Attack-Resilient Supervisory Control of Discrete-Event Systems
11 Attack-Resilient Supervisory Control ofDiscrete-Event Systems
Yu Wang, Alper Kamil Bozkurt and Miroslav Pajic
Abstract —In this work, we study the problem of supervisorycontrol of discrete-event systems (DES) in the presence of attacksthat tamper with inputs and outputs of the plant. We considera very general system setup as we focus on both determinis-tic and nondeterministic plants that we model as finite statetransducers (FSTs); this also covers the conventional approach tomodeling DES as deterministic finite automata. Furthermore, wecover a wide class of attacks that can nondeterministically add,remove, or rewrite a sensing and/or actuation word to any wordfrom predefined regular languages, and show how such attackscan be modeled by nondeterministic FSTs; we also present howthe use of FSTs facilitates modeling realistic (and very complex)attacks, as well as provides the foundation for design of attack-resilient supervisory controllers. Specifically, we first consider thesupervisory control problem for deterministic plants with attacks(i) only on their sensors, (ii) only on their actuators, and (iii) bothon their sensors and actuators. For each case, we develop newconditions for controllability in the presence of attacks, as wellas synthesizing algorithms to obtain FST-based description ofsuch attack-resilient supervisors. A derived resilient controllerprovides a set of all safe control words that can keep the plantwork desirably even in the presence of corrupted observationand/or if the control words are subjected to actuation attacks.Then, we extend the controllability theorems and the supervisorsynthesizing algorithms to nondeterministic plants that satisfy anonblocking condition. Finally, we illustrate applicability of ourmethodology on several examples and numerical case-studies.
I. I
NTRODUCTION
Security has been an major concern in many Cyber-PhysicalSystems (CPS) domains, such as autonomous systems [29, 25],smart grid [5], medical devices [14], industrial automation [9,7], and distributed control systems [36]. In contested scenarios,several components of such systems including the controllers,the plants and their physical environment, as well as com-munication between system components, may be subject tosimultaneous cyber and/or physical attacks. To allow for thedevelopment of security-critical CPS capable of operating evenin the presence of malicious activity, there has recently beenan effort of developing theory and tools for analyzing and syn-thesizing attack-resilient CPS (e.g., see [33, 18, 24, 10, 26, 15]and references therein). The goal has been to provide strongperformance guarantees for CPS using partial knowledge aboutthe possible attacks [11, 3], as opposed to simple tolerance ofrandom failures or robustness under small disturbances.
This work was supported in part by the National Science Foundation (NSF)Grant CNS-1652544, as well as by the Office of Naval Research (ONR) underagreements number N00014-17-1-2012 and N00014-17-1-2504. Some of thepreliminary results have appeared in [37].The authors are with the Department of Electrical & Computer Engineering,Duke University, Durham, NC 27707, USA. Email: [email protected],[email protected], [email protected].
In this work, we tackle the attack-resilient CPS problemfrom the prospective of the supervisory control of discrete-event systems [6], where the behavior of a discrete-timefinite-state plant is controlled by a supervisor in closed-loop.Between the plant and the supervisor, we consider a wide classof regular-rewriting attacks that can compromise the sensorsand actuators of the plant, as well as their communication withthe supervisor. These attackers have the ability to inject, delete,and replace events/symbols according to certain prespecifiedrules. Such attack model generalizes the attacks studied previ-ously in the context of discrete-event systems [35, 32, 12, 4],as well as captures new attacks which were previously notconsidered in such context (e.g., replay attacks [19, 18]).Mathematically, the regularly-rewriting attacks define a reg-ular relation between the input and output languages of theattackers [28, 8], and can be compactly realized by finitestate transducers (FSTs) or nondeterministic Mealy machines.These finite-state models, especially deterministic ones, havefound applications in a wide-range of application domains,such as applications in speech recognition [20, 23, 21, 22]. Inthis work, we exploit the nondeterminism in FSTs, which iscrucial in capturing possible attacker behaviors, as well asdesign resilient control for all cases (including the worst-case).Another advantage of using FSTs to model attacks is theavailability of a library of mathematically rigorous and com-putationally feasible operations. For example, FSTs are closedunder inversion and composition. Thus, complex system con-figurations and multiple attack-points/attackers can usually besimplified to a few basic configurations. Furthermore, as weshow in this work, modeling the attackers as FSTs facilitatescapturing of constraints imposed on the attacker by the systemdesign and underlying platform, such as how frequently attacksmay be enabled when security primitives (e.g., message au-thentication) are only intermittently employed, as in [15, 16].Besides its focus on attack-resiliency, this work differs fromthe conventional supervisory control of deterministic discrete-event systems (DES) with uncontrollable and unobservablesymbols in the following two aspects. First, we consider amore general supervisor model, where we model the super-visor also as an FST; note that this also covers supervisormodeling as automata, which is more a conventional approachfor DES. This gives the supervisor the ability to rewrite, inaddition to regulating, in order to counter the attacks andimprove system resiliency; as will be discussed (in Section V),conventionally supervisors may be feeble under some regular-rewriting attacks. In addition, we consider a more general classof plants modeled by FSTs instead of deterministic automata.FSTs can generate output symbols nondeterministically from a r X i v : . [ c s . F L ] A p r predefined regular languages upon receiving a possibly-emptyinput word, instead of simply dropping unobservable symbolsand autonomously triggering uncontrollable symbols, and aremore versatile in modeling plants with complex actuating andsensing architectures.As illustrated by Figure 1, we are mainly concerned withthree configurations, covering attacks on sensors and/or ac-tuators of the plant. They capture most forms of maliciousactivity in CPS, possibly resulting from network-based attacksthat corrupt the data communicated between the plant andsupervisor (e.g., as in [31, 33]), as well as non-invasive attacksthat affect the environment of the plant (e.g., such as GPSspoofing attacks on autonomous vehicles [27, 38] or Anti-lock Braking Systems (ABS) in cars [30]). To simplify ourpresentation, even if only the communication between sensorsand/or actuators and the supervisor is compromised, and notsensors (actuators) themselves, if a sensor’s (actuator’s) infor-mation delivered to (from) the supervisor is compromised, wewill refer to the sensor (actuator) as being under attack.By attack-resilient supervisory control we refer to a supervi-sor that even in the presence of attacks is able to constraint thebehavior of the controlled plant to a set of desired ones; suchdesired behaviors are specified as a regular language. Specifi-cally, our focus is on deriving conditions for attack-resiliency,which we capture as conditions for controllability under attack,as well as methods to design such attack-resilient supervisors.Compared to existing studies on supervisory control of DES inthe presence of attacks [35, 32, 12, 4], this work is different inthe following three aspects. First, we consider a more generalclass of attacks modeled by FSTs than the replacement-removal and the injection-deletion attacks in [35], actuatorenabling/disabling and sensor erasure/injection attacks in [4],and the replacement by bounded length attack in [32]. Weshow how additional attacks can be modeled as FSTs, aswell as how FSTs allow for capturing more complex attackscenarios. For example, consider coordinated attacks on sen-sors or actuators of the plant, or the communication network,capturing different ‘point-of-entry’ for the attack vectors –e.g., false data injection via sensor spoofing on part of plantsensors [34, 29] in addition to Denial-of-Service attacks ontransmitted measurements from other sensors. In such cases,while each attack may be modeled by an individual FST,the coordinated attacks from multiple attack points shown inFigure 1 can be captured by composition of such attack FSTs.Second, the fact that supervisor is also modeled by FSTs, isgiving it the extra ability to rewrite. These supervisors generatecontrol words that can keep the plant work desirably frompotentially corrupted observations from the plant, even if thesecontrol words are subject to actuation attacks. Note that theexecution of the supervisors is possibly nondeterministic for agiven observation, yielding the set of all feasible control wordsunder that observation. Consequently, controllability theoremsdifferent from [35, 32, 12, 4] are derived.Third, both attacks on the sensors and actuators of the plantare considered simultaneously, while [35] only studies attackson the output, and [4] considers attacks on the sensors andactuators individually. Finally, we consider a more generalclass of plants modeled by nondeterministic FSTs instead of Plant ActuatorSensorCommunication NetworkSupervisor ActuatorAttacksSensorAttacks
