Detecting Integrity Attacks on Control Systems using a Moving Target Approach
Sean Weerakkody, Bruno Sinopoli

TL;DR
This paper proposes a moving target approach with unknown time-varying dynamics and external states to detect and prevent integrity attacks on control systems, even when adversaries have extensive access.
Contribution
It introduces a novel moving target method using unknown linear time-varying dynamics and external states to enhance attack detection in control systems.
Findings
The approach can detect stealthy attacks with bounded performance.
External states improve detection of adversaries attempting system identification.
The method is robust against adversaries with full access to sensors and actuators.
S. Weerakkody and B. Sinopoli are with the Department of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA, USA 15213. S. Weerakkody is supported in part by the Department of Defense (DoD) through the National Defense Science & Engineering Graduate Fellowship (NDSEG) Program. The work by S. Weerakkody and B. Sinopoli is supported by NSF grant CNS-1329936 CPS: Synergy: Collaborative Research: Event-Based Information Acquisition, Learning, and Control in High-Dimensional Cyber-Physical Systems.
Abstract
Maintaining the security of control systems in the presence of integrity attacks is a significant challenge. In literature, several possible attacks against control systems have been formulated including replay, false data injection, and zero dynamics attacks. The detection and prevention of these attacks may require the defender to possess a particular subset of trusted communication channels. Alternatively, these attacks can be prevented by keeping the system model secret from the adversary. In this paper, we consider an adversary who has the ability to modify and read all sensor and actuator channels. To thwart this adversary, we introduce external states dependent on the state of the control system, with linear time-varying dynamics unknown to the adversary. We also include sensors to measure these states. The presence of unknown time-varying dynamics is leveraged to detect an adversary who simultaneously aims to identify the system and inject stealthy outputs. Potential attack strategies and bounds on the attacker’s performance are provided.
1 Introduction
Cyber-Physical systems (CPSs), referring to the tight interconnection of sensing, communication, and control in physical spaces, are becoming widespread in today’s society. Indeed, these systems will serve a significant role in several applications including transportation, water distribution, medical technologies, manufacturing, and of course the smart grid. Due to the proliferation of CPSs in critical infrastructures, their safety and security are of paramount importance. There have already been several powerful attacks against CPSs. One major example is Stuxnet, which targeted Supervisory Control and Data Acquisition (SCADA) systems at uranium enrichment facilities in Iran [1, 2]. Here, the adversary was able to appropriate controllers running centrifuges at the plant, and avoid detection by replaying previous measurements to the system operator. An additional example is the Maroochy Shire incident where a disgruntled employee performed an attack on a SCADA based sewage control system [3].
Previous work [4] has suggested that existing tools in cyber security are insufficient to address attacks on CPSs due to the underlying physical system. Two main classes of attacks defined by [4] are denial of service attacks where an attacker restricts the flow of information between the plant and control center, and integrity attacks where an adversary can alter control inputs and sensor outputs. An intelligent adversary can potentially cause physical damage to a system using access to control inputs while manipulating sensor measurements to avoid detection. As such, integrity attacks are the main focus of this paper.
Several integrity attacks have been investigated in the literature. For instance, [5, 6] analyze zero dynamics attacks where an adversary injects inputs into both the actuators and sensors so as to bias the state without inserting a net bias on the sensor measurements. False data injection attacks on measurements, where an adversary alters a subset of sensor measurements to induce destabilizing control inputs from the defender, have also been studied. Liu et al. [7] first studied false data injection attacks in the context of electricity grids. Furthermore, in [8], the authors consider false data injection in control systems, providing sufficient and necessary conditions for an attacker to destabilize a system while introducing a bounded bias on measurement residues. Finally, replay attacks where an adversary repeats a sequence of past measurements are analyzed in [9, 10].
The detection and prevention of integrity attacks on control systems against adversaries who are aware of the system model rely on the presence of one or more secure communication channels between the operator and the plant. For instance, [6] provides sufficient and necessary conditions for zero dynamics attacks based on the actuators and sensors in possession of the adversary. If the adversary has access to all sensors and actuators, a trivial zero dynamics attack is to subtract one's influence from the true measurements. To prevent false data injection attacks in control systems, a particular subset of measurements must be secure from the adversary [8]. Moreover, [11] proposes assigning security indices to each sensor to quantify the effort required for an adversary to introduce a successful false data injection attack. Physical watermarking, used to detect replay attacks in [9, 10] and robust attacks defined in [12], relies on the ability to inject secret noisy inputs into the control system. Also, [13], which considers the problem of robust estimation and control in the presence of integrity attacks, relies on the assumption that the attacker is only able to manipulate less than half the sensors.
In this paper, we consider the scenario where an adversary has access to all communication channels. Thus, to prevent an attack, an adversary must not be aware of the full system model. [14] considers the problem of altering system matrices to avoid zero dynamics attacks. However, in practice an adversary can use his access to both inputs and outputs to identify the system. Moreover, a malicious insider such as the attacker in the Maroochy Shire incident might be aware of the system model. Consequently, we propose introducing extraneous states correlated to the ordinary states of the system so that modification of the original states will impact the extraneous states. The extraneous states will have linear time-varying dynamics, known to the system operator and hidden from the adversary. The dynamics act as a moving target, changing fast enough so the adversary does not have adequate opportunity to identify the extraneous system. In this scenario, we propose attacks for the adversary and obtain detection bounds.
The rest of the paper is organized as follows. In Section II, we introduce our system model and control strategy. In Section III, we propose the moving target approach to detect integrity attacks on control systems. In Section IV, we summarize the attacker’s capabilities and propose two attack models. In Section V, we analyze bounds on the attacker’s performance. Section VI concludes the paper.
2 System Model
In this section, we introduce the model for our system. In particular, we assume our cyber-physical system can be modeled as a discrete time control system where
[TABLE]
Here is the state vector at time and is a collection of control inputs. A suite of sensors are used to monitor the state. Here is a vector of sensor measurements taken at time . is the independent and identically distributed (IID) process noise with probability distribution given by where . Meanwhile, is the IID measurement noise with distribution given by where . We assume that is detectable. Additionally, and are assumed to be stabilizable.
The set of measurements are sent to the SCADA center in order to compute the optimal control input. For our purposes, we assume that the operator wishes to minimize a quadratic function of the states and inputs as follows
[TABLE]
where are positive definite matrices defining the relative cost of each state and input. The optimal control input for the given cost function is a combination of a Kalman filter and a linear state feedback controller [15].
The Kalman filter computes the minimum mean squared error state estimate given the previous set of measurements up to denoted by . (Footnote 1: The superscript is used to distinguish the ordinary state estimate from the state estimate obtained through the moving target model.) We assume that the system has been running for a long time so that the Kalman filter has converged to a fixed gain linear estimator.
[TABLE]
The optimal control input with respect to (3) is given by
[TABLE]
and satisfies the following Riccati equation
[TABLE]
A bad data detector can be utilized to determine whether a malicious attack is occurring. Typically, the bad data detector can be written as a threshold-based detector where
[TABLE]
Here, is the information available to the defender. The null hypothesis is that the system is operating normally while the alternate hypothesis is that the system is under attack. A more specific detector will be discussed later in the article. We furthermore define the probability of detection and false alarm as
[TABLE]
Observe that is independent of since the system is stationary under . Regardless of the information available to a system operator, an attacker with knowledge of the input to output model as well as the ability to manipulate sensor measurements and control inputs, can generate undetectable attacks [16].
For instance, an adversary can simply subtract the influence he inserts through the control inputs from the system outputs as follows
[TABLE]
where is given by
[TABLE]
In this case, the attack has zero net effect on the outputs and as a result .
3 The Moving Target
As discussed in the previous section, an adversary who is both aware of the system model and has access to all channels can generate undetectable attacks. In this work, we propose introducing linear time-varying dynamics, unknown to the adversary, but known to the defender, into the system. The defender can leverage his knowledge of the system to detect integrity attacks by the adversary. Moreover, by introducing time-varying dynamics, the defender limits the adversary’s ability to identify the system using his access to measurements and inputs. The time-varying dynamics act as a moving target.
3.1 Extended Model
We extend the state to include extraneous states as follows
[TABLE]
where
[TABLE]
Moreover, we introduce additional sensors to measure the extraneous states.
[TABLE]
The matrices are assumed to be IID random variables which are independent of the sensor and process noise with distribution
[TABLE]
Furthermore, we also assume that
[TABLE]
where
[TABLE]
Remark 1
While we assume the structure of the system introduced above with IID matrices , the moving target design can still be effective in other scenarios. For instance, the dynamics need not be linear as long as the defender can accurately model the system. Moreover, the system parameters do not have to evolve at each time step, though the longer the target remains in place, the easier it is for the adversary to identify the system. In addition, the matrices , or may be sparse, as long as there exists adequate coupling between and .
Remark 2
The defender must be able to introduce extraneous states with time-varying dynamics correlated to the original state of the system. The extraneous states are application dependent and are to be decided by the system operator. Nonetheless, the system operator can leverage existing waste products of the system, for instance the heat dissipated by a reaction or process. The dynamics can be made time-varying by changing conditions at the plant. Alternatively, the defender can introduce dynamics into the system. For instance, the defender can introduce RLC circuits which measure the states. Time varying dynamics can be incorporated by including variable resistors or capacitors. By varying the components of the circuit according to some IID distribution at each time step, the defender can generate IID system matrices.
Remark 3
In the above formulation we assume that the defender is aware of the real time system matrices although they are random. In general, this information should not be sent over the network since doing so amounts to the existence of a secure communication channel. The secure communication channel could be leveraged to detect an attack without considering a moving target approach, for instance through physical watermarking [12]. Alternatively, we can generate pseudo random system matrices using a pseudo random number generator (PRNG). In this case, the seed of the PRNG will be known to the defender and kept hidden from the attacker.
3.2 Estimation and Detection
The presence of additional sensors allows us to improve our estimate of the state. In particular, we can incorporate an additional Kalman filter to estimate the state as follows.
[TABLE]
Observe that we use the state estimate to compute the input as opposed to an estimate derived from (22). We assume the defender does not care about controlling . In this case, adding the moving target does not change . Such a strategy also prevents the attacker from using information from the input to learn about the system model. In fact, we have the following result.
Theorem 1
The input is independent from the system matrices for all .
Proof 3.2.
The input is given by
[TABLE]
where is some deterministic function of variables which by assumption are independent from for all . The result immediately follows.
A similar result can be obtained under attack where is conditionally independent of the system matrices for all , given the adversary’s attack inputs.
We assume that a residue based detector is incorporated where the residue is given by
[TABLE]
We can leverage knowledge of the distribution of under normal operation to design a detector. In particular we consider a detector where in (10) is given by
[TABLE]
where . Under normal operation has a distribution. In general, the window for the detector can be extended to consider past measurements. In Figure 1, we include a diagram of the moving target system operating normally.
4 Attack Model
In this section we describe a near omnipotent attacker in terms of his capabilities, access to information, and potential strategies. On one hand, the adversary may acquire his knowledge and resources through a highly sophisticated attack strategy as done in Stuxnet. On the other hand, an adversary can obtain his resources through insider information and access as done in the Maroochy Shire incident.
4.1 Attack Capabilities
- The attacker can insert arbitrary inputs into the system and can arbitrarily alter the sensor measurements. As a result, when under attack, the system has dynamics given by
[TABLE]
[TABLE]
where is the attacker’s control input and and are the biases injected on the extraneous sensors and ordinary sensors respectively.
- The attacker can read the true outputs of the system and the inputs being sent by the defender to the plant for all time .
Remark 4.3.
The attacker essentially performs a man in the middle attack between the plant and system operator so that he can manipulate and read all communication channels arbitrarily. A malicious insider can do this by breaking encryption schemes. Furthermore, physical attacks can be used to change sensor measurements and control inputs. For instance, locally heating or cooling a temperature sensor would change the sensor measurements without violating the integrity or authenticity of data from a cyber perspective.
- The attacker has full knowledge of the system model . Moreover, the adversary knows the probability density function (pdf) of random matrices .
Remark 4.4.
While conservative, the adversary can obtain his knowledge of the system model by observing the communication channels for an extended period of time and performing system identification. Moreover, observe that since the attacker is aware of the original system model and all outputs, he can asymptotically predict the state estimate if the matrix is stable [9].
Remark 4.5.
The attacker can leverage his probabilistic knowledge of the system model as well as the true outputs of the system to generate stealthy attack inputs . In particular, the adversary can attempt to simultaneously identify the moving target and generate convincing counterfeit sensor outputs.
Based on the above definitions we can define the private information available to the attacker and defender at time and the public information available to both as
[TABLE]
In Figure 2, we include a diagram of the system under attack.
4.2 Attack Strategy
In this subsection we propose two main attack strategies. Without loss of generality we assume any attack begins at .
4.2.1 Attack 1: Subtract Influence
In the first attack strategy the attacker aims to estimate his influence on the control system and subtract it. Define . Observe that if
[TABLE]
with initial state and , an attack is completely stealthy. As the adversary does not know the time varying matrices, we assume he computes an estimate of and uses that to subtract his influence on the sensor measurements. Thus, we would have
[TABLE]
Remark 4.6.
Observe that the adversary can exactly subtract his influence from measurements due to his knowledge of the system model. However, the adversary should be unable to completely subtract his bias from the extraneous sensors .
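The following scalar simulation is an added example, not the authors' code; it illustrates Remark 3, the residue detector of Section 3.2 and the subtract-influence attack by comparing alarm rates on the ordinary and extraneous sensors. Assumptions of this example: the extraneous state is driven by the ordinary state and the input through parameters (a1, a2, b, c); those parameters come from HMAC-SHA256 over a step counter, standing in for the seeded PRNG; the attacker substitutes the mean of their known distribution for the hidden values, a simple estimate rather than the optimal estimator discussed next; the defender runs a separate scalar filter on the extraneous state, and all constants are constructed.

```python
import hashlib, hmac, random, struct

A, B, C, L = 0.9, 1.0, 1.0, 0.3       # ordinary plant and feedback gain (constructed)
Q = R = QE = RE = 0.01                # process/sensor noise variances (constructed)
MEAN = (0.0, 1.0, 1.0, 1.0)           # mean of (a1, a2, b, c): all the attacker knows
CHI2_99 = 6.635                       # 99th percentile of chi-square with 1 dof


def target(key, k):
    """Moving-target parameters (a1, a2, b, c) for step k from a secret key."""
    digest = hmac.new(key, struct.pack(">Q", k), hashlib.sha256).digest()
    u = [v / 2**64 for v in struct.unpack(">4Q", digest)]   # uniforms in [0, 1)
    return u[0] - 0.5, u[1] + 0.5, u[2] + 0.5, u[3] + 0.5


def steady_kalman():
    """Fixed-gain Kalman filter for the ordinary state: gain, prior, posterior variance."""
    p = Q
    for _ in range(200):
        p = A * A * p * R / (C * C * p + R) + Q
    gain = p * C / (C * C * p + R)
    return gain, p, (1 - gain * C) * p


def run(key, steps=1200, attack_start=None, bias=1.0, noise_seed=1):
    """Return (ordinary, extraneous) alarm rates; counted from attack_start if set."""
    rng = random.Random(noise_seed)            # simulation noise only, not the secret
    gain, p_prior, p_post = steady_kalman()
    x = xe = 0.0                               # true ordinary / extraneous state
    xp = xep = 0.0                             # defender's one-step predictions
    pep = 1.0                                  # variance of the extraneous prediction
    dx = dxe_hat = 0.0                         # attacker's influence and his guess
    first = attack_start or 0
    hits = [0, 0]
    for k in range(steps):
        a1, a2, b, c = target(key, k)          # known to plant hardware and defender
        # Sensor values as delivered after the attacker's edits.
        y = C * x + rng.gauss(0, R ** 0.5) - C * dx
        ye = c * xe + rng.gauss(0, RE ** 0.5) - MEAN[3] * dxe_hat
        # Defender: residues, chi-square tests, filter updates.
        z, ze = y - C * xp, ye - c * xep
        s, se = C * C * p_prior + R, c * c * pep + RE
        if k >= first:
            hits[0] += z * z / s > CHI2_99
            hits[1] += ze * ze / se > CHI2_99
        xh = xp + gain * z
        ke = pep * c / se
        xeh, pe = xep + ke * ze, (1 - ke * c) * pep
        u = -L * xh
        ua = bias if attack_start is not None and k >= attack_start else 0.0
        # Defender predicts with the true parameters and his own input only.
        xep = a1 * xeh + a2 * xh + b * u
        pep = a1 * a1 * pe + a2 * a2 * p_post + QE
        xp = A * xh + B * u
        # Plant: the real input is u + ua.
        xe, x = (a1 * xe + a2 * x + b * (u + ua) + rng.gauss(0, QE ** 0.5),
                 A * x + B * (u + ua) + rng.gauss(0, Q ** 0.5))
        # Attacker: exact bookkeeping for x, mean parameters for the extraneous state.
        dxe_hat, dx = (MEAN[0] * dxe_hat + MEAN[1] * dx + MEAN[2] * ua,
                       A * dx + B * ua)
    n = steps - first
    return hits[0] / n, hits[1] / n


KEY = b"constructed-demo-key"                  # placeholder secret, not a real key

if __name__ == "__main__":
    print("no attack      :", run(KEY))
    print("attack at k=200:", run(KEY, attack_start=200))
```

With these constructed parameters the ordinary-sensor alarm rate stays near the false-alarm level during the attack, because the attacker's exact knowledge of the ordinary model cancels his bias there, while the extraneous-sensor detector alarms on most steps.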
Optimal Theoretical Estimation Define , , and . The adversary’s observations can be formulated through the following linear time-varying system,
[TABLE]
To estimate at time , assume the adversary has access to the following distribution where Then we have
[TABLE]
We show that the pdf can be recursively computed at each step. Letting we have
[TABLE]
The second equality follows from the conditional independence of and given and . The last equality follows from Bayes rule and the conditional independence of and given . We note that this distribution can be theoretically computed given the attacker’s information. That is, we know that
[TABLE]
Moreover, and are deterministic functions of , , and random variables , , , , , which are independent of given . Thus, theoretically, can be recursively computed from .
Remark 4.7.
If the attacker subtracts his influence, he might be susceptible to a growing cancellation error if he attempts to excite the system’s unstable dynamics. Instead of subtracting his influence the attacker can instead directly estimate what the defender expects to see as summarized in the next section.
4.2.2 Attack 2: Estimate Expected Measurement
In the next strategy, the adversary aims to track the system operator’s state estimate. Using the system operator’s state estimate, the adversary attempts to generate stealthy outputs. Let . The attacker’s observations and strategy can be formulated as follows
[TABLE]
[TABLE]
The attacker wishes to track . The use of the preceding attack design is motivated by the ensuing result which states that the chosen attack vector minimizes a fixed quadratic function of the measurement residues.
Theorem 4.8.
Let be a positive semidefinite matrix.
[TABLE]
Proof 4.9.
Observe that
[TABLE]
Taking the gradient with respect to and setting the resulting expression equal to 0, we obtain
[TABLE]
Solving gives
[TABLE]
and the result holds.
To determine at time assume the adversary has access to the following distribution . As done before, the attacker can theoretically compute by taking a conditional expectation. Additionally, similar to (38) we have
[TABLE]
Moreover, by similar analysis as in attack 1, we can demonstrate that can be recursively computed from . The main difference here is that the adversary must also estimate . Note that in practice the proposed attacks are difficult to execute for an adversary since it is likely a challenge to compute the necessary distribution functions and expected values. As a result, in the next section we aim to provide bounds on the attacker’s estimation performance in terms of mean square error matrices.
5 Bounds on Attacker’s Performance
5.1 Bounds on Attacker’s State Estimation
In this section we attempt to characterize lower bounds on the error matrices associated with the states defined in attack strategy 1 and 2. From there, we can attempt to characterize how well the adversary can design to fool the bad data detector.
We leverage conditional posterior Cramer-Rao lower bounds for Bayesian sequences derived by [17]. The authors here make use of the Bayesian Cramer-Rao lower bound or Van Trees bound derived in [18] which states that for observations and states the mean squared error matrix is bounded by the Fisher information as follows
[TABLE]
where the Fisher information matrix is given by
[TABLE]
Note that
[TABLE]
In [17], this result is extended to nonlinear Bayesian sequences with dynamics given by
[TABLE]
where and are independent process and sensor noise respectively. In our case, we slightly adapt these results to account for the fact there is feedback in our system so that
[TABLE]
The inputs , and are incorporated into the definition of , while uncertainty in the model can be incorporated in the process noise . It can be shown that the following posterior Cramer-Rao lower bound holds
[TABLE]
where
[TABLE]
Remark 5.10.
We remark that since is defined by inputs , and , is implicitly conditioned on . Moreover, is defined given the adversary’s knowledge of .
Observe that (51) gives us an expected lower bound for the error matrix associated with the entire state history with knowledge of measurements . This expectation is taken over the state history as well as the measurement so that is a function of the measurement . Observe that unlike the traditional Cramer-Rao bound, which is limited to unbiased estimators, the Bayesian Cramer-Rao bound here considers both biased and unbiased estimators .
While the lower bound given here applies to the entire state history , in practice we care about estimating a lower bound on the current state . Nonetheless, it can be easily shown that
[TABLE]
where is the lower right submatrix of . In practice, computing from is impractical since it requires computing and taking the inverse of a Fisher information matrix which grows in dimension at each time step. As a result, we would like a recursion to compute . From [17] we have the following result,
[TABLE]
where
[TABLE]
In addition,
[TABLE]
where
[TABLE]
We observe that it is still difficult to obtain matrices so [17] introduces the following approximate recursion
[TABLE]
where
[TABLE]
We observe that in practice it may still be difficult to compute the exact expectations because high dimensional integration is generally involved. Nonetheless, particle filters as described in [19] can be used to approximate these expectations. Alternative approximations for the conditional posterior Cramer-Rao lower bound can be found in [20]. Unconditional bounds can be found in [21].
5.2 Bounds on Detection
The algorithm described allows us to compute an approximate lower bound on the mean square error matrix of the attacker’s state for a given set of inputs and observation history . This allows us to obtain a lower bound on the value of as follows.
Theorem 5.11.
Consider the special case that is known to the adversary for all . Suppose an attacker attempts to estimate as in attack strategy 2. Let be an estimate of as a function of given and . Suppose a lower bound on the error matrix of is obtained so that
[TABLE]
Then we have
[TABLE]
where .
Proof 5.12.
First, observe from remark 5.10
[TABLE]
We now have the following.
[TABLE]
The first two equalities follow from properties of the trace and expectation. The third equality follows from monotonicity properties of the trace function and the fact that is constant with respect to . The fourth equality is based on the fact that given , a minimizer lies in the range space of . The fifth equality is due to (61). The final inequality follows from (59).
Remark 5.13.
In general, the adversary’s ability to estimate is dependent on the inputs . For instance, the more the adversary biases the state away from its expected region of operation, the more challenging it is to perform estimation. Thus, if the system operator wishes to analyze how well an adversary can generate stealthy outputs, he must consider a particular sequence of attack inputs .
Remark 5.14.
In practice, it may be difficult to perform performance analysis when assuming is an unknown state. However, one can still approximate a lower bound on the error matrix by assuming that the adversary has an oracle which allows him to know , , .
6 Conclusion
In this paper, we have considered attacks on control systems where an adversary has access to all channels in a communication network. In order to counter such an adversary, we propose introducing time-varying dynamics into the system which are unknown to the adversary and can in turn be leveraged to detect attacks. Future work will consider sufficient conditions for the design of these matrices to prevent zero-dynamic attacks and the analysis of optimal identification techniques for the adversary.
References
- [1] T. M. Chen, “Stuxnet, the real start of cyber warfare? [editor’s note],” IEEE Network, vol. 24, no. 6, pp. 2–3, 2010.
- [2] R. Langner, “To kill a centrifuge: A technical analysis of what Stuxnet’s creators tried to achieve,” Langner Communications, Tech. Rep., November 2013. [Online]. Available: www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
- [3] J. Slay and M. Miller, “Lessons learned from the Maroochy water breach,” in Critical Infrastructure Protection. Springer US, 2008, pp. 73–82.
- [4] A. A. Cárdenas, S. Amin, and S. S. Sastry, “Secure Control: Towards Survivable Cyber-Physical Systems,” in Distributed Computing Systems Workshops, 2008. ICDCS ’08. 28th International Conference on. IEEE, 2008, pp. 495–500. DOI: 10.1109/ICDCS.Workshops.2008.40.
- [5] A. Teixeira, D. Perez, H. Sandberg, and K. H. Johansson, “Attack models and scenarios for networked control systems,” in Proceedings of the 1st international conference on High Confidence Networked Systems, Beijing, China, 2012, pp. 55–64.
- [6] F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack detection and identification in cyber-physical systems,” IEEE Transactions on Automatic Control, vol. 58, no. 11, pp. 2715–2729, 2013.
- [7] Y. Liu, M. Reiter, and P. Ning, “False data injection attacks against state estimation in electric power grids,” in Proceedings of the 16th ACM conference on computer and communications security, Chicago, IL, 2009.
- [8] Y. Mo and B. Sinopoli, “False data injection attacks in cyber physical systems,” in First Workshop on Secure Control Systems, Stockholm, Sweden, April 2010.
