
2. Systems and control methods for CPS security

2.2. Defense mechanisms

In this paper, we characterize three defense mechanisms, employed either prior to, or during the occurrence of the attack, to ensure CPS security. In order to present these three mechanisms in a unified manner, we consider an overall threat assessment metric illustrated in Fig. 4. Our thesis is that in order to develop a comprehensive defense mechanism for security, all three components of prevention (to postpone the onset of an attack), resilience (to contain the maximum impact of the attack and operate as closely to normal as possible), and detection and isolation (to identify the source of the attack, isolate the corrupted subsystems, and restore the normal mode as quickly as possible) are equally important and have to be layered in. If the defense strategy relies on detection alone, then the threat of the same attack recurring is not minimized. In addition, in the interval between the onset of the attack and detection, the system could experience a significant damage. A good example of such a scenario is the Stuxnet (Chen, 2010). Maroochy is also an outcome of the lack of detection and resilience mechanisms (Slay & Miller, 2007). The absence of resilience in RQ-170 is apparent, as the control system was unable to defend against the spoofing attack. It could be viewed that preventive mechanisms are active prior to the attack whereas resilience and detection and isolation mechanisms are invoked during the attacks and until the system is restored to normal operation.

Each of the three defense mechanisms represents a certain point of view of ensuring security and therefore corresponds to a certain control methodology and related systems tools. The goals, the tools used, and the resulting performance are therefore intimately connected with the defense mechanism. In the sections that follow, the control methodology, the tools, and the results reported in the literature are provided in detail.

2.2.1. Prevention mechanisms

Methods in this category are to guard against disclosure attacks, which start from an infiltration stage to steal the vital information of the system and leverage them in future attacks. A simple example of this stage is through an insider (like the case in Maroochy attack) or Advanced Persistent Threats (APTs), an attack in which the access of the system is given to an unauthorized user in a stealthy fashion for an extensive period of time (Chen, Desmet, & Huygens, 2014). We group defense mechanisms in this category into two cases; Cryptography and Randomization. The former is a long-standing topic with its underpinnings in computer science and extensively studied (Katz, Menezes, Van Oorschot, & Vanstone, 1996). The latter, on the other hand, is grounded in control theory and has a rich history in robust control problems (Milanese, 2013).

(i) Cryptography:

Cryptography is the science of constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography started after World War II making use of the concept of public key (Diffie & Hellman, 1976), Fig. 5(a).

The idea behind cryptography is to make sure that the data between a sender and a receiver cannot be revealed via an unauthorized user. Authentication can be checked with sharing the secure acknowledge messages. Fig. 5(b) shows why making use of encryption and decryption is helpful in maintaining the confidentiality of data. However, if the eavesdropper has access to the points between decryptor and B, or encryptor and A, it can still read the message. As A and B can be any of three components, sensors, communication network, or actuators, shown in Fig. 1, this kind of attacks may take place in CPS. However, if a form of encryption that allows computation on ciphertexts is used, it can prevent the eavesdropper from accessing these messages. Farokhi, Shames, and Batterham (2017) and Darup, Redder, Shames, Farokhi, and Quevedo (2018) discuss a homomorphic cryptographic platform with closed-loop stability analysis to address. An application of this method to secure transportation systems is discussed in Farokhi, Shames, and Johansson (2017). A key management scheme for privacy issues in SCADA systems is also proposed in Rezai, Keshavarzi, and Moravej (2013). A polynomial-based scheme for a symmetric key generation in SCADA is discussed in Pramod and Sunitha (2015) and a cryptographic framework for the threats in cyber-physical systems is analyzed in Burmester, Magkos, and Chrissikopoulos (2012). Also Sherif et al. (2017) proposes a similarity technique between encrypted data to preserve the privacy of ride-sharing autonomous vehicles. Secure estimation with privacy assurance of the encoded data is discussed in Wiese et al. (2018).

Fig. 5. (a) German Lorenz cipher machine, used in World War II to encrypt very-high-level messages, (b) Encryption and Decryption's roles in confidentiality.

(ii) Randomization:

Randomization as a defensive tool is utilized to confuse the potential attacker and has proved useful whenever the predictability of the deterministic rules may be leveraged by the attackers to obtain key information of the system, potentially for conducting much more advanced attacks. Randomized algorithms have proved useful in a wide range of mathematical and algorithmic problems (Motwani & Raghavan, 2010). Randomization as a robust control technique has been employed in the last decade (Frasca, Ishii, Ravazzi, & Tempo, 2015; Milanese, 2013). Most of the techniques which aim to provide a confidentiality service use randomization of data. An example of masking the private data in the presence of an adversarial agent is Mo and Murray (2017). The regular (non-adversarial) agents obtain the correct states and compute the average consensus using the masked data with a noise. A similar technique in a network of agents is proposed by Nozari et al. (2017), where the privacy of the states is preserved in an approximate manner. The latter method uses the differential privacy technique to tackle the problem (Cortés et al., 2016; Dwork, 2011). The idea there is to use an alternative randomized data set to maintain the main data set from confidentiality breaches. The idea of randomization has been proposed also in adversarial machine learning (Huang, Joseph, Nelson, Rubinstein, & Tygar, 2011). In Gupta, Katz, and Chopra (2017), the idea of masking data to achieve the exact average consensus in the presence of an eavesdropper is proposed. Dibaji, Pirani, Annaswamy, Johansson, and Chakrabortty (2018) proposes a random gain selection method to secure the closed loop system against disclosure attacks on A3 and A9.

2.2.2. Resilience mechanisms

Resilience is a property defined as the ability to withstand and recover from severe stresses induced by natural stresses or deliberate attacks (Annaswamy, Malekpour, and Baros, 2016; Fawzi, Tabuada, and Diggavi, 2014; Khargonekar, 2015; Obama presidential policy; Rieger, Gertman, & McQueen, 2009). Resilience may not be an inherent property of the system and needs to be bestowed through a suitable design of the control system. A large number of the methods reported in the literature can be viewed as a resilience-increasing mechanism. In what follows, we group these methods into four types, which include (i) Game theory, (ii) Event-triggered Control, (iii) Mean Subsequence Reduced algorithms, and (iv) Trust-based approaches. While (i) and (ii) are based on state-space methods, (iii) and (iv) are graph-based.

(i) Game-theoretic methods:

A game-theoretic approach that provides resilience consists of trying to maximize the price of attacking a system or minimize the damage that an attacker can apply to the system. Game theory, in a nutshell, is an interaction between two or multiple players, where each player tries to optimize some objective function. The challenging part of games is that the objective function of a player depends on the choices of at least one other player in the game. Thus, each player cannot optimize its objective independent of choices of other players.

There is a vast literature on game-theoretic approaches to the security and resilience of control systems since the past decade. These approaches vary depending on the structure of the cyber-physical system or based on the specific type of malicious action acting on the cyber layer. Each of these two approaches is discussed briefly as follows:

Fig. 6. Schematic figure of games in games in physical and cyber layers.

The first approach is to model the game for the security of CPS based on the structure of the cyber and the physical layers (Amin, Schwartz, & Sastry, 2013; Chen & Zhu, 2015; Clark, Zhu, Poovendran, & Başar, 2013; Ferdowsi, Saad, & Mandayam, 2017; La, 2017; Sanjab & Saad, 2016; Sanjab, Saad, & Başar, 2017; Zhu, Bushnell, & Başar, 2013; Zhu, Tembine, & Başar, 2010). One of the common approaches is to define games in both physical and cyber layers. More formally, considering that in the physical layer, the evolution of the system is modeled with the following general dynamics

$$\dot{x}(t) = g\big(t, x, u, w, \eta(t, \alpha, \beta)\big), \tag{5}$$

where $g(\cdot)$ is a nonlinear function of the state $x$, the control action $u$, the disturbance effect $w$ and $\eta(t, \alpha, \beta)$ which is a switching signal indicating the state of the cyber-layer. Here $t$ is the time and $\alpha$ and $\beta$ are the actions of the attacker and defender in the cyber layer, respectively. Parameter $\eta$ evolves in discrete time, e.g., Markov jump model, in the cyber-layer which makes the overall hybrid system shown in Fig. 6. The concept of games-in-games reflects two interconnected games, one in the physical layer and the other in the cyber layer. At the physical layer control system, a zero-sum differential game between the robust controller and the disturbance is used to design an $H_\infty$ controller for achieving robust performance for uncertain parameters or disturbances (Pan & Başar, 1999). At the cyber layer defense system, a zero-sum stochastic game between a defender and an attacker is used to design an optimal cyber policy for ensuring system security (Zhu & Başar, 2011).

Another approach is based on the type of the attack and malicious behaviour (Horák, Zhu, & Bošanský, 2017; Khanafer, Touri, & Başar, 2013; Miao, Zhu, Pajic, & Pappas, 2018; Ugrinovskii & Langbort, 2017; Wu, Li, & Shi, 2017). More particularly, in this case, depending on the type of adversarial or malicious behavior that is active or passive, an appropriate game strategy, e.g., Nash or Stackelberg, has been discussed. More specifically, the interaction between a jammer and a passive defender can be reasonably captured by a Stackelberg game in that the jammer is an active player who sends signals at an intended level to interfere with communication channels while the legitimate user rationally defends itself from such an attack. On the other hand, in the case where the defending user behaves actively or either side has an information advantage, the Nash equilibrium becomes a reasonable solution concept (Felegyhazi & Hubaux, 2006; Gupta, Langbort, & Başar, 2010). Another example is eavesdropping action. As eavesdropping is a passive attack where an eavesdropper receives information that leaks from a communication channel, the behavior of an eavesdropper can be viewed as that of a follower in a Stackelberg game against a user who employs active defenses (Manshaei, Zhu, Alpcan, Başar, & Hubaux, 2013). Recently, an attacker-defender game framework on networks with unknown topology is proposed in which the defender injects control inputs to reach a synchronization while attenuating the (worst case) attack signal from adversarial agents (Vamvoudakis & Hespanha, 2018a; 2018b).

In addition to the above game-theoretic approaches, other approaches have been proposed as well. For instance, the evolution of network control systems has been modeled as cooperative games (Marden, Arslan, & Shamma, 2009) and the resilience of these cooperative games to the actions of adversarial agents or communication failures has been investigated. In Brown, Borowski, and Marden (2019), Brown and Marden (2017) and Amin, Schwartz, et al. (2013) the effect of adversarial agents and communication failures on a cooperative game was discussed. Moreover, in Vamvoudakis, Hespanha, Sinopoli, and Mo (2014) a zero-sum game for the problem of estimation under attacked sensors is suggested. In order to address the threats on cloud-based control systems, a signaling game is designed to model the trust between the defender and the threats (Chen & Zhu, 2017; Pawlick, Farhang, & Zhu, 2015).

(ii) Event-triggered control:

Based on how frequent the attacks occur, event-triggered control schemes instead of time-triggered schemes emerged as appropriate tools to increase the resilience of control systems (for an introduction to event-triggered control, refer to Heemels, Johansson, & Tabuada, 2012). Sensor disruption attacks (also called jamming or DoS), in some time intervals, on measurements (A1 in Fig. 1), are among the threats whose effects can be mitigated via appropriate event-triggered control policies. Event-triggered control techniques have been used to design the sequence of control inputs $u(t_k)$ in order to preserve the input-to-state stability of the closed-loop system. The DoS attacks in these works are limited by the frequency and length. The application of event-triggered control to the resilience of cyber-physical systems has been studied in De Persis and Tesi (2014), De Persis and Tesi (2015), De Persis and Tesi (2018), Cetinkaya, Ishii, and Hayakawa (2017) and Sun, Peng, Zhang, Yang, and Wang (2018). In these works, the control input is sample-and-hold in the time sequence of $t_k - t_{k-1} > \delta$ instead of periodic sampled-data systems. The triggering function to generate a new control input is based on the errors of state variables $x(t_k) - x(t)$. For a comprehensive survey on DoS attacks and event-triggered control tools against them, the reader can refer to Cetinkaya, Ishii, and Hayakawa (2019) and the references therein. In addition to the case of disruption attacks, mitigating the effects of computational deception attacks (A6 in Fig. 1) via event-triggered control techniques has been investigated (Lei, Yang, & Yang, 2016; Yang, Lei, & Yang, 2017).
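The sample-and-hold rule described above, as an added simulation that is not taken from the survey or the cited papers: a scalar plant x' = a x + u with u = -K x(t_k), a relative trigger |x(t_k) - x(t)| > sigma |x(t)|, a minimum inter-event time delta, and DoS modelled as intervals in which no update gets through. The plant, gain, threshold and DoS intervals are all constructed assumptions.

```python
# Added illustration of event-triggered sample-and-hold control under DoS.
# Plant, gain, trigger threshold and DoS intervals are constructed assumptions.

def simulate(dos_intervals, a=1.0, gain=3.0, sigma=0.2, delta=0.01,
             dt=0.001, horizon=10.0, x0=1.0):
    """Simulate x' = a*x + u with u = -gain * x(t_k) held between events.

    dos_intervals: list of (start, end) times during which the sensor
    channel is jammed, so a requested update cannot reach the actuator.
    """
    x = x0
    x_held = x0          # x(t_k): last sample that reached the controller
    last_tx = 0.0        # t_k: time of the last successful transmission
    sent = 1             # the initial sample at t = 0 counts as one update
    peak = abs(x0)
    steps = int(round(horizon / dt))
    for n in range(1, steps + 1):
        # Forward-Euler step of the open-loop-unstable plant with held input.
        x += dt * (a * x - gain * x_held)
        t = n * dt
        peak = max(peak, abs(x))
        # Triggering function on the error x(t_k) - x(t), with t - t_k > delta.
        error = abs(x_held - x)
        wants_update = error > sigma * abs(x) and (t - last_tx) > delta
        jammed = any(start <= t < end for start, end in dos_intervals)
        if wants_update and not jammed:
            x_held, last_tx = x, t
            sent += 1
    return {"final": x, "peak": peak, "sent": sent, "steps": steps}


# DoS limited in frequency and length (two short bursts) versus one long outage.
SHORT_DOS = [(1.0, 1.3), (4.0, 4.2)]
LONG_DOS = [(1.0, 4.0)]

if __name__ == "__main__":
    for name, dos in (("short", SHORT_DOS), ("long", LONG_DOS)):
        r = simulate(dos)
        print(f"{name}: final={r['final']:.2e} peak={r['peak']:.2f} "
              f"updates={r['sent']} of {r['steps']} steps")
```

With the two short bursts the state never exceeds its initial value and only a small fraction of the time steps carry an update; with the single long outage the held input lets the unstable plant run away before the next sample gets through.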

(iii) Mean Subsequence Reduced (MSR) algorithms:

MSR is a resilient control approach in which at each time of the updates, the controller, in order to not get affected by the attacks, ignores the suspicious values and computes the control input. One of the well-known applications of MSR algorithms is against Byzantine threats. Byzantine nodes are the computational nodes that, in an adversarial manner, send inconsistent information to their neighbors (Dibaji, Ishii, & Tempo, 2018; LeBlanc & Koutsoukos, 2018; LeBlanc, Zhang, Koutsoukos, & Sundaram, 2013; Lynch, 1996; Usevitch & Panagou, 2018b; Zhang, Fata, & Sundaram, 2015). Byzantine attacks have been investigated in the '80s in computer science (e.g., Lynch, 1996). Recently, Byzantine consensus is getting revisited, again in the computer science community, to develop secure and reliable cryptocurrencies (see, e.g., Algorand). MSR algorithms have been applied to distributed computational problems, including consensus (Dibaji & Ishii, 2017; Dibaji, Ishii, et al., 2018; LeBlanc et al., 2013), distributed state estimation (Mitra & Sundaram, 2018), synchronization (LeBlanc & Koutsoukos, 2018), clock synchronization (Kikuya, Dibaji, & Ishii, 2018), and distributed optimization (Sundaram & Gharesifard, 2016). MSR algorithms act as local filters, in which, by assuming that the maximum number $f$ of malicious agents in the network is known, every node disregards $f$ largest and $f$ smallest values from its neighbors. Hence, there is no need to have a knowledge about the global topology.³ In these studies, network-theoretic necessary and sufficient conditions for the convergence of MSR algorithms have been introduced. The critical property is called graph robustness which is a measure of connectivity within a graph and characterizes how well groups within the network are connected via multiple paths. Network robustness was first introduced by LeBlanc et al. (2013) for the resilient consensus of agents with first-order interaction dynamics. Graph robustness can be determined with linear programming (Usevitch & Panagou, 2018a) and in general was shown in Zhang et al. (2015) to be a computationally hard problem but can be obtained almost surely in random large networks. While a similar problem of multiple sensors being attacked simultaneously has been addressed in Fawzi et al. (2014) as well, the defense approach taken is different from the MSR-approach and is based on compressed sensing and error correction.
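The local filter described above, as an added example (not code from the survey or the cited works): four normal nodes and one Byzantine node on a complete graph, run once with f = 1 and once with no trimming. The graph, the initial values and the adversary's messages are constructed, and averaging a node's own value with the surviving neighbor values is an assumed update rule.

```python
# Added illustration of an MSR local filter.
# Graph, initial values and adversary behaviour are constructed assumptions.

def byzantine_message(step, receiver):
    """Constructed adversary: sends inconsistent values to different neighbors
    (+100 to even-numbered receivers, -100 to odd-numbered ones)."""
    return 100.0 if receiver % 2 == 0 else -100.0


def msr_step(values, neighbors, f, step):
    """One synchronous round. `values` maps normal node id -> current state;
    any neighbor id missing from `values` is treated as Byzantine."""
    updated = {}
    for i, own in values.items():
        received = sorted(
            values[j] if j in values else byzantine_message(step, i)
            for j in neighbors[i]
        )
        # Disregard the f largest and f smallest values from the neighbors.
        kept = received[f:len(received) - f]
        # Average what survives together with the node's own value.
        updated[i] = (own + sum(kept)) / (1 + len(kept))
    return updated


def run(f, steps=50):
    """Complete graph on nodes 0..4; node 4 is the Byzantine node."""
    nodes = range(5)
    neighbors = {i: [j for j in nodes if j != i] for i in nodes}
    values = {0: 1.0, 1: 2.0, 2: 3.0, 3: 4.0}   # normal nodes only
    history = [values]
    for step in range(steps):
        values = msr_step(values, neighbors, f, step)
        history.append(values)
    return history


def spread(values):
    """Disagreement among normal nodes: max state minus min state."""
    return max(values.values()) - min(values.values())


def stays_within(history, low, high, tol=1e-9):
    """True if every normal state in every round lies in [low, high]."""
    return all(low - tol <= v <= high + tol
               for vals in history for v in vals.values())


if __name__ == "__main__":
    for f in (1, 0):
        hist = run(f)
        print(f"f={f}: spread={spread(hist[-1]):.3g}, "
              f"inside [1, 4] throughout: {stays_within(hist, 1.0, 4.0)}")
```

With f = 1 the normal nodes agree on 2.5 and never leave the interval [1, 4] spanned by their initial values, using only local neighbor lists; with f = 0 the same Byzantine messages keep them 40 apart.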

(iv) Trust-based approaches:

Trust-based methods have been investigated for not only cyber-security but also general problems where some of the subsystems may be untrustworthy. Mikulski, Lewis, Gu, and Hudas (2011), Mikulski, Lewis, Gu, and Hudas (2014) and Haus et al. (2014) have used a multi-agent approach in order to improve overall resilience. This strategy is equivalent to redundancy-based approaches in graphs and is based on the assumption that if the number of attacks is sufficiently small, correct information can flow through the paths formed by trusted nodes. Trust-based approaches have been investigated in Jiang and Baras (2006) and Abbas, Laszka, and Koutsoukos (2018) to spread the information in a multi-agent system in the presence of adversarial nodes. An alternative way is to define a function of trust and update the trust value between the nodes as the system evolves. In such approaches, the reliance and effects of each healthy node on its neighbors is a function of the trust value. A survey on how to use trust models in different network domains is Momani and Challa (2010). Trust-based approaches have been used mainly for defense against deception attacks and more often in the context of sensor networks (Ahmed, Bakar, Channa, Haseeb, & Khan, 2015; Khan & Stanković, 2013) and in DC microgrid control (Abhinav, Modares, Lewis, & Davoudi, 2019).

(v) Other approaches:

In addition to the above four methods, resilience mechanisms have been proposed using a variety of other control methods. Sun, Peng, Yang, Zhang, and He (2017), for instance, suggests a resilient control assuming that the probability of the disruption attacks at each time is at least partially known. A sliding mode control for the resilience against DoS attacks in nonlinear and chaotic systems has been proposed in Zhao and Yang (2017). An acknowledge-based cheating scheme is proposed in Ding, Ren, and Shi (2016). Another technique is Liu, Xu, Li, and Liu (2017), where it proposes a decomposition of Kalman filters as a weighted sum of local state estimates under sparse sensor deception attacks (A2) into a more secure estimation framework. With the help of compressed sensing methods and their relation in error corrections over the reals, Fawzi et al. (2014) proposes a decoding algorithm to recover true states despite the existence of attacks. Moreover, by using separation principle, it shows that if the system is controllable, one can enforce the number of correctable errors (attacks) to be maximum without losing the performance of the system (Fawzi, Tabuada, & Diggavi, 2012). In Satchidanandan and Kumar (2018a,b) when the state space is subject to malicious actions, a decomposition of the state space into a securable and an unsecurable subspace is carried out, where the malicious nodes cannot degrade the state estimation performance in the former but only along the latter. Another recent work is Dibaji, Pirani, et al. (2018) where for defending against the deception attacks (A6) on the cyber layer, an information retrieval approach is used so that the state feedback, at each time step, makes use of healthy and unattacked data. Finally, in Lu, Chang, Zhang, Marinovici, and Conejo (2016), a Lyapunov stability method is employed for DoS attacks in wide-area control of power systems. In Dibaji, Safi and Ishii (2019), a resilient distributed retrieval algorithm based on secure broadcasting and accepting has been employed to compute averaging over strongly robust graphs. Yet another tool used for

³ One reason that in such algorithms detection is not utilized is that detection-based approaches require global topology of the network and have a heavy computational burden on each node (Sundaram & Hadjicostis, 2011).

