Werner Damm, David Hess, Mark Schweda, Janos Sztipanovits, Klaus Bengler, Bianca Biebl, Martin Fränzle, Willem Hagemann, Moritz Held, Klas Ihme, Severin Kacianka, Alyssa J. Kerscher, Sebastian Lehnhoff, Andreas Luedtke, Alexander Pretschner, Astrid Rakow, Rieger Jochem, Daniel Sonntag, Maike Schwammberger, Benedikt Austel, Anirudh Unni, Eric Veith
We propose a reference architecture of safety-critical or industry-critical human cyber-physical systems (CPSs) capable of expressing essential classes of system-level interactions between CPS and humans relevant for the societal acceptance of such systems. To reach this quality gate, the expressivity of the model must go beyond classical viewpoints such as operational, functional, and architectural views and views used for safety and security analysis. The model does so by incorporating elements of such systems for mutual introspections in situational awareness, capabilities, and intentions in order to enable a synergetic, trusted relation in the interaction of humans and CPSs, which we see as a prerequisite for their societal acceptance. The reference architecture is represented as a metamodel incorporating conceptual and behavioral semantic aspects. We illustrate the key concepts of the metamodel with examples from cooperative autonomous driving, the operating room of the future, cockpit-tower interaction, and crisis management.
Title: A Reference Architecture of Human Cyber-Physical Systems – PART I: Fundamental Concepts. Authors: Werner Damm, David Hess, Mark Schweda, Janos Sztipanovits, Klaus Bengler, Bianca Biebl, Martin Fränzle, Willem Hagemann, Moritz Held, Klas Ihme, Severin Kacianka, Alyssa J. Kerscher, Sebastian Lehnhoff, Andreas Luedtke, Alexander Pretschner, Astrid Rakow, Rieger Jochem, Daniel Sonntag, Maike Schwammberger, Benedikt Austel, Anirudh Unni, Eric Veith. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-09-20. DOI: https://doi.org/10.1145/3622879
Uncrewed Aerial Vehicles (UAVs) have been used in mission-critical scenarios such as Search and Rescue (SAR) missions. In such a mission-critical scenario, flight autonomy is a key performance metric that quantifies how long the UAV can continue the flight with a given battery charge. In a UAV running multiple software applications, flight autonomy can also be impacted by faulty application processes that excessively consume energy. In this paper, we propose FA-Assure (Flight Autonomy assurance) as a framework to assure the autonomy of a UAV considering faulty application processes through performability modeling and analysis. The framework employs hierarchically-configured stochastic Petri nets (SPNs), evaluates the performability-related metrics, and guides the design of mitigation strategies to improve autonomy. We consider a SAR mission as a case study and evaluate the feasibility of the framework through extensive numerical experiments. The numerical results quantitatively show how autonomy is enhanced by offloading and restarting faulty application processes.
Title: Assuring Autonomy of UAVs in Mission-critical Scenarios by Performability Modeling and Analysis. Authors: Ermeson Andrade, Fumio Machida. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-09-16. DOI: https://doi.org/10.1145/3624572
Qiushi Liang, Shengjie Zhao, Jiangfan Zhang, Hao Deng
Electricity theft can cause economic damage and even increase the risk of outage. Recently, many methods have implemented electricity theft detection on smart meter data. However, how to conduct detection on the dataset without any label still remains challenging. In this paper, we propose a novel unsupervised two-stage approach under the assumption that the training set is contaminated by attacks. Specifically, the method consists of two stages: 1) A Gaussian mixture model (GMM) is employed to cluster consumption patterns with respect to different habits of electricity usage, and with the goal of improving the accuracy of the model in the posterior stage; 2) An attention-based bidirectional Long Short-Term Memory (BLSTM) encoder-decoder scheme is employed to improve the robustness against the non-malicious changes in usage patterns leveraging the process of encoding and decoding. Quantifying the similarity of consumption patterns and reconstruction errors, the anomaly score is defined to improve detection performance. Experiments on a real dataset show that the proposed method outperforms the state-of-the-art unsupervised detectors.
