AH
A.M. Herdeiro Teixeira
info
Please Note
<p>This page displays the records of the person named above and is not linked to a unique person identifier. This record may need to be merged to a profile.</p>
16 records found
1
Co-simulation for Cyber Security Analysis
Data Attacks against Energy Management System
It is challenging to assess the vulnerability of a cyber-physical power system to data attacks from an integral perspective. In order to support vulnerability assessment except analytic analysis, suitable platform for security tests needs to be developed. In this paper we analyze the cyber security of energy management system (EMS) against data attacks. First we extend our analytic framework that characterizes data attacks as optimization problems with the objectives specified as security metrics and constraints corresponding to the communication network properties. Second, we build a platform in the form of co-simulation - coupling the power system simulator DIgSILENT PowerFactory with communication network simulator OMNeT++, and Matlab for EMS applications (state estimation, optimal power flow). Then the framework is used to conduct attack simulations on the co-simulation based platform for a power grid test case. The results indicate how vulnerable of EMS to data attacks and how co-simulation can help assess vulnerability.
...
It is challenging to assess the vulnerability of a cyber-physical power system to data attacks from an integral perspective. In order to support vulnerability assessment except analytic analysis, suitable platform for security tests needs to be developed. In this paper we analyze the cyber security of energy management system (EMS) against data attacks. First we extend our analytic framework that characterizes data attacks as optimization problems with the objectives specified as security metrics and constraints corresponding to the communication network properties. Second, we build a platform in the form of co-simulation - coupling the power system simulator DIgSILENT PowerFactory with communication network simulator OMNeT++, and Matlab for EMS applications (state estimation, optimal power flow). Then the framework is used to conduct attack simulations on the co-simulation based platform for a power grid test case. The results indicate how vulnerable of EMS to data attacks and how co-simulation can help assess vulnerability.
Conference paper
(2017)
-
Saba Chockalingam, Wolter Pieters, André Herdeiro Teixeira, Pieter van Gelder
Bayesian Networks (BNs) are an increasingly popular modelling technique in cyber security especially due to their capability to overcome data limitations. This is also instantiated by the growth of BN models development in cyber security. However, a comprehensive comparison and analysis of these models is missing. In this paper, we conduct a systematic review of the scientific literature and identify 17 standard BN models in cyber security. We analyse these models based on 9 different criteria and identify important patterns in the use of these models. A key outcome is that standard BNs are noticeably used for problems especially associated with malicious insiders. This study points out the core range of problems that were tackled using standard BN models in cyber security, and illuminates key research gaps.
...
Bayesian Networks (BNs) are an increasingly popular modelling technique in cyber security especially due to their capability to overcome data limitations. This is also instantiated by the growth of BN models development in cyber security. However, a comprehensive comparison and analysis of these models is missing. In this paper, we conduct a systematic review of the scientific literature and identify 17 standard BN models in cyber security. We analyse these models based on 9 different criteria and identify important patterns in the use of these models. A key outcome is that standard BNs are noticeably used for problems especially associated with malicious insiders. This study points out the core range of problems that were tackled using standard BN models in cyber security, and illuminates key research gaps.
Low-voltage distribution grids experience a rising penetration of inverter-based, distributed generation. In order to not only contribute to but also solve voltage problems, these inverters are increasingly asked to participate in intelligent grid controls. Communicating inverters implement distributed voltage droop controls. The impact of cyber-attacks to the stability of such distributed grid controls is poorly researched and therefore addressed in this article. We characterize the potential impact of several attack scenarios by employing the positivity and diagonal dominance properties. In particular, we discuss measurement falsification scenarios where the attacker corrupts voltage measurement data received by the voltage droop controllers. Analytical, control-theoretic methods for assessing the impact on system stability and voltage magnitude are presented and validated via simulation.
...
