Supervisory Control of Discrete-event Systems under Attacks
Masashi Wakaiki, Paulo Tabuada, Joao P. Hespanha

TL;DR
This paper addresses supervisory control in discrete-event systems under cyber attacks, proposing conditions for control and methods for designing robust supervisors that account for adversaries tampering with sensor data.
Contribution
It introduces a novel observability concept considering adversaries and provides efficient algorithms for supervisor synthesis under insertion and removal attacks.
Findings
Supervisory control is feasible if the language is controllable and observable under attack.
Automata-based methods can test observability and synthesize supervisors without exponential complexity.
Robust observers are constructed to ensure control despite sensor tampering.
Abstract
We consider a multi-adversary version of the supervisory control problem for discrete-event systems, in which an adversary corrupts the observations available to the supervisor. The supervisor's goal is to enforce a specific language in spite of the opponent's actions and without knowing which adversary it is playing against. This problem is motivated by applications to computer security in which a cyber defense system must make decisions based on reports from sensors that may have been tampered with by an attacker. We start by showing that the problem has a solution if and only if the desired language is controllable (in the classical discrete-event system sense) and observable in a (novel) sense that takes the adversaries into account. For the particular case of attacks that insert symbols into or remove symbols from the sequence of sensor outputs, we show that testing the existence…
Taxonomy
Topics: Petri Nets in System Modeling · Security and Verification in Computing · Distributed systems and fault tolerance