Fig. 1: Supervisory control under attacks on sensors, actuatorsas well as the communication between the sensors, controllerand actuators. In this work, we propose the use of finite-statetransducers to capture a very general class of such attacks.deterministic automata with uncontrollable and unobservablesymbols as in [35, 32, 12, 4].In this work, we introduce a new set of controllabilityconditions and synthesizing algorithms for attack-resilientsupervisors used for supervisory control of DES where attacksare modeled by FSTs. For actuator attacks, the controllabilitytheorem derived here generalizes the standard controllabilitytheorem [6]. As opposed to previous studies [6, 35, 32, 4],we show that when using FSTs as the supervisor, the designcan be performed separately for actuator and sensor attacks.In addition, we show that sensor attacks have no effect on thecontrollability of desired languages for deterministic plants,even in the presence of actuator attacks. This is caused bythe fact that the supervisor is model-based and can encodea copy of the plant’s model into the control policy, unliketraditional supervisors that can only allow/disallow symbols.For nondeterministic plants, however, we show that the sensorattacks may influence the controllability by blocking controlwords of the supervisor.To highlight impacts of different attack points, we presentour results progressively by considering first the supervisorycontrol problem for deterministic plants with (i) attacks onlyon their sensors, (ii) attacks only on their actuators, and(iii) attacks on both the sensors and actuators For deterministicplants, we show that sensor attacks can be countered by asupervisor derived by the serial composition of the inversion ofthe attack model and a model of the desired language. Actuatorattacks on deterministic plants can be partly countered by thesupervisor serially composing a model of the desired languageand the inversion of the attacker. The exact controllabilityis achieved if the desired language is invariant under theattack. For simultaneous sensor and actuator attacks, an attack-resilient supervisor can be derived by serially composingthe supervisors for the above two cases. Finally, we extendthe results for deterministic plants, to cover scenarios withnondeterministic plants, under nonblocking conditions.The rest of the paper is organized as follows. The prelimi-naries are provided in Section II. The considered system modeland problem formulation are presented in Section III. UsingFSTs to model attacks is demonstrated in Section IV. Westudy the supervisor control problem for deterministic plantsin the presence of only sensor attacks in Section V, with onlyactuator attacks in Section VI, and in the presence of both sensor and actuator attacks in Section VII. In Section VIII,we present extension of these results when nondeterministicplants are considered. Finally, we illustrate applicability of ourattack-resilient supervisory control framework in Section IX,before providing concluding remarks in Section X.II. P
RELIMINARIES
The empty string is denoted by ε . A finite-length sequenceof symbols taken from a given finite set is called a word . A setof words is called a language of the symbols. The cardinalityand the power set of a set I are denoted by | I | and I ,respectively. For two sets I and O , let I \ O = (cid:8) i ∈ I | i / ∈ O (cid:9) .For n ∈ N , where N is the set of natural numbers, let [ n ] = { , .., n } . For a word I = i i . . . i n , we call i i . . . i k ,with k ≤ n , a prefix of I . For a language L , its prefix-closure isdefined by L = (cid:8) I | I is a prefix of J , J ∈ L (cid:9) . The language L is prefix-closed if L = L . Also, we adopt the followingconvention on generating regular expressions: a superscript ∗ means repeating a symbol or a set of symbols finitely manytimes, and a comma means “or”.A relation R between two sets I and O is a set R ⊆ I × O .For i ∈ I , let R ( i ) = R ( i , · ) = (cid:8) o ∈ O | ( i , o ) ∈ R (cid:9) . Therelation R ( i ) is a partial function for the input a if |R ( i ) | ≤ ,for any i ∈ I . More generally, for I (cid:48) ⊆ I , while slightly abusingthe notation we define R ( I (cid:48) ) = R ( I (cid:48) , · ) = (cid:8) o ∈ O | ( i (cid:48) , o ) ∈R , i (cid:48) ∈ I (cid:48) (cid:9) . Thus, R ( · ) defines a function I → O . Forrelation R ⊆ I × O , its inversion is defined by R − = (cid:8) ( o , i ) ∈ O × I | ( i , o ) ∈ R (cid:9) . Finally, for two relations R ⊆ I × O and R (cid:48) ⊆ I (cid:48) × O (cid:48) , their (serial) composition is defined by R◦R (cid:48) = (cid:8) ( i , o (cid:48) ) ∈ I × O (cid:48) | ∃ o ∈ O ∩ I (cid:48) : ( i , o ) ∈ R ∧ ( i (cid:48) , o (cid:48) ) ∈ R (cid:48) (cid:9) . A. Finite State Transducers and Regular Relations
Finite State Transducers extend (nondeterministic) automataby generating a sequence of outputs nondeterministically dur-ing execution, by augmenting each transition with output.
Definition 1 (Finite State Transducer) . A (normalized) finitestate transducer (FST) is a tuple A = ( S , s init , I , O , Trans , S final ) where • S is a finite set of states ; • s init ∈ S is the initial state ; • I is a finite set of inputs ; • O is a finite set of outputs ; • Trans ⊆ S × (cid:0) I ∪ { ε } (cid:1) × (cid:0) O ∪ { ε } (cid:1) × S is a transitionrelation; • S final ⊆ S is a finite set of final states .The FST is deterministic if Trans ( s , i , · , · ) is a partial functionfor the input ( s , i ) . Specially, nondeterministic automata aretreated as special FSTs with identical input and output. A sequence ( s init , i , o , s )( s , i , o , s ) ... ( s n − , i n , o n , s n ) is called an execution of the FST A , if ( s i − , i i , o i , s i ) ⊆ Trans for i ∈ [ n ] , with s = s init . Note that this defines a regularrelation R A modeled by the FST A by letting R A only containsuch pairs of ( i . . . i n , o . . . o n ) . On the other hand, a relation R ⊆ I ∗ × O ∗ is regular , only if it is modeled by FSTs. Finally,the input language and output language of A are defined by L in ( A ) = R − A ( O ∗ ) and L out ( A ) = R A ( I ∗ ) , respectively. Attacker A a Plant P Attacker A s Supervisor S Fig. 2: Controllability under actuator and sensor attacks.
Remark 1 (Normalization) . The expressiveness of normalizedFSTs is the same as general FSTs, whose transitions arelabeled by regular languages of the input and output symbols.For a general FST, we can always find a normalized FSTmodeling the same regular relation by normalization [13, 22].
Remark 2 (Complexity) . Normalized FSTs can be viewed asnondeterministic automata with labels in ( I ∪{ ε } ) × ( O ∪{ ε } ) .Accordingly, a regular relation on I ∗ × O ∗ can be viewedas a regular language of I × O . Roughly, the computationalcomplexity for FST is the same as nondeterministic automatawith exceptions such as determinization of FSTs [8]. III. S
YSTEM M ODEL AND P ROBLEM F ORMULATION
In this work, we consider the problem of supervisory controlof discrete event systems subject to attacks both on the plant’ssensors and actuators. Specifically, we focus on the setupillustrated in Figure 2, where the supervisor S controls thebehavior of the plant P by observing the symbols that theplant generates and then sending the possible control symbolsback to the plant. Physically, this is usually performed by anumber of sensors and actuators on the plant. In reality, thesesensors and actuators, as well as their communication with thesupervisor, may be simultaneously compromised by multiplecoordinated malicious attacks that have the ability of inject,remove, or replace symbols in both the control (i.e., actuationcommands) and the observation (i.e., sensor measurements).The overall effects of these attacks can be represented bytwo attackers A a and A s on the actuators and sensors ofthe plant, respectively. The first challenge that needs to beaddressed is a suitable model that can capture attacker’s impacton the system. In this work, we propose to model the attackbehaviors A a and A s as FSTs. With FTSs, A a and A s can regularly rewrite an acceptable word, i.e., replace a symbol nondeterministically with an arbitrary word taken from somepredefined regular language, including injection, replacementand deletion; in Section IV we show how this allow us tocapture all reported attacks on supervisory-control systems.It is important to highlight that we do not assume to knowwhat actions the attacker may perform. Rather, the FST modelsemploy nondeterminism to capture all possible actions of theattacker for a specific set of compromised resources (e.g.,sensors, actuators), as well as all potential limitations imposedon the attacker’s actions by the system design (e.g., the use ofcryptographic primitives on some communication messages toprevent false-data injecting attacks over the network).Furthermore, we consider systems where the supervisor’sbehavior can also be captured by an FST, since the powerof rewriting symbols is essential to counter the attacks and i | i i | i i | i i | i Fig. 3: Example of a nondeterministic plant.improve system resiliency. The supervisor receives possiblycorrupted observations (i.e., sensor measurements) from theplant, and generates control words (i.e., actuation commands)that can keep the plant work desirably even if the system issubject to actuation attacks. In addition, we do not restrictthe supervisor’s models to deterministic FST; the execution ofthe supervisor can be nondeterministic for a given corruptedobservation, yielding the set of all such safe control wordsunder that observation. In implementation, the nondeterminismin the supervisors can be eliminated by choosing one ofthe feasible controls either arbitrarily or by certain merit(see Remark 4). Note that modeling supervisors with FSTsgeneralizes the models used for conventional supervisors forDES that only regulate the plant [6, 35, 32, 4, 37], as FSTscan be used to model.Finally, we also assume that the plant can be modeledas an FST where the output can be nondeterministic anddifferent from the input. Using such FSTs to model the plantsgeneralizes deterministic automata that are traditionally usedto model DES; FSTs are versatile in modeling discrete plantswith complex actuating and sensing architectures, comparedto conventional plant models as deterministic automata thatsimply drop unobservable symbols and autonomously triggeruncontrollable symbols.To simplify our discussion, without lost of generality, weassume that the supervisor, plant, and attackers share the sameset of symbols for both their inputs and outputs. The closed-loop system shown in Figure 2 is driven and clocked by thetransitions of the plant — at each time instance, the plantsends a fragment of symbols as output, which is subject to thenondeterministic revisions by the attacker and the supervisor,before returning to the input of the plant. Then, the plant makesstate transitions according to the pair of input and output,which we assume are always allowed by the model of theplant and will be discussed later in details, and start the nextround. The plant can stop upon entering a final state.The nondeterminism in the plant brings an extra challengefor supervisory control. When the plant is deterministic, thecontrol can be executed without blocking. However, blockingmay happen in nondeterministic plants. For example, considerthe nondeterministic plant shown in Figure 3 and the desiredcontrol i i . The plant may transit from the state to the state upon receiving i , thus blocking the next symbol i . We willdiscuss this issue in detail in Section VIII. A. Problem Formulation
We consider the problem of designing a supervisor S thatconstraints the behavior of the plant P to certain desired ones,even in the presence of malicious activity on the plant sensorsand actuators, captured by the FSTs A s and A a . The desired behavior can be suitably described by a desired regular lan-guage K ⊆ L in ( P ) , as formally stated in Definition 2. Specif-ically, our goal is to develop conditions for resiliency againstattacks, which are captured as conditions for controllabilityin the presence of attacks, as well as methods to synthesizesuch supervisors. Note that these controllability conditions andsupervisor synthesizing algorithms extend to nondeterministicplants with an additional nonblocking condition, and will bediscussed in Section VIII. Definition 2.
