샘플 데이터로 표현되는 사이버-물리 시스템의 취약점 분석 및 검출 불가능한 공격에 대한 방어 기법

학위논문 (박사) -- 서울대학교 대학원 : 공과대학 전기·정보공학부, 2020. 8. 심형보.The rapid evolution of communication network and computation speed has led to the emergence of cyber-physical systems in which the traditional physical plants are controlled remotely using digital controllers. Unfortunately, however, the separation between the plant and controller with a network communication provides a new chance for external adversaries to intrude control systems, which are highly connected to human life and social infrastructures. For this reason, among various issues of the cyber-physical system, security problems have gained particular attention to control engineers these days. This dissertation presents new theoretical vulnerabilities undetectable from the conventional anomaly detector, which arise due to the mixture of continuous- and discrete-time components on cyber-physical systems, and addresses countermeasures against such vulnerabilities. Specific subjects dealt with in the dissertation are listed as follows: 1) Zero dynamics attacks can be lethal to cyber-physical systems because they can be harmful to physical plants and impossible to detect. Fortunately, if the given continuous-time physical system is minimum phase, the attack is not so effective even if it cannot be detected. However, the situation can become unfavorable if one uses digital control by sampling the sensor measurement and using a zero-order hold for actuation because of the `sampling zeros.' When the continuous-time system has a relative degree greater than two and the sampling period is small, the sampled-data system must have unstable zeros, so that the cyber-physical system becomes vulnerable to `sampling zero dynamics attack.' In this dissertation, we present an idea to neutralize the zero dynamics attack for single-input and single-output sampled-data systems by shifting the unstable discrete-time zeros into stable ones. This idea is realized by employing the so-called `generalized hold' which replaces a standard zero-order hold. It is shown that, under mild assumptions, a generalized hold exists which places the discrete-time zeros at desired positions. Furthermore, we formulate the design problem as an optimization problem whose performance index is related to the inter-sample behavior of the physical plant, and propose an optimal gain which alleviates the performance degradation caused by generalized hold as much as possible, and in order to verify the theoretical results, we apply the proposed strategy to a DC/DC converter with an electrical circuit. 2) The zero dynamics attack has usually been studied as a type of actuator attack, but it can harm the physical plant through the sensor network. Specifically, when the system monitors abnormal behavior of the plant using the anomaly detector (fault detector), one can generate zero dynamics attack on the sensor network deceiving the anomaly detector by regarding the output of the plant and residual of the anomaly detector as a new input and output of a target system. It is noticed that this sensor attack is not so effective when the plant is stable even if the attack is still undetectable. Noting this point, we propose to reexamine the generalized hold as a countermeasure against the undetectable sensor attack. That is, using the fact that the output feedback passing through the generalized hold can stabilize the unstable systems by selecting an appropriate hold function, we show that the plant can be safe from the undetectable sensor attack. Furthermore, to relieve the performance degradation of the use of generalized hold feedback, we employ a discrete-time linear quadratic regulator minimizing a continuous-time cost function. 3) In the sampled-data framework, most anomaly detectors monitor the plant's output only at discrete time instants. Consequently, abnormal behavior between sampling instants cannot be detected if output behaves normally at every sampling instant. This implies that if an actuator attack drives the plant's state to pass through the kernel of the output matrix at each sensing time, then the attack compromises the system while remaining stealthy. This type of attack is always constructible when the sampled-data system has an input redundancy, i.e., the number of inputs being larger than that of outputs and/or the sampling rate of the actuators being higher than that of the sensors. Simulation results for the X-38 vehicle and other numerical examples illustrate this new attack strategy may result in disastrous consequences.디지털 장치들의 연산 속도와 네트워크 전송 속도의 급진적인 발전으로 고전적인 제어 시스템이 네트워크를 통해 원격으로 제어되는 사이버-물리 시스템(cyber-physical systems)이 등장하기 시작했다. 이러한 사이버-물리 시스템은 제어기와 제어 대상의 분리라는 특성상 외부의 악의적인 공격신호로 부터 공격당할 수 있는 잠재적인 위험에 노출되어 있으며 파워플랜트의 원격감시제어(SCADA, Supervisory Control And Data Acquisition)와 같은 사회 기반 시설과도 밀접한 연관이 있어 그 보안성에 관한 연구의 필요성이 강조되고 있다. 본 논문은 사이버-물리 시스템이 연속시간으로 이루어진 물리 플랜트(physical plant)와 디지털 제어기로 이루어져 있다는 사실로부터 이를 영차홀드(zero-order hold)와 샘플러(sampler)로 이산화(discretize)되는 샘플-데이터 시스템으로 표현하고, 연속시간과 이산시간의 결합으로 부터 발생할 수 있는 사이버 공격에 대한 이론적인 취약점을 분석하고 그에 대한 해결책을 제시한다. 구체적으로 본 논문에서는 다음의 세 가지 주제들을 다룬다. 첫 번째로, 본 논문은 시스템의 불안정한(unstable) 영점(zero)의 정보를 이용하여 입력 네트워크를 통해 주입될 경우 검출불가능(undetectable)한 영동역학 공격(zero dynamics attack)이 샘플 데이터 시스템에서 발생하는 샘플링 영점(sampling zero)을 이용하여도 가능하다는 점을 밝힌다. 그리고 영차홀드 대신 일반화된 홀드(generalized hold)를 이용할 경우 이산시간 시스템의 이산시간 영점을 모두 안정한(stable)한 영역으로 할당할 수 있다는 사실에 근거하여 영동역학 공격에 대한 근본적인 대응책으로 영차홀드를 일반화된 홀드로 대체하는 방안을 제안한다. 추가적으로, 일반화된 홀드를 이용할 경우 발생하는 성능저하를 최소화 하기 위해 볼록(convex) 최적화 문제로 일반화된 홀드를 설계하는 방법을 제시한다. 다른 한편, 이산시간 시스템의 출력 센서 네트워크를 입력 그리고 고장 검출기(fault detector)의 잔여신호(residual)를 출력으로 하는 시스템의 영동역학을 이용하여 검출 불가능한 센서 공격이 가능함을 보이고, 이에 대한 해결책으로 이산시간 출력 부터 연속시간 입력까지 일반화된 홀드를 이용한 피드백 루프를 추가하여 공격의 효과를 무효화하는 방법을 제안한다. 또한 이러한 피드백 루프로 인한 제어 성능 저하를 최소화하기 위해 연속시간 비용함수를 최소화하는 이산시간 최적 제어기법의 이용을 제안한다. 마지막으로, 영차홀드와 샘플러의 동작주기가 같지 않은 다중 입출력(MIMO) 샘플-데이터 시스템을 쌓인 시스템(lifted system)으로 표현쌓을 때 출력대비 입력 여유분이 많을 경우, 입력 네트워크를 통하여 검출 불가능한 공격을 가능하게 하는 충분조건을 찾고, 이를 활용하여 공격신호를 생성하는 설계법을 제안한다.1 Introduction 1 1.1 Overview of Security Issues on Cyber-Physical Systems 1 1.2 Contributions and Outline of Dissertation 4 1.3 Preliminary: Characterization of detectable and undetectable attacks 8 2 Use of Generalized Hold in Sampled-data Systems to Counteract Zero Dynamics Attack 13 2.1 Zero Dynamics Attack with Normal Form 13 2.1.1 Continuous-time Linear Systems 13 2.1.2 Sampled-data Linear Systems 16 2.1.3 Simulation Result: Zero Dynamics Attack on Sampling Zeros 18 2.1.4 Existing Countermeasures Against Zero Dynamics Attack 19 2.2 Optimal Generalized Hold Function to Neutralize Zero Dynamics Attack 22 2.2.1 Shifting discrete-time zeros by generalized hold 23 2.2.2 Design of optimal generalized hold function with security guaranteed 27 2.2.3 Simulation Results: Effect of Optimal Generalized Hold 34 2.3 Illustrative Example for Closed-loop System 36 2.4 Experiment: DC/DC Converter with Electrical Circuit 39 2.4.1 Simulation Results 43 2.4.2 Experiment Results 44 2.5 Study on the Effect of Generalized Hold on Intrinsic Zeros of Nonlinear Systems under Fast Sampling 47 3 Use of Generalized Hold Feedback in Sampled-data Systems to Counteract Zero-dynamics Sensor Attack 57 3.1 Undetectable Sensor Attack and its lethality 57 3.1.1 Construction of Zero Dynamics Sensor Attack 58 3.1.2 Simulation Results: Magnetic Levitation of a Steel Ball 61 3.2 Strategy to Neutralize Zero Dynamics Sensor Attack and Relieve Performance Degradation 63 3.2.1 Employing the generalized hold feedback to neutralize zero dynamics sensor attack 64 3.2.2 Simulation Results: Effectiveness of the Generalized Hold 69 3.2.3 DLQR under Consideration of Inter-sample Behavior 71 3.2.4 Simulation Results: Effectiveness of DLQR with Continuous-time Performance Index 77 4 Masking Attack for Sampled-data System via Input Redundancy 79 4.1 Problem Formulation 79 4.2 Design of Masking Attack with Zero-stealthy and Disruptive Properties 83 4.2.1 Clustering the Time Frame 86 4.2.2 Conditions for Masking Attack Design 90 4.2.3 Off-line Construction of Attack Signal 93 4.2.4 Practical Stealthiness of Masking Attack with R \in R 97 4.3 Simulation Results 99 4.3.1 Numerical Example: R = 1 with δ = 0 99 4.3.2 X-38 Vehicle: R = 4 with δ = 0 102 4.3.3 Numerical Example: R = 0.4 with δ = 0.75 105 5 Conclusion of Dissertation 111 BIBLIOGRAPHY 113 국문초록 121Docto

Bibliographical review on cyber attacks from a control oriented perspective

This paper presents a bibliographical review of definitions, classifications and applications concerning cyber attacks in networked control systems (NCSs) and cyber-physical systems (CPSs). This review tackles the topic from a control-oriented perspective, which is complementary to information or communication ones. After motivating the importance of developing new methods for attack detection and secure control, this review presents security objectives, attack modeling, and a characterization of considered attacks and threats presenting the detection mechanisms and remedial actions. In order to show the properties of each attack, as well as to provide some deeper insight into possible defense mechanisms, examples available in the literature are discussed. Finally, open research issues and paths are presented.Peer ReviewedPostprint (author's final draft

Distributed Fault Detection in Formation of Multi-Agent Systems with Attack Impact Analysis

Autonomous Underwater Vehicles (AUVs) are capable of performing a variety of deepwater marine applications as in multiple mobile robots and cooperative robot reconnaissance. Due to the environment that AUVs operate in, fault detection and isolation as well as the formation control of AUVs are more challenging than other Multi-Agent Systems (MASs). In this thesis, two main challenges are tackled. We first investigate the formation control and fault accommodation algorithms for AUVs in presence of abnormal events such as faults and communication attacks in any of the team members. These undesirable events can prevent the entire team to achieve a safe, reliable, and efficient performance while executing underwater mission tasks. For instance, AUVs may face unexpected actuator/sensor faults and the communication between AUVs can be compromised, and consequently make the entire multi-agent system vulnerable to cyber-attacks. Moreover, a possible deception attack on network system may have a negative impact on the environment and more importantly the national security. Furthermore, there are certain requirements for speed, position or depth of the AUV team. For this reason, we propose a distributed fault detection scheme that is able to detect and isolate faults in AUVs while maintaining their formation under security constraints. The effects of faults and communication attacks with a control theoretical perspective will be studied. Another contribution of this thesis is to study a state estimation problem for a linear dynamical system in presence of a Bias Injection Attack (BIA). For this purpose, a Kalman Filter (KF) is used, where we show that the impact of an attack can be analyzed as the solution of a quadratically constrained problem for which the exact solution can be found efficiently. We also introduce a lower bound for the attack impact in terms of the number of compromised actuators and a combination of sensors and actuators. The theoretical findings are accompanied by simulation results and numerical can study examples

Detection and Characterization of Actuator Attacks Using Kalman Filter Estimation

In this thesis, two discrete-time control systems subject to noise, are modeled, analyzed and estimated. These systems are then subjected to attack by false signals such as constant and ramp signals. In order to find out how and when the control systems are being attacked by the false signals, several detection algorithms are applied to the systems. This work focuses on actuator attack detection. To detect the presence of false actuator signals, a bank of Kalman filters is set up which uses adaptive estimation and conditional probability density functions for detecting the false signals. The individual Kalman filters are each tuned to satisfy a control system: one of which is the original system and the other of which is the system with a false signal. The use of the bank of Kalman filters to detect actuator attacks is tested in 4 cases; first-order system attacked by a constant or ramp signal and then a second-order system subject to the same types of attack signals. This work shows the bank of Kalman filters can successfully detect the intrusion of false signals for actuator attack by using several different detection algorithms. Simulations show that the false signal is found and detected in all cases

A Hierarchical Architectural Framework for Securing Unmanned Aerial Systems

Unmanned Aerial Systems (UAS) are becoming more widely used in the new era of evolving technology; increasing performance while decreasing size, weight, and cost. A UAS equipped with a Flight Control System (FCS) that can be used to fly semi- or fully-autonomous is a prime example of a Cyber Physical and Safety Critical system. Current Cyber-Physical defenses against malicious attacks are structured around security standards for best practices involving the development of protocols and the digital software implementation. Thus far, few attempts have been made to embed security into the architecture of the system considering security as a holistic problem. Therefore, a Hierarchical, Embedded, Cyber Attack Detection (HECAD) framework is developed to provide security in a holistic manor, providing resiliency against cyber-attacks as well as introducing strategies for mitigating and dealing with component failures. Traversing the hardware/software barrier, HECAD provides detection of malicious faults at the hardware and software level; verified through the development of an FPGA implementation and tested using a UAS FCS

Detection and Characterization of Actuator Attacks Using Kalman Filter Estimation

In this thesis, two discrete-time control systems subject to noise, are modeled, analyzed and estimated. These systems are then subjected to attack by false signals such as constant and ramp signals. In order to find out how and when the control systems are being attacked by the false signals, several detection algorithms are applied to the systems. This work focuses on actuator attack detection. To detect the presence of false actuator signals, a bank of Kalman filters is set up which uses adaptive estimation and conditional probability density functions for detecting the false signals. The individual Kalman filters are each tuned to satisfy a control system: one of which is the original system and the other of which is the system with a false signal. The use of the bank of Kalman filters to detect actuator attacks is tested in 4 cases; first-order system attacked by a constant or ramp signal and then a second-order system subject to the same types of attack signals. This work shows the bank of Kalman filters can successfully detect the intrusion of false signals for actuator attack by using several different detection algorithms. Simulations show that the false signal is found and detected in all cases

State of the art of cyber-physical systems security: An automatic control perspective

Cyber-physical systems are integrations of computation, networking, and physical processes. Due to the tight cyber-physical coupling and to the potentially disrupting consequences of failures, security here is one of the primary concerns. Our systematic mapping study sheds light on how security is actually addressed when dealing with cyber-physical systems from an automatic control perspective. The provided map of 138 selected studies is defined empirically and is based on, for instance, application fields, various system components, related algorithms and models, attacks characteristics and defense strategies. It presents a powerful comparison framework for existing and future research on this hot topic, important for both industry and academia