151

Autonomous Cyber Defense for Resilient Cyber-Physical Systems

Zhang, Qisheng 09 January 2024 (has links)
In this dissertation research, we design and analyze resilient cyber-physical systems (CPSs) under high network dynamics, adversarial attacks, and various uncertainties. We focus on three key system attributes to build resilient CPSs by developing a suite of autonomous cyber defense mechanisms. First, we consider network adaptability to achieve the resilience of a CPS. Network adaptability represents the network's ability to maintain its security and connectivity level when faced with incoming attacks. We address this by network topology adaptation. Network topology adaptation can contribute to quickly identifying and updating the network topology to confuse attacks by changing attack paths. We leverage deep reinforcement learning (DRL) to develop CPSs using network topology adaptation. Second, we consider the fault-tolerance of a CPS as another attribute to ensure system resilience. We aim to build a resilient CPS under severe resource constraints, adversarial attacks, and various uncertainties. We choose a solar sensor-based smart farm as one example of the CPS applications and develop a resource-aware monitoring system for the smart farms. We leverage DRL and uncertainty quantification using a belief theory, called Subjective Logic, to optimize critical tradeoffs between system performance and security under the contested CPS environments. Lastly, we study system resilience in terms of system recoverability. The system recoverability refers to the system's ability to recover from performance degradation or failure. In this task, we mainly focus on developing an automated intrusion response system (IRS) for CPSs. We aim to design the IRS with effective and efficient responses by reducing a false alarm rate and defense cost, respectively. Specifically, we build a lightweight IRS for an in-vehicle controller area network (CAN) bus system operating with DRL-based autonomous driving.
/ Doctor of Philosophy /
152

INTERNET CONGESTION CONTROL: COMPLETE STABILITY REGION FOR PI AQM AND BANDWIDTH ALLOCATION IN NETWORKED CONTROL

Al-Hammouri, Ahmad Tawfiq January 2008 (has links)
No description available.
153

TOWARDS SECURE AND RELIABLE ROBOTIC VEHICLES WITH HOLISTIC MODELING AND PROGRAM ANALYSIS

Hong Jun Choi (13045434) 08 August 2022 (has links)
Cyber-Physical Systems (CPS) are integrated systems that consist of computational and physical components with network communication to support operation in the physical world. My PhD dissertation focuses on the security and reliability of autonomous cyber-physical systems, such as self-driving cars, drones, and underwater robots, that are safety-critical systems based on the seamless integration of cyber and physical components. Autonomous CPS are becoming an integral part of our life. The market for autonomous driving systems is expected to be more than $65 billion by 2026. The security of such CPS is hence critical. Beyond traditional cyber-only computing systems, these complex and integrated CPS have unique characteristics. From the security perspective, they open unique research opportunities since they introduce additional attack vectors and pose new challenges that existing cyber-oriented approaches cannot address well. The goal of my research is to build secure and reliable autonomous CPS by bridging the gap between the cyber and physical domains. To this end, my work focuses on fundamental research questions associated with cyber-physical attack and defense, vulnerability discovery and elimination, and post-attack investigation. My approach to solving the problems involves various techniques and interdisciplinary knowledge, including program analysis, search-based software engineering, control theory, robotics, and AI/machine learning.
154

Covert Cognizance: Embedded Intelligence for Industrial Systems

Arvind Sundaram (13883201) 07 October 2022 (has links)
Can a critical industrial system, such as a nuclear reactor, be made self-aware and cognizant of its operational history? Can it alert authorities covertly to malicious intrusion without exposing its defense mechanisms? What if the intruders are highly knowledgeable adversaries, or even insiders that may have designed the system? This thesis addresses these research questions through a novel physical process defense called Covert Cognizance (C2).

C2 serves as a last line of defense to industrial systems when existing information and operational technology defenses have been breached by advanced persistent threat (APT) actors or insiders. It is an active form of defense that may be embedded in an existing system to induce intelligence, i.e., self-awareness, and make various subsystems aware of each other. It interacts with the system at the process level and provides an additional layer of security to the process data therein without the need of a human in the loop.

The C2 paradigm is founded on two core requirements: zero-impact and zero-observability. Departing from contemporary active defenses, zero-impact requires a successful implementation to leave no footprint on the system, ensuring identical operation, while zero-observability requires that the embedding is immune to pattern-discovery algorithms. In other words, a third party such as a malicious intruder must be unable to detect the presence of the C2 defense based on observation of the process data, even when augmented by machine learning tools that are adept at pattern discovery.

In the present work, nuclear reactor simulations are embedded with the C2 defense to induce awareness across subsystems and defend them against highly knowledgeable adversaries that have bypassed existing safeguards such as model-based defenses. Specifically, the subsystems are made aware of each other by embedding critical information from the process variables of one sub-module along the noise of the process variables of another, thus rendering the implementation covert and immune to pattern discovery. The implementation is validated using generative adversarial nets, representing a state-of-the-art machine learning tool, and statistical analysis of the reactor states, control inputs, outputs etc. The work is also extended to data masking applications via the deceptive infusion of data (DIOD) paradigm. Future work focuses on the development of automated C2 modules for "plug 'n' play" deployment onto critical infrastructure and/or their digital twins.
155

Autonomous Control in Advanced Life Support Systems : Air Revitalisation within the Micro-Ecological Life Support System Alternative / Autonomous control in advanced life support systems : Air revitalisation within the Micro-Ecological Life Support System Alternative

Demey, Lukas January 2023 (has links)
In recent years international space agencies have become more and more explicit about long-term lunar and Martian space missions. With the space programme Terrae Novae, the European Space Agency puts forward a focus on the development of Human & Robotic Exploration technologies essential in enabling such long-term missions. An integral component of this programme is the focus on Advanced Life Support Systems. Life support systems are operated to provide astronauts with life necessities like oxygen, water and food. Currently, conventional Life Support Systems often have a linear supply design, relying on resources shipped from Earth, with limited onboard re-usage. However, for extended space missions, this linear supply model becomes impractical due to the constraints of dry mass during space travel. Given this need, the European Space Agency initiated the MELiSSA (Micro-Ecological Life Support System Alternative) project aimed at the development of a bioregenerative life support system. In previous works, the MELiSSA Loop has been proposed: a system design inspired by terrestrial ecosystems, that consists of multiple compartments that perform specific biological functions like nitrification and biosynthesis. Due to the complex interdependence of the individual compartments and general space system requirements, the control of such a cyber-physical system forms a significant challenge. This thesis proposes a previously undescribed architecture for the MELiSSA Loop controller design that coordinates the resource distribution between the compartments and establishes atmosphere revitalisation. The architecture meets control objectives specified at high level, and at the same time satisfies the physical and operational constraints. / In recent years, international space agencies have become more and more explicit about long-term lunar and Martian space missions. With the Terrae Novae space programme, the European Space Agency puts forward a focus on the development of Human & Robotic Exploration technology that is necessary to enable such long-term missions. An integral part of this programme is the focus on Advanced Life Support Systems. Life support systems are used to provide astronauts with necessities of life such as oxygen, water and food. Currently, conventional life support systems often have a linear supply design that relies on resources sent from Earth, with limited reuse on board. However, for extended space missions this linear supply model becomes impractical because of dry-mass constraints during space travel. In view of this need, the European Space Agency initiated the MELiSSA project (Micro-Ecological Life Support System Alternative), which aimed to develop a bioregenerative life support system. In earlier work, the MELiSSA Loop has been proposed: a system design inspired by terrestrial ecosystems, consisting of several compartments that perform specific biological functions such as nitrification and biosynthesis. Because of the complex interdependence between the individual compartments and the general requirements on space systems, the control of such a cyber-physical system constitutes a significant challenge. This thesis proposes a previously undescribed architecture for the MELiSSA Loop controller design that coordinates the distribution of resources between the compartments and establishes atmosphere revitalisation. The architecture meets control objectives specified at a high level, and at the same time satisfies the physical and operational constraints.
156

AI-based Detection Against Cyberattacks in Cyber-Physical Distribution Systems

Sahani, Nitasha 05 June 2024 (has links)
Integration of a cyber system and communication systems with the traditional power grid has enabled better monitoring and control of the smart grid making it more reliable and resilient. This empowers the system operators to make informed decisions as a result of better system visibility. The grid has moved from a completely air-gapped structure to a well-connected network. However, this remote-control capability to control distributed physical components in a distribution system can be exploited by adversaries with malicious intent to disrupt the power supply to the customers. Therefore, while taking advantage of the cyber-physical posture in the smart grid for improved controllability, there is a critical need for cybersecurity research to protect the critical power infrastructure from cyberattacks. While the literature regarding cybersecurity in distribution systems has focused on detecting and mitigating the cyberattack impact on the physical system, there has been limited effort towards a preventive approach for detecting cyberattacks. With this in mind, this dissertation focuses on developing intelligent solutions to detect cyberattacks in the cyber layer of the distribution grid and prevent the attack from impacting the physical grid. There has been a particular emphasis on the impact of coordinated attacks and the design of proactive defense to detect the attacker's intent to predict the attack trajectory. The vulnerability assessment of the cyber-physical system in this work identifies the key areas in the system that are prone to cyberattacks and failure to detect attacks timely can lead to cascading outages. A comprehensive cyber-physical system is developed to deploy different intrusion detection solutions and quantify the effect of proactive detection in the cyber layer. 
The attack detection approach is driven by artificial intelligence to learn attack patterns for effective attack path prediction in both a fully observable and a partially observable distribution system. The role of effective communication technology in attack detection is also realized through detailed modeling of 5G, and latency requirements are validated. / Doctor of Philosophy / The traditional power grid was designed to supply electricity from the utility side to the customers. This grid model has shifted from a one-directional supply of power to a bi-directional one where customers with generation capacity can provide power to the grid. This is possible through bi-directional data flow which ensures complete power system observability and allows the utility to monitor and control distributed power components remotely. This connectivity depends on the cyber system and efficient communication for ensuring stable and reliable system operations. However, this also makes the grid vulnerable to cyberattacks as the traditional air-gapped grid has evolved into a highly connected network, thus increasing the attack surface for attackers. They might possess the capability to intrude on the network by exploiting network vulnerability, move laterally through different aspects of the network, and cause operational disruption. The type of disruption can be minor voltage fluctuations or even widespread power outages depending on the ultimate malicious attack goal of such adversaries. Therefore, cybersecurity measures for protecting critical power infrastructure are extremely important to ensure smooth system operations. There has been recent research effort for detecting such attacks, isolating the attacked parts in the grid, and mitigating the impact of the attack; however, instead of a passive response there is a need for a preventive or proactive detection mechanism. This can ensure capturing the attack at the cyber layer before intruders can impact the physical grid.
This is the primary motivation to design an intrusion detection system that can detect different coordinated attacks (where different attacks are related and directed towards a specific goal) and can predict the attack path. This dissertation focuses on first identifying the vulnerabilities in the distribution system and a comprehensive cyber-physical system is developed. Different detection algorithms are developed to detect cyberattacks in the distribution grid and have the intelligence to learn the attack patterns to successfully predict the attack path. Additionally, the effectiveness of advanced communication such as 5G is also tested for different system operations in the distribution system.
157

A Risk Based Approach to Intelligent Transportation Systems Security

Bakhsh Kelarestaghi, Kaveh 11 July 2019 (has links)
Security threats to cyber-physical systems are targeting institutions and infrastructure around the world, and the frequency and severity of attacks are on the rise. Healthcare manufacturing, financial services, education, government, and transportation are among the industries that are the most lucrative targets for adversaries. Hacking is not just about companies, organizations, or banks; it also includes critical infrastructure. Wireless Sensor Networks, Vehicle-to-everything communication (V2X), Dynamic Message Signs (DMS), and Traffic Signal Controllers are among the major Intelligent Transportation Systems (ITS) infrastructure that has already been attacked or remains vulnerable to hacking. ITS has been deployed with a focus on increasing efficiency and safety in the face of dramatic increases in travel demand. Although many studies have been performed and many security primitives have been proposed, there are significant concerns about flawless performance in a dynamic environment. A holistic security approach, in which all infrastructure performs within a satisfactory level of security, remains undiscovered. Previously, hacking of road infrastructure was a rare event; however, in recent years, field devices such as DMS are hacked with higher frequency. The primary reason that transportation assets are vulnerable to cyber-attacks is their location. A more dramatic scenario occurs when hackers attempt to convey tampered instructions to the public. Analyzing traveler behavior in response to a hacked message sign on the basis of empirical data is a vital step toward operating a secure and reliable transportation system. There may be room for improvement by policymakers and program managers when considering critical infrastructure vulnerabilities. With cybersecurity issues escalating every day, road users' safety has been neglected.

This dissertation overcomes these challenges and contributes to the nascent but growing literature of Intelligent Transportation System (ITS) security impact-oriented risk assessment in three ways.

• First, I employ a risk-based approach to conduct a threat assessment. This threat assessment performs a qualitative vulnerability-oriented threat analysis. The objective is to scrutinize safety, security, reliability, and operation issues that are prompted by a compromised Dynamic Message Sign (DMS).
• Second, I examine the impact of drivers' attitudes and behaviors on compliance, route diversion behavior, and speed change behavior under a compromised DMS. We aim to assess the determinants that are likely to contribute to drivers' compliance with forged information. To this extent, this dissertation evaluates drivers' behavior under different unauthentic messages to assess in depth the impact of an adversarial attack on the transportation network.
• Third, I evaluate distracted driving under different scenarios to assess in depth the impact of an adversarial attack on the transportation network. To this extent, this dissertation examines factors that contribute to manual, visual, and cognitive distractions when drivers encounter fabricated advisory information at a compromised DMS.

The results of this dissertation support the original hypothesis and indicate that, with respect to the forged information, drivers tend to (1) change their planned route, (2) become involved in distracting activities, and (3) change their speed choice in the presence of a compromised DMS. The main findings of this dissertation are outlined below:

1. The DMS security vulnerabilities and predisposing conditions allow adversaries to compromise ITS functionality. The risk-based approach of this study delivers the impact-likelihood matrix, which maps the adverse impacts of the threat events onto a meaningful, visual matrix. DMS hacking adverse impacts can be categorized mainly into high-risk and medium-risk clusters. The safety, operational (i.e., monetary losses) and behavioral impacts are associated with the high-risk cluster, while the security, reliability, efficiency, and operational (i.e., congestion) impacts are associated with the medium-risk cluster.
2. Tech-friendly drivers are more likely to change their route under a compromised DMS. At the same time, while they are acquiring new information, they need to lower their speed to respond to the higher information load. Under realistic fabricated information, about 65% of the subjects would depart from their current route. The results indicate that females and subjects with higher driving experience are more likely to change their route. In addition, those subjects who are more sensitive to the DMS's traffic-related messages and those who use DMS under congested traffic conditions are more likely to divert. Interestingly, individuals with a lower education level, Asians, those who live in urban areas, and those with trouble finding their direction on new routes are less likely to pick another route rather than the one they planned for.
3. Regardless of the DMS hacking scenarios, drivers would engage in at least one of the distractive activities. Among the distractive activities, cognitive distraction has the highest impact on the distracted driving likelihood. Meaning, there is a high chance that drivers think of something other than driving, look at surrounding traffic and scenery, or talk to other passengers regarding the forged information they saw on the DMS. Drivers who rely on and trust in technology, and those who check traffic conditions before starting their trips, tend to become distracted. In addition, the results identified that in the presence of bogus information, drivers tend to slow down or stop in order to react to the DMS. That is, they would either (1) become involved in activities through the means of their phone, (2) mind wander, look around, and talk to a passenger about the sign, or (3) search for extra information by means of their vehicle's radio or internet.
4. Females, black individuals, subjects with a disability, older subjects, and those with high trust in DMS are less likely to ignore the fabricated messages. On the contrary, whites, those who drive long hours, and those who see driving as a tedious task are more likely to ignore the bogus messages. Drivers who comply with traffic regulations and have a good driving record are likely to slow down under the tampered messages. Furthermore, female drivers and those who live in rural areas are more likely to slow down under fabricated advisory information.

Furthermore, this dissertation identifies that planning for an alternative route and involvement in distractive activities cause speed variation behaviors under the compromised DMS. This dissertation is the first to investigate the adverse impact of a compromised DMS on road users and operators. I attempt to address the current gap in the literature by assessing and evaluating the impact of ITS security vulnerabilities. Broader impacts of this study include (1) systematically raising awareness among policy-makers and engineers, (2) motivating further simulations and real-world experiments to investigate this matter further, (3) systematically assessing the adverse impact of a security breach on transportation reliability and safety, and drivers' behavior, and (4) providing insights for system operators and decision-makers to prioritize the risk of a compromised DMS. Additionally, the outcome can be integrated with the nationwide connected vehicle and V2X implementations and security design. / Doctor of Philosophy / Security threats are targeting institutions and infrastructure around the world, and the frequency and severity of security attacks are on the rise. Healthcare manufacturing, financial services, education, government, and transportation are among the industries that are the most lucrative targets for adversaries. Hacking is not just about companies, organizations, or banks; it also includes critical infrastructure. Intelligent Transportation Systems have been deployed with a focus on increasing efficiency and safety in the face of dramatic increases in traffic volume. Although many studies have been performed and many security primitives have been proposed, there are significant concerns about flawless performance in a dynamic environment. A holistic security approach, in which all infrastructure performs within a satisfactory level of security, remains undiscovered. Previously, hacking of road infrastructure was a rare event; however, in recent years, field devices, such as dynamic message signs, are hacked with higher frequency. The primary reason that transportation assets are vulnerable to cyber-attacks is their location in public. A more dramatic scenario occurs when hackers attempt to convey tampered instructions to the public. Analyzing traveler behavior in response to a hacked message sign on the basis of empirical data is a vital step toward operating a secure and reliable transportation system. This study is the first to investigate the adversarial impact of a compromised message sign on road users and operators. I attempt to address the current gap in the literature by assessing and evaluating the impact of ITS security vulnerabilities.
158

Systems Health Management for Resilient Extraterrestrial Habitation

Murali Krishnan Rajasekharan Pillai (18390546) 17 April 2024 (has links)
Deep-space extraterrestrial missions require operating, supporting, and maintaining complex habitat systems at light minutes from Earth. These habitation systems operate in harsh, unforgiving environments, will be sparsely crewed, and must be more autonomous than current space habitats, as communication delays will severely constrain Earth-based support. Long-duration missions, limited knowledge of the extraterrestrial environment, and the need for self-sufficiency make these habitats vulnerable to a wide range of risks and failures, many of which are impossible to premeditate. Therefore, it is necessary to design these systems to be resilient to faults and failures, thoughtfully designed to be situationally aware of their operational state and engage control mechanisms that maintain safe operations when migrating towards unsafe regions of operation. Resilience-oriented design of such systems requires a holistic systems approach that represents the system's dynamic behavior, its control-oriented behaviors, and the interactions between them as it navigates through regions of safe and unsafe operations. Only through this integrated approach can we fully understand how the system will behave under various conditions and design controls to prevent performance loss and ensure resilient operations.

Systems health management (SHM) is a key component for the resilience-oriented design of extraterrestrial habitats. SHM capabilities enable intelligent autonomous control capabilities that can:
a) sense, diagnose, and isolate the root causes of anomalies,
b) predict how the system's behavior may evolve, and
c) select and execute recovery actions to restore system performance when appropriate.

Modern SHM technologies increasingly rely on intelligent autonomous control capabilities to manage system health and adapt behavior to maintain system performance. This is achieved through complex nonlinear informational dependencies and control feedback loops that are difficult to design and verify using traditional risk assessment and resilience engineering methods. This research contributes to enhancing the conceptual and preliminary design phases for developing resilient complex systems with embedded intelligent control-oriented behaviors. It presents the required systems engineering tools and frameworks, enabling us to study the dynamic behavior of systems as they approach and recover from unsafe operations. Further, it demonstrates how these tools and frameworks can quantify and gain insights into system resilience and support engineering decisions. The work is contextualized within the broader systems engineering approach for designing complex, resilient extraterrestrial habitation systems.
159

Design, Implementation and Validation of Resource-Aware and Resilient Wireless Networked Control Systems

Araújo, José January 2014 (has links)
Networked control over wireless networks is of growing importance in many application domains such as industrial control, building automation and transportation systems. Wide deployment, however, requires systematic design tools to enable efficient resource usage while guaranteeing closed-loop control performance. The control system may be greatly affected by the inherent imperfections and limitations of the wireless medium and malfunction of system components. In this thesis, we make five important contributions that address these issues. In the first contribution, we consider event- and self-triggered control and investigate how to efficiently tune and execute these paradigms for appropriate control performance. Communication strategies for aperiodic control are devised, where we jointly address the selection of medium-access control and scheduling policies. Experimental results show that the best trade-off is obtained by a hybrid scheme, combining event- and self-triggered control together with contention-based and contention-free medium access control. The second contribution proposes an event-based method to select between fast and slow periodic sampling rates. The approach is based on linear quadratic control and the event condition is a quadratic function of the system state. Numerical and experimental results show that this hybrid controller is able to reduce the average sampling rate in comparison to a traditional periodic controller, while achieving the same closed-loop control performance. In the third contribution, we develop compensation methods for out-of-order communications and time-varying delays using a game-theoretic minimax control framework. We devise a linear temporal coding strategy where the sensor combines the current and previous measurements into a single packet to be transmitted. An experimental evaluation is performed in a multi-hop networked control scenario with a routing layer vulnerability exploited by a malicious application.
The experimental and numerical results show the advantages of the proposed compensation schemes. The fourth contribution proposes a distributed reconfiguration method for sensor and actuator networks. We consider systems where sensors and actuators cooperate to recover from faults. Reconfiguration is performed to achieve model-matching, while minimizing the steady-state estimation error covariance and a linear quadratic control cost. The reconfiguration scheme is implemented in a room heating testbed, and experimental results demonstrate the method's ability to automatically reconfigure the faulty system in a distributed and fast manner. The final contribution is a co-simulator, which combines the control system simulator Simulink with the wireless network simulator COOJA. The co-simulator integrates physical plant dynamics with realistic wireless network models and the actual embedded software running on the networked devices. Hence, it allows for the validation of the complete wireless networked control system, including the study of the interactions between software and hardware components. / <p>QC 20140929</p>
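The temporal coding of the third contribution sends each measurement together with the one before it, so that a packet the network dropped or delivered late can be compensated from the next packet that does arrive. The Python below is an added illustration of that idea and is not code from the thesis: it uses plain concatenation of the two measurements rather than the linear combination the thesis derives (an assumption made for clarity), tags packets with sequence numbers, and replays a constructed sample sequence through a network that drops one packet and swaps two others, which is the kind of disruption a routing-layer attack produces.

```python
"""Temporal coding of sensor packets against loss and reordering (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed measurement sequence y[0..5]; values are arbitrary.
SAMPLES = [10.0, 11.0, 13.0, 12.0, 14.0, 15.0]


@dataclass(frozen=True)
class Packet:
    seq: int                   # index k of the current measurement y[k]
    current: float             # y[k]
    previous: Optional[float]  # y[k-1]; None for the very first sample


def encode(samples: List[float]) -> List[Packet]:
    """Sensor side: every packet carries the current sample and its predecessor."""
    return [Packet(k, y, samples[k - 1] if k > 0 else None)
            for k, y in enumerate(samples)]


class Receiver:
    """Controller side: accepts packets in any order and rebuilds y[0..n-1]."""

    def __init__(self) -> None:
        self.values: Dict[int, float] = {}       # seq -> measurement known so far
        self.from_redundancy: Set[int] = set()   # seqs rebuilt from a later packet

    def accept(self, pkt: Packet) -> None:
        # A direct copy supersedes a copy rebuilt from redundancy (same value).
        self.from_redundancy.discard(pkt.seq)
        self.values[pkt.seq] = pkt.current
        # One-step redundancy: the previous sample fills a hole left by a lost
        # or not-yet-arrived packet. Two consecutive losses still leave a gap.
        if pkt.previous is not None and (pkt.seq - 1) not in self.values:
            self.values[pkt.seq - 1] = pkt.previous
            self.from_redundancy.add(pkt.seq - 1)

    def reconstruct(self, n: int) -> List[Optional[float]]:
        """y[0..n-1] with None where no received packet covered the sample."""
        return [self.values.get(k) for k in range(n)]


def deliver(samples: List[float], arrival_order: List[int]) -> Tuple[List[Optional[float]], List[int]]:
    """Encode, let the network deliver only the listed packets in that order, decode.

    Returns the rebuilt sequence and the indices recovered purely from redundancy.
    """
    pkts = encode(samples)
    rx = Receiver()
    for seq in arrival_order:
        rx.accept(pkts[seq])
    return rx.reconstruct(len(samples)), sorted(rx.from_redundancy)


if __name__ == "__main__":
    # Packet 3 dropped, packets 1 and 2 swapped: full recovery.
    print(deliver(SAMPLES, [0, 2, 1, 4, 5]))
    # Packets 2 and 3 both dropped: only 3 is recoverable, 2 stays a hole.
    print(deliver(SAMPLES, [0, 1, 4, 5]))
```

The second scenario is the limit of the scheme: one lost or late packet is absorbed, two consecutive losses are not, which is why a controller would combine this with a hold or prediction step for the remaining gaps.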
160

Prise en compte des risques de cyber-attaques dans le domaine de la sécurité des systèmes cyber-physiques : proposition de mécanismes de détection à base de modèles comportementaux / Addressing cyber-attack risks for the security of cyber-physical systems : proposition of detection mechanisms based on behavioural models

Sicard, Franck 11 October 2018 (has links)
Industrial Control Systems (ICSs) are infrastructures composed of networked industrial computing devices that control a physical system. They run electrical power grids (Smart Grid), production systems (e.g. chemical and manufacturing plants), transport (e.g. trains, aircraft and autonomous vehicles), healthcare and weapon systems. Designed first of all for productivity and fulfilment of the mission in a non-malicious environment, ICSs have, since the beginning of the 21st century, become increasingly exposed to attacks (e.g. Stuxnet, Industroyer, Triton), especially with the arrival of Industry 4.0. Many studies have contributed to securing ICSs with approaches from the security field (e.g. cryptography, IDS), but these do not take into account the behavior of the physical system and therefore the consequences of the malicious act itself. A security approach limited exclusively to analyzing the information exchanged on the industrial network is thus not sufficient. Our approach brings a paradigm shift to detection mechanisms by integrating a model of the behavior of the cyber-physical system.

This thesis proposes attack detection mechanisms positioned as close as possible to the physical process. They analyze the data exchanged between the control system and the physical system and filter these exchanges through deterministic models that represent the behavior of the physical system under its control laws. To this end, a design methodology is proposed in which the complete set of orders is identified, so that brutal attacks (a single order that drives the process straight into a critical state) are detected immediately. To deal with other, stealthier attacks such as sequential attacks, we propose a complementary detection strategy that estimates that an attack is under way before its consequences become destructive. For this we developed the concept of the distance of a state from a state identified as critical, to which we added a second mechanism, the trajectory, which introduces a temporal notion that characterizes an intention to harm.

The proposed approach thus hybridizes a security-oriented technique (IDS probe) and a safety-oriented one (filter approach) into a detection strategy based on four mechanisms:
• Context detection: based on the current state of the ICS, an order sent by the PLC can be blocked by the control filter if it leads to a critical state (brutal attack).
• Combinatorial constraints (sequential attack): checked by the concepts of distance (a risk indicator for the current state) and trajectory (an indicator of the intention to harm, obtained by studying the evolution of the distance over a sequence of orders).
• Temporal constraints (temporal attack): checked by time windows on the occurrence of events and by an indicator monitoring the average execution time.
• Over-solicitation monitoring: based on an indicator monitoring the orders sent to the actuators, to prevent premature ageing of the production equipment (attack on the equipment).
The proposed approach has been applied to several simulation examples and to a real industrial platform, where the detection strategy showed its effectiveness against different scenarios corresponding to different attacker profiles.
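The following Python is an added illustration of how the four mechanisms above combine in one control filter placed between the PLC and the plant; it is not the thesis's code. The plant (a heated tank whose state is a discrete level plus a heater flag), its critical states (overflow, heating an empty tank), the 60 s heater window, the over-solicitation threshold and the trajectory horizon are all assumptions chosen for the example. Distance to a critical state is computed as the fewest orders that reach one (breadth-first search over the plant's order graph), and the temporal window is evaluated whenever an order arrives.

```python
"""Behaviour-model control filter for a small ICS plant (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed plant: a heated tank. State = (level, heater_on); level 6 is overflow.
MAX_LEVEL = 6
ORDERS = ("FILL", "DRAIN", "HEAT_ON", "HEAT_OFF")
ACTUATOR = {"FILL": "inlet_valve", "DRAIN": "outlet_valve",
            "HEAT_ON": "heater", "HEAT_OFF": "heater"}
State = Tuple[int, bool]


def step(state: State, order: str) -> State:
    """Deterministic model of the physical system's response to one order."""
    level, heater = state
    if order == "FILL":
        return (min(level + 1, MAX_LEVEL), heater)
    if order == "DRAIN":
        return (max(level - 1, 0), heater)
    if order == "HEAT_ON":
        return (level, True)
    if order == "HEAT_OFF":
        return (level, False)
    raise ValueError(f"unknown order {order!r}")


def is_critical(state: State) -> bool:
    """Assumed critical states: overflow, or heating an empty tank."""
    level, heater = state
    return level >= MAX_LEVEL or (heater and level == 0)


def distance_to_critical(state: State) -> Optional[int]:
    """Fewest orders leading from state to any critical state (BFS)."""
    seen, frontier = {state}, deque([(state, 0)])
    while frontier:
        s, d = frontier.popleft()
        if is_critical(s):
            return d
        for o in ORDERS:
            n = step(s, o)
            if n not in seen:
                seen.add(n)
                frontier.append((n, d + 1))
    return None  # no critical state reachable


@dataclass
class Decision:
    allowed: bool            # False: the order was blocked by the filter
    alerts: List[str]        # indicators raised by the other mechanisms
    state: State             # plant state after the decision
    distance: Optional[int]  # distance to the nearest critical state


class ControlFilter:
    HORIZON = 2              # trajectory alert: distance falls on 2 consecutive accepted orders
    HEAT_MAX_ON_S = 60.0     # temporal window (assumed spec): heater off within 60 s
    SOLICIT_WINDOW_S = 10.0  # over-solicitation: more than SOLICIT_MAX orders
    SOLICIT_MAX = 3          # to one actuator within SOLICIT_WINDOW_S

    def __init__(self, initial_state: State) -> None:
        self.state = initial_state
        self.distances = deque([distance_to_critical(initial_state)], maxlen=self.HORIZON + 1)
        self.heat_on_since: Optional[float] = None
        self.recent: Dict[str, deque] = {}  # actuator -> timestamps of accepted orders

    def process(self, t: float, order: str) -> Decision:
        alerts: List[str] = []
        # 1. Context detection: an order whose effect is a critical state is blocked.
        nxt = step(self.state, order)
        if is_critical(nxt):
            return Decision(False, [f"context: {order} would lead to critical state {nxt}"],
                            self.state, self.distances[-1])
        # 4. Over-solicitation: count accepted orders per actuator in a sliding window.
        q = self.recent.setdefault(ACTUATOR[order], deque())
        q.append(t)
        while t - q[0] > self.SOLICIT_WINDOW_S:
            q.popleft()
        if len(q) > self.SOLICIT_MAX:
            alerts.append(f"over-solicitation: {len(q)} orders to {ACTUATOR[order]} "
                          f"within {self.SOLICIT_WINDOW_S:.0f} s")
        # 3. Temporal constraint: HEAT_ON must be followed by HEAT_OFF inside the window.
        if order == "HEAT_ON" and self.heat_on_since is None:
            self.heat_on_since = t
        elif order == "HEAT_OFF":
            self.heat_on_since = None
        if self.heat_on_since is not None and t - self.heat_on_since > self.HEAT_MAX_ON_S:
            alerts.append(f"temporal: heater on for {t - self.heat_on_since:.0f} s "
                          f"(> {self.HEAT_MAX_ON_S:.0f} s)")
        # 2. Distance and trajectory: apply the order, then watch the distance shrink.
        self.state = nxt
        d = distance_to_critical(nxt)
        self.distances.append(d)
        ds = list(self.distances)
        if len(ds) == self.HORIZON + 1 and all(a > b for a, b in zip(ds, ds[1:])):
            alerts.append(f"trajectory: distance to critical fell {ds} "
                          f"over the last {self.HORIZON} orders")
        return Decision(True, alerts, nxt, d)


if __name__ == "__main__":
    f = ControlFilter((3, False))
    for t, o in [(0.0, "FILL"), (5.0, "FILL"), (10.0, "FILL")]:
        print(t, o, f.process(t, o))  # third FILL is blocked; second raises trajectory
```

The sequential attack is the interesting case: each FILL on its own is a legitimate order, so a per-message IDS sees nothing, but the distance indicator falls 3, 2, 1 and the trajectory mechanism raises an alert one order before the context filter has to block the order that would overflow the tank. Blocked orders are not counted toward over-solicitation here, since they never reach the actuator; a deployment would still log them for the IDS probe.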
