Abstract
In this paper, we shall formulate and address a problem of covert actuator attacker synthesis for cyber-physical systems that are modeled by discrete-event systems. We assume the actuator attacker partially observes the execution of the closed-loop system and is able to modify each control command issued by the supervisor on a specified attackable subset of controllable events. We provide straightforward but in general exponential-time reductions, due to the use of subset construction procedure, from the covert actuator attacker synthesis problems to the Ramadge-Wonham supervisor synthesis problems. It then follows that it is possible to use the many techniques and tools already developed for solving the supervisor synthesis problem to solve the covert actuator attacker synthesis problem for free. In particular, we show that, if the attacker cannot attack unobservable events to the supervisor, then the reductions can be carried out in polynomial time. We also provide a brief discussion on some other conditions under which the exponential blowup in state size can be avoided. Finally, we show how the reduction based synthesis procedure can be extended for the synthesis of successful covert actuator attackers that also eavesdrop the control commands issued by the supervisor.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
There is in fact an exception. In sensor insertion scenario, Carvalho et al. (2018) assumes the attacker knows the model of the supervisor.
The supervisor could be designed in such a way that either every disabled event is non-attackable, which makes (enablement) attack impossible, or every disabled attackable event cannot bring the system to damage, which makes attack futile.
We write δ(q, σ)! to mean δ(q, σ) is defined and write ¬δ(q, σ)! to mean δ(q, σ) is undefined. As usual, δ is naturally extended to the partial transition function \(\delta : Q \times {\varSigma }^{*} \rightarrow Q\) such that, for any q ∈ Q, any s ∈ Σ∗ and any σ ∈ Σ, δ(q, 𝜖) = q and δ(q, sσ) = δ(δ(q, s), σ). We define \(\delta (Q^{\prime } ,\sigma )=\{\delta (q, \sigma ) \mid q \in Q^{\prime }\}\) for any \(Q^{\prime }\subseteq Q\).
This assumption may be removed, by imposing the constraint that the attacker does not change its attack decision whenever σ ∈ Σuo is executed in the plant, even when the execution of σ may be observed by the attacker, if σ ∈ Σuo ∩ Σo, A, and thus may lead to state change in the attacker. The analysis of this general case is left to the future work.
The supervisor is not sure whether σ has been disabled by an attacker, even if disabling σ may result in deadlock, as the supervisor is never sure whether: 1) deadlock has occurred due to actuator attack, or 2) σ will possibly fire soon (according to the internal mechanism of the plant).
The requirement \({\varSigma }_{c, A} \subseteq {\varSigma }_{c}\) is not essential, as it is only used in Remark 2, i.e., used in the discussion of when the reduction can be carried out in polynomial time.
The relaxation of this requirement makes our synthesis approach incomplete in general.
In Lima et al. (2017), when the supervisor detects the presence of an attacker, all controllable events will be disabled, while uncontrollable events can still occur (i.e., immediate halt by reset is impossible). This is not difficult to accommodate, by working on the damage automaton H that defines the set of damage-inflicting strings Lm(H). In particular, if uncontrollable events can still occur after the detection, then we only need to use the new damage automaton \(H^{\prime }\) with \(L_{m}(H^{\prime })=L_{m}(H) \cup L_{m}(H)/{\varSigma }_{uc}^{*}\), where \(L_{m}(H)/{\varSigma }_{uc}^{*}:=\{s \in {\varSigma }^{*} \mid \exists s^{\prime } \in {\varSigma }_{uc}^{*}, ss^{\prime } \in L_{m}(H)\}\), as the renewed set of damage-inflicting strings. An alternative approach is to add self-loops of each uncontrollable event at the state xhalt of SA and at the state \(\varnothing \) of \(P_{{\varSigma }_{o}}(S\lVert G)\) to allow execution of uncontrollable events after the detection; the definition of these two components will be explained soon.
The same monitoring mechanism indeed works for both covert attackers and risky attackers (Lin et al. 2019b).
Alternatively, we can use the equivalent set \(\{(q, x, D, y, w) \in Q \times (X \cup \{x_{halt}\}) \times 2^{X \times Q} \times Y \times W \mid D=\varnothing \wedge w \notin W_{m}\}\) for specifying the violation of covertness.
Theorem 1 requires the synthesis of a safe and nonblocking supervisor, while Theorem 2 only requires the synthesis of a safe and nonempty supervisor. The maximally permissive supervisor synthesis algorithm in Yin and Lafortune (2016) is of exponential time complexity and can be adapted for both scenarios.
In another setup (Lin et al. 2019b), the supervisor sends a control command each time when it fires an observable transition \(\zeta (x, \sigma )=x^{\prime }\) satisfying \(\varGamma (x) \neq \varGamma (x^{\prime })\). To solve the (covert) actuator attacker synthesis problem for this setup requires the concept of dynamic observation (Arnold et al. 2003) that is beyond the scope of this work.
