Cyber Security of Cyber Physical Systems: Cyber Threats and Defense of Critical Infrastructures
Abstract
Most critical infrastructures, such as the power grid, railway or air traffic control, industrial automation in manufacturing, water/sewage infrastructure, banking system, etc., are cyber physical systems (CPS). Since the continued availability of their major functions is extremely important to the economy and to people's normal lives, there is widespread concern that they might come under intense cyber attack. In fact, a number of such cases have occurred in the last decade. Therefore, defending these systems from cyber threats is extremely important. Because of the cyber physical nature of most of these systems, and due to the increasing use of networking, embedded computing, and SCADA (Supervisory Control and Data Acquisition), the attack surfaces have grown. In this tutorial, we shall consider some of these cyber threats, discuss the methodologies, tools and techniques for defending such systems, and show how the design of secure cyber physical systems differs from previous CPS design methodologies.

In the past, CPS design methodology usually followed a model based engineering approach in which, as a first step of the design process, a physics based mathematical model of the physical system and a control theoretic model of the control system were integrated in a formal or semi-formal framework. The designers would start from an abstract model and refine it down to an implementation model in several steps, either formally or informally. The implementation model was then validated for functional correctness, performance, real-time requirements, etc. Functional safety, robustness to input assumptions, reliability under fault assumptions, and resilience to unknown adversities were considered good design goals.

With the increasing networked distributed control of large and geographically distributed critical infrastructures such as the smart grid, smart transportation systems, and the air traffic control system, and the exposure to cyber-attacks ushered in by IP convergence, the design goals should prioritize cyber-security and cyber defense as first class design objectives. In order to do so, designers have to don a dual personality: for robustness, reliability, and functional safety, a model driven engineering approach would work, whereas for cyber-security and defense, the designer has to step into the shoes of a malicious attacker. Consider an example where one has to consider the various observation or sampling points of the system (e.g., sensors that read or sample the physical environment), and consider how an attacker might compromise the unobservability of those points without authentication, and what knowledge of the system dynamics or the control mechanism of the system might actually be reconstructed by the attacker. One also has to consider the actuation points of the system, and ponder the least number of such actuation points the attacker has to take over in order to disrupt the dynamics of the system enough to create considerable damage. One has to envision how to obfuscate the dynamics of the system even when certain sensing or actuation points are compromised. A further complication arises because it is known that a large percentage of attacks are induced by inside attackers. Thus perimeter defense alone cannot defend the system. In such cases, the question one is confronted with is whether there is enough indication of an ongoing attack in the dynamics of the system itself.

This approach of viewing the system from an adversarial position requires one to turn the design paradigm on its head: we will need to build models from data, and not just generate data from models. The designer has to observe a system in action, even through partial observations, construct a model close enough to the real system model, and then use the partial access to create damage to the system, because the approximate model allows her to do so. Almost like a schizophrenic duality, the engineer also has to wear the designer's hat, and consider a game in which the observations are obfuscated enough to render it impossible for an attacker to build any useful model to induce clever attacks. The designer has to worry whether she can construct a dynamics from unobfuscated observations quickly enough so that the difference between the expected dynamics and the real dynamics can trigger alarms to alert the system administrators.

In this tutorial, we will discuss how game theory, machine learning, and other algorithmic techniques are being used in studying threat models and mitigation techniques for CPS. We will also briefly talk about VSCADA, a virtual distributed SCADA lab we created for modeling SCADA systems for critical infrastructures, and how to use such a virtual lab, completely implemented in simulation, to achieve the cyber security and cyber defense objectives of critical infrastructures through attack injections, attack detection, and experiments on new defense mechanisms. We will also discuss a co-simulation tool that co-simulates a physical system and a cyber system in order to experiment with cyber security issues in critical infrastructures.

2016 29th International Conference on VLSI Design and 2016 15th International Conference on Embedded Systems. 978-1-4673-8700-2/16 $31.00 © 2016 IEEE. DOI 10.1109/VLSID.2016.153
Similar resources
Cyber Threats Foresight Against Iran Based on Attack Vector
Cyber threats have increased extraordinarily in recent years. Cyber attackers, including government agencies or hackers, have made significant advances in the use of various tools for attacking target systems in some countries, particularly the Islamic Republic of Iran. The complexity of cyber threats and their devastating effects on critical systems highlight the necessity of cyber thr...
Cyber-Physical Testbeds: Scientific Instruments for Cyber Security Assessment of Critical Infrastructures
Modern societies depend to a large degree on the quality and reliability of the services that Networked Critical Infrastructures (NCIs) provide. Physical infrastructures, such as transportation systems, the electricity grid, and telecommunication networks, provide fundamental services for the smooth functioning of the economy and for the lives of citizens. Therefore, accidental or intentional f...
Cyber-Physical Control Systems: Vulnerabilities, Threats, and Mitigations
Cyber-Physical Systems (CPS) are yielding novel problems and solutions for security researchers. CPSs connect computerized controllers and human supervisors with physical systems used in the energy, transportation, water, manufacturing, and other sectors. A recent and well-known attack is the Stuxnet computer worm [1], which targeted Siemens industrial software used to control nuclear fuel proc...
Cyber Security of Safety-critical Infrastructures: a Case Study for Nuclear Facilities
Computers have become crucial to the operations of government and business. Critical infrastructure protection policy has evolved since the mid-1990’s. Since 11 September 2001, the critical link between cyberspace and physical space has been increasingly recognized. Presently, critical infrastructure sectors face various cyber threats. In particular, the electrical power infrastructure is the m...
Security Evaluation of Cyber-Physical Systems in Society-Critical Internet of Things
In this paper, we present an evaluation of the security awareness of developers and users of cyber-physical systems. Our study includes interviews, workshops, surveys and one practical evaluation. We conducted 15 interviews and a survey with 55 respondents coming primarily from industry. Furthermore, we performed a practical evaluation of the current state of practice for a society-critical applicat...
Publication date: 2016