On the Role of Primary and Secondary Assets in Adaptive Security: An Application in Smart Grids

peer-reviewedAdaptive security aims to protect valuable assets managed by a system, by applying a varying set of security controls. Engineering adaptive security is not an easy task. A set of effective security countermeasures should be identified. These countermeasures should not only be applied to (primary) assets that customers desire to protect, but also to other (secondary) assets that can be exploited by attackers to harm the primary assets. Another challenge arises when assets vary dynamically at runtime. To accommodate these variabilities, it is necessary to monitor changes in assets, and apply the most appropriate countermeasures at runtime. The paper provides three main contributions for engineering adaptive security. First, it proposes a modeling notation to represent primary and secondary assets, along with their variability. Second, it describes how to use the extended models in engineering security requirements and designing required monitoring functions. Third, the paper illustrates our approach through a set of adaptive security scenarios in the customer domain of a smart grid. We suggest that modeling secondary assets aids the deployment of countermeasures, and, in combination with a representation of assets variability, facilitates the design of monitoring function

Security Evaluation of Cyber-Physical Systems in Society- Critical Internet of Things

In this paper, we present evaluation of security awareness of developers and users of cyber-physical systems. Our study includes interviews, workshops, surveys and one practical evaluation. We conducted 15 interviews and conducted survey with 55 respondents coming primarily from industry. Furthermore, we performed practical evaluation of current state of practice for a society-critical application, a commercial vehicle, and reconfirmed our findings discussing an attack vector for an off-line societycritical facility. More work is necessary to increase usage of security strategies, available methods, processes and standards. The security information, currently often insufficient, should be provided in the user manuals of products and services to protect system users. We confirmed it lately when we conducted an additional survey of users, with users feeling as left out in their quest for own security and privacy. Finally, hardware-related security questions begin to come up on the agenda, with a general increase of interest and awareness of hardware contribution to the overall cyber-physical security. At the end of this paper we discuss possible countermeasures for dealing with threats in infrastructures, highlighting the role of authorities in this quest

On the Impact of Wireless Jamming on the Distributed Secondary Microgrid Control

The secondary control in direct current microgrids (MGs) is used to restore the voltage deviations caused by the primary droop control, where the latter is implemented locally in each distributed generator and reacts to load variations. Numerous recent works propose to implement the secondary control in a distributed fashion, relying on a communication system to achieve consensus among MG units. This paper shows that, if the system is not designed to cope with adversary communication impairments, then a malicious attacker can apply a simple jamming of a few units of the MG and thus compromise the secondary MG control. Compared to other denial-of-service attacks that are oriented against the tertiary control, such as economic dispatch, the attack on the secondary control presented here can be more severe, as it disrupts the basic functionality of the MG

On Ladder Logic Bombs in Industrial Control Systems

In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques.Comment: 11 pages, 14 figures, 2 tables, 1 algorith

Subspace Methods for Data Attack on State Estimation: A Data Driven Approach

Data attacks on state estimation modify part of system measurements such that the tempered measurements cause incorrect system state estimates. Attack techniques proposed in the literature often require detailed knowledge of system parameters. Such information is difficult to acquire in practice. The subspace methods presented in this paper, on the other hand, learn the system operating subspace from measurements and launch attacks accordingly. Conditions for the existence of an unobservable subspace attack are obtained under the full and partial measurement models. Using the estimated system subspace, two attack strategies are presented. The first strategy aims to affect the system state directly by hiding the attack vector in the system subspace. The second strategy misleads the bad data detection mechanism so that data not under attack are removed. Performance of these attacks are evaluated using the IEEE 14-bus network and the IEEE 118-bus network.Comment: 12 page