Yilin Mo,Sean Weerakkody,Bruno Sinopoli

DOI: https://doi.org/10.1109/mcs.2014.2364724

2015-01-01

Abstract:Cyberphysical systems (CPSs) refer to the embedding of widespread sensing, networking, computation, and control into physical spaces with the goal of making them safer, more efficient, and reliable. Driven by the miniaturization and integration of sensing, communication, and computation in cost-efficient devices, CPSs are bound to transform industries such as aerospace, transportation, built environments, energy, health care, and manufacturing, to name a few. This great opportunity, unfortunately, is matched by even greater challenges. Taming the complexity of design and analysis of these systems poses a fundamental problem as a new paradigm is needed to bridge various scientific domains, which, through the years, have developed significantly different formalisms and methodologies. In addition, while the use of dedicated communication networks has so far sheltered systems from the outside world, use of off-the-shelf networking and computing, combined with the unattended operation of a plethora of devices, provides several opportunities for malicious entities to inject attacks on CPSs. A wide variety of motivations exists for launching an attack on CPSs, ranging from economic reasons, such as obtaining a financial gain, all the way to terrorism, for instance, threatening an entire population by manipulating life-critical resources. Any attack on safety-critical CPSs may significantly hamper the economy and lead to the loss of human lives. While the threat of attacks on CPSs tends to be underplayed at times, the Stuxnet worm provided a clear example of the possible future to come. This malware, targeting a uranium enriching facility in Iran, managed to reach the supervisory control and data acquisition (SCADA) system controlling the centrifuges used in the enrichment process. Stuxnet modified the control system, increasing pressure in the centrifuges in a first version of the worm and spinning centrifuges in an erratic fashion in a second version. As a result, Stuxnet caused significant damage to the plant [1]. For details, see "The Stuxnet Attack".

Chongrong Fang,Yifei Qi,Peng Cheng,Wei Xing Zheng

DOI: https://doi.org/10.1109/ascc.2017.8287297

2017-01-01

Abstract:Security issues of Cyber-Physical Systems (CPS) are of great significance since cyber attacks may cause catastrophic effects on such systems. Due to the events of Stuxnet, replay attacks have gained increasing attention in recent years. To counter for the replay attacks, it has been proposed to impose additional watermarking signals to nominal control inputs. However, such detector may result in the waste of control cost especially when the attack is absent. In this paper, we firstly formulate an attack duration model for the replay attack. By exploiting the attack model, we propose a periodic watermarking strategy which aims to reduce the costs while guaranteeing the detection performance. Furthermore, we obtain an optimal periodic watermarking strategy for the approximated detection performance. Extensive simulations over quadruple water tank are conducted to demonstrate the system performance.

Bharadwaj Satchidanandan,P. R. Kumar

DOI: https://doi.org/10.48550/arXiv.1606.08741

2016-06-27

Abstract:The coming decades may see the large scale deployment of networked cyber-physical systems to address global needs in areas such as energy, water, healthcare, and transportation. However, as recent events have shown, such systems are vulnerable to cyber attacks. Being safety critical, their disruption or misbehavior can cause economic losses or injuries and loss of life. It is therefore important to secure such networked cyber-physical systems against attacks. In the absence of credible security guarantees, there will be resistance to the proliferation of cyber-physical systems, which are much needed to meet global needs in critical infrastructures and services. This paper addresses the problem of secure control of networked cyber-physical systems. This problem is different from the problem of securing the communication network, since cyber-physical systems at their very essence need sensors and actuators that interface with the physical plant, and malicious agents may tamper with sensors or actuators, as recent attacks have shown. We consider physical plants that are being controlled by multiple actuators and sensors communicating over a network, where some sensors could be "malicious," meaning that they may not report the measurements that they observe. We address a general technique by which the actuators can detect the actions of malicious sensors in the system, and disable closed-loop control based on their information. This technique, called "watermarking," employs the technique of actuators injecting private excitation into the system which will reveal malicious tampering with signals. We show how such an active defense can be used to secure networked systems of sensors and actuators.

