@edecoux
Created September 22, 2022 21:35
DefRec.md

DefRec: Establishing Physical Function Virtualization to Disrupt Reconnaissance of Power Grids’ Cyber-Physical Infrastructures

Hui Lin, Jianing Zhuang (University of Nevada, Reno)
Yih-Chun Hu (University of Illinois)
Huayu Zhou (University of Nevada, Reno, hzhou@nevada.unr.edu)


  • Physical function virtualization (PFV) that “hooks” network interactions with real physical devices and uses these real devices to build lightweight virtual nodes that follow the actual implementation of network stacks, system invariants, and physical state variations in the real devices
  • On top of PFV, DefRec is a defense mechanism that significantly increases the effort required for an adversary to infer knowledge of power grids' cyber-physical infrastructures
  • DefRec can mislead adversaries into designing damage-free attacks
  • Preventing reconnaissance on a critical set of physical data allows us to cover a wide spectrum of attacks, including unknown ones
  • Detecting and misleading attacks before they occur removes potential threats and prevents damage

The disruption policy deployed in DefRec is to achieve the anti-reconnaissance objectives RO1 and RO2.

  • To disrupt passive attacks in RO1, we randomize network packets issued to both real devices and virtual nodes, significantly increasing the time an adversary needs to stealthily identify real devices (Section IV-A).
  • In RO2, we introduce randomness when responding to probing of virtual nodes to reveal adversaries' existence with a high probability while reducing the information an adversary can learn.

Security-Performance Trade-off Argument

  • With more virtual nodes, it is more difficult for adversaries to identify real devices
  • Meanwhile, with more virtual devices, we redirect more packets to seed devices which handle more requests
  • To meet a security-performance trade-off, we can adjust the design parameters ($m_1$, $m_2$, and the threshold of the dropping protocol).

Key Ideas

  • Without careful design, data piggybacked by network packets from virtual nodes can still allow adversaries to learn grids’ physical knowledge, e.g., physical topology and measurements.
  • Attack-misleading policy: Craft Decoy Data for Virtual Nodes
  • Two requirements for constructing decoy data: (i) mislead adversaries into designing ineffective strategies, and (ii) follow the physical model of power grids so the decoy data do not arouse suspicion
  • Decoy data for false data injection attacks (FDIAs)
  • FDIAs can significantly downgrade accuracy of state estimation and the performance of many power grid applications.

$$H'_{21}\, c + H'_{22}\, c_d = H_2\, c \qquad (6)$$

  • This indicates the necessary condition for adversaries to bypass DefRec, i.e., performing successful FDIAs even with injections of decoy data.
  • In practice, this corresponds to one of the following two conditions:
  • Adversaries are forced to change their attack strategies to satisfy the condition $H'_{21}\, c + H'_{22}\, c_d = H_2\, c$
  • A power grid fails to deploy sufficient sensors
  • Refine Decoy data to follow the physical model of the power grid
  • Towards future smart grids: DefRec aims at disrupting adversaries who need global knowledge of a power grid, so it may become less effective against adversaries that restrict their malicious activities to a single region
  • Future smart grids may also bring increased data acquisition frequency

Implementation

  • PFV was implemented as an SDN application on the ONOS network operating system; the authors also developed a testbed that simulates both the cyber and physical infrastructures of power grids.
  • Communication Networks
  • Built six networks of different sizes (up to 124 nodes) from the TopologyZoo dataset, which contains topologies of real networks managed by different Internet Service Providers (ISPs) (see Table I).
  • Implementation of PFV and DefRec: PFV does not require a dedicated virtual environment, and PFV is implemented in ONOS using around 1,000 lines of code
  • DefRec’s disruption policy to delay passive attacks and isolate proactive attacks
  • Physical Devices
  • Used IEDs from three different vendors: Schweitzer Engineering Laboratories (SEL) 751A feeder protection relay, Allen Bradley (AB) MicroLogix 1400 PLC, and Schneider Electric (SE) ION7550 power meters
  • To communicate with those devices, the authors implemented a DNP3 master using the OpenDNP3 library
  • Evaluation
  • Security evaluation focused on the effectiveness of (i) PFV's virtualization of the network flows of real devices, (ii) DefRec's disruption of network flows, and (iii) the attack-misleading policy in causing adversaries to design ineffective attacks
  • Power grid simulations

The Capability of PFV

  • Two factors affect PFV's performance: the capability of virtualizing physical devices and the overhead of device profiles and of caching network interactions
  • Performance Evaluation
  • PFV can process around 600 packets per second, which is equivalent to processing 30,000 decoy data values at a single site
  • Overhead of Device Profiles and Caching
  • Storage overhead depends on the device profiles used by the power grid and on how the disruption affects the existing network traffic
  • The inaccessible virtual nodes introduce minimal runtime overhead, as DefRec isolates proactive attacks after a few attempts

Decoy Data Construction

  • The time to craft decoy data is on the same order of magnitude as the execution time of state estimation.
  • In future smart grids, as state estimation algorithms evolve, less time is expected to be spent on this part of the process.

Related Work

  • Network function virtualization (NFV): an emerging technology to virtualize network nodes according to specific functionality, such as load balancing and access control
  • Moving target defense (MTD): disrupts adversaries by randomly changing system and network configurations, e.g., IP addresses and port numbers
  • Remote attestation: a technique used by a device (verifier) to verify properties of another remote device (prover), such as its software integrity, policy enforcement, or physical location
  • Honeypots for ICSs: build separate computing or network environments to trace adversaries' activities on ICS devices
  • Masquerading attacks in remote attestation: remote attestation can be vulnerable to masquerading or relay attacks

Acknowledgment

  • This material is based upon work partially supported by the National Science Foundation under Award No. CNS-1850377


Details of Probabilistic Dropping Protocol

  • After an adversary accesses an inaccessible virtual node (marked as device 0), we isolate the adversary when she accesses device $k$ with probability $p_k$, regardless of whether device $k$ is a real device or a virtual node
  • We set a threshold such that the adversary is isolated with certainty at her access to the device that follows the threshold
  • In other words, the adversary can access at most as many real devices as the threshold before she is isolated from the control network
  • If $p_k = \dfrac{p_0}{1 - k\,p_0}$, we always have $p_0 = Q_0 = Q_1 = \cdots$ up to the threshold, where $Q_k$ is the probability that the adversary is isolated exactly at her $k$-th access
  • When the adversary accesses the $k$-th device, the probability of not being isolated is $1 - Q_k$, i.e., $1 - p_0$
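The dropping protocol above, worked out numerically as an added example (this is not the authors' code). It uses the page's $p_k$, $Q_k$ and $p_0$; the threshold's symbol did not survive extraction, so it is called `tau` here, an assumption. $p_0 = 0.18$ and a threshold of 4 are the values quoted in the evaluation; the Monte Carlo run assumes, as the page states, that any access beyond the threshold is isolated with certainty.

```python
"""Probabilistic dropping protocol from the DefRec summary, worked numerically.

Added example, not the authors' code.  p_k is the probability that the
adversary is isolated when she touches device k after having hit an
inaccessible virtual node (device 0); Q_k is the unconditional probability
that isolation happens exactly at device k; `tau` (name assumed here) is
the threshold on how many real devices she may reach.
"""
import random
from fractions import Fraction


def per_access_probabilities(p0, tau):
    """p_k = p_0 / (1 - k p_0) for k = 0..tau.

    Pass p0 as a string or Fraction (e.g. "0.18") so the arithmetic is exact.
    p_tau <= 1 requires p_0 <= 1 / (tau + 1).
    """
    p0 = Fraction(p0)
    if not 0 < p0 <= Fraction(1, tau + 1):
        raise ValueError("p_0 must lie in (0, 1/(tau+1)] so that p_tau <= 1")
    return [p0 / (1 - k * p0) for k in range(tau + 1)]


def isolation_at(probs):
    """Q_k = p_k * prod_{j<k} (1 - p_j): isolated exactly at the k-th access.

    With the p_k above every Q_k collapses to p_0, which is the page's claim.
    """
    q, survive = [], Fraction(1)
    for pk in probs:
        q.append(pk * survive)
        survive *= 1 - pk
    return q


def survival_after(probs, k):
    """Probability of still not being isolated after accesses 0..k."""
    s = Fraction(1)
    for pk in probs[:k + 1]:
        s *= 1 - pk
    return s            # equals 1 - (k+1) p_0 for k <= tau


def simulate_reach(p0, tau, n_real, trials, seed=1):
    """Monte Carlo: adversary hits device 0, then real devices 1..n_real in order.

    Returns the fraction of trials in which she reads every real device before
    being isolated.  Accesses beyond tau are isolated with probability 1.
    """
    probs = [float(p) for p in per_access_probabilities(p0, tau)]
    rng = random.Random(seed)          # fixed seed: reproducible constructed run
    reached_all = 0
    for _ in range(trials):
        for k in range(n_real + 1):    # k = 0 is the inaccessible virtual node
            p_iso = probs[k] if k <= tau else 1.0
            if rng.random() < p_iso:
                break                  # isolated at device k
        else:
            reached_all += 1
    return reached_all / trials


if __name__ == "__main__":
    probs = per_access_probabilities("0.18", 4)
    print("p_k:", [str(p) for p in probs])
    print("Q_k:", [str(q) for q in isolation_at(probs)])
    print("P(not isolated after tau+1 accesses):", survival_after(probs, 4))
    print("simulated fraction reading 4 real devices:",
          simulate_reach("0.18", 4, 4, 20000))
```

With $p_0 = 0.18$ and a threshold of 4, the per-access probabilities grow as $9/50, 9/41, 9/32, 9/23, 9/14$, every $Q_k$ is exactly $9/50$, and the adversary survives all five accesses with probability $1 - 5 \cdot 0.18 = 0.1$; a sixth access is always isolated, so she never reaches a fifth real device.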

Evaluation

  • Effectiveness in RO1
  • Figure: probability of identifying real devices on the 24-bus, 30-bus, 73-bus, 118-bus, 406-bus and 1153-bus systems, i.e., the probability that an adversary successfully guesses whether a device is real based on randomized requests
  • Figure: accuracy of state estimation when 95% of the physical data is randomly retrieved from real devices
  • Figure: false negative rate of the probabilistic dropping protocol with threshold 4 and $p_0 = 0.18$, plotted against the inaccessible-virtual-node to real-device ratio; legend distinguishes successful measurement of real devices by proactive probing from failure to obtain all measurements through proactive probing

Decoy Data Construction

  • Most power grid control operations are formulated as an optimization problem
  • FDIAs aim at minimizing the errors of state estimation while optimal flow analysis aims at minimizing operational costs
  • DefRec mixes decoy data $z_d$ with the real data such that either (i) no solution exists that achieves the attack objectives, or
  • (ii) achieving the attack objectives requires modifying the decoy data with significant changes
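The decoy-data argument from Key Ideas (condition $H'_{21} c + H'_{22} c_d = H_2 c$) and from this section, as an added Python example; it is not code from the paper. The 3-bus DC model, susceptances, noise values, detection threshold, and the particular decoy (a fictitious line from a real bus to a virtual bus, so the adversary's learned model gains one column and one row) are all constructed here for illustration, and the paper's own decoy construction may differ.

```python
"""False data injection against DC state estimation, with and without
DefRec-style decoy data.  Added example, not code from the DefRec paper.

z is the measurement vector, H the operator's true measurement matrix,
c the state change the adversary wants to induce, c_d the state change of
the virtual (decoy) bus.  H_2 / H'_21 / H'_22 follow the page's partition:
the row that the decoy data touches, as the operator sees it and as the
adversary sees it.  All numbers are constructed.
"""
import math


# --- tiny dense linear algebra so the example runs without numpy ----------
def transpose(m):
    return [list(col) for col in zip(*m)]


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting on a copy of (a | b)."""
    n = len(a)
    aug = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


# --- least-squares DC state estimation and residual-based bad data detection
def estimate_state(h, z):
    """x_hat = (H^T H)^-1 H^T z with unit weights."""
    ht = transpose(h)
    return solve(matmul(ht, h), matvec(ht, z))


def residual_norm(h, z):
    x_hat = estimate_state(h, z)
    return math.sqrt(sum((zi - hi) ** 2 for zi, hi in zip(z, matvec(h, x_hat))))


DETECTION_THRESHOLD = 0.01          # assumed operator setting on ||z - H x_hat||

# Constructed 3-bus DC grid: bus 0 is the reference, states are theta_1, theta_2.
# Rows: flows P01, P12, P02 and injections P1, P2; susceptances 10, 5, 8.
H_TRUE = [[-10, 0], [5, -5], [0, -8], [15, -5], [-5, 13]]
X_TRUE = [0.02, -0.01]
NOISE = [0.001, -0.002, 0.0015, -0.001, 0.0005]     # constructed sensor noise
Z_REAL = [m + n for m, n in zip(matvec(H_TRUE, X_TRUE), NOISE)]
N_REAL = len(H_TRUE)

# What the adversary learns when a virtual node advertises a decoy line
# (susceptance 7) from real bus 2 to a virtual bus 3 with state theta_3:
# every real row gains a third column, the bus-2 injection appears to
# include the decoy line, and a sixth (decoy) row P23 appears.
H_ADVERSARY_VIEW = [[-10, 0, 0], [5, -5, 0], [0, -8, 0], [15, -5, 0],
                    [-5, 20, -7], [0, 7, -7]]


def inject(h_model, c_model, z):
    """Adversary computes a = H_model c_model and adds its real-row part to z."""
    a = matvec(h_model, c_model)
    return [zi + ai for zi, ai in zip(z, a[:N_REAL])]


def detected(z):
    return residual_norm(H_TRUE, z) > DETECTION_THRESHOLD


def decoy_condition_holds(c, c_d, tol=1e-9):
    """The page's H'_21 c + H'_22 c_d = H_2 c, checked on the decoy-touched row P2."""
    h2 = H_TRUE[4]
    h21, h22 = H_ADVERSARY_VIEW[4][:2], H_ADVERSARY_VIEW[4][2:]
    lhs = sum(a * b for a, b in zip(h21, c)) + sum(a * b for a, b in zip(h22, c_d))
    rhs = sum(a * b for a, b in zip(h2, c))
    return abs(lhs - rhs) < tol


def scenario_results(c=(0.05, 0.02)):
    """Residual norms for: honest data, classic FDIA with the true H, FDIA from
    the decoy-contaminated model with c_d = 0, and the same with c_d chosen to
    satisfy the page's condition."""
    c = list(c)
    return {
        "honest": residual_norm(H_TRUE, Z_REAL),
        "fdia_true_model": residual_norm(H_TRUE, inject(H_TRUE, c, Z_REAL)),
        "fdia_decoy_model": residual_norm(H_TRUE, inject(H_ADVERSARY_VIEW, c + [0.0], Z_REAL)),
        "fdia_decoy_model_condition": residual_norm(
            H_TRUE, inject(H_ADVERSARY_VIEW, c + [c[1]], Z_REAL)),
    }


if __name__ == "__main__":
    for name, r in scenario_results().items():
        print(f"{name:28s} residual={r:.4f} detected={r > DETECTION_THRESHOLD}")
```

An adversary who learned the true $H$ adds $a = Hc$ and the residual does not move, the classic stealthy FDIA. The same adversary working from the decoy-contaminated model and leaving the virtual bus alone ($c_d = 0$) injects $-5c_1 + 20c_2$ on the bus-2 row instead of $-5c_1 + 13c_2$, the residual jumps and the attack is flagged. Only when $c_d = c_2$, i.e. when the condition on the decoy row is satisfied, does the attack become stealthy again, which is why the page calls that condition necessary for bypassing DefRec.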

Storage Overhead of Device Profiles and Caching

  • Storage overhead is reported per power system and per ratio of virtual nodes to physical devices (base, then 10%, 15%, 20%, 25%); values as recorded in the summary, in KB:
  • IEEE 24-bus: 8.1, 8.9, 9.7, 10.0, 11.4, 12.3
  • RTS96 73-bus: 25.6, 28.9, 30.1, 31.4
  • IEEE 118-bus: 38.2, 43.8, 45.0
  • Poland 1153-bus: 301.5, 331.6, 361, 367
  • Cached network interactions with the three physical devices used in the evaluation: 8 KB in total