For networked cyber-physical systems to proliferate, it is important to ensure that the resulting control system is secure. We consider a physical plant, abstracted as a single-input, single-output stochastic linear dynamical system, in which a sensor node can exhibit malicious behavior. A malicious sensor may report false or distorted sensor measurements. For such compromised systems, we propose a technique which ensures that malicious sensor nodes cannot introduce any significant distortion without being detected. The crux of our technique consists of the actuator node superimposing a random signal, whose realization is unknown to the sensor, on the control law-specified input. We show that in spite of a background of process noise, the above method can detect the presence of malicious nodes. Specifically, we establish that by injecting an arbitrarily small amount of such random excitation into the system, one can ensure that either the malicious sensor is detected, or it is restricted to add distortion that is only of zero-power to the noise entering the system. The proposed technique is potentially usable in applications such as smart grids, intelligent transportation, and process control.
On minimal tests of sensor veracity for dynamic watermarking-based defense of cyber-physical systems
We address the problem of security of cyber-physical systems where some sensors may be malicious. We consider a multiple-input, multiple-output stochastic linear dynamical system controlled over a network of communication and computational nodes which contains (i) a controller that computes the inputs to be applied to the physical plant, (ii) actuators that apply these inputs to the plant, and (iii) sensors which measure the outputs of the plant. Some of these sensors, however, may be malicious. The malicious sensors do not report the true measurements to the controller. Rather, they report false measurements that they fabricate, possibly strategically, so as to achieve any objective that they may have, such as destabilizing the closed-loop system or increasing its running cost. Recently, it was shown that under certain conditions, an approach of “dynamic watermarking” can secure such a stochastic linear dynamical system in the sense that either the presence of malicious sensors in the system is detected, or the malicious sensors are constrained to adding a distortion that can only be of zero power to the noise already entering the system. The first contribution of this paper is to generalize this result to partially observed MIMO systems with both process and observation noises, a model which encompasses some of the previous models for which dynamic watermarking was established to guarantee security. This result, similar to the prior ones, is shown to hold when the controller subjects the reported sequence of measurements to two particular tests of veracity. The second contribution of this paper is in showing, via counterexamples, that both of these tests are needed in order to secure the control system in the sense that if any one of these two tests of sensor veracity is dropped, then the above guarantee does not hold. The proposed approach has several potential applications, including in smart grids, automated transportation, and process control.
- PAR ID: 10037668
- Date Published:
- Journal Name: 9th International Conference on Communication Systems & Networks (COMSNETS 2017)
- Page Range / eLocation ID: 23 to 30
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- Control systems are increasingly targeted by malicious adversaries, who may inject spurious sensor measurements in order to bias the controller behavior and cause suboptimal performance or safety violations. This paper investigates the problem of tracking a reference trajectory while satisfying safety and reachability constraints in the presence of such false data injection attacks. We consider a linear, time-invariant system with additive Gaussian noise in which a subset of sensors can be compromised by an attacker, while the remaining sensors are regarded as secure. We propose a control policy in which two estimates of the system state are maintained, one based on all sensors and one based on only the secure sensors. The optimal control action based on the secure sensors alone is then computed at each time step, and the chosen control action is constrained to lie within a given distance of this value. We show that this policy can be implemented by solving a quadratically constrained quadratic program at each time step. We develop a barrier function approach to choosing the parameters of our scheme in order to provide provable guarantees on safety and reachability, and derive bounds on the probability that our control policies deviate from the optimal policy when no attacker is present. Our framework is validated through numerical study.
- We consider a prototypical intelligent transportation system with a control law that is specifically designed to avoid collisions. We experimentally demonstrate that, nevertheless, an attack on a position sensor can result in collisions between vehicles. This is a consequence of the feeding of malicious sensor measurements to the controller and the collision avoidance module built into the system. This is an instance of the broader concern of cybersecurity vulnerabilities opened up by the increasing integration of critical physical infrastructures with the cyber system. We consider a solution based on “dynamic watermarking” of signals to detect and stop such attacks on cyber-physical systems. We show how dynamic watermarking can handle nonlinearities arising in vehicular models. We then experimentally demonstrate that employing this nonlinear extension indeed restores the property of collision freedom even in the presence of attacks.
- Network-on-chip (NoC) is widely used as an efficient communication architecture in multi-core and many-core System-on-chips (SoCs). However, the shared communication resources in an NoC platform, e.g., channels, buffers, and routers, might be used to conduct attacks compromising the security of NoC-based SoCs. Most of the proposed encryption-based protection methods in the literature require leaving some parts of the packet unencrypted to allow the routers to process/forward packets accordingly. This reveals the source/destination information of the packet to malicious routers, which can be exploited in various attacks. For the first time, we propose the idea of secure, anonymous routing with minimal hardware overhead to encrypt the entire packet while exchanging secure information over the network. We have designed and implemented a new NoC architecture that works with encrypted addresses. The proposed method can manage malicious and benign failures at NoC channels and buffers by bypassing failed components with a situation-driven stochastic path diversification approach. Hardware evaluations show that the proposed security solution combats the security threats at the affordable cost of 1.5% area and 20% power overheads chip-wide.