Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Toward a Theory of High ConfidenceNetworked Control Systems
Closing the Loop around Wireless Sensor Networks
Saurabh Amin† and Shankar Sastry †
† University of California at Berkeley, CA, USA
Our CollaboratorsS. Oh (Seoul National), A. Cárdenas (Fuji. Labs), A. Bayen (Berkeley),
T. Roosta (Cisco), L. Schenato (Padova), B. Sinopoli (CMU), K-H.Johansson, A. Texeira, H. Sandberg (KTH)
Presented at the local PI Meeting of the CPS Action Webs Project,Berkeley, July 2010
Outline
Wireless Sensor Networks (WSN)Tech Push and ApplicationsAdvantages and Limitations of WSN
Closing the Loop around WSNOn-time WSN Based ControlRobustness and Fault Tolerance against Random FailuresVulnerabilities, Threats, and Countermeasures
Research on Secure and Resilient ControlThreat AssessmentDetection of Deception AttacksAttack Resilient Control
Future Work
Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations
Outline
Wireless Sensor Networks (WSN)Tech Push and ApplicationsAdvantages and Limitations of WSN
Closing the Loop around WSNOn-time WSN Based ControlRobustness and Fault Tolerance against Random FailuresVulnerabilities, Threats, and Countermeasures
Research on Secure and Resilient ControlThreat AssessmentDetection of Deception AttacksAttack Resilient Control
Future Work
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations
Major Recent Progress
Ref: Ambient Intelligence, Eds: Weber, Rabaey, Aarts, 2005S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations
Ubiquitous Intrumentation
Understanding Phenomena
Data Collection for offline analysis
Environmental monitoringHabitat monitoringStructural health monitoring
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations
Sensor Webs Everywhere
Detecting changes in the environment
Thresholds, phase transitions, anomalydetection
Security systems and Health careWildfire detectionFault detection, threat detection
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations
Widely deployed in Critical Infrastructure Systems
Real-time estimation and control
DCS and SCADA systems
Traffic control, building control,environmental controlManufacturing and plant automation,power gridsMuitiple Target Tracking,pursuit-evasion games, activesurveillance, search and rescue/capture
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations
Sensor Web Application Taxonomy
Understanding Phenomena
Data Collection for offline analysis
Environmental monitoring, Habitat monitoringStructural health monitoring
Detecting changes in the environment
Thresholds, phase transitions, anomaly detection
Security systems, Health careFault detection, threat detection
Real-time estimation and control
Action Webs
Traffic control, building control, environmental controlManufacturing and plant automation, power gridsMuitiple Target Tracking, pursuit-evasion games,active surveillance
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations
Societal Cyber Physical Systems
“A complex collection of sensors, controllers, compute nodes,and actuators that work together to improve our daily lives”
From very small: Ubiquitous, Pervasive, Disappearing,Perceptive, Ambient
To very large: Always Connectable, Reliable, Scalable,Adaptive, Flexible
Emerging Service Models
Environmental control, energy management and safety inbuildings
Automotive and avionic safety and control
Management of metropolitan traffic flows
Distributed health monitoring
Power distribution with decentralized energy generation
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations
Why add Action Webs in Societal CPS?!
Cost reduction
More than 85% reduction in costcompared to wired systems (casestudy by Emerson)
Easy to deploy and enables newfunctionalities
Typical plant: 40+ years old,$ 10B infrastructure
Reliability
Robust estimation from noisymeasurements in the presence ofunreliable communication
Real-time control formission-critical systems
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Tech Push Advantages and Limitations
Limitations of Sensor Networks
Limited Resources
Energy RestrictionsLimited Communication and Computational Power (10 KBRAM, 250 kbps data rate, for example)Storage Restrictions
Random Topology
No prior knowledge of post-deployment topology
Measurement inconsistency
Noise, False alarms
Communication Reliability
Transmission failures and packet loss, Delays
Deployed in Hostile Environments
Vulnerability to physical capture
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Outline
Wireless Sensor Networks (WSN)Tech Push and ApplicationsAdvantages and Limitations of WSN
Closing the Loop around WSNOn-time WSN Based ControlRobustness and Fault Tolerance against Random FailuresVulnerabilities, Threats, and Countermeasures
Research on Secure and Resilient ControlThreat AssessmentDetection of Deception AttacksAttack Resilient Control
Future Work
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
High Confidence Networked Control Systems
Next generation control systems will have
Robust estimation for control under randomdisturbances
Unreliable communications with delays andpacket lossMobile sensor and actuator dynamicsDistributed parameter systems
Closing-the-loop capability with fault-tolerantnetworked control
Characterization of limits on stability, safetyand optimalityScalable model predictive control
Security and resilience under attacks
Availability, Integrity and ConfidentialityGraceful degradation
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
On-Time Sensor Network-Based Control System
Hierarchical architecture
for real-time operation
Multiple layers of data fusion
for robustness and to reducecommunication load
LochNess: Large-scale On-time
Collaborative Heterogeneous Networked
Embedded Systems
Oh, Schenato, Chen, Sastry, Proc.S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Multi-Target Tracking (MTT) Problem
Given
Multiple dynamics and measurement models
Sensor and clutter (false alarms) models
Target appearance and disappearance models
Set of noisy unlabeled observations Y
Find
Number of targets
States of all targets
Requires solutions to both
Requires solutions to both
Data association
State estimationS. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Robustness against Transmission Failure
Simulation Results
Each single-hop transmission fails with probability(transmission failure rate)
Tolerates up to 50% lost-to-total packet ratio
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Robustness against Communication Delays
Simulation Results
Each single-hop transmission gets delayed with probability(communication delay rate)
Tolerates up to 90% delayed-to-total packet ratio
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Optimal control with both intermittent observations andcontrol packets
For unreliable communication
What is the minimum arrival probability that guaranteesacceptable performance of estimator and controller?
How is the arrival rate related to the system dynamics?
Can we design estimator and controller independently?
Are the optimal estimator and controllers still linear?
Can we provide design guidelines?
Joint work with L. Schenato and B. Sinopoli
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Linear Quadratic Control Design for TCP-like andUDP-like communication protocols
Limits of Stability
Optimal LQG control with
constant gains
TCP-like: ACK is available,UDP-like: ACK Not available
Better performance of TCP compared to UDP
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Wireless Security Myths
Licensed frequencies provide security
No! Only provide a right tocommunicate over a specificfrequency or range of frequencies
Enable legal recourse only ifadversary is found
Directional antenna means data issecure
Beamwidth must be large enoughto reach target
Wireless travels based ontopography
Left-over tower real estate
Courtesy: Mark Hadley, PNNL
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Wireless Security Myths
SCADA radio communication is well behaved
Time between telemetry requests can be used for malicioustraffic injection
Encryption provides security
Encryption only provides confidentiality. It does not careabout the intent of the data
What about integrity and availability?
Both malicious and legitimate data can travel throughencrypted tunnels with equal ease
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Attack Models for Sensor Networks
Mote-class Attacker
Controls a few ordinary sensor nodesHas the same capabilities as the network
Laptop-class Attacker
Greater battery, processing power, memory, high-power radiotransmitter, low-latency communication
Outsider Attacks
Passive eavesdroppingDenial of service attacksReplay attacks
Insider Attacks: compromised node
Node runs malicious codeNode has access to secret keys, participates in authenticatedcommunication
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Previous Work on Countermeasures to Attacks on WSN
Secure communicationSPINS: Security Protocols for Sensor Networks (Perrig, Szewczyk,Wen, Culler, Tygar)
TinySec: Link Layer encryption for tiny devices (Karlof, Sastry,
Wagner)
Robust aggregationData aggregation is prone to insider attacks which inject faulty datainto the networkSIA: Secure Information Aggregation for Sensor Networks(Przydatek, Song, Perrig)
Resilient Aggregation in Sensor Networks (Wagner)
Sybil AttackNode pretends to have multiple identities, or the adversary createsnode identities that do not exist in the network.
