
    Verifying Noninterference in a Cyber-Physical System: The Advanced Electric Power Grid

    The advanced electric power grid is a complex real-time system having both cyber and physical components. While each component may function correctly on its own, their composition may yield incorrectness due to interference. One specific type of interference is in the frequency domain: essentially, violations of the Nyquist rate. The challenge is to encode these signal-processing characteristics into a form that can be model checked. Verifying the correctness of the cyber-physical composition with model-checking techniques requires a model that can represent frequency interference. In this paper, RT-PROMELA was used to construct the model, which was checked in RT-SPIN. To reduce the state-explosion problem, the model was decomposed into multiple sub-models, each with a smaller state space that can be checked individually, and the resulting proofs were then checked for noninterference. Coordination among multiple clock variables, which lack a notion of urgency and interact asynchronously, is also addressed.

    Security Property Violation in CPS Through Timing

    Security in a cyber-physical system (CPS) is not well understood. Interactions between components in the cyber and physical domains lead to unintended information flow. This paper uses formal information flow models to describe leakage in a model CPS, the Cooperating FACTS Power System. Results show that while a casual observer cannot ascertain confidential internal information, once application semantics, including timing, are taken into account, this confidentiality is lost. Model checking is used to verify the result. The significance of the paper lies in showing an example of the complex interactions that occur between the cyber and physical domains and their impact on security.

    Information flow properties for cyber-physical systems

    In cyber-physical systems, which are the integrations of computational and physical processes, security properties are difficult to enforce. Fundamentally, physically observable behavior leads to violations of confidentiality. This work analyzes certain noninterference-based security properties to ensure that interactions between the cyber and physical processes preserve confidentiality. A considerable barrier to this analysis is the representation of physical system interactions at the cyber level. This thesis presents an encoding of these physical system properties into a discrete event system and represents the cyber-physical system using Security Process Algebra (SPA). The model checker Checker of Persistent Security (CoPS) is used to check Bisimulation-based NonDeducibility on Compositions (BNDC) properties, a variant of noninterference, against all potential high-level interactions. This work considers a model problem of invariant pipeline flow to examine the BNDC properties and their applicability to cyber-physical systems. --Abstract, page iii

    Verification of information flow security in cyber-physical systems

    With a growing number of real-world applications that are dependent on computation, securing the information space has become a challenge. The security of information in such applications is often jeopardized by software and hardware failures, intervention by human subjects such as attackers, incorrect design specification and implementation, and other social and natural causes. Since these applications are very diverse, often cutting across disciplines, a generic approach to detect and mitigate these issues is missing. This dissertation addresses the fundamental problem of verifying information security in a class of real-world applications of computation, cyber-physical systems (CPSs). One of the motivations for this work is the lack of a unified theory to specify and verify the complex interactions among the various cyber and physical processes within a CPS. The security of a system is fundamentally characterized by the way information flows within it. Information flow within a CPS depends on the physical response of the system and the associated cyber control. While formal techniques for verifying cyber security exist, they are not directly applicable to CPSs because of their inherent complexity and diversity. This Ph.D. research primarily focuses on developing a uniform framework, using the formal tools of process algebras, to verify security properties in CPSs. The merits of adopting such an approach for CPS analysis are threefold: i) the physical and continuous aspects and the complex CPS interactions can be modeled in a unified way; ii) the problem of verifying security properties can be reduced to the problem of establishing suitable equivalences among the processes; and iii) adversarial behavior and security properties can be developed using features such as compositionality and process equivalence offered by the process algebras. --Abstract, page iii

    Multiple security domain nondeducibility in cyber-physical systems

    Cyber-physical Systems (CPS) present special problems for security. This dissertation examines the cyber security problem, the physical security problem, the security problems that arise when cyber systems and physical systems are intertwined, and the problems presented by the fact that CPS leak information simply by being observed. The issues raised by applying traditional cyber security to CPS are explored and some of the shortcomings of these models are noted. Specific models of a "drive-by-wire" automobile connected to a roadside assistance network, a "Stuxnet type" attack, the smart grid, and others are presented in detail. The lack of good tools for CPS security is addressed in part by the introduction of a new model, Multiple Security Domains Nondeducibility over an Event System, or MSDND(ES). The drive-by-wire automobile is studied to show how MSDND(ES) applies to a system that traditional security models do not describe well. The issue of human trust in inherently vulnerable CPS with embedded cyber monitors is also explored. A Stuxnet type attack on a CPS is examined using both MSDND(ES) and Belief, Information acquisition, and Trust (BIT) logic to provide a clear and precise method for discussing issues of trust and belief in monitors and electronic reports. To demonstrate these techniques, the electrical smart grid as envisioned by the Future Renewable Electric Energy Delivery and Management Systems Center (FREEDM) project is also modeled. Areas that may lead to the development of additional tools are presented as possible future work to address the fact that CPS are different and require different models and tools to understand. --Abstract, page iii
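    The three abstracts above (timing-based leakage in the Cooperating FACTS system, BNDC, and MSDND(ES)) all rest on the same question: can a low-level observer, from the events it is allowed to see, rule out any of the confidential high-level behaviors? The toy below is an added example, not code from any of these theses. It implements the simple trace-based nondeducibility check (a simplification of BNDC and MSDND(ES), not their formal definitions) over a hypothetical event system: a controller coordinates a confidential number of devices before publishing one public report whose payload never changes. The plant, its tick costs and the link-delay set are assumptions chosen to show the timing channel, not the paper's FACTS model.

```python
"""Trace-based nondeducibility check for a toy cyber-physical event system.

Added example; the plant, timing constants and observer model are
assumptions chosen for illustration, not the Cooperating FACTS model.
"""

# An event is (time, name, payload); a trace is a tuple of events.
Event = tuple[int, str, str]
Trace = tuple[Event, ...]

HIGH_INPUTS = (0, 1, 2)     # assumed: number of extra devices the controller coordinates
NETWORK_DELAYS = (0, 1)     # assumed: nondeterministic link delay, in ticks
LOW_EVENTS = {"report"}     # event names visible to the low-level observer


def traces_for(secret: int) -> set[Trace]:
    """Every trace the toy system can produce for one high-level input.

    Coordinating each extra device costs one tick (assumed), so the
    public report is emitted later when the secret is larger, even
    though its payload is independent of the secret.
    """
    traces = set()
    for delay in NETWORK_DELAYS:
        t_cmd = 0
        t_done = t_cmd + 2 + secret          # 2 base ticks + 1 per device (assumed)
        t_report = t_done + delay
        traces.add((
            (t_cmd, "cmd", f"secret={secret}"),        # high-level, confidential
            (t_report, "report", "setpoint applied"),  # low-level, public
        ))
    return traces


def low_view(trace: Trace, with_timing: bool) -> tuple:
    """Project a trace onto what the low observer can see.

    Without timing the observer sees only (name, payload) pairs; with
    timing it also sees the tick at which each public event occurred.
    """
    seen = [e for e in trace if e[1] in LOW_EVENTS]
    if with_timing:
        return tuple(seen)
    return tuple((name, payload) for _, name, payload in seen)


def views_by_secret(with_timing: bool) -> dict[int, set[tuple]]:
    """Set of possible low views for each high-level input."""
    return {s: {low_view(t, with_timing) for t in traces_for(s)} for s in HIGH_INPUTS}


def consistent_secrets(views: dict[int, set[tuple]]) -> dict[tuple, frozenset[int]]:
    """For each possible low observation, the secrets it is consistent with."""
    all_views = set().union(*views.values())
    return {v: frozenset(s for s in HIGH_INPUTS if v in views[s]) for v in all_views}


def nondeducible(views: dict[int, set[tuple]]) -> bool:
    """Nondeducibility holds when every low observation is compatible with
    every high input, i.e. the observer can never exclude a secret."""
    return all(len(s) == len(HIGH_INPUTS) for s in consistent_secrets(views).values())


def leaked_observations(views: dict[int, set[tuple]]) -> dict[tuple, frozenset[int]]:
    """Observations that narrow the secret: the concrete leak, if any."""
    return {v: s for v, s in consistent_secrets(views).items() if len(s) < len(HIGH_INPUTS)}


if __name__ == "__main__":
    for timing in (False, True):
        v = views_by_secret(timing)
        print(f"timing visible={timing}: nondeducible={nondeducible(v)}")
        for obs, secrets in sorted(leaked_observations(v).items()):
            print("  observation", obs, "-> consistent secrets", sorted(secrets))
```

    Run stand-alone, the untimed view is nondeducible (every secret yields the same single report), while the timed view is not: a report at tick 2 is consistent only with secret 0 and one at tick 5 only with secret 2, and ticks 3 and 4 each still exclude one secret. This is the shape of the result the FACTS paper reports, where confidentiality survives a casual observer but not one who accounts for application timing.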

    Unified knowledge model for stability analysis in cyber physical systems

    The amalgamation and coordination of computational processes and physical components represent the very basis of cyber-physical systems. A diverse range of CPS challenges has been addressed through numerous workshops and conferences over the past decade. Finding a common semantics among these diverse components that promotes system synthesis, verification and monitoring is a significant challenge in the cyber-physical research domain. Computational correctness, network timing and frequency response are system aspects that conspire to impede design, verification and monitoring. The objective of cyber-physical research is to unify these diverse aspects by developing common semantics that span each aspect of a CPS. The work of this thesis revolves around the design of a typical smart-grid-type system with three PV sources built in PSCAD. A major part of the effort in this thesis is focused on studying the system's stability when subjected to load fluctuations from the PV side. The stability is primarily reflected in the frequency of the system's generator. The concept of droop control is analyzed, and the parameterization of the droop constant in the form of an invariant forms an essential part of the thesis, as it predicts system behavior and also keeps the system within its stable bounds. Extending the relationship between stability and frequency, the present study goes one step further in describing the transition of the system from stability to instability by means of an analysis using Lyapunov-like functions. Lyapunov-like functions are, for switched systems, a class of functions used to measure the stability of nonlinear systems. The use of Lyapunov-like functions to judge the stability of this system is tested and discussed in detail in this thesis, and simulation results are provided. --Abstract, page iii

    An Open Framework for Highly Concurrent Real-Time Hardware-in-the-Loop Simulation

    Hardware-in-the-loop (HIL) real-time simulation is becoming a significant tool in prototyping complex, highly available systems. The HIL approach permits testing of hardware prototypes of components that would be extremely costly or difficult to test in the deployed environment. In power system simulation, the key issues are the ability to wrap the systems of equations (such as partial differential equations) describing the deployed environment into real-time software models, to provide low synchronization overhead between the hardware and software, and to reduce reliance on proprietary platforms. This paper introduces an open source HIL simulation framework that can be ported to any standard Unix-like system on any shared-memory multiprocessor computer, requires minimal operating system scheduler controls, enables an asynchronous user interface, and allows for an arbitrary number of secondary control components. The framework is implemented in a soft real-time HIL simulation of a power transmission network with physical Flexible AC Transmission System (FACTS) devices. Performance results are given that demonstrate the low synchronization overhead of the framework.

    Cyber-Physical Robustness Enhancement Strategies for Demand Side Energy Systems

    An integrated Cyber-Physical System (CPS) realizes two-way communication between end users and power generation, in which customers are able to actively reshape their consumption profiles to improve the energy efficiency of the grid. However, large-scale deployment of distributed assets and advanced communication infrastructure also increases the risks to grid operation. This thesis aims to enhance the robustness of the entire demand-side system in a cyber-physical environment and to develop comprehensive strategies for outage energy management (i.e., community-level scheduling and appliance-level energy management), communications infrastructure development, and cybersecurity controls that counter virus attacks. All of these aspects improve the demand-side system's self-serve capability and operational robustness under extreme conditions and dangerous scenarios. The research contributing to this thesis builds a general scheme to enhance the robustness of the CPS demand-side energy system with respect to outages, communication network layouts, and virus intrusions. Under a system outage, two layers are used to maximize the duration of self-supplied power in extreme conditions. The study first proposes a resilient energy management system for residential communities (CEMS), which schedules and coordinates the battery energy storage system and the energy consumption of houses/units. It then proposes a hierarchical resilient energy management system (EMS) that fully considers appliance-level local scheduling. The method also takes customer satisfaction and lifestyle preferences into account in order to form the optimal outcome. To further enhance the robustness of the CPS, a multi-hop wireless remote metering network model for the communication layout on the CPS demand side is proposed. This reduces the number and locations of data centers on the demand side, and thereby the security risk of the communication and the infrastructure cost of the smart grid for residential energy management. A novel evolutionary aggregation algorithm (EAA) is proposed to obtain the minimum number and locations of the local data centers required to connect all smart meters. Finally, the potential for virus attacks is also studied. A trade-off strategy for confronting viruses in a system with numerous network nodes is proposed. The allocation of antivirus programs and schemes is studied to avoid system crashes and achieve the minimum potential damage. A DOWNHILL-TRADE OFF algorithm is proposed to derive an appropriate allocation strategy under the time evolution of the expected state of the network. Simulations are conducted using data from the Smart Grid, Smart City national demonstration project trials.

    An open framework for highly concurrent hardware-in-the-loop simulation

    Hardware-in-the-loop (HIL) simulation is becoming a significant tool in prototyping complex, highly available systems. The HIL approach allows an engineer to build a physical system incrementally by enabling real components of the system to seamlessly interface with simulated components. It also permits testing of hardware prototypes of components that would be extremely costly to test in the deployed environment. Key issues are the ability to wrap the systems of equations (such as Partial Differential Equations) describing the deployed environment into real-time software models, provide low synchronization overhead between the hardware and software, and reduce reliance on proprietary platforms. This thesis introduces an open source HIL simulation framework that can be ported to any standard Unix-like system on any shared-memory multiprocessor computer, requires minimal operating system scheduler controls, provides a soft real-time guarantee for any constituent simulation that does likewise, enables an asynchronous user interface, and allows for an arbitrary number of secondary control components --Abstract, page iii

    Cyber-security for embedded systems: methodologies, techniques and tools

    The abstract is in the attachment.