Neel Bhaskar, Jawad Ahmed, Rahat Masood, Nadeem Ahmed, Stephen Kerr, Sanjay K. Jha
The exponential rise in popularity of Distributed Energy Resources (DERs) is attributed to their numerous benefits within the power sector. However, the risks that new DERs pose to the power grid have not yet been closely assessed, exposing a gap in the literature. This paper addresses this gap by presenting a comprehensive threat model of the DER architecture, combining the MITRE ATT&CK catalogue for Industrial Control Systems (ICS), and the IDDIL/ATC threat model, to create a hybrid approach. Our first contribution is to propose criteria derived from seven metrics to evaluate and compare the efficacy and usability of threat modelling frameworks for DER systems, allowing more informed framework selection. Our second contribution is to develop a comprehensive hybrid threat modelling approach based on IDDIL/ATC and MITRE ATT&CK and organise attack paths chronologically using the Cyber Kill Chain methodology to categorise attacker techniques. Our third contribution is to perform a comprehensive DER architecture system decomposition, elaborating assets, trust levels, entry points, data, protocols, and entity relations to identify the threat landscape. Our final contribution is to apply the proposed approach to the Distribution System Operator (DSO), mapping potential attacker techniques and illustrating a ransomware attack chain on the DSO’s Energy Management System, with proposed mitigations.
分布式能源资源(DER)的指数式增长归功于其在电力行业中的众多优势。然而,新的 DER 对电网构成的风险尚未得到仔细评估,这暴露了文献中的空白。本文结合 MITRE ATT&CK 工业控制系统 (ICS) 目录和 IDDIL/ATC 威胁模型,提出了 DER 架构的综合威胁模型,创建了一种混合方法,从而填补了这一空白。我们的第一个贡献是提出了从七个指标中衍生出来的标准,用于评估和比较 DER 系统威胁建模框架的有效性和可用性,从而可以更明智地选择框架。我们的第二个贡献是基于 IDDIL/ATC 和 MITRE ATT&CK 开发了一种全面的混合威胁建模方法,并使用网络杀伤链方法按时间顺序组织攻击路径,对攻击者的技术进行分类。我们的第三个贡献是进行全面的 DER 架构系统分解,详细说明资产、信任级别、入口点、数据、协议和实体关系,以确定威胁状况。我们的最后一个贡献是将建议的方法应用于配电系统运营商 (DSO),映射潜在的攻击者技术,并说明 DSO 能源管理系统的勒索软件攻击链,以及建议的缓解措施。
{"title":"A Comprehensive Threat Modelling Analysis for Distributed Energy Resources","authors":"Neel Bhaskar, Jawad Ahmed, Rahat Masood, Nadeem Ahmed, Stephen Kerr, Sanjay K. Jha","doi":"10.1145/3678260","DOIUrl":"https://doi.org/10.1145/3678260","url":null,"abstract":"The exponential rise in popularity of Distributed Energy Resources (DERs) is attributed to their numerous benefits within the power sector. However, the risks that new DERs pose to the power grid have not yet been closely assessed, exposing a gap in the literature. This paper addresses this gap by presenting a comprehensive threat model of the DER architecture, combining the MITRE ATT&CK catalogue for Industrial Control Systems (ICS), and the IDDIL/ATC threat model, to create a hybrid approach. Our first contribution is to propose criteria derived from seven metrics to evaluate and compare the efficacy and usability of threat modelling frameworks for DER systems, allowing more informed framework selection. Our second contribution is to develop a comprehensive hybrid threat modelling approach based on IDDIL/ATC and MITRE ATT&CK and organise attack paths chronologically using the Cyber Kill Chain methodology to categorise attacker techniques. Our third contribution is to perform a comprehensive DER architecture system decomposition, elaborating assets, trust levels, entry points, data, protocols, and entity relations to identify the threat landscape. Our final contribution is to apply the proposed approach to the Distribution System Operator (DSO), mapping potential attacker techniques and illustrating a ransomware attack chain on the DSO’s Energy Management System, with proposed mitigations.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141829680","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Cyber-physical systems interact with the world through software controlling physical effectors. Carefully designed controllers, implemented as safety-critical control software, also interact with other parts of the software suite, and may be difficult to separate, verify, or maintain. Moreover, some software changes, not intended to impact control system performance, do change controller response through a variety of means including interaction with external libraries or unmodeled changes only existing in the cyber system (e.g., exception handling). As a result, identifying safety-critical control software, its boundaries with other embedded software in the system, and the way in which control software evolves could help developers isolate, test, and verify control implementation, and improve control software development. In this work we present an automated technique, based on a novel application of machine learning, to detect commits related to control software, its changes, and how the control software evolves. We leverage messages from developers (e.g., commit comments), and code changes themselves to understand how control software is refined, extended, and adapted over time. We examine three distinct, popular, real-world, safety-critical autopilots – ArduPilot, Paparazzi UAV, and LibrePilot to test our method demonstrating an effective detection rate of 0.95 for control-related code changes.