Countermeasures (Newsome, Shi, Song, Perrig)
Courtesy of T. Roosta
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Previous Work on Countermeasures to Attacks on WSN
Secure location verificationThe goal is to validate the claims of nodes
Verification of Location Claims (N. Sastry, Shankar, Wagner)
Robust localizationLocalization is used to find the position of the nodesStatistical Methods for Robust Localization (Z. Li, W. Trappe, Y.Zhang, B. Nath)
SeRLoc (Lazos, Poovendran)
Key distribution protocolsUsed for distributing the cryptographic keys in the network afterdeployment
Random Key Distribution Protocol (Chan, Perrig, Song and
Eschenauer, Gligor)
Courtesy of T. Roosta
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Networked Control Robustness Security against Attacks
Defense-in-depth
Security tools at each layer
Containtment measures: VLAN, logicalseparation, physical separation, egressfilters
Wired network tools: IDS, networkdesign, network registration, separatemanagement
Wireless network tools: network design,spectrum analyzer, limit transmit power,network registration, authenticate traffic,encrypt traffic, gateway
Physical tools: gates, doors, locks, mantraps, posted signage
Personnel controls: security staff trainingand awareness
Key Question: How to select security tools at each layer?
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Outline
Wireless Sensor Networks (WSN)Tech Push and ApplicationsAdvantages and Limitations of WSN
Closing the Loop around WSNOn-time WSN Based ControlRobustness and Fault Tolerance against Random FailuresVulnerabilities, Threats, and Countermeasures
Research on Secure and Resilient ControlThreat AssessmentDetection of Deception AttacksAttack Resilient Control
Future Work
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Vulnerabilities can be Exploited
2008 Huntington Beach
offshore oil platforms
2000 Maroochy Shire sewage
control systemoffshore oil platforms control system
2007 Tehama!Colusa Canal2007 Cal!ISO power
k ti ti2007 Tehama Colusa Canal marketing operations
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Vulnerabilities can be Exploited
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Attacks to Control System
Attacks can disrupt
Set points: man-in-the-middlesubstitutions,
Control: tuning parametersubstitutions
Process value readings: valuesubstitutions,
Communication: latency impactvia DoS attack,
Process disruption: disruptconnection to plant.
Multilayer Control Structure
(Tatjewski, ’08)
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Operational Goals and Attributes of the Adversary
Operational Goals
Maintain safe operational mode
- Limit the probability of undesirable behavior,
Meet production demands
- Keep certain process values within prescribed limits,
Maximize production profit.
Attributes of the Adversary
Mode of attack
- Availability, integrity, confidentiality,
Signature of attack
- Targeted, resource constrained, random,
Time of attack.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Integrity and Availability for Control Systems
Integrity
Trustworthiness of sensor andcontrol data packets,
Lack of integrity results indeception,
A1 & A3: integrity attacks.
Availability
Ability of system components onbeing accessible,
Lack of availability results in DoSof sensor & control data,
A2 & A4: DoS attacks.
Physical System
Controller
y
u
A1
A2A3
A4
A5
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Secure ControlWhat is New and Fundamentally Different?
Control system security is importantAre there new research problems, or can problems be solved with
Traditional IT security?
Robust Fault-tolerant control?
Information security: What can help?
Prevention: Authentication, access control, software security
Detection: Intrusion detection, malware filtering
Resiliency: Separation of duty, principle of least privilege
What seems to be missing?
Effect of attacks on control and estimation algorithms interacting withphysical dynamics,
Trust and Adversary Model: How the attacker may manipulate controland sensor data to achieve goals.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
CPS vs. Traditional IT Security
What is new and fundamentally different in control systemssecurity?
