Spotlight on Lablet Research #7 - Foundations of Cyber-Physical Systems Resilience
Project: Foundations of Cyber-Physical Systems Resilience
Lablet: Vanderbilt University
The goal of this project is to develop the principles and methods for designing and analyzing resilient Cyber-Physical Systems (CPS) architectures that deliver required service in the face of compromised components. A fundamental challenge is understanding the basic tenets of CPS resilience and how they can be used in developing resilient architectures. CPS are ubiquitous in critical application domains, which necessitates that systems demonstrate resiliency under cyber-attacks. The researchers’ proposed approach integrates redundancy, diversity, and hardening methods for designing both passive resilience methods that are inherently robust against attacks and active resilience methods that allow responding to attacks.
As CPS become more prevalent in critical application domains, ensuring security and resilience in the face of cyber-attacks is becoming an issue of paramount importance. Cyber-attacks against critical infrastructures, smart water-distribution, and transportation systems, for example, pose serious threats to public health and safety. Owing to the severity of these threats, a variety of security techniques are available. However, no single technique can address the whole spectrum of cyber-attacks that may be launched by a determined and resourceful attacker. In light of this, the research team, led by Principal Investigator (PI) Xenofon Koutsoukos, adopted a multi-pronged approach for designing secure and resilient CPS, which integrates redundancy, diversity, and hardening techniques for designing both passive resilience methods that are inherently robust against attacks and active resilience methods that allow responding to attacks. They also introduced a framework for quantifying cyber-security risks and optimizing the system design by determining security investments in redundancy, diversity, and hardening. To demonstrate the applicability of the framework, they used a modeling and simulation integration platform for experimentation and evaluation of resilient CPS using CPS application domains such as power, transportation, and water distribution systems.
Adversaries may cause significant damage to smart infrastructure using malicious attacks. To detect and mitigate malicious attacks before they can cause physical damage to smart infrastructure, operators can deploy Anomaly Detection Systems (ADS), which can alert operators to suspicious activities. However, detection thresholds of ADS need to be configured properly, as an oversensitive detector raises a prohibitively large number of false alarms, while an undersensitive detector may miss actual attacks. Using a game-theoretic approach, researchers formulated the problem of computing optimal detection thresholds, which minimize both the number of false alarms and the probability of missing actual attacks, as a two-player Stackelberg security game.
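The threshold trade-off described above can be made concrete with a small leader-follower computation. This is an added example, not the researchers' formulation: the Gaussian score model, the attack magnitudes, the false-alarm cost and all function names are assumptions chosen for illustration.

```python
import math

# Constructed model (assumption): benign anomaly scores ~ N(0, 1); an attack
# of magnitude a shifts the score to N(a, 1). The ADS alarms when score > eta.
ATTACKS = [1.0, 2.0, 3.0, 4.0]               # attacker's options; damage = a if missed
THRESHOLDS = [i / 10 for i in range(0, 51)]  # candidate thresholds 0.0 .. 5.0
C_FA = 2.0                                   # defender's cost per unit false-alarm rate

def phi(x):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def false_alarm_rate(eta):
    """Probability that a benign score exceeds the threshold."""
    return 1.0 - phi(eta)

def miss_prob(eta, a):
    """Probability that an attack of magnitude a stays below the threshold."""
    return phi(eta - a)

def attacker_best_response(eta, attacks=ATTACKS):
    """Follower: sees the committed threshold, maximizes expected undetected damage."""
    return max(attacks, key=lambda a: a * miss_prob(eta, a))

def defender_loss(eta, attacks=ATTACKS, c_fa=C_FA):
    """Leader's loss: false-alarm cost plus damage under the attacker's best response."""
    a = attacker_best_response(eta, attacks)
    return c_fa * false_alarm_rate(eta) + a * miss_prob(eta, a)

def optimal_threshold(thresholds=THRESHOLDS, attacks=ATTACKS, c_fa=C_FA):
    """Stackelberg solution on the grid: commit to the threshold with minimal loss."""
    return min(thresholds, key=lambda eta: defender_loss(eta, attacks, c_fa))

if __name__ == "__main__":
    for eta in (0.0, 1.2, 5.0):
        print(eta, attacker_best_response(eta), round(defender_loss(eta), 4))
    print("optimal threshold:", optimal_threshold())
```

An oversensitive setting (threshold 0.0) is dominated by false-alarm cost, an undersensitive one (5.0) by the large attack the follower switches to; the minimum sits between them.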
The research team seeks to improve the structural robustness in networks using the notions of diversity and trustiness. Diversity means that nodes in a network are of different types and have many variants. Trustiness means that a small subset of nodes is immune to failures and attacks. They have shown that by combining diversity and trustiness within the network, they can significantly limit the attacker’s ability to change the underlying network structure by strategically removing nodes.
Non-control data attacks have become widely popular for circumventing authentication mechanisms in websites, servers, and personal computers. In the context of CPS, attacks can be executed against not only authentication but also safety. Moving Target Defense (MTD) techniques such as Data Space Randomization (DSR) can be effective for protecting against various types of memory corruption attacks, including non-control data attacks. The team’s work addressed the problem of maintaining system stability and security properties of a CPS in the face of non-control data attacks by developing a DSR approach for randomizing binaries at runtime, creating a variable redundancy-based detection algorithm for identifying variable integrity violations, and integrating a control reconfiguration architecture for maintaining safe and reliable operation.
With the increasingly connected nature of CPS, new attack vectors are emerging that were previously not considered in the design process. Specifically, autonomous vehicles are one of the most at-risk CPS applications, facing challenges such as a large amount of legacy software, non-trusted third-party applications, and remote communication interfaces. With zero-day vulnerabilities constantly being discovered, an attacker can exploit such vulnerabilities to inject malicious code or even leverage existing legitimate code to take over the cyber part of a CPS. Due to the tightly coupled nature of CPS, this can lead to altering physical behavior in an undesirable or devastating manner. Therefore, it is no longer effective to harden systems reactively; a more proactive approach must be taken. MTD techniques such as Instruction Set Randomization (ISR) and Address Space Randomization (ASR) have been shown to be effective against code injection and code reuse attacks. However, these MTD techniques can cause the control system to crash, which is unacceptable in CPS applications since such a crash may have catastrophic consequences. Therefore, it is crucial for MTD techniques to be complemented by control reconfiguration to maintain system availability in the event of a cyber-attack. Recent work addressed the problem of maintaining system and security properties of a CPS under attack by integrating MTD techniques, as well as detection and recovery mechanisms to ensure safe, reliable, and predictable system operation. Specifically, the researchers are considering the problem of detecting code injection as well as code reuse attacks, and reconfiguring fast enough to ensure that the safety and stability of autonomous vehicle controllers are maintained.
By using MTD techniques such as ISR and ASR, their approach provides the advantage of preventing attackers from obtaining the reconnaissance knowledge necessary to perform code injection and code reuse attacks, making sure attackers can’t find vulnerabilities in the first place. The system implementation includes a combination of runtime MTD utilizing AES 256 ISR and fine-grained ASR, as well as control management that utilizes attack detection and reconfiguration capabilities. They evaluated the developed security architecture in an autonomous vehicle case study, utilizing a custom-developed hardware-in-the-loop testbed.
Technological advancements in today’s electrical grids give rise to new vulnerabilities and increase the potential attack surface for cyber-attacks that can severely affect the grid’s resilience. Cyber-attacks are increasing both in number and in sophistication. These attacks can be strategically organized in chronological order (dynamic attacks), where they can be instantiated at different time instants. The chronological order of attacks enables the uncovering of those attack combinations that can cause severe system damage, but this concept remained unexplored due to the lack of dynamic attack models. Motivated by this idea, researchers considered a game-theoretic approach to design a new attacker-defender model for power systems. Here, the attacker can strategically identify the chronological order in which the critical substations and their protection assemblies can be attacked in order to maximize the overall system damage. However, the defender can intelligently identify the critical substations to protect such that the system damage can be minimized. The research team applied the developed algorithms to the IEEE-39 and 57 bus systems with finite attacker/defender budgets. Their results show the effectiveness of these models in improving the system resilience under dynamic attacks.
Additional details on the project can be found here.