Galina Schwartz

Security of interdependent and identical networked control systems

This article studies security decisions of identical plant-controller systems, when their security is interdependent due to network induced risks. Each plant is modeled by a discrete-time stochastic linear system, with the systems controlled over a shared communication network. We formulate the problem of security choices of the individual system operators (also called players) as a non-cooperative game. We consider a two-stage game, in which on the first stage the players decide whether to invest in security or not; and on the second stage, they apply control inputs to minimize the average operational costs. We characterize the equilibria of the game, which includes the determination of the individually optimal security levels. Next, we solve the problem of finding the socially optimal security levels. The presence of interdependent security causes a negative externality, and the individual players tend to under invest in security relative to the social optimum. This leads to a gap between the individual and the socially optimal security levels for a wide range of security costs. From our results, regulatory impositions to incentivize higher security investments are desirable.

Internet QoS and regulations

This paper investigates Internet service provider (ISP) incentives with a single-service class and with two-service classes in the Internet. We consider multiple competing ISPs who offer network access to a fixed user base, consisting of end-users who differ in their quality requirements and willingness to pay for the access. We model user-ISP interactions as a game in which each ISP makes capacity and pricing decisions to maximize its profits and the end-users only decide which service to buy (if any) and from which ISP. Our model provides pricing for networks with single- and two-service classes for any number of competing ISPs. Our results indicate that multiple service classes are socially desirable, but could be blocked due to the unfavorable distributional consequences that it inflicts on the existing Internet users. We propose a simple regulatory tool to alleviate the political economic constraints and thus make multiple service classes in the Internet feasible.

In quest of benchmarking security risks to cyber-physical systems

We present a generic yet practical framework for assessing security risks to cyber-physical systems (CPSs). Our framework can be used to benchmark security risks when information is less than perfect, and interdependencies of physical and computational components may result in correlated failures. Such environments are prone to externalities, and can cause huge societal losses. We focus on the risks that arise from interdependent reliability failures (faults) and security failures (attacks). We advocate that a sound assessment of these risks requires explicit modeling of the effects of both technology-based defenses and institutions necessary for supporting them. Thus, we consider technology-based security defenses grounded in information security tools and fault-tolerant control in conjunction with institutional structures. Our game-theoretic approach to estimating security risks facilitates more effective defenses, especially against correlated failures.

A game theory model for electricity theft detection and privacy-aware control in AMI systems

We introduce a model for the operational costs of an electric distribution utility. The model focuses on two of the new services that are enabled by the Advanced Metering Infrastructure (AMI): (1) the fine-grained anomaly detection that is possible thanks to the frequent smart meter sampling rates (e.g., 15 minute sampling intervals of some smart meter deployments versus monthly-readings from old meters), and (2) the ability to shape the load thanks to advanced demand-response mechanisms that leverage AMI networks, such as direct-load control. We then study two security problems in this context. (1) In the first part of the paper we formulate the problem of electricity theft detection (one of the use-cases of anomaly detection) as a game between the electric utility and the electricity thief. The goal of the electricity thief is to steal a predefined amount of electricity while minimizing the likelihood of being detected, while the electric utility wants to maximize the probability of detection and the degree of operational cost it will incur for managing this anomaly detection mechanism. (2) In the second part of the paper we formulate the problem of privacy-preserving demand response as a control theory problem, and show how to select the maximum sampling interval for smart meters in order to protect the privacy of consumers while maintaining the desired load shaping properties of demand-response programs.

Game-Theoretic Models of Electricity Theft Detection in Smart Utility Networks: Providing New Capabilities with Advanced Metering Infrastructure

The smart grid refers to the modernization of the power grid infrastructure with new technologies, enabling a more intelligently networked automated system with the goal of improving efficiency, reliability, and security, while providing more transparency and choices to electricity customers. A key technology being widely deployed on the consumption side of the grid is advanced metering infrastructure (AMI).