Model interaction with the physical world
Three new research directions
Threat assessment: How attacker may manipulate control variablesto achieve goals and study consequences to the physical system
Attack-detection by using models of the physical system
Study stealthy attacks (undetected attacks)Ensure safety of any automated response mechanism
Attack-resilient control algorithms
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Our Results in these three New Research Directions
Threat assessmentAd Hoc Networks 2009 Cárdenas, Roosta, SastryJ. of Critical Infrastructure Protection 2009 Huang, Cárdenas,Amin, Lin, SastryHSCC 2010 (to appear) Amin, Litrico, Sastry, Bayen
Control and Decision Conference 2010 (submitted) Teixeira, Amin,
Sandberg, Johansson, Sastry
Attack-detection using reduced-order models
Focus on power grid (Preprint), chemical process control(Tech. Report) Lin, Cárdenas, Amin, Huang, Sastry
Attack-resilient control algorithms
HSCC 2009, Amin, Cárdenas, SastryPrivacy-aware dynamic sensing (Preprint), Amin, Hofleitner,Herring, Bayen
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Risk Assessment Case StudyGignac Water Distribution System
The Gignac Project
Irrigates 2800 Hc of land by 50 km ofprimary, 270 km of secondary canals
Equipped with level and velocitysensors, and motorized gates withlocal slave controllers
SCADA system architecture:centralized base station thatcommunicates with field devicesthrough radio and telephonecommunication
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Attacks on Water Distribution Systems
. . . ℓ
hL
k
h0
k
Upstream Gate
Canal Bed
Canal Reach
Water level measurement
Remote Controller
Control Signal
yk = hL
k
uk
Qℓ
k
L0 1 2 3 4
wk
For regulatory control, attacks may result from1 Intermittent offtake withdrawals.
2 Certain deception/DoS attacks on sensor and control data.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Cyber and Physical Infrastructure
Physical Infrastructure Cyber Infrastructure
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Experiment Site and SCADA Supervisory Interface
Avencq Cross-Regulator
SCADA Interface
Lagarel station is under alert (notfunctional) but Avencq is functional
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Cascade of Canal Reaches
Frequency domain model of canal reach
Control input variables: Upstream µi and downstreamdischarge µi+1, Controlled variable: the downstream water level yi ,Disturbance: pi offtake withdrawal
Frequency domain input-output relationship (Callier-Desoer
algebra) for reach i :
yi(s) = Gi(s)µi(s) + Gi(s)[µi+1(s) + pi(s)]
Low frequency approx. (integrator-delay model) used to design PI
controllers
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Effect of Hacking Level Sensor: Simulation
Water withdrawal by attacker Actual water level under attackWater withdrawal by attacker Actual water level under attack
Deception attack on level sensor Control action under attack
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Effect of Hacking Level Sensor: Experiment
Actual water level under attackWater withdrawal by attacker
Control action under attackDeception attack on level sensor
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Extension to decentralized, multivariable PI controllers
Compensating effect of water withdrawal at the boundaries bymanipulating sensor readings,
Such that the multivariable controller does not react to actualperturbation.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Attack Detection Case StudyTennessee Eastman Process Control System (TE-PCS)
TE-PCS Plantwide Control
Process model (FORTRAN code) & Four-loop PIcontroller (MATLAB code)
Control Objective
- Regulate product rate- Maintain reactor pressure to safe limits- Minimize Operating Cost
Adversary Model
- Sensors y4, y5, y7 may be compromised- Block attack duration Ka = {ks , . . . , ke}- Observed sensor measurement yi
yi(k) =
{
yi(k) for k /∈ Ka, yi(k) ∈ [ymini , ymax
i ]
ai(k) for k ∈ Ka, ai(k) ∈ [ymini , ymax
i ]
- Models DoS and deception attacks
!""#$%
&"'()"**+)
!""#$,
&"'()"**+)
!""#$-
&"'()"**+)
!""#$.
&"'()"**+)
/+'0")$1.
$23)4+
2)"536(789
#:;<
#0#
=.
=++5$%7>?@?&9
=++5$,7#3)+$>9
1>-
1>-0#
#
=.
