Metrics for Secrecy and Resilience in Cyber-Physical-Systems

Abstract

<p>In this dissertation, we study the problem of Secrecy and Resiliency quantification for cyber physical systems. Secrecy (also known as confidentiality) refers to the ability to withstand attempts to uncover information/behaviors, whereas resilience (also known as integrity) refers to the ability to withstand attempts to modify information/behaviors. Thus, former is an observability related attribute while the latter is an attribute related to controllability. In this dissertation we are primarily concerned with protecting systems behaviors from being revealed or altered.</p> <p>Unlike information, behaviors cannot be encrypted and may instead be protected by providing covers that generate indistinguishable observations from behaviors needed to be kept secret. Such a scheme may still leak information about secrets due to statistical difference between the occurrence probabilities of the secrets and their covers. Jensen-Shannon Divergence (JSD) is a possible means of quantifying statistical difference between two distributions and can be used to measure such information leak as presented in this dissertation. Using JSD, we quantify loss of secrecy in stochastic partially-observed discrete event systems in two settings: (i) the centralized setting, corresponding to a single attacker/observer, and (ii) the distributed collusive setting, corresponding to multiple attackers/observers, exchanging their observed information. In the centralized case, an observer structure is formed and used to aide the computation of JSD, in the limit, as the length of observations approach infinity to quantify the worst case loss of secrecy. In the distributed collusive case, channel models are introduced</p> <p>to extend the system model to capture the effect of exchange of observations, that allows the JSD computation of the centralized case to be applied over the extended model to measure the distributed secrecy loss.</p> <p>We also formulate a measure for resiliency for dynamical hybrid systems with focus on power systems. The resiliency measure, called Level-of-Resilience (LoR), determined by examining: (i) the Region-of-Stability-Reduction (RoSR), as the RoS evolves under attack and recovery actions as captured by a “modal-RoS”, (ii) the eventual Level-of-Performance-Reduction (LoPR), as measured by percentage of reduction of load served, and (iii) Recovery-Time (RT), which is the time system takes to detect and recover from an attack or a fault. We illustrate our measure by comparing resiliency level of two power systems under two different attack scenarios.</p> <p>The level of resilience of a given system is assessed under various attack scenarios. We</p> <p>present a model-based approach for generating such attack scenarios. This requires a comprehensive description of the system model (describing architecture and connectivity, components and behaviors, assets, defenses, vulnerabilities, atomic attacks), as well as of security/resiliency properties being investigated. A state exploration based approach has been proposed to find all behaviors/paths of the model leading to those reachable states where the specified security/resiliency properties are violated. An attack graph is a collection of all paths from initial states to such reachable violating states. We present a model-based attack graph generation approach and its implementation.</p>