The supervisor S weakly controls the determin-istic plant P to the desired language K , in the presence ofactuator and sensor attacks A a and A s if it holds that K ⊆ min L in ( P|S , A a , A s ) . (1) Here, L in ( P|S , A a , A s ) denotes the language passed to theinput of P in the closed-loop system with both actuator andsensor attacks, while ⊆ min stands for minimal inclusion –i.e., any supervisor S (cid:48) with K ⊆ L in ( P|S (cid:48) , A a , A s ) satisfies L in ( P|S , A a , A s ) ⊆ L in ( P|S (cid:48) , A a , A s ) . Furthermore, we saythat the supervisor controls the plant P to the desired language K when the equality in (1) holds.The languages passed to the input of P in the closed-loop setup with only actuator or sensor attacks are de-noted by L in ( P|S , A a ) and L in ( P|S , A s ) , respectively. Bothcontrollability and weak controllability for these cases aresimilarly defined. To simplify our presentation, we make the following as-sumptions (e.g., as in [6, 35, 32, 4, 37], For the plant P , allstates are final S final = S , i.e., both the sets of their inputs andoutputs are prefix-closed. Accordingly, the desired language K is also prefix-closed K = ¯ K and regular. Furthermore,we assume that in the considered setup from Figure 2, theFSTs A a , A s , S , and P always receive acceptable inputs – i.e., the attackers A a and A s only try to affect/breakthe supervisory control by generating undesired instead of unacceptable words to the plant. Note that this is generallyachievable with the proper use of FST models for the attacks A a and A s , and the supervisor S (as we show in Section IV).IV. M ODELING A TTACKS WITH F INITE S TATE T RANSDUCERS
In this section, we discuss several issues related to modelingattacks with FSTs and show how they generalize all existingattack models. Specifically, we show how FSTs can be usedto capture all previously reported attacks on control of DES,as well as additional attacks and attack features. For example,FSTs can be used to capture constraints imposed on the attacksby the system design, as well as model finite-memory replayattacks, where the attacker records a finite-length of symbolsand replays it repeatedly [19]; note however, that capturingreplay attacks without a memory constraint (i.e., with infinitememory) is beyond the capability of the FST formalism. This is formally captured as Assumptions 1 and 2 in Sections V and VI,respectively.
A. Examples of Attack Modeling using FSTs
One of the contribution of this work is to propose the use ofFSTs to model attacks in the supervisor control of DES. Thus,we start by showing that attack models proposed in previousworks [35, 4] can be also represented by FSTs as shown inthe following examples.
Example 1 (Projection/Deletion/Injection Attack) . Let I (cid:48) ⊆ I .The projection attack defined as Project I (cid:48) ( i ) = (cid:40) i , if i ∈ I (cid:48) ε, otherwise, (2) captures attacker’s actions that result in removing all symbolsthat belong to I \ I (cid:48) . On the other hand, the (nondeterministic)deletion attack defined as Delete I (cid:48) ( i ) = (cid:40) i , if i ∈ I (cid:48) ε or i, otherwise, (3) extends the Project I (cid:48) attack as it captures that the attackermay (or may not) remove symbols from I \ I (cid:48) ; e.g., if I (cid:48) = I thismodel can be used to capture Denial-of-Service attacks [39]over the communication network. Finally, the (nondeterminis-tic) injection attack defined as Inject I (cid:48) ( i ) = ( I (cid:48) ) ∗ i ( I (cid:48) ) ∗ (4) captures that a finite number of symbols from I (cid:48) can beadded before and/or after the symbols. These attacks can berepresented by FSTs as shown in Figure 4a, Figure 4b andFigure 4c, respectively. Example 2 (Replacement-removal Attack) . A replacement-removal attack defined by the replacing-removing rule φ : I → I ∪{ ε } is represented by an FST as shown in Figure 4d. Example 3 (Injection-removal Attack) . Let I (cid:48) ⊆ I . Aninjection-removal attack nondeterministically injects or re-moves symbols in I (cid:48) from a word. This is modeled by theFST in Figure 4e. Example 4 (Finite-Memory Replay Attack) . For systems withcontinuous-state dynamics, replay attacks have been modeledand studied in e.g., [17, 18]. On the other hand, for DES nosuch models have been introduced. In DES, a replay attackrecords a prefix of a word and replaces the rest with therepetitions of the recorded prefix, with the prefix size beingbounded by the finite-memory capacity (i.e., size) N . Forexample, a replay attack recording a prefix of length up to N = 2 for any word of symbols I = { i , i } can be modeledby an FST as shown in Figure 4f. Note that the FST canbe viewed as the parallel composition of two replay attacksrecording prefixes of length and , respectively.B. Composition of Finite State Transducers One of the main advantages of using FSTs to model attackson DES is their natural support for composition of multipleattacks that are captured with the corresponding FST models.With the general architecture from Figure 1, the system may beunder a coordinated attack from multiple deployed attackers, i | ε for i ∈ I \ I (cid:48) i | i for i ∈ I (cid:48) (a) Projection Attack i | ε for i ∈ I \ I (cid:48) i | i for i ∈ I (b) Deletion Attack ε | i for i ∈ I (cid:48) i | i for i ∈ I (c) Injection Attack i | φ ( i ) for i ∈ I (d) Replacement-RemovalAttack i | ε for i ∈ I (cid:48) ε | i for i ∈ I (cid:48) i | i for i ∈ I \ I (cid:48) (e) Injection-RemovalAttack i | i i | i i | i i | i i , i | i i , i | i i | i i | i i | i i | i i , i | i i , i | i i , i | i i , i | i (f) Replay Attack Fig. 4: FST realizations of different attack models.capturing different ‘point-of-entries’ for the attack vectors onsensors/actuators and communication network – e.g., false datainjection via sensor spoofing on part of plant sensors [34, 29]in coordination with Denial-of-Service attacks on transmittedmeasurements from other sensors. This attack configurationsare illustrated in Figure 5a, and the overall effect is equivalentto the serial composition A ◦ . . . ◦A n . In addition, the attackermay decide on using a specific attack vector from a set ofavailable attacks {A , . . . , A n } as studied in [35], e.g., whenthe attacker’s constraints limit the number simultaneouslyactive malicious components. Such attack configuration isillustrated in Figure 5b, and the overall effect can be capturedusing the parallel composition A (cid:107) . . . (cid:107)A n .
1) Serial Composition:
Two normalized FSTs A = ( S , s init , I , O , Trans , S final ) and A (cid:48) = ( S (cid:48) , s (cid:48) init , I (cid:48) , O (cid:48) , Trans (cid:48) , S (cid:48) final ) can be serially composed to A (cid:48)(cid:48) = A ◦ A (cid:48) if I (cid:48) = O by taking the output of A as the input of A (cid:48) . Generally, thecomposed FST is derived by (i) taking the Cartesian productof the states and transitions, (ii) contracting the transitions onwhich the output of the first component is identical to the inputof the second component, as well as (iii) keeping transitionswith ε output in A and ε input in A (cid:48) , while discarding theothers; this is captured in Algorithm 1. Specially, FSTs canbe composed with DESs by treating each DES as an FST withidentical inputs and outputs. The serial composition is also done for I (cid:48) (cid:54) = O by neglecting the symbolsnot in I (cid:48) ∩ O . Still, to simplify our presentation we assume that I (cid:48) = O . A . . . A n (a) Serial Composition . . . A A n (b) Parallel Composition A (cid:48) A (cid:48) A D DE (c) Modeling a frequency constraint imposedon the attacker
Fig. 5: Composition of FSTs and attack constraints modeling.