{"title":"Carving out Control Code: Automated Identification of Control Software in Autopilot Systems","authors":"Balaji Balasubramaniam, Iftekhar Ahmed, Hamid Bagheri, Justin Bradley","doi":"10.1145/3678259","DOIUrl":"https://doi.org/10.1145/3678259","url":null,"abstract":"Cyber-physical systems interact with the world through software controlling physical effectors. Carefully designed controllers, implemented as safety-critical control software, also interact with other parts of the software suite, and may be difficult to separate, verify, or maintain. Moreover, some software changes, not intended to impact control system performance, do change controller response through a variety of means including interaction with external libraries or unmodeled changes only existing in the cyber system (e.g., exception handling). As a result, identifying safety-critical control software, its boundaries with other embedded software in the system, and the way in which control software evolves could help developers isolate, test, and verify control implementation, and improve control software development. In this work we present an automated technique, based on a novel application of machine learning, to detect commits related to control software, its changes, and how the control software evolves. We leverage messages from developers (e.g., commit comments), and code changes themselves to understand how control software is refined, extended, and adapted over time. We examine three distinct, popular, real-world, safety-critical autopilots – ArduPilot, Paparazzi UAV, and LibrePilot to test our method demonstrating an effective detection rate of 0.95 for control-related code changes.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.0,"publicationDate":"2024-07-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141830558","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Connected Autonomous Vehicles (CAVs) are expected to enable reliable, efficient, and intelligent transportation systems. Most motion planning algorithms for multi-agent systems implicitly assume that all vehicles/agents will execute the expected plan with a small error and evaluate their safety constraints based on this fact. This assumption, however, is hard to keep for CAVs since they may have to change their plan (e.g., to yield to another vehicle) or are forced to stop (e.g., A CAV may break down). While it is desired that a CAV never gets involved in an accident, it may be hit by other vehicles and sometimes, preventing the accident is impossible (e.g., getting hit from behind while waiting behind the red light). Responsibility-Sensitive Safety (RSS) is a set of safety rules that defines the objective of CAV to blame, instead of safety. Thus, instead of developing a CAV algorithm that will avoid any accident, it ensures that the ego vehicle will not be blamed for any accident it is a part of. Original RSS rules, however, are hard to evaluate for merge, intersection, and unstructured road scenarios, plus RSS rules do not prevent deadlock situations among vehicles. In this paper, we propose a new formulation for RSS rules that can be applied to any driving scenario. We integrate the proposed RSS rules with the CAV’s motion planning algorithm to enable cooperative driving of CAVs. We use Control Barrier Functions to enforce safety constraints and compute the energy optimal trajectory for the ego CAV. Finally, to ensure liveness, our approach detects and resolves deadlocks in a decentralized manner. We have conducted different experiments to verify that the ego CAV does not cause an accident no matter when other CAVs slow down or stop. We also showcase our deadlock detection and resolution mechanism using our simulator. Finally, we compare the average velocity and fuel consumption of vehicles when they drive autonomously with the case that they are autonomous and connected.