=.0#
3-
3%
3,
/+'0")$1A
/+'0")$1B
=-
#
=%
=,
C;*D+
C;*D+
C;*D+
From L. Ricker (1993)
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Framework for Attack Detection
Four Step Process
Estimate model of the physical process
Linearized model around operating point
xk+1 = Axk + Buk , yk = Cxk
Propose detection scheme
Non-parametric Cumulative sum(CUSUM) statistic
Study stealthy attacks
Assume that adversary is adaptive andknows anomaly detection scheme
Ensure safety of automated response
Use internal model output to control thesystem when anomaly is detected
Computing Blocks
uk : control signal, yk : sensorsignal, wk : disturbance signalAnomaly Detection Module(ADM) output is yk underattack, and yk otherwise
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
CUSUM Change Detection Algorithm
CUSUM Algorithm
Random process Zi(k) follows p0 (null hypothesis H0) or p1
(alternate hypothesis p1)
CUSUM statistic updated as (starting from Si(0) = 0)
Si(k + 1) =
(
logp1(zi(k))
p0(zi(k))+ Si(k)
)+
Stopping time is the time when test stops and decides that achange has occured
N = infn
{n : Si(n) ≥ τi}
Where τi is selected based on false alarm constraint
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Nonparametric CUSUM for Sensor i
Nonparametric CUSUM does not a assume parametricdistribution for p0 and p1
Measure the difference between the expected and observedbehavior
zi(k) =‖ yi(k) − yi(k) ‖ −bi ,
Where bi > 0 selected such that E0[Zk ] < 0 and E1[Zk ] > 0
Nonparametric CUSUM:
Si(k) = (Si(k − 1) + zi(k))+
, Si(0) = 0
Decision rule at k : H1 if Si(k) > τ , H0 otherwise
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Tuning CUSUM ParametersTuning bi
Parameter bi chosen as the empirical expected value of distance|yi(k) − yi(k)| under no attack
Tuning threshold τi
Selected to achieve balance between false alarms and detection time
Number of false alarms decrease exponentially with increasing τ
0 10 20 30 40 500
5
10
15
20
X: 7Y: 1
y4
tau
fals
e
ala
rm
0 25 50 75 1000
5
10
15
20
X: 44Y: 1
y7
taufa
lse
ala
rm0 2500 5000 7500 10000
0
5
10
15
20
X: 4900Y: 1
y5
tau
fals
e
ala
rm
Time to detection increases linearly with increasing τ
0 25 50 75 1000
0.2
0.4
0.6
0.8
X: 50Y: 0.5
aver
age
det
ectio
n ti
me
(hou
r)
X: 50Y: 0.1
y4
tau
y = y * 0.9y = y * 0.7y = y * 0.5
0 2500 5000 7500 100000
0.5
1
1.5
2
2.5
3
X: 5000Y: 1.8
y5
tau
aver
age
det
ectio
n ti
me
(hou
r)
X: 5000Y: 0.3
X: 8000Y: 0.5
y = y * 0.9y = y * 0.7y = y * 0.5
0 50 100 150 2000
0.5
1
1.5
2
2.5
3
X: 100Y: 2
y7
tau
aver
age
det
ectio
n ti
me
(hou
r)
X: 150Y: 0.6X: 100
Y: 0.4
y = y * 0.9y = y * 0.7y = y * 0.5
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Stealthy Attack Model for Insider Attacks
Assumptions for stealthy attack model
Internal model and ADM parameters are known to adversary
Goal is to compromise plant safety by increasing pressure in thereactor
And yet remain undetected for fixed numer of time steps
Examples
Surge attack: Adversary tries to maximize the damage in shortest time,but when statistic reaches threshold, it stays at the threshold forremaining time
Bias attack: Aderversary adds a small bias at each time step
Geometric attack: Attacker combines slow initial drift of the bias attackwith surge attack at the end to cause maximum damage
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Geometric Stealthy Attack
Attack starts at T = 10 hrs and goal is to remain undetecteduntil T = 30 hrs
0 10 20 30 4096
