In Quest of Benchmarking Security Risks to Cyber-Physical Systems

Transcription

1 In Quest of Benchmarkng Securty Rsks to Cyber-Physcal Systems Saurabh Amn, Massachusetts Insttute of Technology Galna A. Schwartz, Unversty of Calforna at Berkeley Alefya Hussan, Unversty of Southern Calforna Abstract We present a generc yet practcal framework for assessng securty rsks to cyberphyscal systems (CPSs). Our framework can be used to benchmark securty rsks when nformaton s less than perfect, and nterdependences of physcal and computatonal components may result n correlated falures. Such envronments are prone to externaltes, and can cause huge socetal losses. We focus on the rsks that arse from nterdependent relablty falures (faults) and securty falures (attacks). We advocate that a sound assessment of these rsks requres explct modelng of the effects of both technology-based defenses and nsttutons necessary for supportng them. Thus, we consder technology-based securty defenses grounded n nformaton securty tools and fault-tolerant control n conjuncton wth nsttutonal structures. Our game-theoretc approach to estmatng securty rsks facltates more effectve defenses, especally aganst correlated falures. Survvablty of crtcal nfrastructures n the presence of securty attacks and random faults s of natonal mportance. These nfrastructures are spatally dstrbuted across large physcal areas, and consst of heterogeneous cyber-physcal components nterconnected by communcaton networks wth complex peerng and herarches. Networked control systems (NCSs) and supervsory control and data acquston (SCADA) systems are wdely used to montor, control, and remotely manage nfrastructures over prvate or shared communcaton networks. Such cyber-physcal systems (CPSs) permt synergstc nteractons between physcal dynamcs and computatonal processes. Wde deployment of nformaton and communcaton technologes (ICT) n CPSs results n hgher relablty and lower operatonal costs relatve to the tradtonal propretary and closed systems. However, as recent ncdents ndcate, today s CPSs face new securty threats drven by ther exposure to ICT nsecurtes. Securty Threats To develop a classfcaton of securty threats to CPSs, we frst outlne how the operator(s) of modern CPSs typcally approach the montorng, control, and management of nfrastructures. As shown n Fg. 1, they use a layered archtecture consstng of regulatory control (layer 1), supervsory control (layer 1), and a management level (layer 3). Ths archtecture enables robust composton of multlevel controllers, and permts CPS operators to use defenses to lmt the effects of falures caused by faults and/or attacks. The regulatory control layer drectly nteracts wth the underlyng physcal nfrastructure dynamcs through a network of sensors and actuators. These feld devces are connected to programmable logc controllers (PLCs) or remote termnal unts (RTUs), and mplement detecton and regulaton mechansms that are prmarly reactve n nature. These mechansms can also respond to localzed falures of feld devces and communcaton lnks. The regulatory controllers (or PLCs) nteract wth the supervsory controllers va a control network. At the supervsory control layer, model-based dagnostc tools are combned wth optmal control-based tools to ensure on-tme response to dstrbuted falures. The supervsory workstatons are used for data loggng, dagnostc functons such as fault dagnoss, and supervsory control computatons such as set-pont control and controller reconfguratons. Lastly, the management (topmost) layer focuses on strateges that maxmze the operator s proft whle mnmzng ts losses due to securty and relablty falures. The CPS operator and other authorzed remote users can access nformaton about the CPS processes and send specfcatons to the controllers at lower layers va the Internet or a corporate network. Securty threats to herarchcally managed CPSs arse from four channels. Frst, CPSs nhert vulnerabltes from embedded commercal off-the-shelf ICT devces, and are subject to correlated software bugs and hardware malfunctons. Second, the propretary protocols and closed networks are beng replaced wth standard open Internet protocols and shared networks. Malcous attackers capable of explotng protocol and network nsecurtes can target CPS operatons. Thrd, numerous partes generate, use, and modfy CPS data. Ths poses new challenges n access control and authorzaton among the strategc players such as the operators, SCADA and ICT vendors, and end users of the system. Fourth, CPSs employ a large number of remote feld devces that can be accessed va short-range communcatons. Thus, CPSs are vulnerable to adversaral manpulaton, both remote and local. Adversares can explot the aforementoned threat channels va denal-of-servce (DoS) and decepton attacks, whch result n losses of avalablty and ntegrty of sensor-control data, /13/$ IEEE 19

