
    Mitigating Emergent Safety and Security Incidents of CPS by a Protective Shell

    In today's modern world, Cyber-Physical Systems (CPS) have gained widespread prevalence, offering tremendous benefits while also increasing society's dependence on them. Given the direct interaction of CPS with the physical environment, their malfunction or compromise can pose significant risks to human life, property, and the environment. However, as the complexity of CPS rises due to heightened expectations and expanded functional requirements, ensuring their trustworthy operation solely during the development process becomes increasingly challenging. This thesis introduces and delves into the novel concept of the 'Protective Shell' – a real-time safeguard actively monitoring CPS during their operational phases. The protective shell serves as a last line of defence, designed to detect abnormal behaviour, conduct thorough analyses, and initiate countermeasures promptly, thereby mitigating unforeseen risks in real-time. The primary objective of this research is to enhance the overall safety and security of CPS by refining, partly implementing, and evaluating the innovative protective shell concept. To provide context for collaborative systems working towards higher objectives — common within CPS as system-of-systems (SoS) — the thesis introduces the 'Emergence Matrix'. This matrix categorises outcomes of such collaboration into four quadrants based on their anticipated nature and desirability. Particularly concerning are outcomes that are both unexpected and undesirable, which frequently serve as the root cause of safety accidents and security incidents in CPS scenarios. The protective shell plays a critical role in mitigating these unfavourable outcomes, as conventional vulnerability elimination procedures during the CPS design phase prove insufficient due to their inability to proactively anticipate and address these unforeseen situations. 
Employing the design science research methodology, the thesis is structured around its iterative cycles and the research questions posed, offering a systematic exploration of the topic. A detailed analysis of various safety accidents and security incidents involving CPS was conducted to retrieve the vulnerabilities that led to dangerous outcomes. By developing specific protective shells for each affected CPS and assessing their effectiveness during these hazardous scenarios, a generic core for the protective shell concept could be retrieved, indicating general characteristics and its overall applicability. Furthermore, the research presents a generic protective shell architecture, integrating advanced anomaly detection techniques rooted in explainable artificial intelligence (XAI) and human machine teaming. While the implementation of protective shells demonstrates substantial positive impacts in ensuring CPS safety and security, the thesis also articulates potential risks associated with their deployment that require careful consideration.
In conclusion, this thesis makes a significant contribution towards the safer and more secure integration of complex CPS into daily routines, critical infrastructures and other sectors by leveraging the capabilities of the generic protective shell framework.

Contents: 1 Introduction 1.1 Background and Context 1.2 Research Problem 1.3 Purpose and Objectives 1.3.1 Thesis Vision 1.3.2 Thesis Mission 1.4 Thesis Outline and Structure 2 Design Science Research Methodology 2.1 Relevance-, Rigor- and Design Cycle 2.2 Research Questions 3 Cyber-Physical Systems 3.1 Explanation 3.2 Safety- and Security-Critical Aspects 3.3 Risk 3.3.1 Quantitative Risk Assessment 3.3.2 Qualitative Risk Assessment 3.3.3 Risk Reduction Mechanisms 3.3.4 Acceptable Residual Risk 3.4 Engineering Principles 3.4.1 Safety Principles 3.4.2 Security Principles 3.5 Cyber-Physical System of Systems (CPSoS) 3.5.1 Emergence 4 Protective Shell 4.1 Explanation 4.2 System Architecture 4.3 Run-Time Monitoring 4.4 Definition 4.5 Expectations / Goals 5 Specific Protective Shells 5.1 Boeing 737 Max MCAS 5.1.1 Introduction 5.1.2 Vulnerabilities within CPS 5.1.3 Specific Protective Shell Mitigation Mechanisms 5.1.4 Protective Shell Evaluation 5.2 Therac-25 5.2.1 Introduction 5.2.2 Vulnerabilities within CPS 5.2.3 Specific Protective Shell Mitigation Mechanisms 5.2.4 Protective Shell Evaluation 5.3 Stuxnet 5.3.1 Introduction 5.3.2 Exploited Vulnerabilities 5.3.3 Specific Protective Shell Mitigation Mechanisms 5.3.4 Protective Shell Evaluation 5.4 Toyota 'Unintended Acceleration' ETCS 5.4.1 Introduction 5.4.2 Vulnerabilities within CPS 5.4.3 Specific Protective Shell Mitigation Mechanisms 5.4.4 Protective Shell Evaluation 5.5 Jeep Cherokee Hack 5.5.1 Introduction 5.5.2 Vulnerabilities within CPS 5.5.3 Specific Protective Shell Mitigation Mechanisms 5.5.4 Protective Shell Evaluation 5.6 Ukrainian Power Grid Cyber-Attack 5.6.1 Introduction 5.6.2 Vulnerabilities in the critical Infrastructure 5.6.3 Specific Protective Shell Mitigation Mechanisms 5.6.4 Protective Shell Evaluation 5.7 Airbus A400M FADEC 5.7.1 Introduction 5.7.2 Vulnerabilities within CPS 5.7.3 Specific Protective Shell Mitigation Mechanisms 5.7.4 Protective Shell Evaluation 5.8 Similarities between Specific Protective Shells 5.8.1 Mitigation Mechanisms Categories 5.8.2 Explanation 5.8.3 Conclusion 6 AI 6.1 Explainable AI (XAI) for Anomaly Detection 6.1.1 Anomaly Detection 6.1.2 Explainable Artificial Intelligence 6.2 Intrinsic Explainable ML Models 6.2.1 Linear Regression 6.2.2 Decision Trees 6.2.3 K-Nearest Neighbours 6.3 Example Use Case - Predictive Maintenance 7 Generic Protective Shell 7.1 Architecture 7.1.1 MAPE-K 7.1.2 Human Machine Teaming 7.1.3 Protective Shell Plugin Catalogue 7.1.4 Architecture and Design Principles 7.1.5 Conclusion Architecture 7.2 Implementation Details 7.3 Evaluation 7.3.1 Additional Vulnerabilities introduced by the Protective Shell 7.3.2 Summary 8 Conclusion 8.1 Summary 8.2 Research Questions Evaluation 8.3 Contribution 8.4 Future Work 8.5 Recommendatio

    Powertrain Systems for Net-Zero Transport

    The transport sector continues to shift towards alternative powertrains, particularly with the UK Government’s announcement to end the sale of petrol and diesel passenger cars by 2030 and increasing support for alternatives. Despite this announcement, the internal combustion engine continues to play a significant role both in the passenger car market, through the use of hybrids and sustainable low carbon fuels, and in other sectors such as heavy-duty vehicles and off-highway applications across the globe. Building on the industry-leading IC Engines conference, the 2021 Powertrain Systems for Net-Zero Transport conference (7-8 December 2021, London, UK) focussed on the internal combustion engine’s role in Net-Zero transport and covered developments in the wide range of propulsion systems available (electric, fuel cell, sustainable fuels etc.) and their associated powertrains. To achieve net-zero transport across the globe, the life-cycle analysis of future powertrains and energy was also discussed. Powertrain Systems for Net-Zero Transport provided a forum for engine, fuels, e-machine, fuel cell and powertrain experts to look closely at the developments in powertrain technology required to meet the demands of the net-zero future and global competition in all sectors of the road transportation, off-highway and stationary power industries.

    THE SYNTHESIS OF NAVISECTION: MODERNIZING DRIVER REHABILITATION PROGRAMS TO ENCOMPASS INTELLIGENT VEHICLE TECHNOLOGIES

    The synthesis of NAViSection introduced a concept for using vehicle-based sensor data to improve the practice of driver evaluation. This project to reinforce licensing recommendations acknowledges that pen and paper documentation confines the expertise of evaluators to driving programs, while advances in vehicle sensors could address driving privilege as people age, experience medical impairments, and acquire disabilities. Through a review of medical record data, client files showed internal and external limitations of current practice. Within the program, a majority of evaluations resulted in a recommendation to continue driving despite the medical conditions referenced in the physician’s referral. This finding connected to concerns about client intake waiting lists before evaluation. Additionally, driver rehabilitation programs lack the insight to counsel clients with a poor medical prognosis on when to review driving capability. The NAViSection methodology proposed a way to integrate data collection with the standard processes of a driver rehabilitation program. While collecting event data based on evaluator intervention, the broader vision sought to correlate interventions with vehicle data patterns for typical driving errors. Through multiple tests and simulations, a design project yielded a novel data collection system based on the NAViSection methodology. The pilot study results showed that assisted-driving events (steering, braking, and verbal cue assistance) correlate best with the recommendations of a Certified Driver Rehabilitation Specialist (CDRS). The NAViSection correlation presented improved predictive values compared to clinical assessment scores and driver history as screening tools. Future work could extend the reach of the CDRS by establishing correlations to telematics products (e.g., OBD2 readers) and other sensing technologies as a screening system in future vehicles.
In relation to driving simulators and naturalistic driving studies, the NAViSection system is better suited to help with at-risk drivers (teen and older Americans) within the setting of driving programs. Lastly, the assisted-driving events by a CDRS present a unique source of collision-avoidance data, which may provide an opportunity to validate collision avoidance technologies from automotive manufacturers through real drivers, on real roads, and in real scenarios.