Systems and Control,Dynamical Systems

Pedro Hespanhol,Matthew Porter,Ram Vasudevan,Anil Aswani

DOI: https://doi.org/10.48550/arXiv.1709.08617

2017-09-26

Abstract:Watermarking can detect sensor attacks in control systems by injecting a private signal into the control, whereby attacks are identified by checking the statistics of the sensor measurements and private signal. However, past approaches assume full state measurements or a centralized controller, which is not found in networked LTI systems with subcontrollers. Since generally the entire system is neither controllable nor observable by a single subcontroller, communication of sensor measurements is required to ensure closed-loop stability. The possibility of attacking the communication channel has not been explicitly considered by previous watermarking schemes, and requires a new design. In this paper, we derive a statistical watermarking test that can detect both sensor and communication attacks. A unique (compared to the non-networked case) aspect of the implementing this test is the state-feedback controller must be designed so that the closed-loop system is controllable by each sub-controller, and we provide two approaches to design such a controller using Heymann's lemma and a multi-input generalization of Heymann's lemma. The usefulness of our approach is demonstrated with a simulation of detecting attacks in a platoon of autonomous vehicles. Our test allows each vehicle to independently detect attacks on both the communication channel between vehicles and on the sensor measurements.

Optimization and Control,Systems and Control

Hanxiao Liu,Yilin Mo,Jiaqi Yan,Lihua Xie,Karl H. Johansson

DOI: https://doi.org/10.1109/cdc.2018.8619632

IF: 6.549

2020-01-01

IEEE Transactions on Automatic Control

Abstract:This article considers the problem of designing physical watermark signals in order to optimally detect possible replay attack in a linear time-invariant system, under the assumption that the system parameters are unknown and need to be identified online. We first provide a replay attack model, where an adversary replays the previous sensor data in order to fool the system. A physical watermarking scheme, which leverages a random input as a watermark to detect the replay attack, is then introduced. The optimal watermark signal design problem is cast as an optimization problem, which aims to achieve the optimal trade-off between control performance and intrusion detection. An online watermarking design and system identification algorithm is provided to deal with systems with unknown parameters. We prove that the proposed algorithm converges to the optimal one and characterize the almost sure convergence rate. An industrial process example is provided to illustrate the effectiveness of the proposed strategy.

Chongrong Fang,Yifei Qi,Peng Cheng,Wei Xing Zheng

DOI: https://doi.org/10.1016/j.automatica.2019.108698

IF: 6.4

2019-01-01

Automatica

Abstract:We consider periodic watermarking scheduling for detecting discontinuous replay attacks in Cyber–Physical Systems (CPSs). The existing methods of imposing continuous watermarks on the nominal control inputs may result in the waste of control cost when system detectors are not sensitive to the added watermarks, since the attacker may be absent for a considerably long time. For example, in the famous Stuxnet event, the attacker only launches the attack for a short period each month in order to avoid being detected. In this paper, we firstly formulate a one-time attack duration model for such discontinuous replay attacks. Then, by exploiting the attack model, we propose a periodic watermarking strategy which aims to reduce the control cost. Furthermore, we obtain an optimal periodic watermarking strategy for the approximate detection performance. Extensive simulations over a quadruple water tank system are provided to demonstrate the effectiveness of the proposed strategy.

Xudong Zhao,Wei Xing,Junfeng Zhang,Xinyu Wang,Guangdeng Zong,Ning Zhao

DOI: https://doi.org/10.1109/ticps.2024.3510654

2024-01-01

Abstract:Cyber-physical systems (CPSs) are of great importance in various applications and have garnered significant attention. Ensuring their security is a crucial concern, while this paper focuses on the security of CPSs against replay attacks during the transmission of sensor measurements over a wireless network. It is widely recognized that incorporating physical watermark signals is an effective approach to mitigate replay attacks. However, traditional physical watermarks are time-based and result in a notable degradation in the performance of Linear Quadratic Gaussian systems. With this in mind, a novel event-based physical watermarking technique is devised to address the performance degradation and detect replay attacks. The approach involves a deterministic physical watermark schedule that utilizes the innovation sequence to determine whether to incorporate physical watermarks or not. We provide evidence that the probability of successfully embedding physical watermarks increases when the system is targeted by malicious attacks. Additionally, we demonstrate that the deterministic event-based watermarking approach is more effective than the traditional time-based watermarking method. Finally, simulation examples are included to validate and illustrate the theoretical results.

Pedro Hespanhol,Matthew Porter,Ram Vasudevan,Anil Aswani

DOI: https://doi.org/10.48550/arXiv.1703.07760

2017-09-26

Abstract:Detecting attacks in control systems is an important aspect of designing secure and resilient control systems. Recently, a dynamic watermarking approach was proposed for detecting malicious sensor attacks for SISO LTI systems with partial state observations and MIMO LTI systems with a full rank input matrix and full state observations; however, these previous approaches cannot be applied to general LTI systems that are MIMO and have partial state observations. This paper designs a dynamic watermarking approach for detecting malicious sensor attacks for general LTI systems, and we provide a new set of asymptotic and statistical tests. We prove these tests can detect attacks that follow a specified attack model (more general than replay attacks), and we also show that these tests simplify to existing tests when the system is SISO or has full rank input matrix and full state observations. The benefit of our approach is demonstrated with a simulation analysis of detecting sensor attacks in autonomous vehicles. Our approach can distinguish between sensor attacks and wind disturbance (through an internal model principle framework), whereas improperly designed tests cannot distinguish between sensor attacks and wind disturbance.

Optimization and Control,Systems and Control

Hengye Zhu,Mengxiang Liu,Chongrong Fang,Ruilong Deng,Peng Cheng

DOI: https://doi.org/10.1109/tifs.2023.3269919

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The watermarking method, which adds unique watermarks to data, has been widely used for integrity attack detection in industrial control systems (ICSs). Existing literature generally designs watermarking mechanisms without considering the existence of noises, which cannot be trivially applied to realistic ICS scenarios in the presence of strong noise interference. On one hand, the low-intensity watermarking will be ineffective under the strong noise environment; while on the other hand, the oversized watermarking can possibly degrade the control performance or even destabilize the system. Therefore, the intensity of watermarks plays a fundamental role in balancing the tradeoff between detection effectiveness and control performance, which, to the best of our knowledge, has never been thoroughly analyzed yet. To this end, in this paper, we for the first time propose an optimal watermarking design method for ICSs considering the detection-performance tradeoff. To begin with, we shift the watermark container from data points to segments and update the detection metrics to reduce the noise impact. Then, we formulate an optimization problem to determine the strength of watermarks to balance the detection-performance tradeoff. Meanwhile, the detection effectiveness and control performance metrics are analytically modeled and theoretically analyzed considering the discrepancy between added watermarks and noises, signal quality, detection latency, as well as estimation of detection metrics. Finally, extensive numerical simulations and systematical experiments based on a practical Ethanol Distillation ICS are conducted to validate the theoretical analysis and demonstrate the outperformance of our proposed watermarking method in comparison with related works.

Somayeh Salimi,Subhrakanti Dey,Anders Ahlen

DOI: https://doi.org/10.48550/arXiv.1803.00170

2018-03-01

Abstract:In this paper, we investigate the role of a physical watermarking signal in quickest detection of a deception attack in a scalar linear control system where the sensor measurements can be replaced by an arbitrary stationary signal generated by an attacker. By adding a random watermarking signal to the control action, the controller designs a sequential test based on a Cumulative Sum (CUSUM) method that accumulates the log-likelihood ratio of the joint distribution of the residue and the watermarking signal (under attack) and the joint distribution of the innovations and the watermarking signal under no attack. As the average detection delay in such tests is asymptotically (as the false alarm rate goes to zero) upper bounded by a quantity inversely proportional to the Kullback-Leibler divergence(KLD) measure between the two joint distributions mentioned above, we analyze the effect of the watermarking signal variance on the above KLD. We also analyze the increase in the LQG control cost due to the watermarking signal, and show that there is a tradeoff between quick detection of attacks and the penalty in the control cost. It is shown that by considering a sequential detection test based on the joint distributions of residue/innovations and the watermarking signal, as opposed to the distributions of the residue/innovations only, we can achieve a higher KLD, thus resulting in a reduced average detection delay. Numerical results are provided to support our claims.

Optimization and Control,Systems and Control

Lei Ma,Zhong Chu,Chunyu Yang,Guoqing Wang,Wei Dai

DOI: https://doi.org/10.1109/tifs.2023.3251857

IF: 7.231

2023-03-11

IEEE Transactions on Information Forensics and Security

Abstract:The subject of attack detection for industrial cyber-physical systems (IPCSs) is covered in this paper, which addresses threats from transient covert attacks (TCAs), also referred to as the second version of replay attacks with a specific frequency and short duration. A comprehensive model of the TCAs is built using the active instant and period of the attacks, as well as the dynamics of a virtual system to replicate IPCS function and produce attack signals. Though watermarking-based detection algorithms have been shown to be effective in detecting TCAs, the induced system performance loss is too significant, and as such, our primary goal is to minimize system performance degradation while maintaining the detection rate. Because the active periods of TCAs are substantially shorter than their sleep ones, or even because they are practically always silent, it makes sense that reducing superfluous watermarking will facilitate system performance. So, using an "event-triggered" strategy, a unique recursive watermarking-based detection algorithm is proposed. Here, the trigger modes of watermarking are divided into three types: forced, high probability, and low probability. The design principles are proven via algorithms and criteria, and a theoretical analysis of the detection rate and the system performance loss is also supplied. The advantages of the suggested algorithms are finally demonstrated by numerical simulations of a quadruple-water-tank system and experiments with a permanent magnet synchronous motor on the dSpace platform.

