Zong-Syun Lin
†, Alvaro A. Cárdenas
‡, Saurabh Amin
‡, Hsin-Yi Tsai
†, Yu-Lun Huang
†and Shankar Sastry
‡†
National Chiao Tung University, Taiwan
‡
University of California, Berkeley
ABSTRACT
We present security analysis of process control systems (PCS) when an attacker can compromise sensor measurements that are critical for maintaining the operational goals. We present the general sensor attack model that can represent a wide variety of DoS and deception attacks. By taking example of a well studied process control system, we discuss the con-sequences of sensor attacks on the performance of the sys-tem and important implications for designing defense ac-tions. We develop model-based detection methods that can be tuned to limit the false-alarm rates while detecting a large class of sensor attacks. From the attacker’s viewpoint, we show that when the detection mechanisms and control sys-tem operations are understood by the attacker, it can carry stealth attacks that maximize the chance of missed detec-tion. From the defender’s viewpoint, we show that when an attack is detected, the use of model-based outputs maintains safety under compromised sensor measurements.
1. INTRODUCTION
Control systems are computer-based systems that moni-tor and control physical processes. These systems represent a wide variety of networked information technology (IT) sys-tems connected to the physical world. Depending on the ap-plication, these control systems are also called Process Con-trol Systems (PCS), Supervisory ConCon-trol and Data Acquisi-tion (SCADA) systems, or Cyber-Physical Systems (CPS).
The overall objectives of these control systems are: (1) to maintain safe operational goals by limiting the probability of undesirable behavior, (2) to meet the production demands by keeping certain process values within prescribed limits, (3) to maximize production profit.
Control systems are more vulnerable today than in the past due to the increased standardization of technologies, the increased connectivity of control systems to other com-puter networks and the Internet, insecure connections, etc.
Because of the increasing risk to computer attacks, there has been a significant effort in recent years to discuss and
iden-Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
Copyright 200X ACM X-XXXXX-XX-X/XX/XX ...$5.00.
tify the security issues of control systems [1, 2, 4–7, 9–11, 13–15].
In this proposal we focus on attacks on the regulatory layer. The regulatory control layer has direct access to the sensors that measure the process variables and is responsi-ble for nominal safety and operation of the processes in the system. Since the regulatory layer controllers are required to demonstrate faster response, they are traditionally based on the classic proportional-integral-derivative (PID) algo-rithms.
2. OUR APPROACH
We believe that most of the previous work in the secu-rity of control systems has three goals: (1) create aware-ness of security issues with control systems, (2) help control systems operators and IT security officers design a security policy, and (3) recommend basic security mechanisms for prevention (authentication, access controls, etc), detection, and response to security breaches.
While these recommendations and standards have placed significant importance in the survivability of control systems;
we argue that they have not considered new research prob-lems that arise when control systems are under attack. In particular, researchers have not considered how attacks af-fect the estimation and control algorithms -and ultimately, how attacks affect the physical world.
In this work we argue that the major distinction of control systems with respect to other IT systems is the interaction of the control system with the physical world. We propose to incorporate the physical process dynamics in the secu-rity analysis of the control system and focus on an attacker that compromises sensor readings. We have two major goals (1) to develop a threat assessment methodology, and (2) to design attack detection and response mechanisms.
3. ATTACK MODELS
In this proposal we focus on attacks on sensor networks and the effects they can have on the process control sys-tem. We consider the case when the state of the system is measured by a sensor network of 𝑝 sensors that observes the measurement vector 𝑦(𝑘) = {𝑦1(𝑘), . . . , 𝑦𝑝(𝑘)}, where 𝑦𝑖(𝑘) denotes the measurement by sensor 𝑖 at time 𝑘. All sensors have a dynamic range that defines the domain of 𝑦𝑖 for all 𝑘. That is, all sensors have defined minimum and maxi-mum values ∀𝑘, 𝑦𝑖(𝑘) ∈ [𝑦min𝑖 , 𝑦𝑖max]. Let 𝒴𝑖= [𝑦𝑖min, 𝑦max𝑖 ].
We assume each sensor has a unique identity protected by a cryptographic key.
