Intrusion Detection and Localization for Networked Embedded Control Systems

TL;DR

This paper presents a physics-based, context-aware intrusion detection system for networked control systems, capable of detecting and localizing cyberattacks to enhance safety in critical applications like automotive control.

Contribution

It introduces a novel IDS that combines process and controller state estimation with context-awareness through adaptive thresholding and filtering, enabling attack detection and localization.

Findings

Successfully detected and localized attacks on a DC motor control system.

Demonstrated effectiveness on simulated automated lane keeping system.

Enhanced security measures for safety-critical control systems.

Abstract

Closed-loop control systems employ continuous sensing and actuation to maintain controlled variables within preset bounds and achieve the desired system output. Intentional disturbances in the system, such as in the case of cyberattacks, can compromise reachability of control goals, and in several cases jeopardize safety. The increasing connectivity and exposure of networked control to external networks has enabled attackers to compromise these systems by exploiting security vulnerabilities. Attacks against safety-critical control loops can not only drive the system over a trajectory different from the desired, but also cause fatal consequences to humans. In this paper we present a physics-based Intrusion Detection System (IDS) aimed at increasing the security in control systems. In addition to conventional process state estimation for intrusion detection, since the controller cannot be trusted, we introduce a controller state estimator. Additionally, we make our detector context-aware by utilizing sensor measurements from other control loops, which allows to distinguish and characterize disturbances from attacks. We introduce adaptive thresholding and adaptive filtering as means to achieve context-awareness. Together, these methodologies allow detection and localization of attacks in closed-loop controls. Finally, we demonstrate feasibility of the approach by mounting a series of attacks against a networked Direct Current (DC) motor closed-loop speed control deployed on an ECU testbed, as well as on a simulated automated lane keeping system. Among other application domains, this set of approaches is key to support security in automotive systems, and ultimately increase road and passenger safety.