    GAN-CAN: A Novel Attack to Behavior-Based Driver Authentication Systems

    For many years, car keys have been the sole means of authentication in vehicles. Whether the access control process is physical or wireless, entrusting the ownership of a vehicle to a single token is prone to stealing attempts. Modern vehicles equipped with the Controller Area Network (CAN) bus technology collect a wealth of sensor data in real-time, covering aspects such as the vehicle, environment, and driver. This data can be processed and analyzed to gain valuable insights and solutions for human behavior analysis. For this reason, many researchers started developing behavior-based authentication systems. Many Machine Learning (ML) and Deep Learning (DL) models have been explored for behavior-based driver authentication, but security has not been a primary focus in the design of these systems. By collecting data in a moving vehicle, DL models can recognize patterns in the data and identify drivers based on their driving behavior. This can be used as an anti-theft system, as a thief would exhibit a different driving style compared to the vehicle owner. However, the assumption that an attacker cannot replicate the legitimate driver's behavior fails under certain conditions. In this thesis, we propose GAN-CAN, the first attack capable of fooling state-of-the-art behavior-based driver authentication systems in a vehicle. Based on the adversary's knowledge, we propose different GAN-CAN implementations. Our attack leverages the lack of security in the CAN bus to inject suitably designed time-series data to mimic the legitimate driver. Our malicious time series data is generated through the integration of a modified reinforcement learning technique with Generative Adversarial Networks (GANs) with an adapted training process. Furthermore, we conduct a thorough investigation into the safety implications of the injected values throughout the attack.
This meticulous study is conducted to guarantee that the introduced values do not in any way undermine the safety of the vehicle and the individuals inside it. Also, we formalize a real-world implementation of a driver authentication system considering possible vulnerabilities and exploits. We tested GAN-CAN on an improved version of the most efficient driver behavior-based authentication model in the literature. We prove that our attack can fool it with an attack success rate of up to 99%. We show how an attacker, without prior knowledge of the authentication system, can steal a car by deploying GAN-CAN in an off-the-shelf system in under 22 minutes. Moreover, by considering the safety importance of the injected values, we demonstrate that GAN-CAN can successfully deceive the authentication system without compromising the overall safety of the vehicle. This highlights the urgent need to address the security vulnerabilities present in behavior-based driver authentication systems. In the end, we suggest some possible countermeasures to the GAN-CAN attack.

    Encouraging eco-driving: the case for vibrotactile information presented through the accelerator pedal

    different methods of in-vehicle information presentation to encourage fuel efficient driving behaviours, and to explore the theoretical justifications for the use of in-vehicle haptic stimuli (related to the sense of touch), presented at the site of control (i.e., the accelerator pedal). A review of the literature concerning design, behaviour, and energy use led on to an exploration of Ecological Interface Design, and the Skills, Rules, and Knowledge (SRK) taxonomy of human behaviour, particularly with regard to haptic information presented through the accelerator pedal. Survey and on-road studies served to shed light on the practice of eco-driving more generally, in terms of attitudes, knowledge, behaviour, and cognition. Then followed an analysis of expert eco-drivers’ decision-making processes. This made use of the decision ladder, an analysis tool rooted in the SRK framework. Results of the analysis went on to inform the design of an in-vehicle information system that aimed to support optimum use of the accelerator pedal, both for efficient accelerations, and for maximisation of the coasting phase of the vehicle when approaching deceleration events. A simulator-based experiment served to assess the effects of presenting stimuli in different sensory modes (visual, auditory, vibrotactile), resulting in the conclusion that vibrotactile feedback, being both effective and well received by participants, is indeed suitable for the support of eco-driving. In a second simulator-based study, coasting support provided the sole focus; acceleration behaviours were not investigated. Results suggested that there is a minimum distance away from an event below which stimuli encouraging removal of the foot from the accelerator pedal (in order to coast down to the desired speed) have neither a beneficial effect on driving performance, nor attract positive acceptance ratings from users.
Moreover, stimuli presented farther from the event supported greater benefits in terms of efficiency. Overall findings are discussed with regard to the practical aspect of how best to support eco-driving in the private road vehicle, and in relation to the theoretical justifications for accelerator-based haptic feedback in the vehicle.