Low-voltage distribution grids experience a rising penetration of inverter-based, distributed generation. In order to not only contribute to but also solve voltage problems, these inverters are increasingly asked to participate in intelligent grid controls. Communicating inverters implement distributed voltage droop controls. The impact of cyber-attacks to the stability of such distributed grid controls is poorly researched and therefore addressed in this article. We characterize the potential impact of several attack scenarios by employing the positivity and diagonal dominance properties. In particular, we discuss measurement falsification scenarios where the attacker corrupts voltage measurement data received by the voltage droop controllers. Analytical, control-theoretic methods for assessing the impact on system stability and voltage magnitude are presented and validated via simulation.
We introduce a model of estimation in the presence of strategic, self-interested sensors. We employ a game-Theoretic setup to model the interaction between the sensors and the receiver. The cost function of the receiver is equal to the estimation error variance while the cost function of the sensor contains an extra term which is determined by its private information. We start by the single sensor case in which the receiver has access to a noisy but honest side information in addition to the message transmitted by a strategic sensor. We study both static and dynamic estimation problems. For both these problems, we characterize a family of equilibria in which the sensor and the receiver employ simple strategies. Interestingly, for the dynamic estimation problem, we find an equilibrium for which the strategic sensor uses a memory-less policy. We generalize the static estimation setup to multiple sensors with synchronous communication structure (i.e., all the sensors transmit their messages simultaneously). We prove the maybe surprising fact that, for the constructed equilibrium in affine strategies, the estimation quality degrades as the number of sensors increases. However, if the sensors are herding (i.e., copying each other policies), the quality of the receiver's estimation improves as the number of sensors increases. Finally, we consider the asynchronous communication structure (i.e., the sensors transmit their messages sequentially).
...
We introduce a model of estimation in the presence of strategic, self-interested sensors. We employ a game-Theoretic setup to model the interaction between the sensors and the receiver. The cost function of the receiver is equal to the estimation error variance while the cost function of the sensor contains an extra term which is determined by its private information. We start by the single sensor case in which the receiver has access to a noisy but honest side information in addition to the message transmitted by a strategic sensor. We study both static and dynamic estimation problems. For both these problems, we characterize a family of equilibria in which the sensor and the receiver employ simple strategies. Interestingly, for the dynamic estimation problem, we find an equilibrium for which the strategic sensor uses a memory-less policy. We generalize the static estimation setup to multiple sensors with synchronous communication structure (i.e., all the sensors transmit their messages simultaneously). We prove the maybe surprising fact that, for the constructed equilibrium in affine strategies, the estimation quality degrades as the number of sensors increases. However, if the sensors are herding (i.e., copying each other policies), the quality of the receiver's estimation improves as the number of sensors increases. Finally, we consider the asynchronous communication structure (i.e., the sensors transmit their messages sequentially).
Cyber Security of Intelligent Power Grids
Vulnerability and Impact Assessment for Combined Data Attacks
This work introduces combined data integrity and availability attacks to expand the attack scenarios against intelligent power grids. We propose security metrics that quantify vulnerability of power grids to combined data attacks under both power system models and communication models. The security metrics can be formulated as optimization problems. The relation between the security metrics of combined data attacks and pure data integrity attacks will be analyzed. Furthermore, co-simulation techniques will be employed to measure consequences of combined data attacks.
...
This work introduces combined data integrity and availability attacks to expand the attack scenarios against intelligent power grids. We propose security metrics that quantify vulnerability of power grids to combined data attacks under both power system models and communication models. The security metrics can be formulated as optimization problems. The relation between the security metrics of combined data attacks and pure data integrity attacks will be analyzed. Furthermore, co-simulation techniques will be employed to measure consequences of combined data attacks.
