Sean Weerakkody

Detecting integrity attacks on control systems using robust physical watermarking

Ensuring the security of control systems against integrity attacks is a major challenge. Due to the events of Stuxnet, replay attacks in particular have been considered by the research community. Replaying previous measurements of a system in steady state allows an adversary to generate statistically correct virtual outputs which can bypass traditional detectors. The adversary can then inject destabilizing inputs to cause damage to the plant. The method of injecting secret noisy control inputs, or physical watermarking, has recently been proposed to detect replay attacks. However, the proposed watermarking design methods assume that the adversary does not use his potential access to real time communication channels to create stealthy virtual outputs to send to the defender. In this paper, we formulate an attack model for an adversary who uses knowledge of the system as well as access to a subset of real time control inputs and sensor outputs to construct stealthy virtual outputs. A robust physical watermark and detector to counter such an adversary is proposed.

Multi-Sensor Scheduling for State Estimation with Event-Based, Stochastic Triggers

In networked systems, state estimation is hampered by communication limits. Past approaches, which consider scheduling sensors through deterministic event-triggers, reduce communication and maintain estimation quality. However, these approaches destroy the Gaussian property of the state, making it computationally intractable to obtain an exact minimum mean squared error estimate. We propose a stochastic event-triggered sensor schedule for state estimation which preserves the Gaussianity of the system, extending previous results from the single-sensor to the multi-sensor case.

Detecting integrity attacks on control systems using a moving target approach

Maintaining the security of control systems in the presence of integrity attacks is a significant challenge. In literature, several possible attacks against control systems have been formulated including replay, false data injection, and zero dynamics attacks. The detection and prevention of these attacks require the defender to possess a particular subset of trusted communication channels. Alternatively, these attacks can be prevented by keeping the system model secret from the adversary. In this paper, we consider an adversary who has the ability to modify and read all sensor and actuator channels. To thwart this adversary, we introduce external states dependent on the state of the control system, with linear time-varying dynamics unknown to the adversary. We also include sensors to measure these states. The presence of unknown time-varying dynamics is leveraged to detect an adversary who simultaneously aims to identify the system and inject stealthy outputs. Potential attack strategies and bounds on the attackers performance are provided.

Is your commute driving you crazy?: a study of misbehavior in vehicular platoons

Traffic is not only a source of frustration but also a leading cause of death for people under 35 years of age. Recent research has focused on how driver assistance technologies can be used to mitigate traffic fatalities and create more enjoyable commutes. In this work, we consider cooperative adaptive cruise control (CACC) or platooning, a driver assistance technology that controls the speed of vehicles and inter-vehicle spacing. CACC equipped cars use radar to fine tune inter-vehicle spacing and dedicated short-range communication (DSRC) to collaboratively accelerate and decelerate. Platooning can reduce fuel consumption by over 5% and increases the density of cars on a highway. Previous work on platooning has focused on proving string stability, which guarantees that the error between cars does not grow with the length of a platoon, but little work has considered the impact an attacker can have on a platoon. To design safe distributed controllers and networks it is essential to understand the possible attacks that could be mounted against platoons. In this work, we design a set of insider attacks and abnormal behaviors that occur in a platoon of cars. For example, we introduce the collision induction attack where an attacker exploits the platoon controller to cause a high-speed accident with the car following it. To mitigate these insider attacks we design a model-based detection scheme that leverages the broadcast nature of DSRC. Each car uses DSRC messages from other cars in the platoon to model the expected behavior of the car directly preceding it. If the expected behavior and actual behavior differ the monitoring vehicle switches to non-cooperative ACC, relying solely on radar, to mitigate the impact of the attack. We show that our detection scheme is able to detect many of our proposed insider attacks and when combined with a well designed ACC controller can avoid collisions. We propose combining our detection scheme with a global reputation scheme to detect when a car is malicious or needs maintenance.

Information flow for security in control systems

This paper considers the development of information flow analyses to support resilient design and active detection of adversaries in cyber physical systems (CPS). CPS security, though well studied, suffers from fragmentation. In this paper, we consider control systems as an abstraction of CPS. Here, we use information flow analysis, a well established set of methods developed in software security, to obtain a unified framework that captures and extends results in control system security. Specifically, we propose the Kullback Liebler (KL) divergence as a causal measure of information flow, which quantifies the effect of adversarial inputs on sensor outputs. We show that the proposed measure characterizes the resilience of control systems to specific attack strategies by relating the KL divergence to optimal detection. We then relate information flows to stealthy attack scenarios where an adversary can bypass detection. Finally, this article examines active detection mechanisms where a defender intelligently manipulates control inputs or the system itself to elicit information flows from an attackers malicious behavior. In all previous cases, we demonstrate an ability to investigate and extend existing results through the proposed information flow analyses.

