cred-c.org | 1

Metrics and Tools for Measuring Cyber Resiliency of Electric Grids

Venkatesh Venkataramanan, Anurag Srivastava, Adam HahnWashington State University

1

Saman ZonouzRutgers

cred-c.org | 2

What is cyber-physical resilience?

2

cred-c.org | 3

What is resilience?

From “Severe Impact Resilience: Considerations and Recommendations” NERC report, 2012.

“Keeping the power on during extreme weather events and other electric grid disruptions isessential, particularly so that critical facilities such as hospitals and water treatment plants cancontinue operating”DOE FOA allowed community to have their own definition of resiliency -http://energy.gov/articles/energy-department-announces-8-million-improve-resiliency-grid

PPD 21

Disaster Resilience – A national imperative

cred-c.org | 4

definition1 [the ability] to recover and resume operations within acceptable levels of service.2 a cyber system’s ability to function properly and securely despite disruptions to that system3 a holistic view of cyber risk, which looks at culture, people and processes, as well as technology4 A system’s ability to withstand cyber attacks or failures and then quickly reestablish itself5 ability of systems and organizations to withstand cyber events6 ability to withstand and recover quickly from unknown and known threats7 an organization’s ability to recover and return to normal operations after a cyber attack8 an organization’s ability to respond to and recover from a cybersecurity incident9 the ability to provide and maintain an acceptable level of service when facing attacks and challenges to normal operation10 Cyber resilience = cyber security + business resilience 11 the ability to operate the business processes in normal and adverse scenarios without adverse outcomes12 identifying and responding to security breaches13 the persistence of service delivery that can be justifiably be trusted, when facing changes and mainly regarded as fault tolerance14 maintaining the system’s critical functionality by preparing for adverse events, absorbing stress, recovering the critical functionality, and adapting to future threats15 withstand a major disruption because of unknown event16 organizations capability to cope with cyber attacks17 ‘robustness’ and ‘survivability’ measured in terms of performance and sustained availability. It also implies elements of both confidentiality and integrity18

The ability of a nation, organization, or mission or business process to anticipate, withstand, recover from, and evolve to improve capabilities conditions, stresses, or attacks on the supporting cyber resources it needs to function19 the ability of a substance or object to spring back into shape20 the ability of a system that is dependent on cyberspace in some manner to return to its original [or desired] state after being disturbed21 the ability of an organisation to understand the cyber threats it’s facing, to inform the known risks, to put in place proportionate protection, and to recover quickly from attack22 the ability of an organization to continue to function, even though it is in a degraded manner, in the face of impediments that affect the proper operation of some of its components23 the ability of cyber systems and cyberdependent missions to anticipate, continue to operate correctly in the face of, recover from, and evolve to better adapt to advanced cyber threats24 the ability of systems and organizations to develop and execute long-term strategy to withstand cyber events25 the ability of systems and organizations to withstand cyber events26 the ability of systems to anticipate/withstand/ recover from attacks and failures27 the ability to adapt and respond rapidly to disruptions and maintain continuity of operations28 the ability to continuously deliver the intended outcome despite adverse cyber events29 the ability to operate in the face of persistent attacks30 the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions31 the ability to prepare for and adapt to changing threat conditions while withstanding and rapidly recovering from attacks to infrastructure availability32 the ability to prepare for and recover quickly from both known and unknown threats33 the ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation34 the ability to recover from or easily adjust to misfortune or change35 the ability to recover, returning to an original state, after some event that disrupts this state36 the ability to withstand attacks and failures, as well as to mitigate harm more than in other domain37 the capability of a supply chain to maintain its operational performance when faced with cyber-risk38 the capacity to recover quickly from difficulties; toughness39

the continuation of operations even when society faces a severe disturbance in its security environment, the capability to recover quickly from the shock, and the ability to either remount the temporarily halted functions or re-engineer them40 the ability of an information processing system’s ability to return to some level of desired performance after a degradation of that performance41

the alignment of prevention, detection, and response capabilities to manage, mitigate, and move on from cyberattacks. It is the capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks

Courtesy - Aaron Clark-Ginsberg (Stanford, DHS) “What is cyber-resilience?”

What is Cyber-Resilience?

