
Post on 03-Jul-2020


Trigger Action Integrity for Cyber-Physical Systems

Doug Everson (1), Long Cheng (1), Danfeng (Daphne) Yao (2)

(1) Clemson University, (2) Virginia Tech

Motivation

Cyber-Physical Systems (CPS)

Advanced Manufacturing

[Figure: Number of Reported Incidents in ICS, 2010 to 2015 (y-axis 0 to 400). Source: ICS-CERT report (https://ics-cert.us-cert.gov)]

Event Identification and Dependence Analysis

Event-Aware Finite-State Automaton (eFSA) Model

[Figure: event identification in LLVM IR. A sensor-reading API call establishes a data dependence; the branch on its result establishes a control dependence on the actuation API call in the taken branch.]

    ...
    %3 = load i32* @steps, align 4
    %4 = icmp sle i32 %2, %3
    br i1 %4, label %5, label %9          ; True -> %5, False -> %9

    <label>:5
    call void (...)* @actuator_signal()
    ...

    <label>:9
    ret void

Data dependence: any sensor reading API. Control dependence: any actuation API.

[Figure: control-flow graph of the two-event example. Each event check calls E1() or E2(), compares the result with zero, and branches to an actuation block (True) or on to the next check (False).]

    <label>:0
    ...
    %3 = call i32 @E1()
    %4 = icmp ne i32 %3, 0
    br i1 %4, label %5, label %15         ; True -> %5, False -> %15

    <label>:5
    Actuation1 ...                        ; E1-dependent

    <label>:15
    %16 = call i32 @E2()
    %17 = icmp ne i32 %16, 0
    br i1 %17, label %18, label %27       ; True -> %18, False -> %27

    <label>:18
    Actuation2 ...                        ; E1 ⋀ E2-dependent (as annotated on the poster)

    <label>:27
    ...

Example program (S0, …, S6 denote system calls):

    S0;
    while (…) {
        S1;
        if (E1()) {
            for (…humidity…) { S2; S3; }
        } else if (E2()) {
            for (…) { S4; }
        }
        S5; S6;
    }

[Figure: eFSA for the program above. States are numbered 1 to 11 and each transition is labelled with the system call (S0 to S6) that takes it. Transitions inside the E1 branch are annotated E1-dependent and those inside the E2 branch E1 ⋀ E2-dependent; the labels also mark the E1/E2 checks as binary events and the humidity-dependent loop as a non-binary event.]

Event Identification

Event Dependence Analysis
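To make the eFSA idea concrete, here is an execution monitor for the example program above, written as an added illustration (it is not the poster authors' code). It also previews the Event Triggering Integrity check described later in the poster: besides checking that the system-call sequence is one the program can produce, it verifies that every event-dependent call (S2 and S3 after E1, S4 after the else-if on E2) is issued only while the monitor's own, independently observed sensor reading says that event is true. The sensor names, thresholds, trace records and the assumption that every loop may run zero times are constructed for this example.

```python
"""Event-aware FSA (eFSA) execution monitor for the poster's example program.

Added example (not the poster authors' code). The automaton is derived from

    S0; while (...) { S1; if (E1()) { for (...) { S2; S3; } }
                      else if (E2()) { for (...) { S4; } }
                      S5; S6; }

Each trace record pairs a system call with the sensor state the monitor observed
independently at that moment. The monitor raises a "transition" alert when the
call sequence is impossible for the program, and an "event_triggering" alert when
an event-dependent call is issued although its triggering event is false.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# eFSA transition table: which system call may follow which. Assumption: every
# loop may execute zero times, so S1 may go straight to S5 and S3 may return to S2.
TRANSITIONS: Dict[str, Set[str]] = {
    "S0": {"S1"},
    "S1": {"S2", "S4", "S5"},   # E1 branch, E2 branch, or neither
    "S2": {"S3"},
    "S3": {"S2", "S5"},         # another humidity-loop iteration, or leave the branch
    "S4": {"S4", "S5"},
    "S5": {"S6"},
    "S6": {"S1"},               # next while(...) iteration
}

Sensors = Dict[str, float]

# Binary events evaluated from the monitor's own sensor readings. Sensor names and
# thresholds are constructed for this example.
def E1(s: Sensors) -> bool:
    return s["humidity"] > 70.0

def E2(s: Sensors) -> bool:
    return s["temperature"] > 30.0

# Event dependence per system call, following the program's if / else-if structure.
EVENT_DEPENDENCE: Dict[str, Callable[[Sensors], bool]] = {
    "S2": E1,
    "S3": E1,
    "S4": lambda s: (not E1(s)) and E2(s),
}

@dataclass
class Alert:
    index: int      # position in the trace
    syscall: str
    kind: str       # "transition" or "event_triggering"
    detail: str

def check_trace(trace: List[Tuple[str, Sensors]], event_aware: bool = True) -> List[Alert]:
    """Replay a trace through the eFSA. With event_aware=False this degrades to a
    plain system-call FSA, which shows what the event checks add on top of it."""
    alerts: List[Alert] = []
    prev = None
    for i, (call, sensors) in enumerate(trace):
        if prev is None:
            if call != "S0":
                alerts.append(Alert(i, call, "transition", "trace must start at S0"))
        elif call not in TRANSITIONS.get(prev, set()):
            alerts.append(Alert(i, call, "transition", f"{prev} -> {call} is not a program path"))
        pred = EVENT_DEPENDENCE.get(call)
        if event_aware and pred is not None and not pred(sensors):
            alerts.append(Alert(i, call, "event_triggering",
                                f"{call} issued while its triggering event is false"))
        prev = call
    return alerts

# Constructed sensor states and traces.
DRY   = {"humidity": 40.0, "temperature": 25.0}   # neither E1 nor E2
HUMID = {"humidity": 80.0, "temperature": 25.0}   # E1 holds
HOT   = {"humidity": 40.0, "temperature": 35.0}   # E2 holds, E1 does not

BENIGN_TRACE = [("S0", DRY), ("S1", HUMID), ("S2", HUMID), ("S3", HUMID), ("S5", HUMID), ("S6", HUMID),
                ("S1", HOT), ("S4", HOT), ("S4", HOT), ("S5", HOT), ("S6", HOT),
                ("S1", DRY), ("S5", DRY), ("S6", DRY)]

# Event triggering attack: the program takes the E1 branch (a valid syscall sequence)
# although the monitor's independent reading says the humidity event is false.
SPOOFED_EVENT_TRACE = [("S0", DRY), ("S1", DRY), ("S2", DRY), ("S3", DRY), ("S5", DRY), ("S6", DRY)]

# Control-flow violation: S3 without the preceding S2.
BAD_SEQUENCE_TRACE = [("S0", DRY), ("S1", DRY), ("S3", DRY)]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("spoofed event", SPOOFED_EVENT_TRACE),
                        ("bad sequence", BAD_SEQUENCE_TRACE)]:
        print(name, "| plain FSA alerts:", len(check_trace(trace, event_aware=False)),
              "| eFSA alerts:", [(a.syscall, a.kind) for a in check_trace(trace)])
```

The spoofed-event trace is the case the poster's eFSA is built for: a plain system-call automaton accepts it, because S1 -> S2 -> S3 is a legitimate program path, while the event-aware monitor flags S2 and S3 because the humidity event that should have triggered them is false according to a reading the attacker did not control.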

Limitation of eFSA

Enforcing Trigger-Actuation Integrity

[Figure: workflow. Starting from the security policies, the steps are Identify Security Checkpoints, Event-Actuation Dependency Analysis, Actuation-Physical Dependency Analysis, Program Instrumentation and Execution Monitor. The Execution Monitor performs Checking Event Triggering Integrity and Checking Control Actuation Integrity against the security policies (check marks in the figure). The two dependency tables map event ids to the actuations they trigger and actuation ids to their expected physical effects.]

System Overview

[Figure: the Hardware hosts a Normal World and a Secure World. The Instrumented Program runs in the Normal World; the Execution Monitor runs in the Secure World. Each sensitive actuation in the program is wrapped by two calls into the monitor:]

    call void @__ETI_CALL(context)   ; Event Triggering Integrity check, before the actuation
    call void @Actuation()
    call void @__CAI_CALL(context)   ; Control Actuation Integrity check, after the actuation

On-going Work

Training Phase and Monitoring Phase

Checking Event Triggering Integrity: detect whether a control action should really happen before triggering a sensitive actuation.

Checking Control Actuation Integrity: detect whether a control actuation has properly happened after it is triggered.

[Figure: CPS model. A Physical Process (electrical distribution, manufacturing, industrial control, automobile systems, …) is observed by Sensors, whose readings become Events for the Control System; the Control System issues Control Actuation to Actuators (breakers, switches, pumps, motors, valves, …). The Adversary is shown with two attack classes: Event Triggering Attacks on the event triggering path and Control Command Replacing Attacks on the control actuation path.]

[Figure: Mod/Sim Live Testbed. A Physics Runtime provides the Actual Inside Temperature, Actual HVAC Status and Actual Outside Temperature; a Thermostat Controller drives the Actuator; the TAI Execution Monitor and Sensor Suite observes both.]

Autonomous Vehicle Systems

[Figure: Controller observed by the TAI Execution Monitor and Sensor Suite.]

- Multiple Data Sources
  - Wired Networks (CAN, Automotive Ethernet)
  - Wireless Networks (DSRC, 5G)
  - Physical Environment (Gyroscopes)
  - Sensors (Radar, Throttle Position, Speedometer)
  - Controls (Brake Pedal, Accelerator, Steering)

- Learn, correlate, monitor, respond
  - Identify security policy
  - Identify unexpected inputs
  - Alert and/or respond for occupant safety

Design Objectives

• Finer granularity of integrity checking (basic-block level)
• Prevent damage to the physical system before sending control actuations
• Detect control command replacing attacks in CPS
• Minimum code instrumentation

Limitation of eFSA

• CPS field devices may send control signals by directly writing registers without calling system calls
• Passive monitoring detects attacks only after they have occurred, with predictable and severe consequences

• Timing-compliance
• Secure reference monitor