Algorithm 1
Composition of Normalized FSTs
Require:
Normalized FSTs A = ( S , s init , I , O , Trans , S final ) and A (cid:48) = ( S (cid:48) , s (cid:48) init , O , O (cid:48) , Trans (cid:48) , S (cid:48) final ) Let A (cid:48)(cid:48) = A ◦ A (cid:48) = ( S × S (cid:48) , ( s init , s (cid:48) init ) , I , O (cid:48) , ∅ , S final × S (cid:48) final ) . Add transition (( s , s (cid:48) ) , i , o (cid:48) , ( s , s (cid:48) )) to A (cid:48)(cid:48) if there exists o ∈ O such that ( s , i , o , s ) ∈ Trans and ( s (cid:48) , o , o (cid:48) , s (cid:48) ) ∈ Trans (cid:48) . Add transition (( s , s (cid:48) ) , i , ε, ( s , s (cid:48) )) to A (cid:48)(cid:48) for any ( s , i , ε, s ) ∈ Trans and any s (cid:48) ∈ S (cid:48) . Add transition (( s , s (cid:48) ) , ε, o , ( s , s (cid:48) )) to A (cid:48)(cid:48) for any ( s (cid:48) , ε, o , s (cid:48) ) ∈ Trans (cid:48) and any s ∈ S . return A (cid:48)(cid:48) Finally, it is worth noting also that Algorithm 1 providesan FST realization for composition of regular relations R A ◦R A = R A ◦A , and shows the closeness of regular relationsunder serial composition.
2) Parallel Composition:
Two normalized FSTs A = ( S , s init , I , O , Trans , S final ) and A (cid:48) = ( S (cid:48) , s (cid:48) init , I (cid:48) , O (cid:48) , Trans (cid:48) , S (cid:48) final ) can be composed in parallel to A (cid:48)(cid:48) = A(cid:107)A (cid:48) if I (cid:48) = I and O (cid:48) = O . The composed FST is derived by(i) taking the union of the states, final states and transitions,and (ii) adding a new starting state with transitions ε/ε tothe initial states s init and s (cid:48) init . The detailed algorithm can befound in [13, 22] and is omitted here. Example 5 (Serial Composition) . Consider two FSTs A and A , illustrated in Figures 6a and 6b, where one replaces i with i , and the other injects i . The composition of the FSTsderived using Algorithm 1 is presented in Figure 6c. It is easyto check that R A ◦A = R A ◦ R A .C. Modeling Constraints on Attackers Another advantage of using FSTs for attack modeling isthat they facilitate capturing of attack constraints that areimposed by the underlying platform. For instance, in some The parallel composition is also possible for I , O (cid:54) = I (cid:48) , O (cid:48) . i | i i | ε (a) FST A ε | i i | i (b) FST A
00 1001 11 i | i i | ε i | εε | i ε | i (c) Serial composition A ◦ A Fig. 6: Example of composition of FSTs.networked control systems, cryptographic primitives (e.g.,Message Authentication Codes – MACs) can only be in-termittently used due to resource constraints, and thus onlyintermittently preventing injection (i.e., injection) attacks fromoccurring [15, 16]. FSTs can be used to model such restrictionsspecified as counting or frequency constraints imposed on theattacker – e.g., allowing an attack to occur at most a certainnumber of times f within every window of size l [15, 16] oras studied in [32].For an FST A = ( S , s init , I , O , Trans , S final ) , let A (cid:48) =( S , s init , I , Trans , S final ) be the automaton derived from A byremoving the output symbols of A . Namely, A (cid:48) accepts thesame language as A , but does not revise. It accepts the sameinput language as A without rewriting. Let F be a frequencycounter modeled by a automaton. For example, the automatonin Figure 5c with transitions drawn in dotted lines constraintsthe attack frequency to once every three steps. The symbolsD/E in Figure 5c stands for attack disabling and enabling.An attack with frequency constraint is derived by combiningthe frequency counter F with A and A (cid:48) into a new FSTas shown in Figure 5c. Each transition with label D/E isreplaced by a connection to A (cid:48) / A , respectively. Note that forthe resulting FST from Figure 5c, the transitions in solid linesare labeled by ε | ε , namely, they are automatically triggeredwithout generating any output symbol. Remark 3 (Relationship with existing work) . The problemconsidered in this work generalizes previously investigatedproblems. To show this, let us assume the plant to be adeterministic finite state automaton. By specifying suitablemodels of actuator and sensor attacks, several previous prob-lem formulations can be derived as follows:(i) Let the actuator attack model A ( s ) a = Inject I uc ◦ P bethe serial composition of the injection attack from (4) and the plant. These injected symbols are acceptablesymbols of the plant, but not uncontrollable by thesupervisor. In addition, let the sensor attack modelsatisfy A ( s ) s = Project I o from (2) . The removed symbolscan be viewed as the unobservable symbols generatedby the plant. Such scenario results in the standard (i.e.,without taking security/attacks into account) supervisorycontrol formulation [6] with uncontrollable events I uc , and unobservable events I uo = I \ I o .(ii) Let the actuator attack be modeled as the serial com-position A ( ed ) a ◦ A ( s ) a , where A ( s ) a is defined as in(i) and A ( ed ) a is the injection-removal attack on a setof vulnerable control symbols from Example 3. Suchscenario results in the problem of supervisory con-trol under the actuator enablement/disablement attackswhich was studied in [4]. Similarly, if the sensor attackis A ( ed ) s ◦ A ( s ) s , with A ( s ) s defined as in (i) and A ( ed ) s isthe injection-removal attack on a set of vulnerable plantoutput symbols, then the problem considered in this workresults in the problem of supervisory control under thesensor enablement/disablement attack problem from [4].(iii) Let the sensor attack be A ( rr ) s ◦ A ( s ) s where A ( s ) s isdefined as in (i) and A ( rr ) s is the replacement-removalattack from Example 2. In this case, our problem formu-lation results in the problem of supervisory control underreplacement-removal attack from [35]. Similarly, addinga sensor attack module of injection-deletion attack fromExample 3 yields the problem of supervisory controlunder injection-deletion sensor attacks studied in [35]. V. C
ONTROLLABILITY U NDER S ENSOR A TTACKS
In Sections V to VII, we study the supervisory control ofFST-modeled deterministic plants in the presence of attacks.Specifically, we start by considering resiliency (i.e., control-lability) under sensor attacks in this section. We considerthe setup from Figure 2 without A a , where the sensorssymbols are under the attack modeled as A s before they arereceived by the supervisor S . At first glance, this looks like atrivial question — the supervisor can simply be the automatagenerating the desired language K . As the words generatedby the supervisor are directly sent to the plant, the plant isguaranteed to execute exactly words in K .However, when the attacker A s may compromise sensormeasurements, and assuming that the supervisor S can onlybe automata, then it is generally impossible to close the loopbetween the sensors of the plant to the input to the supervisoras illustrated in the following example. Example 6.
Following the architecture from Figure 2 without A a , consider a set of symbols I = { i , i } and a plant P accepting the language ( i , i ) ∗ , as shown in Figure 7a. The(prefix-closed) desired language is K = ( i i ) ∗ , representedby a discrete event system M K as shown in Figure 7c. Finally,let us assume that the attack on sensors A s is represented bythe FST from Figure 7b.In this case, supervising the plant without the ability torevise symbols is impossible, as the output of the supervisorshould be the desired the language ( i , i ) ∗ , but the input isalways i ∗ , as the plant only generates i ∗ and the attackerrewrites it to i ∗ . However, for such attack model there exists anattack-resilient supervisor for the plant, modeled as an FST S presented in Figure 7d. It counters the attacks by revising i back to i every other step. As illustrated in the above example, the problem is that ifthe sensors are corrupted by the attacker A s , the supervisor S i , i | i (a) Plant P i | i (b) Attacker A s i i (c) Model of the desiredlanguage K i | i i | i (d) Supervisor S Fig. 7: Example of sensor attacks that can only be counteredby FST-based supervisors.will need the ability to change it back. But, when modeled byan automaton, the supervisor can only enable or disable events.This is insufficient to counter the attack and provide resiliencyagainst such attacks. Therefore, in this work, we consider theuse FSTs to model supervisors. Modeling supervisors as FSTsinstead of automata provides them the extra ability to revisesymbols that are required to counter attacks on the plant’ssensors, as shown in Example 6.Now, when we consider the problem of controllability underattack, in the rest of the section, we make the followingassumption on the sensor attack model A s . Assumption 1.