Title: Unsupervised BLSTM Based Electricity Theft Detection with Training Data Contaminated. Authors: Qiushi Liang, Shengjie Zhao, Jiangfan Zhang, Hao Deng. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-09-15. DOI: https://doi.org/10.1145/3604432
F. Tiausas, K. Yasumoto, J. P. Talusan, H. Yamana, H. Yamaguchi, Shameek Bhattacharjee, Abhishek Dubey, Sajal K. Das
Route Planning Systems (RPS) are a core component of autonomous personal transport systems essential for safe and efficient navigation of dynamic urban environments with the support of edge-based smart city infrastructure, but they also raise concerns about user route privacy in the context of both privately-owned and commercial vehicles. Numerous high-profile data breaches in recent years have fortunately motivated research on privacy-preserving RPS, but most of them are rendered impractical by greatly increased communication and processing overhead. We address this by proposing an approach called Hierarchical Privacy-Preserving Route Planning (HPRoP) which divides and distributes the route planning task across multiple levels, and protects locations along the entire route. This is done by combining Inertial Flow partitioning, Private Information Retrieval (PIR), and Edge Computing techniques with our novel route planning heuristic algorithm. Normalized metrics were also formulated to quantify the privacy of the source/destination points (endpoint location privacy) and the route itself (route privacy). Evaluation on a simulated road network showed that HPRoP reliably produces routes differing only by ≤ 20% in length from optimal shortest paths, with completion times within ∼25 seconds, which is reasonable for a PIR-based approach. On top of this, more than half of the produced routes achieved near-optimal endpoint location privacy (∼1.0) and good route privacy (≥ 0.8).
Title: HPRoP: Hierarchical Privacy-Preserving Route Planning for Smart Cities. Authors: F. Tiausas, K. Yasumoto, J. P. Talusan, H. Yamana, H. Yamaguchi, Shameek Bhattacharjee, Abhishek Dubey, Sajal K. Das. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-08-30. DOI: https://doi.org/10.1145/3616874
There is a trend towards communication of larger data objects in wireless vehicle communication. In many cases, communication uses publish-subscribe protocols. Data rate requirements of such protocols are best addressed by wireless multicast protocols, but the existing protocols lack an error protection that is suitable for real-time and safety-critical applications. We present an application-aware protocol that supports the popular DDS (Data Distribution Service) middleware. By exploiting data object deadlines and slack for retransmissions and employing an adaptable, multicast-aware prioritization mechanism, the reliable exchange of large data objects is enabled. The protocol is sufficiently general to be used on top of different communication standards such as 802.11- and cellular-based V2X (Vehicle-to-Everything) technologies. The protocol was implemented in an OMNeT++ simulation model and evaluated against recent state-of-the-art alternatives using parameters and constraints taken from a motivational truck platooning example. Furthermore, the protocol was implemented using an open-source DDS implementation as the basis and tested on a physical wireless demonstrator setup. The evaluation shows that the presented multicast protocol substantially outperforms the alternatives, keeping streaming applications operational even under high frame error rates.
Title: An Error Protection Protocol for the Multicast Transmission of Data Samples in V2X Applications. Authors: Alex Bendrick, Jonas Peeck, Rolf Ernst. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-08-23. DOI: https://doi.org/10.1145/3617126
Cooperative Adaptive Cruise Control (CACC) based vehicle platooning can increase the safety and efficiency of traffic. This work looks into the communication and control problems of vehicle platooning, and proposes a control and communication co-design for CACC. First, an integrated radar system is presented. This system integrates sensing of relative position, speed, and communication between a predecessor and its follower. Second, a working scheme for the integrated radar system is presented. This scheme allows the radar systems to switch periodically between different working modes without interference from other modes. Therefore, the relative position, speed, and communication can be asynchronously and periodically updated to the controller. Third, a periodic event-triggered control approach is presented. This approach allows asynchronous periodic sampling of the output, and is deeply co-designed with the radar system and its working scheme. Delays are also considered in the control approach. The co-design CACC approach can guarantee the vehicle platoons to be string stable. A numerical example has shown the feasibility of the approach.
Title: Periodic Event-Triggered Cooperative Adaptive Cruise Control and Communication Co-Design for Vehicle Platooning. Authors: A. Fu, Sijia Chen, Jun-Li Qiao, Chengpu Yu. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-08-21. DOI: https://doi.org/10.1145/3617125
Cyber-Physical Systems (CPS) are increasingly used in many complex applications, such as autonomous delivery drones, automotive CPS design, power grid control systems, and medical robotics. However, existing programming languages lack certain design patterns for CPS designs, including temporal semantics and concurrency models. Future research directions may involve programming language extensions to support CPS designs. On the other hand, JSF++, MISRA, and MISRA C++ provide specifications intended to increase the reliability of safety-critical systems. This article also describes the development of rule checkers based on the MISRA C++ specification using the Clang open-source tool, which allows for the annotation of code and the easy extension of the MISRA C++ specification to other programming languages and systems. This is potentially useful for future CPS language research extensions to work with reliability software specifications using the Clang tool. Experiments were performed using key C++ benchmarks to validate our method in comparison with the well-known Coverity commercial tool. We illustrate key rules related to class, inheritance, template, overloading, and exception handling. Open-source benchmarks that violate the rules detected by our checkers are also illustrated. A random graph generator is further used to generate diamond cases with multiple-inheritance test data for our software validations. The experimental results demonstrate that our method can provide information that is more detailed than that obtained using Coverity for nine open-source C++ benchmarks. Since the Clang tool is widely used, it will further allow developers to annotate their own extensions.
