The Patton Alliance Fact Sheet
Abstract not provided.
A model of malicious attacks against an infrastructure system is developed that uses a network representation of the system structure together with a Hidden Markov Model of an attack at a node of that system and a Markov Decision Process model of attacker strategy across the system as a whole. We use information systems as an illustration, but the analytic structure developed can also apply to attacks against physical facilities or other systems that provide services to customers. This structure provides an explicit mechanism to evaluate expected losses from malicious attacks, and to evaluate changes in those losses that would result from system hardening. Thus, we provide a basis for evaluating the benefits of system hardening. The model also allows investigation of the potential for the purchase of an insurance contract to cover the potential losses when safeguards are breached and the system fails.
Supervisory Control and Data Acquisition (SCADA) systems are a part of the nation's critical infrastructure that is especially vulnerable to attack or disruption. Sandia National Laboratories is developing a high-security SCADA specification to increase the national security posture of the U.S. Because SCADA security is an international problem and is shaped by foreign and multinational interests, Sandia is working to develop a standards-based solution through committees such as the IEC TC 57 WG 15, the IEEE Substation Committee, and the IEEE P1547-related activity on communications and controls. The accepted standards are anticipated to take the form of a Common Criteria Protection Profile. This report provides the status of work completed and discusses several challenges ahead.
This report documents work supporting the Sandia National Laboratories initiative in Distributed Energy Resources (DERs) and Supervisory Control and Data Acquisition (SCADA) systems. One approach for real-time control of power generation assets using feedback control, Quantitative feedback theory (QFT), has recently been applied to voltage, frequency, and phase-control of power systems at Sandia. QFT provided a simple yet powerful philosophy for designing the control systems--allowing the designer to optimize the system by making design tradeoffs without getting lost in complex mathematics. The feedback systems were effective in reducing sensitivity to large and sudden changes in the power grid system. Voltage, frequency, and phase were accurately controlled, even with large disturbances to the power grid system.
This document represents the development of a protection profile (PP) for the IEC (International Electrotechnical Commission) protocol TASE.2 (Tele-control Application Service Element.2). A protection profile states assumptions about the TOE (Target of Evaluation), identifies threats to the TOE based on the assumptions, gives security goals to counter the threats, and finally identifies security functions to satisfy the security goals. Developing protection profiles for each protocol is a significant step towards developing measurable security for electric power automation systems. As an extension of the PP, the authors offer a generalization to any protocol at the evaluation assurance level (EAL) 2.
The critical energy infrastructures include gas, oil, and electric power. These infrastructures are complex and interdependent networks that are vital to the national security and social well being of our nation. Many electric power systems depend upon gas and oil, while fossil energy delivery systems depend upon electric power. The control mechanisms for these infrastructures are often referred to as SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems provide remote monitoring and centralized control for a distributed transportation infrastructure in order to facilitate delivery of a commodity. Although many of the SCADA concepts developed in this paper can be applied to automotive transportation systems, we will use transportation to refer to the movement of electricity, gas, and oil. Recently, there have been several reports suggesting that the widespread and increasing use of SCADA for control of energy systems provides an increasing opportunity for an adversary to cause serious damage to the energy infrastructure. This damage could arise through cyber infiltration of the SCADA networks, by physically tampering with the control networks, or through a combination of both means. SCADA system threats decompose into cyber and physical threats. One solution to the SCADA security problem is to design a standard for a highly secure SCADA system that is both cyber and physically secure. Not all physical threats are possible to guard against, but of those threats that are, high security SCADA provides confidence that the system will continue to operate in their presence. One of the most important problems in SCADA security is the relationship between the cyber and physical vulnerabilities. Cyber intrusion increases physical vulnerabilities, while in the dual problem physical tampering increases cyber vulnerabilities. There is potential for feedback and the precise dynamics need to be understood.
As a first step towards a standard, the goal of this paper is to facilitate a discussion of the requirements analysis for a highly secure SCADA system. The framework for the discussion consists of the identification of SCADA security investment areas coupled with the tradeoffs that will force compromises in the solution. For example, computational and bandwidth requirements of a security standard could force the replacement of entire SCADA systems. The requirements for a real-time response in a cascading electric power failure could pose limitations on authentication and encryption mechanisms. The shortest path to the development of a high security SCADA standard will be achieved by leveraging existing standards efforts and ensuring that security is being properly addressed in those standards. The Utility Communications Architecture 2.0 (UCA), for real-time utility decision control, represents one such standard. The development of a SCADA security specification is a complex task that will benefit from a systems engineering approach.