2 Electrc power Water and gas Relablty and securty rsk management Internet Layer 3 Dagnoss, response, and reconfguraton Control network Detecton and regulaton Sensor actuator network Physcal nfrastructures Layer 2 Layer 1 Attacks Defenses Faults Buldngs Transportaton Fgure 1. A layered archtecture for management of CPS. respectvely. In Table 1, we present examples of securty attacks on the regulatory and supervsory control layers. Attacks at the management level are smlar to attacks on computer networks. We refer the reader to [1, 2] for specfc dscussons on securty attacks to smart grd nfrastructures. Classfcaton of Correlated Falures The danger of correlated falures becomes especally profound n CPSs due to the tght couplng of typcally contnuous physcal dynamcs and dscrete dynamcs of embedded computng processes. Correlated falures orgnate from one or more of the followng events: Smultaneous attacks: Targeted cyber attacks (e.g., falures due to Stuxnet); non-targeted cyber attacks (e.g., falures due to Slammer worm, dstrbuted DoS attacks [3], congeston n shared networks); coordnated physcal attacks (e.g., falures caused by terrorsts) Smultaneous faults: Common-mode falures (e.g., falure of multple ICT components n an dentcal manner [4], programmng errors); random falures (e.g., natural events such as earthquakes and tropcal cyclones, and operator errors such as an ncorrect frmware upgrade) Cascadng falures: Falure of a fracton of nodes (components) n one CPS subnetwork can lead to progressve escalaton of falures n other subnetworks (e.g., power network blackouts affectng communcaton networks, and vce versa) [5]. The above classfcaton s nether fully dsjont nor exhaustve. Stll, we envson that t wll be useful for CPS rsk assessment. We term correlated falures caused by smultaneous attacks as securty falures and smultaneous faults as relablty falures. Due to the tght cyber-physcal nteractons, t s extremely dffcult (and often prohbtvely tme-consumng) to solate the cause of any specfc falure usng the dagnostc nformaton, whch, n general, s mperfect and ncomplete. Thus, relablty and securty falures n CPSs are nherently ntertwned. We beleve that the quest to fnd a mutually exclusve and jontly exhaustve partton of falure events must be abandoned. Instead, the research emphass should shft to the analyss of nterdependent relablty and securty falures, and rsk assessment. Informaton and CPS Rsks The Interplay of Technologcal Defenses and Insttutons There are two types of technologcal means to reduce CPS rsks: ICT securty tools and control-theoretc tools. The ICT securty tools nclude authentcaton and access control mechansms, network ntruson detecton systems, patch management, and securty certfcaton. In practce, the effectveness of these securty tools s lmted by CPS relablty and cost consderatons. For example, the frequency of securty patch updates s lmted by the real-tme constrants on the avalablty of CPS data; common crtera certfcaton s lmted by the resources for CPS securty and so on. The control-theoretc tools nclude model-based attack/fault detecton and solaton, robust control strateges that mantan closed-loop stablty and performance guarantees under a class of DoS/decepton attacks, and reconfgurable (swtchng) control strateges to lmt the effect of correlated falures. Recently, several organzatons (e.g., NIST, NERC, DHS) have proposed securty standards and recommendatons that combne the ICT-specfc securty defenses wth control theoretc tools. Whle technology-based defenses for CPS are the man channel to mprove ther survvablty aganst correlated falures, the mere exstence of these defenses s not suffcent. It s well establshed that the lack of prvate partes ncentves for securty mprovements s a severe mpedment to achevng socally desrable mprovements of CPS securty [6]. Indeed, large-scale crtcal nfrastructures are typcally managed by proft-drven prvate enttes. Proper mplementaton of technologcal defenses and reslent operaton requres complance of relevant enttes. Below we hghlght the nformatonal defcences that negatvely affect the ncentves for securty. Informatonal Defcences Due to the prohbtvely hgh costs of nformaton acquston, t