Aging plants, efficiency goals, and safety needs are driving increased digitalization in nuclear power plants (NPP). Security has always been a key design consideration for NPP architectures, but increased digitalization and the emergence of malware such as Stuxnet, CRASHOVERRIDE, and TRITON that specifically target industrial control systems have heightened concerns about the susceptibility of NPPs to cyber attacks. The cyber security community has come to realize the impossibility of guaranteeing the security of these plants with 100% certainty, so demand for including resilience in NPP architectures is increasing. Whereas cyber security design features often focus on preventing access by cyber threats and ensuring confidentiality, integrity, and availability (CIA) of control systems, cyber resilience design features complement security features by limiting damage, enabling continued operations, and facilitating a rapid recovery from the attack in the event control systems are compromised. This paper introduces the REsilience VeRification UNit (RevRun) toolset, a software platform that was prototyped to support cyber resilience analysis of NPP architectures. Researchers at Sandia National Laboratories have recently developed models of NPP control and SCADA systems using the SCEPTRE platform. SCEPTRE integrates simulation, virtual hardware, software, and actual hardware to model the operation of cyber-physical systems. RevRun can be used to extract data from SCEPTRE experiments and to process that data to produce quantitative resilience metrics of the NPP architecture modeled in SCEPTRE. This paper details how RevRun calculates these metrics in a customizable, repeatable, and automated fashion that limits the burden placed upon the analyst. This paper describes RevRun's application and use in the context of a hypothetical attack on an NPP control system. The use case specifies the control system and a series of attacks and explores the resilience of the system to the attacks. The use case further shows how to configure RevRun to run experiments, how resilience metrics are calculated, and how the resilience metrics and RevRun tool can be used to conduct the related resilience analysis.
Trust in a microelectronics-based systems can be characterized as the level of confidence that the system is free of subversive alterations inserted by a malicious adversary during system development. Outkin et al. recently developed GPLADD, a game-theoretic framework that enables trust analysis through a set of mathematical models that represent multi-step attack graphs and contention between system attackers and defenders. This paper extends GPLADD to include detection of attacks on development processes and defender decision processes that occur in response to detection events. The paper provides mathematical details for implementing attack detection and demonstrates the models on an example system. The authors further demonstrate how optimal defender strategies vary when solution concepts and objective functions are modified.
Trust in a microelectronics-based system can be characterized as the level of confidence that a system is free of subversive alterations made during system development, or that the development process of a system has not been manipulated by a malicious adversary. Trust in systems has become an increasing concern over the past decade. This article presents a novel game-theoretic framework, called GPLADD (Graph-based Probabilistic Learning Attacker and Dynamic Defender), for analyzing and quantifying system trustworthiness at the end of the development process, through the analysis of risk of development-time system manipulation. GPLADD represents attacks and attacker-defender contests over time. It treats time as an explicit constraint and allows incorporating the informational asymmetries between the attacker and defender into analysis. GPLADD includes an explicit representation of attack steps via multi-step attack graphs, attacker and defender strategies, and player actions at different times. GPLADD allows quantifying the attack success probability over time and the attacker and defender costs based on their capabilities and strategies. This ability to quantify different attacks provides an input for evaluation of trust in the development process. We demonstrate GPLADD on an example attack and its variants. We develop a method for representing success probability for arbitrary attacks and derive an explicit analytic characterization of success probability for a specific attack. We present a numeric Monte Carlo study of a small set of attacks, quantify attack success probabilities, attacker and defender costs, and illustrate the options the defender has for limiting the attack success and improving trust in the development process.
Control systems for critical infrastructure are becoming increasingly interconnected while cyber threats against critical infrastructure are becoming more sophisticated and difficult to defend against. Historically, cyber security has emphasized building defenses to prevent loss of confidentiality, integrity, and availability in digital information and systems, but in recent years cyber attacks have demonstrated that no system is impenetrable and that control system operation may be detrimentally impacted. Cyber resilience has emerged as a complementary priority that seeks to ensure that digital systems can maintain essential performance levels, even while capabilities are degraded by a cyber attack. This paper examines how cyber security and cyber resilience may be measured and quantified in a control system environment. Load Frequency Control is used as an illustrative example to demonstrate how cyber attacks may be represented within mathematical models of control systems, to demonstrate how these events may be quantitatively measured in terms of cyber security or cyber resilience, and the differences and similarities between the two mindsets. These results demonstrate how various metrics are applied, the extent of their usability, and how it is important to analyze cyber-physical systems in a comprehensive manner that accounts for all the various parts of the system.
This report describes the application of an approach for determining grid modernization investments that can best improve the resilience of communities. Under the direction of the US Department of Energy's Grid Modernization Laboratory Consortium, Sandia National Laboratories (Sandia) and Los Alamos National Laboratory (Los Alamos) collaborated with community stakeholders in New Orleans, Louisiana on grid modernization strategies for resilience. Past disruptions to the electric grid in New Orleans have contributed to an inability to provide citizens with adequate access to a wide range of infrastructure services. Using a performance-based resilience metric, Sandia and Los Alamos performed analysis on how to improve access to infrastructure services across New Orleans after a major disruption using a system of resilience nodes. Resilience nodes rely on a combination of urban planning with grid investment planning for resilience in order to design clustered infrastructure assets with highly resilient electrical supply. Results of the analysis led to suggestion of 22 draft resilience node locations that can provide a wide range of infrastructure services equitably to New Orleans citizens. This report serves as a proof-of-concept for the Urban Resilience Planning Process, and describes several gaps that should be overcome in order to integrate resilience planning between electric utilities and local governments.
Considerable effort is currently being spent designing neuromorphic hardware for addressing challenging problems in a variety of pattern-matching applications. These neuromorphic systems offer low power architectures with intrinsically parallel and simple spiking neuron processing elements. Unfortunately, these new hardware architectures have been largely developed without a clear justification for using spiking neurons to compute quantities for problems of interest. Specifically, the use of spiking for encoding information in time has not been explored theoretically with complexity analysis to examine the operating conditions under which neuromorphic computing provides a computational advantage (time, space, power, etc.) In this paper, we present and formally analyze the use of temporal coding in a neural-inspired algorithm for optimization-based computation in neural spiking architectures.
Grid resilience is a concept related to a power system's ability to continue operating and delivering power even in the event that low probability, high-consequence disruptions such as hurricanes, earthquakes, and cyber-attacks occur. Grid resilience objectives focus on managing and, ideally, minimizing potential consequences that occur as a result of these disruptions. Currently, no formal grid resilience definitions, metrics, or analysis methods have been universally accepted. This document describes an effort to develop and describe grid resilience metrics and analysis methods. The metrics and methods described herein extend upon the Resilience Analysis Process (RAP) developed by Watson et al. for the 2015 Quadrennial Energy Review. The extension allows for both outputs from system models and for historical data to serve as the basis for creating grid resilience metrics and informing grid resilience planning and response decision-making. This document describes the grid resilience metrics and analysis methods. Demonstration of the metrics and methods is shown through a set of illustrative use cases.