Relaxing Integrity Requirements for Attack-Resilient Cyber-Physical Systems

TL;DR

This paper demonstrates that intermittent data integrity enforcement in cyber-physical systems can significantly limit attack impact, ensuring bounded estimation errors and maintaining control performance with minimal overhead.

Contribution

It introduces a framework for evaluating and designing intermittent integrity policies that limit attack effects and guarantees estimation error bounds in cyber-physical systems.

Findings

Intermittent integrity enforcement bounds estimation errors under stealthy attacks.

Less than 10% authenticated messages suffice for control performance.

Proposed policies effectively limit attack impact in automotive case studies.

Abstract

The increase in network connectivity has also resulted in several high-profile attacks on cyber-physical systems. An attacker that manages to access a local network could remotely affect control performance by tampering with sensor measurements delivered to the controller. Recent results have shown that with network-based attacks, such as Man-in-the-Middle attacks, the attacker can introduce an unbounded state estimation error if measurements from a suitable subset of sensors contain false data when delivered to the controller. While these attacks can be addressed with the standard cryptographic tools that ensure data integrity, their continuous use would introduce significant communication and computation overhead. Consequently, we study effects of intermittent data integrity guarantees on system performance under stealthy attacks. We consider linear estimators equipped with a general type of residual-based intrusion detectors (including $\chi^2$ and SPRT detectors), and show that even when integrity of sensor measurements is enforced only intermittently, the attack impact is significantly limited; specifically, the state estimation error is bounded or the attacker cannot remain stealthy. Furthermore, we present methods to: (1) evaluate the effects of any given integrity enforcement policy in terms of reachable state-estimation errors for any type of stealthy attacks, and (2) design an enforcement policy that provides the desired estimation error guarantees under attack. Finally, on three automotive case studies we show that even with less than 10% of authenticated messages we can ensure satisfiable control performance in the presence of attacks.