(15g) Enabling Cyberattack Detection in Process Control Systems Via Randomized Controller Switching | AIChE

Authors

El-Farra, N., University of California, Davis
Ellis, M., University of California, Davis

Process control systems (PCS) are cyber-physical systems that integrate mechanical equipment (e.g., pressure vessels and pumps) and software components (e.g., control logic and data historians) to operate chemical processes. In the past decade, an uptick in cybersecurity breaches targeting the chemical process industry [1] has motivated research on operational technology-based approaches to enhance the cybersecurity of PCSs [2]. The design of cyberattack detection schemes, which monitor a process for anomalies based on the deviation of the monitoring variable from its expected attack-free value, has received extensive attention in the literature [3]-[10]. Passive detection schemes monitor a process for attacks based on regular operating data [4], [7], [8]. Active detection schemes actively probe for attacks by applying external interventions or perturbations to the process [4], [5], [10].

Control system parameters influence the ability (or inability) to detect an attack [4]. Stealthy attacks may evade detection by a passive detection scheme. To enable the detection of stealthy attacks, it may be preferable to operate the process under so-called “attack-sensitive” control system parameters, chosen such that an attack on the process destabilizes it [5]. However, operating under attack-sensitive parameters may degrade closed-loop performance relative to operating under parameters chosen by conventional performance-based tuning approaches, so there may be a tradeoff between the ability to detect an attack and closed-loop performance. To manage this tradeoff, a control system parameter switching-enabled active detection strategy was proposed to enhance the detection capabilities of a passive detection scheme [5]. Under that detection method, the control system parameters occasionally switch to attack-sensitive parameters. Control system parameter switching on the attack-free process may excite the process dynamics and cause the process states to evolve briefly outside a neighborhood of the steady state, triggering false alarms in the detection scheme. For a PCS with (full) state measurements, a state-dependent switching condition was proposed to minimize false alarms [6]. However, state measurements may not always be available, and the switching method does not eliminate false alarms.

This work proposes a randomized control system parameter switching strategy for detecting attacks on processes for which full state measurements are not available. The proposed active detection strategy utilizes a reachable set-based cyberattack detection scheme that monitors a variable according to its expected evolution, as defined by the reachable sets of the monitoring variable. This detection scheme can monitor the process during dynamic operation, accounting for potential excitation of the dynamics after switching. Therefore, the reachable set-based detection scheme does not generate false alarms even when a control parameter switch is implemented on the attack-free process at any randomly chosen time step. Randomly choosing the time step at which to implement the control parameter switch may aid in preserving the confidentiality of the active detection strategy, as an attacker may not have access to the control parameter switching schedule needed to design an attack that evades detection. The proposed strategy is applied to a chemical process to demonstrate that it raises no false alarms under attack-free operation and that it can detect attacks.
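The strategy described above can be illustrated with a small simulation. This is an added example, not code from the authors: the scalar process, the noise bounds, the two controller gains, the multiplicative attack on the control signal and all names are assumptions made for illustration.

```python
import random

# Constructed scalar process x+ = A*x + B*u + w, y = x + v (assumed, not from the abstract).
A, B = 1.1, 1.0
W_MAX, V_MAX = 0.10, 0.05           # bounds on process disturbance and measurement noise
K_NOMINAL, K_SENSITIVE = 0.6, 1.8   # both gains stabilize the attack-free loop
ALPHA = 1.5                         # assumed multiplicative attack on the control signal


def simulate(seed, attack_start=None, switching=True, horizon=200):
    """Return (switch_step, alarm_step); alarm_step is None if no alarm is raised."""
    rng = random.Random(seed)
    # The switch time is drawn at random, so it cannot be read off a fixed schedule.
    switch_step = rng.randrange(40, 80) if switching else None
    x, radius = 0.0, 0.0            # true state; reachable set of x is [-radius, radius]
    for k in range(horizon):
        gain = K_SENSITIVE if switching and k >= switch_step else K_NOMINAL
        y = x + rng.uniform(-V_MAX, V_MAX)
        # Detector: y must lie in the attack-free reachable set of x, inflated by noise.
        if abs(y) > radius + V_MAX + 1e-12:
            return switch_step, k
        u = -gain * y
        attacked = attack_start is not None and k >= attack_start
        u_applied = ALPHA * u if attacked else u
        x = A * x + B * u_applied + rng.uniform(-W_MAX, W_MAX)
        # Propagate the reachable-set radius with the gain actually in use, so the
        # excitation caused by a switch is part of the expected evolution.
        pole = A - B * gain
        radius = abs(pole) * radius + abs(B * gain) * V_MAX + W_MAX
    return switch_step, None


if __name__ == "__main__":
    print("attack-free, switching:  ", simulate(1))
    print("attacked, no switching:  ", simulate(1, attack_start=20, switching=False))
    print("attacked, switching:     ", simulate(1, attack_start=20))
```

With these values the attacked loop has pole 0.2 under the nominal gain, so the measurement stays inside the attack-free reachable set, and pole -1.6 under the attack-sensitive gain, so the measurement leaves the set after the switch.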

References:

[1] M. Iaiani, A. Tugnoli, S. Bonvicini, and V. Cozzani, “Analysis of cybersecurity-related incidents in the process industry,” Reliability Engineering & System Safety, volume 209, pp. 107485, 2021.

[2] S. Parker, Z. Wu, and P.D. Christofides, “Cybersecurity in process control, operations, and supply chain,” Computers & Chemical Engineering, volume 171, pp. 108169, 2023.

[3] D. Zhang, Q. G. Wang, G. Feng, Y. Shi, and A. V. Vasilakos, “A survey on attack detection, estimation and control of industrial cyber–physical systems,” ISA Transactions, volume 116, pp. 1-16, 2021.

[4] S. Narasimhan, N. H. El-Farra, and M. J. Ellis, “Detectability-based controller design screening for processes under multiplicative cyberattacks,” AIChE Journal, volume 68, pp. e17430, 2022.

[5] S. Narasimhan, N. H. El-Farra, and M. J. Ellis, “Active multiplicative cyberattack detection utilizing controller switching for process systems,” Journal of Process Control, volume 116, pp. 64-72, 2022.

[6] S. Narasimhan, N. H. El-Farra, and M. J. Ellis, “A control-switching approach for cyberattack detection in process systems with minimal false alarms,” AIChE Journal, volume 68, pp. e17875, 2022.

[7] H. Oyama, D. Messina, K. K. Rangan, and H. Durand, “Lyapunov-based economic model predictive control for detecting and handling actuator and simultaneous sensor/actuator cyberattacks on process control systems,” Frontiers in Chemical Engineering, volume 5, pp. 810129, 2022.

[8] S. Narasimhan, N. H. El-Farra, and M. J. Ellis, “A reachable set-based cyberattack detection scheme for dynamic processes,” Proceedings of the American Control Conference, In Press, 2023.

[9] C. Kwon and I. Hwang, “Reachability analysis for safety assurance of cyber-physical systems against cyberattacks,” IEEE Transactions on Automatic Control, volume 63, pp. 2272-2279, 2018.

[10] C. Trapiello and V. Puig, “Input design for active detection of integrity attacks using set-based approach,” Proceedings of the IFAC World Congress, Berlin, Germany, pp. 11094-11099, 11-17 July, 2020.