{"title":"Cooperative Driving of Connected Autonomous Vehicles using Responsibility Sensitive Safety Rules: A Control Barrier Functions Approach","authors":"M. Khayatian, Mohammadreza Mehrabian, I-Ching Tseng, Chung-Wei Lin, Calin Belta, Aviral Shrivastava","doi":"10.1145/3648004","DOIUrl":"https://doi.org/10.1145/3648004","url":null,"abstract":"Connected Autonomous Vehicles (CAVs) are expected to enable reliable, efficient, and intelligent transportation systems. Most motion planning algorithms for multi-agent systems implicitly assume that all vehicles/agents will execute the expected plan with a small error and evaluate their safety constraints based on this fact. This assumption, however, is hard to keep for CAVs since they may have to change their plan (e.g., to yield to another vehicle) or are forced to stop (e.g., A CAV may break down). While it is desired that a CAV never gets involved in an accident, it may be hit by other vehicles and sometimes, preventing the accident is impossible (e.g., getting hit from behind while waiting behind the red light). Responsibility-Sensitive Safety (RSS) is a set of safety rules that defines the objective of CAV to blame, instead of safety. Thus, instead of developing a CAV algorithm that will avoid any accident, it ensures that the ego vehicle will not be blamed for any accident it is a part of. Original RSS rules, however, are hard to evaluate for merge, intersection, and unstructured road scenarios, plus RSS rules do not prevent deadlock situations among vehicles. In this paper, we propose a new formulation for RSS rules that can be applied to any driving scenario. We integrate the proposed RSS rules with the CAV’s motion planning algorithm to enable cooperative driving of CAVs. We use Control Barrier Functions to enforce safety constraints and compute the energy optimal trajectory for the ego CAV. Finally, to ensure liveness, our approach detects and resolves deadlocks in a decentralized manner. We have conducted different experiments to verify that the ego CAV does not cause an accident no matter when other CAVs slow down or stop. We also showcase our deadlock detection and resolution mechanism using our simulator. Finally, we compare the average velocity and fuel consumption of vehicles when they drive autonomously with the case that they are autonomous and connected.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.3,"publicationDate":"2024-04-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140689135","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Enrico Casella, Simone Silvestri, D. A. Baker, Sajal K. Das
Extreme outside temperatures resulting from heat waves, winter storms, and similar weather-related events trigger the Heating Ventilation and Air Conditioning (HVAC) systems, resulting in challenging, and potentially catastrophic, peak loads. As a consequence, such extreme outside temperatures put a strain on power grids and may thus lead to blackouts. In order to avoid the financial and personal repercussions of peak loads, demand response and power conservation represent promising solutions. Despite numerous efforts, it has been shown that the current state-of-the-art fails to consider: i) the complexity of human behavior when interacting with power conservation systems; and ii) realistic home-level power dynamics. As a consequence, this leads to approaches that are i) ineffective due to poor long-term user engagement; and ii) too abstract to be used in real-world settings. In this paper, we propose an auction-theory-based power conservation framework for HVAC designed to address such individual human component through a three-fold approach: personalized preferences of power conservation, models of realistic user behavior , and realistic home-level power dynamics . In our framework, the System Operator (SO) sends Load Serving Entities (LSEs) the required power saving to tackle peak loads at the residential distribution feeder. Each LSE then prompts its users to provide bids , i.e., personalized preferences of thermostat temperature adjustments, along with corresponding financial compensations. We employ models of realistic user behavior by means of online surveys to gather user bids and evaluate user interaction with such system. Realistic home-level power dynamics are implemented by our machine-learning-based Power Saving Predictions (PSP) algorithm, calculating the individual power savings in each user’s home resulting from such bids. A machine-learning-based Power Saving Predictions (PSP) algorithm is executed by the users’ Smart Energy Management System (SEMS). PSP translates temperature adjustments into the corresponding power savings. Then, the SEMS sends bids back to the LSE, which selects the auction winners through an optimization problem called POwer Conservation Optimization (POCO). We prove that POCO is NP-hard, and thus provide two approaches to solve this problem. One approach is an optimal pseudo-polynomial algorithm called DYnamic programming Power Saving (DYPS), while the second is a heuristic polynomial-time algorithm called Greedy Ranking Allocation (GRAN). EnergyPlus, the high-fidelity and gold-standard energy simulator funded by the U.S. Department of Energy, was used to validate our experiments, as well as to collect data to train PSP. We further evaluate the results of the auctions across several scenarios, showing that, as expected, DYPS finds the optimal solution, while GRAN outperforms recent state-of-the-art approaches.
