Risk assessment and optimal allocation of security measures under stealthy false data injection attacks

TL;DR

This paper develops a risk assessment framework for stealthy false data injection attacks on uncertain control systems, and proposes an optimal security measure allocation strategy to minimize risk under budget constraints.

Contribution

It introduces a novel risk assessment method using Value-at-Risk and output-to-output gain, and proposes an algorithm for optimal security allocation considering attack impact.

Findings

Risk assessment is approximated by convex optimization with probabilistic guarantees.

Optimal security allocation reduces attack impact within budget constraints.

Using risk metrics influences security decisions and system impact.

Abstract

This paper firstly addresses the problem of risk assessment under false data injection attacks on uncertain control systems. We consider an adversary with complete system knowledge, injecting stealthy false data into an uncertain control system. We then use the Value-at-Risk to characterize the risk associated with the attack impact caused by the adversary. The worst-case attack impact is characterized by the recently proposed output-to-output gain. We observe that the risk assessment problem corresponds to an infinite non-convex robust optimization problem. To this end, we use dissipative system theory and the scenario approach to approximate the risk-assessment problem into a convex problem and also provide probabilistic certificates on approximation. Secondly, we consider the problem of security measure allocation. We consider an operator with a constraint on the security budget. Under this constraint, we propose an algorithm to optimally allocate the security measures using the calculated risk such that the resulting Value-at-risk is minimized. Finally, we illustrate the results through a numerical example. The numerical example also illustrates that the security allocation using the Value-at-risk, and the impact on the nominal system may have different outcomes: thereby depicting the benefit of using risk metrics.