KTH ROYAL INSTITUTE OF TECHNOLOGY
Physics-Based Attack Detection and Countermeasures in Control Systems
Henrik Sandberg
Department of Automatic Control, KTH, Stockholm, Sweden
In Collaboration With…
• KTH and CERCES: György Dán, Ragnar Thobaben, Mads Dam, Kaveh Paridari, Jezdimir Milošević, David Umsonst, Karl Henrik Johansson
• Delft University of Technology: André M.H. Teixeira
• University of Texas at Dallas: Alvaro A. Cárdenas, and co-workers
• SPARKS (EU FP7): AIT, UTRC, and EMC Corporation
Industrial Control System (ICS) under Attack
[Cardenas et al., Hotsec ‘08] [Urbina et al., CCS ‘16]
IT perspective:
Control perspective:
[Teixeira et al., HiCoNS ‘12]
Example: Stealthy Water Tank Attack
• 2 hacked actuators (𝑢1 and 𝑢2)
• 2 healthy sensors (𝑦1 and 𝑦2)
Can the controller/detector always detect the attack?
[Teixeira et al., HiCoNS ‘12]
Example: Stealthy Water Tank Attack [Movie]
[Teixeira et al., HiCoNS ‘12]
Example: Stealthy Water Tank Attack
• 2 hacked actuators (𝑢1 and 𝑢2)
• 2 healthy sensors (𝑦1 and 𝑦2)
Can the controller/detector always detect the attack?
Not against an adversary with physics knowledge ⇒ Undetectable attack (zero-dynamics attack)
[Urbina et al., CCS ‘16]
Physics-Based Anomaly Detection
• Physics-based anomaly detectors work for
  • Randomly failing components [safety]; and
  • Physics-unaware adversaries [security]
• But example illustrates sensitivity to adversaries with
  • Physical process knowledge; and ability to stage coordinated (time & space) data corruption [security]
• Quantify performance of and compare different detectors?
New Performance Metric for ICS Anomaly Detection [Urbina et al., CCS ‘16]
Power System Example [Umsonst et al., submitted ‘16]
The better detector
Mean time between false alarms (no attack and no component failure; caused by “normal” process and sensor noise)
Physics-Based Attack Detection and Countermeasures in Control Systems
What can we do in real time about the attacks and faults we can detect using the anomaly detector? I.e., what about the countermeasures (=reconfiguration)? Example next…
A Test-bed and Case Study: NIMBUS Microgrid, Cork, Ireland
Electrical components
• 10 kW wind turbine
• 35 kWh (85 kW peak) Li-Ion battery
• 50 kW electrical/82 kW thermal combined heat and power unit (CHP)
• Feeder management relay to manage the point of coupling between the microgrid and the rest of the building, and a set of local loads
• Battery and wind turbine interfaced through power electronics converters
• CHP with synchronous machine
IT System
• Interlinked Building Management System and Microgrid SCADA
• Three-layer control systems
[Figure: NIMBUS schematic with panels "Electrical Microgrid", "Thermal system", "Supervisory Control of Microgrid & Heating Middleware", "Power system control and coordination" and "Supervisory system (control and optimization)", annotated with the sensor and set-point signals exchanged between them]
Attack Scenario
Adversary: Infect some field devices with malware (à la Stuxnet) corrupting measurements sent to PLCs (Here: 𝐴𝑇1 and 𝐴𝑇2)
Defender: Access to remote correlated measurements and a physical model (here temp. measurements and modeling by system identification)
In collaboration with UTRC and EMC Corporation (Ireland)
[Paridari et al., ICCPS ‘16]
Resilient Monitoring and Control
1. Anomaly detector in control center detects attacked measurement 𝑦𝑖 + Δ𝑦
2. Optimal physics-based prediction 𝑦𝑖 from un-attacked measurements 𝑦1, …, 𝑦𝑁 (Virtual sensor)
3. Feed 𝑦𝑖 back to PLCs
[Paridari et al., ICCPS ‘16]
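The three steps above as a small runnable sketch; this is an added example, not code from the slides or from Paridari et al. It assumes a linear least-squares model for the virtual sensor, a CUSUM detector on the residual, and constructed temperature data; all function names, the `drift`/`tau` values and the bias attack Δ𝑦 = 0.8 are illustrative.

```python
import random

def fit_virtual_sensor(X, y):
    """Assumed model (not from the slides): least-squares fit y_i ~ w.x + b on attack-free history."""
    rows = [list(x) + [1.0] for x in X]               # append bias column
    n = len(rows[0])
    A = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    b = [sum(r[i] * t for r, t in zip(rows, y)) for i in range(n)]
    for c in range(n):                                # Gauss-Jordan with partial pivoting
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[p], b[c], b[p] = A[p], A[c], b[p], b[c]
        for r in range(n):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [u - f * v for u, v in zip(A[r], A[c])]
                b[r] -= f * b[c]
    return [b[i] / A[i][i] for i in range(n)]         # weights, bias last

def predict(w, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + w[-1]

def resilient_feed(w, stream, drift, tau):
    """Steps 1-3 with an assumed CUSUM detector; returns values sent to the PLC and alarm index."""
    s, alarm_at, out = 0.0, None, []
    for k, (x, y_meas) in enumerate(stream):
        y_hat = predict(w, x)                         # step 2: prediction from healthy sensors
        s = max(0.0, s + abs(y_meas - y_hat) - drift) # step 1: detector statistic on the residual
        if alarm_at is None and s > tau:
            alarm_at = k
        out.append(y_meas if alarm_at is None else y_hat)  # step 3: feed prediction after alarm
    return out, alarm_at

def demo(seed=0, attack_start=40, delta_y=0.8):
    """Constructed data: y_i = 0.6*y1 + 0.4*y2 + 1 + noise, bias attack delta_y on y_i."""
    rng = random.Random(seed)
    def sample():
        x = (rng.uniform(18, 24), rng.uniform(18, 24))
        return x, 0.6 * x[0] + 0.4 * x[1] + 1.0 + rng.gauss(0, 0.1)
    hist = [sample() for _ in range(200)]             # attack-free training window
    w = fit_virtual_sensor([x for x, _ in hist], [y for _, y in hist])
    live = [sample() for _ in range(100)]
    truth = [y for _, y in live]
    stream = [(x, y + (delta_y if k >= attack_start else 0.0))
              for k, (x, y) in enumerate(live)]
    out, alarm_at = resilient_feed(w, stream, drift=0.3, tau=1.0)
    return out, alarm_at, truth

if __name__ == "__main__":
    print("alarm at sample", demo()[1])
```

The samples between `attack_start` and the alarm index still reach the PLC uncorrected; that window is the detector delay the verification slide calls "attacker free time".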
Verification: Control Performance
1400 sec delay in anomaly detector (“attacker free time”):
[Figure: control performance plots; time axes in seconds]
[Paridari et al., ICCPS ‘16]
Summary
• Possibilities with physics-based anomaly detectors:
  • Randomly failing components [safety]: OK
  • Physics-unaware adversaries [security]: OK
  • Adversaries with physics knowledge and ability to stage coordinated (time & space) data corruption [security]: not always OK (example in movie)
• New metric to evaluate anomaly detectors for ICS. Tools under development
• Fault- and attack-tolerant (resilient) controller example
CERCES – Center for Resilient Critical Infrastructures
• Area 1: Embedded Software Platforms (M. Dam)
• Area 2: Wireless Communication (R. Thobaben)
• Area 3: Communication and Computation Infrastructure (G. Dán)
• Area 4: Resilient Control of Cyber-Physical Systems (H. Sandberg)
Thank You!
• CERCES: www.ees.kth.se/cerces
• SPARKS: project-sparks.eu/
• Henrik Sandberg: people.kth.se/~hsan/