Secure Control Against Replay Attacks

Similar documents
False Data Injection Attacks in Control Systems

Coding Sensor Outputs for Injection Attacks Detection

Lecture 5: Control Over Lossy Networks

False Data Injection Attacks in Control Systems

Detecting Integrity Attacks on SCADASystems

Stochastic Game Approach for Replay Attack Detection

Cyber Attacks, Detection and Protection in Smart Grid State Estimation

Networked Control Systems: Estimation and Control over Lossy Networks

Kalman Filter Computer Vision (Kris Kitani) Carnegie Mellon University

Cyber Physical Attacks with Control Objectives

Kalman filtering with intermittent heavy tailed observations

LQG CONTROL WITH MISSING OBSERVATION AND CONTROL PACKETS. Bruno Sinopoli, Luca Schenato, Massimo Franceschetti, Kameshwar Poolla, Shankar Sastry

A Stochastic Online Sensor Scheduler for Remote State Estimation with Time-out Condition

Networked Sensing, Estimation and Control Systems

CYBER-Physical Systems (CPS) are systems that smoothly

Here represents the impulse (or delta) function. is an diagonal matrix of intensities, and is an diagonal matrix of intensities.

Cross Directional Control

Online monitoring of MPC disturbance models using closed-loop data

Lecture 3: Functions of Symmetric Matrices

Time Varying Optimal Control with Packet Losses.

ANOMALY DETECTION IN LIQUID PIPELINES USING MODELING, CO-SIMULATION AND DYNAMICAL ESTIMATION

ELEC4631 s Lecture 2: Dynamic Control Systems 7 March Overview of dynamic control systems

Detecting Integrity Attacks on SCADA Systems

ONGOING WORK ON FAULT DETECTION AND ISOLATION FOR FLIGHT CONTROL APPLICATIONS

Lecture 10 Linear Quadratic Stochastic Control with Partial State Observation

Quantifying Cyber Security for Networked Control Systems

6 OUTPUT FEEDBACK DESIGN

Dynamic State Estimation in the Presence of Compromised Sensory Data

Contents lecture 5. Automatic Control III. Summary of lecture 4 (II/II) Summary of lecture 4 (I/II) u y F r. Lecture 5 H 2 and H loop shaping

Using Theorem Provers to Guarantee Closed-Loop Properties

EL 625 Lecture 10. Pole Placement and Observer Design. ẋ = Ax (1)

Sporadic Data Integrity for Secure State Estimation

Dynamic Attack Detection in Cyber-Physical. Systems with Side Initial State Information

Real-Time Detection of Hybrid and Stealthy Cyber-Attacks in Smart Grid

1 Kalman Filter Introduction

LQR, Kalman Filter, and LQG. Postgraduate Course, M.Sc. Electrical Engineering Department College of Engineering University of Salahaddin

CALIFORNIA INSTITUTE OF TECHNOLOGY Control and Dynamical Systems. CDS 110b

Every real system has uncertainties, which include system parametric uncertainties, unmodeled dynamics

THe 21 st century could well be the era of large-scale. Dynamic Watermarking: Active Defense of Networked Cyber-Physical Systems

Estimation for Nonlinear Dynamical Systems over Packet-Dropping Networks

Distributed Detection of Cyber Attacks and Faults for Power Systems

Exam in Automatic Control II Reglerteknik II 5hp (1RT495)

Exam. 135 minutes, 15 minutes reading time

Lecture 7 : Generalized Plant and LFT form Dr.-Ing. Sudchai Boonto Assistant Professor

Attack-Resilient Supervisory Control of Discrete-Event Systems

Dynamic Attacks on Power Systems Economic Dispatch

Time and Event-based Sensor Scheduling for Networks with Limited Communication Resources

Set-valued Observer-based Active Fault-tolerant Model Predictive Control

Numerical atmospheric turbulence models and LQG control for adaptive optics system

Comparison of four state observer design algorithms for MIMO system

Industrial Model Predictive Control

Battery Level Estimation of Mobile Agents Under Communication Constraints

Data Fusion Kalman Filtering Self Localization

CALIFORNIA INSTITUTE OF TECHNOLOGY Control and Dynamical Systems. CDS 110b

Optimal Polynomial Control for Discrete-Time Systems

Role of Synchronized Measurements In Operation of Smart Grids

arxiv: v1 [cs.it] 10 Feb 2015

Distributed l 1 -state-and-fault estimation for Multi-agent systems

Horizontal Integration based upon: Decentralized Data Fusion (DDF), NetCentric Architecture (NCA), and Analysis Collaboration Tools (ACT)

Control Design. Lecture 9: State Feedback and Observers. Two Classes of Control Problems. State Feedback: Problem Formulation

X. F. Wang, J. F. Chen, Z. G. Shi *, and K. S. Chen Department of Information and Electronic Engineering, Zhejiang University, Hangzhou , China

= m(0) + 4e 2 ( 3e 2 ) 2e 2, 1 (2k + k 2 ) dt. m(0) = u + R 1 B T P x 2 R dt. u + R 1 B T P y 2 R dt +

Technical work in WP2 and WP5

Nonlinear Model Predictive Control Tools (NMPC Tools)

FIR Filters for Stationary State Space Signal Models

Deadlines misses and their Implication on Feedback Control Loops. Dip Goswami Eindhoven University of Technology (TU/e) The Netherlands

Architectures and Algorithms for Distributed Generation Control of Inertia-Less AC Microgrids

Robust Control 5 Nominal Controller Design Continued

Seminar Course 392N Spring2011. ee392n - Spring 2011 Stanford University. Intelligent Energy Systems 1

State Estimation with Finite Signal-to-Noise Models

Steady State Kalman Filter

Simple criteria for controller performance monitoring

Discrete-Time H Gaussian Filter

Distributed and Real-time Predictive Control

L06. LINEAR KALMAN FILTERS. NA568 Mobile Robotics: Methods & Algorithms

Adaptive Dynamic Inversion Control of a Linear Scalar Plant with Constrained Control Inputs

Consistent Triangulation for Mobile Robot Localization Using Discontinuous Angular Measurements

Robust Actuator Fault Detection and Isolation in a Multi-Area Interconnected Power System

A CUSUM approach for online change-point detection on curve sequences

Secure Dynamic State Estimation via Local Estimators

Electrical Engineering Written PhD Qualifier Exam Spring 2014

INTEGRATED ARCHITECTURE OF ACTUATOR FAULT DIAGNOSIS AND ACCOMMODATION

State estimation and the Kalman filter

Foundations of Control and Estimation over Lossy Networks

Intro. Computer Control Systems: F9

A Quantum Computing Approach to the Verification and Validation of Complex Cyber-Physical Systems

SPERIMENTAZIONE DI STRUTTURE AEROSPAZIALI TESTING OF AEROSPACE STRUCTURES

Predictive Control of Gyroscopic-Force Actuators for Mechanical Vibration Damping

Efficient robust optimization for robust control with constraints Paul Goulart, Eric Kerrigan and Danny Ralph

Feedback Control of Turbulent Wall Flows

DESIGNING A KALMAN FILTER WHEN NO NOISE COVARIANCE INFORMATION IS AVAILABLE. Robert Bos,1 Xavier Bombois Paul M. J. Van den Hof

Optimal LQG Control Across a Packet-Dropping Link

Optimization-Based Control

Effects of Various Uncertainty Sources on Automatic Generation Control Systems

Data-Injection Attacks in Stochastic Control Systems: Detectability and Performance Tradeoffs

Quantifying Cyber-Security for Networked Control Systems

A Crash Course on Kalman Filtering

Output-based Event-triggered Control with Performance Guarantees

Revealing Stealthy Attacks in Control Systems

An Optimization Approach In Information Security Risk Management

Transcription:

Secure Control Against Replay Attacks Bruno Sinopoli, Yilin Mo Department of Electrical and Computer Engineering, Carnegie Mellon Trust Autumn 2009 Conference Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 1 / 25

Today s Infrastructure is... unsafe aging inefficient insecure Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 2 / 25

Monitoring, assessment and control Public and private sector enterprises today are highly dependent on information systems to carry out their missions and business functions Technological developments have seen these traditionally closed systems become open and internet-connected, thus putting national services critical infrastructure at risk Physical infrastructures are poorly monitored and loosely controlled Cost of sensing, computing and communication have been major inhibitors Management of large scale, distributed spaces is complex There is a need for design methodologies to address integrated design of the physical and the cyber system Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 3 / 25

Cyber Physical System Cyber Physical System (CPS) refer to the embedding of widespread sensing, computation, communication and control into physical space. CPS will transform how we interact with the physical world just like the Internet transformed how we interact with one another. Typical applications of CPS: aerospace, chemical processes, civil infrastructure, energy, manufacturing and transportation. Lots of safety-critical applications. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 4 / 25

Challenges Robust design, verification and analysis of performance Design time Compositional analysis Cross layer design tools Software verification Run time Distributed Event Detection Reconfiguration, adaptability Security Attack definition Attack detection Operational continuity Remediation / Reconfiguration Restoration Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 5 / 25

Information Security Key properties of information security: 1 Confidentiality: attacker cannot read data packets. 2 Integrity: attacker cannot modify data packets. 3 Availability: data packets are available for estimation and control purpose. 4... Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 6 / 25

Information Security Key properties of information security: 1 Confidentiality: attacker cannot read data packets. 2 Integrity: attacker cannot modify data packets. 3 Availability: data packets are available for estimation and control purpose. 4... Is information security enough? Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 6 / 25

Attack on Availability Observation and control packet are sent to the estimator and controller through networks. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 7 / 25

Attack on Availability Figure: Stability Regions Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 8 / 25

Cyber-Physical Attacks How to get sensors readings? Attacker can place a sensor besides CPS sensor. How to modify sensors readings? Attacker can place an actuator besides CPS sensor. By monitoring and affecting the environment around CPS sensors, the attack can get and modify the sensors reading without interfering the communication. Example: Using thermometer and ice to monitor and control a temperature sensor without breaking confidentiality and integrity. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 9 / 25

Attack Model The attacker can 1 record and modify the sensors readings y k 2 inject malicious control input Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 10 / 25

Attack Model The attacker can 1 record and modify the sensors readings y k 2 inject malicious control input Replay Attack 1 Record sufficient number of y k s without adding control inputs. 2 Inject malicious control input and replay the previous y k s. We denote the replayed measurements as y k. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 10 / 25

Attack Model The attacker can 1 record and modify the sensors readings y k 2 inject malicious control input Replay Attack 1 Record sufficient number of y k s without adding control inputs. 2 Inject malicious control input and replay the previous y k s. We denote the replayed measurements as y k. When replay begins, there is no information from the systems to the controller. As a result, the controller cannot guarantee any close-loop control performance. The only chance is to detect the replay. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 10 / 25

Example: Load Frequency Control in Power System P 12 P 21 Area #1 Area #2 Tie line power flow System Description d f 1 = α 1 ( P m1 P l1 P 12 ) + β 1 f 1, dt d f 2 = α 2 ( P m2 P l2 P 21 ) + β 2 f 2, dt d ϕ = 2π( f 1 f 2 ) dt P 12 = P 21 = P T sin( ϕ) Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 11 / 25

Example: Load Frequency Control in Power System f i is the frequency in area #i and f i denotes the deviation from nominal value; ϕ is the difference in phase angle of two areas; P mi and P li are the generated and consumed power in area #i, and operator denotes the deviation from nominal value; P ij is the power transmitted from area #i to area #j; α i, β i are system constants. 1 States (frequency and phase angle): f 1, f 2, ϕ; 2 Control (generated power): P m1, P m2 ; 3 Disturbance (load): P l1, P l2. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 12 / 25

Classical control and failure detection strategy System Model We consider the CPS is monitoring the following LTI(Linear Time-Invariant) system System Description x k+1 = Ax k + Bu k + w k, y k = Cx k + v k. (1) x k R n is the state vector. y k R m is the measurements from the sensors. u k R p is the control inputs. w k, v k, x 0 are independent Gaussian random variables, and x 0 N ( x 0, Σ), w k N (0, Q) and v k N (0, R). Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 13 / 25

Classical control and failure detection strategy Kalman Filter and LQG Controller Kalman filter (Assume already in steady states) ˆx 0 1 = x 0, ˆx k+1 k = Aˆx k k +Bu k, ˆx k+1 k+1 = ˆx k+1 k +K(y k+1 C ˆx k+1 k ). The LQG controller tries to minimize [ J = min lim E 1 T 1 ] (xk T T T Wx k + uk T Uu k). k=0 The solution is a fixed gain controller u k = (BT SB + U) 1 B T SAˆx k k = Lˆx k k, where S = A T SA + W A T SB(B T SB + U) 1 B T SA. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 14 / 25

Classical control and failure detection strategy χ 2 Failure Detector The innovation of Kalman filter y k C ˆx k k 1 is i.i.d. Gaussian distributed with zero mean. χ 2 Detector g k = k i=k T +1 (y i C ˆx i i 1 ) T P 1 (y i C ˆx i i 1 ) threshold, where P is the covariance of the innovation. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 15 / 25

Classical control and failure detection strategy System Diagram Actuator Plant Sensor u a k Attacker z 1 monitor/control u k 1 y k /y k u k u k Controller ˆx k k Estimator Detector y k C ˆx k k 1 Figure: System Diagram Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 16 / 25

Simulation Secure Control Suppose the attacker records from time T and replay begins at time 0. For some systems, the χ 2 detector cannot distinguish system under replay and system without replay. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 17 / 25

Secure Control Detection of Replay Attack When replay begins, the update equation of Kalman filter is ˆx k+1 k = (A + BL)(I KC)ˆx k k 1 + (A + BL)Ky k = Aˆx k k 1 + (A + BL)Ky k Since the attacker records from time T, y k = y k T. The Kalman filter at time k T satisfies: ˆx k T +1 k T = Aˆx k T k T 1 + (A + BL)Ky k T = Aˆx k T k T 1 + (A + BL)Ky k. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 18 / 25

Secure Control Detection of Replay Attack Hence, ˆx k k 1 ˆx k T k T 1 = A k (ˆx 0 1 ˆx T T 1 ). and the innovation y k C ˆx k k 1 satisfies y k C ˆx k k 1 = (y k T C ˆx k T k T 1 ) innovation under replay innovation without replay + CA k (ˆx 0 1 ˆx T T 1 ), converges to 0 if A < 1 If A k converges fast, it is hard to distinguish innovation under replay and innovation without replay!! (They converge in distribution.) Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 19 / 25

Secure Control Countermeasures Replay is feasible because the optimal estimator and controller are deterministic: ˆx k+1 k = Aˆx k k 1 + (A + BL)Ky k If we add a random control input to the system: 1 If the system respond to this input, then there is no replay attack 2 If the system does not respond, then there is a replay attack 3 Random control inputs act like time stamps 4 Cost: The controller is not optimal any more Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 20 / 25

Countermeasures Secure Control Let control input to be u k = u k + u k, where u k is the LQG control input, u k is a Gaussian random control input with 0 mean and covariance of Q. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 21 / 25

Countermeasures Secure Control Let control input to be u k = u k + u k, where u k is the LQG control input, u k is a Gaussian random control input with 0 mean and covariance of Q. Increase in LQG cost: trace[(u + B T SB)Q]. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 21 / 25

Secure Control Countermeasures Let control input to be u k = u k + u k, where u k is the LQG control input, u k is a Gaussian random control input with 0 mean and covariance of Q. Increase in LQG cost: trace[(u + B T SB)Q]. Kalman filtering equation: and ˆx k+1 k = Aˆx k k 1 + (A + BL)Ky k + B u k ˆx k T +1 k T = Aˆx k T k T 1 + (A + BL)Ky k + B u k, y k C ˆx k k 1 = y k T C ˆx k T k T 1 + CA k (ˆx 0 1 ˆx T T 1 ) k 1 + C A k i 1 B( u i u T +i ) Can be detected!. i=0 Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 21 / 25

New System Diagram Secure Control Actuator Plant Sensor u a k Attacker z 1 monitor/control u k 1 y k /y k u k u k Controller ˆx k k Estimator u k Detector y k C ˆx k k 1 Figure: System Diagram Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 22 / 25

Simulation Simulation Result 1 One dimensional system, single sensor x k+1 = x k + u k + w k y k = x k + v k 2 Parameters: R = 0.1, Q = 1. W = U = 1. Detector window size T = 5, false alarm rate 5%. K = 0.9161, L = 0.6180, A = 0.0321. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 23 / 25

Simulation Simulation Result Blue: Q = 0.6 Brown: Q = 0.4 Red: Q = 0.2 Dark Blue: Q = 0 Figure: Detection Rate of Different Random Signal Strength Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 24 / 25

Conclusion Conclusion While infrastructure is getting smarter, it also becomes more vulnerable. We need to develop a methodology to Model attacks Analyze the effects of an attack on CPS Develop countermeasures to ensure: graceful degradation, reconfiguration, remediation. Bruno Sinopoli (Carnegie Mellon) Secure Control Trust Autumn Conference 25 / 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback