329 research outputs found
Synthesis of Covert Actuator Attackers for Free
In this paper, we shall formulate and address a problem of covert actuator
attacker synthesis for cyber-physical systems that are modelled by
discrete-event systems. We assume the actuator attacker partially observes the
execution of the closed-loop system and is able to modify each control command
issued by the supervisor on a specified attackable subset of controllable
events. We provide straightforward but in general exponential-time reductions,
due to the use of subset construction procedure, from the covert actuator
attacker synthesis problems to the Ramadge-Wonham supervisor synthesis
problems. It then follows that it is possible to use the many techniques and
tools already developed for solving the supervisor synthesis problem to solve
the covert actuator attacker synthesis problem for free. In particular, we show
that, if the attacker cannot attack unobservable events to the supervisor, then
the reductions can be carried out in polynomial time. We also provide a brief
discussion on some other conditions under which the exponential blowup in state
size can be avoided. Finally, we show how the reduction based synthesis
procedure can be extended for the synthesis of successful covert actuator
attackers that also eavesdrop the control commands issued by the supervisor.Comment: The paper has been accepted for the journal Discrete Event Dynamic
System
Attack-Resilient Supervisory Control of Discrete-Event Systems
In this work, we study the problem of supervisory control of discrete-event
systems (DES) in the presence of attacks that tamper with inputs and outputs of
the plant. We consider a very general system setup as we focus on both
deterministic and nondeterministic plants that we model as finite state
transducers (FSTs); this also covers the conventional approach to modeling DES
as deterministic finite automata. Furthermore, we cover a wide class of attacks
that can nondeterministically add, remove, or rewrite a sensing and/or
actuation word to any word from predefined regular languages, and show how such
attacks can be modeled by nondeterministic FSTs; we also present how the use of
FSTs facilitates modeling realistic (and very complex) attacks, as well as
provides the foundation for design of attack-resilient supervisory controllers.
Specifically, we first consider the supervisory control problem for
deterministic plants with attacks (i) only on their sensors, (ii) only on their
actuators, and (iii) both on their sensors and actuators. For each case, we
develop new conditions for controllability in the presence of attacks, as well
as synthesizing algorithms to obtain FST-based description of such
attack-resilient supervisors. A derived resilient controller provides a set of
all safe control words that can keep the plant work desirably even in the
presence of corrupted observation and/or if the control words are subjected to
actuation attacks. Then, we extend the controllability theorems and the
supervisor synthesizing algorithms to nondeterministic plants that satisfy a
nonblocking condition. Finally, we illustrate applicability of our methodology
on several examples and numerical case-studies
On Decidability of Existence of Nonblocking Supervisors Resilient to Smart Sensor Attacks
Cybersecurity of discrete event systems (DES) has been gaining more and more
attention recently, due to its high relevance to the so-called 4th industrial
revolution that heavily relies on data communication among networked systems.
One key challenge is how to ensure system resilience to sensor and/or actuator
attacks, which may tamper data integrity and service availability. In this
paper we focus on some key decidability issues related to smart sensor attacks.
We first present a sufficient and necessary condition that ensures the
existence of a smart sensor attack, which reveals a novel demand-supply
relationship between an attacker and a controlled plant, represented as a set
of risky pairs. Each risky pair consists of a damage string desired by the
attacker and an observable sequence feasible in the supervisor such that the
latter induces a sequence of control patterns, which allows the damage string
to happen. It turns out that each risky pair can induce a smart weak sensor
attack. Next, we show that, when the plant, supervisor and damage language are
regular, it is computationally feasible to remove all such risky pairs from the
plant behaviour, via a genuine encoding scheme, upon which we are able to
establish our key result that the existence of a nonblocking supervisor
resilient to smart sensor attacks is decidable. To the best of our knowledge,
this is the first result of its kind in the DES literature on cyber attacks.
The proposed decision process renders a specific synthesis procedure that
guarantees to compute a resilient supervisor whenever it exists, which so far
has not been achieved in the literature.Comment: 14 pages, 11 figure
Efficient Synthesis of Sensor Deception Attacks Using Observation Equivalence-Based Abstraction
This paper investigates the synthesis of successful sensor deception attack functions in supervisory control using abstraction methods to reduce computational complexity. In sensor deception attacks, an attacker hijacks a subset of the sensors of the plant and feeds incorrect information to the supervisor with the intent on causing damage to the supervised system. The attacker is successful if its attack causes damage to the system and it is not identified by an intrusion detection module. The existence test and the synthesis method of successful sensor deception attack functions are computationally expensive, specifically in partially observed systems. For this reason, we leverage results on abstraction methods to reduce the computational effort in solving these problems. Namely, we introduce an equivalence relation called restricted observation equivalence, that is used to abstract the original system before calculating attack functions. Based on this equivalence relation we prove that the existence of successful attack functions in the abstracted supervised system guarantees the existence of successful attack functions in the unabstracted supervised system and vice versa. Moreover, successful attack functions synthesized from the abstracted system can be exactly mapped to successful attack functions on the unabstracted system, thereby providing a complete solution to the attack synthesis problem
Resilience Against Sensor Deception Attacks at the Supervisory Control Layer of Cyber-Physical Systems: A Discrete Event Systems Approach
Cyber-Physical Systems (CPS) are already ubiquitous in our society and include medical devices, (semi-)autonomous vehicles, and smart grids. However, their security aspects were only recently incorporated into their design process, mainly in response to catastrophic incidents caused by cyber-attacks on CPS. The Stuxnet attack that successfully damaged a nuclear facility, the Maroochy water breach that released millions of gallons of untreated water, the assault on power plants in Brazil that disrupted the distribution of energy in many cities, and the intrusion demonstration that stopped the engine of a 2014 Jeep Cherokee in the middle of a highway are examples of well-publicized cyber-attacks on CPS. There is now a critical need to provide techniques for analyzing the behavior of CPS while under attack and to synthesize attack-resilient CPS. In this dissertation, we address CPS under the influence of an important class of attacks called sensor deception attacks, in which an attacker hijacks sensor readings to inflict damage to CPS.
The formalism of regular languages and their finite-state automata representations is used to capture the dynamics of CPS and their attackers, thereby allowing us to leverage the theory of supervisory control of discrete event systems to pose our investigations. First, we focus on developing a supervisory control framework under sensor deception attacks. We focus on two questions: (1) Can we automatically find sensor deception attacks that damage a given CPS? and (2) Can we design a secure-by-construction CPS against sensor deception attacks? Answering these two questions is the main contribution of this dissertation.
In the first part of the dissertation, using techniques from the fields of graph games and Markov decision processes, we develop algorithms for synthesizing sensor deception attacks in both qualitative and quantitative settings. Graph games provide the means of synthesizing sensor deception attacks that might damage the given CPS. In a second step, equipped with stochastic information about the CPS, we can leverage Markov decision processes to synthesize attacks with the highest likelihood of damage.
In the second part of the dissertation, we tackle the problem of designing secure-by-construction CPS. We provide two different methodologies to design such CPS, in which there exists a trade-off between flexibility on selecting different designs and computational complexity of the methods. The first method is developed based on supervisory control theory, and it provides a computationally efficient way of designing secure CPS. Alternatively, a graph-game method is presented as a second solution for this investigated problem.
The graph-game method grants flexible selection of the CPS at the cost of computational complexity. The first method finds one robust supervisor, whereas the second method provides a structure in which all robust supervisors are included.
Overall, this dissertation provides a comprehensive set of algorithmic techniques to analyze and mitigate sensor deception attacks at the supervisory layer of cyber-physical control systems.PHDElectrical and Computer EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/166117/1/romulo_1.pd
Stealthy Sensor Attacks for Plants Modeled by Labeled Petri Nets
The problem of stealthy sensor attacks for labeled Petri nets is considered. An operator observes the plant to establish if a set of critical markings has been reached. The attacker can corrupt the sensor channels that transmit the sensor readings, making the operator incapable to establish when a critical marking is reached. We first construct the stealthy attack Petri net that keeps into account the real plant evolutions observed by the attacker and the corrupted plant evolutions observed by the operator. Starting from the reachability graph of the stealthy attack Petri net, an attack structure is defined: it describes all possible attacks. The supremal stealthy attack substructure can be obtained by appropriately trimming the attack structure. An attack function is effective if the supremal stealthy attack substructure contains a state whose first element is a critical marking and the second element is a noncritical marking
- …