Distributed and Automated Security Analysis of Critical Energy Delivery Controller Software

Summary Statement

Our solution is able to learn and approximate more advanced control algorithms (e.g., high-order and non-linear portion), which are usually represented as linear components in control state estimation research without adequate attention to comprehensive examination of this representation. Our solution is designed to create a lightweight replica of an actual control software snippet with respect to the explainable model construction (i.e., transparency), which is not emphasized enough in previous learning-based intrusion detectors. Meanwhile, the precise model definition and compression in our solution successfully respond to the “data hunger” in training an accurate and converged model and the practical challenges of the model deployment on those resource-constrained embedded systems.

Our solution first investigates the control loops and identifies the control algorithms associated with the underlying physical dynamics. Then our solution utilizes the dataflow analysis to determine the state variable changes and their mutual dependencies in the targeted controller software segment. Based on the collected information, our solution collects the training dataset in benign experiments and trains an adaptive neural network model to approximate the logic behaviors of the target controller snippet, which embodies identical semantics but different syntaxes. Our solution simplifies and prunes the trained model to inject the online monitoring framework into the main loop of the cyber-physical platform and detect the malicious abnormality by validating the deviation of the expected state outputs from the approximate model and the perceived outputs from the running control logic.

Energy Delivery System (EDS) Gap Analysis

Trustworthy operation of the critical infrastructures requires secure protections against potential adversarial attacks. Our focus has been onprogramable logic controllers (PLCs) that are commonly used in critical cyber-physical platforms to monitor and control the underlying physical processes such as energy delivery systems. Building on previous CREDC work we have proposed a runtime solution based on artificial intelligence (AI) such as deep neural networks (DNN) and programming language techniques to monitor end-to-end control logic execution on the programming logic controllers through its state variable changes (i.e., from control state inputs to calculated actuation outputs).

Our solution can detect data-oriented exploits, which include the external physical attacks (e.g., sensor/signal spoofing attacks) and internal control parameter manipulations (e.g., deciding control variables in essential control logic) leading to unsafe physical states of the underlying physical processes. The attackers may leverage these attack surfaces by spoofing communication channels, sensor readings, and tampering with memory operations. Our solution protects the cyber-physical platform against these attacks by running a machine-learning-based approximate computing model to compare the expected control state outputs and the actual measured ones. The figure below shows an example of a real controller where the signal shows the difference between the actual and the expected values. During the attack the difference exceeds the threshold and triggers the intrusion detection alert automatically.

Figure 1: estimation error and real-time detection in practical attack cases

More Information