References
Amin S, Litrico X, Sastry SS, Bayen AM (2010) Stealthy deception attacks on water SCADA systems. HSCC: 161–170
Arnold A, Vincent A, Walukiewicz I (2003) Games for synthesis of controllers with partial observation. Theor Comp Sci 303(1):7–34
Bergeron A (1993) A unified approach to control problems in discrete event processes. RAIRO-Theoretical Informatics and Applications 27(6):555–573
Carvalho LK, Wu YC, Kwong R, Lafortune S (2016) Detection and prevention of actuator enablement attacks in supervisory control systems. WODES: 298–305
Carvalho LK, Wu YC, Kwong R, Lafortune S (2018) Detection and mitigation of classes of attacks in supervisory control systems. Automatica 97:121–133
Cassandras C, Lafortune S (1999) Introduction to discrete event systems. Kluwer, Boston
Forejt V, Kwiatkowska M, Norman G, Parker D (2011) Automated verification techniques for probabilistic systems. SFM: 53–113
Goes RM, Kang E, Kwong R, Lafortune S (2017) Stealthy deception attacks for cyber-physical systems. Conference on Decision and Control: 4224–4230
Hélouët L, Marchand H, Ricker L (2018) Opacity with powerful attackers. IFAC 51(7):464–471
Hopcroft JE, Ullman JD (1979) Introduction to automata theory, languages, and computation. Addison-Wesley, Reading
Jones A, Kong Z, Belta C (2014) Anomaly detection in cyber-physical systems: a formal methods approach. Conference on Decision and Control: 848–853
Kang E, Adepu S, Mathur A, Jackson D (2016) Model based security analysis of a water treatment system. SEsCPS: 22–28
Lanotte R, Merro M, Muradore R, Vigano L (2017) A formal approach to cyber-physical attacks. IEEE Computer Security Foundations Symposium: 436–450
Lei F, Wonham WM (2010) On the computation of natural observers in discrete-event systems. Discrete Event Dynamic Systems 20(1):63–102
Lima PM, Alves MVS, Carvalho LK, Moreira MV (2017) Security against network attacks in supervisory control systems. IFAC 50(1):12333–12338
Lima PM, Carvalho LK, Moreira MV (2018) Detectable and undetectable network attack security of cyber-physical systems. IFAC 51(7):179–185
Lin L, Thuijsman S, Zhu Y, Ware S, Su R, Reniers M (2019a) Synthesis of successful normal actuator attackers on normal supervisors. American Control Conference: 5614–5619
Lin L, Zhu Y, Su R (2019b) Towards bounded synthesis of resilient supervisors. Conference on Decision and Control, accepted
Mo Y, Kim HJ, Brancik K, Dickinson D, Lee H, Perrig A, Sinopoli B (2012) Cyber-physical security of a smart grid infrastructure. Proc. IEEE: 195–209
Pasqualetti F, Dorfler F, Bullo F (2013) Attack detection and identification in cyber-physical systems. IEEE Trans. Autom. Control 58(11):2715–2729
Rashidinejad A, Lin L, Wetzels BHJ, Zhu Y, Reniers M, Su R (2019) Supervisory control of discrete-event systems under attacks: an overview and outlook. European Control Conference, accepted
Rocchetto M, Tippenhauer NO (2017) Towards formal security analysis of industrial control systems. ACM Asia Conference on Computer and Communications Security: 114–126
Smith RS (2011) A decoupled feedback structure for covertly appropriating networked control systems. IFAC: 90–95
Su R (2018) Supervisor synthesis to thwart cyber-attack with bounded sensor reading alterations. Automatica 94:35–44
Teixeira A, Shames I, Sandberg H, Johansson KH (2012) Revealing stealthy attacks in control systems. 50th Annual Allerton conference on communication, control and computing
Wakaiki M, Tabuada P, Hespanha JP (2017) Supervisory control of discrete-event systems under attacks. arXiv:1701.00881v1
Wang Y, Bozkurt AK, Pajic M (2019) Attack-resilient supervisory control of discrete-event systems. arXiv:1904.03264
Wonham WM, Cai K (2018) Supervisory control of discrete-event systems. Monograph Series Communications and Control Engineering, Springer
Yin X, Lafortune S (2016) Synthesis of maximally permissive supervisors for partially observed discrete event systems. IEEE Trans Autom Control 61(5):1239–1254
Yin X, Li S (2018) Verification of opacity in networked supervisory control systems with insecure control channels. Conference on Decision and Control: 4851–4856
Zhu Y, Lin L, Su R (2018) Supervisor obfuscation against actuator enablement attack. European Control Conference: 1732–1739
Zhu Y, Lin L, Ware S, Su R (2019) Supervisor synthesis for networked discrete event systems with communication delays and lossy channels. Conference on decision and control, accepted
Acknowledgements
This work is financially supported by Singapore Ministry of Education Academic Research Grant RG91/18-(S)-SU RONG (VP), which is gratefully acknowledged.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This article belongs to the Topical Collection: Smart Manufacturing - A New DES Frontier
Guest Editors: Rong Su and Bengt Lennartson
Rights and permissions
About this article
Cite this article
Lin, L., Zhu, Y. & Su, R. Synthesis of covert actuator attackers for free. Discrete Event Dyn Syst 30, 561–577 (2020). https://doi.org/10.1007/s10626-020-00312-2
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10626-020-00312-2