热浪、冬季风暴和类似天气事件导致的极端室外温度会触发暖通空调(HVAC)系统,从而产生具有挑战性的、可能是灾难性的峰值负荷。因此,这种极端的室外温度会对电网造成压力,从而可能导致停电。为了避免高峰负荷对经济和个人造成的影响,需求响应和节约用电是很有前途的解决方案。尽管做出了许多努力,但事实证明,当前的先进技术未能考虑到:i) 人类与节电系统互动时行为的复杂性;ii) 现实的家庭电力动态。因此,这导致了以下问题:i) 由于用户长期参与度不高而无效;ii) 过于抽象,无法在现实环境中使用。在本文中,我们提出了一个基于拍卖理论的暖通空调节电框架,旨在通过三方面的方法来解决这种个人人为因素:个性化的节电偏好、现实的用户行为模型和现实的家庭电力动态。在我们的框架中,系统运营商(SO)向负载服务实体(LSE)发送所需的节电信息,以解决住宅配电馈线的峰值负载问题。然后,每个 LSE 提示其用户提供出价,即恒温器温度调节的个性化偏好,以及相应的经济补偿。我们通过在线调查采用现实用户行为模型来收集用户出价,并评估用户与该系统的互动情况。我们基于机器学习的节电预测(PSP)算法实现了真实的家庭级电力动态,计算出每个用户家庭因这些出价而节省的电量。基于机器学习的节电预测 (PSP) 算法由用户的智能能源管理系统 (SEMS) 执行。PSP 将温度调整转化为相应的节电效果。然后,SEMS 将出价反馈给 LSE,LSE 通过一个名为 POwer Conservation Optimization (POCO) 的优化问题选出拍卖获胜者。我们证明了 POCO 的 NP 难度,因此提供了两种解决该问题的方法。一种方法是最优伪多项式算法,称为动态编程节电(DYPS);另一种方法是启发式多项式时间算法,称为贪婪排序分配(GRAN)。EnergyPlus 是由美国能源部资助的高保真黄金标准能源模拟器,用于验证我们的实验,并收集数据以训练 PSP。我们进一步评估了几种情况下的拍卖结果,结果表明,正如预期的那样,DYPS 找到了最优解,而 GRAN 则优于最近最先进的方法。
{"title":"A Human-Centered Power Conservation Framework based on Reverse Auction Theory and Machine Learning","authors":"Enrico Casella, Simone Silvestri, D. A. Baker, Sajal K. Das","doi":"10.1145/3656348","DOIUrl":"https://doi.org/10.1145/3656348","url":null,"abstract":"\u0000 Extreme outside temperatures resulting from heat waves, winter storms, and similar weather-related events trigger the Heating Ventilation and Air Conditioning (HVAC) systems, resulting in challenging, and potentially catastrophic, peak loads. As a consequence, such extreme outside temperatures put a strain on power grids and may thus lead to blackouts. In order to avoid the financial and personal repercussions of peak loads, demand response and power conservation represent promising solutions. Despite numerous efforts, it has been shown that the current state-of-the-art fails to consider: i) the complexity of human behavior when interacting with power conservation systems; and ii) realistic home-level power dynamics. As a consequence, this leads to approaches that are i) ineffective due to poor long-term user engagement; and ii) too abstract to be used in real-world settings. In this paper, we propose an auction-theory-based power conservation framework for HVAC designed to address such individual human component through a three-fold approach:\u0000 personalized preferences\u0000 of power conservation,\u0000 models of realistic user behavior\u0000 , and\u0000 realistic home-level power dynamics\u0000 . In our framework, the System Operator (SO) sends Load Serving Entities (LSEs) the required power saving to tackle peak loads at the residential distribution feeder. Each LSE then prompts its users to provide\u0000 bids\u0000 , i.e.,\u0000 personalized preferences\u0000 of thermostat temperature adjustments, along with corresponding financial compensations. We employ\u0000 models of realistic user behavior\u0000 by means of online surveys to gather user bids and evaluate user interaction with such system.\u0000 Realistic home-level power dynamics\u0000 are implemented by our machine-learning-based Power Saving Predictions (PSP) algorithm, calculating the individual power savings in each user’s home resulting from such bids. A machine-learning-based Power Saving Predictions (PSP) algorithm is executed by the users’ Smart Energy Management System (SEMS). PSP translates temperature adjustments into the corresponding power savings. Then, the SEMS sends bids back to the LSE, which selects the auction winners through an optimization problem called POwer Conservation Optimization (POCO). We prove that POCO is NP-hard, and thus provide two approaches to solve this problem. One approach is an optimal pseudo-polynomial algorithm called DYnamic programming Power Saving (DYPS), while the second is a heuristic polynomial-time algorithm called Greedy Ranking Allocation (GRAN). EnergyPlus, the high-fidelity and gold-standard energy simulator funded by the U.S. Department of Energy, was used to validate our experiments, as well as to collect data to train PSP. We further evaluate the results of the auctions across several scenarios, showing that, as expected, DYPS finds the optimal solution, while GRAN outperforms recent state-of-the-art approaches.