Data Attacks on Power System State Estimation
Limited Adversarial Knowledge vs. Limited Attack Resources
It has shown that with perfect knowledge of the system model and the capability to manipulate a certain number of measurements, the false data injection (FDI) attacks, as a class of data integrity attacks, can coordinate measurements corruption to keep stealth against the bad data detection schemes. However, a more realistic attack is essentially an attack with limited adversarial knowledge of the system model and limited attack resources due to various reasons. In this paper, we generalize the data attacks that they can be pure FDI attacks or combined with availability attacks (e.g., DoS attacks) and analyze the attacks with limited adversarial knowledge or limited attack resources. The attack impact is evaluated by the proposed metrics and the detection probability of attacks is calculated using the distribution property of data with or without attacks. The analysis is supported with results from a power system use case. The results show how important the knowledge is to the attacker and which measurements are more vulnerable to attacks
with limited resources.
...
with limited resources.
...
It has shown that with perfect knowledge of the system model and the capability to manipulate a certain number of measurements, the false data injection (FDI) attacks, as a class of data integrity attacks, can coordinate measurements corruption to keep stealth against the bad data detection schemes. However, a more realistic attack is essentially an attack with limited adversarial knowledge of the system model and limited attack resources due to various reasons. In this paper, we generalize the data attacks that they can be pure FDI attacks or combined with availability attacks (e.g., DoS attacks) and analyze the attacks with limited adversarial knowledge or limited attack resources. The attack impact is evaluated by the proposed metrics and the detection probability of attacks is calculated using the distribution property of data with or without attacks. The analysis is supported with results from a power system use case. The results show how important the knowledge is to the attacker and which measurements are more vulnerable to attacks
with limited resources.
with limited resources.
In this paper, we address the problem of distributed reconfiguration of networked control systems upon the removal of misbehaving sensors and actuators. In particular, we consider systems with redundant sensors and actuators cooperating to recover from faults. Reconfiguration is performed while minimizing a steady-state estimation error covariance and a quadratic control cost. A model-matching condition is imposed on the reconfiguration scheme. It is shown that the reconfiguration and its underlying computation can be distributed. Using an average dwell-time approach, the stability of the distributed reconfiguration scheme under finite-time termination is analyzed. The approach is illustrated in a numerical example.
...
In this paper, we address the problem of distributed reconfiguration of networked control systems upon the removal of misbehaving sensors and actuators. In particular, we consider systems with redundant sensors and actuators cooperating to recover from faults. Reconfiguration is performed while minimizing a steady-state estimation error covariance and a quadratic control cost. A model-matching condition is imposed on the reconfiguration scheme. It is shown that the reconfiguration and its underlying computation can be distributed. Using an average dwell-time approach, the stability of the distributed reconfiguration scheme under finite-time termination is analyzed. The approach is illustrated in a numerical example.
This paper addresses the detection and isolation of replay attacks on sensor measurements. As opposed to previously proposed additive watermarking, we propose a multiplicative watermarking scheme, where each sensor's output is separately watermarked by being fed to a SISO watermark generator. Additionally, a set of equalizing filters is placed at the controller's side, which reconstructs the original output signals from the received watermarked data. We show that the proposed scheme has several advantages over existing approaches: it has no detrimental effects on the closed-loop performance in the absence of attacks; it can be designed in a modular fashion, independently of the design of the controller and anomaly detector; it facilitates the detection of replay attacks and the isolation of the time at which the replayed data was recorded. These properties are discussed in detail and the results are illustrated through a numerical example.
...
This paper addresses the detection and isolation of replay attacks on sensor measurements. As opposed to previously proposed additive watermarking, we propose a multiplicative watermarking scheme, where each sensor's output is separately watermarked by being fed to a SISO watermark generator. Additionally, a set of equalizing filters is placed at the controller's side, which reconstructs the original output signals from the received watermarked data. We show that the proposed scheme has several advantages over existing approaches: it has no detrimental effects on the closed-loop performance in the absence of attacks; it can be designed in a modular fashion, independently of the design of the controller and anomaly detector; it facilitates the detection of replay attacks and the isolation of the time at which the replayed data was recorded. These properties are discussed in detail and the results are illustrated through a numerical example.
