14 - Amin

Motivation to study security of control systems. Our Results/Contribution. Summary.
Security constrained control under

denial-of-service attacks.
Saurabh Amin1 Alvaro Cárdenas2

Alexandre Bayen1 Shankar Sastry2
1 Systems engineering, Civil and Environmental Engineering

University of California, Berkeley
2 Electrical Engineering and Computer Sciences
University of California, Berkeley
TRUST Autumn 2008 Conference
Secure control systems UC Berkeley

Outline.
Motivation to study security of control systems.

Distributed control systems: vulnerabilities and threats.
Research challenges for security of control systems.
Our Results/Contribution.
Taxonomy of attacks to control systems.
Secure control problem under DoS attacks.

Outline


Distributed Control Systems (DCS).

◮ Sensor-actuator networks that monitor and control physical
processes,
◮ Safety-critical: their disruption can cause irreparable harm.
Sensors
Actuators s1
a1 Physical
s2
System
a2 a3 s3
s4
Network
c1 c2 c3
Distributed Controllers

New Vulnerabilities and New Threats.
◮ Controllers are computers,

◮ Networked,
◮ Commodity IT solutions,
◮ Open design
◮ New functionalities,
◮ Highly skilled global workforce,
◮ Cybercrime

Vulnerabilities can be exploited.

Outline


What is new and fundamentally different.
◮ Studying security of control systems is important,

◮ Does the problem pose new research challenges beyond
previous research in
◮ Traditional IT security
◮ Robust and networked control

Research challenges.
◮ Investigate realistic models of attacks to control systems
from the "systems viewpoint".
◮ Understand the consequences of an attack: How can the
adversary select an attack strategy after obtaining
unauthorized access to some control system components?
◮ Design attack-detection algorithms: Based on
measurements, how to identify if attacker is tampering with
control and/or sensor data?
◮ Design attack-resilient algorithms and architectures:
After detecting an attack, how to change state estimates
and control commands to improve system’s resiliency?

Outline


Example cases

Operational goals and security attributes.
System Model Operational goal Security attribute

Temperature control linear/hybrid ODE safety random delay
Chemical reactor linear/nonlin ODE safety, stability, MPC DoS, deception
Canal control linear PDE safety, perf. max. DoS, demand fluctuation
Traffic estimation nonlinear PDE estimation accuracy location privacy

Attacks on chemical reactor control system.
A5 A1
A4 Physical ỹ
System
A3 A2
ũ Controller
A1 & A3: integrity attacks; A2 & A4: DoS attacks; A5: Physical attack.

Effect of attacks on safety and performance.

Product Rate [kmol/h] Pressure [kPa] operation cost [$/kmol product] Manipulated Variables [%]
103 2820 80 100
feed1 valve
102 2800 feed2 valve
70
80 purge valve
2780
101
60
2760
100 60
2740 50
99
2720 40
98 40
2700
30
97
2680 20
96 20
2660
95 2640 10 0
0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50
Time [h] Time [h] Time [h] Time [h]
Product Rate [kmol/h] Pressure [kPa] operation cost [$/kmol product] Manipulated Variables [%]
120 3050 80
compromised feed1 valve
110 3000 signal 24.2 feed2 valve
70
real signal purge valve
24
100 2950
23.8 60
90 2900
23.6
80 2850 50
23.4
70 2800
23.2 40
60 2750
compromised 23
signal 30
50 2700 22.8
real signal
40 2650 22.6 20
0 5 10 15 0 5 10 15 0 5 10 15 0 5 10 15
Time [h] Time [h] Time [h] Time [h]
Figure: a. DoS attack on controller. b. DoS & deception attacks on sensors.

Outline


Secure control problem for DoS attacks.
Availability
The ability of a control system of being accessible and usable
upon demand; lack of availability results in DoS of sensor and
control data.
Secure control problem for DoS attacks

To design a (predictive) control strategy that (1) minimizes
operating costs, and/or (2) satisfies safety constraints, and/or
(3) maintains closed-loop stability; by surviving DoS attacks to
the measurements and control data under a well-defined
adversary model.

Secure control under DoS attacks.

Design robust (minimax) control for system under DoS attacks (γk , νk ):
xk +1 = Axk + Buka + wk k = 0, . . . , N − 1,
uka = νk uk νk ∈ {0, 1},
xka = γ k xk γk ∈ {0, 1},
to minimize
 
N−1
X ⊤
xk xk
JN (x̄, P0 , u0N−1 )
N−1
= E  xN⊤ Q xx xN + Q u0 , x̄, P0 
νk uk νk uk
k =0
subject to power constraints in an expected sense

" ⊤ #
xk xk
E Hi ≤ βi for i = 1, . . . , L, and k = 0, . . . , N − 1
νk uk νk uk
as well as safety constraints in a probabilistic sense
P [(Cxk + νk Duk ) ∈ T ] ≥ (1 − ε) for k = 0, . . . , N − 1

Attack models.
Random adversary
ABer(γ̄,ν̄) = {(γ0N−1 , ν0N−1 )|P(γk = 1) = γ̄, P(νk = 1) = ν̄, k = 0, . . . , N − 1}.
Resource constrained adversary
Apq = {(γ0N−1 , ν0N−1 ) ∈ {0, 1}2N k γ0N−1 k1 ≥ N − p, k ν0N−1 k1 ≥ N − q},

Advsersary with internal state

Stochastic dynamical model of adversary’s cognitive functions
composed with control system.