Loop 1
Figure 1: Architecture of the Simplified TE Plant
Let ˜𝑦(𝑘) ∈ ℝ𝑝 denote the received measurements by the controller at time 𝑘. Based on these measurements the con-trol system defines concon-trol actions to maintain certain oper-ational goals. If some of the sensors are under attack, ˜𝑦(𝑘) may be different from the real measurement 𝑦(𝑘); however, we assumed that the attacked signals ˜𝑦𝑖(𝑘) also lie within 𝒴𝑖
(signals outside this range can be easily detected by fault-tolerant algorithms).
Let 𝒦𝑎= {𝑘𝑠, . . . , 𝑘𝑒} represent the attack duration; be-tween the start time 𝑘𝑠 and stop time 𝑘𝑒 of an attack. A general model for the observed signal is the following:
˜ This general sensor attack model can be used to represent a variety of attacks such as additive injection, multiplicative scaling, replay attacks and DoS attacks.
4. PROCESS DESCRIPTION
To test our attacks, we use the Tennessee-Eastman process control system (TE-PCS) model and the associated multi-loop PI control law as proposed by Ricker [12]. The process architecture and the control loops are described in Figure 1.
The control objective is to regulate 𝐹4, the rate of production of the product 𝐷, at a set-point 𝐹4𝑠𝑝, while maintaining 𝑃 , the operating pressure of the reactor, below the shut-down limit of 3000 𝑘𝑃 𝑎 as dictated safety considerations, such that 𝐶, the operating cost is minimized.
There are four input variables, denoted as 𝑢1, 𝑢2, 𝑢3 and 𝑢4, available to achieve the above control objective. Ricker [12]
suggests the input-output pairings (or control loops) as seen in Figure 1. The PI control law for the loop−𝑖 controller for the 𝑘𝑡ℎsampling period is given by
𝑢𝑖(𝑘) = 𝑢𝑖(𝑘 − 1) + 𝐾𝑖 where 𝑒𝑖(𝑘) = setpoint − measured value of controlled vari-able for loop−𝑖 controller at 𝑘𝑡ℎsampling period. The
con-+
Figure 2: The proposed detection module.
troller settings 𝐾𝑖and 𝜅𝑖are pre-tuned and given [12]. The control input vector for 𝑘𝑡ℎ sampling period is denoted as 𝑢(𝑘) = (𝑢1(𝑘), . . . , 𝑢4(𝑘))⊤. We also add a Gaussian distur-bance to the control inputs 𝑢(𝑘) so that the system is never in a complete steady state.
5. THREAT ASSESSMENT
We study the security issues of control systems by exper-imenting and simulating cyber attacks on sensor signals in the TE-PCS model. Because operating the chemical reac-tor with a pressure larger than 3000 kPa is unsafe, it may lead to an explosion or damage of the equipment. Assume that the goal of the attacker is to raise the pressure level of the tank to a value larger than 3000 kPa, we attack a single sensor or a single controller at a given time. From the ex-perimental results, we found that the most effective of these attacks were the max / min attacks (make the forged signals the extreme values, i.e, 𝑦max or 𝑦min); however, not all of them were able to drive the pressure to unsafe levels. We found out that, in general, the DoS attacks do not affect the plant. We conclude that if the plant operator wants to pre-vent an attack from making the system operate in an unsafe state, it should prioritize the integrity of the sensors rather than their availability.
6. MODEL-BASED ATTACK DETECTION
Detecting attacks to control systems can be formulated as anomaly-based intrusion detection systems [3]. Our pro-posed attack detection system is presented in Figure 2. The control input sequence 𝑢(𝑘) is fed to the physical system af-ter being perturbed by an additive Gaussian process noise sequence 𝑤(𝑘). The process noise sequence can be thought as unmodeled factors that affect the evolution of system state. The input sequence 𝑢(𝑘) is also fed to a system model that is representative of the physical system and is internal to the detection system. The internal model will produce an output sequence ˆ𝑦(𝑘). The anomaly detection module (ADM) will compare the two measurement sequences: the sequence ˜𝑦(𝑘) that is received from the sensor measurements and may have been influenced by the attacker with the se-quence ˆ𝑦(𝑘) that is obtained from the internal model. The ADM raises an alert if the deviation between the two se-quences is significant.