Resilience: The ability to supply its critical load through (and in spite of) limited extreme contingencies

cred-c.org | 5

1. Develop system-level quantitative cyber-physical resilience metrics

2. Develop tools to help utilities measure/monitor the resilience of their environment

Project Goals

Future: Transmission Current Focus: Microgrids/Distribution

Tools: CyPhyR CP-SAM

cred-c.org | 6

Putting a number to resiliencyWhat? The cyber-physical power grid currently lacks established metrics that can quantify resilienceWhy? To make the smart grid more resilient, it is important to develop metrics a “big-picture” cyber-physical model and also quantify device level resilienceHow? Using graph theoretic and physics based physical metrics, performance metrics from cyber system, and using testbeds for validation

cred-c.org | 7

CyPhyR solution

Incorporates:• Physical Grid: Topology based graph theory factors, switching operations, operation

constraints (power flow, voltage), redundancy of generators and paths• Cyber System: CVSS, IDS alerts, network topology

Create metrics for cyber-physical model of microgrid to evaluate impact of software vulnerabilities to the grid

Planning:

Operation:

Cyber Asset Impact Potential (CAIP) – measure worst case impact of attacks to microgrid components

Cyber Impact Severity (CIS) – measure real-time impact of attacks to systems

Phases

cred-c.org | 88

CyPhyR

cred-c.org | 9

Planning Phase• Pre deployment, design phase• Evaluate impact of each component in the cyber-physical

system• Metric used – CAIP (Cyber Asset Impact Potential)

• 𝜎𝜎𝑗𝑗𝑗𝑗 𝑑𝑑 − 𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛 𝑜𝑜𝑜𝑜 𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑛𝑛𝑝𝑝 𝑝𝑝𝑝𝑛𝑛𝑜𝑜𝑛𝑛𝑝𝑝𝑝 𝑑𝑑• 𝜎𝜎𝑗𝑗𝑗𝑗 − 𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛 𝑜𝑜𝑜𝑜 𝑝𝑝𝑝𝑜𝑜𝑛𝑛𝑝𝑝𝑛𝑛𝑝𝑝𝑝𝑝 𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝𝑝 𝑜𝑜𝑛𝑛𝑜𝑜𝑛𝑛 𝑗𝑗 𝑝𝑝𝑜𝑜 𝑘𝑘• Assume maximum CVSS score, and then multiply with the centrality score

of the node

• CAIP helps determine the impact of each device on the resiliency

• Uses vulnerability data, and determines impact based on position and topology of system

9

cred-c.org | 10

Operation Phase• Real time, operator in charge of making

decisions• Uses alerts from IDS and measurements

• Calculates CIS – Cyber Impact Severity • If CVE is discovered – sent to planning

phase for threat report • Provides real time CIS vs Time plot,

based on which operator can take control actions such as reconfiguration

• Distinguish between CVE discovered, exploited, and physical impact

10

cred-c.org | 11

Test System• Two proximal CERTS microgrid system is used• Communication model is based on mapping each component to a

node

11

cred-c.org | 12

Possible Reconfiguration States

cred-c.org | 13

CAIP (for switches in the system)

cred-c.org | 14

Operation Phase Results

14

cred-c.org | 15

CP-SAM• Cyber Physical Security Assessment Metric

• Security assessment and resiliency – system security with contingencies will enable resiliency

• What are the factors that affect the resiliency of microgrid and how to measure this resiliency?

• CP-SAM is a comprehensive metric that combines cyber and physical factors into a single metric instead of studying the effect of cyber vulnerabilities on the power system

cred-c.org | 16

How does CP-SAM work?

CP-SAM can be used by the microgrid and distribution system operator to analyze various scenarios at the control center, and can also be used in real-time to understand the performance of the system

cred-c.org | 17

Component level Resiliency: PLC and Controllers

Approach

input i; output o;read(“Input?”, i);if (i<10)

o = i+9; o = i/2;

print(“Output:”, o);

END

Entry

Attack design

cred-c.org | 18

What factors contribute?

Choquet Integral is used to as a way of measuring the expected utility of an uncertain event

cred-c.org | 19

Transmission resiliency proposed approachTransmission System (Challenges: Meshed network, multiple sources, multiple substations)

Resiliency Metric, Planning and Operational

(Integrated Factors with

AHP)

Network configuration and redundancy of the

transmission system (graph theory).

Voltage stability (indices).

Central/local control action schemes

Cyber Factors

cred-c.org | 20

Challenges and Future Direction• Combining factors from different domains poses problems in scaling and

understanding the nature of interaction• Well studied attacks lead to better understanding of effect of attack • Extending to transmission systems needs a re-think of formulation• Future Direction –

• Further refinement of metric – ex., including black start metrics • For 2018 we aim to test, and validate the performance of our proposed metrics

and tools, and combine with transmission system resiliency work• We aim to develop tools that can transition to utilities and other industrial

stakeholders

cred-c.org | 21

Questions?

Venkatesh Venkatramananvvenkata@eecs.wsu.edu

Anurag Srivastavaasrivast@eecs.wsu.edu

Adam Hahnahahn@eecs.wsu.edu