Disconnection-aware Attack Detection in Networked Control Systems - PowerPoint PPT Presentation

  1. IFAC World Congress 2020, July 12-17. Disconnection-aware Attack Detection in Networked Control Systems. Hampei Sasahara*, Takayuki Ishizaki**, Jun-ichi Imura**, Henrik Sandberg* (* KTH Royal Institute of Technology, ** Tokyo Institute of Technology)

  2. Cyber-Physical System Security. Malware programs targeting control systems: Stuxnet (2010, uranium plant), BlackEnergy 3 (2015, power grid), Hatman (2017, industrial system). Increasing vulnerability: high connectivity, standard protocols, cyber/physical attack surfaces. Information System (IS) security: cryptography, firewalls, authorization. Control System (CS) security: model-based attack detection (the interest in this talk), physical watermarking, heterogeneous redundant devices.

  3. Model-based Attack Detection. Idea: create a dynamical model and check whether the observed data coincide with the model. Block diagram: networked system, local measurement, residual generator (dynamical model), residual, attack detector, alarm. One of the most fruitful products among the CPS security techniques provided by our control community. What is its role in a more general security workflow?

  4. Incident Handling. Incident handling during an adverse event follows the guideline provided by NIST (National Institute of Standards and Technology) [1]: 1. detection, 2. analysis, 3. containment, 4. eradication/recovery. Model-based detection serves the detection step; containment means disconnection of the suspected components. Potential problem in CPS: an IS has static interaction/operation, whereas a CPS has dynamic interaction/operation through feedback, so the containment process may cause loss of dynamic function (e.g., stability). [1] P. Cichonski et al., Computer Security Incident Handling Guide, NIST, 2012.

  5. Research Objective. Possible solution for the CPS itself: proper segmentation. Segmentation is a design parameter, so it can be chosen so as to cope with disconnection. For the attack detector, segmentation is not a design parameter: is its tracking capability kept under disconnection? Objective: designing disconnection-aware attack detectors.

  6. Research Objective (cont'd). Naive approach: no feedback to the residual generator. Drawback: the detection time depends on the time constant of the component.

  7. Mathematical Description. Notation for the th subsystem: reference, measurement, interaction, attack interaction, and the indices of the remaining subsystems.

  8. Mathematical Description (cont'd). The entire system with the remaining subsystems. Distributed residual generator: residual and estimated interactions.

  9. Mathematical Description (cont'd). The entire system with the remaining subsystems plus the residual generator. Distributed residual generator: residual and estimated interactions. Commonly used residual generator: a Luenberger-type observer in a distributed form, i.e., residual feedback with a static gain.

  10. Example: Low-Voltage Distribution Network. Commonly used model (LinDistFlow): power flow at each node, voltage drop at each branch, Distributed Generation (DG) at the edge. Threat: false data injection attack; containment: node disconnection. Distributed attack detector (Luenberger). Voltage (first-order system) with 230 [V] setpoint: the voltage is kept around the setpoint (> 229 [V]) both before and after the disconnection, because the network is properly segmented.

  11. Example: Low-Voltage Distribution Network (cont'd). Residual (first-order system): perfect tracking (zero residual) before the disconnection; after the disconnection the residual diverges, i.e., the detector loses its tracking capability by disconnection.

  12. Problem Formulation. Notation: the remaining subsystems. Assumption (proper segmentation): the system of remaining subsystems is internally stable for any disconnection. Problem: design a residual generator such that the closed loop stays internally stable for any disconnection. Remark: the naive approach is a possible solution, but its drawback is that the detection time depends on the time constant of the component, which leads to late detection; we therefore seek a better residual generator.

  13. Problem Reformulation. Consider the particular residual generator of Luenberger type; the error dynamics (interaction errors) are written with the residual feedback gain as the design parameter. Remark: in the block diagram, the error dynamics are internally stable for any disconnection exactly when the closed loop is. Reformulated Problem: design the gain such that the closed-loop system is internally stable for any disconnection. Our approach: retrofit control.

  14. Brief Review of Retrofit Control. Retrofit control: a modular design method of a decentralized controller. System of interest, intended situation: multiple subcontroller designers, each designing only one subcontroller with model knowledge of only its own subsystem. Crucial premise: the preexisting system is internally stable. Fundamental idea: design each subcontroller such that the interaction relation is kept invariant, preserving stability.

  15. Brief Review of Retrofit Control (cont'd). From the th subcontroller designer's viewpoint, the interaction relation is invariant.

  16. Brief Review of Retrofit Control (cont'd). With the Youla parameter, the entire system is stable (this holds even when the other models are completely unknown).

  17. Tractable Classes of Retrofit Controllers. The invariance condition is difficult to handle in general. (i) output-rectifying retrofit controllers; (ii) input-rectifying retrofit controllers. Existing result on (i): assumption: the interaction is measurable in addition to the measurement; structure: a locally stabilizing controller driven by the rectified output. The assumption can be satisfied by introducing abundant sensors. On the other hand, (ii) has not received much attention because the condition is on "control inputs", requiring modification of actuators, which is relatively difficult to address in physical systems.

  18. Proposed Solution via Retrofit Control. Back to our problem: disconnection-aware attack detector design. Approach: apply retrofit control. Key observation: the control inputs of the residual generator are cyber signals, so physical actuators are not required. Idea: in the th sub-closed-loop, introduce an additional input that rectifies the original input, designed such that the interaction relation is preserved. Solution: Lemma (dual) with the structured gain. Remark: no requirements on the input/output ports of the residual generator, hence broad applicability.

  19. Simulation. Model (LinDistFlow): power flow at each node, voltage drop at each branch, Distributed Generation (DG) at the edge; threat: false data injection attack; containment: node disconnection. CIGRE benchmark model (European residential network); voltage as a first-order system [V]; residual generator measurement signal: reactive power; controller design: linear quadratic regulator. Confirmation of: 1. early detection, 2. attack impact mitigation, 3. preservation of tracking capability.

  20. Simulation (cont'd). Threat model: a step function injected at the 4th customer's reference voltage. The normalized residual response (for decision making): naive (no feedback) vs. proposed, with the decision line at 0.95 of the DC gain; decisions are made when the residual crosses it. Result 1: early detection is achieved by the proposed method.

  21. Simulation (cont'd). The voltage response (which should be regulated) under disconnection: naive (no feedback) vs. proposed. Result 2: the voltage drop is significantly reduced.

  22. Simulation (cont'd). Stability under disconnection: residuals of the Luenberger-type and the proposed generators, with the disconnection applied mid-run. Result 3: tracking capability is preserved under disconnection.

  23. Conclusion. Summary of contributions: (i) point out the importance of disconnection awareness in the context of incident handling (1. detection, 2. analysis, 3. containment, 4. eradication/recovery); (ii) propose a solution based on retrofit control theory; (iii) show that a particular form of retrofit controllers is appropriate for our problem, which leads to broad applicability of our method. Possible future directions: (i) attack detector design with a given ROC (receiver operating characteristic) curve (residual generator, residual, attack detector, alarm); (ii) analysis for sophisticated attacks. Thank you for your kind attention.
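As an added example (not the authors' code or simulation), the naive-versus-feedback detection-time comparison of slides 6, 12 and 20 reduced to one first-order subsystem: a scalar deviation model with a constructed step attack on its reference, a Luenberger-type residual generator with static gain L, and the 0.95-of-DC-gain decision line. The time constant a, the gain L, the step size and the Euler step are assumptions; the distributed interaction terms and the retrofit redesign are not modelled.

```python
import math


def residual_detection_time(a, L, d=1.0, dt=1e-3, t_max=20.0, threshold=0.95):
    """Euler simulation of one first-order subsystem (e.g. a customer node voltage
    in deviation coordinates) under a constructed step attack on its reference.

        plant:              x' = -a x + a (ref + attack),  y = x  (measurement)
        residual generator: xh' = -a xh + a ref + L (y - xh)     (Luenberger type)
        residual:           r = y - xh

    L = 0 is the naive generator with no residual feedback. Returns the first time
    at which r, normalized by its DC gain, crosses `threshold` (the 0.95 decision
    line of the slides), or None if it never does before t_max.
    """
    ref = 0.0
    x, xh, t = 0.0, 0.0, 0.0
    dc_gain = a * d / (a + L)   # steady-state residual for a step attack of size d
    while t < t_max:
        y = x                   # measurement is untouched; the attack hits the reference
        r = y - xh
        if r / dc_gain >= threshold:
            return t
        attack = d              # constructed threat: step of size d from t = 0
        x += dt * (-a * x + a * (ref + attack))
        xh += dt * (-a * xh + a * ref + L * r)
        t += dt
    return None


def analytic_detection_time(a, L, threshold=0.95):
    """Closed form: the error e = x - xh obeys e' = -(a + L) e + a d, so the
    normalized residual is 1 - exp(-(a + L) t) and crosses `threshold` at
    -ln(1 - threshold) / (a + L). With L = 0 this is fixed by the component's own
    time constant 1/a; residual feedback shortens it to 1/(a + L)."""
    return -math.log(1.0 - threshold) / (a + L)


if __name__ == "__main__":
    a = 1.0                     # assumed component time constant of 1 s
    for label, L in (("naive (no feedback)", 0.0), ("residual feedback", 4.0)):
        print(f"{label:20s} L={L}: detected at t={residual_detection_time(a, L):.3f} s "
              f"(analytic {analytic_detection_time(a, L):.3f} s)")
```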