Read an Excerpt

HANDBOOK ON SECURING CYBER-PHYSICAL CRITICAL INFRASTRUCTURE

Morgan Kaufmann

Chapter One

Mengran Xue, Sandip Roy, Yan Wan, Sajal K. Das

1.1. INTRODUCTION

The purpose of this chapter is to (1) introduce notions of security for the physical dynamics of complex cyber-physical networks and (2) provide a tutorial on control-theoretic tools for network inference that are promising for evaluation of such dynamic notions of security.

Classically, computer scientists and infrastructure network engineers have conceptualized the modeling and resolution of threats and uncertainties in vastly different ways. In a very broad sense, computer scientists have extensively studied threat and uncertainty resolution from the perspective of securing information (e.g.,). That is, computing devices and computer networks are viewed as storing, processing, and transmitting valuable information; threats and uncertainties are seen as either modifying this information and its processing, or causing theft of the information for undesirable purposes. In contrast, infrastructure network engineers traditionally have approached threat and uncertainty modeling/resolution from a dynamical systems viewpoint (e.g.,). That is, their key focus has been on analyzing and guiding the temporal behaviors or actions or dynamics of network components, and, in consequence, threats and uncertainties are viewed as undesirably modifying the dynamics. Given this viewpoint, infrastructure network engineers typically view the resolution of threats and uncertainties as stability, performance, and robustness (or vulnerability) concerns rather than security ones.

As cyber and physical capabilities become increasingly intertwined and multifaceted, and the threats and uncertainties themselves become increasingly complicated, the notions of threat and uncertainty modeling/resolution that combine the computer science and infrastructure engineering perspectives are increasingly needed. For instance, both stakeholders and external players associated with electric power and transportation networks increasingly have available sophisticated cyber capabilities for surveillance, based on which they can deliberately obtain an information set on the network's dynamics and structure, and in turn enact self-serving alterations of the dynamics (e.g.,). Conversely, as algorithms for cyber and cyber-physical networks become increasingly complex and operate in harsher environments, the effects of uncertainties on the algorithms' dynamics are becoming increasingly relevant (e.g.,). Given the increasing blurring and meshing between cyber and physical notions of threat and uncertainty modeling/ resolution, we believe that new definitions that capture and combine notions of information violation and robustness/vulnerability of physical network dynamics are needed. In this chapter, we (1) develop a framework for studying the security and vulnerability of physical network dynamics in particular and (2) in turn provide a tutorial on network-theoretic tools that can be used to evaluate these dynamic notions of security.

The first core aim of this chapter is to motivate and develop a framework for studying the security and vulnerability of network dynamics (Section 1.2). Precisely, we will motivate and define dynamic network security as a measure of estimability of network dynamics and structure from sensed measurements of some network responses, and in complement define network vulnerability in terms of potential disruption to the dynamics due to either physical modification or information violation in the network. To obtain these definitions, we will progress in several steps. To provide a concrete context for modeling threats and uncertainties in physical network dynamics, we will introduce a canonical yet fairly broadly applicable linear dynamical network model (Section 1.2.1). This dynamical model, defined on an underlying graph, is structured to capture complex (and possibly stochastic) network dynamics, complex processes generating uncertainties in these networks, and network sensing capabilities. Next, we will introduce several definitions for dynamical network security (and degree of security), as concepts of estimability/unestimability for the network model (Section 1.2.2). These definitions are structured to permit graph-theoretic characterizations for inference of the physical dynamics by an adversary operating at one or multiple network components. In complement, we will define notions of vulnerability to capture the possible impact of cyber or physical adversaries on the physical network dynamics (Section 1.2.3). These definitions of vulnerability, while tied to traditional notions of robustness/ vulnerability in systems, take the further step of making the role of the network structure in vulnerability explicit. Third, we discuss how such definitions can be applied to capture the complex interrelationship between security and vulnerability, and between adversaries and system designers, that are common in modern cyberphysical networks (Section 1.2.4). Finally, with the tutorial purpose of the book in mind, we will discuss an example scenario where inference of dynamical information in networks is of concern, and carefully specify the notions of security and vulnerability in this scenario (Section 1.2.5). The example is focused on strategic management of transportation networks operating under weather uncertainty.