In networked control systems, leveraging the peculiarities of the cyber-physical domains and their interactions may lead to novel detection and defense mechanisms against malicious cyber-attacks. In this paper, we propose a multiplicative sensor watermarking scheme, where each sensor's output is separately watermarked by a Single Input Single Output (SISO) filter. Hence, such scheme does not require communication between multiple sensors, but can still lead to detection and isolation of malicious cyber-attacks. In particular, we analyze the benefits of the proposed watermarking scheme for two attack scenarios: The physical sensor re-routing attack and the cyber measurement re-routing one. For each attack scenario, detectability and isolability properties are analyzed with and without the proposed watermarking scheme and we show how the watermarking scheme can be leveraged to detect cyber sensor routing attacks. In order to detect compromised sensors, we design an observer-based detector with a robust adaptive threshold. Additionally, we identify the sensors involved in the re-routing attacks by means of a tailored Recursive Least Squares parameter estimation algorithm. The results are illustrated through a numerical example.
...
In networked control systems, leveraging the peculiarities of the cyber-physical domains and their interactions may lead to novel detection and defense mechanisms against malicious cyber-attacks. In this paper, we propose a multiplicative sensor watermarking scheme, where each sensor's output is separately watermarked by a Single Input Single Output (SISO) filter. Hence, such scheme does not require communication between multiple sensors, but can still lead to detection and isolation of malicious cyber-attacks. In particular, we analyze the benefits of the proposed watermarking scheme for two attack scenarios: The physical sensor re-routing attack and the cyber measurement re-routing one. For each attack scenario, detectability and isolability properties are analyzed with and without the proposed watermarking scheme and we show how the watermarking scheme can be leveraged to detect cyber sensor routing attacks. In order to detect compromised sensors, we design an observer-based detector with a robust adaptive threshold. Additionally, we identify the sensors involved in the re-routing attacks by means of a tailored Recursive Least Squares parameter estimation algorithm. The results are illustrated through a numerical example.
Cybersecurity as a Politikum
Implications of Security Discourses for Infrastructures
In the cybersecurity community it is common to think of security as a design feature for systems and infrastructures that may be difficult to balance with other requirements. What is less studied is how security requirements come about, for which reasons, and what their influence is on the actions the system facilitates. Security is for example often used as an argument for or against granting access rights that are of importance to stakeholders, such as in the discussion on counterterrorism and privacy. This paper argues that the ongoing politicization of security issues calls for a paradigm to study cybersecurity as a Politikum: a matter of political concern, embedded in existing and future infrastructures. We summarize literature which inspired this paper and explain the role of security arguments for infrastructure governance. Then we outline the new paradigm and its core concepts and contribution, including the notion of framing. Finally, we present discourse analysis and infrastructure ethnography as research methods and discuss cases in which discourses (may) shape infrastructures, in particular smart cities.
...
In the cybersecurity community it is common to think of security as a design feature for systems and infrastructures that may be difficult to balance with other requirements. What is less studied is how security requirements come about, for which reasons, and what their influence is on the actions the system facilitates. Security is for example often used as an argument for or against granting access rights that are of importance to stakeholders, such as in the discussion on counterterrorism and privacy. This paper argues that the ongoing politicization of security issues calls for a paradigm to study cybersecurity as a Politikum: a matter of political concern, embedded in existing and future infrastructures. We summarize literature which inspired this paper and explain the role of security arguments for infrastructure governance. Then we outline the new paradigm and its core concepts and contribution, including the notion of framing. Finally, we present discourse analysis and infrastructure ethnography as research methods and discuss cases in which discourses (may) shape infrastructures, in particular smart cities.