s often too costly to determne the followng: Whch hardware malfunctons and software bugs have caused a system falure Whether the system falure was caused by a relablty falure or securty falure or both In many cases, ths nformaton vares sgnfcantly across dfferent enttes (players), such as CPS operators, SCADA and ICT vendors, network servce provders, users, and local/ federal regulatory agences (or government). Informaton defcences arse from the conflctng nterests of ndvdual players whose choces affect the CPS rsks. One may say that nterdependent falures cause externaltes that result n msalgned player ncentves (.e., the ndvdually optmal CPS securty defenses dverge from the socally optmal ones). Moreover, n envronments wth ncomplete and also asymmetrc (and prvate) nformaton, the socetal costs of a correlated CPS falure typcally exceed the losses of the ndvdual players whose products and servces affect CPS operatons, and on whose actons the CPS rsks depend. Specfcally, nterdependences between securty and relablty falures n CPS are lkely to cause negatve externaltes. In such envronments, the ndvdual players tend to undernvest n securty relatve to a socally optmal benchmark. Ths requres desgn of nsttutonal means to realgn the ndvdual players ncentves to make adequate nvestments n securty. Examples of nsttutonal means nclude regulatons that requre players to certfy that they possess certan securty capabltes, and legal rules whch mandate that players share nformaton about securty ncdents wth government agences and/or the publc through establshed channels. 20

3 Control layer Decepton attacks DoS attacks Regulatory control Spoofng, replay Measurement substtuton Physcal jammng Increase n latency Table 1. Cyber-attacks to CPS control layers. Clearly, these ndvdual players cannot completely elmnate the rsk of CPS falures even n the presence of advanced technologcal defenses and nsttutonal measures, whch am to reduce (or even elmnate) ncentve msalgnment between ndvdual and socally optmal securty choces. For example, consder a benchmark case when securty defenses are optmally chosen by the socal planner for a gven technologcal and nsttutonal envronment. There stll remans a resdual rsk drven by fundamental physcal lmts. Indeed, when securty defenses are chosen by ndvdual players, the rsk s only hgher. Thus, non-neglgble (publc) resdual rsks are characterstc for CPSs that are subjected to correlated falures. So far, the occurrence of extreme correlated falures have been statstcally rare. However, wth the emergence of organzed cyber-crme groups capable of conductng ntrusons nto NCS/SCADA systems, the rsks of such rare falure events cannot be gnored. Unsurprsngly, cyber-warfare s projected to become the future of armed conflct, and managng CPS rsks must be at the core of any proactve defense program. Benchmarkng CPS Rsks Due to the aforementoned challenges, benchmarkng CPS rsks s a hard problem, and several questons reman unanswered [7 9]. Our goal n ths artcle s twofold: We suggest a game-theoretc framework that assesses securty rsks by quantfyng the msalgnment between ndvdually and socally optmal securty nvestment decsons when the CPS comprses nterdependent NCS. We advocate that better nformaton about these rsks s a prerequste to mprovement of CPS securty va a combnaton of more sophstcated technology-based defenses and the advancement of ther supportng nsttutons. Improved assessment of the CPS rsks wll lead to several benefcal developments, such as mproved rsk management at both the ndvdual and socetal levels. Thus, a standardzed framework should be establshed that can assess and compare dfferent technologcal and nsttutonal means for rsk management. At the very least, better knowledge of CPS rsks wll permt the players to make more nformed (and therefore better and cheaper) choces of securty defenses, thus mprovng the socetal welfare. Framework to Benchmark CPS Rsks Supervsory control Set-pont change Controller substtuton Network floodng Operatonal dsrupton We now present a rsk assessment framework from the perspectve of CPS operators. Our setup can readly be adapted to assess rsks from the perspectve of other players. CPS wth a Centralzed Control System Consder a CPS wth m ndependent components managed by a sngle operator (.e., centralzed control system). For the th component, let W denote the set of all hardware flaws, software bugs, and vulnerablty ponts that can be compromsed durng any relablty and/or securty falure event. The falure events form a