Towards a Unifying Security Framework for Cyber- Physical Systems



Similar documents
Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

NSA/DHS CAE in IA/CD 2014 Mandatory Knowledge Unit Checklist 4 Year + Programs

Network Security Administrator

Firewall Security. Presented by: Daminda Perera

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

8. Firewall Design & Implementation

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Industrial Security for Process Automation

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Advanced Threats: The New World Order

COUNTERSNIPE

Network/Cyber Security

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Intelligence Driven Security

A Hierarchical Security Architecture for Cyber- Physical Systems

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

Firewalls Overview and Best Practices. White Paper

BM482E Introduction to Computer Security

Securing The Connected Enterprise

Improving SCADA Control Systems Security with Software Vulnerability Analysis

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

DNP Serial SCADA to SCADA Over IP: Standards, Regulations Security and Best Practices

CMPT 471 Networking II

Defending Against Cyber Attacks with SessionLevel Network Security

On Building Secure SCADA Systems using Security Patterns. Outline

Critical Controls for Cyber Security.

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Goals. Understanding security testing

On the features and challenges of security and privacy in distributed internet of things. C. Anurag Varma CpE /24/2016

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

Sygate Secure Enterprise and Alcatel

Wireless Sensor Network Security. Seth A. Hellbusch CMPE 257

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

Panel Session: Lessons Learned in Smart Grid Cybersecurity

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Announcement of a new IAEA Co-ordinated Research Programme (CRP)

CYBERSPACE SECURITY CONTINUUM

Are Second Generation Firewalls Good for Industrial Control Systems?

CNA 432/532 OSI Layers Security

Network Access Security. Lesson 10

Network Mission Assurance

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

CLOUD FRAMEWORK & SECURITY OVERVIEW

CloudCheck Compliance Certification Program

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

REFERENCE ARCHITECTURES FOR MANUFACTURING

Wireless Sensor Networks Chapter 14: Security in WSNs

SCADA SYSTEMS AND SECURITY WHITEPAPER

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

A Biologically Inspired Approach to Network Vulnerability Identification

Industrial Security Solutions

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Secure Software Programming and Vulnerability Analysis

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Intrusion Detection Systems

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Fear Not What Security Can Do to Your Firm; Instead, Imagine What Your Firm Can Do When Secured!

Safeguards Against Denial of Service Attacks for IP Phones

Patching & Malicious Software Prevention CIP-007 R3 & R4

About Firewall Protection

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

LOGIIC Remote Access. Final Public Report. June LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

Managing and Maintaining Windows Server 2008 Servers

Intro to Firewalls. Summary

Fact Sheet FOR PHARMA & LIFE SCIENCES

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Module 1: Overview. Module 2: AlienVault USM Solution Deployment. Module 3: AlienVault USM Basic Configuration

Accessing and sending data securely across security domains

Security Analytics for Smart Grid

Network Security A Decision and Game-Theoretic Approach

Bohatei: Flexible and Elas2c DDoS Defense

PCI v2.0 Compliance for Wireless LAN

Net Optics Learning Center Presents The Fundamentals of Passive Monitoring Access

Process Control Networks Secure Architecture Design

SANS Top 20 Critical Controls for Effective Cyber Defense

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

DeltaV System Cyber-Security

Cybersecurity considerations for electrical distribution systems

The Geospatial Approach to Cybersecurity: An Executive Overview. An Esri White Paper January 2014

Basics of Internet Security

Update On Smart Grid Cyber Security

Resilient and Secure Solutions for the Water/Wastewater Industry

About Sectra Communications

Transcription:

Towards a Unifying Security Framework for Cyber- Physical Systems Quanyan Zhu and Tamer Başar Coordinated Science Laboratory Department of Electrical and Computer Engineering University of Illinois at Urbana- Champaign {zhu31, basar1}@illinois.edu Workshop on FoundaPon of Dependable and Secure Cyber- Physical Systems CPS Week, Chicago, April 2011

Overview: Layered Architecture and Modularized Design Human Management Layer Supervisory Layer Flow control, PoA and PoI, data fusion, patching problem, pricing, etc. Cyber Network Layer CommunicaPon Layer IDS/IPS configurapon and defense mechanism, CODIPAS learning algorithms, jamming, eavesdropping, data injecpon, secure distributed roupng, reliability, stealthy a\ack, etc Physical Control Layer Physical Layer H- infinity robust control, adappve control, fault- tolerant control

Cross- Layer Design Management Layer Human Supervisory Layer Network Layer Cyber CommunicaPon Layer Control Layer Physical Physical Layer

Security Issues in Cyber- Physical Systems IntegraPon of IT infrastructure with industrial control systems has put a closed network of systems in the publicly accessible network: Cost and performance benefits, Vulnerable to security risks and threats. ConvenPonal IT solupons to security can not be directly applied. Security objecpves Security architecture Quality- of- service requirement Reliability and robustness in an isolated control system vs. resilience and security in an open system.