computer science, theory & methods,engineering, electrical & electronic

Christoforos Somarakis,Raman Goyal,Erfaun Noorani,Shantanu Rane

2024-04-01

Abstract:A state-feedback watermarking signal design for the detection of replay attacks in linear systems is proposed. The control input is augmented with a random time-delayed term of the system state estimate, in order to secure the system against attacks of replay type. We outline the basic analysis of the closed-loop response of the state-feedback watermarking in a LQG controlled system. Our theoretical results are applied on a temperature process control example. While the proposed secure control scheme requires very involved analysis, it, nevertheless, holds promise of being superior to conventional, feed-forward, watermarking schemes, in both its ability to detect attacks as well as the secured system performance.

Systems and Control,Cryptography and Security

Zhe-Ming Lu,Xin-Wu Liao

2006-01-01

Abstract:In this paper, we present two attacking methods aiming at two robust water- marking schemes respectively. It is shown that these two robust watermarking schemes have some security problems and are vulnerable to the counterfeiting attack. Specifi- cally, given a watermarked image, one can make a statistical analysis on it to estimate the key parameters used for watermark insertion and forge the corresponding watermark into another image without knowing the secret key and even without explicitly knowing the watermark. In the simulation experiment, we successfully implement the attacks on these two robust watermarking schemes and demonstrate the effectiveness of the proposed counterfeiting attacking schemes.

Jiacheng Tang,Jiguo Song,Abhishek Gupta

DOI: https://doi.org/10.48550/arXiv.2111.04952

2021-11-09

Abstract:Dynamic watermarking, as an active intrusion detection technique, can potentially detect replay attacks, spoofing attacks, and deception attacks in the feedback channel for control systems. In this paper, we develop a novel dynamic watermarking algorithm for finite-state finite-action Markov decision processes and present upper bounds on the mean time between false alarms, and the mean delay between the time an attack occurs and when it is detected. We further compute the sensitivity of the performance of the control system as a function of the watermark. We demonstrate the effectiveness of the proposed dynamic watermarking algorithm by detecting a spoofing attack in a sensor network system.

Systems and Control

Hao Liu,Yuzhe Li,Qing-Long Han,Tarek Rassi,Tarek Ra

DOI: https://doi.org/10.1109/tac.2022.3184396

IF: 6.549

2022-01-01

IEEE Transactions on Automatic Control

Abstract:In this article, a novel proactive attack defense strategy is proposed to deal with the secure remote estimation issue in cyber-physical systems with unknown-but-bounded noises in the presence of man-in-the-middle attacks. It is assumed that the residue calculated by the smart sensor is sent to the remote estimator and the abnormal intrusion detector via a wireless network, and the watermark is assumed to belong to a zonotope. In order to guarantee the detection rate, the data processes and the watermark are time-varying and secret to an adversary. Moreover, the effect on system performance caused by the watermark can be removed when the system is attack free. Furthermore, four different attack scenarios are discussed to analyze the detection ability of the proposed defense approach, and the designed strategy can be applied to detect replay attacks. Finally, an unmanned aircraft system subject to malicious attacks is leveraged to illustrate the effectiveness of the proposed proactive defense strategy.

automation & control systems,engineering, electrical & electronic

Yilin Mo,Rohan Chabukswar,Bruno Sinopoli

DOI: https://doi.org/10.3182/20110828-6-it-1002.03712

IF: 4.8

2013-01-01

IEEE Transactions on Control Systems Technology

Abstract:Ensuring security of systems based on supervisory control and data acquisition is a major challenge. The goal of this paper is to develop the model-based techniques capable of detecting integrity attacks on the sensors of a control system. In this paper, the effect of integrity attacks on the control systems is analyzed and countermeasures capable of exposing such attacks are proposed. The main contributions of this paper, beyond the novelty of the problem formulation, lies in enumerating the conditions of the feasibility of the replay attack, and suggesting countermeasures that optimize the probability of detection by conceding control performance. The methodologies are shown and the theoretical results are validated using several sets of simulations.

Tao Chen,Lei Wang,Xiaoqiang Ren,Zhitao Liu,Hongye Su

DOI: https://doi.org/10.1109/cdc49753.2023.10383555

2023-01-01

Abstract:In cyber-physical systems, replay attacks are a type of deception attacks that involve replaying previously recorded sensor data while injecting attack signals into the physical plant. The replay attacks are difficult to detect because the data being replayed is normal. To detect replay attacks, authentication signals are commonly used. However, injecting authentication signals may affect the performance of system states that are sensitive to noise or disturbance. To address this issue, the effect of authentication signals on sensitive states is measured in the sense of mean square error, and conditions that the authentication signal has a limited effect or even no effect on sensitive states are presented. Combining these conditions, optimization problems are constructed to design the authentication signal. Finally, the proposed method is validated through simulation results.