\u0000","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.3,"publicationDate":"2024-04-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140736855","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Systems offering fault-resilient, energy-efficient, soft real-time data communication have wide applications in Industrial Internet-of-Things (IIoT). While there have been extensive studies for fault resilience in real-time embedded systems, investigations from cyber-physical systems (CPS) perspective are still much needed, as CPS faults occur not just from abnormal conditions in the software/hardware of the system, but also from the physical environment in which the system operates. At the same time, in addition to conventional fault tolerance strategies embedded in the software/hardware of the target system, CPS faults could be mitigated via some strategic systems re-configuration made available by the physical environment. This paper presents a design and implementation for CPS fault-resilient data communication, in the context of IIoT networks running LoRaWAN, a low-power wide-area networking standard. The proposed design combines collaborative IIoT end devices plus a network gateway piggybacked on a third-party cruising object that is part of the environment. With the focus on data communication, the study illustrates challenges and opportunities to address CPS fault resilience while meeting the needs for energy efficiency and communication timeliness that are common to IIoT systems. The implementation of the design is based on ChirpStack, a widely used open source framework for LoRaWAN. The results from experiment and simulation both show that the proposed scheme can tolerate limited errors of data communication while saving operating energy and maintaining timeliness of data communication to some extent.
{"title":"On Cyber-Physical Fault Resilience in Data Communication: A Case From A LoRaWAN Network Systems Design","authors":"Chao Wang, Cheng-Hsun Chuang, Yu-Wei Chen, Yun-Fan Chen","doi":"10.1145/3639571","DOIUrl":"https://doi.org/10.1145/3639571","url":null,"abstract":"Systems offering fault-resilient, energy-efficient, soft real-time data communication have wide applications in Industrial Internet-of-Things (IIoT). While there have been extensive studies for fault resilience in real-time embedded systems, investigations from cyber-physical systems (CPS) perspective are still much needed, as CPS faults occur not just from abnormal conditions in the software/hardware of the system, but also from the physical environment in which the system operates. At the same time, in addition to conventional fault tolerance strategies embedded in the software/hardware of the target system, CPS faults could be mitigated via some strategic systems re-configuration made available by the physical environment. This paper presents a design and implementation for CPS fault-resilient data communication, in the context of IIoT networks running LoRaWAN, a low-power wide-area networking standard. The proposed design combines collaborative IIoT end devices plus a network gateway piggybacked on a third-party cruising object that is part of the environment. With the focus on data communication, the study illustrates challenges and opportunities to address CPS fault resilience while meeting the needs for energy efficiency and communication timeliness that are common to IIoT systems. The implementation of the design is based on ChirpStack, a widely used open source framework for LoRaWAN. The results from experiment and simulation both show that the proposed scheme can tolerate limited errors of data communication while saving operating energy and maintaining timeliness of data communication to some extent.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.3,"publicationDate":"2024-01-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139384661","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
M.F.H. Sagor, Amran Haroon, R. Stoleru, S. Bhunia, A. Altaweel, M. Chao, Liuyi Jin, M. Maurice, R. Blalock
Mobile Edge Computing (MEC) has been gaining a major interest for use in Cyber-Physical Systems (CPS) for Disaster Response and Tactical applications. These CPS generate a very large amount of mission-critical and personal data that require resilient and secure storage and sharing. In this article, we present the design, implementation, and evaluation of a framework for resilient data storage and sharing for MEC in CPS targeting the aforementioned applications. Our framework is built on the resiliency of three main components: EdgeKeeper, which ensures resilient coordination of the framework’s components; RSock, which provides resilient communication among CPS’s nodes; and R-Drive/R-Share which, leveraging EdgeKeeper and RSock, provides resilient data storage and sharing. EdgeKeeper employs a set of replicas and a consensus protocol for storing critical meta-data and ensuring fast reorganization of the CPS; RSock decides an optimal degree for replicating data that is communicated over lossy links. R-Drive employs an adaptive erasure-coded and encrypted resilient data storage; R-Share, leveraging RSock provides resilient peer-to-peer data sharing. We implemented our proposed framework on rapidly deployable systems (e.g. manpacks, testMobile Edge Clouds) and on Android devices, and integrated it with existing MEC applications. Performance evaluation results from three real-world deployments show that our framework provides resilient data storage and sharing in MEC for CPS.
