2020, Discrete Event Dynamic Systems
In this paper, we shall formulate and address a problem of covert actuator attacker synthesis for cyber-physical systems that are modeled by discrete-event systems. We assume the actuator attacker partially observes the execution of the closed-loop system and is able to modify each control command issued by the supervisor on a specified attackable subset of controllable events. We provide straightforward but in general exponential-time reductions, due to the use of subset construction procedure, from the covert actuator attacker synthesis problems to the Ramadge-Wonham supervisor synthesis problems. It then follows that it is possible to use the many techniques and tools already developed for solving the supervisor synthesis problem to solve the covert actuator attacker synthesis problem for free. In particular, we show that, if the attacker cannot attack unobservable events to the supervisor, then the reductions can be carried out in polynomial time. We also provide a brief discussion on some other conditions under which the exponential blowup in state size can be avoided. Finally, we show how the reduction-based synthesis procedure can be extended for the synthesis of successful covert actuator attackers that also eavesdrop the control commands issued by the supervisor.
IEEE Open Journal of Control Systems
Resilience to sensor and actuator attacks is a major concern in the supervisory control of discrete events in cyber-physical systems (CPS). In this work, we propose a new framework to design supervisors for CPS under attacks using finite-state transducers (FSTs) to model the effects of the discrete events. FSTs can capture a general class of regular-rewriting attacks in which an attacker can nondeterministically rewrite sensing/actuation events according to a given regular relation. These include common insertion, deletion, event-wise replacement, and finite-memory replay attacks. We propose new theorems and algorithms with polynomial complexity to design resilient supervisors against these attacks. We also develop an open-source tool in Python based on the results and illustrate its applicability through a case study. Index Terms: Control system security, cyber-physical systems, formal methods.
SICE Journal of Control, Measurement, and System Integration
In this paper, we analyze the vulnerabilities due to integrity cyber attacks named zero-stealthy attacks in cyber-physical systems, which are modeled as a stochastic linear time invariant (LTI) system equipped with a Kalman filter, an LQG controller, and a χ² failure detector. The attacks are designed by a sophisticated attacker so that the measurement residual of the compromised system coincides with the healthy one, and thus it is impossible to detect the attacks. First, we characterize and analyze an existence condition of the attacks from an attacker's standpoint. Then, we extend the attacks into an attacker's goal: The scenario when the adversary wishes to manipulate the systems to an objective designed by him/her. Our results provide that the attacker can manipulate the compromised system to the objective without accessing the networks of real-time sensor or actuator data. Finally, we verify the dangerousness of the attacks through a simple numerical example.
IEEE Transactions on Industrial Informatics
The advantages of using communication networks to interconnect controllers and physical plants motivate the increasing number of Networked Control Systems in industrial and critical infrastructure facilities. However, this integration also exposes such control systems to new threats, typical of the cyber domain. In this context, studies have been conducted, aiming to explore vulnerabilities and propose security solutions for cyber-physical systems. In this paper, a covert attack for service degradation is proposed, which is planned based on the intelligence gathered by another attack, herein proposed, referred to as the System Identification attack. The simulation results demonstrate that the joint operation of the two attacks is capable of affecting, in a covert and accurate way, the physical behavior of a system.
AIAA Scitech 2019 Forum
The goal of this thesis is to develop a defense methodology for a cyber-physical system (CPS) by which an attempted stealthy cyber-attack is detected in near real time. Improvements in networked communication have enabled vast and complex dynamic control systems to exploit networked control schemes to seamlessly integrate parts and processes. These cyber-physical systems exhibit a level of flexibility that was previously unavailable but also introduce communication channels that are vulnerable to outside interference and malicious intervention. This thesis considers the effects of a type of stealthy attack on a class of CPS that can be modeled as linear time-invariant systems. The effects of this attack are studied from both the perspective of the attacker as well as the defender. A previously developed method for conducting stealthy attacks is introduced and analyzed. This method consists of injecting malicious actuation signals into the control input of a CPS and then designing a sensor attack to conceal the effect of the actuator attack. The result is an attack that cannot be detected upon inspection of the Kalman filter residual. Successful implementation of this attack is shown to require the attacker to attain perfect model knowledge in order for the attack to be stealthy. Based on the execution of past attacks on CPS, this thesis proposes an attacker who starts their attack by "fishing" for critical and confidential system information such as the model parameters. A method is then proposed in which the defender attempts to feed the attacker a slightly falsified model, baiting the fishing attacker with data that will make an attack detectable. Because the attacker's model is no longer correct, their attack design will induce a mean-shift in the Kalman filter residual, breaking the stealthiness of the original attack formula. 
It is then shown that the defender can not only detect this faulty attack, but use observations of the Kalman filter residual to regain more accurate state estimates, mitigating the effect of the attack.
