Ignore: A Policy Server To Prevent Cyber-Attacks From Propagating To The Physical Domain

We present the intelligent governor for the smart grid system (IGNORE) to limit the success of attacks when a grid's cyber system has been compromised and leveraged by an adversary to mount attacks on the physical system. IGNORE is based on the concept of the security reference monitor. It is a component that serves to protect a system from attacks that are more severe and frequent than is acceptable by enforcing security policies on the actions of the system's higher-level functions. It enforces security and safety policies by ignoring commands issued by a system's higher-level functions if by executing those commands may cause violations of its security and safety constraints. The underlying principle for generating security policies is the requirement and safety property that evaluates whether commands issued by a cyber system are required and safe in/for the physical system. Our key contribution is to present the methodology to design a governor for a grid's higher-level function, that is, demand response. We define a set of attacks prevented by the governor, a set of rules that define the governor, and demonstrate its effectiveness through empirical results. This work sheds light upon how a higher-level functionality of a smart grid system is protected by analyzing the system's cyber and physical aspects even when some parts of the cyber system are compromised.