On Cyber Security for Networked Control Systems

The instrumentation of infrastructure systems by embedded sensors, computation, and communication networks has enabled significant advances in their management. Examples include monitoring of structural health, traffic congestion, environmental hazards, and energy usage. The use of homogeneous (especially commercially available off-the-shelf) information technology (IT) solutions makes infrastructure systems subject to correlated hardware malfunctions and software bugs. Over the past decade, many concerns have been raised about the vulnerabilities of infrastructure systems to both random failures and security attacks. Cyber-security of Supervisory Control and Data Acquisition (SCADA) systems is especially important, because these systems are employed for sensing and control of large physical infrastructures. So far, the existing research in robust and fault-tolerant control does not account for cyber attacks on networked control system (NCS) components. Likewise, the existing research in computer security neither considers attacks targeting NCS components nor accounts for their interactions with the physical system. The goal of this thesis is to bridge this gap by focusing on (1) security threat assessment, (2) model-based attack diagnosis, and (3) resilient control design.

First, cyber-security assessment for SCADA systems is performed based on well-defined attacker and defender objectives. The mathematical model of SCADA systems considered in this work has two control levels: regulatory control using distributed proportional-integral (PI) controllers, and supervisory fault diagnosis based on approximate dynamical system models. The performance of a PI-control-based regulatory scheme and a model-based supervisory diagnostic scheme is studied under a class of deception attacks. In order to test the system resilience, a class of stealthy attacks which can evade detection by SCADA systems is presented.

Second, design of attack diagnosis schemes that incorporate the knowledge of physical dynamics of the system is presented. For SCADA systems used to manage water canal networks, an observer-based attack diagnostic scheme, in which each observer estimates the state of a reduced-order flow model, is presented. The observer parameters are computed using a convex optimization method, and the performance of this scheme is tested on a number of attack scenarios. An application of the theoretical results is illustrated by a field operational test performed on the SCADA system of the Gignac water canal system, located in Montpellier, France. A successful experimental cyber-attack on the sensors and actuators of this canal network revealed new vulnerabilities of the current SCADA system implementation. Another illustration includes security analysis of two benchmark scenarios: the Tennessee Eastman process control system (TE-PCS) and a power system state estimator (PSSE). In both these cases, model-based statistical detection schemes are used to study stealthy deception attacks. For the case of TE-PCS, design of practically implementable attack-detection and response mechanisms to maintain operational safety is presented. For the case of PSSE, it is assumed that the attacker has only partial knowledge of the actual system model. For a set of attacker objectives, the trade-off between the attacker's knowledge and the possible impact of a successful attack on the performance of false data detection schemes is studied.

Third, the stability of linear hyperbolic systems of PDEs is studied when the boundary control actions and the system parameters switch discontinuously between a finite set of modes. Switched PDE models can describe a class of fault and attack scenarios resulting from intermittent withdrawals through offtake nodes and compromise of sensor-control data. Motivated by such scenarios, a new condition for stability of linear hyperbolic systems of PDEs under arbitrary switching of boundary control actions and system parameters is derived. A class of switching attack strategies is presented, which violate the stability condition and result in unstable flow dynamics.

Fourth, the problem of controlling stochastic linear systems for networked control settings is considered when the sensor-control data is prone to packet loss and jamming. For a class of packet drop models, feedback control policies which minimize a given objective function subject to safety constraints are synthesized. For marginally stable systems, under mild hypotheses on the noise introduced by the control channel and large enough control authority, the synthesis of a control policy that renders the state of the closed-loop system mean-square bounded is presented.

Finally, a class of games involving discrete interdependent risks is considered when each player is an NCS, and their security is interdependent due to the exposure to network-induced risks. The problem of security decisions of individual players is formulated as a two-stage non-cooperative game defined as follows: in the first stage, the players decide whether to invest in security or not; and in the second stage, they apply control inputs to minimize the average operational costs. The characterization of the equilibria of the game is presented, which includes the determination of the individually optimal security levels. The presence of interdependent security causes a negative externality, and the individual players tend to underinvest in security relative to the social optimum. From these results, for a wide parameter range, public policy incentivising higher security investments is desirable.