The attacker A s can (i) accept and (ii) onlyaccept words that are generated by the plant P , i.e., L in ( A s ) = L out ( P ) . The first part of Assumption 1 means that the attacker A s is well-defined for any acceptable word of the plant P . Oth-erwise, an error will occur when A s receives an unacceptableinput. The second part of Assumption 1 is always achievableby trimming the attacker A s .Intuitively, to supervise the plant under sensor attacks whileensuring attack-resiliency, the supervisor needs to (i) recoverthe possible output of the plant, (ii) recover the possible inputof the plant, and (iii) constrain the input to the plant. The task(i) is performed by taking the inversion of the attack modeldescribed as an FST; note that the attack model may capturea wide range of actions as it may be overly conservativeto assume a specific (e.g., deterministic) attack mapping.Similarly, the task (ii) is achievable by taking the inversionof the plant. Inversion:
A normalized FST A = ( S , s init , I , O , Trans , S final ) is inversed to A − = ( S , s init , O , I , Trans , S final ) by flipping the input and output symbol on each transition, aspresented in Algorithm 2.Note that Algorithm 2 provides an FST realization for inver-sion of regular relations R A − = R − A , and shows the close-ness of regular relations under inversion. We now introduce thefollowing lemma that follows immediately from Algorithm 2. Lemma 1.
For any FST A , the composed regular relations R A − ◦A and R A◦A − contains the identity relation, i.e., R M L in( A ) ⊆ R A◦A − , R M L out( A ) ⊆ R A − ◦A . Algorithm 2
Normalized FST Inversion
Require:
Normalized FST A = ( S , s init , I , O , Trans , S final ) Let A − = ( S , s init , O , I , ∅ , S final ) . for ( s , I, O, s (cid:48) ) ∈ Trans and | I | > do Add transition ( s , O, I, s (cid:48) ) to A − . end for return A − Algorithm 3
Design of a supervisor resilient to sensor attacks
Require:
Desire language K , plant P , sensor attacker A s . Find M K realizing K ⊆ L out ( P ) . Compute composition
P ◦ A s . Compute inversion ( P ◦ A s ) − . Compute composition S = ( P ◦ A s ) − ◦ M K . return Supervisor S . where M L in ( A ) and M L out ( A ) are FSAs (and thus also FSTsby Remark 2) realizing the input and output languages L in ( A ) and L out ( A ) of the FST A , respectively. Returning to the resilient supervisory control problem, tocounter the attacker A s , which may be nondeterministic,and recover the possible input of the plant P , we constructthe inversion ( P ◦ A s ) − . For any input I , of the plant,the corresponding output is P ( I ) , and then the attacker A s rewrites it to a word in R P◦A s ( I ) . Thus, the inversion canreverse it back to R ( P◦A s ) ◦ ( P◦A s ) − ( I ) , which is the set ofpossible words passing through the plant and yielding the sameobservation after attack as I . Restricting this set of words tothe desired language K guarantees the supervisory controlgoal. Therefore, the supervisor S should be designed to be ( P ◦ A s ) − ◦ M K , where M K is the automaton realizingthe desired language K . This is summarized by Theorem 1and Algorithm 3. Theorem 1 (Controllability under sensor attack) . In Figure 2without A a , the plant P is controllable to the desired regularlanguage K ⊆ L out ( P ) under the attacker A s on the plant’ssensors. This can be achieved by the supervisor S = A − s ◦P − ◦ M K .Proof. It suffices to show the language passing the plant isexactly K under the supervisor S = A − s ◦ P − ◦ M K .By construction, the supervisor only generates words con-tained in K . On the other hand, for any I ∈ K , notingthat by Lemma 1, I ∈ R ( P◦A s ) ◦ ( P◦A s ) − ( I ) , we know I ∈ R P◦A s ◦S ( I ) , i.e., the word I is allowed to transmit tothe plant.Theorem 1 provides a computational method to designsupervisor, which we introduce in Algorithm 3. Example 7 (Supervisor design under sensor attacks) . Let usrevisit Example 6 and the system from Figure 2 with only A s (and no A a ). Attack-resilient supervisor S in Figure 7d canbe derived by the serial composition of the inversion of theattacker A s in Figure 7b and the model of desired language K in Figure 7c – i.e., S = ( P ◦ A s ) − ◦ M K . Algorithm 4
Construction of an FST Filter for the DesiredLanguage K Require:
Desire language K , plant P . Find automata M and M (cid:48) with L ( M ) = L out ( P ) and L ( M (cid:48) ) = K . Convert M and M (cid:48) to FSTs by adding ε as output andinput symbol for each transition, respectively. A = M ◦ M (cid:48) . Trim off transitions with output symbol ε in A . return Supervisor A .VI. C ONTROLLABILITY U NDER A CTUATOR A TTACKS
In this section, we study the supervisory control problem un-der only actuator attacks for deterministic plants. We considerthe setup from Figure 2 without A s – the actuators of the plant P are under the attack modeled with A a , but the supervisor S has direct access to the sensing symbols (words) comingfrom the plant. Note that this problem is more complex thenthe resilient supervisory control problem with sensor attacksstudied in Section V, as the control words of the supervisorare not directly sent to the plant. Consequently, the desiredlanguage may not be controllable to the plant for differentattack models. For example, if the attacks A a generates theempty word ε upon all inputs, capturing Denial-of-Service(DoS) attacks, then the only controllable desired language forthe plant is { ε } .In the rest of the section, we make the following assumptionon the actuator attacks A a . Assumption 2.
The attacker A a can (i) generate and(ii) only generate words that are acceptable to the plant P ,i.e., L out ( A a ) = L in ( P ) . Similarly to the case of attacks on sensors, the first partof Assumption 2 means that the actuator attacks A a will notcause an error by sending an unacceptable input of the plant P , as such attacks are easy to detect. The way the attacker triesto interfere with the control goal is to inject an undesired wordin L in ( P ) \ K to the plant. The second part of Assumption 2ensures that every word in L I ( P ) may possibly be sent to theplant P .For attack-resilient supervision of the plant under sensorattacks, the supervisor S needs to (i) recover the possible inputword of the plant P from its output, (ii) constrain the possibleword within the desired language, and (iii) rewrite these wordsto counter the effects of the actuator attacks A a . The task (i)is achievable by the inversion P − of the plant. Filter:
Unlike the approach introduced in Section V, in thiscase task (ii) is achieved by an FST filter M K of the desiredlanguage K ∈ L in ( P ) . This is because an automaton of K cannot handle input words in L in ( P ) \ K . The filter takes aword I ∈ L in ( P ) and sends the same word if I ∈ K , and ε otherwise. To achieve this we introduce Algorithm 4.Finally, for the task (iii), we construct the inversion A − a ofthe actuator attack model. Consequently, the supervisor is S = P − ◦ M K ◦ A − a . (5) Specifically, for any word I ∈ L out ( P ) from the output ofthe plant, the inversion R P − ( I ) recovers the correspondingpossible inputs of the plant. Then the filter M K constraintsthem to R P − ◦M K ( I ) ⊆ K . Finally, the inversion A − a rewrites them to R P − ◦M K ◦A − a ( I ) to counter the actuatorattacks modeled by the FST A − a .By construction, only the words I (cid:48) ∈ K can pass thefilter M K . But, noting that R A − a ◦A a ( K ) is not necessarilycontained in K , the input language of the plant may notbe exactly K ; instead, the supervisor S from (5) may onlyrestrict the language passing the plant to a minimal supersetof K . The desired language K is controllable, when thecontainment holds. This is equivalent to checking if K iscontained in the output language of M K ◦ A − a ◦ A a .This is summarized by the following theorem. Theorem 2 (Controllability under actuator attacks) . Considerthe setup from Figure 2 without A s . The plant P is weaklycontrollable to the desired regular language K ⊆ L in ( P ) under the actuator attack A a by the supervisor S = P − ◦M K ◦ A − a . Furthermore, the minimal controllable languagecontaining K is ˜ K = R A − a ◦A a ( K ) . (6) The desired language is controllable if and only if ˜ K = K ,or equivalently the output language of M K ◦A − a ◦A a satisfies L out ( M K ◦ A − a ◦ A a ) ⊆ K . (7) Proof. Sufficiency:
It suffices to show that the language pass-ing to the plant is exactly K under the supervisor S = P − ◦ M K ◦ A − a . By (7), we have L out ( S ◦ A a ) ⊆ K , thusthe plant only receives words in K . On the other hand, forany I ∈ K , noting that I ∈ R A − a ◦A a ( I ) and I ∈ R P◦P − ( I ) by Lemma 1, we have I ∈ R P◦S◦A a ( I ) = R P◦P − ◦M K ◦A − a ◦A a ( I ) , namely, the word I is allowed to be transmitted to the plant. Necessity:
It suffices to show the minimality of ˜ K in (6).Suppose there exists a supervisor S that can weakly controlthe plant to K (cid:48) such that K ⊆ K (cid:48) ⊆ ˜ K . (8)Then for any I (cid:48) ∈ K (cid:48) , there exists an output word of thesupervisor I such that I ∈ R − A a ( I (cid:48) ) . Consequently, any wordin A a ( I ) can be transmitted to the plant, i.e., A a ( I ) ⊆ K (cid:48) .Namely, A − a ◦ A a ( K (cid:48) ) ⊆ K (cid:48) (9)Combining (6),(8), and (9), it follows that ˜ K = A − a ◦ A a ( K ) ⊆ A − a ◦ A a ( K (cid:48) ) ⊆ K (cid:48) . This implies that K (cid:48) = ˜ K .Theorem 2 provides a computational method to design suchsupervisor, as provided in Algorithm 5. Example 8 (Supervisor design for actuator attacker) . Follow-ing the configuration from Figure 2 without A s , consider a set Algorithm 5
Design of a supervisor resilient to actuator at-tacks
Require:
Desired language K , plant P , model of actuatorattacks A a . Find FST filter M K for K . Compute inversions A − a , P − . Compute serial composition S = P − ◦ M K ◦ A − a . if the output language L out ( M K ◦A − a ◦A a ) ⊆ K then return K is controllable. else return K is not controllable. end if return Supervisor S . i | i i | i (a) Plant. i | i i | i i | ε i | i i , i | ε (b) Filter of Desired language K . i | i i | i i | i i | i (c) Actuator Attacker I. i | i i | i i | i (d) Supervisor I. i , i | i , i (e) Actuator Attacker II. i | i , i i | i , i i | i , i i | i , i (f) Supervisor II. Fig. 8: Example supervisors for actuator attacks. of symbols I = { i , i } and a plant P accepting the language ( i , i ) ∗ , as shown in Figure 8a. The (prefix-closed) desiredlanguage is K = ( i , i ) i , associated with the FST filter M K (Figure 8b). Now consider the following two cases.Controllable: The attacker A I on the input of the plantis represented by an FST shown in Figure 8c. It rewrites thefirst i nondeterministically to i or i . The output language L out ( S ◦ A I ) = ( i , i ) i is exactly K . Thus, the plant iscontrollable to K by the supervisor S even under the attack.Weakly Controllable: The attacker A I on the input ofthe plant is represented by an FST from Figure 8e. It rewritesany i nondeterministically to i or i . It sends first i andthen i or i upon receiving i . The output language L out ( S ◦A I ) = ( i , i )( i , i ) is larger than K . Therefore, the plantis uncontrollable to K by the supervisor S . It is easy to seethat ( i , i )( i , i ) is a minimal superset of K . Remark 4.
Note that the supervisor in Figure 8f, derivedin Example 8, is nondeterministic, corresponding to multipleallowable controls. For example, the supervisor at the state can either send i or i upon receiving i . The controllability theorem guarantees that in the presence of attacks, the unionof all possible words received by the plant under all theseallowable controls is exactly the desired language K . In im-plementation, the nondeterminism can be resolved by choosingone of the allowable controls. Accordingly, the possible wordsreceived by the plant is contained in K . An avenue for futurework is to resolve the nondeterminism optimally when thereare different costs for the supervisor to revise the controlsymbols. VII. C
ONTROLLABILITY U NDER B OTH S ENSOR AND A CTUATOR A TTACKS
In this section, we study the supervisory control problemunder both sensor and actuator attacks for deterministic plants,as shown in Figure 2. This is a combination of the supervisorycontrol problems studied in Sections V and VI. In the rest ofthe section, we assume that the actuator attacker A a and thesensor attacker A s are well-defined as captured in Assump-tions 1 and 2.From Section VI, it follows that the FST P − ◦ M K ◦ A − a can constrain the input of the plant P , and revise these wordsto counter the actuator attacks modeled by A a . Here, M K isa filter. This, in combination with the analysis in Section V,implies that the supervisor A − s ◦ P − ◦ M K ◦ A − a canadditionally counter the sensor attacks A s . It is easy to checkthat K ⊆ R P◦A s ◦S◦A a ( K ) . However, R P◦A s ◦S◦A a ( K ) is not necessarily contained in K . The supervisor S = A − s ◦P − ◦M K ◦A − a only restricts the language passing theplant to a minimal superset of K . The desired language K iscontrollable, when the containment holds. This is summarizedby the following theorem. Theorem 3 (Controllability under actuator and sensor attacks) . In Figure 2, the plant P is weakly controllable to the desiredregular language K ⊆ L in ( P ) under the attacks A a and A s on its input and output, respectively, by the supervisor S = A − s ◦ P − ◦ M K ◦ A − a . Furthermore, the minimalcontrollable language containing K is ˜ K = R A − a ◦A a ( K ) . (10) The desired language is controllable if and only if ˜ K = K ,or equivalently the output language of M K ◦A − a ◦A a satisfies L out ( M K ◦ A − a ◦ A a ) ⊆ K . (11) Proof. Necessity:
Same as the proof for necessity for Theo-rem 2.
Sufficiency:
It suffices to show that the language passing theplant is exactly K under the supervisor S = A − s ◦ M K ◦A − a . By (11), we have that L out ( S ◦ A a ) ⊆ L out ( M K ◦ A − a ◦ A a ) ⊆ K , namely, the plant only receives words in K . On the otherhand, for any I ∈ K , noting that I ∈ R A − a ◦A a ( I ) and I ∈R ( P◦A s ) ◦ ( P◦A s ) − ( I ) , it follows that I ∈ R A s ◦S◦A a ( I ) = R P◦A s ◦ ( P◦A s ) − ◦M K ◦A − a ◦A a ( I ) , namely, the word I is allowed to transmit to the plant. Algorithm 6
Design supervisor under both actuator and sensorattacks
Require:
Plant P , actuator attacker A a , sensor attacker A s ,desired language K . Find a model M K of K . Compute inversion A − a , P − and A − s . Compute composition S = A − s ◦ P − ◦ M K ◦ A − a . if the output language L out ( M K ◦A − a ◦A a ) ⊆ K then return K is controllable else return K is not controllable end if return Supervisor S .As illustrated by the statement and proof of Theorem 3, thedesign of supervisor can be performed by separately takinginto accounts the actuator and sensor attacks, and the sensorattacks, modeled by A s , have no influence on the controllabil-ity. This result is different from most previous works [4, 6, 35].This is because the supervisor when modeled by an FST,and not an automaton, has more power in generating controlwords by itself, and depends much less on the input wordit receives. By adding a component A − s , the effect of thesensor attacker A s is totally countered, as is summarized bythe following corollary. Corollary 1.
For deterministic plants, the sensor attacker A s has no influence on the controllability of a desired languagein the supervisor control problem shown in Figure 2. Theorem 3 also provides a computational method to designsuch supervisor, as given in Algorithm 6.
Example 9 (Supervisor design for resiliency under bothsensor and actuator attacks) . Following Example 8 and theconfiguration in Figure 2, consider a set of symbols I = { i , i } and a plant P accepting the language ( i , i ) ∗ , asshown in Figure 8a. The (prefix-closed) desired language is K = ( i , i ) i , represented by an automaton M K as shownin Figure 9a. Now, let us consider the following two cases.Controllable: The attackers A a and A s on the sensorsand actuators of the plant are modeled by FSTs from Fig-ures 8c and 9b, respectively. The actuator attacker rewritesthe first i nondeterministically to i or i . The sensor attackerremoves i and replaces i with i . The supervisor shownin Figure 9c does not contain any transition with input label i ,as it will never appear due to the attack. The output language L out ( A s ◦ S ◦ A a ) = ( i , i ) i is equal to K . Thus, the plantis controllable to K by the supervisor S .Weakly Controllable: The attackers A a and A s aremodeled by FSTs from Figures 8e and 9d, respectively. Theactuator attacker rewrites i nondeterministically to i or i . The sensor attacker replaces i with i . The supervisordoes not contain any transition with input label i , as it willnever appear. Obviously, the output language ( i , i )( i , i ) minimally contains K .Comparing to Example 8, adding a sensor attacker has noinfluence on the controllability. This agrees with Corollary 1. i i i (a) Desired language K i | i i | ε (b) Sensor Attacker I i | i ε | i ε | i (c) Supervisor I i , i | i (d) Sensor Attacker II i | i , i i | i , i (e) Supervisor II Fig. 9: Example supervisors for sensor and actuator attacks.
Remark 5.
