Identifying Implicit Component Interactions in Distributed Cyber ...€¦ · Introduction ModelingDistributedCyber-PhysicalSystems FormulatingImplicitInteractions IdentifyingImplicitInteractions

IntroductionModeling Distributed Cyber-Physical Systems

Formulating Implicit InteractionsIdentifying Implicit Interactions

Concluding Remarks

Identifying Implicit Component Interactions inDistributed Cyber-Physical Systems50th Hawaii International Conference on System Sciences

Jason Jaskolka1,∗ and John Villasenor1,2

1 Center for International Security and CooperationStanford University, Stanford, CA 943052 Department of Electrical Engineering

University of California, Los Angeles, Los Angeles, CA 90095∗ [email protected]

January 7, 2017

Jason Jaskolka and John Villasenor HICSS-50 1 / 23



Concluding Remarks

Acknowledgement & Disclaimer

Acknowledgement

This material is based upon work supported by the U.S. Department ofHomeland Security under Grant Award Number, 2015-ST-061-CIRC01.

DisclaimerThe views and conclusions contained in this document are those of theauthors and should not be interpreted as necessarily representing theofficial policies, either expressed or implied, of the U.S. Department ofHomeland Security.




Concluding Remarks

Outline

1 Introduction

2 Modeling Distributed Cyber-Physical Systems

3 Formulating Implicit Interactions

4 Identifying Implicit Interactions

5 Concluding Remarks




Concluding Remarks

Distributed Cyber-Physical SystemsCybersecurity Challenges in Distributed Cyber-Physical SystemsImplicit Component Interactions

Distributed Cyber-Physical Systems




Concluding Remarks


Cybersecurity Challenges in Cyber-Physical Systems

Ubiquitous and pervasive

Large and complex

Numerous components or agents

Even more interactions, some of which may be:

Unfamiliar, unplanned, or unexpected

Not visible or not immediately comprehensible

}Implicit

Interactions

Software/Hardware from third-party suppliers




Concluding Remarks


Cybersecurity Challenges in Cyber-Physical Systems

Ubiquitous and pervasive

Large and complex

Numerous components or agents

Even more interactions, some of which may be:

Unfamiliar, unplanned, or unexpected

Not visible or not immediately comprehensible

}Implicit

Interactions

Software/Hardware from third-party suppliers




Concluding Remarks


Implicit Component Interactions

Can indicate unforeseen flaws allowing for these interactions

Constitute linkages of which designers are generally unaware=⇒ security vulnerability

Hard to avoid simply by intuition

Difficult to detect (by nature)

Can be exploited to mount cyber-attacks at a later time




Concluding Remarks

Illustrative Example: Manufacturing CellModeling using C2KA

Illustrative Example: Manufacturing Cell




Concluding Remarks






Concluding Remarks



StorageAgent Handling

AgentProcessingAgent

Control/CoordinationAgent




Concluding Remarks


Illustrative Example: Manufacturing CellMessage Passing

Control Agent(C)

Handling Agent(H)

Processing Agent(P)

Storage Agent(S)

(1) start

(2) load

(3) loaded(6) unloaded

(4) prepare

(5) unload

(7) setup(10) done

(8) ready

(9) process

(9) process

(10) processed




Concluding Remarks


An Algebraic Modeling Framework

Communicating Concurrent Kleene Algebra (C2KA)

Formalism for modeling distributed multi-agent systems

Extension of Concurrent Kleene Algebra (CKA)

Captures communication and concurrency of agents at an abstractalgebraic level

Expresses influence of stimuli on agent behavior in open systems aswell as communication through shared environments

Other existing formalisms do not directly deal with describing howagent behaviors are influenced by stimuli

Primarily concerned with closed systems




Concluding Remarks


Communicating Concurrent Kleene Algebra (C2KA)

Definition (C2KA)

A Communicating Concurrent Kleene Algebra (C2KA) is a system(S,K

), where

S =(S ,⊕,�, d, n

)is a stimulus structure

K =(K ,+, ∗, ; , *©, ;©, 0, 1

)is a CKA(

SK ,+)is a unitary and zero-preserving left S-semimodule with next behavior

mapping ◦ : S × K → K(SK,⊕

)is a unitary and zero-preserving right K-semimodule with next stimulus

mapping λ : S × K → S

and where the following axioms are satisfied for all a, b, c ∈ K and s, t ∈ S:1 s ◦ (a ; b) = (s ◦ a) ;

(λ(s, a) ◦ b

)2 a ≤K c ∨ b = 1 ∨ (s ◦ a) ;

(λ(s, c) ◦ b

)= 0

3 λ(s � t, a) = λ(s, (t ◦ a)

)� λ(t, a)

4 s = d ∨ s ◦ 1 = 15 a = 0 ∨ λ(n, a) = n




Concluding Remarks


Agent SpecificationsIllustrative Example: Manufacturing Cell

Table: Stimulus-response specification of the Control Agent C

◦ start load loaded prepare done unload unloaded setup ready process processedidle idle idle prep idle idle idle idle idle idle idle idleprep prep prep prep prep prep prep init prep prep prep prepinit init init init init init init init init init proc initproc proc proc proc proc proc proc proc proc proc proc idle

