On Reachable Sets of Hidden CPS Sensor Attacks

For given system dynamics, observer structure, and observer-based fault/attack detection procedure, we provide mathematical tools -- in terms of Linear Matrix Inequalities (LMIs) -- for computing outer ellipsoidal bounds on the set of estimation errors that attacks can induce while maintaining the alarm rate of the detector equal to its attack-free false alarm rate. We refer to these sets to as hidden reachable sets. The obtained ellipsoidal bounds on hidden reachable sets quantify the attacker's potential impact when it is constrained to stay hidden from the detector. We provide tools for minimizing the volume of these ellipsoidal bounds (minimizing thus the reachable sets) by redesigning the observer gains. Simulation results are presented to illustrate the performance of our tools

Characterization of Model-Based Detectors for CPS Sensor Faults/Attacks

A vector-valued model-based cumulative sum (CUSUM) procedure is proposed for identifying faulty/falsified sensor measurements. First, given the system dynamics, we derive tools for tuning the CUSUM procedure in the fault/attack free case to fulfill a desired detection performance (in terms of false alarm rate). We use the widely-used chi-squared fault/attack detection procedure as a benchmark to compare the performance of the CUSUM. In particular, we characterize the state degradation that a class of attacks can induce to the system while enforcing that the detectors (CUSUM and chi-squared) do not raise alarms. In doing so, we find the upper bound of state degradation that is possible by an undetected attacker. We quantify the advantage of using a dynamic detector (CUSUM), which leverages the history of the state, over a static detector (chi-squared) which uses a single measurement at a time. Simulations of a chemical reactor with heat exchanger are presented to illustrate the performance of our tools.Comment: Submitted to IEEE Transactions on Control Systems Technolog

A Comparison of Stealthy Sensor Attacks on Control Systems

As more attention is paid to security in the context of control systems and as attacks occur to real control systems throughout the world, it has become clear that some of the most nefarious attacks are those that evade detection. The term stealthy has come to encompass a variety of techniques that attackers can employ to avoid detection. Here we show how the states of the system (in particular, the reachable set corresponding to the attack) can be manipulated under two important types of stealthy attacks. We employ the chi-squared fault detection method and demonstrate how this imposes a constraint on the attack sequence either to generate no alarms (zero-alarm attack) or to generate alarms at a rate indistinguishable from normal operation (hidden attack)

Tuning Windowed Chi-Squared Detectors for Sensor Attacks

A model-based windowed chi-squared procedure is proposed for identifying falsified sensor measurements. We employ the widely-used static chi-squared and the dynamic cumulative sum (CUSUM) fault/attack detection procedures as benchmarks to compare the performance of the windowed chi-squared detector. In particular, we characterize the state degradation that a class of attacks can induce to the system while enforcing that the detectors do not raise alarms (zero-alarm attacks). We quantify the advantage of using dynamic detectors (windowed chi-squared and CUSUM detectors), which leverages the history of the state, over a static detector (chi-squared) which uses a single measurement at a time. Simulations using a chemical reactor are presented to illustrate the performance of our tools

Centralized Versus Decentralized Detection of Attacks in Stochastic Interconnected Systems

We consider a security problem for interconnected systems governed by linear, discrete, time-invariant, stochastic dynamics, where the objective is to detect exogenous attacks by processing the measurements at different locations. We consider two classes of detectors, namely centralized and decentralized detectors, which differ primarily in their knowledge of the system model. In particular, a decentralized detector has a model of the dynamics of the isolated subsystems, but is unaware of the interconnection signals that are exchanged among subsystems. Instead, a centralized detector has a model of the entire dynamical system. We characterize the performance of the two detectors and show that, depending on the system and attack parameters, each of the detectors can outperform the other. In particular, it may be possible for the decentralized detector to outperform its centralized counterpart, despite having less information about the system dynamics, and this surprising property is due to the nature of the considered attack detection problem. To complement our results on the detection of attacks, we propose and solve an optimization problem to design attacks that maximally degrade the system performance while maintaining a pre-specified degree of detectability. Finally, we validate our findings via numerical studies on an electric power system.Comment: Submitted to IEEE Transactions on Automatic Control (TAC

Causality and Temporal Dependencies in the Design of Fault Management Systems

Reasoning about causes and effects naturally arises in the engineering of safety-critical systems. A classical example is Fault Tree Analysis, a deductive technique used for system safety assessment, whereby an undesired state is reduced to the set of its immediate causes. The design of fault management systems also requires reasoning on causality relationships. In particular, a fail-operational system needs to ensure timely detection and identification of faults, i.e. recognize the occurrence of run-time faults through their observable effects on the system. Even more complex scenarios arise when multiple faults are involved and may interact in subtle ways. In this work, we propose a formal approach to fault management for complex systems. We first introduce the notions of fault tree and minimal cut sets. We then present a formal framework for the specification and analysis of diagnosability, and for the design of fault detection and identification (FDI) components. Finally, we review recent advances in fault propagation analysis, based on the Timed Failure Propagation Graphs (TFPG) formalism.Comment: In Proceedings CREST 2017, arXiv:1710.0277