{"title":"DistressNet-NG: A Resilient Data Storage and Sharing Framework for Mobile Edge Computing in Cyber-Physical Systems","authors":"M.F.H. Sagor, Amran Haroon, R. Stoleru, S. Bhunia, A. Altaweel, M. Chao, Liuyi Jin, M. Maurice, R. Blalock","doi":"10.1145/3639057","DOIUrl":"https://doi.org/10.1145/3639057","url":null,"abstract":"Mobile Edge Computing (MEC) has been gaining a major interest for use in Cyber-Physical Systems (CPS) for Disaster Response and Tactical applications. These CPS generate a very large amount of mission-critical and personal data that require resilient and secure storage and sharing. In this article, we present the design, implementation, and evaluation of a framework for resilient data storage and sharing for MEC in CPS targeting the aforementioned applications. Our framework is built on the resiliency of three main components: EdgeKeeper, which ensures resilient coordination of the framework’s components; RSock, which provides resilient communication among CPS’s nodes; and R-Drive/R-Share which, leveraging EdgeKeeper and RSock, provides resilient data storage and sharing. EdgeKeeper employs a set of replicas and a consensus protocol for storing critical meta-data and ensuring fast reorganization of the CPS; RSock decides an optimal degree for replicating data that is communicated over lossy links. R-Drive employs an adaptive erasure-coded and encrypted resilient data storage; R-Share, leveraging RSock provides resilient peer-to-peer data sharing. We implemented our proposed framework on rapidly deployable systems (e.g. manpacks, testMobile Edge Clouds) and on Android devices, and integrated it with existing MEC applications. Performance evaluation results from three real-world deployments show that our framework provides resilient data storage and sharing in MEC for CPS.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.3,"publicationDate":"2024-01-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139451639","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Stephen Kirkman, Steven Fulton, Jeffrey Hemmes, Christopher Garcia, Justin C. Wilson
The motivation of this research (and also one of the nation’s cyber goals) is enhancing the resilience of Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA) systems against ransomware attacks. ICS and SCADA systems run some of the most important networks in the country: our critical infrastructure (i.e. water flow, power grids, etc.). Disruption of these systems causes confusion, panic, and in some cases loss of life. We propose a SCADA architecture that uses blockchain to help protect ICS data from ransomware. We focus on the historian. In a SCADA system, the historian collects events from devices in the control network for real-time and future analysis. We choose to use Ethereum and its Proof of Stake (PoS) consensus protocol. The other goal of this research focuses on the resilience of blockchain. There is very little research in protecting the blockchain itself. By performing encryption testing on an Ethereum private network, we explore how vulnerable blockchain is and discuss potential ways to make a blockchain client more resilient.