Siddhartha Deb Roy,Ankush Sharma,Saikat Chakrabarti,Sanjoy Debbarma

DOI: https://doi.org/10.1109/tsg.2024.3370892

IF: 10.275

2024-01-01

IEEE Transactions on Smart Grid

Abstract:Modern power systems rely on Wide Area Network (WAN) for real-time data transmission and control. However, integrating WAN introduces vulnerabilities that adversaries can exploit, leading to inaccurate information, compromised decisions, and potential grid instability. The Automatic Generation Control (AGC) system, responsible for maintaining power balance, is an attractive target for attackers due to its reliance on WANs for critical signal transmission. Traditional security mechanisms like encryption, multi-factor authentication, antivirus, etc., may not be suitable for power systems due to system priorities, processing limitations, and compatibility issues. To address this, we propose a novel digital text watermarking-based approach that ensures data integrity and detects replay attacks. The watermarking technique dynamically embeds a unique timestamped watermark into sensor data, enabling detection of unauthorised modifications. The algorithm confirms data integrity by comparing the extracted and expected watermark utilizing Damerau-Levenshtein index. Timestamp analysis is employed to assist in identifying replay attacks. Notably, our technique is independent of system scale, making it practical for real-world implementation. Furthermore, the framework can be extended to secure other power system applications, enhancing overall cyber resilience. Experimental results demonstrate the efficacy of our algorithm in AGC systems while ensuring almost zero performance loss to system operations.

engineering, electrical & electronic

Mengxiang Liu,Xin Zhang,Hengye Zhu,Zhenyong Zhang,Ruilong Deng

DOI: https://doi.org/10.1109/tifs.2024.3447235

IF: 7.231

2024-09-04

IEEE Transactions on Information Forensics and Security

Abstract:The physics-aware watermarking-based detection method has shown great potential in detecting stealthy False Data Injection Attacks (FDIAs) by adding appropriate watermarks to control commands or sensor measurements, especially in industrial control systems and grid-tied Distributed Energy Resources (DERs). However, existing watermarking-based detection methods have limitations in either handling the intricate physical couplings among DERs or characterising the fast changing power electronics dynamics, and thus cannot be directly applied to microgrids. Inspired by the methodology of Unknown Input Observer (UIO), which can be employed for the distributed anomaly monitoring in cyber-physical microgrids but would be easily bypassed once the adversary has the knowledge of certain electrical parameters, this paper makes the first attempt to investigate the physics-aware watermarking embedded in UIOs such that the stealthy FDIAs would be intentionally disrupted by the watermarking scheme. Based on the theoretical analysis of the detection enhancement and performance degradation under watermarking-enhanced UIOs, the watermark strengths, UIO parameters, and control gains are optimally co-designed to significantly enhance the detection effectiveness while not degrading the control performance. The robustness of the watermarking-enhanced UIO to Time Synchronisation Errors (TSEs) is improved by employing a sliding time window with appropriate length. The performance of the proposed method is validated through Matlab/Simulink studies and cyber-physical co-simulation experiments, and the sensitivities of the detection latency and TSE robustness to watermark strength and detection window's length are comprehensively studied.

computer science, theory & methods,engineering, electrical & electronic

Jiayu Zhou,Wen Yang,Wenjie Ding,Wei Xing Zheng,Yong Xu

DOI: https://doi.org/10.1109/tac.2022.3171422

IF: 6.549

2022-01-01

IEEE Transactions on Automatic Control

Abstract:This article studies the security of distributed state estimation under data integrity attacks. Each sensor is equipped with a KullbackLeibler (KL) divergence detector to diagnose the authenticity of the received data. A necessary and sufficient condition for the insecurity of the distributed estimator is derived, in which the stealthy attack can evade the detector and degrade the estimation performance. Furthermore, an algorithm is proposed to generate stealthy attack sequences. To overcome the vulnerability, a data transmission strategy based on watermarking is proposed. The effect of the watermarking parameters on the attack in different scenarios is subsequently analyzed. It is proved that the KL divergence detector can effectively distinguish the stealthy attack with the help of the proposed strategy, thereby ensuring the security of the distributed state estimator. Compared with traditional encryption mechanisms, the proposed strategy neither increases the computational complexity nor sacrifices the estimation performance in the absence of attacks. A simulation example is presented to demonstrate the effectiveness of the developed approach.

automation & control systems,engineering, electrical & electronic