Control Systems Security: Challenges and Directions

Workshop at the 50th IEEE Conference on Decision and Control and European Control Conference

Time and Place: 8:30am - 5:00pm, Sunday, December 11, 2011, Hilton Orlando Bonnet Creek, Orlando, Florida

Organizers: Bruno Sinopoli (Carnegie Mellon University) and Shreyas Sundaram (University of Waterloo)


Control systems play a central role in a multitude of life-critical applications, from nuclear plants, power grids and manufacturing to aerospace systems and transportation. Disruptions in such applications (either by intent or by accident) could have dire consequences, and thus a concerted effort must be made to ensure that the underlying control systems are resilient to components that behave in malicious or unpredictable ways. Traditional control system security measures based on air-gaps and safety-through-obscurity are no longer sufficient, as control networks become increasingly connected to corporate backbones and utilize off-the-shelf components. The recent sophisticated intrusion of microcontrollers in nuclear plants by the Stuxnet worm is a prime example of the vulnerability of control systems to attacks.

The need for a rigorous theory of security in control systems has recently started to gain attention as a fertile and important area of research. For critical infrastructure projects, security must now be designed into control systems as a non-negotiable feature, rather than tacked on at the end. The goal of this workshop is to present the challenges in this area, together with tools and approaches that have been recently developed to address this problem. Future directions for research will be proposed and highlighted. The target audience is students, researchers and practitioners from academia and industry who are interested in learning about (and contributing to) the emerging field of control systems security. The workshop will be highly interactive and will feature tutorial-style talks, giving the audience a control systems view of security, and how to best combine different perspectives to develop reliable and resilient systems.



Time Speaker(s) Title
08:30 - 08:45 Bruno Sinopoli and Shreyas Sundaram Welcome and Overview of Workshop
08:45 - 09:30 Tamer Basar Game-Theoretic Approaches to Security
09:30 - 09:45 -- Coffee/Soda Break
09:45 - 10:30 Radha Poovendran Adversarial Models and Metrics: Some lessons from Wireless Security
10:30 - 11:15 Linda Bushnell Modeling and Analysis of Node Capture and Cloning Attacks in Wireless Sensor Networks
11:15 - 12:00 Shreyas Sundaram Structured System Theory as a Tool to Analyze Security of Dynamical Systems
12:00 - 13:30 -- Lunch
13:30 - 14:15 Bruno Sinopoli Secure Control of Cyber-Physical Systems
14:15 - 15:00 Karl H. Johansson Cyber-secure and resilient control systems with applications to state estimators in electric power systems
15:00 - 15:15 -- Coffee/Soda Break
15:15 - 16:00 Francesco Bullo and Fabio Pasqualetti Cyber-Physical Systems under Attack
16:00 - 16:30 -- Wrapup and Discussions


Game-Theoretic Approaches to Security
Tamer Basar, University of Illinois at Urbana-Champaign

Game theory has emerged in recent years as a powerful tool (conceptual, modeling as well as analytical and algorithmic) for addressing security issues in networked systems. Game-theoretic models provide an ideal paradigm capturing strategic interactions between malicious attackers and defenders. This is particularly true in problems of intrusion detection and response, where optimum adversarial actions and behavioral patterns of intruder(s) can be determined within the strategic framework of game theory, and the corresponding response strategies for the network can be formulated.

This talk will introduce some of the foundational elements of static and dynamic game theory as relevant to security, and discuss construction of effective strategies in deterministic, stochastic as well as limited information environments.

Adversarial Models and Metrics: Some lessons from Wireless Security
Radha Poovendran, University of Washington

Building secure systems depends on our ability to describe a set of properties that must be achieved by a system as well as characterize adversaries. Models such as Byzantine or Dolev-Yao have been effectively used to describe features, properties and capabilities of adversaries in traditional security. Desired system properties and adversarial models alone are not sufficient to secure the system. Metrics that quantify the adversarial actions and their impact on the system provide the necessary link between security, control and optimization. This coupling enables not only problem formulations for securing control systems but also viewing security as a dynamical system.

