315 research outputs found
Synthesis of Covert Actuator Attackers for Free
In this paper, we shall formulate and address a problem of covert actuator
attacker synthesis for cyber-physical systems that are modelled by
discrete-event systems. We assume the actuator attacker partially observes the
execution of the closed-loop system and is able to modify each control command
issued by the supervisor on a specified attackable subset of controllable
events. We provide straightforward but in general exponential-time reductions,
due to the use of subset construction procedure, from the covert actuator
attacker synthesis problems to the Ramadge-Wonham supervisor synthesis
problems. It then follows that it is possible to use the many techniques and
tools already developed for solving the supervisor synthesis problem to solve
the covert actuator attacker synthesis problem for free. In particular, we show
that, if the attacker cannot attack unobservable events to the supervisor, then
the reductions can be carried out in polynomial time. We also provide a brief
discussion on some other conditions under which the exponential blowup in state
size can be avoided. Finally, we show how the reduction based synthesis
procedure can be extended for the synthesis of successful covert actuator
attackers that also eavesdrop the control commands issued by the supervisor.Comment: The paper has been accepted for the journal Discrete Event Dynamic
System
Attack-Resilient Supervisory Control of Discrete-Event Systems
In this work, we study the problem of supervisory control of discrete-event
systems (DES) in the presence of attacks that tamper with inputs and outputs of
the plant. We consider a very general system setup as we focus on both
deterministic and nondeterministic plants that we model as finite state
transducers (FSTs); this also covers the conventional approach to modeling DES
as deterministic finite automata. Furthermore, we cover a wide class of attacks
that can nondeterministically add, remove, or rewrite a sensing and/or
actuation word to any word from predefined regular languages, and show how such
attacks can be modeled by nondeterministic FSTs; we also present how the use of
FSTs facilitates modeling realistic (and very complex) attacks, as well as
provides the foundation for design of attack-resilient supervisory controllers.
Specifically, we first consider the supervisory control problem for
deterministic plants with attacks (i) only on their sensors, (ii) only on their
actuators, and (iii) both on their sensors and actuators. For each case, we
develop new conditions for controllability in the presence of attacks, as well
as synthesizing algorithms to obtain FST-based description of such
attack-resilient supervisors. A derived resilient controller provides a set of
all safe control words that can keep the plant work desirably even in the
presence of corrupted observation and/or if the control words are subjected to
actuation attacks. Then, we extend the controllability theorems and the
supervisor synthesizing algorithms to nondeterministic plants that satisfy a
nonblocking condition. Finally, we illustrate applicability of our methodology
on several examples and numerical case-studies
Design-Time Quantification of Integrity in Cyber-Physical-Systems
In a software system it is possible to quantify the amount of information
that is leaked or corrupted by analysing the flows of information present in
the source code. In a cyber-physical system, information flows are not only
present at the digital level, but also at a physical level, and to and fro the
two levels. In this work, we provide a methodology to formally analyse a
Cyber-Physical System composite model (combining physics and control) using an
information flow-theoretic approach. We use this approach to quantify the level
of vulnerability of a system with respect to attackers with different
capabilities. We illustrate our approach by means of a water distribution case
study
Assessing and augmenting SCADA cyber security: a survey of techniques
SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability
Learning-guided network fuzzing for testing cyber-physical system defences
The threat of attack faced by cyber-physical systems (CPSs), especially when
they play a critical role in automating public infrastructure, has motivated
research into a wide variety of attack defence mechanisms. Assessing their
effectiveness is challenging, however, as realistic sets of attacks to test
them against are not always available. In this paper, we propose smart fuzzing,
an automated, machine learning guided technique for systematically finding
'test suites' of CPS network attacks, without requiring any knowledge of the
system's control programs or physical processes. Our approach uses predictive
machine learning models and metaheuristic search algorithms to guide the
fuzzing of actuators so as to drive the CPS into different unsafe physical
states. We demonstrate the efficacy of smart fuzzing by implementing it for two
real-world CPS testbeds---a water purification plant and a water distribution
system---finding attacks that drive them into 27 different unsafe states
involving water flow, pressure, and tank levels, including six that were not
covered by an established attack benchmark. Finally, we use our approach to
test the effectiveness of an invariant-based defence system for the water
treatment plant, finding two attacks that were not detected by its physical
invariant checks, highlighting a potential weakness that could be exploited in
certain conditions.Comment: Accepted by ASE 201
On Decidability of Existence of Nonblocking Supervisors Resilient to Smart Sensor Attacks
Cybersecurity of discrete event systems (DES) has been gaining more and more
attention recently, due to its high relevance to the so-called 4th industrial
revolution that heavily relies on data communication among networked systems.
One key challenge is how to ensure system resilience to sensor and/or actuator
attacks, which may tamper data integrity and service availability. In this
paper we focus on some key decidability issues related to smart sensor attacks.
We first present a sufficient and necessary condition that ensures the
existence of a smart sensor attack, which reveals a novel demand-supply
relationship between an attacker and a controlled plant, represented as a set
of risky pairs. Each risky pair consists of a damage string desired by the
attacker and an observable sequence feasible in the supervisor such that the
latter induces a sequence of control patterns, which allows the damage string
to happen. It turns out that each risky pair can induce a smart weak sensor
attack. Next, we show that, when the plant, supervisor and damage language are
regular, it is computationally feasible to remove all such risky pairs from the
plant behaviour, via a genuine encoding scheme, upon which we are able to
establish our key result that the existence of a nonblocking supervisor
resilient to smart sensor attacks is decidable. To the best of our knowledge,
this is the first result of its kind in the DES literature on cyber attacks.
The proposed decision process renders a specific synthesis procedure that
guarantees to compute a resilient supervisor whenever it exists, which so far
has not been achieved in the literature.Comment: 14 pages, 11 figure
- …