Learning-based attacks in cyber-physical systems

We introduce the problem of learning-based attacks in a simple abstraction of cyber-physical systems---the case of a discrete-time, linear, time-invariant plant that may be subject to an attack that overrides the sensor readings and the controller actions. The attacker attempts to learn the dynamics of the plant and subsequently override the controller's actuation signal, to destroy the plant without being detected. The attacker can feed fictitious sensor readings to the controller using its estimate of the plant dynamics and mimic the legitimate plant operation. The controller, on the other hand, is constantly on the lookout for an attack; once the controller detects an attack, it immediately shuts the plant off. In the case of scalar plants, we derive an upper bound on the attacker's deception probability for any measurable control policy when the attacker uses an arbitrary learning algorithm to estimate the system dynamics. We then derive lower bounds for the attacker's deception probability for both scalar and vector plants by assuming a specific authentication test that inspects the empirical variance of the system disturbance. We also show how the controller can improve the security of the system by superimposing a carefully crafted privacy-enhancing signal on top of the "nominal control policy." Finally, for nonlinear scalar dynamics that belong to the Reproducing Kernel Hilbert Space (RKHS), we investigate the performance of attacks based on nonlinear Gaussian-processes (GP) learning algorithms

Detection of replay attacks in CPSs using observer-based signature compensation

© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.This paper presents a replay attack detection method that addresses the performance loss of watermarking-based approaches. The proposed method injects a sinusoidal signal that affects a subset, chosen at random, of the system outputs. The presence of the signal in each one of the outputs is estimated by means of independent observers and its effect is compensated in the control loop. When a system output is affected by a replay attack, the loss of feedback of the associated observer destabilizes the signal estimation, leading to an exponential increase of the estimation error up to a threshold, above which the estimated signal compensation in the control loop is disabled. This event triggers the detection of a replay attack over the output corresponding to the disrupted observer. The effectiveness of the method is demonstrated using results obtained with a quadruple-tank system simulator.Peer ReviewedPostprint (author's final draft

Bibliographical review on cyber attacks from a control oriented perspective

This paper presents a bibliographical review of definitions, classifications and applications concerning cyber attacks in networked control systems (NCSs) and cyber-physical systems (CPSs). This review tackles the topic from a control-oriented perspective, which is complementary to information or communication ones. After motivating the importance of developing new methods for attack detection and secure control, this review presents security objectives, attack modeling, and a characterization of considered attacks and threats presenting the detection mechanisms and remedial actions. In order to show the properties of each attack, as well as to provide some deeper insight into possible defense mechanisms, examples available in the literature are discussed. Finally, open research issues and paths are presented.Peer ReviewedPostprint (author's final draft

Set-based replay attack detection in closed-loop systems using a plug & play watermarking approach

© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.This paper presents a watermarking signal injection method that compensates its effect in the loop, avoiding thus the signal reinjection. Similar to a virtual actuator scheme, the proposed methodology masks the presence of the authentication signal to the system controller, that do not need to be retuned as it remains immunized. Furthermore, a set-based analysis concerning the effect that the performance loss imposed by a watermarking signal has in the detectability of a replay attack is performed for the stationary, assuming that a standard state observer is used in order to monitor the plant. Finally, a numerical application example is used to illustrate the proposed approach.This work has been partially funded by the Spanish State ResearchAgency (AEI) and the European Regional Development Fund (ERFD)through the projects SCAV (ref. MINECO DPI2017-88403-R) and DEOCS(ref. MINECO DPI2016-76493) and AGAUR ACCIO RIS3CAT UTILITIES4.0 – P7 SECUTIL. This work has been also supported by the AEI throughthe Maria de Maeztu Seal of Excellence to IRI (MDM-2016-0656).Peer ReviewedPostprint (author's final draft

Learning-based Attacks in Cyber-Physical Systems

We introduce the problem of learning-based attacks in an abstraction of cyber-physical systems that may be subject to an attack that overrides the sensor readings and the controller actions. The attacker attempts to learn the dynamics of the plant and subsequently override the controller's actuation signal, to destroy the plant without being detected. The attacker can feed fictitious sensor readings to the controller using its estimate of the plant dynamics and mimic the legitimate plant operation. The controller, on the other hand, is constantly on the lookout for an attack; once the controller detects an attack, it immediately shuts the plant off. We derive lower bounds for the attacker's deception probability for linear plants by assuming a specific authentication test that inspects the empirical variance of the system disturbance. We also show how the controller can improve the security of the system by superimposing a carefully crafted privacy-enhancing signal on top of the control policy. Finally, for nonlinear scalar dynamics that belong to the Reproducing Kernel Hilbert Space, we investigate the performance of attacks based on Gaussian-processes regression

Replay Attack Detection in Smart Grids using Switching Multi-sine Watermarking

Cyber-Physical Systems (CPS) are systems that include physical and computational components linked by communication channels. In a Smart Grid (SG), the power plants and loads communicate with supervisors (Central Controllers (CC)) for managing the power demand more efficiently. As such, a smart grid can be regarded as a CPS. The computational components and communication links of a CPS can be subject to cyber-attacks. Researchers have been exploring detection and mitigation strategies for various types of cyber-attacks. An important type of attack is the replay attack for which various strategies based on watermarking signals have been proposed. One such scheme is based on switching multi-sine waves as the watermarking signal. This thesis adapts this scheme and develops a design procedure for detecting replay attacks for smart grids. Specifically, it examines the places in a grid where the watermarking signal can be injected and presents guidelines for choosing the amplitude and frequencies of sine waves that suit smart grids. One of the drawbacks of using a watermarking signal is the additional control cost (i.e., decrease in performance). In the context of smart grids, watermarking results in small fluctuations in delivered power. This thesis extends the single-input-single-output watermarking to a two-input-two-output watermarking scheme for smart grids in such a way to considerably lower grid power fluctuations due to watermarking. The proposed method is verified using a simulated grid connected inverter-based plants. Simulation results show that using the suggested strategy, the effect of watermarking on the overall grid power reduces significantly