In this presentation, we will first provide traditional wired security properties and then identify wireless specific security properties. We will then present two categories of attacks: (a) medium exploiting or external attacks and (b) physical attacks in wireless networks. We will consider jamming in spatial domain with multipaths, node capture attacks in wireless sensor networks with secure links and control channel jamming by internal adversaries as examples to demonstrate how to couple the cryptography to the design and optimization formulations.

Modeling and Analysis of Node Capture and Cloning Attacks in Wireless Sensor Networks
Linda Bushnell, University of Washington

Wireless Sensor Networks (WSN) are used in many areas, including target tracking, surveillance, environmental sampling, remote plant control and power plant modeling. The wireless sensors are typically lo-cost hardware components with limited power, communication and computation capabilities. The WSN is expected to operate unattended over a long period of time. Thus, in order for the WSN to function, the sensors need to collaborate in collecting and exchanging data, as well as preserving their resources. Such WSN are susceptible to attacks by intelligent, stealthy adversaries. In this talk, we consider a type of attack called the node capture and cloning attack (NCC). In this attack, an adversary physically compromises a sensor, extracts its data and uses the obtained knowledge to deploy functional copies (clones) back into the WSN. Such an attack is effective in compromising WSNs that use aggregate-based decision rules. [Parno, Perrig and Gligor S&P 2005]. This talk will cover three areas of recent research involving WSN that are under a NCC attack.

Part 1: We will describe how to develop a basic model for a NCC attack on a WSN that is mounted by an intelligent, persistent adversary. The model is a linear dynamical model of the impact of the attack. [Bonaci, Bushnell and Poovendran CDC 2010].
Part 2: We will describe a game theoretic formulation of the NCC attack on a WSN. We formulate deterministic as well as stochastic versions of the game with full information available to both the network and the adversary. [Bonaci, Bushnell GameSec 2011].
Part 3: We will describe how to incorporate a system theoretic model to incorporate into clone detection schemes. We show clone detection methods such as random multicast (RM) and randomized efficient distributed (RED) can be formulated as optimization problems. [Bonaci, Lee, Bushnell, Poovendran D-SPAN 2011]

Structured System Theory as a Tool to Analyze Security of Dynamical Systems
Shreyas Sundaram, University of Waterloo

Structured system theory is a branch of control theory that uses graph-theoretic tools to analyze system properties based solely on the zero/nonzero structure of the system matrices. This provides insights into the underlying factors that impact system properties that cannot be gained via purely algebraic (rank-based) tests. In this talk, we provide an overview of structured system theory, and describe how it can be used to determine vulnerabilities in linear dynamical systems. In addition to analyzing given dynamical systems, we also show how structured system theory can be used to characterize the resilience of linear dynamics on networks to attackers. For instance, we show that linear iterative strategies for information dissemination in networks possess certain desirable characteristics (such as resilience to malicious nodes) by mapping these characteristics to properties of linear systems, and then applying structured system theory to relate these properties to the topology of the underlying network. The main result is as follows: if there are up to f malicious nodes in a network, any node can reliably recover all of the data held by the other nodes if and only if the connectivity of the network is 2f+1.

In addition to the application of data aggregation, we discuss how these ideas can be applied in a feedback control setting. Specifically, we describe a Wireless Control Network (WCN) where each node transmits a (stabilizing) linear combination of its neighbors' values. We use structured system theory to design an Intrusion Detection System (IDS) for this scheme, and show how malicious nodes can be identified by an IDS that listens to the transmissions of only a subset of the nodes in the network.

Secure Control of Cyber-Physical Systems
Bruno Sinopoli, Carnegie Mellon University

Cyber Physical Systems (CPS) refer to the embedding of widespread sensing, computation, communication, and control into physical spaces. Application areas are as diverse as aerospace, chemical processes, civil infrastructure, energy, manufacturing and transportation, most of which are safety-critical. The availability of cheap communication technologies such as the internet makes such infrastructures susceptible to cyber security threats, which may affect national security as some of them, such as the power grid, are vital to the normal operation of our society. Any successful attack may significantly hamper the economy, the environment or may even lead to loss of human life. As a result, security is of primary importance to guarantee safe operation of CPS. In this work, we study the effects of false data injection attacks on control systems. We assume that the control system is monitoring and controlling a linear time-invariant system. The attacker's goal is to destabilize the system by compromising a subset of sensors and sending altered readings to the state estimator. The attacker also wants to guarantee that its action can occur undetected. Under these assumptions, we will give a necessary and sufficient condition under which the attacker could destabilize the system without being detected. We will provide several illustrative examples.

