Evaluating Resilience of Cyber-Physical-Social Systems

Nowadays, protecting the network is not the only security concern. Still, in cyber security, websites and servers are becoming more popular as targets due to the ease with which they can be accessed when compared to communication networks. Another threat in cyber physical social systems with human interactions is that they can be attacked and manipulated not only by technical hacking through networks, but also by manipulating people and stealing users’ credentials. Therefore, systems should be evaluated beyond cy- ber security, which means measuring their resilience as a piece of evidence that a system works properly under cyber-attacks or incidents. In that way, cyber resilience is increas- ingly discussed and described as the capacity of a system to maintain state awareness for detecting cyber-attacks. All the tasks for making a system resilient should proactively maintain a safe level of operational normalcy through rapid system reconfiguration to detect attacks that would impact system performance. In this work, we broadly studied a new paradigm of cyber physical social systems and defined a uniform definition of it. To overcome the complexity of evaluating cyber resilience, especially in these inhomo- geneous systems, we proposed a framework including applying Attack Tree refinements and Hierarchical Timed Coloured Petri Nets to model intruder and defender behaviors and evaluate the impact of each action on the behavior and performance of the system.Hoje em dia, proteger a rede não é a única preocupação de segurança. Ainda assim, na segurança cibernética, sites e servidores estão se tornando mais populares como alvos devido à facilidade com que podem ser acessados quando comparados às redes de comu- nicação. Outra ameaça em sistemas sociais ciberfisicos com interações humanas é que eles podem ser atacados e manipulados não apenas por hackers técnicos através de redes, mas também pela manipulação de pessoas e roubo de credenciais de utilizadores. Portanto, os sistemas devem ser avaliados para além da segurança cibernética, o que significa medir sua resiliência como uma evidência de que um sistema funciona adequadamente sob ataques ou incidentes cibernéticos. Dessa forma, a resiliência cibernética é cada vez mais discutida e descrita como a capacidade de um sistema manter a consciência do estado para detectar ataques cibernéticos. Todas as tarefas para tornar um sistema resiliente devem manter proativamente um nível seguro de normalidade operacional por meio da reconfi- guração rápida do sistema para detectar ataques que afetariam o desempenho do sistema. Neste trabalho, um novo paradigma de sistemas sociais ciberfisicos é amplamente estu- dado e uma definição uniforme é proposta. Para superar a complexidade de avaliar a resiliência cibernética, especialmente nesses sistemas não homogéneos, é proposta uma estrutura que inclui a aplicação de refinamentos de Árvores de Ataque e Redes de Petri Coloridas Temporizadas Hierárquicas para modelar comportamentos de invasores e de- fensores e avaliar o impacto de cada ação no comportamento e desempenho do sistema

Improving Attack Trees Analysis using Petri Net modeling of Cyber-Attacks

Publisher Copyright: © 2019 IEEE.Cyber security is one general concern to all network-based organizations. In recent years, by significant increasing cyber-attacks in critical infrastructures (CIs) the need of smart prediction, awareness and protection systems is not deniable. The first step for security assessment is on recognizing and analyzing attacks. In this paper, one of the graphical security assessments named Attack Tree (AT) is used to illustrate one kind of cyber-attacks scenario in Industry 4.0 and the system's behavior is analyzed by Petri Nets.authorsversionpublishe

Formal Synthesis of Controllers for Safety-Critical Autonomous Systems: Developments and Challenges

In recent years, formal methods have been extensively used in the design of autonomous systems. By employing mathematically rigorous techniques, formal methods can provide fully automated reasoning processes with provable safety guarantees for complex dynamic systems with intricate interactions between continuous dynamics and discrete logics. This paper provides a comprehensive review of formal controller synthesis techniques for safety-critical autonomous systems. Specifically, we categorize the formal control synthesis problem based on diverse system models, encompassing deterministic, non-deterministic, and stochastic, and various formal safety-critical specifications involving logic, real-time, and real-valued domains. The review covers fundamental formal control synthesis techniques, including abstraction-based approaches and abstraction-free methods. We explore the integration of data-driven synthesis approaches in formal control synthesis. Furthermore, we review formal techniques tailored for multi-agent systems (MAS), with a specific focus on various approaches to address the scalability challenges in large-scale systems. Finally, we discuss some recent trends and highlight research challenges in this area

DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees

This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements

Quantification of the Impact of Cyber Attack in Critical Infrastructures

In this paper we report on a recent study of the impact of cyber-attacks on the resilience of complex industrial systems. We describe our approach to building a hybrid model consisting of both the system under study and an Adversary, and we demonstrate its use on a complex case study - a reference power transmission network (NORDIC 32), enhanced with a detailed model of the computer and communication system used for monitoring, protection and control. We studied the resilience of the modelled system under different scenarios: i) a base-line scenario in which the modelled system operates in the presence of accidental failures without cyber-attacks; ii) scenarios in which cyber-attacks can occur. We discuss the usefulness of our findings and outline directions for further work

ESTABLISHMENT OF CYBER-PHYSICAL CORRELATION AND VERIFICATION BASED ON ATTACK SCENARIOS IN POWER SUBSTATIONS

Insurance businesses for the cyberworld are an evolving opportunity. However, a quantitative model in today\u27s security technologies may not be established. Besides, a generalized methodology to assess the systematic risks remains underdeveloped. There has been a technical challenge to capture intrusion risks of the cyber-physical system, including estimating the impact of the potential cascaded events initiated by the hacker\u27s malicious actions. This dissertation attempts to integrate both modeling aspects: 1) steady-state probabilities for the Internet protocol-based substation switching attack events based on hypothetical cyberattacks, 2) potential electricity losses. The phenomenon of sequential attacks can be characterized using a time-domain simulation that exhibits dynamic cascaded events. Such substation attack simulation studies can establish an actuarial framework for grid operation. The novelty is three-fold. First, the development to extend features of steady-state probabilities is established based on 1) modified password models, 2) new models on digital relays with two-step authentications, and 3) honeypot models. A generalized stochastic Petri net is leveraged to formulate the detailed statuses and transitions of components embedded in a Cyber-net. Then, extensive modeling of steady-state probabilities is qualitatively performed. Methodologies on how transition probabilities and rates are extracted from network components and actuarial applications are summarized and discussed. Second, dynamic models requisite for switching attacks against multiple substations or digital relays deployed in substations are formulated. Imperative protection and control models to represent substation attacks are clarified with realistic model parameters. Specifically, wide-area protections, i.e., special protection systems (SPSs), are elaborated, asserting that event-driven SPSs may be skipped for this type of case study. Third, the substation attack replay using a proven commercially available time-domain simulation tool is validated in IEEE system models to study attack combinations\u27 critical paths. As the time-domain simulation requires a higher computational cost than power flow-based steady-state simulation, a balance of both methods is established without missing the critical dynamic behavior. The direct impact of substation attacks, i.e., electricity losses, is compared between steady-state and dynamic analyses. Steady-state analysis results are prone to be pessimistic for a smaller number of compromised substations. Finally, simulation findings based on the risk-based metrics and technical implementation are extensively discussed with future work

