Security and Vulnerability of Cyber-Physical Infrastructure Networks: A Control-Theoretic Approach

Transcription

1 C H A P T E R 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks: A Control-Theoretic Approach Mengran Xue, Sandip Roy, Yan Wan, Sajal K. Das 1.1. INTRODUCTION The purpose of this chapter is to (1) introduce notions of security for the physical dynamics of complex cyber-physical networks and (2) provide a tutorial on control-theoretic tools for network inference that are promising for evaluation of such dynamic notions of security. Classically, computer scientists and infrastructure network engineers have conceptualized the modeling and resolution of threats and uncertainties in vastly different ways. In a very broad sense, computer scientists have extensively studied threat and uncertainty resolution from the perspective of securing information (e.g., [1]). That is, computing devices and computer networks are viewed as storing, processing, and transmitting valuable information; threats and uncertainties are seen as either modifying this information and its processing, or causing theft of the information for undesirable purposes. In contrast, infrastructure network engineers traditionally have approached threat and uncertainty modeling/resolution from a dynamical systems viewpoint (e.g., [2, 3]). That is, their key focus has been on analyzing and guiding the temporal behaviors or actions or dynamics of network components, and, in consequence, threats and uncertainties are viewed as undesirably modifying the dynamics. Given this viewpoint, infrastructure network engineers typically view the resolution of threats and uncertainties as stability, performance, and robustness (or vulnerability) concerns rather than security ones. As cyber and physical capabilities become increasingly intertwined and multifaceted, and the threats and uncertainties themselves become increasingly complicated, the notions of threat and uncertainty modeling/resolution that combine the computer science and infrastructure engineering perspectives are increasingly needed. For instance, both stakeholders and external players associated with electric power and transportation networks increasingly have available sophisticated cyber capabilities for surveillance, based on which they can deliberately obtain an Handbook on Securing Cyber-Physical Critical Infrastructure. DOI: /B c 2012 Elsevier Inc. All rights reserved.

2 6 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks information set on the network s dynamics and structure, and in turn enact self-serving alterations of the dynamics (e.g., [4]). Conversely, as algorithms for cyber and cyber-physical networks become increasingly complex and operate in harsher environments, the effects of uncertainties on the algorithms dynamics are becoming increasingly relevant (e.g., [5]). Given the increasing blurring and meshing between cyber and physical notions of threat and uncertainty modeling/resolution, we believe that new definitions that capture and combine notions of information violation and robustness/vulnerability of physical network dynamics are needed. In this chapter, we (1) develop a framework for studying the security and vulnerability of physical network dynamics in particular and (2) in turn provide a tutorial on network-theoretic tools that can be used to evaluate these dynamic notions of security. The first core aim of this chapter is to motivate and develop a framework for studying the security and vulnerability of network dynamics (Section 1.2). Precisely, we will motivate and define dynamic network security as a measure of estimability of network dynamics and structure from sensed measurements of some network responses, and in complement define network vulnerability in terms of potential disruption to the dynamics due to either physical modification or information violation in the network. To obtain these definitions, we will progress in several steps. To provide a concrete context for modeling threats and uncertainties in physical network dynamics, we will introduce a canonical yet fairly broadly applicable linear dynamical network model (Section 1.2.1). This dynamical model, defined on an underlying graph, is structured to capture complex (and possibly stochastic) network dynamics, complex processes generating uncertainties in these networks, and network sensing capabilities. Next, we will introduce several definitions for dynamical network security (and degree of security), as concepts of estimability/unestimability for the network model (Section 1.2.2). These definitions are structured to permit graph-theoretic characterizations for inference of the physical dynamics by an adversary operating at one or multiple network components. In complement, we will define notions of vulnerability to capture the possible impact of cyber or physical adversaries on the physical network dynamics (Section 1.2.3). These definitions of vulnerability, while tied to traditional notions of robustness/vulnerability in systems, take the further step of making the role of the network structure in vulnerability explicit. Third, we discuss how such definitions can be applied to capture the complex interrelationship between security and vulnerability, and between adversaries and system designers, that are common in modern cyberphysical networks (Section 1.2.4). Finally, with the tutorial purpose of the book in mind, we will discuss an example scenario where inference of dynamical information in networks is of concern, and carefully specify the notions of security and vulnerability in this scenario (Section 1.2.5). The example is focused on strategic management of transportation networks operating under weather uncertainty. The second core aim of our development is to introduce a family of promising new controltheoretic methods for (1) inference (estimation) of network dynamics including characterization of estimator performance, and (2) perturbation and control of networks that together allow evaluation of dynamical network security measures (Section 1.3). In fact, systems and control engineers have extensively studied estimation of system states (dynamics) and structures, over a period of almost 70 years [6]. Very recently, a focus on estimation of network dynamics has specifically emerged (e.g., [7 9]). These recent works can broadly be described as having three purposes: (1) construction of estimators for the multifaceted and highly stochastic dynamics that are characteristic of modern networks; (2) establishing relationship of the estimator structure to the graph topology of the network; and (3) characterization of the estimator performance in terms of the graph topology. As these studies of network inference have emerged, it has also become clear that tools for physical network partitioning from dynamical responses are necessary to inform inference design. We believe that these network

3 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks 7 estimation or inference techniques, and related network partitioning methods, are very germane to the study of dynamical network security. Specifically, they can provide explicit graph-theoretic characterizations of security measures and associated estimators, and hence permit design of network dynamics that are secure. Here, we overview these promising tools for network estimation and estimator characterization and summarize their application in characterizing network security (Section 1.3.1). Next, we overview new ideas on perturbation and control of network dynamics that are needed for characterization of network vulnerability (Section 1.3.2). Like estimation, perturbation/control of dynamical systems and even networks has been very extensively studied. However, to develop useful characterizations of the notions of vulnerability that we have proposed, we critically need methods that relate dynamics and control to the network s topological structure; we overview an interesting body of recent literature in this direction. Finally, we argue that the study of network inference and its application is very much a work in progress and describe several challenges that need to be addressed to achieve a comprehensive treatment (Section 1.3.3). Throughout this development, we expose the critical role played by the network s topological structure in the estimability of the network dynamics and structure, and hence in dynamical network security DEFINITIONS FOR SECURITY AND VULNERABILITY OF NETWORK DYNAMICS The purpose of this section is to introduce notions of security and vulnerability in cyber-physical systems that are concerned with the observation and modification of a network s physical dynamics by an adversary. Fundamentally, we define security as the amount of information about state dynamics and model parameters contained in local measurements made by an adversary in a cyber-physical network, and define vulnerability in terms of the possible impact on network-wide dynamics of local actuations/modifications made by an adversary. Our work is largely motivated by growing concerns about threats and uncertainties impacting the physical world of large-scale cyberphysical infrastructures. More formally, we are primarily concerned with infrastructure or physical networks, whose primary purpose is the completion of a physical task rather than only information transfer. Classically, the state dynamics of such physical-infrastructure networks have been viewed as being governed by the underlying laws of interaction (e.g., physics or population dynamics rules), which yield differential equation models defined on a graph for the dynamics. Historically, natural disturbances (e.g., weather phenomena) and unexpected operational failures have been considered the primary causes of failure for such networks, and hence the robustness or vulnerability of the networks to such natural adversaries has been fairly thoroughly studied. As these infrastructure networks are becoming increasingly tied with cyber capabilities and are operating in ever more complex environments, the possibility for deliberate attacks from sentient adversaries is also increasing. The behaviors of sentient adversaries in cyber systems (which may be either internal components or external agents of the network) as well as the possible responses by system designers have been extensively studied. However, analogous concepts of security have not been systematically developed for adversarial behavior in the physical world. We contend that a careful formulation of adversarial behavior in the physical world must be drawn on both the concepts of security developed for cyber systems, and a full understanding of the differential equation dynamics of the physical world. Here, we argue that control-theoretic notions regarding the estimation and actuation of network dynamics provide a natural mean for defining security of physical dynamics. Based on this viewpoint, we define concepts of security and vulnerability for physical network dynamics that encompass the behaviors of both natural and sentient adversaries as well as the responses of system designers to mitigate attacks. Precisely, we develop definitions of security associated

