I. Introduction
Critical national infrastructure has become increasingly complex. The power grid exemplifies a cyber-physical infrastructure, with data collected from its physical components and processed by control algorithms running on computers to provide accurate and safe monitoring and control. Such a large-scale trusted computing base introduces a hard-to-protect attack surface. Events such as the proliferation of the Stuxnet worm [10], the coordinated attack on the Ukrainian power grid [5], and the emergence of new threats that leverage existing weaknesses in these systems [23] demonstrate that cyber-physical infrastructures are unprepared to maintain their safe and secure operation in the face of malicious adversaries.