Recalling Remark 3, more controllable languagescan be achieved here than previous works [35, 32, 4, 6], asmore powerful supervisors that can revise symbols are used.The only exception is that Theorem 2 reduces to the standardcontrollability theorem K I c ∩ L in ( P ) = K in [6], since inthis case, the supervisor does not revise. Finally, we note that if the second part of Assumption 2is violated, i.e., L out ( A a ) ⊆ L in ( P ) , Theorems 2 and 3 stillhold on the trimmed plant accepting L out ( A a ) . Remark 6.
For Theorems 2 and 3, in the case of L out ( A a ) ⊆ L in ( P ) , it is easy to show that ˜ K = A − a ◦ A a ( K ) is theminimal controllable language containing K ∩ L out ( A a ) , and K is controllable if L out ( M K ◦ A − a ◦ A a ) ⊆ K and K ⊆ L out ( A a ) . VIII. C
ONTROLLABILITY FOR S YSTEMS WITH N ONDETERMINISTIC P LANTS
In this section, we extend the attack-resilient controllabil-ity theorems and supervisor synthesizing algorithms derivedin Sections V to VII to systems with nondeterministic plantsthat are nonblocking, as formally stated in Definition 3.
Definition 3 (Nonblocking) . The plant P = ( S , s init , I , O , Trans , S final ) is nonblocking for the regular relation R ⊆ R P if for any ( I, O ) ∈ R and K ∈ L in ( P ) , ∃ s ∈ Reach ( I,O ) ( s init ) , Trans ( s , i , · , · ) (cid:54) = ∅ = ⇒ ∀ s ∈ Reach ( I,O ) ( s init ) , Trans ( s , i , · , · ) (cid:54) = ∅ ; namely, if a symbol i is accepted by some s in the reachableset Reach ( I,O ) ( s init ) of an acceptable pair of input and outputwords ( I, O ) to the plant, then this symbol should be acceptedby any state in the reachable set. This property ensures that regardless of the nondeterministicpast executions taken by the plant that corresponds to observedinputs and outputs, the next accepting symbol can alwaysbe executed. It rules out the situation in Figure 3 where theexecution of the second input symbol i or i depends on thenondeterministic execution for the first input/output symbols i | i . Specially, a deterministic plant is nonblocking as thereis only one execution corresponding to any accepting input.The nonblocking property of a nondeterministic FST canbe checked via the well-known powerset construction. Specif-ically, we treat P as a nondeterministic automaton as discussedin Remark 2 and determinize it by the powerset construction to Algorithm 7
Check nonblocking for nondeterministic plants
Require:
Plant P , regular relation R Compute determinization P D by (12). Find automaton model M R and compute composition M R ◦ P D . if (13) holds for all transitions in Trans D then return P is nonblocking. else return P is blocking. end if P D = ( S D , { s init } , I D , Trans D , S D final ) where S D , S D final ⊆ S , I D = ( I ∪ { ε } ) × ( O ∪ { ε } ) \{ ( ε, ε ) } and Trans D = (cid:8)(cid:0) S , ( i , o ) , S (cid:1) | S ⊆ S , ( i , o ) ∈ I D , S = ∪ s ∈ S (cid:0) Trans ( s , i , o , · ) ∪ Trans ( s , ε, ε, · ) (cid:1)(cid:9) . (12)Now, the nonblocking property of P can be checked on P D as captured by Lemma 2. Lemma 2 (Checking Nonblocking) . The plant P is nonblock-ing for the regular relation R ⊆ R P if and only if for anyexecution (cid:0) { s init } , ( i , o ) , S (cid:1) . . . (cid:0) S n − , ( i n , o n ) , S n (cid:1) of P D with ( i . . . i n , o . . . o n ) ∈ R , we have for i ∈ [ n ] that S n = ∩ s ∈ S n − Trans ( s , i n , o n , · ) . (13) Proof.
First, we note that the determinized automaton P D isfree from ε -moves, because all its states are closed under the ε -moves of P . By construction, P D and P accept the sameregular language/relation, and the states of P D correspondto the reachable sets of P . Thus, combining (13) and (12)gives Definition 3, and vice versa.Let M R be an automaton model for the regular rela-tion R treated as a regular language, then the composition M R ◦ P D restricts the determinized automaton P D to its sub-language R . This fact and Lemma 2 lead to Algorithm 7.The controllability theorems and supervisor synthesizing al-gorithms extend from deterministic plants to nondeterministicplants, if and only if the control words of the supervisor can beexecuted without blocking for the composition of the rest ofthe closed-loop system. This immediately leads to Theorem 4. Theorem 4.
Theorems 1 to 3 and Algorithms 3, 5 and 6 arevalid for plants modeled by nondeterministic FSTs, if and onlyif the composed FSTs
P ◦A s , A a ◦P and A a ◦P ◦A s are non-blocking for the regular relation induced by the supervisor S ,respectively. m n | S M K | Time (ms) Memory (MB) .
566 0 . .
309 2 . .
852 47 . .
535 340 . .
68 7106 . TABLE I: Execution time and memory usage of the supervi-sory synthesizing algorithm for different values of n and m .Finally, note that when plant P is deterministic, the com-posed FSTs P ◦ A s , A a ◦ P and A a ◦ P ◦ A s are deterministicand satisfy (13). Unlike in case with deterministic plants, sen-sor attacks can influence the controllability of nondeterministicplants by blocking the control words of the supervisor.IX. ARSC T OOL AND S YNTHESIS S CALABILITY
Based on the proposed algorithms for synthesis of Attack-Resilient Supervisory Controllers we developed an open-source tool
ARSC , available at [1]; the tool exploits OpenFstlibraries [2]. In this section, we illustrate its efficiency onproblems on different scales. For all evaluations, the tool wasexecuted on an Intel Core i7-7700K CPU, and the executiontime and memory usage were measured.To illustrate effectiveness of our approach, we consider ascheduling problem from [6], where n players independentlyrequiring service for m sequential tasks t ij , i ∈ [ n ] , j ∈ [ m ] on a central server. The tasks of each player have to beserved in the index order. The sensors are corrupted by anattacker that removes the tasks performed by the first player;and the actuator attacks nondeterministically rotate the inputsequence t j t j . . . t ( n − j t nj to t j t j . . . t nj t j for any taskindex j ∈ [ m ] . For n = 2 , m = 2 , the desired language K for the system, as well as the attacks are modeled as shown inFigure 10. From Theorem 3, the language K is controllableand the attacks can be countered by the supervisor constructedby Algorithm 6. The supervisor for the case n = 2 , m = 2 isdisplayed in Figure 10e.The complexity of the supervisor synthesis algorithms is de-termined by the complexity of the composition operation. Thecomposition A ◦ A requires O ( | S A || S A | D A ( log ( D A ) + M A )) time and O ( | S A || S A | D A M A ) space where | S · | , D · and M · denote the number of states, the maximum out-degreeand the maximum multiplicity for the FST, respectively [2].The order in which the composition operations are performedcan also change the overall complexity. For simplicity, the term P − is dropped and the supervisor is computed as ( A − s ◦M K ) ◦ A − a in our implementation. Therefore, the overalltime complexity is reduced to O ( | S M K || S A a | D A s log ( D A a )) where S M K ∼ O (( m + 1) n ) and S A a = D A s = D A a ∼ O ( mn ) for this problem.Table I shows the running times of the algorithm averagedover synthesis and the maximum amount of memory usedduring the tool execution for different values of n and m . Wecan observe that a tenfold increase in the number of states in M K increases the execution time and the memory usage by atmost times. This sub-quadratic increase is a consequenceof the composition operations performed by the algorithm. X. C ONCLUSIONS
In this work, we have studied the problem of supervisorycontrol of discrete-event plants in the presence of attacks onthe plant’s sensors and actuators. We have considered a verygeneral class of attacks that have the ability to nondetermin-istically rewrite a word to any word of a regular language,and proposed to model them by FSTs that possess a li-brary of mathematically rigorous and computationally feasibleoperations, such as inversion and composition. Furthermore,we have onsidered a general supervisor model where thesupervisors are also captured by FSTs.We have first focused on the attack-resilient supervisorycontrol problem for deterministic plants in three setups whereattacks occur on the plant’s: (i) sensors, (ii) actuators, and(iii) both actuators and sensors; we have introduced new setsof controllability theorems and synthesis algorithms for attack-resilient supervisors. We have shown that for (i), the attacks onsensors can be countered by a supervisor derived by the serialcomposition of the inversion of the attacker and a model of thedesired language; for (ii), the attacks on actuators can be partlycountered by a supervisor derived by the serial compositionof a model of the desired language and the inversion of theattacker; and for (iii), a supervisor can be derived by seriallycomposing the supervisors in the cases (i) and (ii). The aboveresults have been also extended to nondeterministic plantswith the nonblocking conditions. Finally, we have introduceda tool for synthesis of such attack-resilient supervisors anddemonstrated its scalability. An avenue for future work is toresolve the nondeterminism optimally when there are differentcosts for the supervisor to revise the control symbols.R
EFERENCES [1] ARSC. https://github.com/alperkamil/arsc. Accessed: 2019-03-08.[2] C. Allauzen, M. Riley, J. Schalkwyk, W. Skut, and M. Mohri.OpenFst: A General and Efficient Weighted Finite-State Trans-ducer Library. In J. Holub and J. ˇZˇd´arek, editors,
Implementa-tion and Application of Automata , Lecture Notes in ComputerScience, pages 11–23. Springer Berlin Heidelberg, 2007.[3] A. A. Cardenas, S. Amin, and S. Sastry. Secure Control:Towards Survivable Cyber-Physical Systems. In , pages 495–500, 2008.[4] L. K. Carvalho, Y.-C. Wu, R. Kwong, and S. Lafortune. Detec-tion and mitigation of classes of attacks in supervisory controlsystems.