To formalize this problem, we need (1) a linear model that is representative of the physical system, and (2) an anomaly detection algorithm. We use the linear model, character-ized by the matrices 𝐴, 𝐵, and 𝐶, obtained by linearizing the non-linear TE-PCS model about the steady-state oper-ating conditions. The model dynamics that are linear in
state 𝑥(𝑘) ∈ ℝ𝑛 and control input 𝑢(𝑘) ∈ ℝ𝑚are
𝑥(𝑘 + 1) = 𝐴𝑥(𝑘) + 𝐵𝑢(𝑘) (2) Assume that the system (2) is monitored by a sensor network with 𝑝 sensors. We can obtain the representative measure-ment sequence, ˆ𝑦(𝑘) ∈ ℝ𝑝, from the observation equations
ˆ
𝑦(𝑘) = 𝐶𝑥(𝑘), (3)
For our anomaly detection algorithm we use a change de-tection formulation [8]. The problem formulation is: given a time series sequence 𝑧(1), 𝑧(2), . . . , 𝑧(𝑁 ), determine the min-imum number of samples, 𝑁 , the anomaly detection scheme should observe before making a decision 𝑑𝑁 between two hypotheses: 𝐻0 (normal behavior) and 𝐻1 (attack). Let
𝑧𝑖(𝑘) := ∣˜𝑦𝑖(𝑘) − ˆ𝑦𝑖(𝑘)∣ − 𝑏𝑖 (4) where 𝑏𝑖is a small positive constant chosen such that
𝔼𝐻0[∣˜𝑦𝑖(𝑘) − ˆ𝑦𝑖(𝑘)∣ − 𝑏𝑖] < 0 (5) The nonparametric CUSUM statistic for sensor 𝑖 is
𝑆𝑖(𝑘) = (𝑆𝑖(𝑘 − 1) + 𝑧𝑖(𝑘))+, 𝑆𝑖(0) = 0 (6) and the corresponding decision rule is
𝑑𝑁,𝑖≡ 𝑑𝜏(𝑆𝑖(𝑘)) =
{ 𝐻1 if 𝑆𝑖(𝑘) > 𝜏𝑖
𝐻0 otherwise (7) where 𝜏𝑖 is the threshold selected based on the false alarm rate for sensor 𝑖.
Our response strategy (shown in Fig 2) can be summarized as follows: For sensor 𝑖, if 𝑆𝑖(𝑘) > 𝜏𝑖, the ADM replaces the sensor measurements ˜𝑦𝑖(𝑘) with measurements generated by the linear model ˆ𝑦𝑖(𝑘) (that is the controller will receive as input ˆ𝑦𝑖(𝑘) instead of ˜𝑦𝑖(𝑘)). Otherwise, it treats ˜𝑦𝑖(𝑘) as the correct sensor signal.
7. EXPERIMENTS
In this section, we briefly discuss how our defense system works under attacks. We omit the details for determining the two parameters (𝑏 and 𝜏 ) of the nonparametric CUSUM statistic. We also have to make sure that if there is a false alarm, controlling the system by using the estimated values from the linear system will not cause any safety concerns.
We found that while a false response mechanism increases the pressure of the tank, it never reaches dangerous levels.
We now test the detection and response performance of the ADM for certain attacks. Because operating the chem-ical reactor with a pressure larger than 3000 kPa is unsafe, all our attacks attempt to raise the pressure in the tank. In order to quantify the magnitude of the attack we use multi-plicative scaling attacks with parameter 𝜆𝑚and attack each sensor. Our attacks start at time 𝑇 = 10 hours. We only re-port attacks on 𝑦5here. The results for 𝑦4and 𝑦7are similar.
Sensor 𝑦5 monitors pressure of the reactor. Attacking sen-sor 𝑦5 by lowering the value makes controller turn down the purge valve to increase pressure. In an unprotected system the safety of the system is compromised at time 𝑇 = 23.5 (hr) if we set parameter of scaling attack 𝜆𝑚𝑦5 to 0.5. With ADM enabled, the attack can be detected at time 𝑇 = 10.7 (hr) and the plant remains stable.
