Verification of Information Flow Properties in Cyber-Physical Systems Ravi Akella, Bruce McMillin Department of Computer Science Missouri University of Science & Technology Rolla, MO, USA CPS Week 2011: Workshop on Foundations of Dependable and Secure Cyber-Physical Systems April 11, 2011 Chicago, Illinois This work was supported in part by the Future Renewable Electric Energy Delivery and Management Systems Center (FREEDM); a National Science Foundation supported Engineering Research Center, under grant NSF EEC and in part by the Missouri S&T Intelligent Systems Center.

Cyber-Physical Systems (CPS) o Integrations of computational and physical processes o An example CPS is the FREEDM system: a smart grid managed with Distributed Grid Intelligence (DGI) o DGI consists of cyber processes that perform distributed computation to efficiently manage distributed energy resources by interfacing with Intelligent Energy Management (IEM) o There is an inter-dependence of events within the physical and cyber processes

Cyber events within a CPS involve: 1)distributed computation, 2)communication with other cyber components, and 3)communication with the physical component that it controls. Physical events include: 1)a local state change of the physical subsystem resulting from a cyber component controlling it, 2)a local physical state change resulting from the dynamics of the physical system, and 3)the observability of the physical system modeled as events CPS Interactions

CPS Smart grid Interactions e e a a c c b b d d e e a a c c b b d d e e At this IEM, information obtained from the observable physical event yields information about the cyber command (b) SST PHEV Load PV DGI SST PHEV Load Wind DGI SST Battery Load PV DGI a a b b c c d d Read state of Physical system a a Issue command to make a setting b b Message exchange including partial state information c c Power draw or contribution on the shared power bus d d e e Event due to physical flow on the shared power bus e e IEM 1 IEM 2 IEM 3

Information flow usecase of a CPS

Information Flow Security aims at guaranteeing that no high level (confidential) information is revealed to users at a low level, even in the presence of any possible cyber/physical process Potential information flow models for CPSs: – Non-Interference: Information does not flow from high to low if the high behavior has no effect on what low level observer can observe – Non-Inference: leaves a low level observer in doubt about high level events. – Non-deducibility: Given a set of low-level outputs, no low-level subject should be able to deduce anything about the high-level inputs [Sutherland]. – Composition of deducibly secure systems: not composable [McCullough] – McCullough`s Generalized noninterference-secure property considers non- determinism of real systems

A unified approach to deal with CPSs is necessary that can encompass the cyber and physical events We propose a process algebraic approach adopted to analyze the information flow in CPSs Security process algebra provides an abstract description for nondeterministic and concurrent systems with actions belonging to different levels of confidentiality (Low and High) Using process algebra, bisimulation provides a formal method to determine nondeducibility.

A system E is BNDC if for every high level process ∏, a low level user cannot distinguish E from E| ∏ E| ∏ : Parallel Composition of E1& ∏ where executions of the two systems are interleaved Bisimulation-based NonDeducibility on Composition (BNDC)

Bisimulation o Two processes are weakly bisimilar if they are able to mutually simulate their behavior step by step. o In a weak bisimilarity relation, internal silent actions ( τ ) between processes is ignored. E1 and E2 are bisimilar and they both simulate E3 E3 is not bisimilar to E1

Strong BNDC (SBNDC) The system before and after execution of a high level event remains indistinguishable to the low level domain E E E’’\H E’ E’\H E’’ h

Simplification of SBNDC: Bisimulation up to H The problem of verifying weak bisimulation for all high level transitions of the system can be transformed into finding a bisimulation up to H relation E E E\H

Recap: Process algebra and Bisimulation based security applied to a CPS The analysis involves the following steps: – Representation of cyber and physical processes and their interactions as events in the computational framework – Modeling the CPS using process algebra as a set of logic actions – Identification of the High Level and Low level events within the system – Finally, verification of bisimulation equivalence between the system that performed high level actions and the system that is restricted of performing high-level actions

SST Battery Load PV DGI SST Battery Load PV DGI SST Battery Load PV DGI Invariance of Flow in a CPS Power shared between 1 and 2 due to DGI algorithm Power flow satisfies the Kirchhoff's law of invariance on the bus that can be represented as a physical event

SST Battery Load PV DGI SST Battery Load PV DGI SST Battery Load PV DGI Smart grid in terms of SPA

SBNDC for FREEDM The system before and after execution of a high level event remains indistinguishable to the low level domain E E E’’\ H E’ E’\H E’’ h

SBNDC for FREEDM o Such processes can be modified to satisfy SBNDC by inserting a complementary High level output, to make an internal action (τ) that is not observable o Such compensating events hide the physically observable effects

Our Current Work Prototype DGI for FREEDM – IEEE SmartGridComm 2010 Akella/Ditch/McMillin/Meng/Crow Full Specification of DGI in SPA – EWICS SAFECOMP 2010 Akella/McMillin Formal Verification of Transmission Grid/Pipeline Network Security with SPA/CoPS – J. of Critical Infrastructure Protection – Akella/Tang/McMillin 2010 Component Construction for Constructing Secure Smart Grid Systems – IEEE COMPSAC 2011 Gamage/Roth/McMillin

Directions for future work Information flow analysis, with its origins in computational systems, can be extended to the realm of cyber-physical systems to verify their security Representation of physical events including attributes such as invariance and physical observability expose potential confidentiality violations Process algebra presents a uniform model of defining cyber and physical processes that can be mechanically verified Model checking complexity incurred in automating the verification of CPS processes can be reduced using techniques like partial order reduction and new bisimulation techniques to reduce state space