In Power

Dr. Julian Rrushi and his graduate students develop novel physics-aware threat models and physics-driven countermeasures to cyber attacks


Department of Computer Science and Engineering

December 15, 2021

By Arina Bokas


One of the most serious challenges and fastest-rising crimes in the modern world is cybercrime. According to Cybercrime Magazine, in 2021 global cybercrime damage amounts to $190,000 per second, or $16.4 billion a day. Electrical power distribution grids offer a tempting target for threat actors looking to cripple an entire region or city, which is why they drew the interest of Julian Rrushi, Ph.D., computer science and engineering faculty, and his graduate students, John Olijnyk and Benjamin Bond.

In the electric power industry, the components that make up critical infrastructure and industrial systems are often attached to networks to allow easier control and monitoring of their processes. However, this network access also opens the door for threat actors to observe and interfere with physical processes from the internet.

“One instance of an industrial control system malware that targeted power grid devices is a 2015 attack on power distribution substations in Eastern Europe,” share Olijnyk and Bond. “The malware, once installed on information technology workstations, allowed the threat actors to gain privileged access to the industrial control system network, bringing power distribution to a halt.”

As cyber threat actors have grown more sophisticated, using knowledge of cyber-physical system architecture and the laws of physics to launch attacks, cyber defenders need to know what types of attacks are possible and how to design systems to prevent intrusions.

“A physics aware attack is an attack wherein the threat actor utilizes the knowledge of the natural laws of physics of the ecosystem to launch an attack against a cyber physical system,” says Bond, M.S. ’21, presently a Ph.D. student at Purdue University.

Under the direction of Dr. Rrushi, Bond and Olijnyk developed methods that a threat actor might employ to compromise power transformers. The team designed a new physics-aware threat model and attack surface, performed threat modeling, and created a simulation of a cyber-physical power transformer with emulations of the differential protection, harmonic restraint and tap changer control algorithms.

“We developed and emulated those physics-aware algorithms to demonstrate and validate their ability to deceive the power transformer protection algorithms with physics data. These deceptions could create both a false positive of fault to create shutdowns of equipment and false negatives to hide a true fault that results in damage to the electrical grid,” explains Olijnyk, who works as a research assistant at OU while pursuing a doctorate degree in Computer Science.

The findings demonstrate the value of a physics-aware threat model of the attack surface and of physics-aware attack methods, which in turn call for physics-driven countermeasures.
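The false positive and false negative that Olijnyk describes can be seen in a toy model of the two protection algorithms named above, differential protection and harmonic restraint, paired with a physics-plausibility monitor of the kind a physics-driven countermeasure would provide. The code below is an added illustration written for this article; it is not the research group's simulator, and every constant (pickup level, restraint slope, harmonic-blocking ratio, inrush window, infeed factor) and every scenario value is an assumption chosen for readability rather than a setting from any real relay.

```python
"""Toy model of a transformer differential relay with harmonic restraint,
plus a physics-plausibility monitor over the same measurement stream.

Constructed illustration for this article, not the research group's
simulator. All constants are assumptions chosen for readability, not
settings from any real relay or utility.
"""
from dataclasses import dataclass

PICKUP_PU = 0.3        # minimum operating current to consider a trip, per unit (assumption)
SLOPE = 0.25           # percentage-restraint slope (assumption)
HARMONIC_BLOCK = 0.15  # 2nd/1st harmonic ratio at which inrush blocking applies (assumption)
INRUSH_WINDOW = 60     # cycles after energization during which inrush is plausible (assumption)
INFEED_FACTOR = 1.5    # an internal fault should raise source-side current at least this much (assumption)


@dataclass(frozen=True)
class Sample:
    """One relay measurement; currents already referred to a common per-unit base."""
    i_primary: float            # fundamental current, winding 1 (source side)
    i_secondary: float          # fundamental current, winding 2 (referred to winding 1)
    h2_ratio: float             # 2nd harmonic / fundamental of the differential current
    cycles_since_energize: int  # breaker-close history known to the relay
    i_primary_prefault: float   # winding-1 current shortly before this sample


def differential_decision(s: Sample) -> str:
    """Percentage-differential logic: 'RESTRAIN', 'BLOCKED' (harmonic restraint) or 'TRIP'."""
    i_op = abs(s.i_primary - s.i_secondary)
    i_res = (abs(s.i_primary) + abs(s.i_secondary)) / 2
    if i_op < PICKUP_PU or i_op < SLOPE * i_res:
        return "RESTRAIN"
    if s.h2_ratio >= HARMONIC_BLOCK:
        return "BLOCKED"  # treated as magnetizing inrush, not a fault
    return "TRIP"


def physics_plausibility(s: Sample) -> list[str]:
    """Flags measurement patterns that no transformer state would produce."""
    flags = []
    i_op = abs(s.i_primary - s.i_secondary)
    # Inrush 2nd-harmonic content decays within cycles of energization; a
    # high ratio long after the breaker closed is not inrush.
    if s.h2_ratio >= HARMONIC_BLOCK and s.cycles_since_energize > INRUSH_WINDOW:
        flags.append("harmonic restraint condition inconsistent with energization history")
    # An internal fault is fed from the source: winding-1 current must rise
    # well above its pre-fault value. A differential that appears while the
    # source current is unchanged does not match any fault.
    if i_op >= PICKUP_PU and s.i_primary < INFEED_FACTOR * s.i_primary_prefault:
        flags.append("differential current without fault infeed on the source side")
    return flags


def evaluate(s: Sample) -> tuple[str, list[str]]:
    """Relay decision alongside the flags a supervising physics monitor would raise."""
    return differential_decision(s), physics_plausibility(s)


# Constructed scenarios (per-unit values chosen to be illustrative).
SCENARIOS = {
    "normal_load":    Sample(1.0, 1.0, 0.02, 5000, 1.0),
    "internal_fault": Sample(5.0, 0.5, 0.03, 5000, 1.0),
    "energization":   Sample(3.0, 0.0, 0.30, 3, 0.0),
    # Real fault, but the reported harmonic content looks like inrush (false negative).
    "masked_fault":   Sample(5.0, 0.5, 0.30, 5000, 1.0),
    # No fault; the winding-2 reading is low, so a differential appears (false positive).
    "spurious_fault": Sample(1.0, 0.2, 0.02, 5000, 1.0),
}


def run_scenarios() -> dict[str, tuple[str, list[str]]]:
    """Evaluate every constructed scenario; returns name -> (decision, flags)."""
    return {name: evaluate(s) for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (decision, flags) in run_scenarios().items():
        print(f"{name:15s} relay={decision:8s} flags={flags}")
```

Run on its own, the script shows the relay restraining on normal load, tripping on the internal fault, and blocking on energization, all with no flags; the masked fault is blocked like inrush and the spurious fault trips like a real one, but each of those two raises exactly one plausibility flag. The point of the monitor is that it judges the data against what the transformer could physically be doing, not against the relay's own thresholds, which is the sense in which a countermeasure is physics-driven.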

“Since both industrial computers in cyber-physical systems (CPS), such as the electrical power grid, and malware reason in terms of physics, deception tools in CPS deploy countermeasures developed via decoy physics. However, while many deception tools actively display decoy physics, they don’t make them appear as part of active physics on an industrial computer, therefore, risking detection by malware,” shares Dr. Rrushi, whose most recent study was dedicated to developing a novel physics-driven page fault handler in the seL4 microkernel.

Thus, in addition to reducing the page fault rate, Dr. Rrushi’s proposed page fault handler pioneers the concept of active physics as a critical factor in malware attacks and defenses. It differentiates active physics in main memory from passive physics in the backing store with the help of OS algorithms that enable deception tools to recognize and track active physics in memory. This makes it possible to customize deception, such as deployed attack countermeasures, so that it closely matches the physics-centric computing of industrial computers in CPS.

“Deception that leverages active physics makes cyber and physical decoys indistinguishable from their real counterparts. This translates to a higher likelihood of decoys receiving contact by malware, which leads to their immediate detection,” Dr. Rrushi says.

The study was completed by integrating an operating system kernel, the seL4 microkernel, with artificial intelligence to confuse and disrupt malicious operations performed by attack code. The algorithms are supported by CPU scheduling, which tracks the evolution of active physics over time, and by page replacement that qualifies as an optimal page replacement algorithm. While these algorithms have not yet achieved a 100% accurate differentiation of active physics from passive physics, in many cases they come close to matching the accuracy of an optimal adversary.

Dr. Rrushi’s research is supported by the U.S. Department of Energy, with some parts of the investigation completed at the Idaho National Lab during Bond’s and Olijnyk’s research internships. His future work will investigate physics-driven memory management further, seeking ways to achieve deeper insight into active physics for defensive deception. If you are interested in participating in or supporting this research, contact Dr. Rrushi at [email protected]
