Network Security Games
Saurabh Amin
Massachusetts Institute of Technology
ACCESS-FORCES CPS workshop KTH, October 26-27, 2015
Amin (MIT) FORCES October 26, 2015 1 / 46

FORCES
National Science Foundation (NSF) sponsored CPS Frontiers project
Claire Tomlin, Dawn Song, Galina Schwartz, Alexandre Bayen, Ian Hiskens, Asuman Ozdaglar, Xenofon Koutsoukos, Shankar Sastry, Hamsa Balakrishnan, Demosthenis Teneketzis, Gabor Karsai, Saurabh Amin, Janos Sztipanovits
[Figure labels: Threat assessment & diagnostics; Incentive theory; Robust networked control; Inter-dependent risks; Mechanism design; System–Security co-design]
Collaborative Research: MIT, UC Berkeley, UMich, Vanderbilt University

FORCES motivation: Resilient CPS
Attributes
1. Functional correctness by design
2. Robustness to reliability failures (faults)
3. Survivability against security failures (attacks)
Tools [Traditionally disjoint]
◮ Resilient Control (RC) over sensor-actuator networks
◮ Economic Incentives (EI) to influence strategic interaction of individuals within systemic societal institutions
[Figure label: Cyber-Physical Systems (CPS)]

Reliability failures
Local disruptions to cascading failures (blackouts)
weather events ⇒ limited situational awareness ⇒ inadequate operator response ⇒ network failures

Security failures: cyber-attacks & Stuxnet
◮ Los Angeles traffic control (2008)
◮ Maroochy Shire sewage plant (2000)
◮ Tehama Colusa canal system (2007)
◮ Cal-ISO system computers (2007)

Failures in CPS
◮ Simultaneous faults [reliability failures]
    ◮ Common-mode failures
    ◮ Random failures due to nature
    ◮ Operator errors
◮ Simultaneous attacks [security failures]
    ◮ Targeted cyber-attacks
    ◮ Non-targeted cyber-attacks
    ◮ Coordinated physical attacks
◮ Cascading failures
    ◮ Failure of nodes in one subnet ⇒ progressive failures in other subnets
Observation #1: Due to cyber-physical interactions, it is extremely difficult to distinguish reliability & security failures using imperfect diagnostic information.

Operations and control of CPS
◮ Multi-agent systems (e.g., infrastructure control systems with multiple entities)
◮ Agents have different information about CPS (both private and public uncertainties)
◮ Agents are strategic and have different objectives
◮ Need to coordinate or influence the agents’ strategies so as to maximize the CPS’ utility to its users
Observation #2: Asymmetric information and strategic behavior are key features of CPS.

Robust Control (RC) and Economic Incentives (EI)
Separation of RC and EI is not suited for CPS resilience
RC tools
◮ Threat assessment & detection
◮ Fault-tolerant networked control
◮ Real-time / predictive response
◮ Fundamental limits of defenses
EI tools
◮ Incentive theory for resilience
◮ Mechanisms to align individually optimal allocations with socially optimum ones
◮ Interdependent risk assessment
[Figure labels: Reliability and Security Risk Management; Internet; Diagnosis, Response, and Reconfiguration; Control Network; Detection and Regulation; Sensor Actuator Network; Physical Infrastructures (Electric Power, Buildings, Water & Gas, Transportation); Attacks, Defenses, Faults]

FORCES research plan: hierarchical approach
Upper layer
◮ How the collection of CPS’s agents deals with external strategic adversary(-ies)
◮ Network games that model both security failures and reliability failures
Middle layer
◮ How strategic agents contribute to CPS efficiency and safety, while protecting their conflicting individual objectives
◮ Joint stochastic control and incentive-theoretic design, coupled with the outcome of the upper layer game
Lower layer
◮ Control at each individual agent’s site.
[Figure: hierarchy of upper, middle and lower layers; lower layer labeled Local Control / Control Theory]

This talk: Upper hierarchical layer
Game with security failures
Game played on a graph representing the topological structure of CPS
◮ Attacker: Strategic adversary
◮ Defender: CPS network designer
[Figure: hierarchy of upper, middle and lower layers; lower layer labeled Local Control / Control Theory]

Related work
Control of networks
◮ S. Low, N. Li, J. Lavaei: Distributed control and optimization
◮ F. Bullo, F. Dörfler: Distributed control, oscillations, microgrids
◮ P. Khargonekar, K. Poolla, P. Varaiya: Selling random wind
◮ K. Turitsyn, I. Hiskens: Distributed optimal VAR control
Resilience and security of networked systems
◮ H. Sandberg, K. Johansson: Secure control, networked control
◮ R. Baldick, K. Wood, D. Bienstock: Network Interdiction, Cascades
◮ T. Başar, C. Langbort: Network security games
◮ J. Baras: Network security games and trust

Outline: Network security games (upper layer)
1. Distribution network control under node disruptions
2. Network flow routing under link disruptions
Devendra Shelar, Mathieu Dahan

Model of DER disruptions
◮ Hack substation communications
    Vulnerability(-ies) published by EPRI
◮ Introduce incorrect set-points and disrupt DERs
◮ Create supply-demand mismatch
◮ Cause voltage & freq. violations
◮ Induce cascading failures
[Figure labels: Generation; Transmission lines; Substation; Distribution lines; Control Central; Typical communication; New communication requirements]

Main questions
When malicious entities (or random failures) compromise DERs/PVs:
◮ How to perform security threat assessment of distribution networks under DER/PV disruptions?
◮ How to design decentralized defender (network operator) strategies?
[Figure: numbered distribution network diagram marking nodes with PVs, critical nodes, the substation and the control center]

Attacker-defender interaction
Stackelberg game model (bilevel optimization)
◮ Leader: Attacker compromises a subset of DERs/PVs;
◮ Follower: Defender response via network control.
Problem statement:
◮ Determine worst-case attack plan (compromise DERs/PVs) to induce:
    ◮ loss of voltage regulation
    ◮ loss due to load shedding
    ◮ loss of frequency regulation [esp., for large PV installations]
◮ Best defender response (reactive control):
    ◮ Non-compromised DERs provide active and reactive power (VAR)
    ◮ Load control: demand at consumption nodes may be partly satisfied

Network model
Tree networks
◮ $G = (N, E)$ - tree network of nodes and edges
◮ $\nu_i = |V_i|^2$ - square of voltage magnitude at node $i$
◮ $\ell_{ij} = |I_{ij}|^2$ - square of current magnitude from node $i$ to $j$
◮ $z_{ij} = r_{ij} + \mathbf{j} x_{ij}$ - impedance on line $(i, j)$
◮ $P_{ij}, Q_{ij}$ - real and reactive power from node $i$ to node $j$
◮ $S_{ij} = P_{ij} + \mathbf{j} Q_{ij}$ - complex power flowing on line $(i, j) \in E$
[Figure: tree network with node voltages $V_0, V_i, V_j, V_k, V_l, V_y, V_z$ and line flows $P_{01}, Q_{01}$; $P_{ij}, Q_{ij}$; $P_{ik}, Q_{ik}$; $P_y, Q_y$]
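
The leader-follower threat assessment described on the two slides above, as an added example that is not from the talk: every attack plan of at most k DERs is enumerated and the defender's best load-shedding response is computed for each. The 4-node feeder, the loss weights, the single shedding fraction as the defender's only control, and the linearized (LinDistFlow) voltage drop are all assumptions made for illustration; only under-voltage is penalized.

```python
from itertools import combinations

# Constructed 4-node tree feeder (node 0 = substation); all values per-unit, illustrative.
PARENT = {1: 0, 2: 1, 3: 2, 4: 1}            # child -> parent, child index > parent index
Z = {i: 0.02 + 0.04j for i in PARENT}        # z_ij = r_ij + j x_ij on the line into node i
LOAD = {1: 0.2 + 0.1j, 2: 0.3 + 0.1j, 3: 0.4 + 0.2j, 4: 0.3 + 0.1j}
PV = {2: 0.3 + 0.1j, 3: 0.4 + 0.2j, 4: 0.3 + 0.1j}   # DER active + reactive supply
NU0, NU_MIN = 1.0, 0.95 ** 2                 # nu_0 and assumed lower bound on nu_i
W_VOLT, C_SHED = 100.0, 1.0                  # assumed loss weights
GAMMAS = [i / 20 for i in range(21)]         # defender's load-shedding fractions

def voltages(attacked, gamma):
    """nu_i under the LinDistFlow approximation (an assumption, not from the slides)."""
    # Net complex demand per node; a compromised DER supplies nothing.
    S = {i: (1 - gamma) * LOAD[i] - (0 if i in attacked else PV.get(i, 0))
         for i in PARENT}
    for i in sorted(PARENT, reverse=True):   # leaves first: S[i] becomes the flow into i
        if PARENT[i] != 0:
            S[PARENT[i]] += S[i]
    nu = {0: NU0}
    for i in sorted(PARENT):                 # root first: nu_j = nu_i - 2(r P + x Q)
        nu[i] = nu[PARENT[i]] - 2 * (Z[i].conjugate() * S[i]).real
    return nu

def defender_loss(attacked, gamma):
    """Loss of voltage regulation plus cost of shed load."""
    violation = max(0.0, NU_MIN - min(voltages(attacked, gamma).values()))
    shed = gamma * sum(s.real for s in LOAD.values())
    return W_VOLT * violation + C_SHED * shed

def best_response(attacked):
    """Follower: (loss, gamma) for the shedding fraction that minimizes loss."""
    return min((defender_loss(attacked, g), g) for g in GAMMAS)

def worst_attack(k):
    """Leader: (loss, gamma, plan) for the plan of at most k DERs with the highest best-response loss."""
    plans = [c for m in range(k + 1) for c in combinations(sorted(PV), m)]
    return max((best_response(set(c)) + (c,) for c in plans), key=lambda t: t[0])

if __name__ == "__main__":
    for k in (1, 2):
        loss, gamma, plan = worst_attack(k)
        print(f"k={k}: compromised DERs {plan}, shedding {gamma:.2f}, loss {loss:.3f}")
```

On this feeder the DER at the end of the longest branch is the critical node: it is the only single disruption that forces the operator to shed load.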