(245d) Detectability-Based Controller Design Screening for Multiplicative Sensor-Controller Attacks | AIChE

Authors 

El-Farra, N., University of California, Davis
Ellis, M., University of California, Davis

Increasing reliance on wireless communication and the growing complexity of cyberattacks have rendered industrial control systems vulnerable to attacks by malicious agents [1]. Traditionally, cyberattack threats to industrial control systems have been viewed as an information technology (IT) issue and addressed through IT infrastructure-based approaches. However, over the past decade, several highly sophisticated cyberattacks (e.g., Stuxnet virus (2010), German steel mill attack (2014), Ukrainian power grid attack (2015), TRITON (2017) [2]) have demonstrated that IT infrastructure-based solutions to handling cyberattacks on industrial control systems are insufficient on their own. This realization has led to research on several approaches for handling cyberattacks from a process control perspective. Examples range from designing process control systems (PCSs) that are inherently attack-resilient to developing cyberattack detection, identification and mitigation schemes (e.g., [3]-[6]).

One way an attack may affect a PCS is by manipulating data sent over communication links between the PCS components. While detectability of cyberattacks affecting the PCS communication links may be considered a systems-theoretic property, it is possible for certain controller design parameters to mask the impact of cyberattacks from certain detection schemes. These cyberattacks, called zero-alarm attacks, keep the alarm rate at zero and are particularly challenging to address. However, based on the knowledge of the impact that controller design parameters have on the detectability of an attack, it may be possible to design a controller that does not result in a zero-alarm attack.

Existing control system design criteria typically account for aspects such as closed-loop stability of the process, process economics and robustness to uncertainty [7,8]. However, they do not account for cybersecurity considerations. In this work, we present a novel approach to incorporating the detectability of a cyberattack into the control system design. Specifically, we present a controller screening methodology intended to aid a control designer in identifying and discarding controller and observer design parameters that lead to a multiplicative zero-alarm sensor-controller attack of a certain magnitude on a PCS. We establish the definitions of undetectable (zero-alarm) and potentially detectable attacks for a particular class of residual-based detection schemes. Then, for a given magnitude of multiplicative attack and choice of controller design parameters, we characterize a minimum invariant residual set-based condition that can be used to determine whether the multiplicative attack is undetectable. Leveraging the developed condition, we then present a controller design screening methodology that aids in the identification of controller design parameters leading to undetectable attacks of a certain magnitude. Thus, a controller design that is selected based on the screening methodology ensures that an attack of the chosen magnitude is potentially detectable with respect to the class of residual-based detection schemes considered. Finally, we demonstrate the application of the detectability-based controller screening methodology using a chemical process example.
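The screening idea described above, as an added example that is not the authors' algorithm or code. It assumes a scalar plant x⁺ = a·x + b·u + w with observer gain L, feedback u = −K·x̂, attacked measurement ỹ = α(x + v), residual r = ỹ − x̂, bounded |w| and |v|, and an alarm threshold equal to the attack-free worst-case residual; all names and numbers are constructed.

```python
import math

def residual_bound(a, b, K, L, alpha, w_bar, v_bar, tol=1e-12, max_steps=100_000):
    """Worst-case |r| of r = y_rx - x_hat when the controller receives
    y_rx = alpha*(x + v). State z = [x, x_hat]; inf if the loop is unstable."""
    A = ((a, -b * K), (L * alpha, a - b * K - L))
    tr = A[0][0] + A[1][1]
    det = A[0][0] * A[1][1] - A[0][1] * A[1][0]
    disc = tr * tr - 4 * det
    rho = (abs(tr) + math.sqrt(disc)) / 2 if disc >= 0 else math.sqrt(det)
    if rho >= 1:
        return math.inf
    c = (alpha, -1.0)                      # r = alpha*x - x_hat + alpha*v
    total = abs(alpha) * v_bar             # direct effect of the current v
    # Sum |c A^k B| over past w (enters x) and past v (enters x_hat via L*alpha).
    for col, bound in (((1.0, 0.0), w_bar), ((0.0, L * alpha), v_bar)):
        z = col
        for _ in range(max_steps):
            total += abs(c[0] * z[0] + c[1] * z[1]) * bound
            z = (A[0][0] * z[0] + A[0][1] * z[1], A[1][0] * z[0] + A[1][1] * z[1])
            if abs(z[0]) + abs(z[1]) < tol:
                break
    return total

def screen(a, b, designs, alpha, w_bar, v_bar):
    """Classify each (K, L) design for a multiplicative attack of size alpha."""
    labels = {}
    for K, L in designs:
        tau = residual_bound(a, b, K, L, 1.0, w_bar, v_bar)  # attack-free bound
        if math.isinf(tau):
            labels[(K, L)] = "nominally unstable"
            continue
        r_att = residual_bound(a, b, K, L, alpha, w_bar, v_bar)
        labels[(K, L)] = "zero-alarm" if r_att <= tau else "potentially detectable"
    return labels

if __name__ == "__main__":
    # Constructed example: integrator-like plant, deadbeat observer, three gains.
    designs = [(0.5, 1.0), (1.2, 1.0), (2.5, 1.0)]
    for d, label in screen(1.0, 1.0, designs, 0.5, 0.1, 0.1).items():
        print(d, label)
```

In this constructed case the gain K = 0.5 would be discarded by the screen, because the attacked residual can never leave the attack-free residual interval, while K = 1.2 is kept.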

References:

[1] K. E. Hemsley, E. Fisher et al., “History of industrial control system cyber incidents”, Idaho National Laboratory (INL), Idaho Falls, ID (United States), Tech. Rep. INL/CON-18-44111, 2018.

[2] H. Kayan, M. Nunes, O. Rana, P. Burnap, and C. Perera, “Cybersecurity of industrial cyber-physical systems: A review”, arXiv:2101.03564, 2021.

[3] S. Chen, Z. Wu and P.D. Christofides, “A cyber-secure control-detector architecture for nonlinear processes”, AIChE Journal, vol. 66, no. 5, p. e16907, 2020.

[4] H. Durand and M. Wegener, “Mitigating cyberattack impacts using Lyapunov-based economic model predictive control”, in Proceedings of the American Control Conference, Virtual, 1-3 July 2020, pp. 1894-1899.

[5] J. Giraldo, D. Urbina, A. Cárdenas, J. Valente, M. Faisal, J. Ruths, N. O. Tippenhauer, H. Sandberg and R. Candell, “A survey of physics-based attack detection in cyber-physical systems”, ACM Computing Surveys, vol. 51, no. 4, pp. 76:1-76:36, 2018.

[6] N. Hashemi and J. Ruths, “Co-design for security and performance: LMI tools”, arXiv:1909.12452, 2019.

[7] P.D. Christofides, N. H. El-Farra, “Control of nonlinear and hybrid process systems: Designs for uncertainty, constraints and time-delays”, Vol. 324, Springer Science & Business Media, 2005.

[8] J.A. Romagnoli, A. Palazoglu, “Introduction to process control”, CRC Press, 2020.