Tutorial on Resilient Control Systems, CPS Week, Beijing, China, 2012
Monday April 16, 2012
09:00 – 09:05 Overview and Opening
09:05 – 10:00 Talk by Tamer Başar
10:00 – 10:15 Coffee Break
10:15 – 11:15 Talk by Karl Johansson
11:15 – 12:15 Talk by Miles McQueen
Lunch is at Friendship Palace 1st Floor
Resilient control systems are those that maintain state awareness of threats and anomalies and assure an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature such as natural disasters, human errors, and device malfunctions. Traditional concepts of robustness, reliability and defense need to be broadened to include the consideration of cyber and physical security and threats stemming from malicious behavior.
Research on resilient control systems is multidisciplinary and has commonalities with computer science, engineering, and social sciences. This tutorial aims at introducing this emerging topic to a larger audience and facilitating collaboration between people in different fields.
This tutorial provides an overview of cyber security issues related to software vulnerabilities and human factors in control systems, and surveys the methods for assessing the security and resilience of control systems, found in the literature as well as in practice.
The tutorial is organized into three modules. Each speaker addresses one aspect of resilient control systems. Module 1 of the tutorial provides a general overview on the foundation and applications of resilient control systems, which focuses on the security interplay between cyber and physical layers of critical infrastructures. Module 2 discusses the human factor of cyber security in control systems and addresses human decision-making and human vulnerabilities as an intrinsic part of each system’s security posture. Module 3 discusses quantitative metrics assessing the resilience and security of control systems, and provides analytical and design methods and tools for resilient control systems.
Module 1: Quantitative methods for resilient control systems (Tamer Başar):
The integration of cyber-computing with physical control systems in many critical infrastructures brings along a multitude of security and resilience issues at the cyber and physical interface. This module covers the emerging quantitative methods used to study these issues, which are fundamental and essential for the analysis and design of resilient systems. The module surveys the proposed metrics and heuristic methods for assessing the resilience and security of control systems, found in the literature as well as in practice. Security is a pivotal aspect of resilience. Concepts from game theory will be introduced, and their applications in network security and privacy will be discussed. The game-theoretic modeling provides insights into optimal defense mechanisms, attacker incentives, and performance limits. Recent developments from the game-theoretical perspective point to emerging opportunities for a system-wide assessment of large-scale systems. The module concludes with a brief discussion of recent results and identification of future work.
1. Q. Zhu, H. Tembine and T. Başar, "Hybrid learning in stochastic games and its application in network security," in F. L. Lewis and D. Liu (Eds.), Reinforcement Learning and Approximate Dynamic Programming for Feedback Control, IEEE Press Computational Intelligence Series, 2012.
2. Q. Zhu and T. Başar, "A hierarchical security architecture for smart grid," in E. Hossain, Z. Han and H. V. Poor (Eds.), Smart Grid Communications and Networking, Cambridge University Press, 2012.
3. M. H. Manshaei, Q. Zhu, T. Alpcan, T. Başar, J.-P. Hubaux, "Game theory meets network security and privacy," accepted and to appear in ACM Computing Surveys, 2012.
4. Z. Han, D. Niyato, W. Saad, T. Başar, and A. Hjorungnes. Game Theory in Wireless and Communication Networks: Theory, Models, and Applications. Cambridge University Press, October 2011.
5. T. Alpcan and T. Başar. Network Security: A Decision and Game Theoretic Approach. Cambridge University Press, January 2011.
Safe and reliable operation of cyber-physical systems and critical infrastructures is of major societal importance. These systems need to be engineered in such a way that they can be continuously monitored, coordinated, and controlled despite a variety of possible cyber-attacks and system disturbances. Unlike other IT systems where cyber-security mainly involves encryption and protection of data, attacks on cyber-physical systems may influence the physical processes through the digital controllers or the communication infrastructure. Therefore, focusing on encryption of data alone may not be enough to guarantee the security of the overall system, especially not for its physical component. In order to increase the resilience of these systems, one needs appropriate tools to first understand and then to protect against such attacks. In this module, we will present some recently developed methods to analyze and design cyber-secure control systems. Motivating applications from the power grid and the process industry will be discussed in some detail. It will be shown that the power system state estimator can be vulnerable to malicious deception attacks on the measurements, resulting in biased estimates, which can have severe consequences for the output of the optimal power flow algorithm. How to formalize such sensor attacks and how to protect against them will be discussed. Vulnerabilities in wireless sensor networks used in control systems in the process industry will also be presented.
Module 3: Human factors in cyber security of control systems (Miles McQueen):
The purpose of this module is to help one think more deeply and better understand the realities of software and human aspects of cyber security and, in particular, the use and abuse of deception in security. This should lead to a modified approach for thinking about security and spark ideas for new research directions.
The module will focus on a variety of cyber security issues related to the prevalence of software vulnerabilities and the need to understand the human as an intrinsic component of each system. The first half of the module will address the current security posture of systems relative to their associated software vulnerabilities. A vulnerability life cycle will be presented and important security measurements will be supplied for each portion of the life cycle. A few of the security measures which will be discussed include, but are not limited to, the average time to patch for various critical infrastructure sectors; the number of vulnerabilities announced which have a patch immediately available; and a conservative estimate of the number of vulnerabilities which someone has discovered but which are not public knowledge. The second half of the module will address human decision-making and human vulnerabilities as an intrinsic part of each system’s security posture. Attendees will be introduced to the notions of human lies and deception, concepts which will be used throughout the second half of the module. This will be followed by discussions related to formal logic and probabilistic models which will naturally lead into an inquiry and demonstration of unbounded and boundedly rational decision making, and methods for influencing human behavior. Using a bounded rationality model for human decision-making, various techniques in social engineering will be explored and the associated difficulties for security policy, implementation, and measurement will be analyzed. A case study with previous experimental results will be presented and an improved, more structured approach currently implemented at INL will be discussed. The module will conclude with a discussion of resilience and make the case that resilience is needed because actual deployed systems will continue to have both software and human vulnerabilities for decades to come, and thus be susceptible to cyber attacks.
The tutorial provides a perspective for resilience and the need for integration of cyber security protections within the next generation of control system designs. The material and the level of coverage are appropriate for the practitioner and the researcher alike, and should be of interest to basic, medium and advanced researchers in cyber-physical systems.