λ start load loaded prepare done unload unloaded setup ready process processedidle load n prepare n n n n n n n nprep n n n n n n setup n n n ninit n n n n n n n n n done nproc n n n n n n n n n n end

Control Agent C 7→⟨idle + prep + init + proc

⟩Storage Agent S 7→

⟨empty + full

⟩Handling Agent H 7→

⟨wait + move

⟩Processing Agent P 7→

⟨stby + set + work

⟩Figure: Abstract behavior specification of the manufacturing cell agents




Concluding Remarks

Intended Systems InteractionsFormulation of Implicit Interaction Existence

Intended System Interactions

Control Agent(C)

Handling Agent(H)

Processing Agent(P)

Storage Agent(S)

(1) start

(2) load

(3) loaded(6) unloaded

(4) prepare

(5) unload

(7) setup(10) done

(8) ready

(9) process

(9) process

(10) processed

Pintended denotes the set of intended system interactions




Concluding Remarks


Illustrative Example: Manufacturing CellIntended System Interactions

C S C H S C P H

P

C P

C

Pintended ={

C→ S→ C→ H→ S→ C→ P→ H→ P→ C,

C→ S→ C→ H→ S→ C→ P→ H→ C→ P}




Concluding Remarks



C S C H S C P H

P

C P

C

Pintended ={

C→ S→ C→ H→ S→ C→ P→ H→ P→ C,

C→ S→ C→ H→ S→ C→ P→ H→ C→ P}




Concluding Remarks



C S C H S C P H

P

C P

C

Pintended ={

C→ S→ C→ H→ S→ C→ P→ H→ P→ C,

C→ S→ C→ H→ S→ C→ P→ H→ C→ P}




Concluding Remarks


Formulating Existence of Implicit Interactions

Definition (Existence of Implicit Interactions)

An implicit interaction (via stimuli) exists in a system formed by a set Aof agents, if and only if for any two agents A,B ∈ A with A 6= B:

∃(p | p =⇒ (A→+

S B) : ∀(q | q ∈ Pintended : ¬SubPath(p, q) ))

where SubPath(p, q) is a predicate indicating that p is a subpath of q.




Concluding Remarks

Identification of Implicit InteractionsExperimental Results

Identifying Implicit Interactions

1 Determine the potential communication paths that exist from thesystem specification

Example: Consider the manufacturing cell:

$ pfc system agentP agentSP ->+ S: True

P -> C -> H -> SP -> C -> SP -> H -> C -> SP -> H -> S

$ pfc system agentH agentCH ->+ C: True

H -> CH -> P -> CH -> S -> C

Control Agent(C)

Handling Agent(H)

Processing Agent(P)

Storage Agent(S)




Concluding Remarks


Identifying Implicit Interactions

2 Determine if a potential communication path is an implicitinteraction

Example: Consider the following potential communication paths:H → S → C and P → C → S

P→ C→ SPintended =

{C→ S→ C→ H→ S→ C→ P→ H→ P→ C,

C→ S→ C→ H→ S→ C→ P→ H→ C→ P}




Concluding Remarks


Identifying Implicit InteractionsControl Agent

(C)

Handling Agent(H)

Processing Agent(P)

Storage Agent(S)

C S C H S C P H

P

C P

C




Concluding Remarks


Identifying Implicit InteractionsControl Agent

(C)

Handling Agent(H)

Processing Agent(P)

Storage Agent(S)

C S C H S C P H

P

C P

C




Concluding Remarks


Experimental Results

For the manufacturing cell system:

11 of the 30 total interactions are implicit interactions

Result of the potential for out-of-sequence stimuli from systemagents

Demonstrates hidden complexity and coupling among agents

Potential for unexpected system behaviors




Concluding Remarks

Impact of this ResearchFuture Research DirectionsConcluding RemarksQuestions

Impact of this Work

Enhances the understanding of the hidden complexity and couplingin distributed cyber-physical systems

Formal foundation upon which mitigation approaches can bedeveloped

Basis for developing guidelines for designing and implementingcyber-physical systems that are resilient to cyber-threats

There is still much more to be done!




Concluding Remarks


Impact of this Work

Enhances the understanding of the hidden complexity and couplingin distributed cyber-physical systems

Formal foundation upon which mitigation approaches can bedeveloped

Basis for developing guidelines for designing and implementingcyber-physical systems that are resilient to cyber-threats

There is still much more to be done!




Concluding Remarks


Where Do We Go From Here?

Extension with potential for communication via shared environments

Classification and measurement of severity

Measure the exploitability of identified implicit interactions

Study impact of implicit interactions through simulation

Articulate mitigation approaches

Study the applicability on real systems




Concluding Remarks


Concluding Remarks

Implicit component interactions can pose a serious cyber-threat tocyber-physical systems

Elimination of implicit interactions in an ongoing and ambitiousundertaking

Focus on evolving and enhancing the understanding of our modernsystems and networks




Concluding Remarks


Questions

Questions?




Concluding Remarks


Thank You

Thank You!


Documents

Identifying Implicit Component Interactions in Distributed Cyber ...€¦ · Introduction ModelingDistributedCyber-PhysicalSystems FormulatingImplicitInteractions IdentifyingImplicitInteractions