arxiv: v1 [cs.fl] 13 Jul 2018


Detection and Mitigation of Classes of Attacks in Supervisory Control Systems

Lilian Kawakami Carvalho (a), Yi-Chin Wu (b), Raymond Kwong (c), Stéphane Lafortune (d)

(a) Department of Electrical Engineering, Universidade Federal do Rio de Janeiro, Brasil
(b) Department of EECS, University of Michigan and Department of EECS, University of California at Berkeley, USA
(c) Department of ECE, University of Toronto, Canada
(d) Department of EECS, University of Michigan, USA

Preprint submitted to Automatica, 16 July 2018.

Abstract

The deployment of control systems with network-connected components has made feedback control systems vulnerable to attacks over the network. This paper considers the problem of intrusion detection and mitigation in supervisory control systems, where the attacker has the ability to enable or disable vulnerable actuator commands and erase or insert vulnerable sensor readings. We present a mathematical model for the system under certain classes of actuator enablement attacks, sensor erasure attacks, or sensor insertion attacks. We then propose a defense strategy that aims to detect such attacks online and disables all controllable events after an attack is detected. We develop an algorithmic procedure for verifying whether the system can prevent damage from the attacks considered with the proposed defense strategy, where damage is modeled as the reachability of a pre-defined set of unsafe system states. The technical condition of interest that is necessary and sufficient in this context, termed GF-safe controllability, is characterized. We show that the verification of GF-safe controllability can be performed using diagnoser or verifier automata. Finally, we illustrate the methodology with a traffic control system example.

Key words: Discrete event systems; Automata; Failure diagnosis; Cyber-attacks.

1 Introduction

The increasing amount of networked components in feedback control systems has made these systems vulnerable to cyber threats. Since control systems are often safety critical (e.g., avionics, power grid), it is imperative to embed defense mechanisms into them (Cardenas et al., 2008; Banerjee et al., 2012).

In this paper, we consider the closed-loop control system architecture of Figure 1, where the plant is controlled by the supervisor through sensors and actuators in the traditional feedback loop. The communication channels for the sensor and actuator signals are often unprotected, allowing attackers to potentially inject false sensor or actuator signals.

(Footnote: This work was partially supported by the U.S. National Science Foundation (grant CNS) and by Brazil's CNPq (National Council of Technological and Scientific Development). Email addresses: lilian@dee.ufrj.br (Lilian Kawakami Carvalho), yichin.wu@berkeley.edu (Yi-Chin Wu), kwong@control.utoronto.ca (Raymond Kwong), stephane@umich.edu (Stéphane Lafortune).)

Fig. 1. The closed-loop control system architecture: the supervisor drives the actuators of the plant and reads the plant's sensors.

We consider event-driven supervisory control systems where the plant is abstracted as a discrete event system. The supervisor monitors the plant behavior through the events generated by the sensors and it dynamically issues enable/disable actuator commands in order to enforce a given specification. We study the problem of intrusion detection and mitigation for control systems under four classes of attacks: Actuator Enablement attacks (AE-attacks), Actuator Disablement attacks (AD-attacks), Sensor Erasure attacks (SE-attacks) and Sensor Insertion attacks (SI-attacks). Specifically, in an attack scenario, some actuators or sensors are deemed vulnerable and the attacker can change the actuator commands (from disable to enable or vice-versa) or change the sensor readings (by erasing a genuine sensor event or inserting a fictitious one). We address the problem of protecting the system from reaching a pre-defined set of unsafe states under each of the above attack scenarios. Note that in general actuator attacks or sensor erasure attacks are not directly observable, while inserted fictitious sensor events are assumed to be indistinguishable from genuine ones for the supervisor. We leverage results from supervisory control and fault diagnosis of discrete event systems and propose a defense strategy that detects attacks online and disables all controllable actuator events after detecting an attack with certainty. This defense strategy may not be sufficient in general to prevent damage. Hence, we characterize a property termed General Form of safe controllability (GF-safe controllability for short) that precisely captures the capability of preventing the system from reaching an unsafe state after an attack, using the proposed defense strategy. Here, GF stands for AE, SE, or SI. An algorithmic procedure is developed to verify whether the system is GF-safe controllable. For this purpose, diagnoser or verifier automata can be employed.

The key feature distinguishing this work from the large amount of work in cybersecurity is our focus on closed-loop control systems. We adopt a model-based approach to precisely capture the vulnerabilities and the effects of an attack on the control system. The model-based approach enables a formal characterization of the unsafe behavior that an attacker tries to induce and the resiliency that the system defender wants to achieve. The model-based approach also allows for monitoring deviations from the normal system behavior. Our work is complementary to the works on anomaly/intrusion detection in cyber systems (e.g., Lazarevic et al. (2005); Hoffman et al. (2009); Zhou et al. (2010); Modi et al. (2013)) where detection is based on statistical analysis of network packets, for instance.

We do not focus on how attackers infiltrate vulnerable actuators or sensors, but rather on the detection of attacks and on the modeling of their effects on the control system. Under each of the four types of attacks considered, we adopt a fairly simple attack model which can be paraphrased as "attack whenever possible". However, our methodology is general and more sophisticated attack models could be embedded in it. Similarly, our defense strategy upon detection of attacks is based on "safety first", by switching to a safe mode of operation, but more refined defense mechanisms could be embedded in our modeling methodology, if so desired.

Intrusion detection and prevention in the setting of supervisory control of discrete event systems have been previously studied in Thorsley and Teneketzis (2006), where the authors consider the design of a supervisor that achieves the specification both in normal operation and after an attack. The focus in Thorsley and Teneketzis (2006) is on finding language conditions under which the supervisor can prevent unsafe behavior in the presence of attacks while achieving a given specification, using a notion called disable language, which shares several similarities with the safe controllability condition used in this paper. Our focus is more explicit than Thorsley and Teneketzis (2006) in terms of modeling several classes of attacks, detecting them algorithmically using diagnoser automata, and switching to safe mode upon detection. The problem of intrusion detection and prevention is related to fault tolerant supervisory control problems, a well-studied problem in the literature (see, e.g., Rohloff (2005); Nke and Lunze (2011); Paoli et al. (2011); Sülek and Schmidt (2014); Wen et al. (2014); Moor (2015)), where a robust supervisor is designed to maintain the specification even when the system becomes faulty. Our approach is closest to the work in Paoli et al. (2011), where the authors consider a strategy that detects faults online and reconfigures the control law when a fault is detected. Our notion of GF-safe controllability is a GF-attack variant of the safe controllability property introduced in Paoli et al. (2011).

The main contributions of this paper are as follows. First, we present a mathematical model for supervisory control systems under AE-attacks and propose a defense strategy that detects attacks online and, upon detection with certainty, disables all controllable events in order to prevent attack damage. We define the property of AE-safe controllability that characterizes the system's capability to prevent damage under AE-attacks and develop algorithmic procedures for verifying AE-safe controllability using diagnoser and verifier automata. Next, we consider other types of attacks. We only briefly discuss AD-attacks and focus instead on SE- and SI-attacks. Paralleling the case of AE-attacks, we model the effect of SE- and SI-attacks on the control system. For AE- and SE-attacks, we consider a worst-case scenario where the attacker may attack at every opportunity. For SI-attacks, we consider an attack strategy where the attacker never inserts a sensor reading that is not defined in the current state of the nominal supervisor. We then generalize AE-safe controllability to GF-safe controllability, the property that the system should satisfy in order to successfully prevent damage from either AE-, SE- or SI-attacks, and finally we develop a test to verify GF-safe controllability. In the case of SE- and SI-attacks, in addition to testing the corresponding version of GF-safe controllability, it is also necessary to test if the control system under attack has a deadlock.

The remainder of this paper is organized as follows. We define the types of attacks we deal with in Section 2. Section 3 introduces our mathematical framework. Section 4 studies the effect of actuator enablement attacks. Then, in Section 5, we define the property of AE-safe controllability and discuss its verification. We present the model of the system under sensor erasure and insertion attacks in Sections 6 and 7, respectively. In Section 8, we define the property of GF-safe controllability and present an algorithm for its verification. Finally, in Section 9, we illustrate our methodology with a traffic control system example and in Section 10, we conclude the paper.

A preliminary and partial version of the results in Sections 4 and 5 was presented in Carvalho et al. (2016). The results in Sections 5.4, 6, 7, and 8 are new.

2 Types of attacks

We depict in Figure 2 the attack model under consideration. The control system architecture under attack has plant $G$ equipped with a set of potentially vulnerable sensors and actuators, and $G$ is controlled by a partial-observation supervisor (or P-supervisor) $S_P$. Let $E$ be the event set of $G$. The actuators are modeled by the set of controllable events $E_c$, with $E_c \subseteq E$, while the sensors are modeled by the set of observable events $E_o$, with $E_o \subseteq E$. The supervisor observes the occurrences of the plant's observable events through projection $P_o$ from set $E$ to set $E_o$. The attacker, represented by block $A$, has access to subsets of $E_c$ and $E_o$, representing vulnerable actuators and sensors and denoted by $E_{c,v} \subseteq E_c$ and $E_{o,v} \subseteq E_o$, respectively. The sets $E_{c,v}$ and $E_{o,v}$ are predefined based on system knowledge and are application dependent. They can, for example, reflect the capability of the attacker to exploit vulnerabilities of the system. Finally, block $G_D$ is the module that detects attacks, which we call the intrusion detection module.

Fig. 2. The control system architecture under attack: plant $G$, supervisor $S_P$, intrusion detection module $G_D$, attacker $A$ acting on $E_{c,v}$ and $E_{o,v}$, projection $P_o$ onto $E_o$, and the two +/- combination blocks.

The fact that the attacker can compromise either sensors or actuators is captured by the two outputs of $A$ that affect: (i) the actual observations of $S_P$ and $G_D$, which consist of the genuine sensor readings affected by the attacks on them; and (ii) the actual control actions that are applied to $G$, which consist of the combination of the genuine control actions of $S_P$ with those of $A$. The combination of the attacks of $A$ with genuine sensor readings and genuine control actions is denoted by the two +/- blocks in Figure 2.

This +/- is a conceptual operation and represents the following four types of attack of $A$ considered herein:
- AE for Actuator Enablement: $A$ overrides a control action of $S_P$ on a particular controllable event in $E_{c,v}$, by enabling an event that is currently disabled by $S_P$;
- AD for Actuator Disablement: $A$ overrides a control action of $S_P$ on a particular controllable event in $E_{c,v}$, by disabling an event that is currently enabled by $S_P$;
- SE for Sensor Erasure: $A$ erases an occurrence of an observable event in $E_{o,v}$, thereby making that occurrence unobservable to $S_P$ and $G_D$;
- SI for Sensor Insertion: $A$ inserts a fictitious occurrence of an observable event in $E_{o,v}$ to the observation stream of $S_P$ and $G_D$.

Hereafter, we assume that $S_P$ has already been designed and is fixed. The goal is to design $G_D$ to detect and mitigate attacks by $A$ in each of the four above cases. The attack model of $A$ that is considered by $G_D$ will be discussed in each case.

3 Mathematical framework

We consider plants modeled as deterministic finite-state automata. An automaton is denoted by $G = (X, E, f, x_0, X_m)$, where $X$ is the finite set of states, $E$ is the finite set of events, $f : X \times E \to X$ is the (potentially partial) transition function, $x_0$ is the initial state, and $X_m$ is the set of marked states. For the sake of simplicity, the set of marked states will be omitted unless blocking is considered. The language generated by $G$ is the set of strings defined by $L(G) := \{s \in E^* : f(x_0, s) \text{ is defined}\}$ and the language marked by $G$ is $L_m(G) := \{s \in E^* : f(x_0, s) \in X_m\}$. Consider an event set $E' \subseteq E$ and a state $x \in X$; the set of reachable states with respect to $E'$ and $x$ is defined as $\mathrm{Reach}(G, x, E') = \{x' \in X : (\exists s \in E'^*)[f(x, s) = x']\}$. The active event set of $G$ at state $x$ is denoted by $\Gamma_G(x)$. As was mentioned above, $E$ is partitioned as $E = E_o \,\dot\cup\, E_{uo}$, where $E_o$ and $E_{uo}$ denote, respectively, the sets of observable and unobservable events; similarly, $E = E_c \,\dot\cup\, E_{uc}$, where $E_c$ and $E_{uc}$ denote, respectively, the sets of controllable and uncontrollable events. When an event $\sigma$ appears in string $s$, we write $\sigma \in s$. Similarly, we write $E' \in s$ whenever $s$ has an event in $E'$.

The natural projection $P_o : E^* \to E_o^*$ is defined such that (i) $P_o(\varepsilon) = \varepsilon$; (ii) $P_o(\sigma) = \sigma$ if $\sigma \in E_o$; (iii) $P_o(\sigma) = \varepsilon$ if $\sigma \in E_{uo}$; and (iv) $P_o(s\sigma) = P_o(s)P_o(\sigma)$ for $s \in E^*$ and $\sigma \in E$, where $\varepsilon$ denotes the empty string. Given $t \in E_o^*$, the inverse projection of $t$ is $P_o^{-1}(t) = \{s \in E^* : P_o(s) = t\}$. Both the projection and the inverse projection operations are extended to languages by applying $P_o(s)$ and $P_o^{-1}(s)$ to all strings in the language. We write $s' < s$ when $s'$ is a strict prefix of $s$. Given $L \subseteq E^*$, we define $L/s := \{t : st \in L\}$, which is the set of all suffix strings in $L$ after $s$.

When it is necessary to restrict the behavior of $G$ in order to satisfy some performance specification $K \subseteq L(G)$, we introduce a feedback control loop together with a supervisor. We consider specifications defined in terms of admissible sublanguages of $L(G)$. The supervisor dynamically enables or disables events of the plant (Ramadge and Wonham, 1989), restricting the closed-loop behavior within the admissible language. In general, the plant is partially observable and thus the supervisor decides which events to disable based on the projections of strings generated by $G$. More specifically, a supervisor under partial observation is a mapping $S_P : P_o[L(G)] \to 2^E$; for every string $s$ generated by $G$, the supervisor makes its decision based on $P_o(s)$. As a consequence, two different strings $s_1$ and $s_2$ with the same projection lead to the same control action.

Such a supervisor is referred to as a P-supervisor, and the resulting controlled system is denoted by $S_P/G$. We say that a sublanguage $K$ of $L(G)$ is controllable with respect to $L(G)$ and $E_{uc}$ if $\overline{K}E_{uc} \cap L(G) \subseteq \overline{K}$. Also, $K$ is observable with respect to $L(G)$, $P_o$ and $E_c$ if for all $s \in \overline{K}$ and $\sigma \in E_c$, $s\sigma \notin \overline{K}$ and $s\sigma \in L(G)$ implies that $P_o^{-1}[P_o(s)]\sigma \cap \overline{K} = \emptyset$. It is well-known that controllability and observability are necessary and sufficient for the existence of a supervisor that enforces $K$ (Wonham, 2013).

4 Actuator enablement attacks

This section and the next one consider a supervisory control system with vulnerable actuators. Specifically, we consider an attack scenario where the attacker has infiltrated a set of vulnerable actuators and overrides disable control actions from the supervisor by enable actions for the compromised actuators. The goal of the attacker is to use these enable control actions to potentially drive the system to an unsafe state. We call such attacks Actuator Enablement attacks, or AE-attacks for short. To represent the AE-attack model in Figure 2, the combination of the control actions of the supervisor $S_P$ and the attacker $A$ (+/- block) is to be interpreted as the OR operation on the control actions (i.e., enabled events) of $S_P$ and those of the attacker $A$. Recall that the set of vulnerable actuator events is denoted by $E_{c,v}$, which is a subset of $E_c$. The vulnerable actuator events in $E_{c,v}$ can be either observable or unobservable. Our methodology accounts for both cases. The attacker potentially observes the same set of observable events through $P_o$ as the system does (this is left unspecified), and it can override the supervisor's control actions on vulnerable events. Ignoring attacks, the closed-loop behavior is $L(S_P/G) = K$, where $K$ is a controllable and observable sublanguage of $L(G)$. That is, $S_P$ is the nominal supervisor that was designed to enforce $K$. It may or may not be resilient to attacks; this is what we wish to determine. Module $G_D$ receives the occurrences of observable events through projection $P_o$ and its goal is to infer the presence of AE-attacks.

When such detection occurs with certainty, we adopt the simple defense model that $G_D$ forces $S_P$ to switch from enforcing $K$ to a safe mode, where all controllable events are permanently disabled. In the development that follows, we assume that $G_D$ has no prior knowledge of the attack model of $A$, so $G_D$ will consider that $A$ can potentially override every disable command to a vulnerable actuator; in other words, $G_D$ assumes a worst-case attack scenario. But other attack scenarios could be considered by suitably altering the modeling methodology presented next. The simple defense strategy of disabling all controllable events corresponds to "expect the worst and put safety first". Our primary focus in this paper is to develop a precise model for various types of attacks in supervisory control systems and to understand the effects of such attacks. This problem does not appear to have been studied in this formal manner in the literature. Since this is the objective of this work, we have adopted the simple and conservative "safety first" approach to defend against attacks, and have left the refinement of our methodology to account for more sophisticated defense mechanisms, as well as other issues such as blocking, for future work.

We now describe how to model the closed-loop system under the above scenario of an AE-attack; then we will show how to design the intrusion detection module $G_D$ in Section 5. We employ two operations in our modeling methodology: dilation and compression (Carvalho et al., 2012; Alves et al., 2014). These operations are useful for modeling the attacker's actions. In order to do so, let $E'_{c,v} = \{\sigma' : \sigma \in E_{c,v}\}$ denote the set of attacker's events on vulnerable actuators, which we will refer to as attacked actuator events, and define $E^a = E \cup E'_{c,v}$. The dilation operation is a mapping $D : E^* \to 2^{(E^a)^*}$ with the following properties: (i) $D(\varepsilon) = \{\varepsilon\}$; (ii) $D(\sigma) = \{\sigma\}$ if $\sigma \in E \setminus E_{c,v}$; (iii) $D(\sigma) = \{\sigma, \sigma'\}$ if $\sigma \in E_{c,v}$; and (iv) $D(s\sigma) = D(s)D(\sigma)$ where $s \in E^*$ and $\sigma \in E$. The compression operation recovers string $s$ from a dilation string in $(E^a)^*$. It is a mapping $C : (E^a)^* \to E^*$ such that (i) $C(\varepsilon) = \varepsilon$; (ii) $C(\sigma) = \sigma$ if $\sigma \in E$; (iii) $C(\sigma') = \sigma$ if $\sigma \in E_{c,v}$; and (iv) $C(s^a\sigma) = C(s^a)C(\sigma)$ where $s^a \in (E^a)^*$ and $\sigma \in E^a$. Both the dilation and the compression operations can be extended to languages by applying them to all strings in the language. That is, $D(L) = \bigcup_{s \in L} D(s)$ and $C(L^a) = \bigcup_{s^a \in L^a} C(s^a)$.

We present in Algorithm 1 the construction of the closed-loop system under AE-attacks. Consider the plant $G$ and let $H$ be the finite-state automaton realization of supervisor $S_P$. Recall that the realization of a partial-observation supervisor captures in its active event set the current set of enabled events; in particular, enabled unobservable events are captured by self-loops at the current state of $H$. First, we construct $G^a$ by adding to $G$ all possible attacker actions using the dilation operator $D$ on $L(G)$. For a transition labeled by $\sigma \in E_{c,v}$ in $G$, we add in parallel a transition labeled by $\sigma'$ to represent an AE-attack. This captures an attack by $A$ on each transition representing a vulnerable actuator event. Next, we build $H^a$, the overall supervisor under the effect of AE-attacks. Specifically, we take the supervisor realization $H$ and add self-loops to all of its states with events in $E'_{c,v}$, when the compression of the candidate event is not in the active event set of the state. These self-loops for attack events model the attacker's ability to enable attacked actuator events, when those events are disabled by $S_P$. In addition, to capture the fact that a supervisor should never disable an uncontrollable system event, we also add self-loops for every uncontrollable event, when these events are not in the active event set of the state.

Indeed, after an AE-attack, new occurrences of uncontrollable events could occur that are not defined at the current supervisor state (since the plant may have changed state unknown to the supervisor due to an AE-attack).

Finally, we find the closed-loop system under AE-attacks, $G^M$, by parallel composing $H^a$ and $G^a$. Automaton $G^M$ models the behavior of the system in the presence of AE-attacks on all vulnerable actuators at all times, which corresponds to the worst-case scenario under consideration. For simplicity, in the remainder of this paper, we will write $L^M$ for $L(G^M)$. Clearly, by construction of $G^M$, $L^M$ will be a controllable and observable sublanguage of $L(G^a)$.

Algorithm 1 Algorithm for AE-attack model
Inputs: $G = (X, E, f, x_0)$ and $H = (X_H, E, f_H, x_{0,H})$: plant and supervisor realizations, respectively; $E_o$, $E_c$ and $E_{c,v}$: sets of observable, controllable and vulnerable actuator events.
Output: Closed-loop system under AE-attacks $G^M = (X^M, E^a, f^M, x_{0,M})$.
1: Build $G^a = (X, E^a, f^a, x_0)$, where $f^a(x, \sigma^a) := f(x, C(\sigma^a))$ if $f(x, C(\sigma^a))$ is defined, for $\sigma^a \in E^a$, $x \in X$.
2: Build $H^a = (X_H, E^a, f^a_H, x_{0,H})$, where $f^a_H(x_H, \sigma) = f_H(x_H, \sigma)$ if $f_H(x_H, \sigma)$ is defined, and $f^a_H(x_H, \sigma) = x_H$ if $(\sigma \in E'_{c,v} \wedge f_H(x_H, C(\sigma))$ is undefined$) \vee (\sigma \in E_{uc} \wedge f_H(x_H, \sigma)$ is undefined$)$.
3: Compute $G^M = H^a \parallel G^a$.

In $G^M$, the only controllable events are those in $E_c$, since the events in $E'_{c,v}$ are actions of the attacker and thus uncontrollable. Note that the events in $E_{c,v}$ are indeed controllable, but of course they can be overridden by the corresponding events in $E'_{c,v}$. Also, the observability properties of the events in $E'_{c,v}$ are inherited from the corresponding ones in $E_{c,v}$.

Example 1. We consider the plant $G$ in Figure 3(a) with $E_c = E_{c,v} = \{b\}$. State 4 is the unsafe state of the plant and it is identified with a square. The supervisor that controls $G$ is realized as automaton $H$ in Figure 3(b). Notice that the supervisor disables event $b$ at state 2, thereby preventing the plant from reaching unsafe state 4. Following Algorithm 1, we build $G^a$ in Figure 3(c) by adding a transition labeled by $b'$ in parallel with the transition labeled by $b$. We then build in Figure 3(d) the realization of the supervisor under AE-attacks by adding a self-loop for attacked actuator event $b'$ at every state; we also add self-loops for uncontrollable events $a$ and $c$ when they are not in the active event set of the state. Finally, we build in Figure 3(e) the closed-loop system under AE-attacks by $G^M = H^a \parallel G^a$. Each state in $G^M$ is a pair where the first state is the supervisor state and the second state is the plant state. We can see that, with the attacker enablement of vulnerable actuator event $b$, the plant can transition from state 2 to state 3 and then reach unsafe state 4 through uncontrollable event $c$.

Fig. 3. Figures of Example 1: (a) $G$: plant model (states 1 to 4, with 4 unsafe); (b) $H$: supervisor realization (states 1 and 2); (c) $G^a$: plant subject to attack; (d) $H^a$: supervisor realization including the effects of the attack; (e) $G^M$: closed-loop system under attack, with states $(1,1)$, $(2,2)$, $(2,3)$, $(2,4)$.

5 Detection and mitigation of actuator enablement attacks

5.1 Detection and mitigation strategy

As we can see in Example 1, under AE-attacks, the plant can deviate from the specification enforced by the supervisor and reach an unsafe state. To mitigate the effects of such attacks, our strategy is to design an attack detection module and then switch to a safe mode of operation when an attack has been detected. This defense strategy may or may not be sufficient to prevent the system from reaching a set of states deemed unsafe. Our goal is to identify a condition under which this defense strategy does work. We model the set of unsafe states distinctly from the original specification $K$ achieved by $S_P$. That is, while all states reached by $S_P/G$ are assumed to be safe, not all states outside of those reached by $S_P/G$ may be unsafe. We denote the set of unsafe states by $X_f$. $X_f$ is a subset of $X$ that captures physical states where damage to the plant would occur, for instance. Such states can be determined from properties of the physical system when the automaton model is developed. Our techniques are adapted from techniques developed in Paoli et al. (2011) for safe controllability and in Thorsley and Teneketzis (2006) for disable languages.

Specifically, with the model developed in the previous section, we formulate the problem of attack detection as a fault diagnosis problem, where the fault events are the attacker's actions on vulnerable actuator events. We design an intrusion detection module that monitors the output from the plant and notifies the supervisor when an attack has been detected (with certainty). The supervisor, upon receiving an attack report from the intrusion detection module, switches to its safe mode of operation where it disables all controllable events. We remark that the attack detection together with the safe controllability strategy derived here are also suitable for on-the-fly implementations, since they rely solely on diagnosers, which can be constructed on-the-fly (as opposed to synthesized off-line).

5.2 AE-safe controllability

We define a variant of safe controllability from Paoli et al. (2011) in the context of AE-attacks and call it AE-Safe Controllability; it is formally defined in Definition 1 below. Specifically, consider the set of unsafe states $X_f \subseteq X$. Let $\Psi(E'_{c,v}) = \{t \in L(G^a) : t = t'\sigma', t' \in (E^a)^*, \sigma' \in E'_{c,v}\}$ denote the set of strings for which the last event is an attacked actuator event. Consider $G^M$ built in Algorithm 1 that models the closed-loop system subject to AE-attacks and let $X_f^M = \{(x_H, x) \in X^M : x \in X_f\}$ be the set of unsafe states in $G^M$. In words, AE-safe controllability holds if we can detect any attack occurrence and then disable a controllable event before the plant reaches an unsafe state. For the purpose of the definition that follows, we define the following projection: $P_o^a : (E^a)^* \to (E_o \cup D(E_{c,v} \cap E_o))^*$.

Definition 1 (AE-Safe Controllability). Consider $G^M = (X^M, E^a, f^M, x_{0,M})$ from Algorithm 1. Language $L^M = L(G^M)$ is AE-safe controllable with respect to projection $P_o^a$, attacked actuator events $E'_{c,v}$, and unsafe states $X_f^M$ if
$$(\forall s \in \Psi(E'_{c,v}))(\forall t \in L^M/s)\ \big[(f^M(x_0, st) \in X_f^M) \wedge (\forall s' < st,\ f^M(x_0, s') \notin X_f^M)\big] \Rightarrow (\exists t_1, t_2 \in (E^a)^*)\big[(t = t_1 t_2) \wedge \neg(\exists \omega \in L^M)[P_o^a(st_1) = P_o^a(\omega) \wedge E'_{c,v} \notin \omega] \wedge (E_c \in t_2)\big].$$

Fig. 4. Illustration of AE-safe controllability: string $s$ ends with attacked actuator event $\sigma'_{c,v} \in E'_{c,v}$, its continuation $t = t_1 t_2$ first reaches unsafe state $x_f \in X_f^M$, the attack is detected after $st_1$, and $t_2$ contains a controllable event $\sigma_c \in E_c$.

We will sometimes slightly abuse terminology and say that system $G$ is AE-safe controllable if the corresponding $L^M$, $P_o^a$, $E'_{c,v}$ and $X_f^M$ are understood and if Definition 1 holds. Figure 4 illustrates the definition of AE-safe controllability. The first state is reached through a string $s$ whose last event $\sigma'_{c,v}$ is an attacked actuator event. String $t$ is the continuation of $s$ that reaches an unsafe state for the first time. AE-safe controllability holds if for every such $s$ and $t$, $t$ can be written as $t = t_1 t_2$ where (1) the attacked actuator event can be detected after $st_1$ and (2) $t_2$ contains a controllable event in $E_c$. Recall that all events in $E_c$ are controllable and that events in $E'_{c,v}$ are uncontrollable in $G^M$. That is, AE-safe controllability holds if we can detect an attack occurrence and then disable a controllable event before the plant reaches an unsafe state; and this property has to hold for every attack occurrence. It should be noted that the detection condition after string $st_1$ is that an attack has been detected on any of the vulnerable actuators (cf. $E'_{c,v} \notin \omega$ in the detection clause in the definition), not necessarily for the same event at the end of string $s$; as long as module $G_D$ knows for sure that one vulnerable actuator was indeed attacked, then it forces $S_P$ to switch to safe mode.

The construction procedure of $G^M$ and the conditions in the definition of AE-safe controllability lead directly to the following result, whose proof is omitted.

Theorem 1. Under the attack and defense model considered in this paper, system $G$ will not reach an unsafe state if and only if it is AE-safe controllable w.r.t. projection $P_o^a$, vulnerable actuator events $E'_{c,v}$, and set of unsafe states $X_f^M$.

5.3 Test of AE-safe controllability using a diagnoser

To test if a system is AE-safe controllable, we develop an algorithmic procedure that relies on diagnoser automata (or simply, diagnosers). The diagnoser, as developed in Sampath et al. (1995), relies on the computation of the observer of the automaton obtained by performing parallel composition between the plant automaton and the so-called label automaton that captures occurrences of faults, as described in Cassandras and Lafortune (2008). Our algorithm verifies if the diagnoser-based intrusion detection module can detect any attack before the plant reaches an unsafe state and if the supervisor can disable events to prevent the plant from reaching $X_f$. Before we formally present the algorithm, we first review the definition of the set of first-entered certain states in a diagnoser from Paoli et al. (2011); the reader is referred to Cassandras and Lafortune (2008) for the definition of a diagnoser and any undefined terminology.

Definition 2 (Set of first-entered certain states). Let $G_d = (Q_d, E_o, f_d, q_{0,d})$ be the diagnoser constructed from a given plant and the appropriate label automaton. Define $Q_{YN} = \{q \in Q_d : q \text{ is uncertain}\}$, $Q_N = \{q \in Q_d : q \text{ is normal}\}$, and $Q_Y = \{q \in Q_d : q \text{ is certain}\}$. The set of first-entered certain states is $FC = \{q \in Q_Y : (\exists q' \in Q_{YN} \cup Q_N, \sigma \in E_o)[f_d(q', \sigma) = q]\}$.

We can now present Algorithm 2, the diagnoser-based algorithm for testing AE-safe controllability.

By construction of $G^M$, we can see that our goal is to detect occurrences of events in $E'_{c,v}$ in $L^M$, based on observable event set $E^a_o$; specifically, the attacked actuator events in $E'_{c,v}$ are the fault events to be diagnosed, and they are assumed to be all of the same fault type. Hence, we wish to build the diagnoser of $G^M$. In step 1, we consider the label automaton $A_l$ in Figure 5 and label the attacked actuator events $E'_{c,v}$ by building $G_l = G^M \parallel A_l$. We then compute in step 2 the diagnoser automaton $G_d = \mathrm{Obs}(G_l, E^a_{uo})$, where $\mathrm{Obs}(G_l, E^a_{uo})$ denotes the observer of $G_l$ with respect to unobservable event set $E^a_{uo}$, where $E^a_{uo} = E_{uo} \cup D(E_{c,v} \cap E_{uo})$. In step 3, we test if any uncertain state contains an unsafe state. If this is the case, then the diagnoser cannot detect the attack before the plant reaches an unsafe state; hence, AE-safe controllability is violated. Next, we compute the set of first-entered certain states $FC$ and then verify in step 6 if any state in $FC$ contains an unsafe state. If this happens, then even though the attack is detected, it already caused the plant to reach an unsafe state; hence, the system is not AE-safe controllable. Finally, we find the set of states reachable from $FC$ through uncontrollable or attacked actuator events, and then test in step 10 whether this set contains any unsafe state. If this happens, then even though the attack has been detected, the plant can still uncontrollably reach an unsafe state and is therefore not AE-safe controllable. In the algorithm, $q_x := \{x : (\exists l)[(x, l) \in q]\}$ is the projection of $q$ to the set of corresponding $G^M$ states.

Fig. 5. Label automaton $A_l$: states $N$ and $Y$, a transition from $N$ to $Y$ on every event of $E'_{c,v}$, and a self-loop at $Y$ on every event of $E'_{c,v}$.

Algorithm 2 AE-safe controllability test using a diagnoser
Inputs: $G^M = (X^M, E^a, f^M, x_{0,M})$: closed-loop system subject to AE-attacks; $X_f$: set of unsafe states; $E'_{c,v}$: set of attacked actuator events.
Output: AESafeControllability $\in \{\mathrm{true}, \mathrm{false}\}$.
1: Build $G_l = G^M \parallel A_l$, where $A_l$ is shown in Figure 5.
2: Compute diagnoser $G_d = \mathrm{Obs}(G_l, E^a_{uo})$, where $E^a_{uo} = E_{uo} \cup D(E_{c,v} \cap E_{uo})$.
3: if there is an uncertain state $q = \{(x_{i_1}, l_{i_1}), \ldots, (x_{i_n}, l_{i_n})\} \in Q_{YN}$ in which there exists $x_{i_j} \in X_f^M$ then
4: AESafeControllability = false
5: else compute $FC$ according to Definition 2
6: if there is $q = \{(x_{i_1}, Y), \ldots, (x_{i_n}, Y)\} \in FC$ in which there exists $x_{i_j} \in X_f^M$ then
7: AESafeControllability = false
8: else
9: Compute $X_u = \bigcup_{q \in FC} \bigcup_{x^M \in q_x} \mathrm{Reach}(G^M, x^M, E_{uc} \cup E'_{c,v})$
10: if $X_u \cap X_f^M \neq \emptyset$ then
11: AESafeControllability = false
12: else AESafeControllability = true

Proposition 1. Consider $G^M = (X^M, E^a, f^M, x_{0,M})$ from Algorithm 1. Automaton $G_d$ is the diagnoser built in Algorithm 2. Language $L^M$ is not AE-safe controllable with respect to $P_o^a$, $E'_{c,v}$, and $X_f^M$ if and only if one of the following conditions holds true:
(1) There exists $q_{YN} = \{(x_{i_1}, l_{i_1}), \ldots, (x_{i_n}, l_{i_n})\} \in Q_{YN}$ such that $\exists j \in \{1, \ldots, n\}$, $x_{i_j} \in X_f^M$ and $l_{i_j} = Y$.
(2) There exists $q_Y = \{(x_{i_1}, Y), \ldots, (x_{i_n}, Y)\} \in FC$ such that $\exists j \in \{1, \ldots, n\}$, $x_{i_j} \in X_f^M$.
(3) There exists $x^M \in X_u$ such that $x^M \in X_f^M$, where $X_u$ is defined in Algorithm 2.
Proof: Given in Appendix.

Note that the diagnoser will always immediately detect the attacks on vulnerable events $\sigma \in E_{c,v} \cap E_o$, since the corresponding event $\sigma'$ is observable. However, in this case, the plant may still reach an unsafe state via uncontrollable and attacked actuator events, violating AE-safe controllability. Hence, the conditions in Definition 1 still need to be tested, as described in Algorithm 2.

Example 2. Returning to Example 1, we show the closed-loop system under AE-attacks in Figure 3(e). We follow Algorithm 2 to test whether the system is AE-safe controllable. In step 1, we build $G_l$ with respect to $E'_{c,v} = \{b'\}$ in Figure 6. Assuming $E^a_{uo} = \emptyset$ for simplicity, the diagnoser is the same automaton as $G_l$. By examining the diagnoser states in Figure 6, we see that the attack will be detected in diagnoser state $((2,3), Y)$, before the plant reaches unsafe state 4. However, with the test in step 10, we find that $X_u = \{(2,3), (2,4)\}$ contains unsafe state $(2,4)$. That is, although the diagnoser can detect the attack before entering an unsafe state, since the supervisor cannot disable uncontrollable event $c$, the plant can still reach unsafe state $(2,4) \in X_f^M$ under attack. Consequently, AE-safe controllability is violated.
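Algorithms 1 and 2 above, run end to end on the automata of Examples 1 and 2, as an added worked example that is not part of the paper. The plant $G$ (states 1 to 4, transitions $a$, $b$, $c$), the supervisor $H$ (disables $b$ at state 2), the unsafe state 4 and the event attributes are read off Figure 3 and constructed here as Python dictionaries; the assumption that $a$ and $c$ are uncontrollable and $b$ is the only, vulnerable, controllable event is taken from the text of Example 1. Step 3 of the test uses the label-$Y$ form of Proposition 1, condition (1).

```python
# Constructed inputs for Example 1 (assumption: a and c are uncontrollable,
# b is the only controllable event and it is vulnerable; all are observable).
PLANT = {"events": {"a", "b", "c"}, "init": 1,
         "delta": {(1, "a"): 2, (2, "b"): 3, (3, "c"): 4}}
SUPERVISOR = {"events": {"a", "b", "c"}, "init": 1, "delta": {(1, "a"): 2}}
UNSAFE = {4}  # X_f: plant state 4 is the unsafe state


def attacked(sigma):  # dilation of one vulnerable event: sigma -> sigma'
    return sigma + "'"


def states_of(aut):
    return {aut["init"]} | {x for (x, _) in aut["delta"]} | set(aut["delta"].values())


def reach(aut, x, allowed):  # Reach(aut, x, allowed) of Section 3
    out, todo = {x}, [x]
    while todo:
        y = todo.pop()
        new = {d for (s, e), d in aut["delta"].items() if s == y and e in allowed} - out
        out |= new
        todo += new
    return out


def dilate_plant(G, e_cv):
    """Algorithm 1, step 1: G^a gets a parallel sigma' for every sigma in E_{c,v}."""
    delta = dict(G["delta"])
    delta.update({(x, attacked(e)): y for (x, e), y in G["delta"].items() if e in e_cv})
    return {"events": G["events"] | {attacked(e) for e in e_cv}, "init": G["init"], "delta": delta}


def dilate_supervisor(H, e_cv, e_uc):
    """Algorithm 1, step 2: H^a self-loops sigma' where sigma is disabled, and any missing E_uc event."""
    delta = dict(H["delta"])
    for x in states_of(H):
        active = {e for (y, e) in H["delta"] if y == x}
        delta.update({(x, attacked(e)): x for e in e_cv if e not in active})
        delta.update({(x, e): x for e in e_uc if e not in active})
    return {"events": H["events"] | {attacked(e) for e in e_cv}, "init": H["init"], "delta": delta}


def parallel(A, B):
    """Algorithm 1, step 3: accessible part of A || B (shared events synchronise)."""
    init = (A["init"], B["init"])
    delta, seen, todo = {}, {init}, [init]
    while todo:
        xa, xb = todo.pop()
        for e in A["events"] | B["events"]:
            na = A["delta"].get((xa, e)) if e in A["events"] else xa
            nb = B["delta"].get((xb, e)) if e in B["events"] else xb
            if na is not None and nb is not None:
                delta[((xa, xb), e)] = (na, nb)
                if (na, nb) not in seen:
                    seen.add((na, nb))
                    todo.append((na, nb))
    return {"events": A["events"] | B["events"], "init": init, "delta": delta}


def label(GM, att):
    """G_l = G^M || A_l as pairs (x, l): l turns Y on an attacked event and stays Y."""
    delta = {((x, l), e): (y, "Y" if l == "Y" or e in att else "N")
             for (x, e), y in GM["delta"].items() for l in ("N", "Y")}
    return {"events": GM["events"], "init": (GM["init"], "N"), "delta": delta}


def diagnoser(Gl, unobs):
    """G_d = Obs(G_l, E^a_uo): subset construction with unobservable reach."""
    ur = lambda S: frozenset().union(*(reach(Gl, s, unobs) for s in S))
    init = ur({Gl["init"]})
    delta, seen, todo = {}, {init}, [init]
    while todo:
        q = todo.pop()
        for e in Gl["events"] - unobs:
            nxt = {Gl["delta"][(s, e)] for s in q if (s, e) in Gl["delta"]}
            if nxt:
                delta[(q, e)] = ur(nxt)
                if delta[(q, e)] not in seen:
                    seen.add(delta[(q, e)])
                    todo.append(delta[(q, e)])
    return {"events": Gl["events"] - unobs, "init": init, "delta": delta}


def kind(q):  # normal (N) / certain (Y) / uncertain (YN) diagnoser state
    labels = {l for (_, l) in q}
    return "Y" if labels == {"Y"} else ("N" if labels == {"N"} else "YN")


def ae_safe_controllable(G, H, e_cv, e_uc, e_uo, unsafe):
    """Algorithm 2: True iff the closed loop G^M = H^a || G^a is AE-safe controllable."""
    GM = parallel(dilate_supervisor(H, e_cv, e_uc), dilate_plant(G, e_cv))
    att = {attacked(e) for e in e_cv}
    unsafe_M = {x for x in states_of(GM) if x[1] in unsafe}  # X_f^M
    unobs = set(e_uo) | {attacked(e) for e in e_cv if e in e_uo}  # E^a_uo
    Gd = diagnoser(label(GM, att), unobs)
    # step 3: an uncertain state already contains an attacked unsafe state
    if any(kind(q) == "YN" and any(x in unsafe_M and l == "Y" for (x, l) in q)
           for q in states_of(Gd)):
        return False
    # steps 5-6: a first-entered certain state (Definition 2) contains an unsafe state
    fc = {q2 for (q, _), q2 in Gd["delta"].items() if kind(q) != "Y" and kind(q2) == "Y"}
    if any(x in unsafe_M for q in fc for (x, _) in q):
        return False
    # steps 9-10: X_u, what stays reachable once every event in E_c is disabled
    x_u = set().union(*(reach(GM, x, set(e_uc) | att) for q in fc for (x, _) in q))
    return not (x_u & unsafe_M)
```

Calling `ae_safe_controllable(PLANT, SUPERVISOR, {"b"}, {"a", "c"}, set(), UNSAFE)` reproduces Example 2: $G^M$ has exactly the states $(1,1)$, $(2,2)$, $(2,3)$, $(2,4)$, the diagnoser turns certain at $((2,3), Y)$, and $X_u = \{(2,3), (2,4)\}$ hits the unsafe state, so the result is `False`. Two constructed variants (not from the paper) show the other branches of the test: replacing the uncontrollable $c$ with a controllable, non-vulnerable event $d$ that the supervisor enables at state 2 makes the result `True`, since disabling $d$ after detection keeps the plant out of state 4; making $b$ (and hence $b'$) unobservable in that variant makes it `False` again, because detection then only happens on $d$, i.e. in a first-entered certain state that already contains the unsafe state (condition (2) of Proposition 1).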
Consequently, AE-safe controllability is violated.

Fig. 6. Automaton G_l (states ((1,1),N), ((2,2),N), ((2,3),Y), ((2,4),Y)).

5.4 Test of AE-safe controllability using verifier

Another way to verify language diagnosability is by using verifier automata, or simply verifiers (Yoo and Lafortune, 2002; Shengbing et al., 2001; Moreira et al., 2011). The main advantage of verifiers over diagnosers is that their computation requires polynomial time in the state space of the automaton, while building diagnosers has, in the worst case, complexity exponential in the number of states of the plant automaton. On the other hand, unlike diagnosers, verifiers are not suitable for online diagnosis.

Algorithm 3 tests AE-safe controllability using a verifier. Step 1 of Algorithm 3 is the same as step 1 of Algorithm 2. In step 2, verifier G_V is built based on the methodology in Moreira et al. (2011) (which is only briefly reviewed here). The construction of G_V starts by computing automata G_N and G_F that model the normal and the faulty/attacked behavior of the system, respectively. After obtaining G_N (with state space denoted by X_N), we rename its unobservable events using the renaming function R : E_a \ E_{a,v} → E_R, where R(σ) = σ if σ ∈ E_{a,o}, and R(σ) = σ_R if σ ∈ E_{a,uo} \ E_{a,v}. Thus, the unobservable events of G_N and G_F become private events of these automata. In step 3, we test if any state in verifier G_V is an unsafe state. In step 5, we complete G_V by adding observable events to a new state A. This new state marks a possible attack detection. For state A, only uncontrollable events are added, since after diagnosing the attack, AE-safe controllability is violated if there exists a trace that reaches an unsafe state through uncontrollable events only. In step 6, G_T tracks all traces that, after the attack has been diagnosed, have only uncontrollable events in their continuations; its state space is denoted by X_T. In step 7, if G_T contains an unsafe state, then the attack can steer the system to an unsafe state before diagnosis of an attack.

Proposition 2 Let L_M denote the language generated by G_M. Then, L_M is not AE-safe controllable with respect to P_o^a : E_a^* → E_{a,o}^*, E_{a,v} and X_f^M if and only if at least one of the following conditions holds true:
(1) There exists x_V = {(x_N, N), (x, Y)} ∈ X_V such that x ∈ X_f^M, where x_N ∈ X_N and x ∈ X_M.
(2) There exists {x_V^d, (x, Y)} ∈ X_T such that x_V^d = A and x ∈ X_f^M, where x_V^d ∈ X_V^d and x ∈ X_M.

Proof: Given in Appendix.
Algorithm 3 AE-safe controllability test using verifier
Inputs: G_M = (X_M, E_a, f_M, x_{0,M}): closed-loop system subject to actuator enablement attacks; X_f: set of unsafe states; E_{a,v}: set of attacked actuator events
Output: SafeControllability ∈ {true, false}
1: Build G_l = G_M || A_l, where the label automaton A_l is shown in Figure 5
2: Build verifier automaton G_V = (X_V, E_R ∪ E_a, f_V, x_{0,V}), assuming E_{a,v} is the set of fault events, according to Algorithm 1 in Moreira et al. (2011)
3: if there exists {(x_N, N), (x, Y)} of G_V such that x ∈ X_f^M then SafeControllability = false
4: else
5:   Build G_V^d = (X_V^d, E_R ∪ E_a, f_V^d, x_{0,V}), where X_V^d = X_V ∪ {A},
     f_V^d(x_V, e) = f_V(x_V, e) if e ∈ Γ_V(x_V), and f_V^d(x_V, e) = A if e ∈ E_{a,o} ∧ e ∉ Γ_V(x_V),
     f_V^d(A, e) = A for all e ∈ E_u ∪ E_{a,v}
6:   Build G_T = G_V^d || G_F, where G_F is defined in Algorithm 1 in (Moreira et al., 2011)
7:   if there exists {x_V^d, (x, l)} in G_T such that x_V^d = A and x ∈ X_f^M then SafeControllability = false
8:   else SafeControllability = true

Example 3 Returning again to Example 1, the closed-loop system subject to actuator enablement attacks is shown in Figure 3(e), where the sets of observable, controllable, and vulnerable actuator events are E_o = E, E_c = {b}, and E_{a,v} = {b_a}, respectively. The normal and the faulty/attacked behavior of the system, G_N and G_F, are depicted in Figures 7(a) and 6, respectively, and verifier G_V is shown in Figure 7(b). According to step 5 of Algorithm 3, it is necessary to add a new state A. All states of G_V are connected to A using observable events a, b, b_a and c (when these events are in the active event set of the state). Also, it is necessary to add self-loops at state A for uncontrollable events a, b_a and c, as shown in Figure 7(c). After that, G_T is built by computing G_V^d || G_F, as depicted in Figure 7(d). The system is not AE-safe controllable according to step 7 of Algorithm 3, because state {A, ((2, 4), Y)} in G_T has, as components, state A and (2, 4) ∈ X_f^M. Thus, the supervisor cannot prevent the system from reaching an unsafe state after the system is sure that an attack has occurred.
5.5 Discussion

Recall from Algorithm 1 that we model AE-attacks by adding in the supervisor realization H a self-loop for every σ_a ∈ E_{a,v} (unless the compression of σ_a is already in the active event set of the state). The resulting automaton H^a thus models an all-out attacker that always attacks the vulnerable actuators. Subsequently, AE-safe controllability is a property of whether the system can be protected under such an all-out attacker. Now, we consider the question of whether it is possible under smaller attacks, i.e., when the attacker does not attack at all times, to inflict damage on the system when AE-safe controllability holds. The following proposition proves that AE-safe controllability with respect to the all-out attacker implies AE-safe controllability with respect to any attacker. Hence, testing AE-safe controllability with respect to the all-out attacker is sufficient.

Proposition 3 Let L_AA be the language of the closed-loop system under the all-out attacker and L_SA be that under an attacker that does not attack at all times. If L_AA is AE-safe controllable with respect to P_o^a, E_{a,v} and X_f^M, then L_SA is AE-safe controllable with respect to P_o^a, E_{a,v} and X_f^M.

Proof: Given in Appendix.

Fig. 7. Figures of Example 3: (a) non-fault automaton G_N; (b) verifier automaton G_V; (c) verifier automaton G_V^d; (d) automaton G_T.

5.6 Actuator disablement attacks

We briefly discuss actuator disablement attacks (AD-attacks), which correspond to the case where the fusion block +/− in Figure 2 is the conjunction of the enabled events of S_P with those of A; that is, vulnerable actuator events that are enabled by the supervisor can be disabled by the attacker. In this case, the closed-loop behavior is further restricted to a subset of K, since no new behavior of G can be generated. Hence, no state in X_f is reachable. However, blocking may occur, even if the closed-loop system S_P/G is nonblocking; an example can be easily constructed and is omitted here. Clearly, the only motivation for A to select such an attack is to cause blocking. We will not further discuss this type of attack since it cannot lead to a violation of safety, as described by X_f.

6 Sensor erasure attacks

In this and the next two sections, we discuss attacks on vulnerable sensors. We first consider the case of sensor erasure attacks, or SE-attacks. As illustrated in Figure 2, in SE-attacks, the attacker A can erase an occurrence of an observable event σ ∈ E_{o,v} to S_P and G_D. Thus, enabled observable events in E_{o,v} can be subsumed by corresponding unobservable events that we label as the set E^a_{o,v}, thereby causing confusion for both S_P and G_D. Hence, using E^a_{o,v}, the modeling of SE-attacks follows a similar procedure as for AE-attacks in Algorithm 1, with some minor adjustments. For the sake of clarity, the modified form of Algorithm 1 is given in Algorithm 4. Note that the events in E^a_{o,v} are necessarily unobservable and that their controllability properties are inherited from the corresponding ones in E_{o,v}.
Algorithm 4 Algorithm for SE-attack model
Inputs: G = (X, E, f, x_0): plant; H = (X_H, E, f_H, x_{0,H}): supervisor realization; E_o, E_c and E_{o,v}: sets of observable, controllable, and vulnerable sensor events
Output: G_M = (X_M, E_a, f_M, x_{0,M}): closed-loop system subject to SE-attacks
1: Compute E^a_{o,v} = D(E_{o,v}) \ E_{o,v}
2: Define E_a = E ∪ E^a_{o,v} and assign: E_{a,o} = E_o; E_{a,uo} = E_{uo} ∪ E^a_{o,v}; E_{a,c} = E_c ∪ D(E_{o,v} ∩ E_c); E_{a,u} = E_u ∪ D(E_{o,v} ∩ E_u)
3: Build G^a = (X, E_a, f^a, x_0), where f^a(x, σ_a) = f(x, C(σ_a)) if f(x, C(σ_a)) is defined, σ_a ∈ E_a, x ∈ X
4: Build H^a = (X_H, E_a, f_H^a, x_{0,H}), where f_H^a(x_H, σ) = f_H(x_H, σ) if f_H(x_H, σ) is defined, and f_H^a(x_H, σ) = x_H if (σ ∈ E^a_{o,v} ∧ f_H(x_H, C(σ)) is defined) ∨ (σ ∈ E_{a,u} ∧ f_H(x_H, σ) is undefined)
5: Compute G_M = H^a || G^a

To explain the reasoning behind step 3 of the algorithm, we make the following observations. The erasure of (enabled) observable events means that the supervisor and G may become out of sync from the original design of H; this is why all uncontrollable events in E_u must be added at all states of H, if they are not already there, to make sure that controllability is never violated. The same reasoning applies to all events in E^a_{o,v} that are uncontrollable, as the occurrence of an uncontrollable vulnerable event could be erased by A. However, a controllable event in E_{o,v} will only be erased, i.e., replaced by its corresponding event in E^a_{o,v}, if it is enabled by H. In all cases, feasibility in G of the self-loops added in H will be captured by the parallel composition H^a || G^a. In this manner, the construction of G_M again captures the case where A may attack at every possible opportunity, i.e., it may erase every event output by a vulnerable sensor.

Example 4 The state transition diagrams of system G and supervisor realization H are shown in Figures 8(a) and 8(b), respectively, where E_c = {a, c} and E = E_o = {a, b, c}. Let E_{o,v} = {b} be the set of vulnerable (to erasure) sensor events. The set of unsafe states is X_f = {5}, marked with a square in Figure 8(a). The erased sensor event set is E^a_{o,v} = {b_a}, thus the new set of events is E_a = {a, b, c, b_a}. Following Algorithm 4, we build automaton G^a by adding a transition labeled by b_a in parallel with every transition b, as shown in Figure 8(c). The realization of the supervisor under SE-attacks is depicted in Figure 8(d). The closed-loop system under SE-attacks is computed as G_M = H^a || G^a, and it is shown in Figure 8(e). After the occurrence of event a, the attacker erases the occurrence of event b and it becomes unobservable to the supervisor. Because of that, the supervisor thinks that the plant is in state 2, but the plant is actually in state 4. Then, the supervisor allows event c to occur and the plant reaches an unsafe state.

Fig. 8. Figures of Example 4: (a) G; (b) H; (c) G^a; (d) H^a; (e) G_M (states (1,1), (2,2), (3,3), (4,4), (2,4), (3,5)).

The next example shows that SE-attacks can lead to blocking, when marked states are considered in G.

Example 5 Consider G and H in Figures 9(a) and 9(b), respectively, where E = E_o = E_c. Let E_{o,v} = {b} and let X_f = {7}. Following Algorithm 4, the closed-loop system subject to SE-attacks is shown in Figure 9(c). When the attacker erases event b, the plant gets stuck in state 5 as the supervisor assumes the plant is in state 4.

Fig. 9. Figures of Example 5: (a) G; (b) H; (c) G_M (states (1,1), (2,2), (3,3), (4,4), (5,5), (6,6), (4,5)).

7 Sensor insertion attacks

Sensor insertion attacks, or SI-attacks for short, can insert a fictitious occurrence of an observable event σ ∈ E_o into the observation stream of supervisor S_P and intrusion detection module G_D.
In order to model SI-attacks, let E^i_{o,v} = {σ_i : σ ∈ E_{o,v}} denote the set of attacks by A on the vulnerable sensors, which we will refer to as SI-attack onset events. The case of SI-attacks is somewhat different from the attacks previously considered in this paper, in that we need to be more specific about the attack strategy of A. Namely, if A inserts a fictitious event occurrence that is not defined at the current state of H, either because the event is not currently feasible in the state H thinks the system is in or because it is currently disabled by S_P, then A immediately reveals its presence without gaining any benefit. Hence, it is only advantageous for A to insert fictitious event occurrences when H expects such observations. The goal of A in this case is to cause a change of control action for S_P that would, for instance, enable an event that was not currently enabled in order to steer G towards an unsafe state.

To resolve the above issue, we will assume that in the case of SI-attacks, A has a model of H and moreover A has the same observation capabilities as S_P; hence, A knows at any time the exact state of S_P. Under this assumption, A will only insert fictitious event occurrences when H expects that such an event could have occurred.

The modeling of the closed-loop system under the above considerations is obtained by executing Algorithm 5. Consider plant G and supervisor realization H. First, we construct G^a by creating a new state x_σ^j for each event σ ∈ E_{o,v} at every state j of G, and a new event σ_i ∈ E^i_{o,v} that represents the onset of an SI-attack at that state of G. Next, for each added state, we add two transitions: one from state j to the new state x_σ^j labeled by σ_i ∈ E^i_{o,v}, and the other from the new state x_σ^j to state j labeled by σ; the former represents the onset of an SI-attack on the vulnerable sensor of the plant, whereas the latter represents the fictitious event inserted by the SI-attack. This inserted fictitious event is assumed to be indistinguishable from a genuine one by S_P and G_D, which is why the latter transition is labeled by σ ∈ E_o. Afterwards, we build automaton H^a that models the realization of the supervisor under SI-attack. For this purpose, we add a self-loop for (unobservable) event σ_i at each state x that has event σ ∈ E_{o,v} in its active event set. This ensures that the attacker can insert any occurrence of any event in E_{o,v} when such an event is feasible according to the original design of H, which is consistent with the above-described attack model. Moreover, to ensure controllability, we also add at each state x a self-loop for every uncontrollable event in E_u that is not already in the active event set of state x. Finally, the closed-loop system subject to SI-attacks is obtained by the parallel composition of H^a and G^a.

Remark 1 The events in E^i_{o,v} are unobservable and uncontrollable, as they represent the onset of an SI-attack.
Hence, we have that: (i) E_{M,o} = E_o; (ii) E_{M,uo} = E_{uo} ∪ E^i_{o,v}; and (iii) E_{M,u} = E_u ∪ E^i_{o,v}.

Algorithm 5 Algorithm for SI-attack model
Inputs: G = (X, E, f, x_0) and H = (X_H, E, f_H, x_{0,H}): plant and supervisor realizations, respectively; E_o, E_c, and E_{o,v}: sets of observable, controllable, and vulnerable sensor events
Output: G_M = (X_M, E_M, f_M, x_{0,M}): closed-loop system subject to SI-attacks
1: G^a ← BUILD-GA(G)
2: H^a ← BUILD-HA(H)
3: Compute G_M = H^a || G^a
4: function BUILD-GA(G)
5:   G^a ← G
6:   E^a ← E ∪ E^i_{o,v}
7:   for every j ∈ X do
8:     for every σ ∈ E_{o,v} do
9:       X^a ← X^a ∪ {x_σ^j}
10:      Add f^a(j, σ_i) = x_σ^j
11:      Add f^a(x_σ^j, σ) = j
     return G^a = (X^a, E^a, f^a, x_0)
12: function BUILD-HA(H)
13:   H^a ← H
14:   E_H^a ← E ∪ E^i_{o,v}
15:   for all x ∈ X_H do
16:     Add f_H^a(x, σ_i) = x for all σ ∈ (Γ_H(x) ∩ E_{o,v})
17:     Add f_H^a(x, σ) = x for all σ ∈ E_u \ Γ_H(x)
      return H^a = (X_H, E_H^a, f_H^a, x_{0,H})

Example 6 Consider system G and supervisor realization H shown in Figures 10(a) and 10(b), respectively, where E = E_o = E_c. Let E_{o,v} = {b} and X_f = {5}. Following Algorithm 5, automaton G^a is built by adding new states and transitions labeled by b_i and b, as shown in Figure 10(c). The idea behind this procedure is that when the SI-attack occurs, which is represented by event b_i, the attacker emulates the occurrence of event b in the plant G; hence G does not reach a new state. The new set of events is E_a = {a, b, c, b_i}, where E_{a,uo} = {b_i}. The realization of the supervisor subject to SI-attacks is shown in Figure 10(d). Supervisor H^a does not see the difference between the fictitious inserted event b (after b_i) and the real occurrence of b (with no b_i), hence it changes state in both cases. The closed-loop system under SI-attacks is computed as G_M = H^a || G^a, and it is shown in Figure 10(e). After the onset attack event b_i followed by inserted event b, the supervisor thinks that the system is in state 3; however, the system is in state 2. Then, the supervisor enables event c and the plant can reach an unsafe state.
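The constructions of Algorithms 4 and 5 (SE- and SI-attack models), as an added Python example that is not part of the paper. It implements the parallel composition, the erased-copy construction of Algorithm 4 and the onset-state construction of Algorithm 5, and runs them on plant/supervisor pairs for Examples 4 and 6. Since the figures are not reproduced on this page, those pairs are reconstructed from the examples' text and are an assumption; the names "<event>_a" for erased copies, "<event>_i" for onset events and ("x", j, σ) for the state x_σ^j are conventions of this example only.

```python
"""Added example: closed-loop models under sensor erasure (Algorithm 4) and
sensor insertion (Algorithm 5) attacks, with the plant/supervisor pairs of
Examples 4 and 6 reconstructed from their textual descriptions (assumption)."""
from collections import deque

# An automaton is a deterministic transition map {(state, event): next_state}
# plus its initial state, mirroring f and x_0 in the paper.

def parallel(f1, x01, f2, x02):
    """Parallel composition: shared events synchronize, private events
    interleave. Only the reachable part of the product is built."""
    e1 = {e for (_, e) in f1}
    e2 = {e for (_, e) in f2}
    fm, init = {}, (x01, x02)
    seen, todo = {init}, deque([init])
    while todo:
        x1, x2 = todo.popleft()
        for e in e1 | e2:
            n1 = f1.get((x1, e)) if e in e1 else x1
            n2 = f2.get((x2, e)) if e in e2 else x2
            if n1 is None or n2 is None:
                continue            # event not enabled in some component
            fm[((x1, x2), e)] = (n1, n2)
            if (n1, n2) not in seen:
                seen.add((n1, n2))
                todo.append((n1, n2))
    return fm, init

def states_of(f, x0):
    return {x for (x, _) in f} | set(f.values()) | {x0}

def se_attack_model(fG, x0G, fH, x0H, E, Ec, Eov):
    """Algorithm 4. Erased sensor events are modelled by unobservable copies
    sigma_a (named "<sigma>_a" here), enabled in G^a wherever sigma is."""
    Eu = E - Ec
    erased = {s: s + "_a" for s in Eov}                 # E^a_{o,v}
    Eau = Eu | {erased[s] for s in Eov & Eu}             # E_{a,u}
    fGa = dict(fG)                                       # step 3: G^a
    for (x, s), y in fG.items():
        if s in erased:
            fGa[(x, erased[s])] = y
    fHa = dict(fH)                                       # step 4: H^a
    for x in states_of(fH, x0H):
        for s in Eov:
            if (x, s) in fH:            # erasure only of an enabled event
                fHa[(x, erased[s])] = x
        for s in Eau:
            if (x, s) not in fHa:       # never disable an uncontrollable event
                fHa[(x, s)] = x
    return parallel(fHa, x0H, fGa, x0G)                  # step 5

def si_attack_model(fG, x0G, fH, x0H, E, Ec, Eov):
    """Algorithm 5. An onset event sigma_i (named "<sigma>_i") leads to a
    fresh plant state from which the fictitious sigma returns to the same
    plant state; H^a accepts sigma_i wherever sigma is expected."""
    Eu = E - Ec
    onset = {s: s + "_i" for s in Eov}                   # E^i_{o,v}
    fGa = dict(fG)                                       # BUILD-GA
    for j in states_of(fG, x0G):
        for s in Eov:
            xj = ("x", j, s)                             # state x^j_sigma
            fGa[(j, onset[s])] = xj
            fGa[(xj, s)] = j
    fHa = dict(fH)                                       # BUILD-HA
    for x in states_of(fH, x0H):
        for s in Eov:
            if (x, s) in fH:
                fHa[(x, onset[s])] = x
        for s in Eu:
            if (x, s) not in fH:
                fHa[(x, s)] = x
    return parallel(fHa, x0H, fGa, x0G)

def unsafe_reached(fm, init, Xf):
    """Closed-loop states whose plant component lies in X_f."""
    return {x for x in states_of(fm, init) if x[1] in Xf}

# Constructed inputs (assumed reconstruction of the paper's figures).
# Example 4: E = E_o = {a, b, c}, E_c = {a, c}, E_{o,v} = {b}, X_f = {5}.
G4 = {(1, "a"): 2, (2, "b"): 4, (2, "c"): 3, (4, "c"): 5}
H4 = {(1, "a"): 2, (2, "b"): 4, (2, "c"): 3}
# Example 6: E = E_o = E_c = {a, b, c}, E_{o,v} = {b}, X_f = {5}.
G6 = {(1, "a"): 2, (2, "b"): 3, (2, "c"): 5, (3, "c"): 4}
H6 = {(1, "a"): 2, (2, "b"): 3, (3, "c"): 4}

def example4():
    fm, init = se_attack_model(G4, 1, H4, 1, {"a", "b", "c"}, {"a", "c"}, {"b"})
    return states_of(fm, init), unsafe_reached(fm, init, {5})

def example6():
    fm, init = si_attack_model(G6, 1, H6, 1, {"a", "b", "c"}, {"a", "b", "c"}, {"b"})
    return states_of(fm, init), unsafe_reached(fm, init, {5})

if __name__ == "__main__":
    print("SE closed loop:", *example4())
    print("SI closed loop:", *example6())
```

With these inputs the SE closed loop reaches (2,4) through the erased copy b_a and then (3,5) through c, and the SI closed loop reaches (2, x_b^2) through b_i, (3,2) through the fictitious b, and then (4,5) through c, which is the behaviour the two examples describe.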
8 General approach for detection of attacks

Our strategy for detection and mitigation of sensor attacks is the same as that for AE-attacks, described in Section 5. The intrusion detection module monitors the output from the plant and notifies the supervisor when an attack has been detected. The supervisor, upon receiving an attack report from the intrusion detection module, switches to a safe mode of operation where it disables all controllable events. Hereafter, we generalize the property of AE-safe controllability to a general form that captures, in a unified manner, AE-, SE-, and SI-attacks. Then we discuss its verification.

8.1 General form of safe controllability

We defined in Section 5.2 AE-safe controllability, which ensures that AE-attacks can be detected in time to avoid reaching an unsafe state, under the attack and defense strategies considered in this paper. We now generalize AE-safe controllability to a General Form termed GF-Safe Controllability. To avoid ambiguity, we denote the event set of G_M as E_M and specify it in each case.

Fig. 10. Figures of Example 6: (a) G; (b) H; (c) G^a; (d) H^a; (e) G_M (states (1,1), (2,2), (3,3), (4,4), (2, x_b^2), (3,2), (4,5)).

Definition 3 (GF-Safe Controllability) Consider G_M = (X_M, E_M, f_M, x_{0,M}), a model of one type of attacks (AE, SE, or SI). Language L_M = L(G_M) is GF-safe controllable with respect to projection P_o^M : E_M^* → E_o^*, set of vulnerable events E_f, and unsafe states X_f^M if
(∀s ∈ Ψ(E_f))(∀t ∈ L_M/s, t ∈ E_M^*)[(f_M(x_0, st) ∈ X_f^M) ∧ (∀s' < st, f_M(x_0, s') ∩ X_f^M = ∅)] ⇒ (∃t_1, t_2 ∈ E_M^*)[(t = t_1 t_2) ∧ (¬(∃ω ∈ L_M)[P_o^M(st_1) = P_o^M(ω) ∧ E^a_{o,v} ∉ ω]) ∧ (E_c ∈ t_2)].

Comparing Definitions 1 and 3, we see that by replacing P_o^M and E_f by P_o^a and E_{a,v}, respectively, GF-safe controllability reduces to AE-safe controllability. GF-safe controllability allows us to address SE-attacks and SI-attacks as well. For SE-attacks, G_M is obtained using Algorithm 4, as shown in Section 6, where E_M = E ∪ E^a_{o,v}, projection P_o^M is P_o^M : (E ∪ E^a_{o,v})^* → E_{M,o}^*, and E_f is the set of erased sensor events E^a_{o,v}. For SI-attacks, G_M is obtained using Algorithm 5, where E_M = E ∪ E^i_{o,v}, projection P_o^M is P_o^M : (E ∪ E^i_{o,v})^* → E_{M,o}^*, and E_f is the set of onset attack events E^i_{o,v}. We will refer to GF-safe controllability for SE- and SI-attacks as SE-safe controllability and SI-safe controllability, respectively. Clearly, Theorem 1 generalizes to the case of SE- and SI-attacks, using SE-safe controllability and SI-safe controllability, respectively, since once the modified model G_M that accounts for attacks has been built, the conditions for avoiding unsafe states boil down to the same cases in each attack type.

8.2 Test of GF-Safe Controllability

To test if a system is GF-safe controllable, we generalize Algorithm 2 to Algorithm 6. This algorithm verifies if the intrusion detection module can detect any attack before the plant reaches an unsafe state and if the supervisor can disable events to prevent the plant from reaching X_f.
Here, the label automaton to use for building the diagnoser is parametrized by E_f, as shown in Figure 11. In step 1 of Algorithm 6, we select which attack we want to analyze. After that, we follow the same steps as in Algorithm 2. For the sake of brevity, we omit explaining each step. We note that in the algorithm, q_x := {x : (∃l)[(x, l) ∈ q]} is the projection of q to the set of corresponding G_M states.

Fig. 11. Label automaton A_l^{GF} (states N and Y; transitions labelled by the events in E_f).

Proposition 4 Let G_M = (X_M, E_M, f_M, x_{0,M}) be obtained from one of Algorithms 1, 4, 5 presented earlier, and let automaton G_d be the diagnoser built in Algorithm 6. Language L_M is not GF-safe controllable with respect to P_o^M, E_f, and X_f^M if and only if one of the following conditions holds true:
(1) There exists q_{YN} = {(x_{i1}, l_{i1}), ..., (x_{in}, l_{in})} ∈ Q_{YN} such that ∃j ∈ {1, ..., n}, x_{ij} ∈ X_f^M and l_{ij} = Y.
(2) There exists q_Y = {(x_{i1}, Y), ..., (x_{in}, Y)} ∈ FC such that ∃j ∈ {1, ..., n}, x_{ij} ∈ X_f^M.
(3) There exists x_M ∈ X_u such that x_M ∈ X_f^M, where X_u is defined in Algorithm 6.

Proof: The proof follows the same steps as the proof of Proposition 1.

Remark 2 A test of GF-safe controllability using verifiers can be obtained in a straightforward manner by suitably adapting Algorithm 3 to the different attack cases. We omit the details.

Example 7 Let us consider again Example 4, whose diagnoser G_d built according to Algorithm 6 is drawn in Figure 12 considering E^a_{o,v} = {b_a}. By examining the diagnoser states, we see that the attack guides the system to unsafe state
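The diagnoser-based test of Algorithm 2, in the E_f-parametrized form of Algorithm 6, as an added Python example that is not part of the paper. It builds G_l, computes the observer, and checks the three conditions of Proposition 4, first on the AE closed loop of Example 2 (transitions read off Figure 6, with c uncontrollable) and then on an SE closed loop for Example 4, which Example 7 analyzes; since the figures are not reproduced on this page, the SE closed loop is reconstructed from the text of Example 4 and is an assumption. Further assumptions: attacked copies are named "<event>_a"; Definition 2 (first-entered certain states) is not on this page and is taken here as Y-certain observer states entered from a state that is not Y-certain; and the uncontrollable set passed to the test includes the attack events, as step 9 of Algorithm 2 and Remark 1 require.

```python
"""Added example: diagnoser-based test of GF-safe controllability
(Algorithm 6, which generalizes Algorithm 2), run on the AE closed loop of
Example 2 and on an SE closed loop reconstructed from Example 4 (Example 7)."""
from collections import deque

def label_attacks(fM, x0, Ef):
    """Step 1: G_l = G_M || A_l. A state carries label Y once an attack
    event in E_f has occurred and N before that."""
    fl, init = {}, (x0, "N")
    seen, todo = {init}, deque([init])
    while todo:
        x, l = todo.popleft()
        for (y, e), z in fM.items():
            if y != x:
                continue
            nxt = (z, "Y" if e in Ef else l)
            fl[((x, l), e)] = nxt
            if n := nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return fl, init

def unobservable_reach(fl, states, Euo):
    """Labelled states reachable from `states` via unobservable events only."""
    reach, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for (y, e), z in fl.items():
            if y == s and e in Euo and z not in reach:
                reach.add(z)
                todo.append(z)
    return frozenset(reach)

def observer(fl, init, Euo):
    """Step 2: diagnoser G_d = Obs(G_l, E_uo); a state is a set of (x, label)."""
    q0 = unobservable_reach(fl, {init}, Euo)
    fd, seen, todo = {}, {q0}, deque([q0])
    while todo:
        q = todo.popleft()
        for e in {e for (y, e) in fl if y in q and e not in Euo}:
            tgt = {z for (y, ee), z in fl.items() if y in q and ee == e}
            q2 = unobservable_reach(fl, tgt, Euo)
            fd[(q, e)] = q2
            if q2 not in seen:
                seen.add(q2)
                todo.append(q2)
    return fd, q0

def labels(q):
    return {l for (_, l) in q}

def gf_safe_controllable(fM, x0, Ef, Euo, Eu, Xf):
    """Returns (verdict, violated condition of Proposition 4 or None).
    Eu must contain every uncontrollable event of G_M, attack events included."""
    fl, l0 = label_attacks(fM, x0, Ef)
    fd, q0 = observer(fl, l0, Euo)
    Qd = {q0} | set(fd.values())
    # Condition (1): an uncertain (Y/N) state already holds an unsafe Y state.
    for q in Qd:
        if labels(q) == {"N", "Y"} and any(x in Xf and l == "Y" for (x, l) in q):
            return False, 1
    # First-entered certain states. Definition 2 is not reproduced on this
    # page; assumed here as Y-certain states entered from a non-Y-certain state.
    FC = {q2 for (q, _), q2 in fd.items()
          if labels(q2) == {"Y"} and labels(q) != {"Y"}}
    # Condition (2): detection happens only once an unsafe state is reached.
    if any(x in Xf for q in FC for (x, _) in q):
        return False, 2
    # Condition (3): X_u = states reachable from FC through events in Eu.
    Xu, todo = set(), [x for q in FC for (x, _) in q]
    while todo:
        x = todo.pop()
        if x in Xu:
            continue
        Xu.add(x)
        todo += [z for (y, e), z in fM.items() if y == x and e in Eu]
    return (False, 3) if Xu & Xf else (True, None)

# Constructed closed-loop automata (states are (supervisor, plant) pairs).
# Example 2 (AE-attack), read off Figure 6: E_c = {b}, E_{a,v} = {b_a}, X_f = {4}.
GM_AE = {((1, 1), "a"): (2, 2), ((2, 2), "b_a"): (2, 3), ((2, 3), "c"): (2, 4)}
# Example 4 / 7 (SE-attack), reconstructed from the text of Example 4:
# E_c = {a, c}, E^a_{o,v} = {b_a} unobservable, X_f = {5}.
GM_SE = {((1, 1), "a"): (2, 2), ((2, 2), "b"): (4, 4), ((2, 2), "c"): (3, 3),
         ((2, 2), "b_a"): (2, 4), ((2, 4), "c"): (3, 5)}

def example2():
    return gf_safe_controllable(GM_AE, (1, 1), {"b_a"}, set(),
                                {"a", "c", "b_a"}, {(2, 4)})

def example2_c_controllable():
    """Same closed loop, but c is now controllable: the supervisor can
    disable it after detection, so the system becomes safe controllable."""
    return gf_safe_controllable(GM_AE, (1, 1), {"b_a"}, set(),
                                {"a", "b_a"}, {(2, 4)})

def example7():
    return gf_safe_controllable(GM_SE, (1, 1), {"b_a"}, {"b_a"},
                                {"b", "b_a"}, {(3, 5)})

if __name__ == "__main__":
    print("Example 2:", example2())                      # (False, 3)
    print("Example 2, c controllable:", example2_c_controllable())
    print("Example 7:", example7())                      # (False, 1)
```

For Example 2 the diagnoser has no uncertain state, FC = {{((2,3),Y)}} and X_u = {(2,3),(2,4)}, so condition (3) fails, exactly as in the paper; making c controllable turns the verdict to safe controllable. For the SE closed loop the unobservable b_a puts ((2,2),N) and ((2,4),Y) into one observer state, and the next c leads to the uncertain state {((3,3),N), ((3,5),Y)} that contains the unsafe (3,5), so condition (1) fails: the attack is not detected before the plant reaches an unsafe state.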


6.5 Improper integrals

6.5 Improper integrals Eerpt from "Clulus" 3 AoPS In. www.rtofprolemsolving.om 6.5. IMPROPER INTEGRALS 6.5 Improper integrls As we ve seen, we use the definite integrl R f to ompute the re of the region under the grph of y =

More information

Nondeterministic Finite Automata

Nondeterministic Finite Automata Nondeterministi Finite utomt The Power of Guessing Tuesdy, Otoer 4, 2 Reding: Sipser.2 (first prt); Stoughton 3.3 3.5 S235 Lnguges nd utomt eprtment of omputer Siene Wellesley ollege Finite utomton (F)

More information

Chapter 2 Finite Automata

Chapter 2 Finite Automata Chpter 2 Finite Automt 28 2.1 Introduction Finite utomt: first model of the notion of effective procedure. (They lso hve mny other pplictions). The concept of finite utomton cn e derived y exmining wht

More information

(a) A partition P of [a, b] is a finite subset of [a, b] containing a and b. If Q is another partition and P Q, then Q is a refinement of P.

(a) A partition P of [a, b] is a finite subset of [a, b] containing a and b. If Q is another partition and P Q, then Q is a refinement of P. Chpter 7: The Riemnn Integrl When the derivtive is introdued, it is not hrd to see tht the it of the differene quotient should be equl to the slope of the tngent line, or when the horizontl xis is time

More information

Abstraction of Nondeterministic Automata Rong Su

Abstraction of Nondeterministic Automata Rong Su Astrtion of Nondeterministi Automt Rong Su My 6, 2010 TU/e Mehnil Engineering, Systems Engineering Group 1 Outline Motivtion Automton Astrtion Relevnt Properties Conlusions My 6, 2010 TU/e Mehnil Engineering,

More information

The Double Integral. The Riemann sum of a function f (x; y) over this partition of [a; b] [c; d] is. f (r j ; t k ) x j y k

The Double Integral. The Riemann sum of a function f (x; y) over this partition of [a; b] [c; d] is. f (r j ; t k ) x j y k The Double Integrl De nition of the Integrl Iterted integrls re used primrily s tool for omputing double integrls, where double integrl is n integrl of f (; y) over region : In this setion, we de ne double

More information

Co-ordinated s-convex Function in the First Sense with Some Hadamard-Type Inequalities

Co-ordinated s-convex Function in the First Sense with Some Hadamard-Type Inequalities Int. J. Contemp. Mth. Sienes, Vol. 3, 008, no. 3, 557-567 Co-ordinted s-convex Funtion in the First Sense with Some Hdmrd-Type Inequlities Mohmmd Alomri nd Mslin Drus Shool o Mthemtil Sienes Fulty o Siene

More information

Introduction to Olympiad Inequalities

Introduction to Olympiad Inequalities Introdution to Olympid Inequlities Edutionl Studies Progrm HSSP Msshusetts Institute of Tehnology Snj Simonovikj Spring 207 Contents Wrm up nd Am-Gm inequlity 2. Elementry inequlities......................

More information

Arrow s Impossibility Theorem

Arrow s Impossibility Theorem Rep Fun Gme Properties Arrow s Theorem Arrow s Impossiility Theorem Leture 12 Arrow s Impossiility Theorem Leture 12, Slide 1 Rep Fun Gme Properties Arrow s Theorem Leture Overview 1 Rep 2 Fun Gme 3 Properties

More information

Theory of Computation Regular Languages. (NTU EE) Regular Languages Fall / 38

Theory of Computation Regular Languages. (NTU EE) Regular Languages Fall / 38 Theory of Computtion Regulr Lnguges (NTU EE) Regulr Lnguges Fll 2017 1 / 38 Schemtic of Finite Automt control 0 0 1 0 1 1 1 0 Figure: Schemtic of Finite Automt A finite utomton hs finite set of control

More information

Line Integrals and Entire Functions

Line Integrals and Entire Functions Line Integrls nd Entire Funtions Defining n Integrl for omplex Vlued Funtions In the following setions, our min gol is to show tht every entire funtion n be represented s n everywhere onvergent power series

More information

18.06 Problem Set 4 Due Wednesday, Oct. 11, 2006 at 4:00 p.m. in 2-106

18.06 Problem Set 4 Due Wednesday, Oct. 11, 2006 at 4:00 p.m. in 2-106 8. Problem Set Due Wenesy, Ot., t : p.m. in - Problem Mony / Consier the eight vetors 5, 5, 5,..., () List ll of the one-element, linerly epenent sets forme from these. (b) Wht re the two-element, linerly

More information

Green s Theorem. (2x e y ) da. (2x e y ) dx dy. x 2 xe y. (1 e y ) dy. y=1. = y e y. y=0. = 2 e

Green s Theorem. (2x e y ) da. (2x e y ) dx dy. x 2 xe y. (1 e y ) dy. y=1. = y e y. y=0. = 2 e Green s Theorem. Let be the boundry of the unit squre, y, oriented ounterlokwise, nd let F be the vetor field F, y e y +, 2 y. Find F d r. Solution. Let s write P, y e y + nd Q, y 2 y, so tht F P, Q. Let

More information

Handout: Natural deduction for first order logic

Handout: Natural deduction for first order logic MATH 457 Introduction to Mthemticl Logic Spring 2016 Dr Json Rute Hndout: Nturl deduction for first order logic We will extend our nturl deduction rules for sententil logic to first order logic These notes

More information

Table of Content. c 1 / 5

Table of Content. c 1 / 5 Tehnil Informtion - t nd t Temperture for Controlger 03-2018 en Tble of Content Introdution....................................................................... 2 Definitions for t nd t..............................................................

More information

The Regulated and Riemann Integrals

The Regulated and Riemann Integrals Chpter 1 The Regulted nd Riemnn Integrls 1.1 Introduction We will consider severl different pproches to defining the definite integrl f(x) dx of function f(x). These definitions will ll ssign the sme vlue

More information

TIME AND STATE IN DISTRIBUTED SYSTEMS

TIME AND STATE IN DISTRIBUTED SYSTEMS Distriuted Systems Fö 5-1 Distriuted Systems Fö 5-2 TIME ND STTE IN DISTRIUTED SYSTEMS 1. Time in Distriuted Systems Time in Distriuted Systems euse eh mhine in distriuted system hs its own lok there is

More information

Section 3.6. Definite Integrals

Section 3.6. Definite Integrals The Clulus of Funtions of Severl Vribles Setion.6 efinite Integrls We will first define the definite integrl for funtion f : R R nd lter indite how the definition my be extended to funtions of three or

More information

Arrow s Impossibility Theorem

Arrow s Impossibility Theorem Rep Voting Prdoxes Properties Arrow s Theorem Arrow s Impossiility Theorem Leture 12 Arrow s Impossiility Theorem Leture 12, Slide 1 Rep Voting Prdoxes Properties Arrow s Theorem Leture Overview 1 Rep

More information

Petri Nets. Rebecca Albrecht. Seminar: Automata Theory Chair of Software Engeneering

Petri Nets. Rebecca Albrecht. Seminar: Automata Theory Chair of Software Engeneering Petri Nets Ree Alreht Seminr: Automt Theory Chir of Softwre Engeneering Overview 1. Motivtion: Why not just using finite utomt for everything? Wht re Petri Nets nd when do we use them? 2. Introdution:

More information

22: Union Find. CS 473u - Algorithms - Spring April 14, We want to maintain a collection of sets, under the operations of:

22: Union Find. CS 473u - Algorithms - Spring April 14, We want to maintain a collection of sets, under the operations of: 22: Union Fin CS 473u - Algorithms - Spring 2005 April 14, 2005 1 Union-Fin We wnt to mintin olletion of sets, uner the opertions of: 1. MkeSet(x) - rete set tht ontins the single element x. 2. Fin(x)

More information

Theory of Computation Regular Languages

Theory of Computation Regular Languages Theory of Computtion Regulr Lnguges Bow-Yw Wng Acdemi Sinic Spring 2012 Bow-Yw Wng (Acdemi Sinic) Regulr Lnguges Spring 2012 1 / 38 Schemtic of Finite Automt control 0 0 1 0 1 1 1 0 Figure: Schemtic of

More information

Lecture 08: Feb. 08, 2019

Lecture 08: Feb. 08, 2019 4CS4-6:Theory of Computtion(Closure on Reg. Lngs., regex to NDFA, DFA to regex) Prof. K.R. Chowdhry Lecture 08: Fe. 08, 2019 : Professor of CS Disclimer: These notes hve not een sujected to the usul scrutiny

More information

Chapter Five: Nondeterministic Finite Automata. Formal Language, chapter 5, slide 1

Chapter Five: Nondeterministic Finite Automata. Formal Language, chapter 5, slide 1 Chpter Five: Nondeterministic Finite Automt Forml Lnguge, chpter 5, slide 1 1 A DFA hs exctly one trnsition from every stte on every symol in the lphet. By relxing this requirement we get relted ut more

More information

Algorithms & Data Structures Homework 8 HS 18 Exercise Class (Room & TA): Submitted by: Peer Feedback by: Points:

Algorithms & Data Structures Homework 8 HS 18 Exercise Class (Room & TA): Submitted by: Peer Feedback by: Points: Eidgenössishe Tehnishe Hohshule Zürih Eole polytehnique fédérle de Zurih Politenio federle di Zurigo Federl Institute of Tehnology t Zurih Deprtement of Computer Siene. Novemer 0 Mrkus Püshel, Dvid Steurer

More information

The study of dual integral equations with generalized Legendre functions

The study of dual integral equations with generalized Legendre functions J. Mth. Anl. Appl. 34 (5) 75 733 www.elsevier.om/lote/jm The study of dul integrl equtions with generlized Legendre funtions B.M. Singh, J. Rokne,R.S.Dhliwl Deprtment of Mthemtis, The University of Clgry,

More information

Decentralized Diagnosis for Nonfailures of Discrete Event Systems Using Inference-Based Ambiguity Management

Decentralized Diagnosis for Nonfailures of Discrete Event Systems Using Inference-Based Ambiguity Management IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS PART A: SYSTEMS AND HUMANS, VOL. XX, NO. X, XXX 2009 1 Deentrlized Dignosis or Nonilures o Disrete Event Systems Using Inerene-Bsed Amiguity Mngement

More information

1 Nondeterministic Finite Automata

1 Nondeterministic Finite Automata 1 Nondeterministic Finite Automt Suppose in life, whenever you hd choice, you could try oth possiilities nd live your life. At the end, you would go ck nd choose the one tht worked out the est. Then you

More information

Properties of Integrals, Indefinite Integrals. Goals: Definition of the Definite Integral Integral Calculations using Antiderivatives

Properties of Integrals, Indefinite Integrals. Goals: Definition of the Definite Integral Integral Calculations using Antiderivatives Block #6: Properties of Integrls, Indefinite Integrls Gols: Definition of the Definite Integrl Integrl Clcultions using Antiderivtives Properties of Integrls The Indefinite Integrl 1 Riemnn Sums - 1 Riemnn

More information

#A42 INTEGERS 11 (2011) ON THE CONDITIONED BINOMIAL COEFFICIENTS

#A42 INTEGERS 11 (2011) ON THE CONDITIONED BINOMIAL COEFFICIENTS #A42 INTEGERS 11 (2011 ON THE CONDITIONED BINOMIAL COEFFICIENTS Liqun To Shool of Mthemtil Sienes, Luoyng Norml University, Luoyng, Chin lqto@lynuedun Reeived: 12/24/10, Revised: 5/11/11, Aepted: 5/16/11,

More information

Part I: Study the theorem statement.

Part I: Study the theorem statement. Nme 1 Nme 2 Nme 3 A STUDY OF PYTHAGORAS THEOREM Instrutions: Together in groups of 2 or 3, fill out the following worksheet. You my lift nswers from the reding, or nswer on your own. Turn in one pket for

More information

where the box contains a finite number of gates from the given collection. Examples of gates that are commonly used are the following: a b

where the box contains a finite number of gates from the given collection. Examples of gates that are commonly used are the following: a b CS 294-2 9/11/04 Quntum Ciruit Model, Solovy-Kitev Theorem, BQP Fll 2004 Leture 4 1 Quntum Ciruit Model 1.1 Clssil Ciruits - Universl Gte Sets A lssil iruit implements multi-output oolen funtion f : {0,1}

More information

Infinite-Step Opacity of Stochastic Discrete-Event Systems

Infinite-Step Opacity of Stochastic Discrete-Event Systems 7 th Asin Control Conferene (ASCC) Gold Cost Convention Centre, Austrli Deemer 7-, 7 Infinite-Step Opity of Stohsti Disrete-Event Systems Xing Yin, Zhojin Li, Weilin Wng nd Shoyun Li Astrt Opity is n importnt

More information

Lecture 6. CMOS Static & Dynamic Logic Gates. Static CMOS Circuit. PMOS Transistors in Series/Parallel Connection

Lecture 6. CMOS Static & Dynamic Logic Gates. Static CMOS Circuit. PMOS Transistors in Series/Parallel Connection NMOS Trnsistors in Series/Prllel onnetion Leture 6 MOS Stti & ynmi Logi Gtes Trnsistors n e thought s swith ontrolled y its gte signl NMOS swith loses when swith ontrol input is high Peter heung eprtment

More information

1 From NFA to regular expression

1 From NFA to regular expression Note 1: How to convert DFA/NFA to regulr expression Version: 1.0 S/EE 374, Fll 2017 Septemer 11, 2017 In this note, we show tht ny DFA cn e converted into regulr expression. Our construction would work

More information

Behavior Composition in the Presence of Failure

Behavior Composition in the Presence of Failure Behior Composition in the Presene of Filure Sestin Srdin RMIT Uniersity, Melourne, Austrli Fio Ptrizi & Giuseppe De Giomo Spienz Uni. Rom, Itly KR 08, Sept. 2008, Sydney Austrli Introdution There re t

More information

T b a(f) [f ] +. P b a(f) = Conclude that if f is in AC then it is the difference of two monotone absolutely continuous functions.

T b a(f) [f ] +. P b a(f) = Conclude that if f is in AC then it is the difference of two monotone absolutely continuous functions. Rel Vribles, Fll 2014 Problem set 5 Solution suggestions Exerise 1. Let f be bsolutely ontinuous on [, b] Show tht nd T b (f) P b (f) f (x) dx [f ] +. Conlude tht if f is in AC then it is the differene

More information

Symmetrical Components 1

Symmetrical Components 1 Symmetril Components. Introdution These notes should e red together with Setion. of your text. When performing stedy-stte nlysis of high voltge trnsmission systems, we mke use of the per-phse equivlent

More information

LIP. Laboratoire de l Informatique du Parallélisme. Ecole Normale Supérieure de Lyon

LIP. Laboratoire de l Informatique du Parallélisme. Ecole Normale Supérieure de Lyon LIP Lortoire de l Informtique du Prllélisme Eole Normle Supérieure de Lyon Institut IMAG Unité de reherhe ssoiée u CNRS n 1398 One-wy Cellulr Automt on Cyley Grphs Zsuzsnn Rok Mrs 1993 Reserh Report N

More information

Exercise 3 Logic Control

Exercise 3 Logic Control Exerise 3 Logi Control OBJECTIVE The ojetive of this exerise is giving n introdution to pplition of Logi Control System (LCS). Tody, LCS is implemented through Progrmmle Logi Controller (PLC) whih is lled

More information

MA10207B: ANALYSIS SECOND SEMESTER OUTLINE NOTES

MA10207B: ANALYSIS SECOND SEMESTER OUTLINE NOTES MA10207B: ANALYSIS SECOND SEMESTER OUTLINE NOTES CHARLIE COLLIER UNIVERSITY OF BATH These notes hve been typeset by Chrlie Collier nd re bsed on the leture notes by Adrin Hill nd Thoms Cottrell. These

More information

Logic Synthesis and Verification

Logic Synthesis and Verification Logi Synthesis nd Verifition SOPs nd Inompletely Speified Funtions Jie-Hong Rolnd Jing 江介宏 Deprtment of Eletril Engineering Ntionl Tiwn University Fll 2010 Reding: Logi Synthesis in Nutshell Setion 2 most

More information

THE EXISTENCE-UNIQUENESS THEOREM FOR FIRST-ORDER DIFFERENTIAL EQUATIONS.

THE EXISTENCE-UNIQUENESS THEOREM FOR FIRST-ORDER DIFFERENTIAL EQUATIONS. THE EXISTENCE-UNIQUENESS THEOREM FOR FIRST-ORDER DIFFERENTIAL EQUATIONS RADON ROSBOROUGH https://intuitiveexplntionscom/picrd-lindelof-theorem/ This document is proof of the existence-uniqueness theorem

More information

CS 275 Automata and Formal Language Theory

CS 275 Automata and Formal Language Theory CS 275 Automt nd Forml Lnguge Theory Course Notes Prt II: The Recognition Problem (II) Chpter II.6.: Push Down Automt Remrk: This mteril is no longer tught nd not directly exm relevnt Anton Setzer (Bsed

More information

Learning Partially Observable Markov Models from First Passage Times

Learning Partially Observable Markov Models from First Passage Times Lerning Prtilly Oservle Mrkov s from First Pssge s Jérôme Cllut nd Pierre Dupont Europen Conferene on Mhine Lerning (ECML) 8 Septemer 7 Outline. FPT in models nd sequenes. Prtilly Oservle Mrkov s (POMMs).

More information

Lecture 9: LTL and Büchi Automata

Lecture 9: LTL and Büchi Automata Lecture 9: LTL nd Büchi Automt 1 LTL Property Ptterns Quite often the requirements of system follow some simple ptterns. Sometimes we wnt to specify tht property should only hold in certin context, clled

More information

Descriptional Complexity of Non-Unary Self-Verifying Symmetric Difference Automata

Descriptional Complexity of Non-Unary Self-Verifying Symmetric Difference Automata Desriptionl Complexity of Non-Unry Self-Verifying Symmetri Differene Automt Lurette Mris 1,2 nd Lynette vn Zijl 1 1 Deprtment of Computer Siene, Stellenosh University, South Afri 2 Merk Institute, CSIR,

More information

Finite Automata. Informatics 2A: Lecture 3. John Longley. 22 September School of Informatics University of Edinburgh

Finite Automata. Informatics 2A: Lecture 3. John Longley. 22 September School of Informatics University of Edinburgh Lnguges nd Automt Finite Automt Informtics 2A: Lecture 3 John Longley School of Informtics University of Edinburgh jrl@inf.ed.c.uk 22 September 2017 1 / 30 Lnguges nd Automt 1 Lnguges nd Automt Wht is

More information

Solutions to Assignment 1

Solutions to Assignment 1 MTHE 237 Fll 2015 Solutions to Assignment 1 Problem 1 Find the order of the differentil eqution: t d3 y dt 3 +t2 y = os(t. Is the differentil eqution liner? Is the eqution homogeneous? b Repet the bove

More information

1. For each of the following theorems, give a two or three sentence sketch of how the proof goes or why it is not true.

1. For each of the following theorems, give a two or three sentence sketch of how the proof goes or why it is not true. York University CSE 2 Unit 3. DFA Clsses Converting etween DFA, NFA, Regulr Expressions, nd Extended Regulr Expressions Instructor: Jeff Edmonds Don t chet y looking t these nswers premturely.. For ech

More information

Non Deterministic Automata. Linz: Nondeterministic Finite Accepters, page 51

Non Deterministic Automata. Linz: Nondeterministic Finite Accepters, page 51 Non Deterministic Automt Linz: Nondeterministic Finite Accepters, pge 51 1 Nondeterministic Finite Accepter (NFA) Alphbet ={} q 1 q2 q 0 q 3 2 Nondeterministic Finite Accepter (NFA) Alphbet ={} Two choices

More information

ON THE INEQUALITY OF THE DIFFERENCE OF TWO INTEGRAL MEANS AND APPLICATIONS FOR PDFs

ON THE INEQUALITY OF THE DIFFERENCE OF TWO INTEGRAL MEANS AND APPLICATIONS FOR PDFs ON THE INEQUALITY OF THE DIFFERENCE OF TWO INTEGRAL MEANS AND APPLICATIONS FOR PDFs A.I. KECHRINIOTIS AND N.D. ASSIMAKIS Deprtment of Eletronis Tehnologil Edutionl Institute of Lmi, Greee EMil: {kehrin,

More information

Intermediate Math Circles Wednesday, November 14, 2018 Finite Automata II. Nickolas Rollick a b b. a b 4

Intermediate Math Circles Wednesday, November 14, 2018 Finite Automata II. Nickolas Rollick a b b. a b 4 Intermedite Mth Circles Wednesdy, Novemer 14, 2018 Finite Automt II Nickols Rollick nrollick@uwterloo.c Regulr Lnguges Lst time, we were introduced to the ide of DFA (deterministic finite utomton), one

More information

Finite Automata Theory and Formal Languages TMV027/DIT321 LP4 2018

Finite Automata Theory and Formal Languages TMV027/DIT321 LP4 2018 Finite Automt Theory nd Forml Lnguges TMV027/DIT321 LP4 2018 Lecture 10 An Bove April 23rd 2018 Recp: Regulr Lnguges We cn convert between FA nd RE; Hence both FA nd RE ccept/generte regulr lnguges; More

More information

5. (±±) Λ = fw j w is string of even lengthg [ 00 = f11,00g 7. (11 [ 00)± Λ = fw j w egins with either 11 or 00g 8. (0 [ ffl)1 Λ = 01 Λ [ 1 Λ 9.

5. (±±) Λ = fw j w is string of even lengthg [ 00 = f11,00g 7. (11 [ 00)± Λ = fw j w egins with either 11 or 00g 8. (0 [ ffl)1 Λ = 01 Λ [ 1 Λ 9. Regulr Expressions, Pumping Lemm, Right Liner Grmmrs Ling 106 Mrch 25, 2002 1 Regulr Expressions A regulr expression descries or genertes lnguge: it is kind of shorthnd for listing the memers of lnguge.

More information

p-adic Egyptian Fractions

p-adic Egyptian Fractions p-adic Egyptin Frctions Contents 1 Introduction 1 2 Trditionl Egyptin Frctions nd Greedy Algorithm 2 3 Set-up 3 4 p-greedy Algorithm 5 5 p-egyptin Trditionl 10 6 Conclusion 1 Introduction An Egyptin frction

More information

, g. Exercise 1. Generator polynomials of a convolutional code, given in binary form, are g. Solution 1.

, g. Exercise 1. Generator polynomials of a convolutional code, given in binary form, are g. Solution 1. Exerise Genertor polynomils of onvolutionl ode, given in binry form, re g, g j g. ) Sketh the enoding iruit. b) Sketh the stte digrm. ) Find the trnsfer funtion T. d) Wht is the minimum free distne of

More information