4 8 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks with three aspects of adversarial behavior and response: (1) We define notions of security for physical network dynamics that describe a sentient adversary s ability to compute or infer important global statistics of the network dynamics or structure, by processing local, noisy observations of the dynamics. (2) We define notions of vulnerability for physical network dynamics, which quantify the amount of disruption to the dynamics that can be caused by either a natural or a sentient adversary through localized actuation. (3) We briefly discuss integrative notions regarding threats and threat responses for physical network dynamics. Specifically, we consider the need for adversaries to sequentially infer and then disrupt network dynamics, and hence consider the interplay between security and vulnerability. We also argue that the system designer s effort to identify, predict, and respond to actuations by adversaries (whether natural or sentient) can be viewed as dual notions of security/vulnerability. The remainder of this section is organized as follows. We begin by briefly reviewing the types of models (defined on graphs) that are used to represent dynamics of physical-infrastructure networks, to provide a framework for our security definitions (Section 1.2.1). We then motivate and present control-theoretic definitions for each of the three aspects of adversarial behavior described above (Sections ). Finally, we introduce the security problems in several example physical networks, thus motivating the developed framework (Section 1.2.5) Review: Differential Equation Models for Infrastructure Networks The dynamics of infrastructures and other physical networks are often modeled using state-space differential equations or differential-algebraic equations defined on graphs, which are apt in capturing the physical interactions among network components that govern these networks. The differential equation models for the networks are often nonlinear, but linearized approximations (or linearized approximations embedded by static nonlinearities such as saturation elements) are used for design, with the nonlinear model being simulated to verify a proposed design. Here, we introduce a basic deterministic linear differential equation model defined on a graph, which can capture essential dynamics of several large-scale physical networks. The model provides us with a concrete framework for defining notions of security and adversarial behavior, as we will do in the subsequent sections. We consider a network comprising n components or nodes labeled 1,...,n. Each component i has associated with it a vector status x i (t), which describes the evolving physical properties of component i at time t. The status vector of each component is modeled as being governed by a linear differential equation, with the status update for component i modulated by the current status of its neighbors on a graph as well as by a local input u i (t). Precisely, we define a directed network graph G, which has n vertices corresponding to the n components of the network. An edge from vertex i to vertex j in the graph (drawn as an edge with an arrow impinging on vertex j) indicates that the status differential (change) of component j is dependent on the concurrent status of component i. Note here that we will use an edge from a vertex back to itself (i.e., a self-loop), to indicate that the status change of the corresponding component depends on its current status. In terms of the network graph, the (continuous-time) linear dynamics of the status vectors are specified as follows: Equation 1-1 ẋ i (t) = A ij (t)x j (t) + B i (t)u i (t), j U(i) where U(i) represents the upstream neighbors of vertex i, that is, the set of vertices j in the graph such that there is an edge from j to i, and the matrices A ij (t) are assumed to be nonzero. In general, the matrices A ij (t) and B i (t) can be either deterministic (i.e., fixed constant matrices) or stochastic (i.e., several possible values associated with certain probabilities). Such a flexible model has a wide capability to represent both

5 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks 9 U(1) = {vertex 2, vertex 4,vertex 5} Dynamics of vertex 1: x 1 (t) = A 12 (t)x 2 (t) + A 14 (t)x 4 (t) + A 15 (t)x 5 (t) + B 1 (t)x 1 (t) x 1 (t) u 1 (t) 1 A 15 (t) A 12 (t) u 5 (t) 5 x 5 (t) x 2 (t) 2 A 14 (t) u 2 (t) 4 x 4 (t) 3 u 4 (t) FIGURE 1-1 A network graph example. x 3 (t) u 3 (t) continuous-time and discrete-time linear models for infrastructures, including linear flow network models (e.g., Markov chains) and network synchronization models (e.g., voter models) [10]. Also, the matrices A ij (t) are tightly connected to the underlying graph structure. In some circumstances, we will find it convenient to identify the matrix A ij (t) as a weight associated with the edge from j to i. An illustration of a network graph and associated dynamics is shown in Figure 1-1. For convenience, we also assemble all the status vectors into a state vector x(t) = [ x1 (t) x n (t) T ] and the inputs into an input vector u(t) = [ u 1 (t) u n (t) ] T, and so write the system dynamics in the following form: Equation 1-2 ẋ(t) = A(t)x(t) + B(t)u(t), A 11 (t) A 1n (t) where A(t) =... and A n1 (t) A nn (t) B 1 (t) B(t) =.... B n (t) Defining Security Measures for the Dynamical Network Example In many network systems (e.g., power systems, computer networks), the network topology and dynamics are often hidden to the external adversaries. In order to obtain certain global/ partial network state information, an adversary often needs to use the observed status information from a few components (e.g., power stations, Internet hosts) to compute/infer the desired information without disturbing the network. In other words, the first aspect of the sentient adversarial behavior described above is to gain knowledge of the network systems based on observations, without changing the systems (both structures and dynamics). However, such a computation or inference task can become difficult for the following two main reasons: (1) for some cases where the network systems are quite complex or large-scaled, it is often difficult/impossible to obtain information of certain parts of the network, since they do not propagate information to the observation components where the external adversary is; and (2) especially when the systems have stochastic dynamics, and/or certain observation locations may be exposed to extra noise (which we call measurement noise or error), one cannot directly compute the desired information, so certain estimation tools need to be developed. To properly quantify how difficult such a computation or inference task is (equivalently, how easy it is for an adversary to estimate relevant information about the dynamics), we therefore introduce the notation security of network dynamics. We should clarify here that the term security, with regard to the infrastructure networks, has sometimes been used to represent the intrinsic stability property of the network. Let us distinguish that we here measure security in terms of the (possible) behavior of an adversary. That is, our definitions of security (and vulnerability ) capture the degree of difficulty (or performance level) of adversarial behavior on a dynamical network system. Now let us formally present a definition of network security from a control theory perspective.

6 10 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks We assume that a network system has the linear dynamics described in Eq. (1-1) or (1-2). To begin with, we need to properly model the observation processes of an adversary. Specifically, we view an adversary as having available (possibly processed and noisy) status information at certain locations, which we together call the adversary s observation y(t) of the network dynamics. We then need to specify what information an adversary can obtain. Typically, we will assume that, for each component, the adversary has available certain linear combinations or statistics M i (t)x i (t) of the local status vector over a time interval. We can represent a very wide range of adversarial behaviors using this model, by choosing the gain matrix M i (t) properly: (1) if M i (t) is a zero matrix, component i is not an observation location since no information is available; (2) if the matrix M i (t) is an identity matrix, the status at component i can be measured directly; (3) for the case where M i (t) is nonidentity, indirect measurements (i.e., scaled and projected measurements) of the status are obtained. For convenience, we also define a full gain matrix M 1 (t) M(t) =.... M n (t) In this notation, in the case that there is no measurement noise in the observation process, the adversary s observation y(t) is given by y(t) = M(t)x(t). We also consider a more general framework, where the adversary may have available linear combinations of multiple local status vectors. In this case, its observation is given by y(t) = M(t)x(t), where M(t) = [ M 1 (t) M n (t) ], that is, y(t) contains linear combinations of all components statuses. For many applications, uncertainties are present in the observation process, and hence the observations need to be modeled as a random process. Here, we use notation g(t) to represent the measurement noise. Therefore, the full observation process can be written as follows: Equation 1-3 y(t) = M(t)x(t) + g(t). In fact, if certain measurement noise is present in the observation process, the observation y(t) is a random process. What adversaries observe is a realization of y(t), which we call the actual observed data. For simplicity (and in accordance with standard notation), we use the notation y(t) to represent both the random observation process and its realization. Next, in order to develop the security notation based on an adversarial behavior, let us define another preliminary concept, which we call target information. Since we consider the first aspect of an adversarial behavior as a computation/inference task for network dynamics, the target information is the aspect of the model and/or model dynamics that an adversary aims to compute/infer from what he observes. For the modeling framework described above, there are two types of target information that are of particular interest: (1) certain state statistics of the whole network at certain times, and (2) the underlying graph edge weights, A ij (t). We refer to problems of computing/inferring the two types of target information as state estimation problems and parameter estimation problems, respectively. We use the notation s(t) to represent any target information trajectory that an adversary aims to compute/infer. More broadly, for many state/parameter estimation problems, values of s(t) at certain times are of more interest, for example, snapshots of network state x(t), which may include the initial condition of the network, and the asymptotic properties (steady state) of the network dynamics. For instance, in one of the examples described in the Methods section (Section 1.3), we will introduce an initialcondition estimation problem for a discretized linear dynamical network model. As mentioned earlier, since uncertainties are present in network dynamics (e.g., stochastic dynamics, measurement noise), proper estimation tools are needed for both state estimation and parameter estimation problems. Specifically, we need to establish estimators (i.e., rules for approximating the state from observations) to compute/infer the desired s(t). We use notation ŝ(t) to represent the estimate obtained from the measurements.

7 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks 11 In the control theory literature, a broad family of estimators (e.g., Mean Square Error or MSE estimators) for system state and parameters have been well studied [11, 12], although methods for network estimation and network estimator performance analysis are more limited. As we will discuss in the Methods section, such estimation methodologies can be invoked directly or enhanced in modeling adversarial behavior and defining security. So far, we have introduced observation and estimate computation as capabilities of an adversary. Thus, the adversarial behavior can be rephrased as a two-step process: (1) the adversary obtains observations (i.e., y(t)), and (2) he/she uses a proper estimator (i.e., ŝ(t)) to compute/ infer target information (i.e., s(t)). We have now introduced a framework for adversarial behavior in cyber-physical networks that permits a definition of security. Specifically, we view the ability of the adversary to obtain target information (either using his estimator or the best possible estimator) as a measure for security of a dynamical network system. That is, security is characterized as the performance of the estimator ŝ(t), for example, how well an adversary can estimate target information or how close the estimate ŝ(t) is to target information s(t). In other words, the estimation performance is a measure of distance/error between ŝ(t) and s(t), that is, estimation error e(t) = ŝ(t) s(t), for the adversary s estimator or for the best possible estimator. Therefore, the security of a dynamical network system can be defined as the estimation error (with regard to a norm measure, say). However, again, the estimation error e(t) is a random variable when uncertainty is present in the system. In general, a random variable cannot be directly quantified, so certain statistical analysis of e(t) is required in order to measure the estimation performance. Typically, the mean of e(t) (i.e., E[e(t)]) and error covariance measure of the estimator ŝ(t) (i.e., C E[e(t)e T (t)]) are two commonly used representative statistics. For example, we refer to an estimator with zero mean as an unbiased estimator. In many problems (particularly those with multiple target information variables), the error covariance measure C is a matrix, from which a scalar quantitative measure for security must be abstracted. Here, we present several measures of an error covariance matrix C, and briefly describe the motivations behind their use: 1. The trace of the error covariance, that is, the sum of its diagonal entries, is commonly used as a performance measure for numerous estimation tasks including optimal sensor design problems [13, 14]. Note that the trace, which we denote by tr(c), captures the total expected squared error in the parameter estimates [14]. 2. The determinant of the error covariance matrix, det(c), is also widely used as a performance measure in many estimation problems because (i) it captures the volume of the error ellipsoid around the true state/ parameter value, and (ii) it measures mutual information between unknown states/parameters and observations in estimation problems [14]. Based on either interpretation, the determinant of the error covariance matrix is important for us as a measure of the ability of the observations to pin down the target information. 3. Often, we may be interested in the squared error in the estimate of a particular linear combination of the target information, that is, for the estimate of w T s(t) for some vector w. The best estimate is seen to be w T ŝ(t) in that case, and the corresponding estimation error is E[(w T (ŝ(t) s(t))) 2 ] = w T Cw. For instance, we may be interested in the estimate quality for the average of s(t) corresponding to w = 1, or for a particular entry in s(t) corresponding to w as a basis vector. Of particular importance, are the minimum and maximum possible squared errors among unitary linear combinations of s(t). These can be shown to equal the minimum and maximum eigenvalues of C, respectively. In presenting the above measures of security, we have focused on the case where one adversary is seeking to estimate the critical state

8 12 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks information (i.e., target information). In the case where multiple (noncommunicating) adversaries are seeking to estimate a set of target information, it is natural to define security as the minimum among the security values for all adversaries. We have thus given an explicit performancebased definition for security of a dynamical network system. Now let us discuss the connection between the security and graph structure of the network topology. We note that the underlying graph structure plays a critical role in the form/ performance of the estimator. Characterizing this relationship is potentially valuable for several reasons, such as permitting the estimator design without full knowledge of the network structure, designing the network structure to change the security level (i.e., permit or prevent estimation), and facilitating sensor placement for estimator and controller design Definitions of Vulnerability for Infrastructure Network Dynamics A second key goal of our study on infrastructure network protection is to model the vulnerability of the network dynamics to attacks from natural and sentient adversaries. In recent years, the vulnerability of infrastructure networks to both planned cyber attacks, and natural or planned attacks in the physical world, has been of great concern. In fact, studies of vulnerability for a number of key infrastructures in the United States including the air transportation system and electric power networks have highlighted extensive shortcomings in protecting vital infrastructures (to both cyber and physical-layer attacks) and have warned about the high likelihood of costly attacks to these infrastructures. Such concerns have led to renewed scholarly interest in resiliency and robustness of infrastructure systems dynamics (a field that has an extensive history in the engineering sciences), but with the new perspective that cyber components play a critical role in the network dynamics. This recent research has yielded a diversity of new results on engineering for resiliency, ranging from philosophical treatises on the inherent fragility of complex networks to detailed lists of cyber vulnerabilities for a particular infrastructure. Here, we aim to provide definitions for vulnerability that are abstract enough to apply to numerous cyber-physical infrastructures, yet detailed enough to be informative in policy design for these infrastructures. Traditionally, robustness/resiliency of engineered systems has been defined to measure the susceptibility of the system s temporal dynamics to uncertain inputs or changes in the system structure, or more specifically to capture the possibility that the uncertainties can drive the system s state to undesirable locations. Our definitions of vulnerability are founded on these concepts, but are enhanced to (1) account for the complex network structure of modern infrastructures, and (2) capture the characteristics of cyber attacks that impact information on the network dynamics. Precisely, we contend that attacks on modern cyber-physical infrastructures have several special characteristics, which guide the definition of vulnerability for their dynamics. Let us describe these characteristics, so as to motivate our definition: Because modern infrastructure networks often have multifaceted components and large geographical scale, natural adversaries often enact complex spatially correlated modifications of network structure and/or actuations. Typically, some of these adversaries can be forecasted in advance to some extent, whereas others are completely unpredictable. For instance, the air transportation system may be subject to several types of uncertainties, including convective and winter weather events (which can be forecasted with some accuracy), passenger-related uncertainties, and failures in computer systems, some of which display complex spatial or spatiotemporal correlations. Given this characteristic of natural adversaries, the classical perspective on vulnerability needs to be enhanced to (1) allow modeling and (in some cases) forecasting of complex spatially correlated uncertainties and (2) make explicit, in a spatial

9 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks 13 sense, the component(s) in the network that are impacted by each uncertainty. Modern infrastructure networks may be attacked by sentient adversaries that impact the physical network. Like natural adversaries, these sentient adversaries aim at modifying the network structure and actuation. However, they tend to act locally and be more predictable and may be designed (whether through spatial placement or otherwise) to have extensive impact or to be hidden. To define vulnerability to these sentient adversaries of the physical network, we need to characterize how spatially extensive the impact of the local state and topological variations can be. Modern infrastructures may also be attacked by sentient adversaries that impact the cyber capabilities of the infrastructure. In a broad sense, these cyber capabilities measure and tabulate the state information, and in turn either drive automatic control systems or inform human operators of the infrastructure. Thus, sentient adversaries to the cyber system may act to corrupt the measured state information, interrupt communications, or modify automatic control systems. In either case, the action of the cyber adversary will serve to modify the dynamics or structure of the physical network in an undesirable way. We note that such cyber adversaries may be able to access and corrupt both local and networkwide state information (perhaps in a stealthy way) and in turn can cause local or networkwide perturbations to the physical network dynamics. Our definition for vulnerability should permit representation of the complex and potentially hidden attacks that can be conducted by a smart adversary in the cyber world. The consequence of an adversary s attack is a modification in the state dynamics of the physical network. The cost associated with this modification typically will depend on the extent of disruption to the dynamics, but may also be highly dependent on which components of the network have altered the dynamics, and the sense in which the dynamics are altered. This topological aspect to cost should be captured in evaluating the robustness. Based on these observations regarding attacks in the cyber-physical systems, let us develop an enriched definition for vulnerability in the context of the canonical infrastructure network model described above. We develop the definition in three aspects, first modeling attacks on the physical dynamics, then describing the measures for impact on the physical network dynamics, and finally describing a framework for evaluating the overall vulnerability of the network. A Model for Attacks. We propose a model for attacks that can abstractly capture the impact of the above described adversaries on the physical network dynamics, regardless of whether the adversary is natural or sentient, and whether it acts on the cyber- or physical-layer of the network. Specifically, we abstractly view an attack as possibly modifying the linear network dynamics in three different ways: (1) modifying the initial condition x(0) of the network, (2) modifying the network matrix A(t) over an interval [t o,t f ], and (3) modifying the network input u(t) over [t o,t f ]. Specifically, a particular attack is viewed as modifying the initial condition from a nominal value x(0) = x o (0) to x(0) = x o (0) + x (0), altering the network matrix from A(t) = A o (t) to A(t) = A o (0) + A (0), and altering the input from u(t) = u o (t) to u(t) = u o (t) + u (t). The perturbations x (0), A (0), and u (t) can be represented as being determined by either stochastic processes or deterministic rules. It is instructive to briefly discuss typical models for these perturbations, for the adversaries described above. Natural adversaries in the cyber or physical world: Very often, natural adversaries, whether directly acting on the physical-layer or acting through the cyber network, can be viewed as causing time-varying stochastic perturbations to both the network matrix and the input vector. Appropriate models for both physical-layer adversaries (e.g., environmental impacts such as weather-dependent

10 14 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks loads or capacities in a network) and cyberlayer adversaries (e.g., software faults) often must capture significant spatial and temporal correlations in impact, while also capturing wide variation in possible perturbations. We note that many of these perturbations are discrete-valued quantities: for instance, an environmental factor may cause failure of an interconnection or reduction of a nodal quantity (e.g., capacity) to one of a few possible levels. Because of the large geographical scale and complexity of many infrastructure networks, stochastic models for perturbations are often too complex and high-dimensional constructs. In [15, 16], we have introduced one promising methodology for modeling stochastic environmental impacts, as an influence network dynamics that is overlaid on the physical world. Sentient physical network adversaries: A sentient adversary acting directly on the physical network is often well modeled as deterministically perturbing local quantities in the network models, such as initial conditions, inputs, and parts of the network matrix. That is, a sentient advisory can be modeled as altering the inputs and initial conditions in a small subset of the components in the network, and also modifying a subset of the interconnections. Unlike a natural advisory, a sentient advisory often may choose among many possible attack policies, including which components/interconnections to attack and how to modify the inputs and topology (subject to the constraints on the maximum modification). Sentient cyber network adversaries: Sentient cyber network adversaries may disturb automatic control systems or modify the measured state information that is then used by human operators. Abstractly, we also model these sentient cyber adversaries as altering inputs and initial conditions, as well as interconnections, in parts of the network. Unlike physical world advisories, however, the cyber adversaries may cause immediate perturbations at many points in the network. In some cases, cyber adversaries may be able to enact quite refined modifications of the dynamics, and so should be modeled as having many possible attack policies. It is worth noting that cyber adversaries also can enact some changes that serve to modify the dynamical network model itself, not only its parameters: for instance, attacks on the communication system may impose delays on the dynamics. Measuring the Impact of Attacks. Any of the above described attacks serve to modify the physical network s dynamics. The dynamics when a given attack occurs can be simulated or analyzed using the modified network model. The new dynamics must be compared with the original one to determine whether or not the attack is harmful to the network and/or to determine the cost of the attack. It is worthwhile to discuss several measures for such comparison: In many settings, an attack harms the function of an infrastructure network dynamics if it drives the network state to an undesirable value: for instance, an attack on the electric power transmission system can lead to system-wide oscillation and failure, if the voltages at certain buses in the network fall below a threshold. With this motivation in mind, we will classify an attack as harmful if it drives the network state x(t) into a specified set W of undesirable values over an interval of time. We stress that this set may be closely tied with the network topology. Beyond classification of an attack as harmful or not, it is natural to measure the cost of an attack. A variety of metrics for cost can be imagined. One natural way to measure the cost is to quantify the disruption in the state caused by the attack. That is, cost measures that quantify the difference between the nominal state response (say x o (t)) and the response upon perturbation x(t), say according to a maximum error or integrated-squareerror measure, are often appropriate. Note that these measures often may be weighted to reflect the topology of the network: deviations in some network components may exact more significant cost. Alternately, it is also natural to measure the cost of an attack based on the

11 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks 15 extent to which it causes the state to enter the undesirable set W. In this case, the duration of time spent in the undesirable set, or an integration of costs associated with states in the undesirable set, may serve as an appropriate cost measure. Finally, often the cost of an attack may be measured according to an important statistic defined from the dynamics. For instance, if an attack initiates a virus (in a biological or computer network) or makes the network more susceptible to virus spread, then the spread rate (or potential spread rate) may serve as a measure of cost; it can be shown that this spread rate is tied to a dominant eigenvalue of the network state matrix. In defining the above measures of harm/cost, we have viewed the dynamics of the network for a given attack as a deterministic process. In fact, the dynamics of the network (and hence cost) may be stochastic even for a specified (deterministic) attack. In this case, the expected costs and probabilities of the state entering the undesirable set should be used to evaluate the corresponding impact. Defining Vulnerability. We have thus far discussed the modeling of attacks, and measurements of whether or not an attack is harmful and what its cost is, in the context of the canonical network model. We view vulnerability as a measure of the overall susceptibility of the network to harmful/costly attack. Noting that attacks are modeled differently for natural and sentient adversaries (as stochastic vs. designed processes), it is natural to provide a separate definition for vulnerability in each case: An infrastructure network typically can be impacted by multiple natural adversaries, each of which can produce a family of possible attacks according to a stochastic model. We define the vulnerability of the network dynamics as the total probability of the state entering the undesirable set W over an interval of time. We also define the vulnerability cost of the network dynamics as the expected cost due to attacks by the adversaries over the time duration. An infrastructure network may also be impacted by numerous sentient adversaries, whether operating on the physical or cyber network. We view each sentient adversary as being able to choose deliberately among a set of possible attacks. In a deterministic setting, each possible attack either is able to drive the state of the network to the undesirable set or not; in this case, we define vulnerability as a binary measure that indicates that at least one sentient adversary can launch an attack (among its choice of possible attacks) that drives the state to the undesirable set. If the dynamics for each attack are stochastic, instead we will define vulnerability as the maximum probability of the state entering the undesirable set due to any attack by any of the sentient adversaries. Similarly, we will define the vulnerability cost as the maximum among the costs (or expected costs) incurred by each possible attack of each sentient adversary. In our formulation, the evaluation of the vulnerability of a particular infrastructure requires consideration of the impacts of both natural and sentient adversaries, according to the above definitions Integrated Analysis: Prevention, Attack, and Mitigation Together Thus far, we have developed notions of security and vulnerability for infrastructure network dynamics as isolated constructs describing the adversarial impact. That is, we have viewed an adversary s efforts to (1) obtain information about a network s structure and dynamics, and (2) modify these dynamics, as isolated processes that are free from the active intervention by the system designers. In practice, an adversary s ability to launch a destructive attack is often predicated on his ability to estimate the network structure and dynamics, and further the attack will be resisted by active intervention of the system designers. Thus, the concepts of security and vulnerability for infrastructure network dynamics are intertwined, and must be studied

12 16 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks in the context of the system designers efforts to prevent and mitigate attacks. The possibility for such complex attacks and mitigation strategies are becoming especially pronounced as cyber capabilities continue to develop for infrastructure networks, since both adversaries and system designers are able to achieve increasingly more intricate impacts on the network dynamics and information flow. Our viewpoint here is that the definitions for security and vulnerability form the building blocks for understanding the protection of infrastructure network dynamics comprehensively. As our presentation of results will indicate, even characterization of security and vulnerability in isolation is challenging, and comprehensive modeling of the complex attack and mitigation scenarios in cyber-physical systems is in its incipient stages. Thus, we only give a brief discussion of complex attacks and associated mitigation strategies, and exclude formal definitions and measures in this case. Specifically, our focus here is to give a brief description of how some more complex scenarios can be studied using the above security and vulnerability definitions: Scenario 1: Attack Design by Adversaries. Typically, an adversary will need to obtain information about the network structure and possibly dynamics, to be able to choose a possible attack that incurs a significant cost. In such cases, the adversary must consider both its ability to infer the network structure/dynamics and the cost incurred by an attack in determining its strategy. For instance, the adversary may need to choose which network components to attack in order to maximize the inference capability (or in a random fashion), and then to choose among possible attacks at those components to maximize the cost. In such cases, insights into both security and vulnerability are critical to the adversarial behavior. Scenario 2: Prevention of Large-Impact Attacks. A system designer can seek to alter the structure or dynamics of an infrastructure network, so as to prevent large-impact attacks from adversaries. To do so, the system designer will need to understand which possible observation capabilities of adversaries may allow for inference of critical information (i.e., lead to a security violation). Similarly, the designer needs to understand which sets of actuation (attack) capabilities can incur large cost. We note that these efforts to find worst-case security violations and attacks (which incidentally need to be completed by the adversaries also) are, from a control theory standpoint, actuator and sensor placement problems. Once worst-case attacks have been determined, the system designers can pursue modification of the network to achieve higher security and lower vulnerability. We note that a good modification is one that is itself secure from observation by the adversaries. Scenario 3: Attack Detection/Mitigation and Stealth. A system designer may seek to identify an ongoing attack, and hence to apply resources to the network to mitigate its impact. The detection of an attack can be phrased as an estimation of the transient dynamics produced by the adversary s attack, that is, as a security problem in reverse. Similarly, mitigation of an ongoing attack by the system designer can be studied from the standpoint of the adversary s vulnerability to the (typically network-wide) control capabilities of the system designer. Given that the system designer will seek to detect and mitigate attacks, the adversary may seek to develop stealthy or robust attacks, that is, ones that not only produce large impact cost but also minimize the designer s ability to detect or mitigate the attack. We point the reader to [17] for one infrastructure network problem where stealthy attacks and their detection are considered An Illustrative Example So far, we have defined network security/vulnerability from a new network infrastructure perspective. To clarify the new definitions, we present one illustrative case study of an air traffic network system, so as to make the above definitions concrete in a real application area. Specifically, we briefly explain the security concept in the air traffic system from an attacker s viewpoint, and discuss modeling vulnerability to weather using

