Effort Name:
Application of Cyber Security Techniques in the Protection of Efficient Cyber-Physical Energy Generation Systems
Lead Organization:

Lawrence Berkeley National Laboratory

Lawrence Berkeley National Laboratory (LBNL) is a member of the national laboratory system supported by the U.S. Department of Energy (DOE) through its Office of Science (SC). It is managed by the University of California (UC) and is charged with conducting unclassified research across a wide range of scientific disciplines. Berkeley Lab's Computing Sciences organization researches, develops, and deploys new tools and technologies to meet these needs and to advance research in such areas as global climate change, new energy sources, increased energy efficiency, new materials, biology and astrophysics. Computing Sciences carries out its mission by operating two national user facilities — NERSC and ESnet — and by conducting applied research and development in computer science, computational science, and applied mathematics — the three essential elements of computational modeling and simulation.
Contacts:
Primary Contact

Chuck McParland


Other Contacts

Sean Peisert

Effort Start Date:
1/3/2012
Funding Source:

U.S. Department of Energy (DOE) Office of Electricity Delivery and Energy Reliability (OE)

The Mission of the U.S. Department of Energy (DOE) Office of Electricity Delivery and Energy Reliability (OE) is to lead national efforts to modernize the electric grid; enhance security and reliability of the infrastructure; and facilitate recovery from disruptions to energy supply.
Funding To Date:
$100-$500K
Technology Readiness:
(Only for R&D)
Applied Research
25%
Effort Description:
Cyber-physical systems have always been designed with extremely high degrees of safety in mind, using a technique called safety engineering. Safety engineering sets the requirements and best practices for how systems should be operated by human operators and for failure scenarios such as fail-safe, fail-fast, and fail-stop. Similarly, designers of computer systems are well-advised to consider computer security principles. In fact, much existing research and development effort relating to the security of these systems treats the two elements in tight compartments, where either the cyber infrastructure or the physical one is assumed to work in an ideal manner and cannot be the root cause or trigger of security violations in the other domain.

The intersection of safety engineering and computer security is, however, one of the most significant sources of concern for cyber-physical systems. Specifically, where are the gaps left by the designers of such systems, in which unsafe assumptions are made about which of the "cyber" and "physical" systems is responsible for safety and security?
Lawrence Berkeley National Laboratory (LBNL) is using the control protocols, while taking into account the physical limitations of the devices, to develop specifications and enhanced monitoring techniques that determine when a system does, or is about to, violate a protocol, which may be the result of external or internal threats. The approach will characterize operational protocols using pre- and post-conditions of state transitions, and correlate behavior from local activity captured across multiple devices to:
1) verify that sent and received commands are consistent;
2) ensure that devices behave within security and safety specifications; and
3) initiate a diagnosis in the case of non-compliance that involves both physical and cyber elements.
The effort will also research methods of delegating cyber and physical protection responsibilities to low-level sensors and actuators.
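An added illustration, not code from the LBNL project, of the monitoring approach described above: a minimal monitor that pairs commands sent by the controller with commands observed at the device, checks each received command against a state machine with physical pre- and post-conditions, and reports where the cyber and physical sides disagree so that a diagnosis can start. The command names, states, thresholds and the trace are constructed for this example.

```python
from collections import deque

# Command -> (required state or None for any, resulting state, precondition on the
# device reading, postcondition on the next reading). All values are constructed.
PROTOCOL = {
    "START_PUMP": ("IDLE",    "PUMPING", lambda r: r["valve_open"], lambda r: r["flow"] > 0),
    "IGNITE":     ("PUMPING", "HEATING", lambda r: r["flow"] > 0,   lambda r: r["temp"] > 40),
    "STOP":       (None,      "IDLE",    lambda r: True,            lambda r: r["flow"] == 0),
}
MATCH_WINDOW = 2.0  # seconds within which a sent command must be seen at the device

def monitor(events, state="IDLE"):
    """Correlate 'sent'/'recv' events (in time order), check each received command against the state machine, return findings."""
    pending, findings, expect_post = deque(), [], None
    for ev in events:
        if ev["kind"] == "sent":
            pending.append(ev)
        elif ev["kind"] == "recv":
            while pending and ev["t"] - pending[0]["t"] > MATCH_WINDOW:  # dropped or blocked on the control network
                lost = pending.popleft()
                findings.append(f"t={lost['t']}: {lost['cmd']} sent but never received")
            if pending and pending[0]["cmd"] == ev["cmd"]:
                pending.popleft()  # sent and received commands agree
            else:
                findings.append(f"t={ev['t']}: {ev['cmd']} received with no matching send")
            src, dst, pre, post = PROTOCOL[ev["cmd"]]
            if src is not None and state != src:
                findings.append(f"t={ev['t']}: {ev['cmd']} not allowed in state {state}")
            elif not pre(ev["reading"]):
                findings.append(f"t={ev['t']}: precondition of {ev['cmd']} failed: {ev['reading']}")
            else:
                state, expect_post = dst, (ev["cmd"], post)
        elif ev["kind"] == "reading" and expect_post:
            cmd, post = expect_post
            expect_post = None
            if not post(ev["reading"]):  # the cyber side accepted the command, the physical side did not follow
                findings.append(f"t={ev['t']}: postcondition of {cmd} failed: {ev['reading']}")
    findings += [f"t={p['t']}: {p['cmd']} sent but never received" for p in pending]
    return findings

# Constructed trace: the pump never produces flow, an IGNITE arrives that was never sent, then a normal STOP.
SAMPLE_TRACE = [
    {"t": 0.0, "kind": "sent", "cmd": "START_PUMP"},
    {"t": 0.4, "kind": "recv", "cmd": "START_PUMP", "reading": {"valve_open": True, "flow": 0, "temp": 20}},
    {"t": 1.0, "kind": "reading", "reading": {"valve_open": True, "flow": 0, "temp": 20}},
    {"t": 2.0, "kind": "recv", "cmd": "IGNITE", "reading": {"valve_open": True, "flow": 0, "temp": 20}},
    {"t": 3.0, "kind": "sent", "cmd": "STOP"},
    {"t": 3.5, "kind": "recv", "cmd": "STOP", "reading": {"valve_open": True, "flow": 0, "temp": 20}},
    {"t": 4.0, "kind": "reading", "reading": {"valve_open": False, "flow": 0, "temp": 20}},
]
```

Running `monitor(SAMPLE_TRACE)` yields three findings: the START_PUMP postcondition fails at t=1.0 (a physical fault or a spoofed acknowledgement), and the IGNITE at t=2.0 both lacks a matching send and fails its flow precondition.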
Results/Deliverables:
Our analysis to date is based on use cases and data from the University of California at Davis Central Heating and Cooling Plant (CHCP). One of the activities we have performed as part of our preliminary study is to capture a trace of the network traffic by connecting a laptop running a network protocol analyzer (Wireshark) to the main PLC cabinet. This step is necessary to develop mechanisms that would measure and enhance the security of such systems. Some of the questions we are examining while making sense of the captured data include: what is the network really doing, anyhow? What does the network reveal about the operation of the cyber-physical system? How will we evaluate the IDS that we are constructing? What kinds of tests (e.g., penetration testing) are appropriate?
To date, we have successfully obtained access to network monitoring and command streams, as well as to stored monitoring and archival data (multiple databases). We have also observed network traffic on major control network segments and mapped nodes and protocols onto expected behaviors.
We have used the network traffic traces to create network maps. Looking closely at the CHCP plant, what emerges is that while the newest physical assets have expanded and improved their networking capabilities, they have, in parallel, strengthened their local controls to help prevent, to some extent, unsafe use of the individual machines. But, as much as the operators are gratified with these safety advances and improved capabilities, they recognize that there are several older assets in these plants that were never intended to be connected to any network. Furthermore, these improved controls are local, which means there is no mechanism in place, nor any test or certification process for the networked system as a whole, that would ensure to a certain degree that the machines cannot exhibit a collective behavior that is damaging.
One of the key reasons why the collective physical actions matter is that all these physical systems, newer and older, draw energy from the same electrical grid. It is the combination of the two networks, the data network and the electrical network, that can be a threat even under the assumption of perfectly robust local control. While the most recent literature gives a more positive and constructive outlook on the problem of networked control under communication constraints, modular and scalable solutions for networked control are still elusive in many cases. The most difficult class of problems in networked control arises when a separation of control and communication time scales is impossible. In these cases, networked control problems are hard to simplify and become intrinsically very complex, if not completely intractable, because of the lack of modularity between communication and control. It has long been known from the celebrated Witsenhausen counterexample that, in these cases, the separation of estimation and controller design fails to hold even in the simplest settings.
The main conclusions we can draw from what we examined are that the networking of several devices has given the operators a greater sense of safety and flexibility, but that, in turn, what the network actually does is broadly misunderstood. The picture we derived confirms the concern that these network deployments offer no support for contingency planning or for the analysis of events that originate in the cyber network, and this attests to the lack of testing models for these networked infrastructures among the industry suppliers that provide this equipment. The heterogeneity of devices connected to the network is particularly daunting, as are the challenges of networked control.
Going forward, considering the challenges encountered in compiling this inventory and accessing the data, we are in the process of creating a very simplified computer model that can shed some light on the first tasks outlined in our project objectives and that represents our initial step towards a computer model that can replace and inform these case studies.
Participating Organizations:

University of California at Davis

Project Mapped To:
2. Assess and Monitor Risk
2.3 Tools for real-time security state monitoring and risk assessment of all energy delivery system architecture levels and across cyber-physical domains commercially available
3. Develop and Implement New Protective Measures to Reduce Risk
3.4 Self-configuring energy delivery system network architectures widely available
4. Manage Incidents
4.1 Tools to identify cyber events across all levels of energy delivery system networks commercially available
4.2 Tools to support and implement cyber attack response decision making for the human operator commercially available
Related Documents: