Formal Approaches to Control System Security From Static Analysis to Runtime Enforcement

With the advent of Industry 4.0, industrial facilities and critical infrastructures are transforming into an ecosystem of heterogeneous physical and cyber components, such as programmable logic controllers, increasingly interconnected and therefore exposed to cyber-physical attacks, i.e., security breaches in cyberspace that may adversely affect the physical processes underlying industrial control systems. The main contributions of this thesis follow two research strands that address the security concerns of industrial control systems via formal methodologies. As our first contribution, we propose a formal approach based on model checking and statistical model checking, within the MODEST TOOLSET, to analyse the impact of attacks targeting nontrivial control systems equipped with an intrusion detection system (IDS) capable of detecting and mitigating attacks. Our goal is to evaluate the impact of cyber-physical attacks, i.e., attacks targeting sensors and/or actuators of the system with potential consequences on the safety of the inner physical process. Our security analysis estimates both the physical impact of the attacks and the performance of the IDS. As our second contribution, we propose a formal approach based on runtime enforcement to ensure specification compliance in networks of controllers, possibly compromised by colluding malware that may tamper with actuator commands, sensor readings, and inter-controller communications. Our approach relies on an ad-hoc sub-class of Ligatti et al.’s edit automata to enforce controllers represented in Hennessy and Regan’s Timed Process Language. We define a synthesis algorithm that, given an alphabet P of observable actions and a timed correctness property e, returns a monitor that enforces the property e during the execution of any (potentially corrupted) controller with alphabet P, and complying with the property e. Our monitors correct and suppress incorrect actions coming from corrupted controllers and emit actions in full autonomy when the controller under scrutiny is not able to do so in a correct manner. Besides classical requirements, such as transparency and soundness, the proposed enforcement enjoys deadlock- and diverge-freedom of monitored controllers, together with compositionality when dealing with networks of controllers. Finally, we test the proposed enforcement mechanism on a non-trivial case study, taken from the context of industrial water treatment systems, in which the controllers are injected with different malware with different malicious goals

Implementation of an Autotunable Decoupling TITO Controller

In the process industry general TITO systems, i.e. systems with two inputs and two outputs, are usually assumed to be two separate systems. If the system is strongly coupled, the performance is generally poor, but usually nothing is done about this since there are no automatic means to improve it. The aim of this master's thesis is to develop a module with a completely automated design procedure which improves the performance of coupled TITO systems. For this to be possible an automated TITO system identification will be required, as well as automated decouple filter design and PID tuning for decoupled systems. Finally, to confirm that the developed module really works it is tested on a real process

SYSTEM IDENTIFICATION AND MODEL PREDICTIVE CONTROL FOR INTERACTING SERIES PROCESS WITH NONLINEAR DYNAMICS

This thesis discusses the empirical modeling using system identification technique and the implementation of a linear model predictive control with focus on interacting series processes. In general, a structure involving a series of systems occurs often in process plants that include processing sequences such as feed heat exchanger, chemical reactor, product cooling, and product separation. The study is carried out by experimental works using the gaseous pilot plant as the process. The gaseous pilot plant exhibits the typical dynamic of an interacting series process, where the strong interaction between upstream and downstream properties occurs in both ways. The subspace system identification method is used to estimate the linear model parameters. The developed model is designed to be robust against plant nonlinearities. The plant dynamics is first derived from mass and momentum balances of an ideal gas. To provide good estimations, two kinds of input signals are considered, and three methods are taken into account to determine the model order. Two model structures are examined. The model validation is conducted in open-loop and in closed-loop control system. Real-time implementation of a linear model predictive control is also studied. Rapid prototyping of such controller is developed using the available equipments and software tools. The study includes the tuning of the controller in a heuristic way and the strategy to combine two kinds of control algorithm in the control system. A simple set of guidelines for tuning the model predictive controller is proposed. Several important issues in the identification process and real-time implementation of model predictive control algorithm are also discussed. The proposed method has been successfully demonstrated on a pilot plant and a number of key results obtained in the development process are presented

Structure-Preserving Model Reduction of Physical Network Systems

This paper considers physical network systems where the energy storage is naturally associated to the nodes of the graph, while the edges of the graph correspond to static couplings. The first sections deal with the linear case, covering examples such as mass-damper and hydraulic systems, which have a structure that is similar to symmetric consensus dynamics. The last section is concerned with a specific class of nonlinear physical network systems; namely detailed-balanced chemical reaction networks governed by mass action kinetics. In both cases, linear and nonlinear, the structure of the dynamics is similar, and is based on a weighted Laplacian matrix, together with an energy function capturing the energy storage at the nodes. We discuss two methods for structure-preserving model reduction. The first one is clustering; aggregating the nodes of the underlying graph to obtain a reduced graph. The second approach is based on neglecting the energy storage at some of the nodes, and subsequently eliminating those nodes (called Kron reduction).</p

SYSTEM IDENTIFICATION AND MODEL PREDICTIVE CONTROL FOR INTERACTING SERIES PROCESS WITH NONLINEAR DYNAMICS

This thesis discusses the empirical modeling using system identification technique and the implementation of a linear model predictive control with focus on interacting series processes. In general, a structure involving a series of systems occurs often in process plants that include processing sequences such as feed heat exchanger, chemical reactor, product cooling, and product separation. The study is carried out by experimental works using the gaseous pilot plant as the process. The gaseous pilot plant exhibits the typical dynamic of an interacting series process, where the strong interaction between upstream and downstream properties occurs in both ways. The subspace system identification method is used to estimate the linear model parameters. The developed model is designed to be robust against plant nonlinearities. The plant dynamics is first derived from mass and momentum balances of an ideal gas. To provide good estimations, two kinds of input signals are considered, and three methods are taken into account to determine the model order. Two model structures are examined. The model validation is conducted in open-loop and in closed-loop control system. Real-time implementation of a linear model predictive control is also studied. Rapid prototyping of such controller is developed using the available equipments and software tools. The study includes the tuning of the controller in a heuristic way and the strategy to combine two kinds of control algorithm in the control system. A simple set of guidelines for tuning the model predictive controller is proposed. Several important issues in the identification process and real-time implementation of model predictive control algorithm are also discussed. The proposed method has been successfully demonstrated on a pilot plant and a number of key results obtained in the development process are presented