(419g) Limitations of Control-Theoretic Control System Cyberattack Detection for Distributed Control Leading to Cost/Benefit Analysis for Control System Cybersecurity | AIChE

Authors

Messina, D. - Presenter, Wayne State University
Durand, H., Wayne State University
Hinzman, K., Wayne State University
In recent years, concern about the cybersecurity of chemical plants has grown in the wake of numerous successful attacks on control and information technology (IT) systems that resulted in lost profit and destroyed property [2], and in light of the potential for casualties if hazardous processes are targeted in the future. Cybersecurity of industrial control systems (ICS) faces two obstacles. First, the sheer number of potential attack surfaces (e.g. hardware components, software, and communication networks [3]) requires a carefully integrated defense with a strategy for each type of attack. Second, continuous process operation is treated as a very high priority in ICS, whereas in many IT settings the security of the system takes precedence over operational availability [1]. It is therefore of interest to develop secure ICS architectures capable of handling cyberattacks on all system components while sufficiently guaranteeing safe continuous process operation at the lowest possible cost. In this talk, we discuss cyberattack handling for attacks on ICS hardware components (e.g. sensors) as well as IT considerations for network communication security.

Cyberattacks targeting hardware components and software can cause adverse events that result in loss of control of a process, so detecting and removing a cyberattack is critical for keeping the process online. In centralized control, where a single controller operates the process, detection methods have been developed to flag cyberattacks on the system; however, to direct attack removal it is also important to diagnose which specific components are under attack (e.g. a compromised thermocouple that is sending false temperature readings). Distributed control frameworks use communicating networks of controllers, each operating on a process subsystem, and are potentially attractive for reducing the computation time of control actions for large-scale processes; they also have a larger number of components and communication links that could be attacked. However, distributed control can potentially keep a process operating safely when a controller or subsystem must be taken offline (for example, because an attack has been diagnosed on that part of the system), which makes cyberattack diagnosis critical for continuous operation. Distributed control therefore appears attractive for cyberattack-resilient ICS frameworks.
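As an added illustration of diagnosing which component is compromised in a distributed setting (example code written for this page, not the talk's or the authors' code), the following Python script has several controllers cross-check one another's broadcast sensor readings against a shared process model and accuse peers whose residual is out of tolerance; a sensor is diagnosed as attacked only on a strict majority of the other controllers. The coupled first-order model, the gains, the residual threshold, the function names and both attack schedules are constructed assumptions, not taken from the paper. The script also shows two limitations of this kind of cross-checking: with only two controllers a lying controller cannot be isolated (and can even frame its honest peer), and a bias that grows slowly enough stays under the residual threshold indefinitely.

```python
"""Cross-checking sensor readings among distributed controllers to diagnose a
compromised sensor. Added illustration, not the talk's or the authors' code.

Constructed model (all constants are assumptions): n coupled first-order
subsystems, one controller and one sensor each,
    x_i(k+1) = a*x_i(k) + c*sum_{j!=i} x_j(k) + b*u_i(k),   u_i(k) = -g*y_i(k),
where y_i is sensor i's reading. Readings and inputs are broadcast each step,
so every controller can re-predict from the shared model what each peer's
sensor should report now and vote "suspect" on peers whose residual exceeds a
noise bound. A sensor is diagnosed as attacked only if a strict majority of
the other controllers accuse it. A compromised controller both biases its own
reading and accuses every peer.
"""
A, C, B, G = 0.9, 0.02, 0.5, 0.8   # plant and controller constants (assumed)
THRESHOLD = 0.05                   # residual tolerance (assumed sensor noise bound)


def plant_step(x, u):
    """One step of the coupled model applied to states x with inputs u."""
    total = sum(x)
    return [A * x[i] + C * (total - x[i]) + B * u[i] for i in range(len(x))]


def cast_votes(y_now, y_pred, liar=None, threshold=THRESHOLD):
    """votes[i] = number of peers accusing sensor i. Controller `liar` (if any)
    accuses every peer regardless of the residual."""
    n = len(y_now)
    votes = [0] * n
    for j in range(n):                      # voter
        for i in range(n):                  # sensor under scrutiny
            if i != j and (j == liar or abs(y_now[i] - y_pred[i]) > threshold):
                votes[i] += 1
    return votes


def diagnose(votes):
    """Sensors accused by a strict majority of the other n-1 controllers."""
    n = len(votes)
    return [i for i, v in enumerate(votes) if 2 * v > n - 1]


def constant_bias(m, size=1.0):
    """Crude attack: a fixed offset from the first attacked step (m = 1) on."""
    return size


def stealthy_bias(m, rate=0.04):
    """Bias grown so that each step's residual is exactly `rate` (< THRESHOLD):
    bias_m = a*bias_{m-1} + rate, which tends to rate/(1-a) and is never flagged."""
    return rate * (1 - A ** m) / (1 - A)


def simulate(n, attacked=None, bias=constant_bias, steps=30, attack_start=10):
    """Run the loop for `steps` steps; returns the diagnosis list at every step."""
    x = [1.0] * n                          # initial deviation from setpoint (constructed)
    y_prev = list(x)
    u_prev = [-G * yi for yi in y_prev]
    history = []
    for k in range(1, steps + 1):
        x = plant_step(x, u_prev)          # true process
        y = list(x)
        lying = attacked is not None and k >= attack_start
        if lying:
            y[attacked] += bias(k - attack_start + 1)
        y_pred = plant_step(y_prev, u_prev)   # shared-model prediction of every sensor
        history.append(diagnose(cast_votes(y, y_pred, liar=attacked if lying else None)))
        u_prev = [-G * yi for yi in y]     # controllers act on what their sensors report
        y_prev = y
    return history


def undetectable_bias_bound(threshold=THRESHOLD):
    """Largest steady bias a residual check with this threshold can never see."""
    return threshold / (1 - A)


if __name__ == "__main__":
    for n, schedule in ((3, constant_bias), (2, constant_bias), (3, stealthy_bias), (2, stealthy_bias)):
        print(n, "controllers,", schedule.__name__, "-> final diagnosis", simulate(n, attacked=0, bias=schedule)[-1])
```

With three controllers, the crude attack is isolated to sensor 0 from the first attacked step on, because the honest majority outvotes the liar; with two controllers the same attack yields mutual accusation and no decision, and under the stealthy schedule the liar's accusation is the only vote, so the honest sensor is the one flagged. The stealthy bias approaches rate/(1 - a) = 0.4 here, below the bound threshold/(1 - a) = 0.5 that this residual check can never exceed; a defender who wants a tighter bound pays for it either with a lower threshold (more false alarms from noise) or with more redundant controllers, which is the cost the talk attributes to cross-validation.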

Despite the apparent promise of distributed control architectures for handling cyberattacks on control systems, we discuss whether the integrated cyberattack detection and control strategies of [4] extend to the distributed setting in a straightforward manner. We discuss several concepts for having the larger number of controllers cross-check one another so as to obtain a degree of agreement among the controllers that the system appears to be functioning appropriately. Attempts to diagnose and validate system operation through cross-checking, however, add cost through redundancy and complexity, which showcases the value of seeking solutions to the cyberattack diagnosis problem that go beyond breaking the system into many cross-validating components. We also discuss the closed-loop stability considerations that govern when removal of attacked distributed control components is feasible, and what those conditions imply about how an attacker could gain the upper hand over the distributed detection system: by taking control of it when the process is in a condition from which removing a component does not permit stabilization by the remaining controllers under a given policy for the attacked actuators. We conclude by discussing how our work fits within the context of information technology-based approaches, and how one might begin to compare control-theoretic cybersecurity measures with information technology approaches through cost/benefit analyses of pairings of different technologies.
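As an added example of the stability condition that decides whether an attacked component can be removed (example code written for this page with a constructed model, not the authors' method), the following Python script builds the closed-loop state matrix of n coupled first-order subsystems under local feedback, computes its spectral radius, and asks whether the surviving controllers can keep the loop stable once one controller is taken offline and its actuator follows either a hold policy or an attacker's positive-feedback policy. All constants, the stability margin, the gain search and the function names are assumptions.

```python
"""Can the remaining controllers still stabilise the plant once an attacked
controller is taken offline? Added illustration, not the talk's own code.

Constructed model (all constants are assumptions): n coupled first-order
subsystems x_i(k+1) = a*x_i(k) + c*sum_{j!=i} x_j(k) + b*u_i(k) with local
feedback u_i = -k_i*x_i. Taking controller i offline means k_i is no longer
ours: it is 0 if the actuator is simply held, and negative if the attacker
drives the actuator with positive feedback. The closed loop is x(k+1) = M x(k)
with M[i][i] = a - b*k_i and M[i][j] = c, and it is stable iff the spectral
radius of M is below 1. M is symmetric, so its largest eigenvalue is at least
every diagonal entry: an attacker policy with a - b*k_i >= 1 cannot be
compensated by any gains of the surviving controllers.
"""
A, B, C = 0.95, 0.5, 0.1      # open-loop stable but slow, strongly coupled (assumed)
MARGIN = 0.01                 # required distance from the stability boundary (assumed)


def closed_loop_matrix(gains, a=A, b=B, c=C):
    """Closed-loop state matrix for the given per-controller gains."""
    n = len(gains)
    return [[a - b * gains[i] if i == j else c for j in range(n)] for i in range(n)]


def spectral_radius_symmetric(m, iters=500):
    """Spectral radius of a symmetric real matrix by power iteration on M*M: its
    eigenvalues are the squared eigenvalues of M, all non-negative, so the Rayleigh
    quotient converges to rho(M)**2. Non-symmetric input is refused because the
    same computation would only give an upper bound there."""
    n = len(m)
    if any(abs(m[i][j] - m[j][i]) > 1e-12 for i in range(n) for j in range(n)):
        raise ValueError("matrix must be symmetric")
    mm = [[sum(m[i][k] * m[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
    v = [1.0 + i for i in range(n)]                  # generic start vector
    for _ in range(iters):
        w = [sum(mm[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = sum(x * x for x in w) ** 0.5
        v = [x / norm for x in w]
    rayleigh = sum(v[i] * sum(mm[i][j] * v[j] for j in range(n)) for i in range(n))
    return rayleigh ** 0.5


def removal_feasible(gains, margin=MARGIN):
    """True if the loop stays stable, with margin, under these gains."""
    return spectral_radius_symmetric(closed_loop_matrix(gains)) < 1.0 - margin


def min_remaining_gain(offline, offline_gain, n=3, cap=3.0, step=0.05):
    """Smallest uniform gain the surviving controllers need so that taking
    controller `offline` out (its actuator then following `offline_gain`) still
    leaves a stable loop; None if no gain up to `cap` works."""
    k = 0.0
    while k <= cap + 1e-9:
        gains = [offline_gain if i == offline else k for i in range(n)]
        if removal_feasible(gains):
            return round(k, 2)
        k += step
    return None


if __name__ == "__main__":
    print("nominal rho:", spectral_radius_symmetric(closed_loop_matrix([0.8, 0.8, 0.8])))
    print("controller 0 offline, actuator held:", min_remaining_gain(0, 0.0))
    print("controller 0 offline, attacker positive feedback:", min_remaining_gain(0, -0.4))
```

With these constants the nominal loop (all gains 0.8) has spectral radius 0.75, but holding actuator 0 and keeping the other gains at 0.8 pushes the radius just above 1 through the coupling, so removal is only feasible if the surviving controllers tighten to a gain of at least 1.15. If instead the attacker drives actuator 0 with positive feedback (gain -0.4), the diagonal entry becomes 1.15 and no choice of remaining gains recovers the loop; this is the kind of condition the talk refers to, where the policy applied to the attacked actuators removes the option of taking the component offline.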

[1] Candell, Richard, et al. "A cybersecurity testbed for industrial control systems." Proceedings of the 2014 Process Control and Safety Symposium. (2014).

[2] Iaiani, Matteo, et al. "Analysis of past cybersecurity-related incidents in the process industry and the like." Chemical Engineering Transactions 82 (2020): 163-168.

[3] McLaughlin, Stephen, et al. "The cybersecurity landscape in industrial control systems." Proceedings of the IEEE 104.5 (2016): 1039-1057.

[4] Oyama, Henrique, and Helen Durand. "Integrated cyberattack detection and resilient control strategies using Lyapunov-based economic model predictive control." AIChE Journal 66.12 (2020): e17084.