97
98
99
100
101
102
103
104
105
y4
Time (hour)
Pro
duct
Rate
(km
ol
/hr)
y4y4
0 10 20 30 402600
2650
2700
2750
2800
2850
2900
2950
3000
y5
Time (hour)
Pre
ssure
(kP
a)
y5y5
0 10 20 30 4042
43
44
45
46
47
48
49
50
y7
Time (hour)
Am
ount
of
Ain
purg
e(m
ol
%)
y7y7
0 5 10 15 20 25 30 35 400
10
20
30
40
50
60
S4
Time (hour)0 5 10 15 20 25 30 35 40
0
2000
4000
6000
8000
10000
12000
S5
Time (hour)0 5 10 15 20 25 30 35 40
0
20
40
60
80
100
120
140
160
180
200
220
S7
Time (hour)
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Resiliency under Stealthy Attacks
Stealthy attacks are not able compromise plant safety due toresilient control structure in place
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Automatic Response Mechanism
Response of ADM
When attack is detected, (Si(k) > τi), replace yi(k) by output frominternal (linear) model yi(k)
Else, use yi(k) compute control action
0 10 20 30 401000
1500
2000
2500
3000
3500X: 23.2Y: 3000
y5
Time (hour)
Pre
ssure
( k
Pa )
y5
y5
0 10 20 30 401000
1500
2000
2500
3000
3500
X: 10.6Y: 1369
y5
Time (hour)
Pre
ssure
( k
Pa )
y5
y5
. . . Measurement under attack, – Original measurement
Attack starts at T = 10, system crashes at T = 29, Attack detected
at T = 10.8S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Automatic Response to False Alarms
Response to false alarm does not violate safety
Maximum pressure under false alarm is (2779 kPa) which is in sameorder of magnitude as normal maximum pressure under no false alarm
(2757 kPa)
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Constrained Linear Systems Under DoS Attack Mode
Discrete-time linear system under DoS attack with dynamics
xk+1 = Axk + Buak + wk , k = 1, . . . , N − 1
xak = γkxk , γk ∈ {0, 1}
uak = νkuk , νk ∈ {0, 1}
uk = µk(xa0 , . . . , xa
k ),
and constraints on state and control input
(xak , ua
k) ∈ T , wk ∈ W.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Operational Goals for Secure Control Problem
Power Constraints(
xak
uak
)⊤(
Hxxi 00 Huu
i
)(
xak
uak
)
≤ βi , i = 1, . . . , L1,
Safety constraints(
xak
uak
)
∈ Tj , j = 1, . . . , L2,
Cost functionJ(x0, u, w) =
∑Nk=1 x⊤
k Qxxxk +∑N−1
k=1 νku⊤k Quuuk ,
For disturbance sets
w ∈ Wα := {w| ‖ w ‖2≤ α},
- Constraints and cost in worst-case sense.
w ∼ N (0, W ),
- Constraints and cost in expected/probabilistic sense.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
DoS Attack Signatures for Secure Control Problem
Random adversary(Sinopoli et al., ’04, Elia, ’04) ABer(γ,ν)
= {(γN−10 , νN−1
0 )|P(γk = 1) =
γ, P(νk = 1) = ν, k = 0, . . . , N − 1}.
Probability of successful measurement (resp. control) transmission is γ(resp. ν).
Resource constrained adversaryApq = {(γN−1
0 , νN−10 ) ∈ {0, 1}2N
∣
∣ ‖ γN−10 ‖1≥ N − p, ‖ νN−1
0 ‖1≥ N − q}.
Adversary can deny measurement (resp. control) transmission for at mostp (resp. q) times.
Apq attacks include block attacks
Aτx τupq = {(γN−1
0 , νN−10 ) ∈ {0, 1}2N |γτx+p−1
τx= 0, ντu+q−1
τu= 0},
- τx (resp. τu) start of attack on measurement (resp. control)data.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Secure Control Problem for DoS attack mode
Definition (Secure Control Problem)
To design a (predictive) control strategy that
Minimizes operating costs,
Satisfies safety constraints,
Maintains closed-loop stability,
by surviving DoS attacks to measurement andcontrol data under a well-defined adversary model(e.g., random or resource-constrained attacksignature).