State Estimation of Timed Discrete Event Systems and Its Applications

Many industrial control systems can be described as discrete event systems (DES), whose state space is a discrete set where event occurrences cause transitions from one state to another. Timing introduces an additional dimension to DES modeling and control. This dissertation provides two models of timed DES endowed with a single clock, namely timed finite automata (TFA) and generalized timed finite automata (GTFA). In addition, a timing function is defined to associate each transition with a time interval specifying at which clock values it may occur. While the clock of a TFA is reset to zero after each event occurs and the time semantics constrain the dwell time at each discrete state, there is an additional clock resetting function associated with a GTFA to denote whether the clock is reset to a value in a given closed time interval. We assume that the logical and time structure of a partially observable TFA/GTFA is known. The main results are summarized as follows. 1. The notion of a zone automaton is introduced as a finite automaton providing a purely discrete event description of the behaviour of a TFA/GTFA of interest. Each state of a zone automaton contains a discrete state of the timed DES and a zone that is a time interval denoting a range of possible clock values. We investigate the dynamics of a zone automaton and show that one can reduce the problem of investigating the reachability of a given timed DES to the reachability analysis of a zone automaton. 2. We present a formal approach that allows one to construct offline an observer for TFA/GTFA, i.e., a finite structure that describes the state estimation for all possible evolutions. During the online phase to estimate the current discrete state according to each measurement of an observable event, one can determine which is the state of the observer reached by the current observation and check to which interval (among a finite number of time intervals) the time elapsed since the last observed event occurrence belongs. We prove that the discrete states consistent with a timed observation and the range of clock values associated with each estimated discrete state can be inferred following a certain number of runs in the zone automaton. In particular, the state estimation of timed DES under multiple clocks can be investigated in the framework of GTFA. We model such a system as a GTFA with multiple clocks, which generalizes the timing function and the clock resetting function to multiple clocks. 3. As an application of the state estimation approach for TFA, we assume that a given TFA may be affected by a set of faults described using timed transitions and aim at diagnosing a fault behaviour based on a timed observation. The problem of fault diagnosis is solved by constructing a zone automaton of the TFA with faults and a fault recognizer as the parallel composition of the zone automaton and a fault monitor that recognizes the occurrence of faults. We conclude that the occurrence of faults can be analyzed by exploring runs in the fault recognizer that are consistent with a given timed observation. 4. We also study the problem of attack detection in the context of DESs, assuming that a system may be subject to multiple types of attacks, each described by its own attack dictionary. Furthermore, we distinguish between constant attacks, which corrupt observations using only one of the attack dictionaries, and switching attacks, which may use different attack dictionaries at different steps. The problem we address is detecting whether a system has been attacked and, if so, which attack dictionaries have been used. To solve it in the framework of untimed DES, we construct a new structure that describes the observations generated by a system under attack. We show that the attack detection problem can be transformed into a classical state estimation/diagnosis problem for these new structures

Selection of a stealthy and harmful attack function in discrete event systems

In this paper we consider the problem of joint state estimation under attack in partially-observed discrete event systems. An operator observes the evolution of the plant to evaluate its current states. The attacker may tamper with the sensor readings received by the operator inserting dummy events or erasing real events that have occurred in the plant with the goal of preventing the operator from computing the correct state estimation. An attack function is said to be harmful if the state estimation consistent with the correct observation and the state estimation consistent with the corrupted observation satisfy a given misleading relation. On the basis of an automaton called joint estimator, we show how to compute a supremal stealthy joint subestimator that allows the attacker to remain stealthy, no matter what the future evolution of the plant is. Finally, we show how to select a stealthy and harmful attack function based on such a subestimator

Modeling humanoid swarm robots with petri nets

Master's thesis in Computer scienceRobots have become a hot topic in today‟s electronic world. There are many definitions for it. One of the definition in Oxford dictionary states “a robot is a machine capable for carrying out a complex series of action automatically especially one programmable by a computer”. This paper deals with a special kind of robot, which is also known as humanoid robot. These robots are replication of human beings with head, torso, arms and legs. A model of human is presented in this paper as discrete event system adapted from “Modeling and simulating motions of human bodies…”[1]. This model consists of sixteen interrelated limbs defined in 3D space, so most limbs/joints are able to make movement in three different angles (α, β and γ). Full details regarding Range of Motion (ROM) of rigid body in forward kinematic is illustrated. Human motions are categorized into two types: stochastic and deterministic motions. Deterministic motions are demonstrated using gait cycle of walking and running of normal adult person. The main focus of this paper is to model and simulate humanoid robot represented as Discrete Event Systems (DES); in Petri Net using GPenSIM and later expand those group of robots to swarm setting. GPenSIM is General Purpose Petri Net simulator [2] developed as toolbox for MATLAB to model and simulated discrete events using Petri net tools. Each joint‟s angle is treated as a separate Petri Net model which is independent from each other and their movement‟s limits are defined by ROM of normal human body. The instructions relating to the motion of joints for simulation are fed through a file to the instructor. These movements of joints are represented by variation of tokens displayed at the end of simulation in a graphical figure. Further, same structure of model is used in swarm of robots. Instead of feeding instructions to individual robots, a central instructor is created. This instructor acts as a master to robots acting as slaves where slaves include some predetermined commands embedded inside them. With central command system, a proper synchronization is achieved among group of robots working as swarm. A normal routine of group dance or simple group sport can be accomplished with calculated instructions on this swarm of robot