Multi-Sensor Scheduling for State Estimation with Event-Based, Stochastic Triggers*

Abstract In Networked Control Systems, remote state estimation is hampered by limitations in sensor to estimator communication. Past approaches involving scheduling sensors dynamically via a deterministic event-triggering mechanism reduce communication while maintaining estimation quality However, these approaches destroy the Gaussian property of the innovation process, making it computationally intractable to obtain an exact minimum mean squared error (MMSE) estimate. Recent work has proposed utilizing a stochastic event-triggered sensor schedule for state estimation. We extend these results to the multi-sensor case, obtaining closed-form expressions for the MMSE estimator and its covariance matrix as well as performance bounds for the system.

A moving target approach for identifying malicious sensors in control systems

In this paper, we consider the problem of attack identification in cyber-physical systems (CPS). Attack identification is often critical for the recovery and performance of a CPS that is targeted by malicious entities, allowing defenders to construct algorithms which bypass harmful nodes. Previous work has characterized limitations in the perfect identification of adversarial attacks on deterministic LTI systems. For instance, a system must remain observable after removing any 2q sensors to only identify q attacks. However, the ability for an attacker to create an unidentifiable attack requires knowledge of the system model. In this paper, we aim to limit the adversarys knowledge of the system model with the goal of accurately identifying all sensor attacks. Such a scheme will allow systems to withstand larger attacks or system operators to allocate fewer sensing devices to a control system while maintaining security. We explore how changing the dynamics of the system as a function of time allows us to actively identify malicious/faulty sensors in a control system. We discuss the design of time varying system matrices to meet this goal and evaluate performance in deterministic and stochastic systems.

Accountability in cyber-physical systems

Our position is that a key component of securing cyber-physical systems (CPS) is to develop a theory of accountability that encompasses both control and computing systems. We envision that a unified theory of accountability in CPS can be built on a foundation of causal information flow analysis. This theory will support design and analysis of mechanisms at various stages of the accountability regime: attack detection, responsibility-assignment (e.g., attack identification or localization), and corrective measures (e.g., via resilient control) As an initial step in this direction, we summarize our results on attack detection in control systems. We use the Kullback-Liebler (KL) divergence as a causal information flow measure. We then recover, using information flow analyses, a set of existing results in the literature that were previously proved using different techniques. These results cover passive detection, stealthy attack characterization, and active detection. This research direction is related to recent work on accountability in computational systems [1], [2], [3], [4]. We envision that by casting accountability theories in computing and control systems in terms of causal information flow, we can provide a common foundation to develop a theory for CPS that compose elements from both domains.

Cyber Meets Control: A Novel Federated Approach for Resilient CPS Leveraging Real Cyber Threat Intelligence

Cyber-physical systems (CPS) embody a tight integration between network-based communications, software, sensors, and physical processes. While the integration of cyber technologies within legacy systems will most certainly introduce opportunities and advancements not yet envisioned, it will undoubtedly also pave the way to misdemeanors that will exploit systems� resources, causing drastic and severe nationwide impacts. While almost all works in the literature exclusively tackled the security of one independent aspect of CPS (i.e., cyber or physical), we argue that these systems cannot be decoupled. In this context, we present what we believe is a first attempt ever to tackle the problem of CPS security in a coupled and a systematic manner. To this end, this article proposes a novel approach that federates the cyber and physical environments to infer and attribute tangible CPS attacks. This is achieved by - Leveraging real cyber threat intelligence derived from empirical measurements. - Capturing and investigating CP data flows by devising an innovative CPS threat detector. An added value of the proposed approach is rendered by physical remediation strategies, which are envisioned to automatically be invoked as a reaction to the inferred attacks to provide CPS resiliency. We conclude this article by discussing a few design considerations and presenting three case studies that demonstrate the feasibility of the proposed approach.

A graph theoretic characterization of perfect attackability and detection in Distributed Control Systems

This paper is concerned with the analysis and design of secure distributed control systems (DCS) in the face of integrity attacks on sensors and controllers by external attackers or insiders. In general a DCS consists of many heterogenous components and agents including sensors, actuators, and controllers. Due to its distributed nature, some agents may start misbehaving to disrupt the system. This paper first reviews necessary and sufficient conditions for deterministic detection of integrity attacks carried out by any number of malicious agents, based on the concept of left invertibility of structural control systems. It then develops a notion equivalent to structural left invertibility in terms of vertex separators of a graph, which allows a designer to efficiently determine if a network is perfectly attackable. This tool is then leveraged to design minimal communication networks for DCSs, which ensure that an adversary cannot generate undetectable attacks. Numerical examples are included to illustrate these results.