The development of successful cyber security systems for intrusion and malicious activity detection involves the ability to fuse information from many disparate sources at multiple levels of a system, potentially from deep packet analysis to traffic analysis within and between networks. While the large volume of transactions to be considered provides a vast amount of data for the inference of models and the collection of statistically significant samples, it also offers substantial cover for bad actors making the identification of intrusions and malicious activity akin to finding the proverbial needle in a haystack.
Problems associated with the detection of cyber attacks are compounded when it comes to cyber-physical systems that integrate computational, networking, and physical processes. Cyber-physical systems are engineered systems that are built from and depend upon the synergy of computational and physical components. Computers and networks monitor and control the physical processes, with feedback loops where physical processes affect computations and vice versa. Examples of the many cyber-physical system (CPS) application areas include the smart electric grid, smart transportation, smart buildings, smart medical technologies, next-generation air traffic management, and advanced manufacturing.
The physical dynamics of cyber-physical systems may be exploited to either mount or obscure an attack. Our nation's critical infrastructure includes many large-scale, complex cyber-physical systems. For example, the modernization of electric power transmission systems has included the implementation of new sensors, control actuators and a communications network overlay on legacy power systems for monitoring and control.
Compound cyber-physical electric power generation and transmission systems are susceptible to both physical and cyber attacks. For instance, synchrophasors (phasor measurement units synchronized using GPS time to monitor voltage angles at points separated by large distances) are susceptible to GPS time spoofing. The communication network transmissions of the synchrophasor observations can also be maliciously corrupted. Thus, data can be corrupted at the source, or in transmission, to induce dangerous control actions potentially resulting in the destabilization of power generation and distribution systems.
A related issue is that the power generation and distribution systems are also needed to power the monitoring and control systems. Thus, the effects of local disturbances are tremendously amplified when the monitoring and control resources for larger areas are taken off-line.
Cyber-physical systems typically comprise a large number of disparate components, where the number of interactions between components can increase exponentially with the number of components. The intentional corruption of phase measurement data, as well as other forms of deliberate exploitation, often cannot be identified by conventional analysis of network traffic or condition monitoring of sensors. In many cases, cyber and/or physical attacks are indistinguishable from expected behavior when viewed using traditional observation approaches and processes, which typically have a very local scope based on limited sensing. However, malicious attacks, particularly cyber attacks that corrupt data, do not in general corrupt it in a way that remains physically consistent with other, non-corrupted sources of information. Cyber and/or physical attacks can become distinguishable from naturally occurring behavior when observations are interpreted in a broader context that embeds the physical constraints inherent in system dynamics, considered over a larger (potentially global) spatiotemporal domain.
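The cross-checking described above, as an added example that is not from the original article: a Python consistency check that compares the line current implied by the voltage phasors reported by the PMUs at both ends of a line against the current magnitude one PMU measures locally, which does not depend on its time reference. The lossless series-reactance line model, the per-unit values and the 100 µs time offset are constructed assumptions.

```python
import cmath
import math

F_NOMINAL_HZ = 60.0         # nominal system frequency
LINE_REACTANCE_PU = 0.05    # constructed per-unit series reactance of the monitored line
TOLERANCE_PU = 0.02         # allowed gap between implied and locally measured current


def line_current_from_phasors(v1, theta1_deg, v2, theta2_deg, x_pu=LINE_REACTANCE_PU):
    """Current magnitude implied by the two terminal voltage phasors of a lossless
    series-reactance line (constructed simplification: no resistance, no shunt elements)."""
    e1 = cmath.rect(v1, math.radians(theta1_deg))
    e2 = cmath.rect(v2, math.radians(theta2_deg))
    return abs((e1 - e2) / complex(0.0, x_pu))


def angle_under_time_error(theta_deg, time_offset_s, f_hz=F_NOMINAL_HZ):
    """Angle a PMU reports when its GPS time reference is off by time_offset_s
    (used here only to construct a corrupted sample frame)."""
    return theta_deg + 360.0 * f_hz * time_offset_s


def pmu_report(v, theta_deg, i_local):
    """One PMU frame: time-referenced voltage phasor plus locally measured current magnitude."""
    return {"v": v, "theta": theta_deg, "i": i_local}


def consistency_check(a, b, x_pu=LINE_REACTANCE_PU, tol=TOLERANCE_PU):
    """Compare the current implied by both ends' phasors with the current PMU a measured
    locally. The local magnitude is independent of the time reference, so a time-shifted
    angle breaks the agreement. Returns (consistent, mismatch)."""
    implied = line_current_from_phasors(a["v"], a["theta"], b["v"], b["theta"], x_pu)
    mismatch = abs(implied - a["i"])
    return mismatch <= tol, mismatch


def scan_frames(frames):
    """Indices of the frame pairs that violate the physical line constraint."""
    return [k for k, (a, b) in enumerate(frames) if not consistency_check(a, b)[0]]


# Constructed true state: sending end 1.02 pu at 5 deg, receiving end 1.00 pu at 0 deg.
TRUE_I = line_current_from_phasors(1.02, 5.0, 1.00, 0.0)
FRAMES = [
    (pmu_report(1.02, 5.0, TRUE_I), pmu_report(1.00, 0.0, TRUE_I)),                           # honest
    (pmu_report(1.02, angle_under_time_error(5.0, 100e-6), TRUE_I), pmu_report(1.00, 0.0, TRUE_I)),  # corrupted
    (pmu_report(1.02, 5.0, TRUE_I), pmu_report(1.00, 0.0, TRUE_I)),                           # honest
]

if __name__ == "__main__":
    print("flagged frames:", scan_frames(FRAMES))   # [1]
```

A 100 µs time error at 60 Hz shifts the reported angle by 2.16 degrees, which the local current measurement exposes as a mismatch of roughly 0.75 pu against a 0.02 pu tolerance.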
Traditional analysis tools are unable to cope with the full complexity of cyber-physical systems or adequately predict system behavior. The present electric power grid has experienced blackouts over large regions, tripped by minor events that escalate with surprising speed into widespread power failures. Even minor changes to consumer devices, such as air conditioners, have been shown to affect the behavior of the power grid. For example, a recent event was caused by a low-cost relay that took longer to close in conditions that stalled the air conditioning unit's compressor pump motor. The aggregate effect of multiple air conditioning units with stalled motors presented an inductive load that caused a voltage sag, which in turn stalled more pump motors and led to a voltage collapse. This illustrates the limitations of the current technology.