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Problem Statement for Resource Constrained Adversary
For constrained linear systems
xk+1 = Axk + Buak + wk , k = 1, . . . , N − 1
xak = γkxk , ua
k = νkuk , (γk , νk) ∈ {0, 1}2
find causal feedback policies uk = µk(xa0 , . . . , xa
k ), thatminimize J(x0, u, w) =
∑Nk=1 x⊤
k Qxxxk +∑N−1
k=1 νku⊤k Quuuk ,
subject to power constraints(
xak
uak
)⊤(
Hxxi 00 Huu
i
)(
xak
uak
)
≤ βi , i = 1, . . . , L1,
and safety constraints(
xak
uak
)
∈ Tj , j = 1, . . . , L2,
for all disturbances w ∈ Wα OR w ∼ N (0, W ) and a given set of(γN−1
0 , νN−10 ) ∈ Apq attack signatures.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Key Ideas from Robust Control
Using following ideas
Semi-definite program (SDP) viewpoint of linear quadraticcontrol (LQC) problem,
Constrained LQC with affine state-feedback policies,
Robust appoximations of probabilistic constraints on state andcontrol input,
we can arrive at feedback policies that are robust to certain classesof DoS attacks.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Robust Control For a Set of Apq Attacks
The solution of the secure control problem for a set of attacksignatures of type (γN−1
0 , νN−10 ) ∈ Apq using the
affine-feedback control policies
uk = u◦k +
k−1∑
j=0
γjMk,jwj , k = 0, . . . , N − 1
can be obtained as a solution of a semidefinite program. Here,u◦
k is the open-loop part of the control, and Mk,j is thefeedback gain or recourse at time k from past sensormeasurement xj .
The result holds for both w ∈ Wα and w ∼ N (0, W ).
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Implications for the Defender
Receding horizon implementation An admissible control policycan be computed at each time, with first component of thepolicy applied.
Predicted state estimates, disturbance, and attack signatures:
(x⊤0|k , . . . , x⊤
N|k)⊤, (w⊤
0|k , . . . , w⊤N−1|k)
⊤
(γ⊤0|k , . . . , γ⊤
N−1|k)⊤, (ν⊤
0|k , . . . , ν⊤N−1|k)
⊤
A solution provides certificate of feasibility: Policy is(p, q, α)−secure.
If the feasibility margins are violated, the constraints can besoftened and open-loop or back-up policies aimed at drivingthe system back to feasible set computed.
If back-up policies fail, reconfiguration is the only option.
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work Threat Assessment Attack Detection Resilient Control
Implications for the Attacker
Give a set of attack signatures(γN−1
0 , νN−10 )1, . . . , (γN−1
0 , νN−10 )r ∈ Apq, the attacker
computes robustness margins for each attack signature bysuccessively increasing uncertainty bounds.
The attack signature with least feasibility margin is mostpromising from attackers viewpoint
Candidate attack signatures
Block A0ppq attacks,
(
Np
)
most informative attacks (Joshi and Boyd, ’08).
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work
Outline
Wireless Sensor Networks (WSN)Tech Push and ApplicationsAdvantages and Limitations of WSN
Closing the Loop around WSNOn-time WSN Based ControlRobustness and Fault Tolerance against Random FailuresVulnerabilities, Threats, and Countermeasures
Research on Secure and Resilient ControlThreat AssessmentDetection of Deception AttacksAttack Resilient Control
Future Work
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work
Building Operating System
Courtesy of Arun MajumdarS. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work
Cooperative Continuous Reduction
Aim of the Action Webs Project
To achieve 40% reduction over 4 years
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work
Heterogeneous Sensor Webs
For tracking moving objects
Simple background to extract movingobjects in a scene
Built on Intel Vision Library
UCB/ITRI CITRIC Mote
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley
Sensor Webs Closing the Loop Secure Control Future Work
Towards Foundations of Multi-Person, Networked Games
S. Amin, S. Sastry High Confidence Networked Control Systems TRUST, UC Berkeley