Secure control problem for random adversary.
Theorem
The solution to the secure control problem for the
(γ0N−1 , ν0N−1 ) ∈ ABer(γ̄,ν̄) attack model using the affine
error-feedback parameterization
k
X
uk = uk◦ + γj Mk ,j (xj − x̂j|j−1 ), k = 0, . . . , N − 1
j=0
can be obtained as a solution of a semi-definite program. Here

uk◦ ∈ ℜm is the open-loop part of the control, and Mk ,j ∈ ℜm×n is
the feedback gain or the recourse at time k from sensor
measurement xj .

Optimal attack plan for resource constrained attacker.

Theorem ∗ ∗
The optimal attack plan {γ0N−1 , ν0N−1 } that maximizes the minimum cost for the Apq
attack model is the solution of the following:
(γk∗ , νk∗ ) = arg max E[xk⊤ Sk xk |Ik ] + ck

γk ,νk ∈{0,1}2
kγkN−1 k1 ≥(N−p)
kνkN−1 k1 ≥(N−q)
⊤ xx ∗ ⊤ ⊤ uu −1 ⊤
Sk = A Sk +1 A + Q − νk +1 A Sk +1 B(B Sk +1 B + Q ) B Sk +1 A
⊤ xx
ck = Tr{(A Sk +1 A + Q − Sk )Σk |k } + Tr(Sk +1 Q) + ck +1
starting with SN = Q xx and cN = 0 and
k −1
kX k
k k⊤ i i⊤
Y Y
Σk |k = (1 − γj )A P0 A + (1 − γj )A QA .
j=0 i=0 j=(k −i)

Summary and current focus.

◮ Defined secure control problem for random and
resource-constrained adversaries.
◮ Controller synthesis using convex and dynamic
programming.
◮ Current focus on
◮ Proving closed-loop stability for receding horizon control
law,
◮ Using IDS to detect coordinated integrity attacks on sensor
and control channels using limited number of sensors,
◮ Framework extensible to other systems such as highway
traffic estimation using mobile phone data under privacy
constraints.

Appendix
For Further Reading
A. Cárdenas, S. Amin, S. Sastry.

Research challenges for the security of control systems.
HotSec, 2008.
S. Amin, A. Bayen, A. Cárdenas, S. Sastry.
Security constrained control under DoS attacks.
Under review, 2008.

14 - Amin

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

14 - Amin

Uploaded by

Copyright:

Available Formats

Motivation to study security of control systems. Our Results/Contribution. Summary.

Security constrained control under

Saurabh Amin1 Alvaro Cárdenas2

1 Systems engineering, Civil and Environmental Engineering

TRUST Autumn 2008 Conference

Secure control systems UC Berkeley

Motivation to study security of control systems.

Secure control systems UC Berkeley

Distributed control systems: vulnerabilities and threats.

Motivation to study security of control systems.

Secure control systems UC Berkeley

Distributed control systems: vulnerabilities and threats.

Distributed Control Systems (DCS).

Secure control systems UC Berkeley

Distributed control systems: vulnerabilities and threats.

New Vulnerabilities and New Threats.

◮ Controllers are computers,

Secure control systems UC Berkeley

Distributed control systems: vulnerabilities and threats.

Vulnerabilities can be exploited.

Secure control systems UC Berkeley

Research challenges for security of control systems.

Motivation to study security of control systems.

Secure control systems UC Berkeley

Research challenges for security of control systems.

What is new and fundamentally different.

◮ Studying security of control systems is important,

Secure control systems UC Berkeley

Research challenges for security of control systems.

Secure control systems UC Berkeley

Taxonomy of attacks to control systems.

Motivation to study security of control systems.

Secure control systems UC Berkeley

Taxonomy of attacks to control systems.

Secure control systems UC Berkeley

Taxonomy of attacks to control systems.

Operational goals and security attributes.

System Model Operational goal Security attribute

Chemical reactor linear/nonlin ODE safety, stability, MPC DoS, deception

Traffic estimation nonlinear PDE estimation accuracy location privacy

Secure control systems UC Berkeley

Taxonomy of attacks to control systems.

Attacks on chemical reactor control system.

Secure control systems UC Berkeley

Taxonomy of attacks to control systems.

Effect of attacks on safety and performance.

Figure: a. DoS attack on controller. b. DoS & deception attacks on sensors.

Secure control systems UC Berkeley

Secure control problem under DoS attacks.

Motivation to study security of control systems.

Secure control systems UC Berkeley

Secure control problem under DoS attacks.

Secure control problem for DoS attacks.

Secure control problem for DoS attacks

Secure control systems UC Berkeley

Secure control problem under DoS attacks.

Secure control under DoS attacks.

subject to power constraints in an expected sense

as well as safety constraints in a probabilistic sense

P [(Cxk + νk Duk ) ∈ T ] ≥ (1 − ε) for k = 0, . . . , N − 1

Secure control systems UC Berkeley

Secure control problem under DoS attacks.

ABer(γ̄,ν̄) = {(γ0N−1 , ν0N−1 )|P(γk = 1) = γ̄, P(νk = 1) = ν̄, k = 0, . . . , N − 1}.

Resource constrained adversary