Grid securityUsing game theory to quantify threats of cyberattacks on power grid
Threat levels for cyberattacks on the power grid are usually labeled high, medium or low, but engineers say this is not good enough: Such judgements are too qualitative and too subjective. Could engineers incorporate scientific methods? Computer algorithms? And given that there are attackers and defenders – just like in a soccer match – could game theory be applied to help with risk assessment, attack-defense modeling and “what-if” contingency analysis that could help mitigate any attacks?
Threat levels for cyberattacks on the power grid are usually labeled high, medium or low. Well, that’s not good enough for a team of Iowa State University engineers.
That’s too qualitative and too subjective, said Manimaran Govindarasu, Iowa State’s Ross Martin Mehl and Marylyne Munas Mehl Computer Engineering Professor.
And, as he and his research collaborators wrote in a summary of a project to develop a better way to assess the threats of cyberattacks on the power grid, current assessments are “grossly inadequate” to account for dynamic and uncertain adversaries and the complexity of the computer controls and networks that support the grid.
“Can we do this in a quantitative way?” Govindarasu said.
Could engineers incorporate scientific methods? Computer algorithms? And given that there are attackers and defenders – just like in a soccer match – could game theory be applied to help with risk assessment, attack-defense modeling and “what-if” contingency analysis that could help mitigate any attacks?
Iowa says that athree-year, $777,271 grant from the National Science Foundation is supporting research and development of the idea. Govindarasu is leading the project with the collaboration of Sourabh Bhattacharya, an Iowa State assistant professor of mechanical engineering. Iowa State doctoral students Srayashi Konar, Hamid Emadi and Burhan Hyder are contributing to the project.
“We want to prove this concept is doable,” Govindarasu said. “And we want to develop a software tool industry can use – one that provides a systematic way of security planning and investment.”
The key will be developing models that analyze and predict threats, vulnerabilities and consequences, Govindarasu said. Of those, threat modeling is the least understood. He thinks game theory could change that.
Bhattacharya has expertise in game theory and is using it for other projects related to drones and multi-robot systems.
Bhattacharya says game theory is all about quantifying how people or teams try to maximize their outcomes – whether that’s scoring soccer goals or defending the power grid from cyberattacks.
“We can use game theory tools to figure out what we can expect from such interactions,” he said.
The primary tools are mathematical models that measure “optimality,” or “what’s the best I can do?” in any given scenario, Bhattacharya said.
In the case of the power grid, operators want to keep their computers and controls safe behind firewalls with strong authentication and access-control mechanisms. Attackers want to evade those protections and bring down the grid.
“They fight against each other,” he said.
That fight can be modeled to show how and where the grid is vulnerable to cyberattacks, Bhattacharya said.
“That’s a powerful tool to develop strategies to protect the system,” he said. “Given a fixed budget for security, it can show whether your need better locks in the ‘windows’ or the ‘doors.’”
Iowa notes that developing a useful tool for industry is an important part of the project. Govindarasu has long worked with industry on cybersecurity, including deployment of technologies and sharing lessons and training on the “PowerCyber” grid testbed developed at Iowa State. Iowa State’s Electric Power Research Center will also be involved in demonstrating and sharing the tools.
The study’s tools could also be adapted to other cyber-physical infrastructure such as oil, natural gas and transportation systems.
“We need to work hard to make something happen,” Govindarasu said. “We need to figure out how we can take this into the field because cybersecurity is a real problem.”