The second core aim of our development is to introduce a family of promising new control-theoretic methods for (1) inference (estimation) of network dynamics including characterization of estimator performance, and (2) perturbation and control of networks that together allow evaluation of dynamical network security measures (Section 1.3). In fact, systems and control engineers have extensively studied estimation of system states (dynamics) and structures, over a period of almost 70 years. Very recently, a focus on estimation of network dynamics has specifically emerged (e.g.,). These recent works can broadly be described as having three purposes: (1) construction of estimators for the multifaceted and highly stochastic dynamics that are characteristic of modern networks; (2) establishing relationship of the estimator structure to the graph topology of the network; and (3) characterization of the estimator performance in terms of the graph topology. As these studies of network inference have emerged, it has also become clear that tools for physical network partitioning from dynamical responses are necessary to inform inference design. We believe that these network estimation or inference techniques, and related network partitioning methods, are very germane to the study of dynamical network security. Specifically, they can provide explicit graph-theoretic characterizations of security measures and associated estimators, and hence permit design of network dynamics that are secure. Here, we overview these promising tools for network estimation and estimator characterization and summarize their application in characterizing network security (Section 1.3.1). Next, we overview new ideas on perturbation and control of network dynamics that are needed for characterization of network vulnerability (Section 1.3.2). Like estimation, perturbation/ control of dynamical systems and even networks has been very extensively studied. However, to develop useful characterizations of the notions of vulnerability that we have proposed, we critically need methods that relate dynamics and control to the network's topological structure; we overview an interesting body of recent literature in this direction. Finally, we argue that the study of network inference and its application is very much a work in progress and describe several challenges that need to be addressed to achieve a comprehensive treatment (Section 1.3.3). Throughout this development, we expose the critical role played by the network's topological structure in the estimability of the network dynamics and structure, and hence in dynamical network security.

1.2. DEFINITIONS FOR SECURITY AND VULNERABILITY OF NETWORK DYNAMICS

The purpose of this section is to introduce notions of security and vulnerability in cyber-physical systems that are concerned with the observation and modification of a network's physical dynamics by an adversary. Fundamentally, we define security as the amount of information about state dynamics and model parameters contained in local measurements made by an adversary in a cyber-physical network, and define vulnerability in terms of the possible impact on network-wide dynamics of local actuations/modifications made by an adversary.

Our work is largely motivated by growing concerns about threats and uncertainties impacting the physical world of large-scale cyber-physical infrastructures. More formally, we are primarily concerned with infrastructure or physical networks, whose primary purpose is the completion of a physical task rather than only information transfer. Classically, the state dynamics of such physical-infrastructure networks have been viewed as being governed by the underlying laws of interaction (e.g., physics or population dynamics rules), which yield differential equation models defined on a graph for the dynamics. Historically, natural disturbances (e.g., weather phenomena) and unexpected operational failures have been considered the primary causes of failure for such networks, and hence the robustness or vulnerability of the networks to such natural adversaries has been fairly thoroughly studied. As these infrastructure networks are becoming increasingly tied with cyber capabilities and are operating in ever more complex environments, the possibility for deliberate attacks from sentient adversaries is also increasing. The behaviors of sentient adversaries in cyber systems (which may be either internal components or external agents of the network) as well as the possible responses by system designers have been extensively studied. However, analogous concepts of security have not been systematically developed for adversarial behavior in the physical world.

We contend that a careful formulation of adversarial behavior in the physical world must be drawn on both the concepts of security developed for cyber systems, and a full understanding of the differential equation dynamics of the physical world. Here, we argue that control-theoretic notions regarding the estimation and actuation of network dynamics provide a natural mean for defining security of physical dynamics. Based on this viewpoint, we define concepts of security and vulnerability for physical network dynamics that encompass the behaviors of both natural and sentient adversaries as well as the responses of system designers to mitigate attacks. Precisely, we develop definitions of security associated with three aspects of adversarial behavior and response: (1) We define notions of security for physical network dynamics that describe a sentient adversary's ability to compute or infer important global statistics of the network dynamics or structure, by processing local, noisy observations of the dynamics. (2) We define notions of vulnerability for physical network dynamics, which quantify the amount of disruption to the dynamics that can be caused by either a natural or a sentient adversary through localized actuation. (3) We briefly discuss integrative notions regarding threats and threat responses for physical network dynamics. Specifically, we consider the need for adversaries to sequentially infer and then disrupt network dynamics, and hence consider the interplay between security and vulnerability. We also argue that the system designer's effort to identify, predict, and respond to actuations by adversaries (whether natural or sentient) can be viewed as dual notions of security/vulnerability.

The remainder of this section is organized as follows. We begin by briefly reviewing the types of models (defined on graphs) that are used to represent dynamics of physical-infrastructure networks, to provide a framework for our security definitions (Section 1.2.1). We then motivate and present control-theoretic definitions for each of the three aspects of adversarial behavior described above (Sections 1.2.2–1.2.4). Finally, we introduce the security problems in several example physical networks, thus motivating the developed framework (Section 1.2.5).

(Continues...)

---

Excerpted from HANDBOOK ON SECURING CYBER-PHYSICAL CRITICAL INFRASTRUCTURE by SAJAL K. DAS KRISHNA KANT NAN ZHANG Copyright © 2012 by Elsevier, Inc.. Excerpted by permission of Morgan Kaufmann. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---