Conference paper
(2016)
-
Saba Chockalingam, Dina Hadziosmanovic, Wolter Pieters, André Herdeiro Teixeira, Pieter van Gelder
Over the last years, we have seen several security incidents that compromised system safety, of which some caused physical harm to people. Meanwhile, various risk assessment methods have been developed that integrate safety and security, and these could help to address the corresponding threats by implementing suitable risk treatment plans. However, an overarching overview of these methods, systematizing the characteristics of such methods, is missing. In this paper, we conduct a systematic literature review, and identify 7 integrated safety and security risk assessment methods. We analyze these methods based on 5 different criteria, and identify key characteristics and applications. A key outcome is the distinction between sequential and non-sequential integration of safety and security, related to the order in which safety and security risks are assessed. This study provides a basis for developing more effective integrated safety and security risk assessment methods in the future.
...
Over the last years, we have seen several security incidents that compromised system safety, of which some caused physical harm to people. Meanwhile, various risk assessment methods have been developed that integrate safety and security, and these could help to address the corresponding threats by implementing suitable risk treatment plans. However, an overarching overview of these methods, systematizing the characteristics of such methods, is missing. In this paper, we conduct a systematic literature review, and identify 7 integrated safety and security risk assessment methods. We analyze these methods based on 5 different criteria, and identify key characteristics and applications. A key outcome is the distinction between sequential and non-sequential integration of safety and security, related to the order in which safety and security risks are assessed. This study provides a basis for developing more effective integrated safety and security risk assessment methods in the future.
Conference paper
(2016)
-
Yuxin Wang, Yifu Tian, André Herdeiro Teixeira, Joris Hulstijn, Yao-hua Tan
Currently international supply chains are facing risks concerning faults in compliance, such as altering shipping documentations, fictitious inventory, and inter-company manipulations. In this paper a method to detect and diagnose fault scenarios regarding customs compliance in supply chains is proposed. This method forms part of a general approach called model-based auditing, which is based on a normative meta-model of the movement of money and goods or services. The modeling framework is proposed on compliance monitoring of supply chains with focus on information systems and compliance reporting tools. The innovation lies in the application and mapping of modeling techniques from dynamical systems engineering to business process analysis for audit and supervision purposes. Specifically, the application domain is where money, goods as well as information are transferred between international supply chain partners. A case study of a leading company in electronics manufacturing applying the model is analyzed.
...
Currently international supply chains are facing risks concerning faults in compliance, such as altering shipping documentations, fictitious inventory, and inter-company manipulations. In this paper a method to detect and diagnose fault scenarios regarding customs compliance in supply chains is proposed. This method forms part of a general approach called model-based auditing, which is based on a normative meta-model of the movement of money and goods or services. The modeling framework is proposed on compliance monitoring of supply chains with focus on information systems and compliance reporting tools. The innovation lies in the application and mapping of modeling techniques from dynamical systems engineering to business process analysis for audit and supervision purposes. Specifically, the application domain is where money, goods as well as information are transferred between international supply chain partners. A case study of a leading company in electronics manufacturing applying the model is analyzed.
In this paper, we investigate detectability and identifiability of attacks on linear dynamical systems that are subjected to external disturbances. We generalize a concept for a security index, which was previously introduced for static systems. The index exactly quantifies the resources necessary for targeted attacks to be undetectable and unidentifiable in the presence of disturbances. This information is useful for both risk assessment and for the design of anomaly detectors. Finally, we show how techniques from the fault detection literature can be used to decouple disturbances and to identify attacks, under certain sparsity constraints.
...
In this paper, we investigate detectability and identifiability of attacks on linear dynamical systems that are subjected to external disturbances. We generalize a concept for a security index, which was previously introduced for static systems. The index exactly quantifies the resources necessary for targeted attacks to be undetectable and unidentifiable in the presence of disturbances. This information is useful for both risk assessment and for the design of anomaly detectors. Finally, we show how techniques from the fault detection literature can be used to decouple disturbances and to identify attacks, under certain sparsity constraints.
