Cyber – Physical Correlation Effects in Defense Games for Large Discrete Infrastructures

In certain critical infrastructures, correlations between cyber and physical components can be exploited to launch strategic attacks, so that disruptions to one component may affect others and possibly the entire infrastructure. Such correlations must be explicitly taken into account in ensuring the survival of the infrastructure. For large discrete infrastructures characterized by the number of cyber and physical components, we characterize the cyber–physical interactions at two levels: (i) the cyber–physical failure correlation function specifies the conditional survival probability of the cyber sub-infrastructure given that of the physical sub-infrastructure (both specified by their marginal probabilities), and (ii) individual survival probabilities of both sub-infrastructures are characterized by first-order differential conditions expressed in terms of their multiplier functions. We formulate an abstract problem of ensuring the survival probability of a cyber–physical infrastructure with discrete components as a game between the provider and attacker, whose utility functions are composed of infrastructure survival probability terms and cost terms, both expressed in terms of the number of components attacked and reinforced. We derive Nash equilibrium conditions and sensitivity functions that highlight the dependence of infrastructure survival probability on cost terms, correlation functions, multiplier functions, and sub-infrastructure survival probabilities. We apply these analytical results to characterize the defense postures of simplified models of metro systems, cloud computing infrastructures, and smart power grids.


Introduction
The operation of critical infrastructures such as metro systems, smart power grids, high-performance computing complexes, and cloud computing infrastructures requires the continued functioning of cyber components such as signals, servers, supervisory control and data acquisition (SCADA) systems, routers, and switches, and also physical components such as tracks, power lines, fiber lines, cooling systems, and power systems.Components of both types must be operational as individual units, and must also be available (i.e., accessible to other infrastructure components).The individual components are subject to direct attacks in that cyber attacks will disable individual cyber components and physical attacks will disable individual physical components, when the components have not been reinforced.Furthermore, critical correlations or inter-dependencies exist between cyber and physical components, which may be exploited to launch strategic component attacks that propagate the disruptions to several others.To counter such attacks, infrastructure providers have to explicitly account for the underlying cyber-physical correlations and adopt strategies that ensure the continued operation of both cyber and physical sub-infrastructures.
In this paper, we consider a discrete component model of infrastructures with a large number of cyber and physical components, such as a metro system with hundreds of signals and sensors, a cloud computing infrastructure with thousands of servers, or a power grid with hundreds to thousands of sensors.The notations for various quantities are provided in Table 1.The attacker launches y C cyber or y P physical component attacks but not both, and the provider reinforces x C cyber and x P physical components.The cyber-physical interactions may render the otherwise operational components unavailable, whether they are reinforced or not.For example, a physical attack on a fiber connection to a server site of a cloud computing infrastructure shown in Figure 1 may disconnect all servers (thousands in some cases) from the network, even if they are all fortified against cyber attacks.In addition to component-level characterizations, the cyber and physical sub-infrastructures can be separately identified in several cases.Indeed, they may be operated by different domain experts.For example, in a power grid, SCADA systems are maintained by operations staff, and the power routes are maintained by power engineering staff.We consider the cyber and physical sub-infrastructures consisting entirely of cyber and physical components, respectively.Disruptions to either could disrupt the entire infrastructure.Let P CP denote the survival probability of the infrastructure, and P C and P P denote the marginal survival probabilities of cyber and physical sub-infrastructures, respectively.The cyber-physical failure correlation function f (P C , P P ) is the failure probability of cyber sub-infrastructure given the other's failure, and is estimated using the structural properties of the infrastructure.Furthermore, we consider that P C and P P satisfy first-order differential conditions based on the multiplier functions [1] of cyber and physical sub-infrastructures, denoted by Λ C and Λ P , respectively, which are derived based on their component-level considerations.Together, these two characterizations [2,3] generalize the linearity and statistical independence conditions used in previous works [4,5] for this class of infrastructures with discrete cyber and physical components.The multiplier functions depend on x C , x P , y C , and y P , and also on additional infrastructure parameters (e.g., the number of power lines controlled by a SCADA system), and they provide an insightful abstraction.They appear in the estimates of survival probabilities of sub-infrastructures at Nash equilibrium (NE) and provide insights into the defense posture of the infrastructure.

Symbol Explanation
x C , x P number of cyber and physical components reinforced, respectively y C , y P number of cyber and physical components attacked, respectively P CP (x C , x P , y C , y P ) survival probability of the infrastructure P C , P P marginal survival probabilities of cyber and physical sub-infrastructures, respectively f (P C , P P ) failure correlation function (i.e., the failure probability of cyber sub-infrastructure given the other's failure) Λ C (x C , x P , y C , y P ), Λ P (x C , x P , y C , y P ) multiplier functions of cyber and physical sub-infrastructures U D (x C , x P , y C , y P ), U A (x C , x P , y C , y P ) provider's and attacker's composite utility function, respectively F D,G (x C , x P , y C , y P ), F D,L (x C , x P , y C , y P ) provider's reward and cost multiplier functions, respectively F A,G (x C , x P , y C , y P ), F A,L (x C , x P , y C , y P ) attacker's reward and cost multiplier functions, respectively g D (x C , x P , y C , y P ) reward for rendering the infrastructure operational in the provider's sum-form utility function We formulate a game between the provider and attacker with the following considerations: (a) knowledge about the infrastructure is available to the attacker which is sufficient to launch component attacks; (b) costs of attacks and reinforcements of components, denoted by L A (y C , y P ) and L D (x C , x P ), respectively, are not available to the other player; (c) components chosen by the provider to reinforce, and by the attacker to attack, are not revealed; and (d) incidents and results of attacks on components are known to the provider and attacker.
The information in items (a) and (d) is available to both the provider and attacker, and that in item (b) is private.The provider and attacker minimize their respective utility functions, which are based on both types of information.
The composite utility function [1] to be minimized by the provider is the sum of two terms, representing the reward for keeping the infrastructure operational and the corresponding cost, respectively.It is given by where F D,G and F D,L are the reward and cost multiplier functions, respectively, of the provider, G D represents the reward of keeping the infrastructure operational, and L D is the total cost of reinforcing cyber and physical components.The composite utility function to be minimized by the attacker is given by where F A,G and F A,L are the reward and cost multiplier functions, respectively, G A is the reward for rendering the infrastructure non-operational, and L A is the total cost of cyber or physical attacks.These utility functions can be specialized to capture different provider and attacker considerations as shown in Table 2, in particular by expressing them in terms of the survival probability of the infrastructure P CP (x C , x P , y C , y P ).The sum-form utility [2] for the cyber-physical infrastructure provider is given by where P CP (x C , x P , y C , y P )g D is the expected reward in return for the reinforcement cost L D (x C , x P ) of cyber and physical components.In certain infrastructures, players focus on the cost term only, and the reward of operating the infrastructure is not explicit.In such cases, the product-form utility [3] of the provider is given by which represents the expected cost under infrastructure failure and thus represents the "wasted" effort.
The NE of this game represents the state of the infrastructure under the reinforcement and attack actions of the provider and attacker that attempt to minimize their respective utility functions based on their individual information (from which neither has a motivation to unilaterally deviate [6]).The choices of provider and attacker, given by (x C , x P ) and (y C , y P ), respectively, can be obtained using various available methods [6,7], which typically involves exploiting the scenario-specific details.Indeed, because of the large-scale and complexity feature of cyber-physical infrastructures, most game models obtain Nash equilibrium using numerical methods.Our objective in this paper is to show that critical insights about the infrastructure survival can be gained by deriving estimates of survival probabilities in terms of various correlations and multiplier functions, without requiring explicit solutions for (x C , x P ) and (y C , y P ).To this end, we derive NE conditions that highlight the dependence of P CP on the cost terms, correlation function, multiplier functions, and cyber and physical sub-infrastructure survival probabilities, as well as their partial derivatives.Indeed, the effects of infrastructure parameters will be reflected in estimates of P CP via the multiplier functions, while the correlation effects are "separated" from them.In particular, the impacts of the two players' strategies are captured using the composite gain-cost terms and gain-cost gradients that depend on gain and cost terms and their derivatives with respect to x C and x P (y C and y P ), respectively, which are specialized versions of those proposed for systems of systems [1].The NE conditions reveal a direct dependence of P CP on the parameters of cyber and physical components and sub-infrastructures, as well as a close coupling between them through the correlation function.We also estimate the sensitivity functions of P CP using the partial derivatives of parameters L A (•), L D (•), P C , P P , and f (P C , P P ) that indicate their relative importance in the defense posture of the infrastructure.
The contributions of this paper are as follows.We unify the analysis of previously separate sum-form [2] and product-form [3] formulations, and provide a deeper treatment of NE, including second-order conditions which are not considered in prior work.Although a special case of a system of systems [1], our formulation provides a more focussed treatment of cyber and physical sub-infrastructures.Our results provide insights into the defense postures of (simplified models) three infrastructures, including metro systems and smart power grids (new here), and cloud computing infrastructures from [8].We first consider cases where both cyber and physical components are uniform (Section 3.2), namely, signals and trains of metro systems, servers and fiber connections for cloud infrastructures, and SCADA system and power lines for smart power grids.Then, we consider different types of cyber components (Section 5), namely signals and the centralized traffic controls for a metro system, servers and routers for the cloud infrastructure, and SCADA system components and smart meters for the smart power grid.We explicitly derive NE conditions and sensitivity functions for these scenarios.
The organization of this paper is as follows.We compare our formulation with other related work in Section 2. In Section 3, we present a discrete component model for cyber-physical infrastructures, and discuss the failure correlation function and the differential conditions on sub-infrastructure survival probabilities.We present the game theoretic formulation in Section 4, and derive NE conditions and sensitivity estimates.We also describe two special cases, OR systems in Section 4.2 and statistically independent sub-infrastructures in Section 4.3, wherein the cyber-physical correlation effects are somewhat simplified.We discuss NE conditions for applications of metro systems, cloud computing infrastructures, and smart power grids in Section 5. We conclude in Section 6.

Related Work
Critical infrastructures are vital to national security [9], and there are numerous published reports, books, and studies on identifying [10] and securing [11][12][13][14] critical infrastructures.A detailed scientific analysis of critical infrastructures is provided in [15].The author draws insights that critical infrastructures are complex systems, and their architecture is the most crucial factor in deciding their reliability and resilience.Securing cyber-physical networks has been studied extensively from various perspectives [16][17][18][19][20].A risk assessment approach is used in [21] to identify and address the vulnerabilities of a cyber-physical system, without explicitly using the interactions between the attacker and the provider.Consequently, the quantification of risk and correlations is somewhat limited.Although cyber-physical networks form an integral part of many critical infrastructures such as energy, information technology, and transportation systems, these works primarily cater to applications on power systems and smart power grids.To our best knowledge, there has not been any study that rigorously models the correlations between cyber and physical components in a general system.Our objective is to develop such a general formulation and illustrate its generality by using models of various applications, such as metro systems, cloud computing infrastructures, and smart power grids.
Game-theoretic methods have been extensively applied to capture the interactions between providers and attackers of critical infrastructures [22] to develop strategies to ensure their continued operation in the presence of evolving threats.Such interactions are being increasingly analyzed ever since the 9/11 attacks [23], after which there has been an increased emphasis on protecting critical infrastructures.Most of these studies use sequential models with the provider as the first mover and the attacker as the second.This is useful in enabling analysts to draft preemptive recommendations [24].Game theory has been used widely in the field of cyber-physical network security [25][26][27].An overview of the game-theoretic models in network security is provided in [28].However, these works do not consider the physical components that are critical to the functioning of cyber networks.
Several infrastructures to support power distribution, transportation, and agriculture have been analyzed using game-theoretic approaches.They typically employ complex dynamic models of the underlying physical systems [11]-in particular, using partial differential equations.Both game-theoretic formulations and their solutions are quite extensive for such infrastructures, including: multiple-period games [29] that address multiple time-scales of system dynamics; incomplete information games [30][31][32] that account for partial knowledge about the system dynamics and attack models; and multiple-target games [33,34] that account for possibly competing objectives.A comprehensive review of the defense and attack models in various game-theoretic formulations has been presented in [35].
Game-theoretic methods have been developed specifically to address the system reliability and robustness for several applications [22], which are particularly applicable to critical infrastructures.Recently, there have been increasing levels of integration of cyber components, including computing and networking devices, into several critical infrastructures.This contributes to faster information transmission and processing, but also lead to unprecedented security vulnerabilities due to the underlying cyber-physical correlations [36].While many existing formulations utilize detailed dynamic infrastructure models, the cyber-physical correlations have only recently been explicitly addressed, and in a limited way [36].Because of the large scale and complexity of cyber-physical systems, most game models obtain Nash equilibrium using numerical methods.The current paper analytically presents players' best responses and provides insights for defense strategy at NE.
Due to the wide spectrum of the game-theoretic methods used for critical infrastructures, we now briefly consider the ones that are directly related to our discrete cyber-physical component models.These are much simpler than others used in infrastructures such as power distribution, transportation, and agriculture [11].For example, partial differential equations that model traffic dynamics.In terms of overall goals, they belong to formulations that integrate system reliability and robustness parameters [22], which are applied for example to smart power grids [37], cloud computing infrastructures [38], and power systems [39].Within this class, Stackelberg games are an important subclass, wherein the provider chooses actions based on instantaneous information.They lead to more reactive and sensitive responses to dynamic disruptions compared to long-term strategies used in Markov game models [37,40].
Stackelberg formulations have been applied to discrete models of cyber-physical infrastructures in various forms [36], and an important subset is formulated using the number of cyber and physical components that are attacked or reinforced.These formulations capture infrastructures with a large number of components, and are coarser than formulations that consider the attack and defense of individual cyber and physical components [41].The correlation function was proposed in [2] to capture the dependencies between the survival probabilities of cyber and physical sub-infrastructures; this is a generalization of simple linear forms studied earlier in [4,5].First-order differential conditions on the sub-infrastructure survival probabilities are proposed in [2] as a generalization of the statistical independence and contest survival functions [42], and the role of multiplier functions on these conditions has been further expanded in [1].
We now place our formulation and results within the broader context above.The composite utility functions described in the introduction generalize the sum-form [2] and product-form [3] utility functions used for infrastructures with discrete components.The composite utility functions have been applied to more general systems of systems (SOS) in [1,43], and here we customize them to cyber-physical sub-infrastructures.The resultant NE conditions unify the previous results by using composite gain-cost terms (Theorem 1), and also provide second-order NE derivative conditions (Theorem 2), which together enable us to apply them to more detailed and newer (metro system) infrastructure models.SOS have been studied under a similar formulation [43,44], and also under additional conditions due to an asymmetric role played by the inter-connection network [1,45,46].The current paper explicitly targets the cyber and physical sub-infrastructures, provides in-depth results based on cyber-physical correlations, and also addresses the second-order NE conditions that have not been addressed in earlier works on cyber-physical infrastructures [2,3].To make the presentation self-contained, we provide or re-state definitions of various terms needed for our formulation (Section 3) from the references.

Discrete System Models
A cyber-physical infrastructure (CPI) consists of cyber and physical sub-infrastructures with N C cyber components and N P physical components.Both components must be operational and available as parts of the infrastructure, but they can be functionally disabled or operationally disconnected from the infrastructure through attacks.In particular, cyber attacks may render physical components unavailable even if they are functional.For example, cyber attacks on a power grid's SCADA system might disable power flows on the lines it controls.Physical component attacks may also render cyber components unavailable, as in the case of fiber cuts in a cloud infrastructure described in the previous section.We capture these cyber-physical interactions using the survival probabilities of cyber and physical sub-infrastructures using: (i) the cyber-physical failure correlation function f (P C , P P ) that captures the correlations at the sub-infrastructure level (Section 3.1), and (ii) the differential conditions on P C and P P using the multiplier functions that capture the component-level correlations (Section 3.2).

Cyber-Physical Structural Interactions
The failure probabilities of cyber and physical sub-infrastructures are P C = 1 − P C and P P = 1 − P P , respectively.The probability that a CPI is operational is given by The joint failure probability P C∩ P is expressed in terms of the conditional failure probability as P C∩ P = P C| P P P, which leads to the following definition.

Condition 1. Cyber-Physical Correlation Function:
The survival probability a CPI is given by P CP = P C + P P − 1 + f (P C , P P ) (1 − P P ), where f (P C , P P ) = P C| P is the cyber-physical failure correlation function of cyber and physical sub-infrastructures.
The failure correlation function captures the dependence of cyber sub-infrastructure failure on that of physical sub-infrastructure.For example, in a cloud computing infrastructure with N S servers at each site, disabling the fiber would disconnect all servers at the site, which can be reflected by choosing f (P C , P P ) = N S (1 − P P ).This shows that the physical failure rate is amplified by N S in rendering the servers unavailable.The following are two illustrative forms of f (P C , P P ).
(a) OR Systems: A special class called the OR systems are defined in [4,5] to illustrate cases where cyber and physical parts can be independently analyzed.For these systems, the probability of failure of cyber or physical sub-infrastructure is P C∪ P = P C + P P or equivalently P C∩ P = 0.That is, the failure of the physical sub-infrastructure is guaranteed not to cause the failure of the cyber sub-infrastructure.Thus, we have P CP = P C + P P − 1 and f (P C , P P ) = 0.These systems are of mostly academic interest.(b) Linear Forms: The linear form expresses the correlation in terms of multiplicative and additive coefficients, denoted by a C and b C , respectively, and is used in [5] (in [4] only a C is used).Here, a C represents a proportional change in P C due to the physical sub-infrastructure failure, whereas b C represents an independent factor.There are two special cases under this form: (i) Statistical Independence: We have f (P C , P P ) = 1 − P C .That is, a C = 1 and b C = 0, so that P C∩ P = P C P P or equivalently P CP = P C P P , and (ii) Failure Certainty: When physical failures lead to cyber failures with certainty, we have f (P C , P P ) = 1.That is, a C = 0 and b C = 1, such that P CP = P C (i.e., infrastructure survival probability solely depends on cyber sub-infrastructure).
More generally, if a C > 1 and b C ≥ 0, or a C ≥ 1 and b C > 0, the cyber failures are positively correlated to physical failures.That is, they occur with higher probability following physical failures (i.e., P C| P > P C).If a C < 1 and b C ≤ 0, or a C ≤ 1 and b C < 0, i.e., f (P C , P P ) < 1 − P C , cyber failures are negatively correlated to physical failures (i.e., P C| P < P C).
We now consider that the effects of reinforcements and attacks can be separated at the sub-infrastructure level such that ∂P P ∂z C = 0 and ∂P C ∂z P = 0, where z = x, y.Intuitively, these conditions indicate that only direct impacts are dominant at the level of sub-infrastructures.For example, cyber reinforcements contribute to improving the cyber sub-infrastructure but not directly to physical sub-infrastructure.We capture the sub-infrastructure correlations for the provider using the following conditions.

Condition 2. De-Coupled Reinforcement Effects:
The partial derivatives of P CP in Condition 1 satisfy the following conditions for the provider.

Sub-Infrastructure Survival Probabilities
We consider that the sub-infrastructure survival probabilities satisfy the following differential conditions.

Condition 3. Cyber and Physical Multiplier Functions:
The derivatives of survival probabilities of cyber and physical sub-infrastructures can be expressed as These multiplier functions capture the underlying details of cyber and physical sub-infrastructures (specialized systems of [1]) after factoring out the corresponding survival probabilities.They depend on the the parameters of cyber and physical sub-infrastructures, in addition to game variables x C , x P , y C , and y P .For example, for the cloud computing infrastructure described in Example 1, Λ C depends on the number of servers N S at each site, and for the metro system in Example 2, Λ P depends on the number of lines N L controlled by a signal.These somewhat abstract functions enable us to encapsulate some of the sub-infrastructure details so that the multiplier functions appear explicitly in various estimates at NE (including the survival probability estimates in Theorem 1), and provide valuable insights into the underlying dependencies.These multiplier functions can take simple forms in the following two important cases, which have been studied extensively in the literature.
(a) Statistically Independent Components: Let p C|R and p C|N denote the conditional survival probability of a cyber component with and without reinforcement, respectively.Under the assumption of statistical independence of component failures, the probabilities that the cyber and physical parts survive the attacks are given by [4] , for which we have .
We now describe three simplified illustrative cyber-physical infrastructure models for which we derive estimates for the multiplier functions Λ B (•), where B = C, P under uniform selection of components to reinforce and attack.We will expand further on these examples in Section 5 by taking additional details into account.
Example 1. Cloud Computing Infrastructure: A cloud computing infrastructure (Figure 1) consisting of multiple sites can be simply modeled with N S servers at each site.Cyber attacks may bring down the individual servers, and the communication fiber routes to the sites may be physically cut.Reinforcements to these components may be in the form of replicated stand-by servers, and redundant physically-separated fiber routes.Since a physical fiber cut disconnects all servers at the site from the network, a first-order model is f (P C , P P ) = N S (1 − P P ), which indicates the multiplicative effect of physical attacks.There are [y P − x P ] + non-reinforced fiber connections that are vulnerable to physical attacks, where [•] + represent the non-negative part.That is, [z] + = z for z > 0, and [z] + = 0 otherwise.Under a uniform distribution of attacks and reinforcements, the probability that a cyber-reinforced server survives y P fiber attacks is estimated by where 0 ≤ f C ≤ 1 is an appropriately chosen normalization factor.This estimate decreases with higher values of [y P − x P ] + .If a server is not reinforced, it will be brought down by a direct cyber attack, or disconnected through a fiber attack.Thus, the survival probability of such a non-reinforced server is which reflects a decrease due to y C compared to a reinforced server.For example, in an infrastructure with 10,000 servers at each site with a non-reinforced fiber, a single fiber attack has an effect similar to 10,000 individual server cyber attacks.Using these formulae, we have for the cyber sub-infrastructure, which interestingly does not depend on cyber x C but depends on physical x P .
Example 2. Metro System: A metro system (Figure 2) consists of many components, including trains, tracks, perway, telecommunication systems, and electrical systems.The system operates normally when trains are running smoothly, being controlled by the signals located along the lines.A simplified model of a metro system may be based on abstracting its signaling system.The model consists of N S signals along the tracks and the actuators on N T trains, which are centrally controlled.The communication between the signals and the control center may be interrupted through cyber means, while the actuators on trains may be damaged physically.Reinforcements to these components may be in the form of redundant communication routes for the signals and better physical protection of the actuators on trains.Since a cyber attack on a signal along the tracks partially disrupts the smooth running of all the trains running the line through that signal, a first-order model is given by P P| C = αN L (1 − P C ), which captures the multiplicative effect of cyber attacks, where 0 < α < 1 is properly chosen to represent a partial effect and N L indicates the number of trains running on a line.Then, by using the Bayes formula P C| P = P P| C P C /P P, we have f (P C , P P ) = αN L (1−P C ) 2 (1−P P ) .Typically, N L is on the order of tens, whereas N S in the previous example could be in the thousands.
We now consider that the attacker and provider choose components to attack and reinforce, respectively, according to uniform distribution.Then, there are [y C − x C ] + non-reinforced signals.The probability that a reinforced actuator survives the cyber attacks is estimated by where 0 ≤ f P ≤ 1 is a normalization factor.This estimate reflects that cyber attacks are more likely to disrupt the actuator functioning for higher values of [y C − x C ] + , and the physical attacks have no effect on a reinforced actuator.If the actuator is not reinforced, it will be brought down by a direct physical attack, or indirectly through a cyber attack.Thus, we estimate its survival probability as which is inversely proportional to the number of physical attacks y P .Using these formulae, we have for the physical sub-infrastructure, which interestingly does not depend on physical x P but captures the dependence on cyber x C .Note that the roles of cyber and physical components are switched in this example compared to the cloud computing infrastructure.Example 3. Smart Power Grid Infrastructure: A power grid infrastructure (Figure 3) is controlled by a SCADA system using information collected by a network of sensors that monitor transmission and distribution lines.The sensors are placed at strategic locations for effective flow control, and they have good connectivity to the SCADA system via communication nodes.We assume that each communication node relays information from sensors of N L lines to the SCADA system, and it may be disabled by a direct cyber attack, which will disrupt the information flow from all N L lines.Typically, N L is of the order of tens.When the monitoring information of a line is lost, the SCADA system may assume the line to be down for safety reasons, and hence disrupting a node will also disrupt the power flow on all N L lines.By using reasoning analogous to the previous two examples, we have P P| C = N L (1 − P C ).Then, by using the Bayes formula P C| P = P P| C P C /P P, we have f (P C , P P ) = N L (1−P C ) 2 (1−P P ) .We then estimate the survival probability of a reinforced line, which can be disconnected by [y C − x C ] + cyber attacks, as where 0 ≤ f P ≤ 1 is appropriately chosen under uniform attack and reinforcement distributions.Meanwhile, a power line can be directly disrupted by physical means if it is not reinforced, and it is more likely to be unavailable if there are more physical attacks (i.e., higher y P ).Thus, an attack on a communication node will have an amplified effect on power lines compared to direct physical attacks, such that which provides an estimate of the probability of survival of a non-reinforced power line.Using the above formulae, we have which does not depend on x P as in the case of the metro system.

Game-Theoretic Formulation
The provider's objective is to make the infrastructure resilient by reinforcing x C and x P cyber and physical components, respectively, to minimize the utility function.For uniform component reinforcement costs, we have L D (x C , x P ) = c CD x C + c PD x P , where c CD and c PD are reinforcement costs of cyber and physical components, respectively.The attacker's objective is to disrupt the infrastructure by attacking y C or y P cyber and physical components, respectively (but not both), in order to minimize the utility function.For uniform component attack costs, we use L A (y C , y P ) = c CA y C + c PA y P , where c CA and c PA are the attack costs of cyber and physical components, respectively, and only one of y C and y P is non-zero.

Nash Equilibrium Conditions
The Nash equilibrium conditions are derived by equating the corresponding derivatives of the utility functions (as shown in Section 1) to zero, which yields where B = C, P for the provider.We define as the composite gain-cost term, and as the gain-cost gradient with respect to x B , B = C, P. For the attacker, we similarly obtain, for B = C, P,

OR Systems
The OR subsystems are a special case where the probability of simultaneous failures of cyber and physical sub-infrastructures is negligible.[4].Here, the infrastructure will fail if either of the cyber or physical sub-infrastructures fail, such that P C∪ P = P C + P P, or equivalently P CP = P C + P P − 1.In these (theoretical) systems, the dependence of P CP on system parameters at NE is easier to derive and interpret, since it is determined entirely by Condition 3 without involving f (P C , P P ).We have a much simpler form of Condition 2 given by ∂P and ∂P CP ∂x P = ∂P P ∂x P . At NE, we have wherein Θ C (•) and Θ P (•) are called the cyber and physical scaled gain-cost gradients, respectively.Using Condition 3, we obtain the following estimates for the survival probabilities of cyber and physical sub-infrastructures: PC;D (x C , x P , y C , y P ) = − Θ C (x C , x P , y C , y P ) Λ C (x C , x P , y C , y P ) and PP;D (x C , x P , y C , y P ) = − Θ P (x C , x P , y C , y P ) Λ P (x C , x P , y C , y P ) .
These estimates for cyber and physical sub-infrastructures depend mainly on the corresponding scaled gain-cost gradients, and thus represent a "separation" of the cyber and physical parts at this level.In this sense, OR systems constitute an important analytical case wherein the cyber-physical correlations between the sub-infrastructures may be ignored.In addition, these estimates provide the sensitivity information of the survival probabilities of cyber and physical sub-infrastructures, and they depend only on the derivatives of the corresponding probabilities.Although they do not involve the failure correlation function f (P C , P P ), the cyber-physical interactions are still captured by Λ C (•) and Λ P (•) at the component level.Both survival probability estimates PC;D and PP;D are proportional to the corresponding weighted cost and reward functions, and are inversely proportional to their weighted derivatives.This seemingly counter-intuitive trend applies only to the set of Nash equilibria, and not to the overall system behavior.

Statistical Independence of Cyber and Physical Sub-Infrastructures
We consider that the cyber sub-infrastructure failures are statistically independent such that P CP = P C P P and f (P C , P P ) = 1 − P C .At NE, we have Qualitatively, at NE, the survival probability estimates of cyber and physical sub-infrastructures PC;D and PP;D have an inverse relationship, but their product is determined by Λ C (•) and Λ P (•) in a manner similar to the individual probabilities PC;D and PP;D of OR systems.However, unlike OR systems, statistical independence is not sufficient to decouple the estimates PC;D and PP;D so that they depend solely on Λ C (•) and Λ P (•), respectively.

NE Sensitivity Functions
We now derive estimates for P C and P P at NE using the scaled gain-cost gradients and failure correlation function to obtain qualitative information about their sensitivities to different parameters from the provider's perspective.
Theorem 1.Under Conditions 1, 2, and 3, an estimate of the survival probability of physical sub-infrastructure at the Nash equilibrium for and, for .
An estimate of the survival probability of cyber sub-infrastructure is x P , y C , y P ) and ∂P CP ∂x P = −Θ P (x C , x P , y C , y P ).By using the formulae in Condition 2, we have 1 + (1 The expression for PP;D is obtained by solving for P P using the above quadratic equation, and the expression for PC;D follows from the equation above it. Compared to OR Systems, there are significant cyber-physical interactions at the sub-infrastructure level in both PP;D (x C , x P , y C , y P ) and PC;D (x C , x P , y C , y P ).
In particular, PP;D (x C , x P , y C , y P ) depends on both f (•) and its partial derivatives with respect to P P , and the partial derivatives of G D and L D with respect to x P and Λ P , as expected.Its dependence on P C is implicit through the failure correlation function f (P C , P P ).The qualitative behavior of PC;D (x C , x P , y C , y P ) is quite similar with respect to L D , but its dependence on P P is also through f .They are both affected by Λ C (•) and Λ P (•), and each of them in turn depends on the number of both cyber and physical component attacks and reinforcements.Thus, the estimates PP;D and PC;D reflect the correlations between the sub-infrastructures explicitly through f , as well as those captured by the survival probabilities of individual sub-infrastructures.
Theorem 1 utilizes P C| P = f (P C , P P ), which captures the failure effects of physical sub-infrastructure on the cyber sub-infrastructure.Alternatively, we can utilize P P| C = g(P C , P P ), which captures the failure effects of cyber sub-infrastructure on the physical sub-infrastructure.In this case, we obtain a quadratic expression in P C .Then, we can estimate PC;D (x C , x P , y C , y P ) in terms of g(P C , P P ) by solving the quadratic equation as in Theorem 1.Additionally, results expressed in terms of f (P C , P P ) and g(P C , P P ) can be converted between each other using the following expression: The qualitative effects of f (•) and g(•) on the sensitivity function estimates is quite similar, and their choice is determined by their functional forms and the accuracy with which they can be estimated.
The estimates in Theorem 1 are based on the first-order derivatives of utility functions, and their minimization leads to second-order derivative conditions, which in turn provides an upper bound on P P as follows: Theorem 2. Under Conditions 1, 2, and 3, an upper bound on the survival probability of physical sub-infrastructure at the Nash equilibrium for Proof: At NE, the first derivative of the utility function is given by where B = C, P. The second derivative condition is given by which in turn provides a bound on ∂P CP ∂x B as follows, The upper bound on P P then follows from Condition 2 by using x B = x P and ∂ f This theorem indicates that the ratio of the correlation function and its derivatives can add to this effect.

Sum-Form and Product-Form Utility Functions
The utility functions can be specialized to reflect different aspects of the infrastructure, in particular explicitly expressing the terms using P CP (x C , x P , y C , y P ).Corresponding to the sum-form in Section 1, the utility of the attacker is given by U A+ (x C , x P , y C , y P ) = [P CP (x C , x P , y C , y P )] g A + L A (y C , y P ), where [1 − P CP (x C , x P , y C , y P )]g A is the expected reward for the cost L A (y C , y P ) of cyber or physical attacks.Similarly, the product-form utility of the attacker is given by U A× (x C , x P , y C , y P ) = P CP (x C , x P , y C , y P )L A (y C , y P ), which represents the expected cost when the infrastructure survives the attacks and thus represents "wasted" effort.The individual terms of the utility functions for sum-and product-forms are simplified as shown in Table 3 for the provider.Table 3. Gain and cost terms and their multipliers for sum-form and product-form utilities of the provider.
Special cases of Theorem 1 for sum-and product-forms are presented in [2,4], and the second-order condition in Theorem 2 provides us with additional conditions on achievable P P .In particular, for the sum-form utility of the provider, the second derivative condition is which provides an upper bound on ∂ 2 P CP ∂x 2

B
. And for the product-form utility of the provider, the second derivative condition is which provides an upper bound on P CP .

Survival Probabilities of Sub-Infrastructures
It is instructive to compare the individual survival probabilities of cyber and physical sub-infrastructures P C and P P , respectively, since the minimum of the two determines the survival probability of the infrastructure.Using the equations from the proof of Theorem 1, we have In this section, for simplicity we denote Λ C (x C , x P , y C , y P ), Λ P (x C , x P , y C , y P ), Θ C (x C , x P , y C , y P ), and Θ P (x C , x P , y C , y P ) by Λ C , Λ P , Θ C , and Θ P , respectively.By dividing the above two equations by , respectively, and eliminating the term (1 − P P ) by subtraction, we obtain the following condition: Then, by using , we obtain the following relationship between P P and P C : .
By comparing the right hand side to P C , the condition P P ≥ P C is equivalent to , where .
= is either ≤ or ≥ based on the sign of the denominator above.If .= is ≤, then the above condition is not satisfied if the right hand side is negative, which in turn corresponds to the signs of the two terms = is ≥, then this condition is not true if the right hand side is greater than 1.These two boundary conditions determine that one of the two conditions P P ≥ P C and P P ≤ P C is true.In the other cases, this relationship is not that simply determined, and can take a more complicated form.
For the special case f (P C , P P ) = a C (1 − P C ) + b C , we have Then, the condition P P ≥ P C leads to a quadratic equation with the following solution: The boundary conditions in this case can be derived as in the general case.However, a different line of analysis done in this case in [5] provides a much simpler characterization of the relationship between P C and P P .It yields the following simpler condition: where . Then, the relationship between P C and P P is described by 12 different regions determined solely by a C , b C , d CD , and d PD such that in each region exactly one of the two conditions P P ≥ P C and P P ≤ P C is true.

Application Examples
In this section, we expand the three examples from Section 3.2 by taking more component details into account.First, we consider different types of cyber and physical components such that x i C , i ∈ A C is the number of cyber components of type i, and x j P , j ∈ A P is the number of physical components of type j.Thus, in terms of the original indices, we have x C = ∑ The component failures are considered statistically independent for different types in [5] such that We consider that these conditions are satisfied in both of the following examples.

Cloud Computing Infrastructure
The simple cloud computing infrastructure model of Example 1 in Section 3.2 is expanded to include a gateway router at each site, which connects to all servers at the site.A cyber attack on a gateway router will also have essentially the same effect as a physical fiber attack-namely, disconnecting all servers at the site.A fiber attack requires physical proximity, whereas a router cyber attack may be remotely launched, thereby representing different types of costs.Cyber components now belong to two classes, namely, servers and routers, such that x C = x S C + x R C where x S C and x R C denote the number of reinforced servers and routers, respectively.Similarly, we have y C = y S C + y R C , where y S C and y R C denote the number of servers and routers attacked, respectively.Then, for the two cyber sub-infrastructures, we have the failure correlation functions f S P S C , P P = N S (1 − P P ) and f R P R C , P P = (1 − P P ), wherein the physical failures are amplified by N S for the servers but are the same for routers.Thus, the composite failure correlation function f (P C , P P ) is given as follows: f (P C , P P ) = ∑ B∈{S,R} P B C| P = f S P S C , P P + f R P R C , P P = (N S + 1)(1 − P P ).
Then, the survival probabilities of cyber-reinforced components are computed separately for the servers and routers, which are denoted by p S C|R and p R C|R , respectively.The probability that a cyber-reinforced server survives fiber or router attacks is given by , which now depends on both physical attacks on fiber and cyber attack on routers.An estimate of the probability that a cyber-reinforced router survives a physical fiber attack is given by p , since a cyber attack on a reinforced router has no impact and a fiber attack will disconnect only one router.If the router is not cyber-reinforced, then we have , which additionally depends on y R C .By using these estimates for the router, we have which increases in the number of cyber router attacks but decreases in the number of attacks on non-reinforced routers.If the cyber component, server or router, is not reinforced, it will be brought down by a direct cyber attack or indirectly by fiber attack, but the latter will have a greater impact.However, cyber attacks on servers and routers will have different impacts on the availability of the infrastructure.That is, a server attack will only bring it down, but a router attack will make all N S servers unavailable.In some current infrastructures, N S could be on the order of thousands.Thus, for a server that is not cyber-reinforced, we use the estimate , which reflects the additional lowering of survival probability inversely proportional to the level of cyber attack y S C , and to y R C but amplified by a factor N S .Thus, for servers, we have , which increases in the number of server attacks but decreases in the attacks on non-reinforced routers and fibers.The survival probabilities of physical fiber components depend on y P such that p P|R = f P and p P|N = f P 1+y P .By combining the two formulae for fiber, we have Λ P (y P ) = ln (1 + y P ) , which increases in the number of physical attacks.Similar to the case of the metro system, in addition to Λ P (•) and Λ B C (•), where B = S, R, the survival probabilities of cyber and physical sub-infrastructures are determined by the correlation function f (P C , P P ), as described in Section 4.6.

Metro System
We refine the metro system model of Example 2 in Section 3.2 to include multiple traffic control centers, each connecting to all signals of a single line.A cyber attack on a control center will disconnect all signals of its line and disrupt all trains running on that line.Now, we separate the cyber components into two classes, namely, control centers and signals, and x C = x T C + x S C such that x T C and x S C denote the number of reinforced control centers and signals, respectively.Similarly, y C = y T C + y S C , such that y T C and y S C denote the number of control centers and signals attacked, respectively.Since we focus on the smooth running of the trains, it is more instructive to carry out the analysis in terms of the failure correlation function g(P C , P P ) = P P| C.Then, for the sub-infrastructures, we have the failure correlation functions g T P T C , P P = N L 1 − P T C and g S P S C , P P = αN L 1 − P S C , wherein the physical failures are amplified by N L for control centers and by αN L for the signals.We now estimate the composite failure correlation function g(P C , P P ) as follows: and signal, respectively, given that the cyber sub-infrastructure of the metro system failed.The probability that a physically-reinforced actuator on a train survives cyber attacks on a control center or signal is given by , which now depends on both cyber attacks on control centers and signals.If the actuator is not physically-reinforced, then we have , which additionally decreases with respect to y P .By using these estimates for an actuator, we have , where B = T, S. Note that the net effect of the number of attacks and reinforcements on the survival probabilities of cyber and physical sub-infrastructures is also determined by the correlation function as described in Section 4.6, in addition to Λ P and Λ B C , where B = T, S.

Smart Power Grid Infrastructure
The power grid model described in Example 3 in Section 3.2 is expanded to include smart meters on the lines that provide the demand information to generation and distribution control systems.The smart meters can be attacked by cyber means to manipulate the demand information (e.g., to make it zero).We group the cyber components into two classes, namely, communication nodes and smart meters, such that x C = x S C + x M C , where x S C and x M C are the number of reinforced communication nodes and smart meters, respectively.Similarly, we have y C = y S C + y M C , where y S C and y M C are the number of communication nodes and smart meters attacked, respectively.Since the electricity transmission in the grid takes place on the physical sub-infrastructure, it is more instructive to carry out the analysis in terms of the failure correlation function g(P C , P P ) = P P| C. As in the metro system example, for the sub-infrastructures, we have the failure correlation functions g S P S C , P P = N L 1 − P S C and g M P M C , P P = 1 − P M C , wherein the attacks on communication nodes are amplified by the number of lines N L controlled by each of them, but are the same for smart meter attacks.Then, we utilize the estimate Then, the survival probabilities of cyber components are estimated separately for the communication nodes and smart meters.The survival probabilities of the power supply lines with and without reinforcement are denoted by p P|R and p P|N , respectively.A communication node or a smart meter may be disabled by cyber means, which will disrupt the power flow on the lines so that , for physically-reinforced power lines.Note that cyber attacks on communication nodes are amplified by N L times compared to attacks on smart meters.Each power line can be directly disrupted by physical means such that it can be brought down if not reinforced, and thus we have , where B = S, M, which increases in the total number of cyber attacks.As in the previous examples, the net effect of the number of attacks and reinforcements on the survival probabilities of cyber and physical sub-infrastructures is also determined by the correlation function (in addition to Λ P and Λ B C , where B = S, M) as described in Section 4.6.

Conclusions
We studied a class of infrastructures characterized by the number of discrete components that can be disrupted by either cyber or physical attacks, and are protected by cyber and physical reinforcements.We characterized the cyber-physical interactions in these infrastructures at two levels: (i) the failure correlation function specifies the conditional survival probability of a cyber sub-infrastructure given that of the physical sub-infrastructure as a function of their marginal probabilities, and (ii) the individual survival probabilities of both sub-infrastructures are characterized by first-order differential conditions.We derived Nash equilibrium conditions in terms of partial derivatives of cost terms, failure correlation function, multiplier functions, and survival probabilities of sub-infrastructures and their partial derivatives.We then estimated the sensitivity functions that indicate the dependence of infrastructure survival probability on these parameters.We applied this approach to models of metro systems, cloud computing infrastructures, and smart power grids at different levels of abstraction when all have a large number of components.These results generalize previous results using simpler utility functions in [2][3][4][5], and specialize the results on systems of systems in [8,[43][44][45][46][47][48].Together, our results enable us to unify the previous results and consider more detailed models of the correlations between the sub-infrastructures in the metro systems, cloud computing infrastructures, and smart power grids, with sharpened focus on cyber and physical sub-infrastructures.
Several extensions of this formulation could be pursued in future studies, including the cases where the effects of attacks and reinforcements of specific components are explicitly accounted for.In such formulations, x C and x P may be replaced by vectors whose components are Boolean representing the reinforcement of a component or a fraction representing the probability of reinforcement.It would also be of future interest to explicitly model various redundancies incorporated by infrastructures to avoid single-point failures (e.g., abstracted by fiber cuts).Such extensions may also require a more refined characterizations of attacks (e.g., single-or multiple-fiber attacks) and defenses, which may lead to their partial successes.Indeed, the attack and defense models can be extended to include their success probabilities to capture cases wherein the attacks and reinforcements are not always guaranteed to fully fail or succeed.It would be interesting to study sequential game formulations of this problem, and cases where different levels of knowledge are available to the attacker and provider.Other future formulations could include multiple attackers and hybrid infrastructure models.For example, physical sub-infrastructure represented by partial differential equations and cyber sub-infrastructures represented by graphs.Applications of our approach to more detailed models of metro systems, cloud computing infrastructures, smart power grids, and high-performance computing complexes would be of future interest.

Figure 3 .
Figure 3. Smart power grid infrastructure.SCADA: supervisory control and data acquisition.

Condition 4 .P
consisting of only cyber components of type i and physical components of type j, with their survival probabilities denoted by P i C and P j P , respectively.Now we generalize Condition 3 as follows.The survival probabilities of cyber and physical sub-infrastructures are given by C , x C , x P , y C , y P = Λ i C (x C , x P , y C , y P )P i C for x i C , i ∈ A C , corresponding to cyber components of type i, and ∂P , x C , x P , y C , y P = Λ j P (x C , x P , y C , y P )P ∈ A P , corresponding to physical components of type j.
probabilities of reinforced cyber component of type i and reinforced physical component of type j, respectively; p i C|N and p j P|N denote the probabilities of cyber component of type i and physical component of type j without reinforcement, respectively; and N i C and N j P denote the number of type i cyber components and type j physical components, respectively.These conditions in turn lead to the special case of Condition 4: for i ∈ A C , j ∈ A P ,

g
(P C , P P ) = g T P T C , A and P S A are the probabilities of a cyber attack on a control center and a signal of the metro system, respectively, and probabilities of the control center g(P C , P P ) = N L 1 − A and P M A are the probabilities of an attack on a communication node and smart meter, probabilities of a communication node and smart meter, respectively, given that the cyber sub-infrastructure failed.

p P|N = f P 1 +
y P + N L [y S C − x S C ] + + [y M C − x M C ] +, which reflects the amplified effect of cyber attacks on communication nodes compared to physical line attacks.Combining the two formulae, we haveΛ P x S C , x M C , y S C , y M C , y P = ln 1 + y P 1 + N L [y S C − x S C ] + + [y M C − x M C ] + ,which increases in the number of attacks on non-reinforced power lines and decreases in the number of attacks on non-reinforced communication nodes and non-reinforced smart meters, but the former effect is amplified N L times.The survival probabilities of cyber components are given by p B C|R = f B C B = S, M.Then, we have Λ B C y B C = ln 1 + y B C

Table 2 .
Gain and cost terms for sum-form and product-form utilities of the provider.
[42]est Survival Functions: The contest survival functions are used to characterize P C and P P in[42]such that P C = ξ+x C ξ+x C +y C y C , y P ) and P C ∂P P ∂x P = −Θ P (x C , x P , y C , y P ) .
Θ C (x C , x P , y C , y P ) Λ C (x C , x P , y C , y P )and PC;D PP;D = − Θ P (x C , x P , y C , y P ) Λ P (x C , x P , y C , y P ) .
x C , x P , y C , y P ), P (x C , x P , y C , y P ).Θ C (x C , x P , y C , y P ) Λ C (x C , x P , y C , y P ) , 1 − f (P C , P P ) + (1 − P P ) ∂ f ∂P P P P = − Θ P (x C , x P , y C , y P ) Λ P (x C , x P , y C , y P ) .
Λ C Λ P Θ P + ∂P C ∂P P Θ C and 1 − f (P C , P P ) + ∂P C which increases in the number of physical attacks on actuators, but decreases in the number of cyber attacks on control centers and signals.Since the term Λ P appears in the denominator, PP;D in Theorem 1 decreases with the number of physical attacks y P , and increases with [y T C − x T C ] + and [y S C − x S C ] + , which are the number of cyber attacks on the control centers and signals exceeding the reinforcements, respectively.The latter condition may appear counter-intuitive at the surface, but note that it only characterizes the states that satisfy NE conditions.An analogous dependence of PP;D on the parameters x C , x P , y C , and y P (shown in Theorem 1) is less direct, since Λ P appears inside the square root but is qualitatively somewhat similar since they appear in the denominator.+ y B C , where B = T, S, which increases in the total number of cyber attacks on the specific type of component.Since the term Λ B C appears in the denominator, PC;D in Theorem 1 decreases with the number of cyber attacks y B C