13 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks 17 an influence model-based dynamical network to capture weather impact on airspace parameters (e.g., capacity levels). The air traffic system is a complex large-scale cyber-physical network, which comprises a huge number of multifaceted components, including, airlines, airports, human traffic controllers, computerized decision support and communication systems, etc. It is important to stress that the air traffic system has numerous unique features, which require special consideration from an infrastructure network engineer s perspective. For example, in order to plan traffic to avoid congestion, attendants of many network components often need to coordinate with each other and come to an agreement before a control command is sent. Uncertain factors like future weather conditions and random human impacts particularly make the system more complex, and have a great impact on the system performance (e.g., flight delay/cancellation). Within the past several decades, a variety of network models (including route-based and flight-based models) have been proposed in order to improve the system performance and build new control tools [18, 19]. In many of these network models, components represent either regions of airspace or facilities and waypoints (e.g., airports, control towers, landmarks). As a whole, one general goal in modeling is to identify appropriate dynamical rules for both flow management and information communication among facilities, in the presence of sentient/natural adversaries that cause uncertainty in the dynamics. Here, let us discuss how such security and vulnerability analysis can potentially be informed using the framework introduced here. Let us begin by discussing the network security problem of the air traffic system. Air traffic operators are motivated to characterize security due to the threat of certain sentient adversarial behaviors, for example, human attacks on an aircraft or an airport, attacks on computer decision support systems, or attacks using an aircraft. As the air traffic system becomes increasingly automated, it is plausible that such attacks may be carried out through the cyber (decision support) system associated with the air traffic network. To this end, an attacker may want to figure out where a target plane is or which the most significant airport/ control tower is for air traffic management purposes before an attack. Such information could be obtained from the attacker even from partial knowledge of the network topology and dynamics for instance, information about management actions in place and partial information about filed flight plans. By observing available local information, he/she may be able to estimate the target location and the importance of an airport or traffic center for flow management at a particular time. From this perspective, how accurate this estimation is largely depends on how the network model behaves. In other words, if a network designer can hide certain information by changing some topological network structure, or add some noise to the attacker s observation process or even to the network dynamics, the security of the air traffic network system will be increased as well. The framework that we have introduced here permits us to explicitly study such problems in the context of network models for traffic flow or aircraft. Compared to the network security problem, vulnerability of the air traffic network system is often related to both sentient and natural adversarial behaviors, which may change the model parameters, network states, or even system inputs. Of these two behaviors, the sentient adversarial behavior can be either a deliberate attack or an unexpected human mistake. However, in the air traffic system, most delays are caused by uncertain weather conditions at future times since severe weather greatly reduces airspace capacities (including both en route planes and ground conditions). Of particular interest, decision support capability at a strategic (2 h per day) remains challenging to us since weather uncertainty significantly reduces the ability to predict airspace capacities at future times. For instance, if weather forecasts were nonprobabilistic and 100% accurate, airspace capacities could be determined based on future weather conditions. Then, strategic flow control plans (e.g., flight routes, ground managements) could be scheduled as well. Unfortunately,

14 18 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks weather forecasts at the time horizon of interest are inaccurate; this stochasticity yields significant complexity in analyzing the system and planning traffic flows. Recently, our group has developed an influence model-based weather-impact simulator to generate possible future weatherimpact scenarios [16] that match probabilistic forecasts. In the simulator, each site/node represents one geographical region and has two possible weather-impact statuses: low capacity and high capacity. Also, a directed edge between sites indicates that the corresponding two sites can have an impact on each other s next-timestep status. We specifically view that uncertain weather can modify the model parameters (e.g., influencing rates between sites). If severe weather (like a thunderstorm or blizzard) happens, the model s dynamics will yield many areas with low capacity status. Of key importance, the tool generates possible scenarios of weather impact. Using this information and combining the weather-impact model with traffic flow models, the network designer can potentially achieve better planning of flow management capabilities to reduce financial costs while increasing security and reducing human controller workloads. Thus, our preliminary effort [16] suggests that a stochastic automation model for environmental uncertainty, used in cohesion with a model for the infrastructure network s dynamics, can permit analysis of and resolution of a threat. This is an illustration of the framework for vulnerability analysis introduced here. We stress that, although we define network security/vulnerability in an explicit way, not all systems can be modeled using the linear model described in Eq. (1-1) or (1-2), nor do all adversaries have the observation processes of the form specified in Eq. (1-3). For instance, nonlinear queuing models are often more apt than linear ones for traffic flow management applications. However, the definitions are general/broad enough to capture many networks dynamics, and serve as representative approximations for gaining simple insights for many other networks. Meanwhile, they permit us to complete fundamental analyses for threat response: how to relate a network s partial reactions to the whole networkwide performance, or simply how network topology plays a role in determining network dynamics and its responses to exterior stimulations. Even for other application cases where these definitions need to be slightly rephrased, we believe that the essence of the analysis remains similar NETWORK CONTROL TOOLS FOR CHARACTERIZING AND DESIGNING SECURITY AND VULNERABILITY The above definitions for the security and vulnerability of infrastructure network dynamics aim to enhance both classical computer science notions and engineering notions to permit meaningful analysis of threats and uncertainties in modern infrastructures involving both cyber and physical aspects. As such, these definitions differ significantly from existing notions of security/vulnerability. We thus might expect that new methodologies are needed for systematic study, design and analysis of cyber-physical security and vulnerability revolving around these definitions based on network control theory. Therefore, we might expect that techniques from the field of network controls are relevant for resolving the definitions. Unfortunately, classical work in network control theory largely viewed topological network interactions as disturbances to local dynamics [20], whereas our understanding of infrastructure network security/vulnerability makes it very clear that the network interactions are of critical importance. Very recently, a new literature [21, 22] on network controls has emerged, that is focused on exposing the role of a complex network s topology in its dynamics, and hence exploiting the topological structure in inference and control. While this literature almost exclusively has not focused on security and vulnerability, and no comprehensive studies of these concepts are available, it does contain interesting treatments of inference and design in networks that are very relevant to our analysis of security/vulnerability.

15 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks 19 In this section, we briefly overview some exciting control-theoretic tools for analyzing and designing networks under uncertainty, that are promising for evaluating security/vulnerability according to the broad definitions above. Let us stress that these tools provide only a partial characterization even for the simple canonical network model described above, but they are promising stepping stones toward an integrative treatment. We view a comprehensive treatment of security and vulnerability for infrastructure networks as a task of critical importance, and hope that this chapter serves to stimulate further research on the topic (by both control-theoretic and other means). In the following, let us briefly review four sets of tools from the emerging network controls literature. First, we will introduce tools for network estimation and graph-theoretic characterization of estimators that are relevant in characterizing and designing network security. Second, we will overview tools for modeling the spatiotemporal evolution of the environmental uncertainties and interfacing these models with infrastructure network models; we believe that these methods can facilitate analysis of vulnerability to natural adversaries. Third, tools for graph-exploiting network control and design will be discussed, that can help characterize vulnerability to sentient adversaries. Consideration of the modeling, estimation, and design tools highlights the following: the connectivity of an infrastructure network and the locations of observers/actuators in the network play a central role in determining security and vulnerability levels. Many large-scale infrastructure networks have a special topological structure, consisting of strongly connected subnetworks that are weakly interconnected; it is this connectivity structure that primarily modulates security and vulnerability. Given the key role of the connectivity structure, tools for network partitioning are also necessary for analyzing and especially designing the security/vulnerability levels on infrastructure networks. Although a wide range of network partitioning tools can be brought to bear, signal-based partitioning methods that are based on control-theoretic features of local responses (e.g., damping or rise time measures) are especially promising because their performance in security/ vulnerability analysis potentially can be determined. We introduce such network partitioning tools as the fourth and final tool set. In the interest of space, we will only develop one of the tool sets namely the tools for network estimation in some detail. For the other three directions, we will solely focus on providing pointers to relevant literature, and presenting figures on some key results Tools for Network Inference Recently, a few research groups, including our group, have been developing results on estimation in networks that can potentially allow characterization of network security. Specifically, we believe that an infrastructure network s structure plays a critical role in determining network security, so our attention is primarily focused on characterizing network structure and its relationship to network security. The new results on estimation in networks characterize the effectiveness of estimation (i.e., the security level) in terms of the network s topological (graph) structure, and hence are central to the topological characterization of network security according to the definitions above. These graph-theoretic studies of estimation do not yet provide a comprehensive treatment of security for the canonical network model: they are only applicable to certain model sub classes (e.g., Markov chains or Laplacian networks [8, 9]), specialized observation capabilities (e.g., only observation of the full state at a single network component) and target information (e.g., full-state estimation), and only some performance measures. Nevertheless, they constitute a very promising starting point in studying network security from a graph-theoretic standpoint. Here, we introduce three graph-theoretic results on network estimation (one in a bit of detail, the other two quite briefly). Specifically, we discuss (1) initial-condition estimation in a Laplacian network dynamics, (2) steady-state probability estimation on an ergodic Markov chain, and (3) mode estimation in a Laplacian network, with

16 20 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks the hope of providing the reader with a brief tutorial in the network estimation methods. Initial-Condition Estimation on a Laplacian Network System. Synchronization or diffusion phenomena are common in modern cyberphysical networks: for instance, in the cyber world, some agreement and flooding algorithms have this form, whereas numerous physical dynamics such as electric power and diseasespread dynamics can also be well approximated in this way [10, 23, 24]. Thus, we are motivated to study security in network synchronization processes, by characterizing the performance of structure or dynamics estimator that use noisy local data. That is, we are motivated to characterize the ability of an adversary to estimate aspects of a synchronization dynamics, from local and noisy measurements. In fact, in our recent work, we have pursued a graph-theoretic analysis of state inference in discrete network synchronization (or diffusive) processes. Precisely, we have studied estimation of a nonrandom initial condition of a canonical synchronization dynamics defined on a Laplacian graph, from noisy observations at a single network node (see Figure 1-2). The key outcomes of this study are a family of relationships between a network s topological structure and the performance of initialcondition estimators; these results highlight that the network s topology, and the location of an adversary, plays a critical role in the security level; as such, the results also guide the design of diffusive dynamics that are secure. To give the reader some insight into the mathematics underlying the performance analysis, let Observation signal at node 2: y[k] = x 2 [k] + g[k] 1 2 Observation node 4 3 FIGURE 1-2 An example of initial-condition estimation on a Laplacian network. us briefly describe the synchronization model and initial-condition estimation problem, before summarizing results of the performance-analysis [8]. Most broadly, we consider a linear timeinvariant (LTI) dynamics specified by a weighted and directed graph G. Precisely, let us consider a graph Ɣ = (V,E : ), where the vertex set V contains n elements labeled 1,...,n, the edge set E contains q directed edges or ordered pairs of distinct vertices, and each edge (i,j) in E has associated with it a positive weight ω ij as given in the weight set. To describe the diffusive network dynamics, we find it convenient to specify an m m diffusion matrix L from the graph Ɣ, as follows: We set L ij equal to ω ij, for each ordered pair (i,j) E. We set L ij, i = j, equal to 0 otherwise. Lij. That is, we choose the diagonal entries so that each row sum is 0. We choose L ii = n j=1,j i Now let us specify a network s (discrete time) dynamics in terms of the diffusion matrix specified above. Specifically, we consider a network with n components or nodes labeled 1,..., n, which correspond to the n vertices in the graph G. We associate with each component a state x i [k ], that evolves in discrete time (for k = 0,1,2,...). To specify the network dynamics, let us define a network state x[k ] = [ x 1 [k] x n [k ] ] T. We consider the following evolution of the network state: Equation 1-4 x[k + 1] = x[k ] δlx[k ], where δ R scales the magnitude of the interactions among the network components specified in L (and, for instance, may represent a time step in a discretization of a continuous-time process). We note that the dynamics in Eq. (1-1) describes a process of state equalization through balancing or flow between each component and its graphical neighbors, and hence can be viewed as a diffusive dynamics. The edge-weight w ij in the graph captures the strength of impact of node i s current state on node j s next state, or