ACM Conference on Computer and Communications Security (CCS'16), 2016
While attacks on information systems have for most practical purposes binary outcomes (information was manipulated/eavesdropped, or not), attacks manipulating the sensor or control signals of Industrial Control Systems (ICS) can be tuned by the attacker to cause a continuous spectrum in damages. Attackers that want to remain undetected can attempt to hide their manipulation of the system by following closely the expected behavior of the system, while injecting just enough false information at each time step to achieve their goals. In this work, we study if physics-based attack detection can limit the impact of such stealthy attacks. We start with a comprehensive review of related work on attack detection schemes in the security and control systems community. We then show that many of these works use detection schemes that are not limiting the impact of stealthy attacks. We propose a new metric to measure the impact of stealthy attacks and how they relate to our selection on an upper bound on false alarms. We finally show that the impact of such attacks can be mitigated in several cases by the proper combination and configuration of detection schemes. We demonstrate the effectiveness of our algorithms through simulations and experiments using real ICS testbeds and real ICS systems.
Information Sciences, 2017
Secure state estimation is the problem of estimating the state of a dynamical system from a set of noisy and adversarially-corrupted measurements. Intrinsically a combinatorial problem, secure state estimation has been traditionally addressed either by brute force search, suffering from scalability issues, or via convex relaxations, using algorithms that can terminate in polynomial time but are not necessarily sound. In this paper, we present a novel algorithm that uses a satisfiability modulo theory approach to harness the complexity of secure state estimation. We leverage results from formal methods over real numbers to provide guarantees on the soundness and completeness of our algorithm. Moreover, we discuss its scalability properties, by providing upper bounds on the runtime performance. Numerical simulations support our arguments by showing an order of magnitude decrease in execution time with respect to alternative techniques. Finally, the effectiveness of the proposed algorithm is demonstrated by applying it to the problem of controlling an unmanned ground vehicle.
This paper studies the performance and resilience of a cyber-physical control system (CPCS) with attack detection and reactive attack mitigation. It addresses the problem of deriving an optimal sequence of false data injection attacks that maximizes the state estimation error of the system. The results will provide basic understanding on the limit of the attack impact. The design of the optimal attack is based on a Markov decision process (MDP) formulation, which is solved efficiently using the value iteration method. Using the proposed framework, we quantify the effect of false positives and misdetections on the system performance, which can help the joint design of the attack detection and mitigation. To demonstrate the use of the proposed framework in a real-world CPCS, we consider the voltage control system of power grids, and run extensive simulations using PowerWorld, a high-fidelity power system simulator, to validate our analysis. The results show that by carefully designing the attack sequence using our proposed approach, the attacker can cause a large deviation of the bus voltages from the desired setpoint. Further, the results verify the optimality of the derived attack sequence and show that, to cause maximum impact, the attacker must carefully craft his attack to strike a balance between the attack magnitude and stealthiness, due to the presence of attack detection and mitigation.
Lecture Notes in Computer Science, 2013
We study controllability and stability properties of dynamical systems when actuator or sensor signals are under attack. We formulate a detailed adversary model that considers different levels of privilege for the attacker such as read and write access to information flows. We then study the impact of these attacks and propose reactive countermeasures based on game theory. In one case-study we use a basic differential game, and in the other case study we introduce a heuristic game for stability.
Proceedings of the 2020 Joint Workshop on CPS&IoT Security and Privacy, 2020
We consider the problem of provably securing a given control loop implementation in the presence of adversarial interventions on data exchange between plant and controller. Such interventions can be thwarted using continuously operating monitoring systems and also cryptographic techniques, both of which consume network and computational resources. We provide a principled approach for intentional skipping of control loop executions which may qualify as a useful control-theoretic countermeasure against stealthy attacks which violate message integrity and authenticity. As can be seen, such an approach helps in lowering the resource consumption caused by monitoring/cryptographic security measures.
2019 American Control Conference (ACC), 2019
We consider output-feedback robust control of a linear system subject to disturbances and noise and in presence of an attacker who 1) can corrupt the measured output (deception attack) and, 2) can introduce perturbations to the control signal (actuation attack). We consider an open-loop control problem over a finite horizon which models the scenario where feedback control could be stopped if one is certain that an attack is ongoing. We formulate this problem as a zero-sum game between a defender that selects the control signal based on a measured output and an attacker that selects the attack signals. The game has asymmetric information in that the defender only knows the measured output, whereas the attacker knows additional information, which includes the value of initial conditions and disturbances/measurement noise. The main contributions are (i) sufficient conditions for the existence of a Nash equilibrium corresponding to a saddle-point for the defender and (ii) a computationally efficient procedure to compute a pair of policies that form a Nash equilibrium for the game. We apply the procedure to a finite horizon linear quadratic control problem.
I. INTRODUCTION
Networked control systems (NCS) have become prevalent in several domains over the past few decades. Although the systems enable advancements in performance and features, significant vulnerabilities have been reported in domains such as industrial power plants [1], automotives [2], and water networks [3]. Attackers may leverage flaws in the design of the NCS to launch coordinated deception attacks by covertly modifying the controller signals and the measurement values to ensure that while the system performs abnormally, the measurements appear to be perfectly normal. This paper addresses one such problem of controlling a system under coordinated actuation and deception attacks.
Discrete Event Dynamic Systems, 2012
In this paper, we consider the forbidden state problem in discrete event systems modeled by partially observed and partially controlled Petri nets. Assuming that the reverse net of the uncontrollable subnet of the Petri net is structurally bounded, we compute a set of weakly forbidden markings from which forbidden markings can be reached by firing a sequence of uncontrollable/unobservable transitions. We then use reduced consistent markings to represent the set of consistent markings for Petri nets with structurally bounded unobservable subnets. We determine the control policy by checking if the firing of a certain controllable transition will lead to a subsequent reduced consistent marking that belongs to the set of weakly forbidden markings; if so, we disable the corresponding controllable transition. This approach is shown to be minimally restrictive in the sense that it only disables behavior that can potentially lead to a forbidden marking. The setting in this paper generalizes previous work by studying supervisory control for partially observed and partially controlled Petri nets with a general labeling function and a finite number of arbitrary forbidden states. In contrast, most previous work focuses on either labeling functions that assign a unique label to each observable transition or forbidden states that are represented using linear inequalities. More importantly, we demonstrate that, in general, the separation between observation and control (as considered in previous work) may not hold in our setting.
Frontiers in chemical engineering, 2022
The controllers for a cyber-physical system may be impacted by sensor measurement cyberattacks, actuator signal cyberattacks, or both types of attacks. Prior work in our group has developed a theory for handling cyberattacks on process sensors. However, sensor and actuator cyberattacks have a different character from one another. Specifically, sensor measurement attacks prevent proper inputs from being applied to the process by manipulating the measurements that the controller receives, so that the control law plays a role in the impact of a given sensor measurement cyberattack on a process. In contrast, actuator signal attacks prevent proper inputs from being applied to a process by bypassing the control law to cause the actuators to apply undesirable control actions. Despite these differences, this manuscript shows that we can extend and combine strategies for handling sensor cyberattacks from our prior work to handle attacks on actuators and to handle cases where sensor and actuator attacks occur at the same time. These strategies for cyberattack-handling and detection are based on the Lyapunov-based economic model predictive control (LEMPC) and nonlinear systems theory. We first review our prior work on sensor measurement cyberattacks, providing several new insights regarding the methods. We then discuss how those methods can be extended to handle attacks on actuator signals and then how the strategies for handling sensor and actuator attacks individually can be combined to produce a strategy that is able to guarantee safety when attacks are not detected, even if both types of attacks are occurring at once. We also demonstrate that the other combinations of the sensor and actuator attack-handling strategies cannot achieve this same effect. Subsequently, we provide a mathematical characterization of the "discoverability" of cyberattacks that enables us to consider the various strategies for cyberattack detection presented in a more general context. 
We conclude by presenting a reactor example that showcases the aspects of designing LEMPC.
2021 IEEE 17th International Conference on Automation Science and Engineering (CASE), 2021
This paper concerns the security analysis of discrete event systems modeled with a particular class of synchronized Petri nets that include output functions, called Output Synchronized Petri nets. Such a formalism is suitable and tractable to represent a large variety of cyber-physical systems. In particular, we study here cyber-attacks that aim to drive the system from a given normal state to a forbidden state. We assume that the attacker has a certain credit to insert and delete input and output events, depending on its own objectives. The proposed analysis aims to evaluate the costs of stealthy attacks on the controlled system depending on the objective of the controller, the structure of the system and the cost of the malicious actions.
In order to compromise a target control system successfully, hackers possibly attempt to launch multiple cyber-attacks aiming at multiple communication channels of the control system. However, the problem of detecting multiple cyber-attacks has been hardly investigated so far. Therefore, this paper deals with the detection of multiple stochastic cyber-attacks aiming at multiple communication channels of a control system. Our goal is to design a detector for the control system under multiple cyber-attacks. Based on frequency-domain transformation technique and auxiliary detection tools, an algebraic detection approach is proposed. By applying the presented approach, residual information caused by different attacks is obtained respectively and anomalies in the control system are detected. Sufficient and necessary conditions guaranteeing the detectability of the multiple stochastic cyber-attacks are obtained. The presented detection approach is simple and straightforward. Finally, two simulation examples are provided, and the simulation results show that the detection approach is effective and feasible. Citation: Yumei Li, Holger Voos, Mohamed Darouach, Changchun Hua. An algebraic detection approach for control systems under multiple stochastic cyber-attacks. IEEE/CAA Journal of Automatica Sinica, 2015, 2(3): 258-266
IEEE Transactions on Control of Network Systems, 2021
We introduce the problem of learning-based attacks in a simple abstraction of cyber-physical systems: the case of a discrete-time, linear, time-invariant plant that may be subject to an attack that overrides the sensor readings and the controller actions. The attacker attempts to learn the dynamics of the plant and subsequently overrides the controller's actuation signal, to destroy the plant without being detected. The attacker can feed fictitious sensor readings to the controller using its estimate of the plant dynamics and mimic the legitimate plant operation. The controller, on the other hand, is constantly on the lookout for an attack; once the controller detects an attack, it immediately shuts the plant off. In the case of scalar plants, we derive an upper bound on the attacker's deception probability for any measurable control policy when the attacker uses an arbitrary learning algorithm to estimate the system dynamics. We then derive lower bounds for the attacker's deception probability for both scalar and vector plants by assuming an authentication test that inspects the empirical variance of the system disturbance. We also show how the controller can improve the security of the system by superimposing a carefully crafted privacy-enhancing signal on top of the "nominal control policy." Finally, for nonlinear scalar dynamics that belong to the Reproducing Kernel Hilbert Space (RKHS), we investigate the performance of attacks based on nonlinear Gaussian-processes (GP) learning algorithms.
IFAC-PapersOnLine, 2017
Cyber-physical systems (CPSs) integrate computing and communication capabilities to monitor and control physical processes. In order to do so, communication networks are commonly used to connect sensors, actuators, and controllers to monitor and control physical systems. The use of communication networks increases the vulnerability of the CPS to cyber attacks that can drive the system to unsafe states. One of the most powerful cyber attacks is the so-called man-in-the-middle attack, where the intruder can observe, hide, create or replace information in the attacked network channel. We propose in this paper a defense strategy that detects intrusions and prevents damages caused by man-in-the-middle attacks in the sensor and/or control communication channels in supervisory control systems. We also introduce the definition of NA-Safe controllability, and we propose an algorithm to verify this property.
IFAC-PapersOnLine, 2018
In the present paper, a model-based fault/attack tolerant scheme is proposed to deal with cyber-threats on Cyber-Physical Systems. A common scheme based on observers is designed and a state feedback control based on an event-triggered framework is given with control synthesis and condition on the switching time. An event-based implementation is proposed in order to achieve a novel security strategy. Observer and controller gains are deduced by solving a sufficient Bilinear Matrix Inequality (BMI) condition. Simulation results on a real-time laboratory three tank system are given to show the attack-tolerant control ability despite data deception attacks on both actuators and sensors.
ACM Transactions on Privacy and Security
With the advent of Industry 4.0, industrial facilities and critical infrastructures are transforming into an ecosystem of heterogeneous physical and cyber components, such as programmable logic controllers, increasingly interconnected and therefore exposed to cyber-physical attacks, i.e., security breaches in cyberspace that may adversely affect the physical processes underlying industrial control systems. In this article, we propose a formal approach based on runtime enforcement to ensure specification compliance in networks of controllers, possibly compromised by colluding malware that may locally tamper with actuator commands, sensor readings, and inter-controller communications. Our approach relies on an ad-hoc sub-class of Ligatti et al.’s edit automata to enforce controllers represented in Hennessy and Regan’s Timed Process Language. We define a synthesis algorithm that, given an alphabet 𝒫 of observable actions and a timed correctness property e, returns a monitor that ...
HiCoNS'12 - Proceedings of the 1st ACM International Conference on High Confidence Networked Systems, 2012
Cyber-secure networked control is modeled, analyzed, and experimentally illustrated in this paper. An attack space defined by the adversary's system knowledge, disclosure, and disruption resources is introduced. Adversaries constrained by these resources are modeled for a networked control system architecture. It is shown that attack scenarios corresponding to replay, zero dynamics, and bias injection attacks can be analyzed using this framework. An experimental setup based on a quadruple-tank process controlled over a wireless network is used to illustrate the attack scenarios, their consequences, and potential counter-measures.
2020
We consider the problem of securing a given control loop implementation of a cyber-physical system (CPS) in the presence of Man-in-the-Middle attacks on data exchange between plant and controller over a compromised network. To this end, there exist various detection schemes which provide mathematical guarantees against such attacks for the theoretical control model. However, such guarantees may not hold for the actual control software implementation. In this article, we propose a formal approach towards synthesizing attack detectors with varying thresholds which can prevent performance degrading stealthy attacks while minimizing false alarms.