Title: The Support of MISRA C++ Analyzer for Reliability of Embedded Systems. Authors: Che-Chia Lin, Wei-Hsu Chu, Chia-Hsuan Chang, Hui-Hsin Liao, Chun-Chieh Yang, Jenq-Kuen Lee, Yi-Ping You, Tien-Yuan Hsieh. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-07-31. DOI: https://doi.org/10.1145/3611390
To realize the grand vision of automated driving in smart vehicle cyber-physical systems (CPS), one important task is to support the merging of connected automated vehicles (CAVs) from a metered ramp onto a highway. Certain safety rules must be guaranteed. However, this demand is complicated by the inherently unreliable wireless communications. In this paper, we focus on the well-adopted constant-time-headway (CTH) safety rule. We propose a highway and metered-ramp CAV collaborative merging protocol, and formally prove its guarantee of the CTH safety and liveness under arbitrary wireless data packet losses. These theoretical claims are further validated by our simulations. Furthermore, the simulation results also show significant improvements in merging efficiency over other solution alternatives. In particular, the merging success rates are more than 99% better in 11 out of 18 comparison pairs, and 0% (i.e., tied) to ∼71% better in the remaining 7 comparison pairs.
Title: A Reliable Wireless Protocol for Highway and Metered-Ramp CAV Collaborative Merging with Constant-Time-Headway Safety Guarantee. Authors: Xueli Fan, Qixin Wang, Jie Liu. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-07-14. DOI: https://doi.org/10.1145/3609227
Ertem Esiner, Utku Tefek, D. Mashima, Binbin Chen, Z. Kalbarczyk, D. Nicol
Successful attacks against industrial control systems (ICS) often exploit insufficient checking mechanisms. While firewalls, intrusion detection systems, and similar appliances introduce essential checks, their efficacy depends on the attackers' ability to bypass such middleboxes. We propose a provenance solution to enable the verification of the end-to-end message delivery path and the actions performed on a message. Fast and flexible provenance verification (F2-Pro) provides cryptographically verifiable evidence that a message has originated from a legitimate source and gone through the necessary checks before reaching its destination. F2-Pro relies on lightweight cryptographic primitives and flexibly supports various communication settings and protocols encountered in ICS thanks to its transparent, bump-in-the-wire design. We provide formal definitions and cryptographically prove F2-Pro's security. For human interaction with ICS via a field service device, F2-Pro features a multi-factor authentication mechanism that starts the provenance chain from a human user issuing commands. We compatibility-tested F2-Pro on a smart power grid testbed and report a sub-millisecond latency overhead per communication hop using a modest ARM Cortex-A15 processor.
Title: Message Authentication and Provenance Verification for Industrial Control Systems. Authors: Ertem Esiner, Utku Tefek, D. Mashima, Binbin Chen, Z. Kalbarczyk, D. Nicol. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-07-06. DOI: https://doi.org/10.1145/3607194
T. Zoppi, Innocenzo Mungiello, A. Ceccarelli, Alberto Cirillo, Lorenzo Sarti, Lorenzo Esposito, G. Scaglione, Sergio Repetto, A. Bondavalli
The railway domain is regulated by rigorous safety standards to ensure that specific safety goals are met. Often, safety-critical systems rely on custom hardware-software components that are built from scratch to achieve specific functional and non-functional requirements. Instead, the (partial) usage of Commercial Off-The-Shelf (COTS) components is very attractive as it potentially allows reducing cost and time to market. Unfortunately, COTS components do not individually offer enough guarantees in terms of safety and security to be used in critical systems as they are. In such a context, RFI (Rete Ferroviaria Italiana), a major player in Europe for railway infrastructure management, aims at equipping track-side workers with COTS devices to remotely and safely interact with the existing interlocking system, drastically improving the performance of maintenance operations. This paper describes the first effort to update existing (embedded) railway systems to a more recent cyber-physical system paradigm. Our Remote Worker Dashboard (RWD) pairs the existing safe interlocking machinery alongside COTS mobile components, making cyber and physical components cooperate to provide the user with responsive, safe, and secure service. Specifically, the RWD is a SIL4 cyber-physical system to support maintenance of actuators and railways in which COTS mobile devices are safely used by track-side workers. The concept, development, implementation, verification and validation activities to build the RWD were carried out in compliance with the applicable CENELEC standards required by certification bodies to declare compliance with specific guidelines.
Title: Safe Maintenance of Railways using COTS Mobile Devices: The Remote Worker Dashboard. Authors: T. Zoppi, Innocenzo Mungiello, A. Ceccarelli, Alberto Cirillo, Lorenzo Sarti, Lorenzo Esposito, G. Scaglione, Sergio Repetto, A. Bondavalli. Journal article, ACM Transactions on Cyber-Physical Systems, published 2023-07-04. DOI: https://doi.org/10.1145/3607193