Rakesh B. Bobba

SOCCA: A Security-Oriented Cyber-Physical Contingency Analysis in Power Infrastructures

Contingency analysis is a critical activity in the context of the power infrastructure because it provides a guide for resiliency and enables the grid to continue operating even in the case of failure. In this paper, we augment this concept by introducing SOCCA, a cyber-physical security evaluation technique to plan not only for accidental contingencies but also for malicious compromises. SOCCA presents a new unified formalism to model the cyber-physical system including interconnections among cyber and physical components. The cyber-physical contingency ranking technique employed by SOCCA assesses the potential impacts of events. Contingencies are ranked according to their impact as well as attack complexity. The results are valuable in both cyber and physical domains. From a physical perspective, SOCCA scores power system contingencies based on cyber network configuration, whereas from a cyber perspective, control network vulnerabilities are ranked according to the underlying power system topology.

Analyzing NASPInet data flows

One of the missions of the North American SynchroPhasor Initiative (NASPI) is to create a robust, widely available and secure synchronized data measurement infrastructure, dubbed NASPInet, that will improve reliability of the power grid. Phasor Measurement Unit (PMU), a GPS clock synchronized measurement device capable of measuring the current and voltage phasors in the power grid, is the main measurement device that NASPInet envisions to support. While the dataflow, latency and to some extent security requirements for individual PMU applications that depend on the measurement infrastructure have been characterized, this work undertakes the challenge of characterizing the collective dataflow, latency and security requirements of the measurement infrastructure when using different network architectures and when multiple PMU applications simultaneously utilize NASPInet. For our analysis we focus on a case study where we model a scalable scenario in NASPInet for a part of the North American Power Grid, the western interconnect, using Network Simulator v2 (NS-2).

Exploring a tiered architecture for NASPInet

One of the missions of the North American SynchroPhasor Initiative (NASPI) is to create a robust, widely available and secure synchronized data measurement infrastructure, called the NASPI network or NASPInet. Leveraging the Phasor Measurement Unit (PMU), a GPS clock synchronized measurement device capable of measuring the current and voltage phasors in the power grid, NASPI will improve reliability of the power grid with NASPInet providing data delivery. While a conceptual architecture of NASPInet and its functional requirements have been developed, in this work we address the challenge of designing a deployable architecture that can realize NASPInet on a continental scale. To do so, we explore a tiered architecture for NASPInet and analyze its impact on the Quality of Service (QoS), cyber security and network management services. Furthermore, we discuss the distributed computing opportunities afforded by our architecture.

A Framework for Evaluating Intrusion Detection Architectures in Advanced Metering Infrastructures

The scale and complexity of Advanced Metering Infrastructure (AMI) networks requires careful planning for the deployment of security solutions. In particular, the large number of AMI devices and the volume and diversity of communication expected to take place on the various AMI networks make the role of intrusion detection systems (IDSes) critical. Understanding the trade-offs for a scalable and comprehensive IDS is key to investing in the right technology and deploying sensors at optimal locations. This paper reviews the benefits and costs associated with different IDS deployment options, including either centralized or distributed solution. A general cost-model framework is proposed to help utilities (AMI asset owners) make more informed decisions when selecting IDS deployment architectures and managing their security investments. We illustrate how the framework can be applied through case studies, and highlight the interesting cost/benefit trade-offs that emerge.

Enhancing Grid Measurements: Wide Area Measurement Systems, NASPInet, and Security

Deregulation, market transactions, congestion management, and the separation of functions have created increasing complexity that is making it difficult to maintain situational awareness and supervision of power system performance over large areas. Past reliability events (such as blackouts) have highlighted the need for better situational awareness and advanced applications to improve planning, operations, and maintenance. The deployment of a continent- wide wide area measurement system (WAMS) is an important part of the solution to these complex problems, but it faces challenges with respect to communications and security.

Security of smart distribution grids: Data integrity attacks on integrated volt/VAR control and countermeasures

We examine the feasibility of an attack on the measurements that will be used by integrated volt-var control (VVC) in future smart power distribution systems. The analysis is performed under a variety of assumptions of adversary capability regarding knowledge of details of the VVC algorithm used, system topology, access to actual measurements, and ability to corrupt measurements. The adversary also faces an optimization problem, which is to maximize adverse impact while remaining stealthy. This is achieved by first identifying sets of measurements that can be jointly but stealthily corrupted. Then, the maximal impact of such data corruption is computed for the case where the operator is unaware of the attack and directly applies the configuration from the integrated VVC. Furthermore, since the attacker is constrained to remaining stealthy, we consider a game-theoretic framework where the operator chooses settings to maximize observability and constrain the adversary action space.

Real-Time Systems Security through Scheduler Constraints

Real-time systems (RTS) were typically considered to be invulnerable to external attacks, mainly due to their use of proprietary hardware and protocols, as well as physical isolation. As a result, RTS and security have traditionally been separate domains. These assumptions are being challenged by a series of recent events that highlight the vulnerabilities in RTS. In this paper we focus on integrating security as a first class principle in the design of RTS: we show that certain security requirements can be specified as real-time scheduling constraints. Using information leakage as a motivating problem, we illustrate our techniques with fixed-priority (FP) real-time schedulers. We evaluate our approach and discuss tradeoffs. Our evaluation shows that many real-time task sets can be scheduled under the proposed constraints without significant performance impact.

Formal Analysis of Fault-tolerant Group Key Management Using ZooKeeper

Security-as-a-Service (SecaaS) is gaining popularity, with cloud-based anti-spam and anti-virus leading the way. In this work we look at key management as a security service and focus on group key management witha central group key manager. Specifically, we analyze are writing logic model of a ZooKeeper-based group key management service specified in Maude and study its tolerance to faults and performance as it scales to service larger groups using the PVeStA statistical model checking tool.

Power flow cyber attacks and perturbation-based defense

In this paper, we present two contributions to false data injection attacks and mitigation in electric power systems. First, we introduce a method of creating unobservable attacks on the AC power flow equations. The attack strategy details how an adversary can launch a stealthy attack to achieve a goal. Then, we introduce a proactive defense strategy that is capable of detecting attacks. The defense strategy introduces known perturbations by deliberately probing the system in a specific, structured manner. We show that the proposed approach, under certain conditions, is able to detect the presence of false data injection attacks, as well the attack locations and information about the manipulated data values.

Reliable GPS-based timing for power systems: A multi-layered multi-receiver architecture

Synchronized voltage and current phasor measurements provided by phasor measurement units (PMUs) have the potential to augment power system monitoring, control, and protection functions. PMUs use the Global Positioning System (GPS) to synchronize measurements across a wide geographical area. Unfortunately, low-received-power, unencrypted civil GPS signals are vulnerable to jamming and spoofing attacks. Accidental receiver malfunction can also lead to incorrect position/time solutions. This paper presents a multi-layered multi-receiver architecture that hardens GPS-based timing against jamming, spoofing, and receiver errors. Our architecture integrates eight countermeasures in all layers of receiver signal and data processing; most of the countermeasures exploit the static and networked nature of time reference receivers. We define five threat models, and qualitatively analyze the effectiveness of each countermeasure against each threat model. The analysis demonstrates that the redundant, independent but complementary countermeasures provide high reliability and robustness.