Upload
bonnie-montgomery
View
214
Download
1
Tags:
Embed Size (px)
Citation preview
Verification of Information Flow Properties in Cyber-Physical Systems
Ravi Akella, Bruce McMillinDepartment of Computer ScienceMissouri University of Science &
Technology Rolla, MO, USA
CPS Week 2011: Workshop on Foundations of Dependable and Secure Cyber-Physical SystemsApril 11, 2011 Chicago, Illinois
This work was supported in part by the Future Renewable Electric Energy Delivery and Management Systems Center (FREEDM); a National Science Foundation supported Engineering Research Center, under grant NSF EEC-0812121 and in part by the Missouri S&T Intelligent Systems Center.
Cyber-Physical Systems (CPS)oIntegrations of computational and
physical processes
oAn example CPS is the FREEDM system: a smart grid managed with Distributed Grid Intelligence (DGI)
oDGI consists of cyber processes that perform distributed computation to efficiently manage distributed energy resources by interfacing with Intelligent Energy Management (IEM)
oThere is an inter-dependence of events within the physical and cyber processes
• Cyber events within a CPS involve:1) distributed computation,2) communication with other cyber components, and 3) communication with the physical component that it controls.
• Physical events include: 1) a local state change of the physical subsystem resulting from a cyber
component controlling it, 2) a local physical state change resulting from the dynamics of the physical
system, and3) the observability of the physical system modeled as events
CPS Interactions
CPS Smart grid Interactions
ea c
b d e
ac
b d e
At this IEM, information obtained from the observable physical event yields
information about the cyber command (b)
SST
PHEV Load PV
DGI
SST
PHEV Load Wind
DGI
SST
Battery Load PV
DGI
ab
c
d
Read state of Physical systemaIssue command to make a settingbMessage exchange including partial state information
c
Power draw or contribution on the shared power bus
d
e
Event due to physical flow on the shared power bus
e
IEM1 IEM2 IEM3
• Information Flow Security aims at guaranteeing that no high level (confidential) information is revealed to users at a low level, even in the presence of any possible cyber/physical process
• Potential information flow models for CPSs:– Non-Interference: Information does not flow from high to low if the high
behavior has no effect on what low level observer can observe– Non-Inference: leaves a low level observer in doubt about high level events.– Non-deducibility: Given a set of low-level outputs, no low-level subject
should be able to deduce anything about the high-level inputs [Sutherland].– Composition of deducibly secure systems: not composable [McCullough]– McCullough`s Generalized noninterference-secure property considers non-
determinism of real systems
Objective: Analyze Information Flow Security in CPS
• A unified approach to deal with CPSs is necessary that can encompass the cyber and physical events
• We propose a process algebraic approach adopted to analyze the information flow in CPSs
• Security process algebra provides an abstract description for nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High)
• Using process algebra, bisimulation provides a formal method to determine nondeducibility.
Information Flow Security for CPSProcess Algebra Approach
A system E is BNDC if for every high level process ∏, a low level user cannot distinguish E from E|∏
E| ∏ : Parallel Composition of E1& ∏ where executions of the two systems are interleaved
Bisimulation-based NonDeducibility on Composition (BNDC)
Bisimulation oTwo processes are weakly bisimilar if they are able to mutually simulate their behavior step by step.
oIn a weak bisimilarity relation, internal silent actions (τ) between processes is ignored.
E1 and E2 are bisimilar and they both simulate E3
E3 is not bisimilar to E1
Strong BNDC (SBNDC)
The system before and after execution of a high level event remains indistinguishable to the low level domain
E
E’’\H
E’
E’\H
E’’h
Simplification of SBNDC: Bisimulation up to H
The problem of verifying weak bisimulation for all high level transitions of the system can be transformed into finding a bisimulation up to H relation
E E\H
SST
Battery Load PV
DGI
SST
Battery Load PV
DGI
SST
Battery Load PV
DGI
Invariance of Flow in a CPS
Power shared between 1 and 2 due to DGI algorithm
• Power flow satisfies the Kirchhoff's law of invariance on the bus that can be represented as a physical event
SBNDC for FREEDM
The system before and after execution of a high level event remains indistinguishable to the low level domain
E
E’’\H
E’
E’\H
E’’h
SBNDC for FREEDM
o Such processes can be modified to satisfy SBNDC by inserting a complementary High level output, to make an internal action (τ) that is not observable
o Such compensating events hide the physically observable effects
d
d
Our Current Work
Prototype DGI for FREEDM – IEEE SmartGridComm 2010 Akella/Ditch/McMillin/Meng/Crow
Full Specification of DGI in SPA – EWICS SAFECOMP 2010 Akella/McMillin
Formal Verification of Transmission Grid/Pipeline Network Security with SPA/CoPS – J. of Critical Infrastructure Protection – Akella/Tang/McMillin 2010 Component Construction for Constructing Secure Smart Grid Systems –
IEEE COMPSAC 2011 Gamage/Roth/McMillin
Directions for future work
Information flow analysis, with its origins in computational systems, can be extended to the realm of cyber-physical systems to verify their security
Representation of physical events including attributes such as invariance and physical observability expose potential confidentiality violations
Process algebra presents a uniform model of defining cyber and physical processes that can be mechanically verified Model checking complexity incurred in automating the verification of CPS
processes can be reduced using techniques like partial order reduction and new bisimulation techniques to reduce state space