This paper introduces combined data integrity and availability attacks to expand the attack scenarios against power system state estimation. The goal of the adversary, who uses the combined attack, is to perturb the state estimates while remaining hidden from the observer. We propose security metrics that quantify vulnerability of power grids to combined data attacks under single and multi-path routing communication models. In order to evaluate the proposed security metrics, we formulate them as mixed integer linear programming (MILP) problems. The relation between the security metrics of combined data attacks and pure data integrity attacks is analyzed, based on which we show that, when data availability and data integrity attacks have the same cost, the two metrics coincide. When data availability attacks have a lower cost than data integrity attacks, we show that a combined data attack could be executed with less attack resources compared to pure data integrity attacks. Furthermore, it is shown that combined data attacks would bypass integrity-focused mitigation schemes. These conclusions are supported by the results obtained on a power system model with and without a communication model with single or multi-path routing.
...
This paper introduces combined data integrity and availability attacks to expand the attack scenarios against power system state estimation. The goal of the adversary, who uses the combined attack, is to perturb the state estimates while remaining hidden from the observer. We propose security metrics that quantify vulnerability of power grids to combined data attacks under single and multi-path routing communication models. In order to evaluate the proposed security metrics, we formulate them as mixed integer linear programming (MILP) problems. The relation between the security metrics of combined data attacks and pure data integrity attacks is analyzed, based on which we show that, when data availability and data integrity attacks have the same cost, the two metrics coincide. When data availability attacks have a lower cost than data integrity attacks, we show that a combined data attack could be executed with less attack resources compared to pure data integrity attacks. Furthermore, it is shown that combined data attacks would bypass integrity-focused mitigation schemes. These conclusions are supported by the results obtained on a power system model with and without a communication model with single or multi-path routing.
Conference paper
(2016)
-
Kaveh Paridari, Alie El Din Mady, Silvio La Porta, Rohan Chabukswar, Jacobo Blanco, A.M. Herdeiro Teixeira, Henrik Sandberg, Menouer Boubekeur
Energy management systems (EMS) are used to control energy usage in buildings and campuses, by employing technologies such as supervisory control and data acquisition (SCADA) and building management systems (BMS), in order to provide reliable energy supply and maximise user comfort while minimising energy usage. Historically, EMS systems were installed when potential security threats were only physical. Nowadays, EMS systems are connected to the building network and as a result directly to the outside world. This extends the attack surface to potential sophisticated cyber-attacks, which adversely impact EMS operation, resulting in service interruption and downstream financial implications. Currently, the security systems that detect attacks operate independently to those which deploy resiliency policies and use very basic methods. We propose a novel EMS cyber-physical-security framework that executes a resilient policy whenever an attack is detected using security analytics. In this framework, both the resilient policy and the security analytics are driven by EMS data, where the physical correlations between the data-points are identified to detect outliers and then the control loop is closed using an estimated value in place of the outlier. The framework has been tested using a reduced order model of a real EMS site.
...
Energy management systems (EMS) are used to control energy usage in buildings and campuses, by employing technologies such as supervisory control and data acquisition (SCADA) and building management systems (BMS), in order to provide reliable energy supply and maximise user comfort while minimising energy usage. Historically, EMS systems were installed when potential security threats were only physical. Nowadays, EMS systems are connected to the building network and as a result directly to the outside world. This extends the attack surface to potential sophisticated cyber-attacks, which adversely impact EMS operation, resulting in service interruption and downstream financial implications. Currently, the security systems that detect attacks operate independently to those which deploy resiliency policies and use very basic methods. We propose a novel EMS cyber-physical-security framework that executes a resilient policy whenever an attack is detected using security analytics. In this framework, both the resilient policy and the security analytics are driven by EMS data, where the physical correlations between the data-points are identified to detect outliers and then the control loop is closed using an estimated value in place of the outlier. The framework has been tested using a reduced order model of a real EMS site.