William G. Temple

Delay makes a difference: Smart grid resilience under remote meter disconnect attack

Modern smart meters commonly provide a service switch which allows remote connection or disconnection (RCD) of electrical service over a utilitys communication network. While this feature is valuable for utilities, researchers have raised concerns about possible (ab)use by malicious attackers, noting the high economic cost of blackouts, as well the potential for controlled on-off switching of meters to affect power grid stability, for example by disturbing its frequency. However, while security concerns have been identified, little work has been done to develop and assess concrete countermeasures that are specific to these attacks. In this paper, we design novel randomized time delay countermeasures for smart meter RCD attacks, and demonstrate their effectiveness under sophisticated attack scenarios. We show that even if an attacker successfully issues malicious RCD commands, a well-designed time delay countermeasure makes the smart grid more resilient by: 1) preventing rapid changes in overall system load; and 2) providing time for a utility to potentially detect and stop an attack in progress. In particular, we demonstrate that a geometric delay mechanism can greatly reduce the magnitude of an attack with little impact on a utilitys day-to-day operations.

Security analysis of urban railway systems: The need for a cyber-physical perspective

Urban railway systems are increasingly relying on information and communications technologies (ICT). This evolution makes cybersecurity an important concern, in addition to the traditional focus on reliability, availability, maintainability and safety. In this paper, we examine two examples of cyber-intensive systems in urban railway environments—a communications-based train control system, and a mobile app that provides transit information to commuters—and use them to study the challenges for conducting security analysis in this domain. We show the need for a cyber-physical perspective in order to understand the cross-domain attack/defense and the complicated physical consequence of cyber breaches. We present security analysis results from two different methods that are used in the safety and ICT security engineering domains respectively, and use them as concrete references to discuss the way to move forward.

Automatic Generation of Security Argument Graphs

Graph-based assessment formalisms have proven to be useful in the safety, dependability, and security communities to help stakeholders manage risk and maintain appropriate documentation throughout the system lifecycle. In this paper, we propose a set of methods to automatically construct security argument graphs, a graphical formalism that integrates various security-related information to argue about the security level of a system. Our approach is to generate the graph in a progressive manner by exploiting logical relationships among pieces of diverse input information. Using those emergent argument patterns as a starting point, we define a set of extension templates that can be applied iteratively to grow a security argument graph. Using a scenario from the electric power sector, we demonstrate the graph generation process and highlight its application for system security evaluation in our prototype software tool, Cyber SAGE.

Monotonic marginal pricing: demand response with price certainty

In this paper we develop a general dynamic pricing scheme based on consumer-indexed marginal cost, and demonstrate its properties in a simulated electricity market derived from New York ISO data. We show that monotonic marginal (MM) pricing provides price certainty, ensuring that every consumers instantaneous price is non-increasing for a constant consumption level. Additionally, we show that MM pricing ensures budget balance for energy suppliers, allowing them to recover any operating costs and a profit margin. Using a Summer 2012 peak load day as a case study, we simulate a population of over 25000 electricity users and evaluate the performance of an example MM pricing plan versus historical real-time prices under various demand elasticities. The results demonstrate that MM pricing can provide system-level demand response and cost savings comparable with real-time pricing, while protecting consumers from price volatility.

Data-driven model-based detection of malicious insiders via physical access logs

The risk posed by insider threats has usually been approached by analyzing the behavior of users solely in the cyber domain. In this paper, we show the viability of using physical movement logs, collected via a building access control system, together with an understanding of the layout of the building housing the system’s assets, to detect malicious insider behavior that manifests itself in the physical domain. In particular, we propose a systematic framework that uses contextual knowledge about the system and its users, learned from historical data gathered from a building access control system, to select suitable models for representing movement behavior. We then explore the online usage of the learned models, together with knowledge about the layout of the building being monitored, to detect malicious insider behavior. Finally, we show the effectiveness of the developed framework using real-life data traces of user movement in railway transit stations.