{"title":"A Blockchain Architecture to Increase the Resilience of Industrial Control Systems from the Effects of a Ransomware Attack: A Proposal and Initial Results","authors":"Stephen Kirkman, Steven Fulton, Jeffrey Hemmes, Christopher Garcia, Justin C. Wilson","doi":"10.1145/3637553","DOIUrl":"https://doi.org/10.1145/3637553","url":null,"abstract":"The motivation of this research (and also one of the nation’s cyber goals) is enhancing the resilience of Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA) systems against ransomware attacks. ICS and SCADA systems run some of the most important networks in the country: our critical infrastructure (i.e. water flow, power grids, etc.). Disruption of these systems causes confusion, panic, and in some cases loss of life. We propose a SCADA architecture that uses blockchain to help protect ICS data from ransomware. We focus on the historian. In a SCADA system, the historian collects events from devices in the control network for real-time and future analysis. We choose to use Ethereum and its Proof of Stake (PoS) consensus protocol. The other goal of this research focuses on the resilience of blockchain. There is very little research in protecting the blockchain itself. By performing encryption testing on an Ethereum private network, we explore how vulnerable blockchain is and discuss potential ways to make a blockchain client more resilient.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.3,"publicationDate":"2023-12-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138953282","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Kejing Zhao, Zhiyong Zhang, K. Choo, Zhongya Zhang, Tiantian Zhang
Industrial Internet plays an important role in key critical infrastructure sectors and is the target of different security threats and risks. There are limitations in many existing attack detection approaches, such as function redundancy, overfitting and low efficiency. A combinatorial optimization method Lagrange multiplier is designed to optimize the underlying feature screening algorithm. The optimized feature combination is fused with random forest and XG-Boost selected features to improve the accuracy and efficiency of attack feature analysis. Using both the UNSW-NB15 and Natural gas pipeline datasets, we evaluate the performance of the proposed method. It is observed that the influence degrees of the different features associated with the attack behavior can result in the binary classification attack detection increases to 0.93, and the attack detection time reduces by 6.96 times. The overall accuracy of multi-classification attack detection is also observed to improve by 0.11. We also observe that nine key features of attack behavior analysis are essential to the analysis and detection of general attacks targeting the system, and by focusing on these features one could potentially improve the effectiveness and efficiency of real-time critical industrial system security. In this paper, CICDDoS2019 dataset and CICIDS2018 dataset are used to prove the generalization. The experimental results show that the proposed method has good generalization and can be extended to the same type of industrial anomaly data sets.
{"title":"A Combinatorial Optimization Analysis Method for Detecting Malicious Industrial Internet Attack Behaviors","authors":"Kejing Zhao, Zhiyong Zhang, K. Choo, Zhongya Zhang, Tiantian Zhang","doi":"10.1145/3637554","DOIUrl":"https://doi.org/10.1145/3637554","url":null,"abstract":"Industrial Internet plays an important role in key critical infrastructure sectors and is the target of different security threats and risks. There are limitations in many existing attack detection approaches, such as function redundancy, overfitting and low efficiency. A combinatorial optimization method Lagrange multiplier is designed to optimize the underlying feature screening algorithm. The optimized feature combination is fused with random forest and XG-Boost selected features to improve the accuracy and efficiency of attack feature analysis. Using both the UNSW-NB15 and Natural gas pipeline datasets, we evaluate the performance of the proposed method. It is observed that the influence degrees of the different features associated with the attack behavior can result in the binary classification attack detection increases to 0.93, and the attack detection time reduces by 6.96 times. The overall accuracy of multi-classification attack detection is also observed to improve by 0.11. We also observe that nine key features of attack behavior analysis are essential to the analysis and detection of general attacks targeting the system, and by focusing on these features one could potentially improve the effectiveness and efficiency of real-time critical industrial system security. In this paper, CICDDoS2019 dataset and CICIDS2018 dataset are used to prove the generalization. The experimental results show that the proposed method has good generalization and can be extended to the same type of industrial anomaly data sets.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.3,"publicationDate":"2023-12-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139001339","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Uncertainty in safety-critical cyber-physical systems can be modeled using a finite number of parameters or parameterized input signals. Given a system specification in Signal Temporal Logic (STL), we would like to verify that for all (infinite) values of the model parameters/input signals, the system satisfies its specification. Unfortunately, this problem is undecidable in general. Statistical model checking (SMC) offers a solution by providing guarantees on the correctness of CPS models by statistically reasoning on model simulations. We propose a new approach for statistical verification of CPS models for user-provided distribution on the model parameters. Our technique uses model simulations to learn surrogate models, and uses conformal inference to provide probabilistic guarantees on the satisfaction of a given STL property. Additionally, we can provide prediction intervals containing the quantitative satisfaction values of the given STL property for any user-specified confidence level. We compare this prediction interval with the interval we get using risk estimation procedures. We also propose a refinement procedure based on Gaussian Process (GP)-based surrogate models for obtaining fine-grained probabilistic guarantees over sub-regions in the parameter space. This in turn enables the CPS designer to choose assured validity domains in the parameter space for safety-critical applications. Finally, we demonstrate the efficacy of our technique on several CPS models.