Impact of QoS on Internet User Welfare

In this paper, we investigate the welfare effects of transition from a single-service class to two-service classes in the Internet. We consider an ISP who offers network access to a fixed user base, consisting of users who differ in their quality requirements and willingness to pay for the access. We model user-ISP interactions as a game in which the ISP makes capacity and pricing decisions to maximize his profits and the users only decide which service to buy, if any. Our model provides robust pricing for networks with single- and two-service classes. Our results indicate that transition to multiple service classes is socially desirable, but could be blocked due to the unfavorable distributional consequences that it inflicts on the existing network users. To facilitate the transition, we propose a simple regulatory tool that alleviates the political economic constraints and thus makes the transition feasible.

Incentives and Security in Electricity Distribution Networks

We study incentive problems in electricity distribution when customer energy usage is imperfectly observable by the utility. Thus, we assume that each customer has private information about the amount of his consumed energy. Imperfect observability of individual user demand results is non-technical energy losses. In developing countries, these losses amount to 20 − 30% per year, and are largely attributed to theft by residential customers. Reducing these losses will allow a marked increase in efficiency of the electricity distribution. Usage of smart energy management devices enables new functionalities and brings the potential for such increased efficiency. However, employing smart energy management devices also entails a new set of problems. Typically, such devices are commercially produced, and employ off-the-shelf information technology (IT) solutions with inherent security vulnerabilities. Thus, due to technology limitations and cost constraints, smart devices are vulnerable to tampering and may enable systemic energy theft, threatening to reduce, or even erase the gains in efficiency. In this paper, we address incentives of utility company to combat theft (i.e., non-technical losses), when utility is subject to rate (tariff) regulation. From our analysis, such regulated utilities invest less than socially optimal in theft reduction. We suggest that regulators should include explicit targets for the allowable losses to remedy the problem of incentive misalignment.

On the interdependence of reliability and security in Networked Control Systems

This paper studies player incentives to invest in network reliability and security. We consider heterogeneous networked control system (NCS) - also called players - facing a class of problems involving discrete interdependent risks. We formulate the problem of security choices of the individual NCS as a non-cooperative two-stage game, in which players make they security and control decisions, respectively. We characterize equilibria of the game, thus determining the individually optimal security levels. The presence of interdependent security causes a negative externality, and the individual players tend to under invest in security relative to the social optimum. From our results, security and reliability decisions are tightly coupled, and should be considered jointly to improve efficiency.

A three-stage Colonel Blotto game with applications to cyberphysical security

We consider a three-step three-player complete information Colonel Blotto game in this paper, in which the first two players fight against a common adversary. Each player is endowed with a certain amount of resources at the beginning of the game, and the number of battlefields on which a player and the adversary fights is specified. The first two players are allowed to form a coalition if it improves their payoffs. In the first stage, the first two players may add battlefields and incur costs. In the second stage, the first two players may transfer resources among each other. The adversary observes this transfer, and decides on the allocation of its resources to the two battles with the players. At the third step, the adversary and the other two players fight on the updated number of battlefields and receive payoffs. We characterize the subgame-perfect Nash equilibrium (SPNE) of the game in various parameter regions. In particular, we show that there are certain parameter regions in which if the players act according to the SPNE strategies, then (i) one of the first two players add battlefields and transfer resources to the other player (a coalition is formed), (ii) there is no addition of battlefields and no transfer of resources (no coalition is formed). We discuss the implications of the results on resource allocation for securing cyberphysical systems.

Cyber-insurance framework for large scale interdependent networks

This article presents a framework for managing cyber-risks in large-scale interdependent networks where cyber insurers are strategic players. In our earlier work, we imposed that breach probability of each network node (which we view as a player) is a function of two variables: first, player own security action and second, average security of all players. In this article, we formally derive the expression of breach probability from the standard assumptions. For a homogeneous interdependent network (identical users), we provide a solution for optimal security choice of each node in environments without and with cyber insurers present. Then, we introduce a general heterogeneous network (many user types), and derive the expression for network security. Lastly, we consider the network with two user types (normal and malicious), in which we allow one user type (malicious users) to subvert monitoring of the insurers, even if these insurers are able to perfectly enforce security levels of normal users (at zero cost). Our analysis confirms a discrepancy between informal arguments that favor cyber-insurance as a tool to improve network security, and formal models, which tend to view insurance as an instrument of managing risks only. In particular, our results support the case against cyber-insurance as the means of improving security. Our framework helps to identify the crucial network parameters for improving incentives to provide secure networks.