SecureRails: Towards an open simulation platform for analyzing cyber-physical attacks in railways

Analyzing the impact of cyber-physical attacks is important for railway operators to help them in assessing and prioritizing their efforts of securing the infrastructures. Since railways consist of several complex cyber-physical systems operating in tandem, it is difficult to assess the impact of an attack without a simulator. Commercially available simulators are intended to support operational design and lack the flexibility to incorporate different attack scenarios. Furthermore, many commercial tools are prohibitively expensive. To address the need for an open and extensible simulator, we propose to build SecureRails, an open source simulator for railway cyber-security analysis. SecureRails consists of two basic building blocks, a train motion simulator built on OpenRails platform, and a model based railway traction power flow simulator built on Matlab. In order to simulate the operation of a railway system, the two simulators interact with each other continuously during their simulation runtime using the JSON-RPC protocol. We have included several novel features in this simulator such as improving the timetable schedule and passenger flow modeling. We propose to develop a generic API framework on OpenRails and Matlab to allow users to specify their attack scenarios and call these APIs for their studies. While this work is in an early stage, we illustrate the utility of such a simulator using a case study for the Shenzhen metro system.

Developing Models for Physical Attacks in Cyber-Physical Systems

In this paper, we analyze the security of cyber-physical systems using the ADversary VIew Security Evaluation (ADVISE) meta modeling approach, taking into consideration the effects of physical attacks. To build our model of the system, we construct an ontology that describes the system components and the relationships among them. The ontology also defines attack steps that represent cyber and physical actions that affect the system entities. We apply the ADVISE meta modeling approach, which admits as input our defined ontology, to a railway system use case to obtain insights regarding the systems security. The ADVISE Meta tool takes in a system model of a railway station and generates an attack execution graph that shows the actions that adversaries may take to reach their goal. We consider several adversary profiles, ranging from outsiders to insider staff members, and compare their attack paths in terms of targeted assets, time to achieve the goal, and probability of detection. The generated results show that even adversaries with access to noncritical assets can affect system service by intelligently crafting their attacks to trigger a physical sequence of effects. We also identify the physical devices and user actions that require more in-depth monitoring to reinforce the systems security.

Reconciling Systems-Theoretic and Component-Centric Methods for Safety and Security Co-analysis

As safety-critical systems increasingly rely on computing, communication, and control, there have been a number of safety and security co-analysis methods put forth to identify, assess, and mitigate risks. However, there is an ideological gap between qualitative system-level methods that focus on control interactions, and more traditional methods based on component failure and/or vulnerability. The growing complexity of cyber-physical and socio-technical systems as well as their interactions with their environments seem to demand a systems-theoretic perspective. Yet, at the same time, more complex threats and failure modes imply a greater need for risk-based analysis to understand and prioritize the large volume of information. In this work we identify promising aspects from two existing safety/security co-analysis methods and outline a vision for reconciling them in a new analysis method.

Data-driven evaluation of building demand response capacity

Before a building can participate in a demand response program, its facility managers must characterize the sites ability to reduce load. Today, this is often done through manual audit processes and prototypical control strategies. In this paper, we propose a new approach to estimate a buildings demand response capacity using detailed data from various sensors installed in a building. We derive a formula for a probabilistic measure that characterizes various tradeoffs between the available demand response capacity and the confidence level associated with that curtailment under the constraints of building occupant comfort level (or utility). Then, we develop a data-driven framework to associate observed or projected building energy consumption with a particular set of rules learned from a large sensor dataset. We apply this methodology using testbeds in two buildings in Singapore: a unique net-zero energy building and a modern commercial office building. Our experimental results identify key control parameters and provide insight into the available demand response strategies at each site.

Enhancing Anomaly Diagnosis of Automatic Train Supervision System Based on Operation Log

Automatic train supervision (ATS) systems are designed to improve the reliability of train services. An ATS system coordinates the trains and other systems in a metro and records alarms if faults occur. In this work, we propose a context-aware anomaly diagnosis tool to analyze the underlying causes of alarms for ATS system. Using 61-day data collected from an operational ATS system, we apply our diagnosis tool to conduct systematic analysis of the alarms and identify interesting correlations among different assets and events. Our analysis shows that the alarms can be correlated with certain system events if they are in the same operations or the assets associated with them belong to the same or linked systems. These results can improve the efficiency of anomaly diagnosis and maintenance for metro system.