If an attacker compromises two more sensors then he can mount multiple attacks; however these attacks can also be
0 10 20 30 40
(a) Without ADM
0 10 20 30 40
(b) ADM detects and re-sponds to the attack at 𝑇 = 10.7 (hr)
Figure 3: ˜𝑦5= 𝑦5∗ 0.5
detected independently by each statistic 𝑆𝐼(𝑘). As an anec-dote we attack 𝑦5with a replay attack and 𝑦7with a scaling attack. In the original plant system (without ADM), Fig 4 shows that plant goes to an unsafe state at time 𝑇 = 16.2 (hr). Compared with just launching an scaling attack on 𝑦7, the combined attack takes much less time to drive the pres-sure past safety levels. The reason is that the replay attack on 𝑦5, gives an erroneous information to the controller that tries to prevent an increase in pressure.
If we have an ADM the attack is detected by 𝑆𝑦5(𝑘) at
(a) without ADM the pressure grows past safety levels.
0 10 20 30 40
(b) The statistics for 𝑦5 and 𝑦7 independently detect the at-tack.
Figure 4: ˜𝑦5(𝑡) = 𝑦5(𝑡 − 10) & ˜𝑦7 = 𝑦7∗ 1.2
8. STEALTH ATTACKS
Although the proposed ADM can detect a wide range of attacks, we consider a more powerful adversary that knows about the detection scheme. We take a conservative ap-proach in our models by assuming a very powerful attacker with knowledge of: (1) the exact linear model that we use, the parameters of the ADM, and (3) the control command signals. Such a powerful attacker may be unrealistic in some scenarios, but one may want to test the resiliency of our sys-tem to such an attacker to guarantee safety for a wide range of attack scenarios. The goal of a stealth attacker is to raise the pressure in the tank without being detected. We define and analyze three such attacks in our work.
9. REFERENCES
[1] E. Byres. Designing Secure Networks for Process Control. IEEE Industry Applications Magazine, 6:33–39, 2000.
[2] E. Byres and J. Lowe. The myths and facts behind cyber security risks for industrial control systems. In VDE Congress, 2004.
[3] D. Denning. An intrusion-detection model. Software Engineering, IEEE Transactions on,
SE-13(2):222–232, Feb. 1987.
[4] J. Falco, N. I. of Standards, and T. (US). IT Security for Industrial Control Systems. US Dept. of
Commerce, Technology Administration, National Institute of Standards and Technology, 2002.
[5] GAO. Critical infrastructure protection. Multiple efforts to secure control systems are under way, but challenges remain. Technical Report GAO-07-1036, Report to Congressional Requesters, September 2007.
[6] E. Goetz and S. Shenoi. Critical Infrastructure Protection, Proceedings of the First Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection. Springer,
Dartmouth College, Hanover, New Hampshire, USA, March 2007.
[7] V. Igure, S. Laughter, and R. Williams. Security issues in SCADA networks. Computers & Security,
25(7):498–506, 2006.
[8] T. Kailath and H. V. Poor. Detection of stochastic processes. IEEE Transactions on Information Theory, 44(6):2230–2258, October 1998.
[9] T. Kilpatrick, J. Gonzales, R. Chandia, M. Papa, and S. Shenoi. Forensic analysis of SCADA systems and networks. International Journal of Security and Networks, 2:95–102, 2008.
[10] P. Oman, E. Schweitzer, and J. Roberts. Safeguarding IEDs, Substations, and SCADA Systems Against Electronic Intrusions. In Proceedings of the 2001 Western Power Delivery Automation Conference, pages 9–12, 2001.
[11] M. Papa and S. Shenoi. Critical Infrastructure Protection II, Proceedings of the Second Annual IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection. Springer, March 2008.
[12] N. Ricker. Model predictive control of a continuous, nonlinear, two-phase reactor. JOURNAL OF PROCESS CONTROL, 3:109–109, 1993.
[13] P. Tsang and S. Smith. YASIR: A Low-Latency, High-Integrity Security Retrofit for Legacy SCADA Systems. Proceedings of the IFIP TC 11 23rd International Information Security Conference, 2008.
[14] US-CERT. Control Systems Security Program. US Department of Homeland Security, http:
//www.us-cert.gov/control_systems/index.html, 2008.
[15] A. Wright, J. Kinast, and J. McCarty. Low-Latency Cryptographic Protection for SCADA
Communications. LECTURE NOTES IN COMPUTER SCIENCE, 3089:263–277, 2004.