Disconnection-aware Attack Detection in Networked Control Systems - - PowerPoint PPT Presentation
IF IFAC World Congress 2020 July ly 12-17 17 Disconnection-aware Attack Detection in Networked Control Systems Hampei mpei Sasahar ahara*, *, Takayuk uki i Ish shiz izak aki**, **, Jun-ic ichi hi Imur ura**, a**, Henrik nrik
al Insti stitut tute of Tec echno hnolo logy, ** Tokyo
nstit titute ute of tec echn hnology)
1/15
Information System (IS) Security
Control System (CS) Security
Uranium Plant Power Grid Industrial System
interest in this talk
2/15 idea: to create a dynamical model and check if the observed data coincide with the model
residual alarm attack detector residual generator local measurement networked system dynamical model
3/15
[1] P . Cichonski, et al., Computer Security Incident Handling Guide, NIST, 2012.
model-based detection
attack
guideline provided by NIST (National Institute of Standard and Technology) [1] disconnection of suspected components
4/15
not design parameter
segmentation: design parameter possible to choose so as to cope with disconnection segmentation:
4/15
not design parameter
segmentation: design parameter possible to choose so as to cope with disconnection segmentation:
5/15
: reference : interaction : attack : measurement : interaction th subsystem interaction : the remaining subsystem’s indices
5/15
the entire system with remaining subsystems
distributed residual generator
: residual : estimated interactions
5/15
commonly used residual generator Luenberger-type observer in a distributed form
the entire system with remaining subsystems
distributed residual generator
: residual : estimated interactions residual feedback with a static gain + residual generator
6/15
DG
distributed attack detector
false data injection attack DG DG
commonly used model (LinDistFlow)
disconnection at
voltage keep around setpoint properly segmented
disconnection
node edge
(first-order system) keep around setpoint (> 229 [V])
229 [V] 230 [V] (setpoint)
(Luenberger)
6/15
disconnection at
diverge loss of tracking capability by disconnection
perfect tracing (zero residual)
residual
DG
distributed attack detector
false data injection attack DG DG disconnection
commonly used model (LinDistFlow)
node edge
(first-order system) (Luenberger)
7/15
notation: Assumption (proper segmentation) remaining subsystems is internally stable for any Problem Design a residual generator such that for any when internally stable for any Remark: naive approach is possible solution drawback: detection time depends on time constant of late detection we will seek for and
8/15
consider the particular residual generator
Remark: Luenberger-type observer
the error dynamics is the design parameters Reformulated Problem Design such that the closed-loop system is internally stable for any
where (interaction errors) internally stable for any
block-diagram
with
9/15
Retrofit Control: modular design method of a decentralized controller Crucial Premise the preexisting system is internally stable fundamental idea design such that the interaction relation is kept to be invariant preserving stability
system of interest intended situation multiple subcontroller designers : designer of : designer of
10/15
Retrofit Control: modular design method of a decentralized controller
system of interest intended situation multiple subcontroller designers : designer of : designer of
the th subcontroller designer’s viewpoint interaction relation is invariant
10/15
Retrofit Control: modular design method of a decentralized controller
system of interest intended situation multiple subcontroller designers : designer of : designer of
the th subcontroller designer’s viewpoint the entire system is stable Youla parameter interaction relation is invariant ( holds when other models are completely unknown)
Assumption: is measurable in addition to 11/15
is difficult to handle in general (i) output-rectifying retrofit controllers: (ii) input-rectifying retrofit controllers: Existing Result on (i) : locally stabilizing controller :rectified output Assumption can be satisfied by introducing abundant sensors
(ii) has not received much attention because the condition is on “control inputs” requiring modification of actuators relatively difficult to address in physical systems condition
Lemma (dual) 12/15
back to our problem: disconnection-aware attack detector design approach: applying retrofit control so as to key observation: control inputs in residual generator: cyber signals physical actuators are not required idea: introducing an additional input for rectifying the original input th sub-closed-loop with designing such that Solution with the structured Remark: no requirements on input/output ports of residual generator broad applicability
13/15
DG false data injection attack DG DG disconnection
CIGRE benchmark model
[V] commonly used model (LinDistFlow)
node edge
(first-order system) (European residential network) , for any
measurement signal: (reactive power) controller design: linear quadratic regulator
14/15
the normalized residual response (for decision making) proposed decision line decisions are made at and
threat model: step function from at the 4th customer’s reference voltage (0.95 DC gain) naive (no feedback)
14/15
naive (no feedback) proposed disconnection disconnection the voltage response (should be regulated)
14/15
stability under disconnection
disconnection at
residuals Luenberger-type proposed
15/15
(i) point out importance of disconnection awareness in the context of incident handling
(ii) propose a solution based on retrofit control theory (iii) show that a particular form of retrofit controllers is appropriate for our problem, which leads to broad applicability of our method
(i) attack detector design with a given ROC (receiver operating characteristic) curve residual alarm attack detector residual generator (ii) analysis for sophisticated attacks thank you for your kind attention