Cyber-Physical System Checkpointing and Recovery

Transcription

1 Cyber-Physical System Checkpointing and Recovery Fanxin Kong, Meng Xu, James Weimer, Oleg Sokolsky, Insup Lee Department of Computer and Information Science University of Pennsylvania

2 Cyber-Physical System Checkpointing and Recovery Fanxin Kong, Meng Xu, James Weimer, Oleg Sokolsky, Insup Lee Department of Computer and Information Science University of Pennsylvania

3 Security 2

4 CPS Attack Surfaces Cyber attack surfaces - e.g., communication, networks, computers,... Environmental attack surfaces - e.g., GPS signal, electromagnetic interference,... Physical attack surfaces - e.g., locks, casings, cables, Human attack surfaces - e.g., phishing, blackmail, Smart Power Grid 3

5 Outline What we study Our idea: checkpointing and recovery Design for recovery Checkpointing protocol design Evaluation 4

6 What we study and why? Target: Sensor Attacks The attacker can arbitrarily change sensor measurements - environmental attack surfaces - cyber attack surfaces Malicious signals Malicious packets Physical system Sensor Actuator Network 30mi/h 100mi/h Controller 5

7 What we study and why? Target: Sensor Attacks The attacker can arbitrarily change sensor measurements - environmental attack surfaces - cyber attack surfaces Goal: Resilience To ensure control performance with sensor attacks Malicious signals Malicious packets Physical system Sensor Actuator Network Controller 6

8 Ideally Speed sensor attack Ideally, the system performs (almost) the same as if there is no attack - Example: cruise control under a speed sensor attack 7

9 How sensor attacks affect control? Controller Sensor Physical system Actuator 1. A sensor attack or fault occurs 4. The actuator performs the misled actuation 5. The physical system drifts off 8

10 Limitations of Existing Approaches Existing approaches rely on sensor redundancy - Multiple sensors (partially) measure the same physical variables Existing approaches limit the number of compromised sensors - E.g., less than half of the total number of sensors In question: how to handle the case that violates these limitations? 9

11 Outline What we study Our idea: checkpointing and recovery Design for recovery Checkpointing protocol design Evaluation 10

12 My idea: checkpointing and recovery Controller Sensor Physical system Actuator Recovery: restore the system so that state estimations / predictions correctly reflect the system s physical states Advantage: no need to modify the controller 11

13 Can we apply roll-back recovery directly? It is often infeasible to roll back a CPS system - e.g., power flow in the power grid - irreversible processes 12

14 Can we apply roll-back recovery directly? It is often infeasible to roll back a CPS system - e.g., power flow in the power grid - irreversible processes Physically rolling back physical states incurs considerable overhead and usually unnecessary - e.g., speed sensor attack Roll-back -- desired speed Better 13

15 Outline What we study Our idea: checkpointing and recovery Design for recovery Checkpointing protocol design Evaluation 14

16 Propose roll-forward recovery Physical-State Recovery: Rolling the system to the current time by starting from a consistent global physical-state. Prediction using historical state Estimated speed 15

17 How does it work? Idea: model-based prediction E.g., A linear time-invariant system By prediction (step 1, 2) Unchanged Step 1: predict the current state Step 2: recover the faulty state 16

18 Outline What we study Our idea: checkpointing and recovery Design for recovery Checkpointing protocol design Evaluation 17

19 What kind of states is used? Cyber state: logical consistency Message send-receive Physical state: timed consistency Difference of timestamp 18

20 Which consistent state is used? detection window?? used for recovery pending detection States that pass detection can be used for recovery Attack detection usually has substantial delay States during the detection interval may be incorrect Idea: use states outside detection window for recovery 19

21 Checkpointing CPS A sliding window based protocol detection window???? deleted deleted states states buffered buffered states states the stored the state stored state Step 1: states are buffered, before passing the detection Step 2: the state is stored, after passing the detection Step 3: stored states are discarded, if no longer needed 20

22 The overall system design Physical system checkpointing attacked YES recovered NO YES NO? prediction recovery Controller Recovery-based control: predict future states based on the recovered state time Normal operation Recovery Recovery-based control 21

23 Outline What we study Our idea: checkpointing and recovery Design for recovery Checkpointing protocol design Evaluation 22

24 Scenario: lane keep Testbed: an unmanned vehicle. Each front wheel is driven by a motor, and each motor has a speed sensor Goal: to keep a vehicle travel in a straight line, i.e., the two front wheels have the same speed Controller: a PID controller supervises and controls the speed difference of the two front wheels Attack: the attacker modifies a speed sensor s measurements to a constant value 23

25 How well does it work? No protection speed difference large The vehicle keeps turning speed difference recovery With protection small The vehicle travels almost straightly 24

26 Summary Goal: Securing Cyber-Physical Systems CPS Checkpointing and Recovery A Roll-forward Recovery A Sliding-Window Based Checkpointing Protocol Case Study: Sensor Attacks on Automobiles Thank you! 25