collecton of subsets of W, whch we denote by F. Let the random varables X R : W Æ R and X S : W Æ R represent the relablty and securty levels of the -th component, respectvely, wth jont (cumulatve) dstrbuton functon: F X R,X S (x R, x S ) = P{w ŒW Ô X R (w) x R, X S (w) x S }, where the measure P assgns probabltes to falure events. Notce that the relablty level X R and securty level X S are defned on the same measure space (W, F ), and they are not mutually ndependent, that s, F XR,XS (x R, x S ) F XR (x R ). F XS (x S ). Unfortunately, the CPS operator does not have perfect knowledge of these dstrbutons. Reasonable estmates of F XR (x R ) may be obtaned from hstorcal falure data. However, estmatng the jont dstrbuton F XR,XS (x R, x S ) s dffcult as attackers contnue to fnd new ways to compromse securty vulnerabltes. In general, the random vector (X R, X S ) s nfluenced by: Acton set of the CPS operator A = U» V, where U : = {U 1, U m } and V : = {V 1,, V m } denote the set of control and securty choces, respectvely Acton set of other players B, such as vendors, attackers, servce provders, users, and regulatory agences Envronment E, ncludng the technologcal, organzatonal, and nsttutonal factors For gven relablty and securty levels x R, x S, let the functon L (x R, x S ) denote the losses faced by the CPS operator when the th component fals (e.g., the cost of servce dsruptons, mantenance/recovery costs, and penaltes for users sufferng). Then, for CPS wth m ndependent components, the aggregate rsk can be expressed as: 1 ( ) m R= R L ( X R, X S ), = 1 where the functonal R assgns a numercal value to each random varable L wth dstrbuton functon FL. Henceforth, we use the expected (mean) value of loss, m(l ) = E[L (X R, X S )], as a metrc of R, but cauton that t s nadequate to capture rsk of extreme falure events. 2 From Eq. 1, we observe that the aggregate rsk s also nfluenced by actons A, B, and envronment E. To emphasze ths dependence, we wll use R(A, B, E) to denote the aggregate CPS rsk. For a gven envronment E and fxed choces B of other players, the CPS operator s objectve s to choose securty actons V and control actons U to mnmze the total expected cost J(U, V) of operatng the system: J(U, V) = J I (V) + J II (U, V), (2) where J I (V) : = S m =1 l (V ) denotes the operator s cost of employng securty choces V, and J II (U, V) s the expected 1 The assumpton of ndependent components can easly be relaxed to nclude parallel, seres, and nterlnked components. 2 Other commonly used choces of rsk R nclude the mean-varance model: m(l ) + l s(l ), where l > 0 and s(l ) s the standard devaton of L ; and the value-of-rsk model: VaR a (L ) = mn {z F L(z) a }, whch s the same as a -quantle n dstrbuton of L. (1) 21

4 l so 1 l so 2 and and {S,N} and l so 2 and l so 2 and l so 1 l so 1 l so 2 l so 2 (a) (b) Fgure 2. Indvdual optma (Nash equlbra) and socal optma. operatonal cost. From Eq. 2, when the CPS operator s securty choces are V, s/he chooses control actons U = m*(v) to mnmze total expected cost, where m*(v) s an optmal control polcy. Let the CPS operator s mnmum cost for the case when securty choces are V and { } (.e., no securty defenses) be defned as J (V) : = J(m*(V),V) and J 0 : = J(m*({ }), { }), respectvely. To evaluate the effectveness of V, we use the dfference of correspondng expected costs: D(V) : = J 0 J (V). (3) CPS wth Interdependent Networked Control Systems Let us focus on the ssue of msalgnment between ndvdual and socally optmal actons n the case when a CPS comprses multple NCSs communcatng over a shared network. In contrast to the above, we now assume that each NCS s managed by a separate operator. The NCS operators choose ther securty levels to safeguard aganst network-nduced rsks (e.g., due to dstrbuted DoS attacks). Each NCS s modeled by a dscrete-tme stochastc lnear system, whch s controlled over a lossy communcaton network: Thus, D(V) denotes the CPS operator s gan from employng securty choces V. It can be vewed as the reducton of operator s rsk when s/he chooses V over no defenses, that s, xt + 1 = Axt + vt But + wt yt = γ t Cxt + vt t N 0, M, (5) R(A 0, B, E) R(A(V), B, E) = D(V), (4) where A(V) and A 0 denote the acton set correspondng to securty choces V and { }, respectvely. The problem of choosng optmal securty choces V* can now be vewed as an optmzaton problem over the set of securty defenses: max Δ( V), subject to the constrant J( V) K, v where K s the avalable budget for securty nvestments. The resdual rsk after the mplementaton