A HolisPc Viewpoint Resilience Reliability Cyber System Physical Plant Cyber A\ack Disturbances Security Cyber Defense Control System Robustness

A Possible SoluPon: Defense- in- Depth PotenPal Threat Physical Security Firewalls, IDS and DMZs Control Systems AuthorizaPon and Access Control

A Unifying Security Model The cascading counter- measures using a mulptude of security devices and agents offers the administrators more opportunipes for informapon and resource control with the advent of potenpal threats. creates possible issues on the latency and the packet drop rate of communicapons between the controller and the plant. ẋ(t) =A(t)x(t)+B(t)Θ(t)u(t)+D(t)w(t) Cyber Security Architecture Control Systems

Physical Layer: H- Infinity OpPmal Control ẋ(t) =A(t)x(t)+B(t)Θ(t)u(t)+D(t)w(t) A zero- sum differenpal game between two players w(t) is the disturbance who maximizes the cost u(t) is the control who minimizes the cost Q f 0; Q f (t) 0 has piece- wise conpnuous entries γ is the disturbance a\enuapon level

Cyber Security Architecture: An Example Internet Control System LAN ID IDS/IPS Firewall Q 1 Q 2 Q 3

Intrusion DetecPon/PrevenPon Systems Arrival Rate IDS/IPS Service Rate Packet Loss Rate p 1 p 2 p L l 1 l 2 l 1 p 1 p L 1 2 1 - p L 1 - p i : packet drop rate µ i : service rate M/M/1 queue

IDS/IPS ConfiguraPon The IDS/IPS has a set of L rules L = {l 1,l 2,,l L } IPS rules can drop packets to prevent malicious acpvipes. IDS rules check packets, idenpfy a\ack pa\erns and log the acpvipes. IDS/IPS is configured by choosing a subset of rules L L. Tradeoffs: Heavy- weight security policies lead to larger delays and higher packet loss. Light- weight security policies increase missed detecpons.

Impact of Cyber- Policies on Physical Layer Control For a given configurapon L L. Incurred delay Incurred packet loss rate Modified system dynamics: Modified cost criterion:

OpPmal Control (1) An oppmal control to achieve disturbance a\enuapon for a given γ is Z γ is a solupon to the following generalized RiccaP equapon (GRDE): Infinite- dimensional compensator

OpPmal Control (2) If γ > ˆγ τd, the game admits a unique saddle- point solupon and the saddle- point value is given by A separapon principle: For γ > ˆγ τd, the oppmal saddle- point is only dependent on the packet loss rate. OpPmal a\enuapon level is only dependent on the delay. ˆγ τd

Impact of Physical Layer Control on Cyber Policies A separapon principle: For γ > ˆγ τd, the oppmal saddle- point is only dependent on the packet loss rate. OpPmal a\enuapon level is only dependent on the delay. ˆγ τd α i uplity associated with each rule

Conclusion (1) Modular and Cross- Layer Design Physical/Control layer: H- infinity robust control, adappve control, fault- tolerant control, etc. CommunicaPon layer: IDS/IPS configurapon and defense mechanism, CODIPAS learning algorithms, jamming, eavesdropping, data injecpon, etc. Network layer: secure distributed roupng, reliability, stealthy a\ack, etc. Supervisory layer: flow control, PoA and PoI, data fusion, etc. Management layer: patching problem, pricing, etc.

Conclusion (2) We have proposed a unifying framework to address security issues in cyber- physical systems. Cyber policies and physical layer controls are interdependent. We have used IDS/IPS as an example to illustrate the two main effects of the cyber architecture on control systems: delay and packet drop rate. A zero- sum differenpal game framework enables cross- layer design and analysis for security issues in cyber- physical systems. Future DirecPons: We can consider adversarial behaviors at the cyber- level and construct a two- level game framework. The framework can be applied to study mulp- agent systems.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information