Cyber-secure and resilient control systems with applications to state estimators in electric power systems
Karl H. Johansson, Royal Institute of Technology

Safe and reliable operation of infrastructures is of major societal importance. These systems need to be engineered in such a way so that they can be continuously monitored, coordinated, and controlled despite a variety of potential cyber-attacks and system disturbances. Unlike other IT systems where cyber-security mainly involves encryption and protection of data, attacks on control systems may influence the physical processes through the digital controllers or the communication infrastructure. Therefore focusing on encryption of data alone may not be enough to guarantee the security of the overall system, especially not for its physical component. In order to increase the resilience of these systems, one needs appropriate tools to first understand and then to protect against such attacks. In this talk, we will present some recently developed methods to analyze and design cyber-secure control systems. Motivating applications from the power grid and the process industry will be discussed. It will be shown that the power system state estimator can be vulnerable to malicious deception attacks on the measurements resulting in biased estimates, which can have severe consequences for the output of the optimal power flow algorithm. In current state estimation algorithms there are bad data detection schemes to detect random outliers in the measurement data. Such schemes typically fail in the presence of an intelligent attacker. We explore scenarios where deception attacks are performed, sending false information to the control center and we introduce a security index for the state estimators which provides a lower bound on the deception attack complexity. The index depends on the physical topology of the power network and the available measurements, and helps the system operator to identify possible sparse data manipulation patterns. This information is then used to strengthen the security by allocating a small number of protected measurement devices. The exact computation of the security index generally requires combinatorial optimization, but we show that it can be accurately estimated also for very large power systems using a minimum cut relaxation.

Cyber-Physical Systems under Attack
Fabio Pasqualetti, Florian Dorfler, and Francesco Bullo, University of California at Santa-Barbara

Cyber-physical systems integrate computation, communication, and physical capabilities to interact with the physical world and humans. Examples of cyber-physical systems include transportation networks, power generation and distribution networks, water and gas distribution networks, and advanced communication systems. Because of the crucial role of cyber-physical systems in everyday life, cyber-physical security challenges need to be promptly addressed.

We propose a unified framework to analyze the resilience of cyber-physical systems against attacks cast by an omniscient adversary. We model cyber-physical systems as linear descriptor systems, and attacks as exogenous unknown inputs. Despite its simplicity, our model captures various real-world cyber-physical systems and it includes and generalizes the most studied prototypical attacks, including stealth, (dynamic) false-data injection and replay attacks. For this model, we study various attack detection and identification procedures, and we characterize their fundamental limitations. We provide constructive algebraic conditions to cast undetectable and unidentifiable attacks, and graph-theoretic conditions for the existence of undetectable and unidentifiable attacks.

Following our analysis, we propose centralized and decentralized monitors for attack detection and identification. To be specific, we first design optimal centralized attack detection and identification monitors based upon the geometric notion of conditioned invariant subspace. Optimality refers here to the ability of detecting (resp. identifying) every detectable (resp. identifiable) attack. Then, starting from the centralized attack detection monitor we develop a fully distributed attack detection filter. By means of a decentralized representation of the system dynamics, we provide a distributed implementation of the attack detection filter based upon iterative local computations using the Gauss-Jacobi waveform relaxation technique. Finally, we show that the attack identification problem is inherently computationally hard, and we design a distributed identification method that achieves identification, at a low computational cost and for a certain class of attacks. Our distributed identification methods is based upon a divide and conquer procedure, in which first corrupted regions and then corrupted components are identified via local identification procedures and cooperation among neighboring regions.

Finally, we present several illustrative examples that, besides illustrating our findings, show the effectiveness of our methods also in the presence of system noise, nonlinearities, and modeling uncertainties.