of optmal securty choces V* can be obtaned as R(A 0, B, E) D(V*). Rsks from falure events (those resultng from securty attacks, random faults, cascadng falures, etc.) can thus be estmated and compared, and the best securty defenses V correspondng to antcpated falure types can be selected by the CPS operator. The above analyss assumes that the choces B of other players do not change n response to the CPS operator s choces A. When players are strategc, the optmal securty choces must be computed as best responses to the other players (Nash) strateges. Fnally, government or regulatory agences can also nfluence the envronment E. where M denotes the number of players, x t Œ R d the state, u t Œ R m the nput, w t Œ R d the process nose, y t Œ R p the measured output, and v t Œ R p the measurement nose, for player P at the tth tme step. Let the standard assumptons of lnear quadratc Gaussan (LQG) theory hold. The random varables g t (resp. n t ) are..d. Bernoull wth the falure probablty ~ g (resp. ~ n ), and model a lossy sensor (resp. control) channel. We formulate the problem of securty choces of the ndvdual players as a non-cooperatve two-stage game [10]. In the frst stage, each P chooses to make a securty nvestment (S) or not (N). The set of player securty choces s denoted V : = {V 1,, V m }, where V = S f P nvests n securty and N f not. Once player securty choces are made, they are rreversble and observable by all the players. In the second stage, each P chooses a control nput sequence U : = {u t, t Œ N 0 } to mantan optmal closed-loop performance. The objectve of each P s to mnmze hs/her total cost: J (V, U) = J I(V) + J II(V, U), Œ M, (6) where the frst stage cost s denoted J I(V): = (1 I )l, and J II(V, U) denotes second stage cost (the average LQG cost). Here l > 0 s the securty nvestment ncurred by P only f 22

5 s/he has chosen S, and the ndcator functon I = 0 when V = S, and I = 1 otherwse. In order to reflect securty nterdependences, n our model, the falure probabltes ~ g and ~ n depend on the P s own securty choce V and on the other players securty choces {V j, j }. Followng [10], we assume P[g t = 0 Ô V] = ~ g (V) := I g + (1 I g )a(h ). In Eq. 7, the frst term reflects the probablty of a drect falure, and the second term reflects the probablty of an ndrect falure. The nterdependence term a(h ) ncreases as the number of players, excludng P, who have chosen N ncrease, where h : = S j I j ; smlarly for n t. The socal planner objectve s to mnmze the aggregate cost: m SO J ( V, U) = J ( V, U). (8) = 1 Consder a two-player game, where the nterdependent falure probabltes are gven by Eq. 8. To derve optmal player actons (securty choces V ), we dstngush the followng two cases: ncreasng ncentves and decreasng ncentves. For the case of ncreasng ncentves, f a player secures, other player s gan from securng ncreases, that s, J II *() J II *({S, N}) J II * () J II * (), where J II * (.) denotes the optmal second stage cost. Smlarly, for the case of decreasng ncentves, a player s gan from nvestng n securty decreases when the other player nvests n securty, that s, J* II () J* II () J* II () J* II (). Fgure 2a (resp. Fg. 2b) characterzes the Nash equlbra (ndvdually optmal choces) and socally optmal choces of the game for the case of ncreasng (resp. decreasng) ncentves, where we assume l SO 1 < l 1 (resp. l 2 > l SO 2 ). For Œ {1, 2}, the thresholds l, l, l SO, and l SO are gven n [10]. Consder the case of ncreasng ncentves (Fg. 2a). If l < (resp. l > l 1 ), the symmetrc Nash equlbrum (resp. ) s unque. Thus, (resp. l 1 ) s the cutoff cost below (resp. above) whch both players nvest (resp. nether player nvests) n securty. If l l 1, both and are ndvdually optmal. However, f < & > l 1 (resp. > & < ), the asymmetrc strategy (resp. ) s an equlbrum. Now, f l < l SO 1 (resp. l > l SO 1 ), the socally optmal choces are (resp. ). If l SO 1 & l SO (resp. l SO 1 & l SO 1 ), socally optmal choces are (resp. ). Smlarly, we can descrbe ndvdually and socally optmal choces for the case of decreasng ncentves (Fg. 2b). For both cases, we observe that the presence of nterdependent securty causes a negatve externalty. The ndvdual players are subject to network-nduced rsks and tend to under-nvest n securty relatve to the socal optmum. From our results, for a wde parameter range, regulatory mpostons to ncentvze hgher securty nvestments are desrable (dscussed later). The effectveness of such mpostons on the respectve rsks faced by ndvdual players (NCS operators) can be evaluated