    The design and implementation of serious games for driving and mobility

    The automotive and transportation sectors are showing consistent improvements in trends and standards concerning the safe and convenient travel of road users. In this growing community of road users, driver performance is a notable factor, as many on-road mishaps emerge out of poor driver performance. In this research work, a case study and experimental analysis were conducted to improve driver performance through the deployment of serious games. The primary motive of this work is to stimulate on-road user performance through immediate feedback, driver coaching, and real-time gamification methods. The games exploit a cloud-based architecture to retrieve driver performance scores based on real-time evaluation of vehicle signals and display the outcomes on the game scene by adjusting the game parameters according to real-world user performance (in the context of driving and mobility). The deployment of games in cars is a topic of interest in the current state of the art, as there are several factors associated with it, such as safety, usability, and willingness of the users. These aspects were taken into careful consideration while designing the paradigm of the gamification model. The user feedback for the real-time games was extracted through pilot tests and field tests in Genova. The gamification and driver coaching aspects were tested on various occasions (plug-in and field tests conducted at 5 European test sites), and the inputs from these field tests enabled the tuning of the parameters concerning the evaluation and gamification models. The improvement of user behavior was performed through a virtuous cycle with the integration of virtual sensors into the serious gaming framework. As the culmination, usability tests for the real-time games were conducted with 18 test users to understand the user acceptance criteria and the parameters (ease of use and safety) that would contribute to the deployment of the games.
Other salient factors such as the impact of games, large-scale deployment, collaborative gaming and exploitation of the gaming framework for 3rd party applications were also investigated in this research activity. The analysis of the usability tests states that the user acceptance of the implemented games is good. The report from the usability study has addressed user preferences in games such as duration, strategy and gameplay mechanism; these factors provide a foundation for future research in implementing games for mobility.

    Predicting Safety Benefits of Automated Emergency Braking at Intersections - Virtual simulations based on real-world accident data

    Introduction: Intersections are a global traffic safety concern. In the United States, around half of all fatal road traffic accidents take place at intersections or were related to them. In the European Union, about one fifth of road traffic fatalities occur at intersections. Intersection Automated Emergency Braking (AEB) seems to be a promising technology with which to address intersection accidents, as information retrieval by on-board sensing is operational on its own, and, in critical situations, braking is initiated independent of driver reaction. This is not the case for Vehicle-to-Everything (V2X) communication, which requires all conflict-involved vehicles to be equipped with this technology and drivers to respond to an initiated warning. The objective of this thesis is to evaluate the effectiveness of a theoretical Intersection AEB system in avoiding accidents and mitigating injuries. As it will take several decades for a new safety technology to penetrate the vehicle fleet and full coverage of all vehicles may never be achieved, the technology benefit is here analyzed as a function of market penetration. Finally, this research assesses whether a set of test scenarios can be derived without compromising the variance of real-world accidents.

Methods: Data from the United States National Automotive Sampling System / General Estimates System and the Fatality Analysis Reporting System was used to compare the capacity of on-board sensing and V2X communication to save lives. To investigate Intersection AEB in detail, the German In-Depth Accident Study (GIDAS) data and the related Pre-Crash Matrix (PCM) were utilized to re-simulate accidents with and without Intersection AEB using different parameter settings of technical aspects and driver comfort boundaries. Machine learning techniques were used to identify opportunities for data clustering.

Result: On-board sensing has a substantially higher capability to save lives than V2X communication during the period before full market penetration of both is reached. The analysis of GIDAS and PCM data indicates that about two thirds of left-turn across path accidents with oncoming traffic (LTAP/OD) and about 80 percent of straight crossing path (SCP) accidents can be avoided by an idealized Intersection AEB. Moderate to fatal injuries could be avoided to an even higher extent. Key parameters impacting effectiveness are vehicle speed and potential path choice; to increase effectiveness, these should be limited and narrowed down, respectively.

Conclusion and Limitations: Intersection AEB is effective in reducing LTAP/OD and SCP accidents and mitigating injuries. However, intersection accidents are highly diverse and accurate performance evaluation requires taking variations into account. The simulations were conducted using ideal sensing without processing delays and an ideal coefficient of friction estimation.