The Security Implication of Multiple Observers in A Distributed System
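$$
\begin{array}{c|ccccc}
  & A & B & C & D & E \\ \hline
1 & 1 & 0 & 0 & 0 & 1 \\
2 & 1 & 0 & 0 & 1 & 0 \\
3 & 1 & 0 & 1 & 0 & 0 \\
4 & 0 & 1 & 0 & 0 & 1 \\
5 & 0 & 1 & 0 & 1 & 0 \\
6 & 0 & 1 & 1 & 0 & 0 \\
7 & 0 & 0 & 1 & 1 & 0
\end{array} \tag{3}
$$

$$
R = \begin{bmatrix} .036 \\ .067 \\ 0.059 \\ .045 \\ .125 \\ .100 \\ .667 \end{bmatrix} \tag{4}
$$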
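Then, as previously defined, the Laplacian is calculated:

$$
L = A^T R^{-1} A =
\begin{bmatrix}
60 & 0 & -17 & -15 & -28 \\
0 & 40 & -10 & -8 & -22 \\
-17 & -10 & 30 & -3 & 0 \\
-15 & -8 & -3 & 26 & 0 \\
-28 & -22 & 0 & 0 & 50
\end{bmatrix} \tag{5}
$$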
The Laplacian provides a relationship between the potentials
and currents. This can be seen, since the Laplacian contains
entries of the conductances, or inverse resistance. Then the
relationship $v = i \cdot r$ becomes $v \cdot \frac{1}{r} = v \cdot c = i$, where $c$
is the conductance, or inverse resistance. It can be seen,
then, that multiplying the Laplacian by the vector of potentials
results in a vector of the currents that build up at each
vertex. According to Kirchhoff's law, this must be zero for
each vertex not at a generation or a load. This gives us the
following equation:
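$$
L V = I \tag{6}
$$

where $V$ contains the voltage potentials at each vertex and

$$
\begin{bmatrix}
60 & -17 & 0 & -15 & -28 \\
-17 & 30 & -10 & -3 & 0 \\
0 & -10 & 40 & -8 & -22 \\
-15 & -3 & -8 & 26 & 0 \\
-28 & 0 & -22 & 0 & 50
\end{bmatrix}
\begin{bmatrix} 1 \\ 0 \\ v_B \\ v_D \\ v_E \end{bmatrix}
=
\begin{bmatrix} i_A \\ i_C \\ 0 \\ 0 \\ 0 \end{bmatrix} \tag{7}
$$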
Now, we solve the system using block matrices to derive
the following:
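$$
\begin{bmatrix} A & B^T \\ B & C \end{bmatrix}
\begin{bmatrix} b \\ v \end{bmatrix}
=
\begin{bmatrix} i \\ 0 \end{bmatrix}
$$

$$
A b + B^T v = i
$$

$$
B b + C v = 0
$$

$$
v = -C^{-1} B b =
-\begin{bmatrix}
.036 & .011 & .016 \\
.011 & .042 & .005 \\
.016 & .005 & .027
\end{bmatrix}
\begin{bmatrix}
0 & -10 \\
-15 & -3 \\
-28 & 0
\end{bmatrix}
\begin{bmatrix} 1 \\ 0 \end{bmatrix}
=
\begin{bmatrix} .608 \\ .764 \\ .827 \end{bmatrix} \tag{8}
$$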
Finally, the result of the system potentials when applying
a 1-volt battery is represented by the vector $v$, hereafter
referred to as the unit-voltage potentials vector. We can also
calculate the unit-voltage currents vector, represented by $I$,
which is the same as the $I$ found in equation 6. They are both
listed here:

$$
V = \begin{bmatrix} 1 \\ 0.6079 \\ 0 \\ 0.7640 \\ 0.8275 \end{bmatrix}
\qquad
I = \begin{bmatrix} 25.3710 \\ 0 \\ -25.3710 \\ 0 \\ 0 \end{bmatrix} \tag{9}
$$
As a by-product of the previous calculations, we can
calculate the relationship between voltage and current between
the source and the sink. This relationship is the
effective resistance between the source and sink. Following
the derivation in equation 8, we can solve for $i$.

$$
i = A b - B^T C^{-1} B b = (A - B^T C^{-1} B)\, b =
\begin{bmatrix} 1 & -1 \\ -1 & 1 \end{bmatrix} b \tag{10}
$$
As seen above, the expression $(A - B^T C^{-1} B)$ yields a scalar,
, which is the inverse of the effective resistance between
the two vertices A and C. We can also use this effective
resistance as a scalar map to get the fraction of current from
the source that flows across each edge.
Theorem 1: For a system with a single source and a single sink,
only one measurement is required in order to calculate the
full system state.
Proof:
Using v, we can calculate the currents on each edge in
the graph where $i_{xy} = (v_x - v_y)/R_{xy}$. With i, the
unit-voltage flow vector, we can solve for the proportion of current
from the source that flows over each edge within the graph.
We do this by transforming i to i, called the unit-current
flow vector. This can be done using the observation that
the effective resistance between any two vertices of the
graph demonstrates the ratio between the currents per edge
by applying a unit voltage and a unit current [10] (as seen
in equation 11).
v = R
eff
i
v = R
eff
i
v =
i =
1
i = R
eff
i
(11)
For our graph, the calculated unit-current flow vector is:

$$
i = \begin{bmatrix} .1904 \\ .1395 \\ .6701 \\ .1904 \\ .0492 \\ .2396 \\ .0903 \end{bmatrix}
$$
These represent the proportion of current originating at
A that flows across each edge. Going back to our original
question asking how many observers are required to solve
the system, we now only need one measurement of the
current to determine the amount of power generated. Once
we have found this value, we can find all of the current flows
across any edge.
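The calculation behind Theorem 1, as an added example that is not code from the paper: it shows how much of the network state a single line reading exposes. The edge conductances are read off the Laplacian in equation 5, and the function names are this example's own.

```python
# Added example. Edge conductances are the off-diagonal magnitudes of the
# Laplacian in equation 5; helper names are hypothetical.
EDGES = {("A", "E"): 28.0, ("A", "D"): 15.0, ("A", "C"): 17.0, ("B", "E"): 22.0,
         ("B", "D"): 8.0, ("B", "C"): 10.0, ("C", "D"): 3.0}
NODES = "ABCDE"

def solve(M, rhs):
    """Solve M x = rhs by Gauss-Jordan elimination with partial pivoting."""
    n = len(rhs)
    aug = [row[:] + [r] for row, r in zip(M, rhs)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        for r in range(n):
            if r != c:
                f = aug[r][c] / aug[c][c]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[c])]
    return [aug[i][n] / aug[i][i] for i in range(n)]

def g(x, y):
    """Conductance of the edge between x and y (0 if there is none)."""
    return EDGES.get((x, y), EDGES.get((y, x), 0.0))

def unit_voltage_potentials(src, sink):
    """Potentials with v[src] = 1 and v[sink] = 0, i.e. C v = -B b (equation 8)."""
    free = [n for n in NODES if n not in (src, sink)]
    C = [[sum(g(x, z) for z in NODES) if x == y else -g(x, y) for y in free]
         for x in free]
    rhs = [g(x, src) for x in free]            # -B b with b = (1, 0)
    v = dict(zip(free, solve(C, rhs)))
    v[src], v[sink] = 1.0, 0.0
    return v

def unit_current_flows(src, sink):
    """Fraction of the source current on each edge, plus effective resistance."""
    v = unit_voltage_potentials(src, sink)
    flow = {e: (v[e[0]] - v[e[1]]) * c for e, c in EDGES.items()}
    total = sum(f if e[0] == src else -f for e, f in flow.items() if src in e)
    return {e: f / total for e, f in flow.items()}, 1.0 / total

def infer_state(src, sink, edge, measured):
    """One reading on one edge fixes the source current and every edge flow."""
    frac, _ = unit_current_flows(src, sink)
    i_src = measured / frac[edge]
    return i_src, {e: i_src * f for e, f in frac.items()}
```

Each edge is oriented from its first vertex to its second, so a negative fraction means the current runs the other way along that edge.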
C. Multiple Generations, Single Load
Following the discussion found in Section IV-B, it becomes
almost trivial to solve a system with multiple generators,
or sources. As is found in the original power system
diagram (Figure 1), we add a generator at vertex B.
Solving this system begins with the observation that the
current flowing across each edge is the sum of the component
currents flowing across the edge [11]. The components
in this case are the currents from each source in the system.
It is important to take into account the direction of the flow
when doing this.

$$
i_{xy} = i_A\, i_{A,xy} + i_B\, i_{B,xy}, \quad \text{where } i_{xy} = -i_{yx} \tag{12}
$$
A single observer is now presented with a single equation
containing two unknown values. The obvious solution to this
problem is to add an additional line measurement, which
is equivalent to adding another observer. This leads to the
following:
Corollary 1: For any electrical network modeled by a
graph with N sources and one sink, the network can be
solved given N or more observers.
Proof: Directly from the discussion above.
A second observer taking measurements on the independent
edge, (u,v), yields the system of equations:
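$$
\begin{aligned}
i_A &= \frac{i_{xy}}{i_{A,xy}} - \frac{i_B\, i_{B,xy}}{i_{A,xy}} \\
i_B &= \frac{i_{uv}}{i_{B,uv}} - \frac{i_A\, i_{A,uv}}{i_{B,uv}}
\end{aligned} \tag{13}
$$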
D. Multiple Generations, Multiple Loads
In real power systems, there are several generators and
loads at most buses. Modeling this into a graph puts a sink
at each vertex, which adds a large amount of obfuscation,
with respect to our observers. Since every load between
the observer and any given generator can be arbitrarily large
(subject to limits of the transmission lines), an observer or
team of observers can no longer fully deduce the entire
power system using the one observer to one generator rule
presented above. In fact, in order to fully deduce the power
system, N-1 observers are required, where there are N edges
in the graph [12].
Even with this limitation, however, an attacker could
partially deduce the system. This partial deduction can
still provide enough information in order to successfully
complete an attack upon the system. Going back to the
types of attacks on a power system, the primary avenue of
attack is to overload a transmission line. Each transmission
line has a safe operating range and a physical limit to the
amount of current that it can transmit. In addition to that,
power substations have circuit breakers which will trip given
too large of a current. The attacker could gain a set of
inequalities using the above techniques.
Theorem 2: When a load is placed between an attacker's
observation and the source of the current, the uncertainty
in the measurement is increased. The amount by which it is
increased is dependent upon the structure of the graph and
the placement of the load in relation to the observer.
Proof: Specifically, equation 13 changes to produce the
following inequality:
i
A
i
xy
i
A,xy
i
B
i
B,xy
i
A,xy
i
B
i
uv
i
B,uv
i
A
i
A,uv
i
B,uv
(14)
Uncertainty is defined here as the difference between the
estimates of equation 14 and the exact state provided by
equation 13.
Using this system of inequalities, if an attacker can
calculate the maximum current that a line can transmit, he
can calculate the maximum amount of current that needs
to be drawn to a specific load, in order to trip any given line
in the graph. Another attack that could be performed is to
locate the lines which would cause the largest disruption in
the event that the power needed to be rerouted due to a fault
to ground.
For our example system, the graph in Figure 3 depicts the
relationship between the number of observers in the system
and the uncertainty of the solutions. In this sense, uncertainty
refers to the margin of error between the calculated power flow
and the actual power flow. At this time, there is not a formal
generic way to determine this relationship. It is dependent on
the placement of the observers and the topological structure
of the graph. The optimal placement of observers, and therefore
the techniques to thwart this, are outside the scope of this
article.
V. RESULTS
This paper has demonstrated simple techniques that are
already used in calculation of power systems, but presents
them in a new light. Using these techniques, an attacker can
solve or partially solve a system. If an attacker can arrange
tight enough bounds upon a power system, then he could use
the demonstrated bounds to locate and exploit vulnerabilities
within the system. This is due to the fact that the real-time
confidentiality of the state of the power system is revealed.
Even with these simple tools available to would-be attackers,
it is possible to thwart these types of attacks. For
example, one could limit the effectiveness of the bounds, or
even make the information gathering stage more difficult.
One way this can occur is by increasing the connectivity
within the power system. This will make discovery of the
topology more difficult.
Further research in this area can determine exactly how
much information about a system's state can be deduced
using this partial deducibility technique. Little work has been
done to ascertain the implications of a partially deducible
system with respect to the system security. By combining
graph theory and probability analysis, it may be possible to
shed some light in this research void.
REFERENCES
[1] H. Tang and B. McMillin, "Security property violation in CPS through timing," Distributed Computing Systems Workshops, International Conference on, vol. 0, pp. 519–524, 2008.
[2] E. A. Lee, "Cyber physical systems: Design challenges," EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2008-8, Jan 2008. [Online]. Available: http://www.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-8.html
[3] A. Armbruster, M. Gosnell, B. McMillin, and M. Crow, "Power transmission control using distributed max-flow," Computer Software and Applications Conference, 2005. COMPSAC 2005. 29th Annual International, vol. 1, pp. 256–263 Vol. 2, July 2005.
[4] H. Tang and B. McMillin, "Security of information flow in the electric power grid," in Critical Infrastructure Protection, Post-Proceedings of the First Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, Dartmouth College, Hanover, New Hampshire, USA, March 19-21, 2007, ser. IFIP, E. Goetz and S. Shenoi, Eds., vol. 253. Springer, 2007, pp. 43–56.
[5] A. Monticelli, "Electric power system state estimation," Proceedings of the IEEE, vol. 88, no. 2, pp. 262–282, 2000.
[6] B. Bollobás, Graph Theory: An Introductory Course. Springer, 1979.
[7] A. Abur and A. G. Expósito, Power System State Estimation: Theory and Implementation. New York: Marcel Dekker, 2004.
[8] F. R. K. Chung, "Spectral graph theory," Regional Conference Series in Mathematics, American Mathematical Society, vol. 92, pp. 1–212, 1997.
[9] D. Brewer and M. Nash, "The Chinese Wall security policy," in Security and Privacy, 1989. Proceedings., 1989 IEEE Symposium on, 1989, pp. 206–214.
[10] P. G. Doyle and J. L. Snell, "Random walks and electric networks," 2000. [Online]. Available: http://www.citebase.org/abstract?id=oai:arXiv.org:math/0001057
[11] G. L. Miller, "Flow in planar graphs with multiple sources and sinks," SIAM J. Comput., vol. 24, no. 5, pp. 1002–1017, 1995.
[12] T. Gamage and B. McMillin, "Observing for changes: Nondeducibility based analysis of cyber-physical systems," in Critical Infrastructure Protection III, Post-Proceedings of the Third Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection, Dartmouth College, Hanover, New Hampshire, USA, March 22-25, 2009, ser. IFIP. Springer, 2009.
(a) 5 Node Power System Diagram
(b) 5 Node Power System Graph
Figure 1. Example Power System
Figure 2. 5 Node Power System Graph with 2 Sources
Figure 3. Example relationship between number of observers and amount
of uncertainty.