n a manner smlar to Eqs Challenges n CPS Rsk Assessment Technologcal Challenges A sgnfcant challenge for the practcal mplementaton of our CPS rsk assessment framework s to develop data-drven, stochastc CPS models, whch account for dynamcs of CPS wth nterdependent relablty and securty falures. Each of these sngular/basc models should account for CPS dynamcs and focus on a specfc falure scenaro. The basc models can be composed nto a composte model to represent varous correlated falure scenaros, ncludng smultaneous attacks, common-mode falures, and cascadng falures. By usng of quanttatve technques from statstcal estmaton, modelbased dagnoss, stochastc smulaton, and predctve control, we can automatcally generate new falure scenaros from realtme sensor-control data. These technques enable the synthess of operatonal securty strateges and provde estmates of resdual rsks n envronments wth hghly correlated falures and less than perfect nformaton. Thus, theoretcal guarantees and computatonal tools are needed for the followng: Compostons of stochastc fault and attack models Inference and learnng of new falure scenaros Fast and accurate smulaton of CPS dynamcs Detecton and dentfcaton of falure events Operatonal ICT and control based strateges The DETERLab testbed [11] provdes the capablty to conduct experments wth a dverse set of CPS falure scenaros, where the controllable varables range from IP-level dynamcs to ntroducton of malcous enttes such as dstrbuted DoS attacks. The cyber-physcal aspects of large-scale nfrastructures can be ntegrated together on DETERLab to provde an expermental envronment for assessng CPS rsks. Specfcally, the DETERLab provdes a programmable network emulaton envronment, and a sute of tools that allow a user to descrbe the expermentaton apparatus, and montor and control the expermentaton procedure. Multple expermentatons can be executed at the same tme by dfferent users f computatonal resources are avalable. The man challenge for CPS expermentaton on the DETERLab testbed s to compose physcal system dynamcs (real/smulated/emulated) wth communcaton system emulaton. The expermentaton apparatus should model the communcaton network, the physcal network, and ther dynamc nteractons. The expermentaton procedure should descrbe the sensng and actuaton polces that are the best responses to strategc actons of other players. Insttutonal Challenges The desgn of nsttutonal means s a chcken-and-egg problem. On one hand, nsttutonal means such as mposton of legal lablty, mandatory ncdent dsclosure, and nsurance nstruments mprove the nformaton about CPS rsks. On the other hand, substantal knowledge of CPS rsks s requred for ther desgn and successful deployment. Gven the lmtatons of currently avalable rsk assessment tools, the CPS operators fnd t hard (and, as a result, costly) to manage ther rsks. Ths problem s especally acute for rsk management va fnancal means, such as dversfcaton, reallocaton to other partes, and nsurance. For example, nsurance nstruments of CPS rsks management are meager: the premums of cyber-securty contracts are not condtoned on the securty parameters. It would be no exaggeraton to say that so far, the cyber-nsurance market has faled to develop. For example, the volume of underwrtten contracts s essentally unchanged n a decade, despte multple predctons of ts growth by ndependent researchers and ndustry analysts. In fact, even the exstng superfcal market s largely sustaned by non-market (regulatory) forces. Indeed, the leadng reason for CPS operators to acqure nsurance polces at the prevalng exuberant prces s ther need to comply wth federal requrements for government contractors. Ctzens (.e., federal and state taxpayers) are the fnal bearers of these costs. We expect that ths stuaton wll reman as s unless nformaton on CPS rsks drastcally mproves. 23

6 Another related problem s that of suboptmal provder ncentves (as seen n Fg. 2). A CPS operator s estmates of hs/her own rsk tend to be understated (relatve to socetal ones), even when falure probabltes are known to hm/her. In such cases, the gap between ndvdually and socally optmal ncentves could be reduced va adjustments of legal and regulatory nsttutons. For example, t would be socally desrable to ntroduce lmted lablty (.e., a due care standard) for ndvdual enttes whose products and servces are employed n CPSs. Ths would mprove provders ncentves to nvest n ther products securty and relablty. However, due to nformaton ncompleteness, currently there s no lablty regme for