
# Time-Synchronization Attacks against Critical Infrastructures and their Mitigation

Abstract

This work focuses on the security of critical infrastructures against time-synchronization attacks (TSAs). A TSA can impact any network that relies on the dynamic analysis of data, by altering the time synchronization between its nodes; a network under such an attack can start to fail. Some TSAs are thwarted by cyber-security tools such as authentication and confidentiality algorithms. However, such tools cannot counter TSAs that are implemented physically. Such TSAs are invisible to those tools, but they may still be detected if they lead to non-plausible observations. Identifying TSAs therefore requires in-depth knowledge of the system's operation. We focus on TSAs in two settings.

First, we consider smart grids. Their control and operation require timely knowledge of the system state, which is inferred from an estimate computed from measurements. We consider phasor measurements taken by phasor measurement units (PMUs). PMUs require a precise time synchronization, which is a weakness, as existing synchronization methods are vulnerable to attacks. We aim to assess the vulnerability of the synchrophasor-based state estimation of a system by exploring the feasibility and detectability of TSAs on PMUs. A widespread technique to make state estimation more robust is to couple it with a bad-data detection (BDD) scheme. However, it is known that false data injection attacks and TSAs can impact the state estimate without being detected by the BDD algorithms. We present practical attack strategies for undetectable TSAs and novel vulnerability conditions. One of them is a static condition that does not depend on the measurement values; we propose a security requirement that prevents it and a greedy offline algorithm that enforces it. If this requirement is satisfied, the grid may still be attacked, although we argue that this is unlikely. We identify two necessary and sufficient vulnerability conditions that depend on the measurement values; for each, we provide a metric that gives the distance between the observed and the vulnerable conditions. Enforcing our requirement requires increasing the number of measurement points in the grid. We also investigate the benefits of using the three-phase model instead of the direct-sequence model for security: we show that, if the power system is unbalanced, the three-phase model makes it possible to detect attacks that are undetectable with the direct-sequence model. Numerical results from simulations with real load profiles from the Lausanne grid confirm our findings.

Second, we consider sensor networks for passive-source localization, specifically the localization of a passive source from time-difference-of-arrival (TDOA) measurements. Such measurements are highly sensitive to time-synchronization offsets. We first illustrate that TSAs can affect the localization and show that residual analysis does not enable the detection and identification of TSAs. We then propose a two-step TDOA-localization technique that is robust against TSAs. It uses a known source to define a weight for each pair of sensors, reflecting the confidence in their mutual synchronization, and then applies the weighted least-squares estimator with these weights to the TDOA measurements received from the unknown source. Our method either identifies the network as too corrupt or returns a corrected estimate of the unknown position along with a confidence metric. Numerical results illustrate the performance of our technique.
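The two-step technique described above, as an added example that is not the thesis's own code: a small acoustic sensor array, one sensor whose clock is offset, a calibration source at a known position, and a Gauss-Newton weighted least-squares fix. The geometry, the propagation speed, the timing-noise level, the weight w_ij = 1/(sigma^2 + e_ij^2), the per-sensor trust rule and the residual-based confidence metric are all constructed assumptions standing in for the weights and the "too corrupt" decision the abstract mentions; they are not the thesis's definitions.

```python
# Added example (not the thesis's code): a one-sensor clock offset biases a TDOA
# position fix, and a two-step calibrated weighted least squares in the spirit of the
# abstract tolerates it.  Geometry, propagation speed, the weight formula
# w_ij = 1/(sigma^2 + e_ij^2), the per-sensor trust rule and the confidence metric J
# are constructed assumptions, not the thesis's definitions.
import math

C = 343.0        # propagation speed in m/s (acoustic; constructed)
SIGMA_T = 1e-4   # assumed timing noise of a TDOA measurement, in seconds

SENSORS = [(0.0, 0.0), (100.0, 0.0), (100.0, 100.0), (0.0, 100.0)]  # constructed array, metres
KNOWN = (20.0, 40.0)    # calibration source whose position the network knows
UNKNOWN = (30.0, 60.0)  # the passive source to be located (ground truth, for checking only)


def dist(p, s):
    return math.hypot(p[0] - s[0], p[1] - s[1])


def tdoa_measurements(source, sensors, offsets):
    """Measurement model: t_i = ||source - s_i||/C + delta_i, tau_ij = t_i - t_j for i < j.
    A time-synchronization attack is a non-zero clock offset delta_i on sensor i."""
    t = [dist(source, s) / C + d for s, d in zip(sensors, offsets)]
    return {(i, j): t[i] - t[j] for i in range(len(sensors)) for j in range(i + 1, len(sensors))}


def predicted_tdoa(p, sensors, pair):
    i, j = pair
    return (dist(p, sensors[i]) - dist(p, sensors[j])) / C


def calibration_weights(known_source, sensors, tau_known, flag_k=3.0):
    """Step 1: for the known source the geometric TDOA is known, so any mismatch e_ij can only
    come from a synchronization offset between sensors i and j.  In-sync pairs get weight
    ~1/sigma^2, offset pairs a tiny weight; pairs beyond flag_k*sigma are also flagged."""
    weights, flagged = {}, set()
    for pair, tau in tau_known.items():
        e = tau - predicted_tdoa(known_source, sensors, pair)
        weights[pair] = 1.0 / (SIGMA_T ** 2 + e ** 2)
        if abs(e) > flag_k * SIGMA_T:
            flagged.add(pair)
    return weights, flagged


def trusted_sensors(n, flagged):
    """A sensor is distrusted when more than half of its pairs disagree with the known source."""
    return [i for i in range(n) if sum(1 for pr in flagged if i in pr) <= (n - 1) / 2]


def wls_localize(tau, sensors, weights, p0, iters=50):
    """Step 2: Gauss-Newton weighted least squares on r_ij(p) = tau_ij - (||p-s_i|| - ||p-s_j||)/C.
    Returns the estimate and J = sum w_ij r_ij^2, used here as the confidence metric (lower is better)."""
    p = list(p0)
    for _ in range(iters):
        a, b, d, g0, g1 = 0.0, 0.0, 0.0, 0.0, 0.0   # normal equations [[a,b],[b,d]] delta = [g0,g1]
        for (i, j), t in tau.items():
            di, dj = dist(p, sensors[i]), dist(p, sensors[j])
            jx = ((p[0] - sensors[i][0]) / di - (p[0] - sensors[j][0]) / dj) / C  # d(TDOA)/dx
            jy = ((p[1] - sensors[i][1]) / di - (p[1] - sensors[j][1]) / dj) / C  # d(TDOA)/dy
            r, w = t - (di - dj) / C, weights[(i, j)]
            a += w * jx * jx; b += w * jx * jy; d += w * jy * jy
            g0 += w * jx * r; g1 += w * jy * r
        det = a * d - b * b
        dx, dy = (d * g0 - b * g1) / det, (a * g1 - b * g0) / det
        p[0] += dx; p[1] += dy
        if math.hypot(dx, dy) < 1e-6:
            break
    J = sum(weights[pr] * (t - predicted_tdoa(p, sensors, pr)) ** 2 for pr, t in tau.items())
    return (p[0], p[1]), J


def robust_localize(sensors, known_source, tau_known, tau_unknown, min_sensors=3):
    """Returns None when too few mutually synchronized sensors remain for a 2-D fix,
    else (position estimate, confidence metric J)."""
    weights, flagged = calibration_weights(known_source, sensors, tau_known)
    if len(trusted_sensors(len(sensors), flagged)) < min_sensors:
        return None
    centroid = (sum(s[0] for s in sensors) / len(sensors), sum(s[1] for s in sensors) / len(sensors))
    return wls_localize(tau_unknown, sensors, weights, centroid)


def demo(offsets):
    """Naive (unweighted) vs. calibrated fix for the given per-sensor clock offsets (seconds).
    Returns (naive error in m, robust error in m or None if the network is declared too corrupt)."""
    tau_known = tdoa_measurements(KNOWN, SENSORS, offsets)
    tau_unknown = tdoa_measurements(UNKNOWN, SENSORS, offsets)
    naive, _ = wls_localize(tau_unknown, SENSORS, {pr: 1.0 for pr in tau_unknown}, (50.0, 50.0))
    robust = robust_localize(SENSORS, KNOWN, tau_known, tau_unknown)
    return dist(naive, UNKNOWN), (None if robust is None else dist(robust[0], UNKNOWN))


if __name__ == "__main__":
    print("no attack          :", demo([0.0, 0.0, 0.0, 0.0]))
    print("sensor 2 off 30 ms :", demo([0.0, 0.0, 0.03, 0.0]))
    print("two sensors off    :", demo([0.0, 0.0, 0.03, -0.02]))
```

Running it prints the naive and calibrated position errors for three cases: no offset (both fixes exact), a 30 ms offset on one sensor (the naive fix lands several metres off, the calibrated fix within millimetres, with a visibly larger J), and two offset sensors (the network is declared too corrupt because fewer than three sensors remain mutually synchronized). The calibration only helps if the offsets are stable between the known-source and unknown-source measurements; an attacker who changes the offset between the two steps is not caught by these weights.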



Related concepts (36)

Physical measurement

Physical measurement is the act of determining the value or values of a quantity (length, capacity) by comparison with a constant quantity of the same kind taken as the term of reference (standard

Numerical analysis

Numerical analysis is a discipline at the interface between mathematics and computer science. It is concerned both with the foundations and with the practical use of methods that make it possible to solve, by

Sûreté (security of the person)

In politics, sûreté is protection against power or violence, danger or threats. More specifically, in the 1789 Declaration of the Rights of Man and of the Citizen, sûreté

Related publications (61)


An active distribution network (ADN) is an electrical-power distribution network that implements real-time monitoring and control of the electrical resources and the grid. Effective monitoring and control are realised by deploying a large number of sensing and actuating devices and a communication network that facilitates the two-way transfer of data. The reliance of ADN operations on a large number of electronic devices and on communication networks poses a challenge in protecting the system against cyber-attacks. Identifying these challenges and commissioning appropriate solutions is of utmost importance to realize the full potential of a smart grid that seamlessly integrates distributed generation, such as renewable energy sources.

As a first step, we perform a thorough threat analysis of a typical ADN. We identify potential threats against field devices, the communication infrastructure and the servers at control centers. We also propose a check-list of security solutions and best practices that guarantee a distribution network's resilient operation in the presence of malicious attackers, natural disasters, and other unintended failures that could lead to islanded communication zones.

For the next step, we investigate the security of MPLS-TP, a technology mainly used for long-distance inter-domain communication in smart grids. We find that an MPLS-TP implementation in Cisco IOS has serious security vulnerabilities in two of its protocols, BFD and PSC, which control the protection-switching features of MPLS-TP. In our test-bed, we demonstrate that an attacker with physical access to the network can exploit these vulnerabilities to inject forged BFD or PSC messages that affect the network's availability.

Third, we consider multicast source authentication for synchrophasor data communication in grid monitoring systems (GMS). Ensuring source authentication without violating the stringent real-time requirements of a GMS is challenging. Through an extensive review of existing schemes, we identified a set of schemes that satisfy some desirable requirements for GMS: ECDSA, TV-HORS and Incomplete-key-set. We experimentally compared these schemes using computation, communication and key-management overheads as performance metrics. A tweak to the ECDSA implementation, making it use pre-generated tokens to produce signatures, significantly reduces ECDSA's computation overhead and makes it the preferred scheme for GMS. This finding is contrary to the generally accepted view that asymmetric cryptography is inapplicable to real-time systems.

Finally, we studied a planning problem that arises when a utility wants to roll out a software patch that requires rebooting all PMUs while maintaining system observability. The problem is to partition the set of deployed PMUs into as few subsets as possible such that all the PMUs in one subset can be patched in one round while the PMUs in the other subsets provide full observability. We show that the problem is NP-complete in the general case and formulate it as a binary integer linear programming (BILP) problem. We also provide a heuristic algorithm that finds an approximate solution. Furthermore, we identify a special case of the problem, where the grid is a tree, and provide a polynomial-time algorithm that finds an optimal patching plan requiring only two rounds to patch the PMUs.

Marguerite Marie Nathalie Delcourt, Jean-Yves Le Boudec

Time-synchronization attacks on phasor measurement units (PMUs) pose a real threat to smart grids: it has been shown that they are feasible in practice and that they can have a non-negligible negative impact on state estimation without triggering the bad-data detection mechanisms. Previous works identified vulnerability conditions when the targeted PMUs measure a single phasor. Yet PMUs are capable of measuring several quantities. We present novel vulnerability conditions for the general case, where PMUs measure any number of phasors and can share the same time reference. One is a sufficient condition that does not depend on the measurement values. We propose a security requirement that prevents it and provide a greedy offline algorithm that enforces it. If this security requirement is satisfied, there is still a possibility that the grid can be attacked, although we conjecture that it is very unlikely. We identify two necessary and sufficient vulnerability conditions, which depend on the measurement values. For each, we provide a metric that shows the distance between the observed and the vulnerable conditions, and we recommend monitoring these metrics for security. Numerical results on the IEEE 39-bus benchmark with real load profiles show that the measurements of a grid satisfying our security requirement are far from vulnerable.
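What "undetectable by BDD" means in the linear case, and why the single-phasor case is the easy one for the attacker, as an added example that is not the paper's code. The undetectability check used here is the classic false-data-injection condition a = H c (the attack vector lies in the column space of the measurement matrix H, so the residual is unchanged); the paper's own conditions for multi-phasor PMUs sharing a time reference are not reproduced. The 3-bus DC model, the measurement matrix, the noise levels, the chi-square thresholds and the 100 µs attack are all constructed assumptions.

```python
# Added example (not the paper's code): a clock offset at a PMU rotates every phasor it
# reports by the same angle, and whether the usual weighted-least-squares bad-data detector
# (BDD) notices depends on whether that rotation looks like a legitimate change of state.
# The undetectability test used is the generic false-data-injection condition a = H c
# (attack vector in the column space of H), not the paper's own vulnerability conditions.
# Network, measurement matrix H, noise levels and the attack are constructed: a linearized
# (DC) 3-bus grid with bus 1 as angle reference, state x = [theta_2, theta_3], z = H x + e.
import math

F_NOMINAL_HZ = 50.0
CHI2_95 = {1: 3.841, 2: 5.991, 3: 7.815}   # chi-square 95% quantiles by degrees of freedom
X_TRUE = [-0.05, -0.08]                     # true bus angles (rad), constructed
SIGMA_ANGLE, SIGMA_FLOW = 0.01, 0.01        # assumed measurement standard deviations


def tsa_phase_shift(offset_s, f_hz=F_NOMINAL_HZ):
    """Rotation (rad) of every phasor reported by a PMU whose time reference is off by offset_s."""
    return 2.0 * math.pi * f_hz * offset_s


def solve(A, b):
    """Gaussian elimination with partial pivoting for a small square system A x = b."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x


def wls(H, z, sigma):
    """Weighted least squares: x_hat = (H^T W H)^-1 H^T W z, W = diag(1/sigma_i^2)."""
    m, n = len(H), len(H[0])
    w = [1.0 / s ** 2 for s in sigma]
    HtWH = [[sum(w[k] * H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    HtWz = [sum(w[k] * H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve(HtWH, HtWz)


def bdd(H, z, sigma):
    """Chi-square BDD: J = sum_i ((z - H x_hat)_i / sigma_i)^2 against the threshold for m - n degrees of freedom."""
    x_hat = wls(H, z, sigma)
    J = sum(((z[k] - sum(H[k][i] * x_hat[i] for i in range(len(x_hat)))) / sigma[k]) ** 2 for k in range(len(z)))
    return J, J > CHI2_95[len(z) - len(x_hat)], x_hat


def is_undetectable(H, a, tol=1e-9):
    """True iff a = H c for some c: the residual z - H x_hat is then identical with and without the attack."""
    c = wls(H, a, [1.0] * len(a))
    return all(abs(a[k] - sum(H[k][i] * c[i] for i in range(len(c)))) < tol for k in range(len(a)))


def scenario(redundant_flow_12, offset_s=100e-6):
    """PMU at bus 2 reports theta_2 with a clock offset; bus 3 has an honest PMU; the flow on
    line 1-3 (x = 0.25 p.u.) is metered separately.  With redundant_flow_12, the flow on
    line 1-2 (x = 0.1 p.u.) is also metered by a device with its own time reference."""
    H = [[1.0, 0.0],      # PMU voltage angle at bus 2
         [0.0, 1.0],      # PMU voltage angle at bus 3
         [0.0, -4.0]]     # P_13 = (theta_1 - theta_3) / 0.25 with theta_1 = 0
    sigma = [SIGMA_ANGLE, SIGMA_ANGLE, SIGMA_FLOW]
    if redundant_flow_12:
        H.append([-10.0, 0.0])   # P_12 = (theta_1 - theta_2) / 0.1
        sigma.append(SIGMA_FLOW)
    z = [sum(H[k][i] * X_TRUE[i] for i in range(2)) for k in range(len(H))]   # noise-free, consistent
    a = [0.0] * len(z)
    a[0] = tsa_phase_shift(offset_s)   # only the attacked PMU's own phasor rotates
    J, alarm, x_hat = bdd(H, [z[k] + a[k] for k in range(len(z))], sigma)
    return {"undetectable": is_undetectable(H, a), "J": J, "alarm": alarm, "x_hat": x_hat}


if __name__ == "__main__":
    print("no redundancy  :", scenario(False))   # attack passes as a shifted theta_2
    print("with P_12 meter:", scenario(True))    # residual jumps, BDD alarms
```

The first scenario is the single-phasor case: the rotated angle at bus 2 is exactly what the estimator would see if theta_2 had legitimately changed, so the residual and J are zero and the estimate absorbs the full 0.0314 rad (100 µs at 50 Hz) shift. Adding one independently clocked measurement that also depends on theta_2 takes the attack vector out of the column space of H, and J rises to about 9.8 against a threshold of 5.99. The metrics the abstract proposes generalize this idea: they measure how far the current measurements are from a configuration in which such an attack vector fits inside the column space.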

Gyorgy Miklos Dan, Marguerite Marie Nathalie Delcourt, Jean-Yves Le Boudec, Mario Paolone

Phasor measurement units (PMUs) rely on accurate time synchronization to phase-align the phasors and to timestamp the voltage and current phasor measurements. Among the symmetrical components computed from the phasors in three-phase systems, standard practice uses only the direct-sequence component for state estimation and bad-data detection (BDD). Time-synchronization attacks (TSAs) can compromise the measured phasors and can thus significantly alter the state estimate in a manner that is undetectable by widely used power-system BDD algorithms. In this paper we investigate the potential of utilizing the three-phase model instead of the direct-sequence model for mitigating the vulnerability of state estimation to undetectable TSAs. We show analytically that, if the power system is unbalanced, using the three-phase model as input to the BDD algorithms makes it possible to detect attacks that would be undetectable if only the direct-sequence model were used. Simulations performed on the IEEE 39-bus benchmark using real load profiles recorded on the grid of the city of Lausanne confirm our analytical results. Our results provide a new argument for the adoption of three-phase models for BDD: their use is a simple yet effective measure for reducing the vulnerability of PMU measurements to TSAs.

2021