luenberger) + Isolation (UIO) + Reconfiguration
[Figure: two panels of Level 1 (m) over Time (s), 0 to 2000. Curves: Without reconfiguration; With reconfiguration]
Other DDDAS-Inspired Architectures for Secure/Private Control
• Risk-Aware Operation
• Privacy-Preserving Control
Safe Control Under DoS Attacks [Amin, Cardenas, Sastry, HSCC 2009]
DDDAS-Inspired Risk-Operation
[Diagram: Physical Process (Plant) with Actuators and Sensors; signals vk, zk, yk, uk. Blocks: Simulation Under Threat 1, Simulation Under Threat 2, ..., Simulation Under Threat n; External Data; Dynamically Reconfigure Based on Threat Level]
• If there is any indicator “cyber or physical” of potential future attack, then predict attack and operate conservatively
Privacy Guidelines for Smart Grid
• Collect “only ... necessary [data] for Smart Grid operations, including planning and management”
– Perhaps plan and manage better with more data?
• Retain data “only for as long as necessary”
– Data for a longer time presumably means better forecasting?
Microgrid Synchronization with Privacy Sampling
[Giraldo et al. IEEE CDC 2014]
Reaching consensus independent of sampling rate and time delays
New Sampling Policy: Discretionary Sampling