{"title":"Statistical Verification using Surrogate Models and Conformal Inference and a Comparison with Risk-aware Verification","authors":"Xin Qin, Yuan Xia, Aditya Zutshi, Chuchu Fan, Jyotirmoy V. Deshmukh","doi":"10.1145/3635160","DOIUrl":"https://doi.org/10.1145/3635160","url":null,"abstract":"Uncertainty in safety-critical cyber-physical systems can be modeled using a finite number of parameters or parameterized input signals. Given a system specification in Signal Temporal Logic (STL), we would like to verify that for all (infinite) values of the model parameters/input signals, the system satisfies its specification. Unfortunately, this problem is undecidable in general. Statistical model checking (SMC) offers a solution by providing guarantees on the correctness of CPS models by statistically reasoning on model simulations. We propose a new approach for statistical verification of CPS models for user-provided distribution on the model parameters. Our technique uses model simulations to learn surrogate models, and uses conformal inference to provide probabilistic guarantees on the satisfaction of a given STL property. Additionally, we can provide prediction intervals containing the quantitative satisfaction values of the given STL property for any user-specified confidence level. We compare this prediction interval with the interval we get using risk estimation procedures. We also propose a refinement procedure based on Gaussian Process (GP)-based surrogate models for obtaining fine-grained probabilistic guarantees over sub-regions in the parameter space. This in turn enables the CPS designer to choose assured validity domains in the parameter space for safety-critical applications. Finally, we demonstrate the efficacy of our technique on several CPS models.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.3,"publicationDate":"2023-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138598245","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Dionisio de Niz, Bjorn Andersson, Mark H. Klein, J. Lehoczky, Amit Vasudevan, Hyoseung Kim, Gabriel Moreno
Verifying complex Cyber-Physical Systems (CPS) is increasingly important given the push to deploy safety-critical autonomous features. Unfortunately, traditional verification methods do not scale to the complexity of these systems and do not provide systematic methods to protect verified properties when not all the components can be verified. To address these challenges, this article proposes a real-time mixed-trust computing framework that combines verification and protection. The framework introduces a new task model, where an application task can have both an untrusted and a trusted part. The untrusted part allows complex computations supported by a full OS with a real-time scheduler running in a VM hosted by a trusted hypervisor. The trusted part is executed by another scheduler within the hypervisor and is thus protected from the untrusted part. If the untrusted part fails to finish by a specific time, the trusted part is activated to preserve safety (e.g., prevent a crash) including its timing guarantees. This framework is the first allowing the use of untrusted components for CPS critical functions while preserving logical and timing guarantees, even in the presence of malicious attackers. We present the framework its schedulability analysis and the coordination protocol between the trusted and untrusted parts. Our implementation on a Raspberry Pi 3 is also discussed along with experiments showing the behavior of the system under failures of untrusted components, and a drone application to demonstrate its practicality.
{"title":"Mixed-Trust Computing: Safe and Secure Real-Time Systems","authors":"Dionisio de Niz, Bjorn Andersson, Mark H. Klein, J. Lehoczky, Amit Vasudevan, Hyoseung Kim, Gabriel Moreno","doi":"10.1145/3635162","DOIUrl":"https://doi.org/10.1145/3635162","url":null,"abstract":"Verifying complex Cyber-Physical Systems (CPS) is increasingly important given the push to deploy safety-critical autonomous features. Unfortunately, traditional verification methods do not scale to the complexity of these systems and do not provide systematic methods to protect verified properties when not all the components can be verified. To address these challenges, this article proposes a real-time mixed-trust computing framework that combines verification and protection. The framework introduces a new task model, where an application task can have both an untrusted and a trusted part. The untrusted part allows complex computations supported by a full OS with a real-time scheduler running in a VM hosted by a trusted hypervisor. The trusted part is executed by another scheduler within the hypervisor and is thus protected from the untrusted part. If the untrusted part fails to finish by a specific time, the trusted part is activated to preserve safety (e.g., prevent a crash) including its timing guarantees. This framework is the first allowing the use of untrusted components for CPS critical functions while preserving logical and timing guarantees, even in the presence of malicious attackers. We present the framework its schedulability analysis and the coordination protocol between the trusted and untrusted parts. Our implementation on a Raspberry Pi 3 is also discussed along with experiments showing the behavior of the system under failures of untrusted components, and a drone application to demonstrate its practicality.","PeriodicalId":7055,"journal":{"name":"ACM Transactions on Cyber-Physical Systems","volume":null,"pages":null},"PeriodicalIF":2.3,"publicationDate":"2023-12-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"138607343","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}