Date posted: 03-Jul-2020
Transcript
Page 1

Trigger Action Integrity for Cyber-Physical Systems
Doug Everson (1), Long Cheng (1), Danfeng (Daphne) Yao (2)

(1) Clemson University, (2) Virginia Tech

Motivation

Cyber-Physical Systems (CPS)

Event Identification and Dependence Analysis

Advanced Manufacturing

ICS-CERT report (https://ics-cert.us-cert.gov)

[Figure: bar chart, Number of Reported Incidents in ICS, years 2010 to 2015, y-axis 0 to 400]

Event-Aware Finite-State Automaton (eFSA) Model

[Figure: control-flow graph of an instrumented program in LLVM IR. Edges mark data dependence on any sensor reading API and control dependence on any actuation API; branches are labelled True/False.]

LLVM IR excerpts shown in the figure:

<label>:0
  ...
  %3 = call i32 @E1()
  %4 = icmp ne i32 %3, 0
  br i1 %4, label %5, label %15
<label>:5
  Actuation1 ...
<label>:15
  %16 = call i32 @E2()
  %17 = icmp ne i32 %16, 0
  br i1 %17, label %18, label %27
<label>:18
  Actuation2 ...
<label>:27
  ...

<label>:5
  call void (...)* @actuator_signal()
  ...
  %3 = load i32* @steps, align 4
  %4 = icmp sle i32 %2, %3
  br i1 %4, label %5, label %9
<label>:9
  ret void

Source-level view of the same program (S0, …, S6 denote system calls; E1 and E2 are binary events, the humidity loop is a non-binary event):

S0;
while(…){
  S1;
  if(E1()){ for(…humidity…){ S2; S3; } }
  else if(E2()){ for(…){ S4; } }
  S5; S6;
}

[Figure: the eFSA built from this program, with states 1 to 11 over the system calls S0, …, S6 and transitions labelled by the events they depend on (E1-dependent, E1⋀E2-dependent; the extractor rendered the event symbol as "!" and the transition labels as unreadable glyphs).]

Event Identification

Event Dependence Analysis

Limitation of eFSA

Enforcing Trigger-Actuation Integrity

Security policies

Identify Security Checkpoints

Event-Actuation Dependency Analysis
Actuation-Physical Dependency Analysis
Program Instrumentation
Execution Monitor
  Checking Event Triggering Integrity
  Checking Control Actuation Integrity
Security policies

[Figure: numbered workflow diagram (steps 1 to 6) linking these stages; the node numbers and check marks are figure residue.]

System Overview

[Figure: Hardware hosting a Normal World, which runs the Instrumented Program, and a Secure World, which runs the Execution Monitor. The instrumented program calls into the monitor around each actuation:]

  call void @__ETI_CALL(context)   ; Event Triggering Integrity
  call void @Actuation()
  call void @__CAI_CALL(context)   ; Control Actuation Integrity

On-going Work

Training Phase

Monitoring Phase

Detect whether a control action should really happen before triggering a sensitive actuation

Detect whether a control actuation has properly happened after it is triggered
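As an added example (not code from the poster or from the authors' system), the following C program models the two checkpoints on the thermostat/HVAC scenario used by the poster's testbed: the monitor re-reads the plant through its own sensor suite, ETI blocks an actuation whose triggering event the trusted reading does not support, and CAI flags a commanded state the actuator never reached. The physics_t and context_t structs, the setpoint rule, the verdict codes and all sensor values are assumptions constructed for the example.

```c
#include <stdio.h>

enum { HVAC_OFF = 0, HVAC_ON = 1 };
#define SETPOINT 20   /* heat when the inside temperature drops below this */

/* Trusted view of the plant from the monitor's own sensor suite
 * (constructed values here, not live readings). */
typedef struct { int inside_temp; int hvac_status; } physics_t;

/* Checkpoint context: the reading the (possibly compromised) controller
 * claims it sensed and the actuation it derived from it. */
typedef struct { int claimed_temp; int command; } context_t;

/* Event Triggering Integrity: before the actuation fires, the trusted
 * reading must satisfy the same event condition the controller used,
 * and the command must be the one that event justifies. */
int __ETI_CALL(const context_t *ctx, const physics_t *phys) {
    int claimed_event = ctx->claimed_temp < SETPOINT;
    int trusted_event = phys->inside_temp < SETPOINT;
    return claimed_event == trusted_event &&
           (ctx->command == HVAC_ON) == trusted_event;
}

/* Control Actuation Integrity: after the actuation, the actual actuator
 * state must equal the commanded one; a mismatch means the command was
 * replaced in transit or never reached the plant. */
int __CAI_CALL(const context_t *ctx, const physics_t *phys) {
    return phys->hvac_status == ctx->command;
}

/* One control cycle. 'delivered' is the command that actually reaches the
 * actuator; it differs from ctx.command under a command replacing attack.
 * Returns 0 = clean, 1 = ETI violation (actuation blocked before it fires),
 * 2 = CAI violation (detected after it is triggered). */
int run_cycle(physics_t *phys, int claimed_temp, int delivered) {
    context_t ctx = { claimed_temp, claimed_temp < SETPOINT ? HVAC_ON : HVAC_OFF };
    if (!__ETI_CALL(&ctx, phys)) return 1;
    phys->hvac_status = delivered;            /* actuation reaches the plant */
    if (!__CAI_CALL(&ctx, phys)) return 2;
    return 0;
}

int main(void) {
    physics_t cold = { 18, HVAC_OFF }, warm = { 25, HVAC_OFF }, cold2 = { 18, HVAC_OFF };
    printf("normal cycle:     %d\n", run_cycle(&cold, 18, HVAC_ON));    /* 0 */
    printf("spoofed event:    %d\n", run_cycle(&warm, 18, HVAC_ON));    /* 1 */
    printf("replaced command: %d\n", run_cycle(&cold2, 18, HVAC_OFF));  /* 2 */
    return 0;
}
```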

[Figure: cyber-physical control loop. Sensors observe the Physical Process and raise Events for the Control System; the Control System issues Control Actuation to Actuators, which act on the Physical Process.]

Control System: electrical distribution, manufacturing, industrial control, automobile systems, …

Actuators: breakers, switches, pumps, motors, valves, …

Adversary: Event Triggering Attacks (at the Event Triggering step) and Control Command Replacing Attacks (at the Control Actuation step)

Mod/Sim Live Testbed

[Figure: a Physics Runtime supplies the Actual Inside Temperature, Actual HVAC Status and Actual Outside Temperature to a Thermostat Controller and Actuator, which are monitored by the TAI Execution Monitor and Sensor Suite.]

Autonomous Vehicle Systems

[Figure: vehicle Controller monitored by the TAI Execution Monitor and Sensor Suite.]

Multiple Data Sources:
- Wired Networks (CAN, Automotive Ethernet)
- Wireless Networks (DSRC, 5G)
- Physical Environment (Gyroscopes)
- Sensors (Radar, Throttle Position, Speedometer)
- Controls (Brake Pedal, Accelerator, Steering)

Monitor tasks:
- Learn, correlate, monitor, respond
- Identify security policy
- Identify unexpected inputs
- Alert and/or respond for occupant safety

Design Objectives

• Finer granularity of integrity checking (basic-block level)
• Prevent damage to the physical system before control actuations are sent
• Detect control command replacing attacks in CPS
• Minimum code instrumentation
• Timing-compliance
• Secure reference monitor

Limitations of eFSA that motivate these objectives:

• CPS field devices may send control signals by directly writing registers without calling system calls
• Passive monitoring detects attacks only after they have occurred, with predictable and severe consequences
