A Bernoulli-Gaussian Physical Watermark for Detecting Integrity Attacks in Control Systems

We examine the merit of Bernoulli packet drops in actively detecting integrity attacks on control systems. The aim is to detect an adversary who delivers fake sensor measurements to a system operator in order to conceal their effect on the plant. Physical watermarks, or noisy additive Gaussian inputs, have been previously used to detect several classes of integrity attacks in control systems. In this paper, we consider the analysis and design of Gaussian physical watermarks in the presence of packet drops at the control input. On one hand, this enables analysis in a more general network setting. On the other hand, we observe that in certain cases, Bernoulli packet drops can improve detection performance relative to a purely Gaussian watermark. This motivates the joint design of a Bernoulli-Gaussian watermark which incorporates both an additive Gaussian input and a Bernoulli drop process. We characterize the effect of such a watermark on system performance as well as attack detectability in two separate design scenarios. Here, we consider a correlation detector for attack recognition. We then propose efficiently solvable optimization problems to intelligently select parameters of the Gaussian input and the Bernoulli drop process while addressing security and performance trade-offs. Finally, we provide numerical results which illustrate that a watermark with packet drops can indeed outperform a Gaussian watermark.Comment: Appearing in 55th Annual Allerton Conference on Communication, Control, and Computin

Detecting Generalized Replay Attacks via Time-Varying Dynamic Watermarking

Cyber-physical systems (CPS) often rely on external communication for supervisory control or sensing. Unfortunately, these communications render the system vulnerable to cyber-attacks. Attacks that alter messages, such as replay attacks that record measurement signals and then play them back to the system, can cause devastating effects. Dynamic Watermarking methods, which inject a private excitation into control inputs to secure resulting measurement signals, have begun addressing the challenges of detecting these attacks, but have been restricted to linear time invariant (LTI) systems. Though LTI models are sufficient for some applications, other CPS, such as autonomous vehicles, require more complex models. This paper develops a linear time-varying (LTV) extension to previous Dynamic Watermarking methods by designing a matrix normalization factor to accommodate the temporal changes in the system. Implementable tests are provided with considerations for real-world systems. The proposed method is then shown to be able to detect generalized replay attacks both in theory and in simulation using a LTV vehicle model.Comment: 16 pages, 2 figure

A Moving Target Defense for Securing Cyber-Physical Systems

This article considers the design and analysis of multiple moving target defenses for recognizing and isolating attacks on cyber-physical systems. We consider attackers who perform integrity attacks on a set of sensors and actuators in a control system. In such cases, a model aware adversary can carefully design attack vectors to bypass bad data detection and identification filters while causing damage to the control system. To counter such an attacker, we propose the moving target defense which introduces stochastic, time-varying parameters in the control system. The underlying random dynamics of the system limit an attacker's model knowledge and inhibits his/her ability to construct stealthy attack sequences. Moreover, the time-varying nature of the dynamics thwarts adaptive adversaries. We explore three main designs. First, we consider a hybrid system where parameters within the existing plant are switched among multiple modes. We demonstrate how such an approach can enable both the detection and identification of malicious nodes. Next, we investigate the addition of an extended system with dynamics that are coupled to the original plant but do not affect system performance. An attack on the original system will affect the authenticating subsystem and in turn be revealed by a set of sensors measuring the extended plant. Lastly, we propose the use of sensor nonlinearities to enhance the effectiveness of the moving target defense. The nonlinear dynamics act to conceal normal operational behavior from an attacker who has tampered with the system state, further hindering an attacker's ability to glean information about the time-varying dynamics. In all cases mechanisms for analysis and design are proposed. Finally, we analyze attack detectability for each moving target defense by investigating expected lower bounds on the detection statistic. Our contributions are tested via simulation