Automatica , 97:121–133, 2018.[5] C. G. Cassandras. Smart Cities as Cyber-Physical SocialSystems.
Engineering , 2(2):156–158, 2016.[6] C. G. Cassandras and S. Lafortune.
Introduction to DiscreteEvent Systems . Springer, New York, NY, 2. ed edition, 2008.[7] T. M. Chen and S. Abu-Nimeh. Lessons from stuxnet.
Com-puter , 44(4):91–93, April 2011.[8] M. Droste, W. Kuich, and H. Vogler, editors.
Handbook ofWeighted Automata . Monographs in Theoretical ComputerScience. Springer-Verlag, Berlin, 2009.[9] J. P. Farwell and R. Rohozinski. Stuxnet and the future of cyberwar.
Survival , 53(1):23–40, 2011.[10] H. Fawzi, P. Tabuada, and S. Diggavi. Secure estimation andcontrol for cyber-physical systems under adversarial attacks.
IEEE Trans. Autom. Control , 59:1454–1467, 2014.[11] H. Fawzi, P. Tabuada, and S. Diggavi. Secure Estimation andControl for Cyber-Physical Systems Under Adversarial Attacks. t | t t | t t | t t | t (a) Plant
10 3 2 54 76 8 t | t t | t t | t t | t t | t t | t t | t t | t t | t t | t t | t t | t (b) Desired language K t | εt | εt | t t | t (c) Sensor AttackModel
10 2 t | t t | t t | t t | t t | t t | t t | t t | t (d) Actuator Attack Model t | t t | t ε | t t | t ε | t t | t ε | t ε | t ε | t t | t ε | t t | t ε | t ε | t t | t t | t (e) Supervisor Fig. 10: Example supervisors resilient to sensor and actuator attacks.
IEEE Transactions on Automatic Control , 59(6):1454–1467,2014.[12] R. M. Goes, E. Kang, R. Kwong, and S. Lafortune. Stealthydeception attacks for cyber-physical systems. In , pages4224–4230, Melbourne, Australia, 2017. IEEE.[13] M. Holcombe.
Algebraic Automata Theory . Cambridge Uni-versity Press, 1982.[14] Z. Jiang, M. Pajic, and R. Mangharam. Cyber-Physical Mod-eling of Implantable Cardiac Medical Devices.
Proceedings ofthe IEEE , 100(1):122–137, Jan 2012.[15] I. Jovanov and M. Pajic. Relaxing integrity requirements forattack-resilient cyber-physical systems.
IEEE Transactions onAutomatic Control , pages 1–1, 2019. to appear.[16] V. Lesi, I. Jovanov, and M. Pajic. Security-aware schedulingof embedded control tasks.
ACM Trans. Embed. Comput. Syst. ,16(5s):188:1–188:21, Sept. 2017.[17] F. Miao, M. Pajic, and G. Pappas. Stochastic game approachfor replay attack detection. In
IEEE 52nd Annual Conferenceon Decision and Control (CDC) , pages 1854–1859, Dec 2013.[18] Y. Mo, T.-H. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig,and B. Sinopoli. Cyber–physical security of a smart gridinfrastructure.
Proceedings of the IEEE , 100(1):195–209, 2012.[19] Y. Mo and B. Sinopoli. Secure control against replay attacks.In , pages 911–918, Sept 2009.[20] M. Mohri. Finite-State Transducers in Language and SpeechProcessing.
Computational Linguistics , 23:42, 1997.[21] M. Mohri. Weighted Finite-State Transducer Algorithms. AnOverview. In J. Kacprzyk, C. Mart´ın-Vide, V. Mitrana, andG. P˘aun, editors,
Formal Languages and Applications , volume148, pages 551–563. Springer Berlin Heidelberg, Berlin, Hei-delberg, 2004.[22] M. Mohri. Weighted Automata Algorithms. In M. Droste,W. Kuich, and H. Vogler, editors,
Handbook of WeightedAutomata , pages 213–254. Springer Berlin Heidelberg, Berlin,Heidelberg, 2009.[23] M. Mohri, F. Pereira, and M. Riley. Weighted finite-state trans-ducers in speech recognition.
Computer Speech & Language ,16(1):69–88, 2002.[24] M. Pajic, I. Lee, and G. J. Pappas. Attack-Resilient StateEstimation for Noisy Dynamical Systems.
IEEE Transactionson Control of Network Systems , 4(1):82–92, 2017. [25] M. Pajic, J. Weimer, N. Bezzo, O. Sokolsky, G. J. Pappas,and I. Lee. Design and implementation of attack-resilientcyberphysical systems: With a focus on attack-resilient stateestimators.
IEEE Control Systems , 37(2):66–81, April 2017.[26] F. Pasqualetti, F. Dorfler, and F. Bullo. Control-theoreticmethods for cyberphysical security: Geometric principles foroptimal cross-layer resilient control systems.
IEEE ControlSystems
GPSWorld , 23(8):30–33, 2012.[30] Y. Shoukry, P. Martin, P. Tabuada, and M. Srivastava. Non-invasive spoofing attacks for anti-lock braking systems. In
Cryptographic Hardware and Embedded Systems-CHES 2013 ,pages 55–72. Springer, 2013.[31] R. Smith. A decoupled feedback structure for covertly appropri-ating networked control systems.
Proc. IFAC World Congress ,pages 90–95, 2011.[32] R. Su. Supervisor synthesis to thwart cyber attack with boundedsensor reading alterations.
Automatica , 94:35–44, 2018.[33] A. Teixeira, D. P´erez, H. Sandberg, and K. H. Johansson. Attackmodels and scenarios for networked control systems. In
Conf.on High Confid. Net. Sys. (HiCoNS) , pages 55–64, 2012.[34] N. O. Tippenhauer, C. P¨opper, K. B. Rasmussen, and S. Capkun.On the requirements for successful gps spoofing attacks. In , CCS, pages 75–86,2011.[35] M. Wakaiki, P. Tabuada, and J. P. Hespanha. Supervisory Con-trol of Discrete-event Systems under Attacks. arXiv:1701.00881[cs, math] , 2017.[36] Y. Wang, Z. Huang, S. Mitra, and G. E. Dullerud. Differentialprivacy in linear distributed control systems: Entropy minimiz-ing mechanisms and performance tradeoffs.
IEEE Transactionson Control of Network Systems , 4(1):118–130, 2017.[37] Y. Wang and M. Pajic. Supervisory control of discrete eventsystems in the presence of sensor and actuator attacks. In
De-cision and Control (CDC), 2019 IEEE 58rd Annual ConferenceOn , page Under Review, 2019. [38] J. S. Warner and R. G. Johnston. A simple demonstration thatthe global positioning system (gps) is vulnerable to spoofing. Journal of Security Administration , 25(2):19–27, 2002.[39] A. D. Wood and J. A. Stankovic. Denial of service in sensornetworks. computer , 35(10):54–62, 2002.
Yu Wang is currently a Postdoctoral Associate in theDepartment of Electrical and Computer Engineeringat Duke University. He received his Ph.D. degreein Mechanical Engineering and his M.S. degrees inStatistics, Mathematics, and Mechanical Engineeringin 2018, 2017, 2016 and 2014, respectively from theUniversity of Illinois at Urbana-Champaign. Beforethat, he received his B.S. degree in Engineering Me-chanics from the School of Aerospace of TsinghuaUniversity in 2012.
Alper Kamil Bozkurt received the B.S. and M.S.degrees in computer engineering from Bogazici Uni-versity, Turkey, in 2015 and 2018, respectively. Heis currently a Ph.D. student in the Department ofComputer Science at Duke University. His researchinterests lie at the intersection of machine learning,control theory, and formal methods. In particular, hefocuses on developing learning based algorithms thatsynthesize provably safe and reliable controllers forcyber-physical systems.