provders of CPS components and servces, for nether securty nor relablty drven falures. Indeed, any lablty regme s based on knowng (the estmate[s] of) falure probabltes and the nduced losses. Ths agan requres benchmarkng of CPS rsks. Concludng Remarks Benchmarkng of CPS rsks s a hard problem. It s harder than the tradtonal rsk assessment problems for nfrastructure relablty or ICT securty, whch so far have been consdered n solaton. Estmaton of CPS rsks by navely aggregatng rsks due to relablty and securty falures does not capture the externaltes, and can lead to grossly suboptmal responses to CPS rsks. Such msspecfed CPS rsks lead to based securty choces and reduce the effectveness of securty defenses. Modern, and especally upcomng, CPSs are subjected to complex rsks, of whch very lttle s known despte the realzaton of ther sgnfcance. In ths artcle we are callng on our colleagues to embark on the hard task of assessng nterdependent CPS rsks. The effectveness of securty defenses can be ncreased only when our knowledge of CPS rsks mproves. Acknowledgments We are grateful to the anonymous revewers for ther feedback, and thank Professors S. Shankar Sastry (UC Berkeley) and Joseph M. Sussman (MIT) for useful dscussons. References [1] Y. Mo et al., Cyber-Physcal Securty of A Smart Grd Infrastructure, Proc. IEEE, vol. 100, no. 1, Jan. 2012, pp [2] S. Srdhar, A. Hahn, and M. Govndarasu, Cyber-Physcal System Securty for the Electrc Power Grd, Proc. IEEE, vol. 100, no. 1, Jan. 2012, pp [3] A. Hussan, J. Hedemann, and C. Papadopoulos, A Framework for Classfyng Denal of Servce Attacks, Proc ACM Conf. Applcatons, Technologes, Archtectures, and Protocols for Computer Communcatons, 2003, pp [4] S. Amn et al., Cyber Securty of Water SCADA Systems Part II: Attack Detecton Usng Enhanced Hydrodynamc Models, IEEE Trans. Control Systems Technology, [5] S. Buldyrev et al., Catastrophc Cascade of Falures n Interdependent Networks, Nature, vol. 464, no. 7291, Apr. 2010, pp [6] C. Hall et al., Reslence of the Internet Interconnecton Ecosystem, Proc. 10th Wksp. Economcs of Informaton Securty, June [7] T. Alpcan and T. Basar, Network Securty: A Decson and Game Theoretc Approach, Cambrdge Unv. Press, [8] P. Gross and H. Kunreuther, Catastrophe Modelng: A New Approach to Managng Rsk, Sprnger, 2005, vol. 25. [9] Y. Y. Hames, Rsk Modelng, Assessment, and Management, 3rd ed., Wley, [10] S. Amn, G. A. Schwartz, and S. S. Sastry, On the Interdependence of Relablty and Securty n Networked Control Systems, CDC-ECE, IEEE, 2011, pp [11] T. Benzel, The Scence of Cyber Securty Expermentaton: The Deter Project, Proc. 27th ACM Annual Computer Securty Applcatons Conf., 2011, pp Bographes SAURABH AMIN (amns@mt.edu) s an assstant professor n the Department of Cvl and Envronmental Engneerng, Massachusetts Insttute of Technology (MIT). Hs research focuses on the desgn and mplementaton of hgh-confdence network control algorthms for crtcal nfrastructures, ncludng transportaton, water, and energy dstrbuton systems. He receved hs B.Tech. n cvl engneerng from the Indan Insttute of Technology Roorkee n 2002, M.S. n transportaton engneerng from the Unversty of Texas at Austn n 2004, and Ph.D. n systems engneerng from the Unversty of Calforna at Berkeley n GALINA A. SCHWARTZ s a research economst n the Department of Electrcal Engneerng and Computer Scences at the Unversty of Calforna, Berkeley. Her prmary expertse s game theory and mcroeconomcs. She has publshed on the subjects of network neutralty, cyber rsk management and modelng of cyber-nsurance markets, and securty and prvacy of cyber-physcal systems. In her earler research, she has appled contract theory to study the nterplay between nformaton, transacton costs, nsttutons and regulatons. She has been on the faculty n the Ross School of Busness at the Unversty of Mchgan, Ann-Arbor, and has taught n the Economcs Departments at the Unversty of Calforna, Davs and Berkeley. She receved her M.S. n mathematcal physcs from Moscow Insttute of Engneerng Physcs, Russa, and Ph.D. n economcs from Prnceton Unversty n ALEFIYA HUSSAIN s a computer scentst at the Unversty of Southern Calforna s Informaton Scences Insttute (USC/ISI). Her research nterests nclude statstcal sgnal processng, protocol desgn, cyber securty, and network measurement systems. She receved her B.E. n computer engneerng from the Unversty of Pune, Inda, n 1997 and Ph.D. n computer scence from Unversty of Southern Calforna n Pror to jonng USC/ISI, she was a senor prncpal scentst at Sparta Inc. 24