Yee Wei Law, Marimuthu Palaniswami


ARC Research Network on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP)

28th March 2011, Tonkin's 3rd Smart Grids Forum


ISSNIP at a glance:
- 10 Australian universities
- Access to an extended network of over 200 researchers in Australia, the USA, Europe and Asia
- 30+ industry linkages

ISSNIP vision. Partners: universities (national and international), industry, research institutions. Funding: ARC, DEST, DIISR, NSF, DARPA.

Smart grid work with UNSW:
- Evaluate the impact of large-scale wind turbine penetration on the transient and voltage stability of power systems
- Effects of Flexible AC Transmission Systems (FACTS) devices

Smart grid work with the University of Surrey:
- Reshaping the energy demand of users by communication technology and economic incentives ("persuasive energy-conscious network usage")

This talk is about cyber security, not to be confused with "power system security" (the ability of the grid to keep operating through faults and disturbances).





Outline:
- Confidentiality, integrity, availability
- Recent developments
- Introduce the new smart grid infrastructure and its associated security issues
- What technology from sensor networks is applicable
- What research is needed

[Timeline figure: recent developments, 2007 to 2010]

Recent guidelines and standards (organization: document):
- Nuclear Regulatory Commission (U.S.): Cyber Security Programs for Nuclear Facilities (2010)
- Dept. of Homeland Security (U.S.): Catalog of Control Systems Security: Recommendations for Standards Developers (2011)
- Idaho National Laboratory (U.S.): NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses (2010)
- NIST (U.S.): IR 7628 "Guidelines for Smart Grid Cyber Security" (2010)
- NIST (U.S.): standards review (2010)
- Government Accountability Office (U.S.): report on smart grid security guidelines (2011)
- and more...

7

2011 CyberSecurity Watch Survey by CERT (covering Aug 2009 to Jul 2010):
- 58% of threats come from outsiders (e.g., hackers)
- 21% of threats come from insiders (employees or contractors)

Real-world example: Stuxnet
- Stuxnet was introduced via a USB stick
- It seeks out and spreads to machines running WinCC and PCS 7 SCADA software (Siemens)

Fact 1: Insider attacks render cryptographic protection inadequate (an insider already holds valid keys and credentials, so encryption and authentication alone do not stop them).

Fact 2: Control systems are prime targets
- 80% of executives say their SCADA systems are Internet-accessible
- 55% say SCADA / operational control systems are targeted most often
- 57% say security patches are applied regularly

Existing responses:
- AGA 12: cryptographic protection of communications
- IEC 62351: TLS encryption, security extension of DNP3, etc.
- Multimillion European research projects: CRUTIAL, VIKING

Resilient control system: a system that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected or malicious nature. (Rieger et al., Idaho National Laboratory)

New smart grid infrastructure covered in this talk:
- Wide-Area Measurement System (WAMS)
- Advanced Distribution Automation (ADA)
- Advanced Metering Infrastructure (AMI)

Part A covers ADA and AMI; Part B covers WAMS.

Part A: Advanced Distribution Automation (ADA), spanning the substation and the control center.

ADA according to EPRI: complete automation of all controllable equipment and functions in the distribution system. Example field devices:
- RF temperature sensor
- RF leakage current sensor
- Metal-insulator-semiconductor (MIS) sensor for detecting hydrogen
- Transmission-line robot
- Recloser
- Switched capacitor bank

Advanced Metering Infrastructure (AMI): smart meters connected through a Home Area Network (HAN) and a Neighborhood Area Network (NAN).



Candidate AMI communication technologies (note: ZigBee is not included in this comparison):

CDMA2000
- Interoperability: open standard
- Capacity: 76.8 kbps (80-ms frame), 153.6 kbps (40-ms frame), 307.2 kbps (20-ms frame)
- Latency: hundreds of milliseconds
- Interference rejection: DSSS; the 2 GHz frequency band allows frequency band re-use
- Transmission range: nation-wide service coverage
- Configuration: point-to-multipoint

GE-MDS 900 MHz
- Interoperability: proprietary
- Capacity: 19.2 kbps (80 km), 115 kbps (48 km), 1 Mbps (32 km)
- Latency: tens of milliseconds
- Interference rejection: FHSS, 902-928 MHz
- Transmission range: 80 km
- Configuration: point-to-point, point-to-multipoint

Silver Spring Networks
- Interoperability: proprietary
- Capacity: 100 kbps
- Latency: tens of milliseconds
- Interference rejection: FHSS, 902-928 MHz
- Transmission range: unknown
- Configuration: point-to-point

Wi-Fi / IEEE 802.11
- Interoperability: open standard
- Capacity: 54 Mbps (802.11a), 11 Mbps (802.11b), 54 Mbps (802.11g), 72 Mbps (802.11n)
- Latency: milliseconds
- Interference rejection: 802.11a: OFDM, 5 GHz; 802.11b: DSSS, 2.4 GHz; 802.11g: OFDM/DSSS, 2.4 GHz; 802.11n: OFDM, 2.4/5 GHz (the 2.4 GHz band is crowded; 5 GHz less so)
- Transmission range: 802.11a: 120 m; 802.11b/g: 140 m; 802.11n: 250 m
- Configuration: point-to-point, point-to-multipoint

WiMAX / IEEE 802.16
- Interoperability: open standard
- Capacity: 9 Mbps
- Latency: milliseconds
- Interference rejection: OFDM, 3.65-3.70 GHz
- Transmission range: 20 km
- Configuration: point-to-multipoint

Australian utilities named on the slide as users of these technologies: Jemena, United Energy, Citipower and Powercor; SP AusNet and Energy Australia.

Smart meter MCUs have limited computational power and memory (vendor: CPU; RAM; Flash):
- Microchip PIC16Fxxxx: 8-bit, 20 MHz; RAM < 1 KB; Flash < 16 KB
- TI MSP430F471xx: 16-bit, 8 MHz; RAM 4/8 KB; Flash 56/120 KB
- Freescale V1 ColdFire: 32-bit, 50 MHz; RAM 8/16 KB; Flash 64/128/256 KB

ADA and AMI that utilize low-capacity networks and low-cost mesh networking devices are in fact wireless sensor networks (WSNs). Notable players (shown as logos on the slide): one acquired by Cisco, one founded by WSN pioneers.

ISSNIP is the only non-European partner in the European project "SmartSantander", whose aim is to turn the Spanish city of Santander into an experimental smart city by deploying a large-scale network of 20,000 sensors.


Noise mapping for the City of Melbourne: to measure, monitor, understand and manage noise issues within the city (reported in The Age).

The security of WSNs is a relatively well-researched area. Many techniques are applicable, e.g.:
- secure routing
- secure firmware update

[Figure: WSN security architecture. Key management, and intrusion detection and response, cut across the whole network protocol stack: application, network, data link, physical]

Secure routing
- Objective: to ensure the delivery of information
- Robustness: achieving the objective despite hardware failures or unstable connections
- Resilience: achieving the objective despite attacks
- Insider attacks: dropping; flooding; wormhole (the attacker attracts traffic to itself by claiming to be 1 hop away from the base station); Sybil (a single attacker node claims several identities, e.g., "I'm B", "I'm C")

Our approach to resilient routing:
- RPL (IPv6 Routing Protocol for Low-power and Lossy Networks): the new routing protocol of the 6LoWPAN protocol stack, at the time an Internet Draft
- On top of RPL, apply "tunnel routing with support" (TRS), co-designed with IBM Zürich
- Principle: monitoring of packet forwarders, multiple paths

[Plot: packet delivery rate versus the fraction of malicious nodes in the network; AODV = Ad hoc On-demand Distance Vector] Compared to AODV, TRS increases the packet delivery rate.

Andrea Munari, Wolfgang Schott, and Yee Wei Law, "Dynamic tunnel routing for reliable and resilient data forwarding in wireless sensor networks," in Proc. PIMRC 2009, pp. 1178-1182, IEEE, 2009.

Secure firmware update

What: updating the firmware of network nodes in situ, i.e., over the air instead of via physical contact.

Why:
- Firmware needs to be updated for feature expansion or bug fixes
- Sensor nodes may be inaccessible
- Labour cost is too high

Challenges:
- Limited computational power requires sparing use of crypto
- Limited data rate requires careful coordination
- Dynamic environment requires robustness to packet loss
- Insider attacks require resilience to packet pollution

Design:
- Limit the use of digital signature verification to once per update
- Avoid flooding (broadcast storm) by exchanging advertisement, request and data messages
- For robustness to packet loss, use rateless codes: instead of sending packets as is, encode them in such a way that any k of the encoded packets can be decoded
- For resilience to packet pollution, use Sreluge, which isolates polluters

Yee Wei Law, Yu Zhang, Jiong Jin, Marimuthu Palaniswami, and Paul Havinga, "Secure Rateless Deluge: Pollution-Resistant Reprogramming and Data Dissemination for Wireless Sensor Networks," EURASIP Journal on Wireless Communications and Networking, Special Issue on Security and Resilience for Smart Devices and Applications, vol. 2011, Article ID 685219, 22 pages, 2011.


The 14 Aug 2003 North America blackout affected 50 million people. Reasons include:
- Inadequate "situational awareness" at FirstEnergy
- No real-time data from the Stuart-Atlanta line for the Midwest ISO to work with

Part B: Wide-Area Measurement System (WAMS)
- WAMS: a high-capacity network of phasor measurement units (PMUs)
- A PMU measures voltage and current phasors (magnitude + angle)
- Typically 30 time-stamped samples per second
- Enables real-time control of electromechanical oscillation, voltage, frequency, etc.
- PMU measurements are also known as synchrophasors, because they are time-synchronized using GPS

Commercial PMU products: ABB's RES521, Macrodyne's 1690, MiCOM P847. (Phadke and Thorp's prototype dates from circa 1988.)

[Figure: energy management system (EMS) architecture. The power network is observed through a SCADA master and RTUs/IEDs, and through PMUs feeding phasor data concentrators (PDCs) in the wide-area measurement system (WAMS); EMS functions include the state estimator, load forecast, automatic generation control (AGC), economic dispatch and other functions]

State estimator: measurements -> network topology processor -> state estimator -> bad data detection. Possible insider attack: inject bad data crafted to foil the bad data detection.

Y. Liu et al., "False data injection attacks against state estimation in electric power grids," in Proc. 16th ACM Conference on Computer and Communications Security, 2009.

Attack scenario: given k compromised meters (RTUs/IEDs/PMUs), find a vector of k false values that bypasses detection.
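The attack scenario above, as an added worked example that is not code from the page or from Liu et al.: weighted-least-squares state estimation with the classic residual-based bad data detector, the attack vector a = Hc that passes it, and the null-space construction for an attacker who can only touch k of the meters. The 3-bus DC power-flow model, the line susceptances, the meter placement, the noise, the true state and the detection threshold are all constructed for this example; the linear algebra is done in exact rational arithmetic with a hand-written RREF so that the residual under attack can be checked to be identical, not merely close.

```python
from fractions import Fraction as F
import math


def transpose(A):
    return [list(col) for col in zip(*A)]


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]


def rref(M):
    """Reduced row echelon form over the rationals. Returns (rows, pivot_columns)."""
    M = [[F(v) for v in row] for row in M]
    pivots, r = [], 0
    for c in range(len(M[0])):
        p = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        M[r] = [v / M[r][c] for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c] != 0:
                M[i] = [a - M[i][c] * b for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots


def solve(A, b):
    """Solve the square system A x = b exactly via the augmented RREF."""
    M, _ = rref([row + [bi] for row, bi in zip(A, b)])
    return [row[-1] for row in M]


def wls_estimate(H, W, z):
    """x_hat = (H^T W H)^{-1} H^T W z with W a diagonal given as a list.
    Returns (x_hat, weighted residual norm of z - H x_hat)."""
    HtW = [[h * w for h, w in zip(row, W)] for row in transpose(H)]
    x_hat = solve(matmul(HtW, H), matvec(HtW, z))
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    return x_hat, math.sqrt(sum(w * ri * ri for w, ri in zip(W, r)))


def bad_data_alarm(H, W, z, tau):
    """Residual test: alarm when the residual norm exceeds the threshold tau."""
    return wls_estimate(H, W, z)[1] > tau


def find_attack(H, compromised):
    """Liu et al.'s construction: an attack a = H c that is non-zero only on the
    compromised meters. c must lie in the null space of the rows of H the attacker
    cannot touch; returns None when those rows have full column rank (no such a)."""
    safe_rows = [row for i, row in enumerate(H) if i not in compromised]
    n = len(H[0])
    M, pivots = rref(safe_rows) if safe_rows else ([], [])
    free = [c for c in range(n) if c not in pivots]
    if not free:
        return None
    c = [F(0)] * n
    c[free[0]] = F(1)                 # pick one free state; the pivot states follow from RREF
    for row, pc in zip(M, pivots):
        c[pc] = -row[free[0]]
    return matvec(H, c), c


# Constructed 3-bus DC model: bus 0 is the angle reference, states x = [theta1, theta2],
# line susceptances b01 = 10, b12 = 5, b02 = 8 (p.u.). Meters (rows of H): flow P01,
# flow P12, flow P02, injection P1, injection P2.
H = [[-10, 0], [5, -5], [0, -8], [15, -5], [-5, 13]]
W = [1, 1, 1, 1, 1]                                          # equal meter weights
X_TRUE = [F(-1, 10), F(-1, 5)]                               # true angles (rad), constructed
NOISE = [F(1, 100), F(-1, 100), F(0), F(1, 50), F(-1, 100)]  # meter noise, constructed
Z = [h + e for h, e in zip(matvec(H, X_TRUE), NOISE)]
TAU = 0.1                                                    # detection threshold, constructed


def attack_demo():
    """Returns (clean residual, residual under a = Hc, residual under an unstructured
    injection on the same meters, estimate shift caused by a, c). The first two are
    equal: the structured attack is invisible to the residual test even though it
    moves the state estimate by c; the unstructured one trips the alarm."""
    x_hat, res_clean = wls_estimate(H, W, Z)
    a, c = find_attack(H, compromised={0, 1, 3, 4})          # attacker cannot touch P02
    x_att, res_att = wls_estimate(H, W, [zi + ai for zi, ai in zip(Z, a)])
    naive = [zi + (1 if i != 2 else 0) for i, zi in enumerate(Z)]  # same meters, no structure
    _, res_naive = wls_estimate(H, W, naive)
    return res_clean, res_att, res_naive, [xa - xh for xa, xh in zip(x_att, x_hat)], c


if __name__ == "__main__":
    res_clean, res_att, res_naive, shift, c = attack_demo()
    print("clean residual  :", res_clean, "alarm:", res_clean > TAU)
    print("a = Hc residual :", res_att, "alarm:", res_att > TAU, "estimate shifted by", shift)
    print("naive residual  :", res_naive, "alarm:", res_naive > TAU)
```

Two things the run makes concrete. First, the attacker's freedom is governed by the uncompromised rows of H: with only one meter in hand, `find_attack` returns None because the remaining four rows still have full column rank, whereas leaving just the P02 flow meter untouched forces c2 = 0 and yields a = c1 * (-10, 5, 0, 15, -5). Second, the residual test sees nothing because a lies in the column space of H, which is exactly why the slide's conclusion points at anomaly detection on the measurements themselves rather than at a bigger threshold.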

[Figure: attack results on the IEEE test systems and on larger networks]

L. Xie, Y. Mo, and B. Sinopoli, "False data injection attacks in electricity markets," in Proc. 1st International Conference on Smart Grid Communications, 2010.

[Figure: IEEE 14-bus test system. Two lines that are actually congested are faked as not congested; the attacker earns $2/MWh at one location, loses $1/MWh at another, and earns $1/MWh net]
Why hardening the meters is not enough:
- It is impractical to tamper-proof a whole PMU, for maintenance reasons, etc.
- Even if tamper-proofing all PMUs were achievable, it is impractical for all RTUs and IEDs
- Using redundant PMUs could reduce the risk, but is also costly
- Most (academic) research so far has designed attacks under different constraints
- We are investigating anomaly detection methods to detect false data

Stewart et al., "Synchrophasor Security Practices," white paper: a multilayered architecture with a perimeter network, firewall + VPN.

Related ISSNIP work on anomaly detection and machine learning:
- J. C. Bezdek, S. Rajasegarar, M. Moshtaghi, T. Havens, C. Leckie, and M. Palaniswami, "Anomaly detection in environmental monitoring networks," IEEE Computational Intelligence Magazine, 2010.
- A. Shilton, D. T. H. Lai, and M. Palaniswami, "A Division Algebraic Framework for Multidimensional Support Vector Regression," IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, vol. 40, no. 2, pp. 517-528, Apr. 2010.
- S. Rajasegarar, J. C. Bezdek, C. Leckie, and M. Palaniswami, "Elliptical Anomalies in Wireless Sensor Networks," ACM Transactions on Sensor Networks, vol. 6, no. 1, article 7, Dec. 2009.
- A. Shilton, M. Palaniswami, D. Ralph, and A. C. Tsoi, "Incremental Training of Support Vector Machines," IEEE Transactions on Neural Networks, vol. 16, no. 1, pp. 114-131, Jan. 2005.

We (ISSNIP) welcome collaboration opportunities. Contact: palani@unimelb.edu.au

[Figure: response cycle to an attack: prevention, containment, detection and notification, recovery and restoration]


Synchrophasors rely on GPS, and GPS is vulnerable to jamming (its signal is weak) and spoofing.
- Short-term solution: Enhanced Long Range Navigation (eLORAN)
- Long-term solution: atomic clocks

[Photos: a LORAN transmitter; a portable GPS and mobile jammer]

[Figure: WAMS data architecture. Layer 1, data acquisition: PMUs over a WAN; Layer 2, data management: PDC and application data buffer; Layer 3, data services; Layer 4, applications: real-time monitoring, real-time control, real-time protection]

Privatization of the electricity market is recent (1980s).
- Locational marginal pricing (LMP), aka nodal pricing
- Case with no constraint on the transmission line: a uniform market clearing price, equal to the highest marginal generator cost
- Case with congestion on the transmission line: the price varies with location

Attack [Xie '10]:
1. In the day-ahead forward market, buy and sell virtual power at two different locations P1 and P2
2. Inject false data to manipulate the nodal price of the ex post market
3. In the ex post market, sell and buy virtual power at P1 and P2 respectively
4. Profit


Summary:
- Advances in sensor and networking technology are driving the Smart Grid
- Grid modernization stimulates multi-disciplinary research
- In progress: the $100m "Smart Grid, Smart City" demonstration project in Newcastle; Intelligent Grid: CSIRO and five universities
- We have the expertise in WSNs, control and machine learning, and are seeking collaboration opportunities