17 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks 21 in other words the extent of diffusing coupling from i to j. Our primary focus is to infer the unknown initial state x[0] of the network dynamics above from a sequence of noisy measurements at a single component j {1,...,n}, and relate the estimator and its performance to the structure of the graph, Ɣ. Specifically, we consider inference from a sequence of N observations y[0],y[1],...,y[n], where the observation signal at time step k (k = 0,1,...,N) is given by Equation 1-5 y[k ] = e T j x[k ] + g[k ], where e j is a standard basis vector with the unity entry in the jth component, and g[k ] is a sample of a scalar Gaussian white noise process with zero mean and variance σ 2. We refer to the component j where the observation is being made as the observation location/node. In the nominal case that the observations are not corrupted by noise, it is automatic that the initial condition either can be estimated perfectly or not at all, and that the condition for estimation resolves to an observability test for the dynamic system. For this nominal case, we are thus interested in how the network s topological structure impacts observability of the dynamics. In the more general and realistic case that noise is present, we progress by characterizing the maximum-likelihood estimate of the initial condition and the associated Cramer Rao bound [7]. Doing so, we identify graph properties (e.g., symmetries, interconnection strengths, spectral measures) that determine whether or not estimation is possible and also the quality of the estimate: these results are obtained through a combination of system-theoretic and optimization methods, together with algebraic graph theory techniques. From our perspective, these results provide explicit characterizations of security in terms of relevant network and adversary characteristics; as such, they also guide system design for security and, conversely, adversary design to reduce security. Holistically, they underscore the critical role of the network structure in determining security. Although the problem addressed here is a small subset of the full security analysis problem (only synchronization dynamics are considered, only the initial condition is estimated, and the observation process is purely local), we expect the presented methods to guide analysis of security in a much broader setting. Steady-State Probability Estimation for an Ergodic Markov Chain. Like synchronization models, Markov chains have been very widely used to represent networked cyber world and physical world phenomena. For instance, they are used to represent such diverse phenomena as movement of mobile users, action sequences of landing aircraft, and biochemical state changes, and it is clear that the Markov model s graph structure plays a critical role in its dynamics. As such, security and vulnerability analysis for Markov models, which translate to problems regarding estimability and perturbation of their dynamics (as defined in Section 1.2), are of great interest. We are just beginning to develop graph-theoretic characterizations of estimators and modifications of Markov-chain dynamics. As a first step in this direction, we have developed a spectral and graph-theoretic performance analysis of a classical estimator for steady-state probabilities in [9]. Specifically, we have connected a performance measure for the estimate to the structure of the underlying graph defined on the Markov chain s state transitions. To do so, we have developed a series of upper bounds on the performance measure in terms of the subdominant eigenvalue of the state transition matrix, which is closely connected with the graph structure. As an illustration of the graphtheoretic analysis, we have then related the subdominant eigenvalue to the connectivity of the graph, for both a strong-connectivity case and the weak-link case. Spectrum Estimation in a Laplacian Network. We recall that our definition of security is also concerned with whether or not a network s topology (graph-structure) can be estimated, with the motivation that an adversary often may not know the graph structure. We have taken the first step in this direction, by pursuing spectrum estimation in synchronization models.

18 22 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks The spectrum (eigenvalues and eigenvectors) of the state matrix describing a network s dynamics provides a full, and highly insightful, characterization of these dynamics (and of the graph topology itself). Thus, estimation of the spectrum of the network matrix of the canonical model, and especially estimation of its eigenvalues, is central to understanding security. We have begun to study spectrum estimation, for the particular case of a Laplacian network dynamics [7]. In particular, the article [7] develops a family of graph-theoretic characterizations of optimal estimator performance, for the problem of estimating the eigenvalues of a Laplacian network dynamics from observations at a single component. Of special importance, the article characterizes the performance of such estimators in the case that the graph has strongly interconnected subgraphs with weak links between them (as is very common in infrastructure networks) Tools for Modeling Environmental Uncertainties To achieve a comprehensive treatment of security and threat resolution in cyber-physical systems, we require appropriate models for uncertainties impacting the system dynamics. In our framework, these models are necessary for capturing the impact of natural adversaries acting in either the cyber or physical world. In some cases, they may also be useful for representing sentient adversaries with unknown capabilities. Broadly, we can view these uncertainties as diverse unknown environmental signals that impact the cyber or physical infrastructure. Although environmental uncertainties have been extensively modeled (e.g., in the weather forecasting community), it is becoming clear that much remains to be done to model the impacts of these uncertainties on engineered networks. Our research group is developing a framework for spatiotemporal modeling of such uncertain environmental impacts that is promising for several infrastructure network applications, including air traffic management and virus-spread mitigation. A common theme in our ongoing modeling efforts is the use of the influence model [25, 26], a stochastic automaton that has certain special moment-linearity properties, in representing environmental impacts. Broadly, influence modeling of environmental impact is promising because it can capture the rich hybrid, stochastic, and spatiotemporal evolution of environmental impact. At the same time, the model is sufficiently structured to permit (1) fast simulation and hence fast generation of impact (or threat) scenarios, (2) meshing with models for infrastructure dynamics to permit comprehensive analysis of impact, (3) analysis and estimation in the meshed model, and (4) parameterization to match more detailed, application-specific knowledge of environmental impact (for instance, weather forecasting and capacity-modeling knowledge in air traffic management [16]). Figure 1-3 shows several explorations of environmental-impact modeling using the influence model, that take advantage of these tractabilities. Let us stress that much remains to be done in the environmental-impact modeling aspect. Two outstanding tasks of particular interest to us are to (1) compare influence models with traditional Bayesian-network models in the computer sciences, and (2) fully analyze meshed linear and influence models and pursue inference in these meshed models. The second of these tasks, especially, is crucial to using the environmentalimpact models in network security studies, since its completion will permit evaluation of vulnerability to natural adversaries and consequent threat response Graph-Theoretic Tools for Network Control and Design The notion of design in complex dynamical networks, whether due to deliberate central planning or through evolutionary drives, has been studied in some depth in recent years [21, 22, 27, 28] (see Figures 1-4 and 1-5 for some illustration). At their core, these studies are concerned with designing nodal controllers or topological properties for a complex network, so as to shape or optimize the network s dynamics with

19 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks (a) h 4.5 h h (b) h FIGURE 1-3 We illustrate an influence model for a natural adversary s spatiotemporal impact. In particular, we model the impact of winter weather on traffic capacities in regions of the airspace. (a) shows the modeled regions (overlaid on a map of the Pacific Northwest). (b) shows probabilities of weather impact as obtained from the influence model, whereas (c) shows one stochastic trajectory of weather impact as generated by the influence model.

20 24 CHAPTER 1 Security and Vulnerability of Cyber-Physical Infrastructure Networks h 4.5 h h FIGURE 1-3 (continued) (c) h respect to a performance measure. These studies of complex network design are germane to our control-theoretic framework for security and vulnerability, for several reasons: (1) They identify typical structures of deliberately designed infrastructure networks, and so they hold promise for allowing specialization of security/vulnerability analyses (for instance, the inference-based analyses) to these special structures. That is, we can determine whether typical designed networks have favorable or unfavorable security/vulnerability properties, and develop response strategies based on these characterizations. (2) With some enhancement, the deliberate design methods can be used by infrastructure network engineers to allocate available resources to improve security or reduce vulnerability. Specifically, the design methods must be extended to the case that the performance metric for design includes security and/or vulnerability measures, in addition to other metrics for the network s dynamical performance. In the same vein as the network design results currently in the literature, we envision that designing for security will reveal high-security topological structures, and low-resource topology modifications that achieve these structures. Such design methods may also aid in constructing threat response policies. (3) We envision that the network design methods can conversely be used by sentient adversaries, to design sensing