Read the book Cyber-Physical Distributed Systems - Min Xie - Page 17

1.3.2 Ensuring Cybersecurity of CPSs


Attacks on complex systems, for example, CPSs, are fundamentally different from traditional internal failures (e.g., degradation and design) and external failures (e.g., natural disasters) [187–190]. Many attack models for complex systems embrace a partial perspective, which only focuses on component vulnerability, and neglects the dependence of system performance on it [191–193]. As a result, the insights provided by these models are not adequate for providing general recommendations in realistic applications. To address this limitation, recent studies investigate the influence of component vulnerability (attacks at the component level) on system performance [194–197].

Pioneering works [192,198–202] develop optimal defense strategies to minimize the attachment vulnerability of parallel systems, assuming that attackers maximize either the damage probability or the expected damage over a time horizon. They also consider general features, that is, imperfect false target techniques and genuine targets [201,203]. These defense strategies reach a trade‐off between increasing the protection of existing components and providing redundancy by allocating additional components [192,203–205].

System performance is an essential feature in CPSs that can still operate if some components are unavailable and, therefore, are characterized by multiple performance levels [206–211]. System performance degrades with increasing component destruction or unavailability; if the system performance level decreases, the required demand may be partially unsatisfied. Two risk measures can be used for multi‐state complex systems [203–205]: 1) the probability that the demand is not satisfied is considered for complex systems that fail if performance cannot meet demand, for example, automatic train protection and block systems [212,213], and power system dynamic security systems [190]; 2) the expected damage proportional to the unsupplied demand is considered for complex systems that can operate even if the demand is partially supplied, for example, mobile ad hoc networks [191], NCSs [214,215], supervisory control and data acquisition (SCADA) systems [216,217], water distribution networks [218], and electric power grids [219–221].
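The two risk measures described above, worked through for a small parallel multi‐state system and for the protection‐versus‐redundancy trade‐off. This is an added example, not taken from the book: the component capacities, destruction probabilities, demand, and function names are constructed, and components are assumed to be destroyed independently.

```python
from collections import defaultdict

def performance_distribution(components):
    """Return {surviving capacity: probability} for a parallel system.

    components: list of (capacity, vulnerability), where vulnerability is the
    probability that the attack destroys that component. Independence between
    components is an assumption of this example.
    """
    dist = {0: 1.0}
    for capacity, vuln in components:
        nxt = defaultdict(float)
        for perf, prob in dist.items():
            nxt[perf] += prob * vuln                    # component destroyed
            nxt[perf + capacity] += prob * (1 - vuln)   # component survives
        dist = dict(nxt)
    return dist

def risk_measures(components, demand, cost_per_unit=1.0):
    """Return (P[performance < demand], expected damage from unsupplied demand)."""
    dist = performance_distribution(components)
    p_unmet = sum(p for g, p in dist.items() if g < demand)
    exp_damage = cost_per_unit * sum(p * max(0, demand - g) for g, p in dist.items())
    return p_unmet, exp_damage

# Constructed sample system: (capacity, vulnerability) per component.
BASELINE = [(40, 0.2), (40, 0.2), (30, 0.5)]
PROTECTED = [(40, 0.2), (40, 0.2), (30, 0.25)]   # harden the weakest component
REDUNDANT = BASELINE + [(30, 0.5)]               # add a spare component instead
DEMAND = 70

def compare_strategies():
    """Evaluate both risk measures for each defense option."""
    return {
        "baseline": risk_measures(BASELINE, DEMAND),
        "protection": risk_measures(PROTECTED, DEMAND),
        "redundancy": risk_measures(REDUNDANT, DEMAND),
    }

if __name__ == "__main__":
    for name, (p_unmet, damage) in compare_strategies().items():
        print(f"{name:11s} P(unmet)={p_unmet:.3f}  E[damage]={damage:.2f}")
```

With these constructed numbers, protection and redundancy give the same probability of unmet demand but different expected damage, so the choice of risk measure changes which defense option looks better.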

Several works consider both the vulnerability and performance of complex systems subject to attacks [201–207,222,223]. These works generally describe a case as a dynamic contest between an attacker and a defender to develop a component vulnerability model and a multi‐state system performance model. The number of destroyed components quantifies the demand loss and expected damage costs [200,205]. To make the above contest more realistic, attack time uncertainties and the attacker's preference on the attack time should be considered.

In the literature, two different approaches exist for determining the attack time, that is, the strategic selection and the selection based on probability distributions. In the former, the attacker strategically selects whether to attack at some point in time or at a later point in time, based on the outcome of the game, given that the attack occurs at a specific time [224]. Thus, complex attack and defense strategies can be derived from a two‐stage min‐max multi‐period game. Extensive attack or defense in one period limits the attack or defense that can be exerted in the next period, and vice versa. Thus, players strategically choose whether to exert effort now or in the future [224–226]. The defender may determine optimal resource allocation strategies for redundancy [192] and protection, that is, individual or overarching protection [205,227–229]. On the other hand, the attacker may distribute the constrained resources optimally across sequential attacks [230–233].

In the second approach, the attacker prefers to conduct the attack at the time of the critical event [206]. Indeed, attacks in Nice, Berlin, Manchester, and London occurred several days before and after Bastille Day, Christmas, a concert, and the Champions League 2017 Final, respectively. In these cases, the defenders have increased the protection level in the immediate aftermath; therefore, it is not worthwhile and cost‐effective for the attacker to deploy another attack in a short period. Because attacks occurred at critical times, they can greatly influence public opinion. As a result, the attacker aims to maximize the system loss by strategically selecting a set of elements to attack based on the two‐stage min‐max game [234]. Because we can predict the distribution of the time at which the critical event occurs, the attack time can be inferred from a data‐driven probability distribution [192]. The two approaches aim to maximize the outcomes of the game given that the attack occurs at a specific time under a similar system structure and variable resources.

The truncated normal distribution is used to describe the uncertainty of the most probable attack time, that is, the time of the critical events, and the accuracy of the defender's estimate of it [206,235,236]. The truncated normal distribution has been adopted to represent uncertainties in many realistic applications, for example, traffic peaks of online video websites [193], the peak season of power supplies [237–239], the peak demand of water distribution systems [240], and the rush hour of public transportation [241]. Accounting for the influence of this uncertainty increases the relevance of the insights gained for the optimal resource allocation strategy against attacks.

CPSs are a new class of engineered complex systems that provide tight interactions between cyber and physical components. The corruption of a small subset of their components has the potential to trigger system‐level failures leading to entire system performance disruptions [191,215,221,242]. Previous studies on attack vulnerability and performance of complex systems can be extended to identify resource allocation strategies for cyber components and promote system performance during cyber‐attacks in CPSs [243,244]. Cyber vulnerabilities are exploited by attackers to launch insidious attacks on the integrity, confidentiality, and availability of cyber data by injecting false data into measurement devices, eavesdropping on the estimation of system states, and deploying denial of service (DoS) attacks on communication networks [216,217,220,245]. More sophisticated attack models specifically target weaknesses to cause maximal damage [191]. In this respect, it is key to capture the uncertainties intrinsic to the behavior of the attacker and the defender.

With respect to applications in smart grids, upgrading traditional grids to smart grids has brought many benefits to the overall management of power and energy systems, including higher reliability, better efficiency, improved integration of RERs, more flexible choice for stakeholders, and lower operation costs [246–248]. However, the core technologies, for example, communication techniques and SCADA systems [249–252], which deliver the advantages of smart grids, also open the grids to vulnerabilities that already exist in the information and communications technology (ICT) world. These vulnerabilities pose threats to smart grids, such as DoS attacks, false data injection, replay attacks, privacy data theft, and sabotage of critical infrastructure [253–255]. In addition, the failures in a smart grid caused by cyberattacks can easily cascade to other highly dependent critical infrastructure sectors, such as transportation systems, wastewater systems, health care systems, and banking systems, resulting in extensive physical damage and social and economic disruption [249,256].

While government, the private sector, and academia are recognizing the cyber vulnerability of smart grids, the likelihood and impact of a cyberattack are difficult to quantify. Furthermore, for a smart grid, there may be mandatory standards and operational requirements from grid stakeholders. Current risk management strategies are generally qualitative or heuristic [257]. In these strategies, some assumptions, for example, constant reward with respect to successful anti‐cyberattack [258,259], may be unrealistic for most smart grids.

Chapter 7 presents a probabilistic risk analysis framework to enhance smart grid cyber security. In particular, the dynamic and stochastic characteristics of smart grids, such as uncertain demands, are taken into account to investigate the effect of defending strategies on the real operation cost. The optimal power flow (OPF) model [260] is applied to an 11‐node radial smart grid originating from the Elia grid in Belgium. Compared with the existing studies that focus on the inherent risk [254,260], such as the natural degradation and uncertain RERs for better maintenance actions and power dispatch, Chapter 7 addresses the impact of the external threat (cyberattacks) on the operation cost for effective deployment of cyber defense teams. In previous works, the cost of each attack on a node was assumed to be a constant [259]. Nevertheless, by investigating some practical scenarios, it has been found that the costs are more likely to be determined by some adversarial factors. Therefore, an adversarial cost sequence associated with each node is assumed, and a widely used variation constraint is introduced for each cost sequence. To cope with the objective of sequential decision strategies, the problem is formulated using the reinforcement learning framework [261–263]. In particular, the Bayesian prior method [259] is employed for the model parameters, and the problem is formulated as a Bayesian adversarial multi‐node bandit model. In addition, a Bayesian minimax type regret function is constructed, which is subject to the learning context.
