Design Methodologies for Securing Cyber-Physical Systems
Mohammad Al Faruque, Dept. of Electrical Engineering & Computer Science, University of California, Irvine, CA, [email protected]
Francesco Regazzoni, ALaRI Institute, University of Lugano, Lugano, Switzerland, [email protected]
Miroslav Pajic, Dept. of Electrical and Computer Engineering, Duke University, Durham, NC, USA, [email protected]
ABSTRACT
Cyber-Physical Systems (CPS) are in most cases safety- and mission-critical. Standard design techniques used for securing embedded systems are not suitable for CPS due to the restricted computation and communication budget available in the latter. In addition, the sensitivity of sensed data and the presence of actuation components further increase the security requirements of CPS. To address these issues, it is necessary to provide new design methods in which security is considered from the beginning of the whole design flow and addressed in a holistic way. In this paper, we focus on the design of secure CPS as part of the complete CPS design process, and provide insights into new requirements on platform-aware design of control components, design methodologies and architectures posed by CPS design. We start by discussing methods for the multi-disciplinary modeling, simulation, tools, and software synthesis challenges for CPS. We also present a framework for design of secure control systems for CPS, while taking into account properties of the underlying computation and communication platforms. Finally, we describe the security challenges in the computing hardware that is used in CPS.
1. INTRODUCTION
Cyber-Physical Systems (CPS) feature tight integration of computational nodes, communication networks, and physical environment that might include human users. CPS have to fulfill a number of strict requirements in terms of power and energy consumption, while providing real-time interaction with (i.e., control of) the physical world using reduced communication and computation resources. Nevertheless, the sensitivity of sensed data and the presence of actuation components further increase the security requirements of CPS. Standard design techniques used for securing embedded systems are not suitable for CPS, due to the constrained computation and communication budget available in the latter. To address these issues, we require a new design approach in which security is considered from the beginning of the whole design flow and addressed in a holistic way.
Recently, there have been high-profile attacks against CPS, exploiting the tight integration between physical, computational, and networking aspects of CPS, and illustrating vulnerabilities of these systems. In [24, 12], several simple methods to disrupt the operation of a vehicle were presented. Additional incidents that have raised attention about security problems in CPS include the Maroochy Water incident [49] and the Stuxnet virus attack on a SCADA system used in industrial process control [13, 25, 14]. Furthermore, recent studies have found that a large number of widely-used software-based medical devices have been compromised [52]. For example, in a VA hospital a virus infected 104 medical devices such as X-rays, causing interruption of patient care [61]. Also, methods to perform attacks on a widely used glucose monitoring and insulin delivery system [26] and attack vectors on a networked PCA pump in a system of interoperable medical devices [53] have been reported.
In this paper, we address the issues related to the design of secure CPS. Existing methods for securing embedded systems have proven to not be completely effective in this domain. For instance, recent attacks demonstrated that considering security as an afterthought has not been the best way to address physical attacks, such as sensor spoofing; recent examples include GPS spoofing attacks to misguide a yacht off route [2], while [59, 16, 55] present steps and equipment required for GPS spoofing.
It is thus of crucial importance that designers of future CPS are aware of the most important security challenges which need to be addressed during the design. In addition, they have to have the proper basic blocks and tools to solve them in a correct and reliable way. We describe the main challenges and opportunities related to security of CPS and provide an updated overview of design tools, methodologies, and basic blocks currently used to address them. Note that we present the design of secure CPS as part of the complete design process for CPS, in order to provide a better insight into the new requirements on platform-aware design of control components, design methodologies and architectures posed by CPS design.
Specifically, we start by discussing challenges in the multi-disciplinary modeling, simulation, tools, and software synthesis for secure CPS (Section 2). We then present a design framework for secure control of CPS, which takes into account properties of the underlying computation and communication platforms (Section 3). Finally, we describe the security challenges in the computing hardware used in CPS (Section 4).
2. FUNCTIONAL LEVEL DESIGN FOR SECURITY
The increasing deployment of software and communication is making CPS more vulnerable to cyber attacks [21, 42]. However, there is a lack of design automation support for CPS security. For this reason, researchers are currently trying to solve the CPS security challenge at the system level. In [60], the authors propose a Model-Based Design (MBD) method to assess the security of CPS with four architecture-level attack models. Authors in [34] have discussed an MBD technique to quantify the security metrics at the early design stage. Some researchers have proposed and used graph-based modeling methods to solve many security problems. Authors in [62] have proposed a systematic method for analyzing cyber-attacks on CPS using an extended Data Flow Diagram (xDFD) approach. Lastly, in [31] the authors have offered an attack tree-based approach for system level security design. Unfortunately, the majority of these existing approaches to CPS security are limited to modeling the software used in security analysis. For this reason, the group at UCI has proposed a design automation model and tool to formulate and solve the security problem(s) before the system is built.
The work proposed by the UCI group exploits the observation that identifying and fixing problems at the early stages is economically beneficial. They propose to formulate the security problem before the system is built. They model cybersecurity attacks and countermeasure functionalities using a novel security-aware functional modeling language implemented in commercial design and simulation tools, and they create a design automation tool that uses simulation to validate cybersecurity vulnerabilities at the system level.
Existing functional models include two types of functions: physical and cyber [9, 10, 11, 57]. Functions interact with each other through energy, material, and signal flows. These flows carry real physical and cyber properties such as mechanical, electrical, thermal energy, and data. Thus, existing functional models naturally leak information that can be used to attack the system via the signal flows in the cyber domain or energy/material flows in the physical domain. The UCI group extends the functional modeling concept with cybersecurity functions. Their proposed security-aware functional models provide the means to both analyze the effect of cybersecurity attack functions on the system, and refine the design using cybersecurity countermeasure functions.
An example of a security-aware functional model for a car is shown in Figure 1. In this example, both cyber and physical attacks are modeled. The blue arrows in the flows represent the cyber attack vectors, while the red arrows represent the physical attack vectors. The purpose of the analysis is to quantify the effects of these attacks on the Export TME function that maps to the velocity of the car. In other words, we want to determine if the velocity controls are vulnerable to any cyber-physical attacks.
In order to evaluate the security level of the Export TME function, we simulate the model and analyze the impact of the attack at the system level. This step is important to identify functions that are vulnerable to attacks. These low-security functions can then be protected by refining the functional model and adding cybersecurity countermeasure functions. This iterative approach facilitates the analysis of different scenarios. An important benefit of the iterative approach is that more complex scenarios can be modeled.
[Figure 1: functional model of a car whose blocks include Import/Store/Convert Human E. (braking control, steering control), Convert/Store EE (BMS, vehicle controller, motor control), Import/Store Chem. E. (fuel, engine control), Transmit RME (transmission control), Convert RME (wheel control), Export TME (target function) and Export T.E./Hot Air. Legend: cyber attack, physical attack, security importance, target function.]
Figure 1: Security-aware functional level model of automotive [58].
From the analysis of this security-aware functional model, a system-level simulation model can be directly generated using the synthesis technology provided in the existing works [9, 10, 11, 57].
To validate the presented methodology, we implemented a design automation tool using commercial off-the-shelf software as shown in Figure 2. Taking advantage of its sub-system libraries, we utilized Amesim to model the system functions (multi-physics), cybersecurity functions, and scenarios (e.g., environmental conditions). In addition, we used Matlab/Simulink for its mathematical capabilities to model the cybersecurity attacks. Six types of attack models are integrated in our current design automation tool.
Figure 2: The design automation tool developed by the UCI group [58].
To demonstrate the proposed design automation tool and the attack models during the early design stage, we used the design of an Electric Vehicle (EV) as a case study. We instantiate an attack model interface using an attack model from the library and insert it between the motor and the motor-controlling ECU. In Figure 3, we see that the fuzzy attack successfully destabilizes the motor behavior by adding noise to the control signals.
[Figure 3: two panels, "Fuzzy attack on the control signal" and "Attacked motor behavior".]
Figure 3: Simulation results with the proposed attack models.
In this work, the UCI group developed a functional model to analyze security challenges during the early design stage. In the future, the UCI group will explore the capability of the functional model to not only help the security analysis, but also to automatically generate/synthesize system-level simulation models in response to the analysis. Moreover, for demonstration purposes, they included six different attack models in their library, but in the future they may develop additional attack models that can capture both cyber and physical domain attacks. Lastly, the group plans on developing security cost metrics to integrate with the proposed security-aware functional models.
3. PLATFORM-AWARE CONTROL DESIGN FOR SECURE CPS
There is a need to change the way we reason about control in CPS, and to start designing attack-resilient control schemes and architectures capable of dealing with cyber-physical attacks on the environment of the controller (e.g., sensors, actuators, and communication media). Recent attacks on control components of CPS have clearly revealed that relying exclusively on cyber-security techniques for securing CPS is insufficient. Consequently, they have spawned research into control-level techniques that address the problem of state estimation and intrusion detection under attacks on the environment of the controller, i.e., attacks on sensors, actuators and communication networks (e.g., [50, 54, 39, 15, 51, 35, 18, 17, 30, 29]).
In this section, we present recent efforts by the Duke research group to exploit the knowledge of the system dynamics for attack-resilient control of CPS. The goal of our work has been to develop tools and techniques to ensure that CPS maintain a degree of control even when the system is under cyber and/or physical attack.
Figure 4: The proposed design framework for secure control of cyber-physical systems.
We propose adding security-awareness to the control system design that allows control systems to recover the information about the state of the controlled process despite the attacks. Our approach to building attack-resilient control systems is to combine secure detection and attack identification with added logical redundancy in system design (see Figure 4). Here, we assume that the control design for the no-attack case has been developed and concentrate on techniques for state estimation and sensor fusion under external attacks. Note that since previously developed methods for attack-resilient state estimation (e.g., [15, 39, 48]) require the impractical assumption of exact knowledge of the controlled plant's dynamics, resilience-to-attack guarantees do not hold when these assumptions are violated.
From the perspective of controlling CPS, the main idea has been to exploit knowledge of the system's dynamics for state estimation and attack detection and identification in the presence of sensor and actuator attacks and attacks on control resources. For instance, in [37], we introduced a method for attack-resilient state estimation for systems with modeling errors and illustrated its use on a real-world case study – design of attack-resilient cruise control on an unmanned ground robot (Figure 5(a)). To obtain the state of a controlled physical process when the attacker compromises system sensors and actuators, we introduced an Integer Programming (IP) based procedure that utilizes a window of previous sensor measurement vectors and (limited) knowledge of the system's dynamics.
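As an added illustration of the window-based estimation idea above (example code, not the Duke group's implementation): it assumes a constructed constant-velocity plant with four sensors, and replaces the integer program with an exhaustive search over sensor subsets, which is only feasible for small sensor counts.

```python
"""Attack-resilient state estimation over a window of sensor measurements.

Added illustration (not the Duke group's code). The estimator knows the plant
dynamics x[t+1] = A x[t] and the sensor map y_i[t] = C_i x[t]; up to Q_MAX of
the N sensors may report arbitrary values chosen by an attacker. It keeps the
last T measurement vectors and searches for the largest sensor subset whose
readings are jointly consistent with the dynamics; sensors left out of that
subset are reported as attacked. A combinatorial search is used here in place
of the integer program described in the text.
"""
from itertools import combinations

DT = 0.1                 # sampling period (constructed)
A = [[1.0, DT],          # constant-velocity model: pos += vel * DT
     [0.0, 1.0]]
# Four sensors (constructed): three position sensors and one velocity sensor.
C = [[1.0, 0.0], [1.0, 0.0], [1.0, 0.0], [0.0, 1.0]]
N = len(C)
Q_MAX = 1                # the attacker may corrupt at most one sensor
T = 4                    # window length (number of past measurement vectors)
RESIDUAL_TOL = 1e-6      # consistency threshold; raise it for noisy sensors
# Resilience to Q_MAX attacked sensors requires the state to stay observable
# after removing any 2*Q_MAX sensors; this constructed sensor set satisfies that.


def regressor_rows(i):
    """Rows C_i A^t for t = 0..T-1, mapping the window-start state x[0] to y_i[t]."""
    rows, row = [], list(C[i])
    for _ in range(T):
        rows.append(row)
        row = [sum(row[k] * A[k][j] for k in range(2)) for j in range(2)]  # row @ A
    return rows


def least_squares(rows, targets):
    """Solve min ||R x - y||^2 for a 2-dim x via the normal equations.
    Returns (x, residual); residual is inf if the rows do not observe x."""
    m00 = m01 = m11 = v0 = v1 = 0.0
    for (a, b), y in zip(rows, targets):
        m00 += a * a; m01 += a * b; m11 += b * b
        v0 += a * y; v1 += b * y
    det = m00 * m11 - m01 * m01
    if abs(det) < 1e-12:
        return None, float("inf")
    x = [(m11 * v0 - m01 * v1) / det, (m00 * v1 - m01 * v0) / det]
    residual = sum((a * x[0] + b * x[1] - y) ** 2 for (a, b), y in zip(rows, targets))
    return x, residual


def resilient_estimate(window):
    """window[t][i] is sensor i's reading at step t of the window (t = 0..T-1).
    Returns (x0_estimate, attacked_sensor_ids), or (None, None) if no subset of
    at least N - Q_MAX sensors agrees with the dynamics (more attacks than assumed)."""
    for q in range(Q_MAX + 1):                # prefer explanations with fewer attacks
        for kept in combinations(range(N), N - q):
            rows, targets = [], []
            for i in kept:
                for t, r in enumerate(regressor_rows(i)):
                    rows.append(r)
                    targets.append(window[t][i])
            x, residual = least_squares(rows, targets)
            if residual <= RESIDUAL_TOL:
                return x, sorted(set(range(N)) - set(kept))
    return None, None


def simulate_window(x0, attack=None):
    """Constructed measurement window from the true initial state x0.
    attack(t) returns {sensor_id: additive corruption} for step t."""
    window, x = [], list(x0)
    for t in range(T):
        readings = [sum(C[i][j] * x[j] for j in range(2)) for i in range(N)]
        for i, delta in (attack(t) if attack else {}).items():
            readings[i] += delta
        window.append(readings)
        x = [sum(A[i][j] * x[j] for j in range(2)) for i in range(2)]
    return window


if __name__ == "__main__":
    true_x0 = [2.0, 1.5]
    print(resilient_estimate(simulate_window(true_x0)))
    # Sensor 1 is spoofed with a drifting bias; the remaining sensors expose it.
    spoofed = simulate_window(true_x0, attack=lambda t: {1: 5.0 + 0.3 * t})
    print(resilient_estimate(spoofed))
```

When more sensors are corrupted than Q_MAX allows, no subset is consistent and the estimator reports that rather than returning a wrong state, which is the failure mode a controller must be prepared to handle.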
Furthermore, we showed how to capture effects of the utilized computation and communication platforms on the accuracy of the dynamical model and described how implementation issues including jitter, latency, and synchronization errors can be captured by the model. This has allowed for the mapping of attack-resilient control objectives into real-time performance requirements from the utilized platform, which facilitates reasoning about attack-resilience across different implementation layers as illustrated in Figure 5(b).
As shown in [24, 12], the lack of understanding between control design assumptions and system implementation can be heavily exploited to compromise the system's functionality. For example, by changing the scheduling sequence for control and sensing actions/computations, we could dramatically affect the stability and safety of the controlled process [33]. Consequently, to facilitate design of secure control for CPS we have developed a framework for cross-layer analysis of platform effects on security properties of employed control algorithms. For illustration, in time-triggered architectures [23] we can rigorously quantify the modeling and performance gap between the model-level semantics of linear dynamic controllers and their implementation-level semantics [33]. Thus, we could analyze the effect and provide performance guarantees when a malicious adversary imposes the worst computing sequence from the control's perspective. In [17, 19] we reported preliminary work on this topic, focused on impacts of the communication schedule on attack-resilient sensor fusion when the system model is not known. In addition, we proposed methods for attack detection and identification for more complex system models. For example, motivated by sensor fault models in some CPS applications (e.g., GPS), we considered attack-resilient sensor fusion that exploits knowledge of temporal sensor fault models without conservatively treating them as compromised [38].
Figure 5: (a) The LandShark ground robot running attack-resilient cruise control, (b) zoomed on Z3 execution times for verification of TF invariants – note that this approach does not scale well because controllers with size greater than two cannot be verified with this type of invariants.
Finally, in the context of CPS, resource constraints might impose an insurmountable obstacle for the use of the developed control techniques. Hence, it is necessary to provide non-optimal methods for attack-resilient control with formal resilience guarantees. For example, in [36] we show how to exploit techniques from compressed sensing to investigate conditions that will enable the use of convex estimators for attack identification while providing formal resiliency guarantees. Note that since extracting accurate-enough dynamical models for some CPS (e.g., patient modeling in Medical CPS) is quite challenging (if at all possible), there are limitations to the use of model-driven methods for attack-resilient control. To overcome this weakness, an avenue of our future work is on data-driven methods for attack detection and identification when some of the sensors are potentially corrupted.
4. SECURING CPS FROM THE HARDWARE POINT OF VIEW
The main difference between Cyber-Physical and other systems is probably the interaction that CPS have with the physical world. CPS, in fact, integrate sensing, computation and actuation capabilities, and they are used to interact with and to control critical infrastructure or critical applications. Applications range from automotive to industrial control systems or medical devices, and for many of them, safety is of utmost importance, as a failure of the system could have catastrophic consequences. Often, CPSs are deployed in a harsh environment, thus requiring reliability and tolerance to faults, and they are characterized by very strict constraints in terms of battery and computation power.
Low power, reliability and safety, however, are not the only properties which designers have to provide to CPSs. The use of CPSs in critical applications makes them an attractive target for cyber-attacks. The most famous example of an attack on a cyber-physical system is probably STUXNET [13], but several other works demonstrate the severity of the problem also for the automotive industry [47] and smart grids [63]. In this section we discuss lightweight cryptography [41], a branch of cryptography aiming at implementing cryptographic algorithms using an extremely limited amount of resources. This goal is achieved following two main approaches [3]. The first approach consists in minimizing the amount of resources needed for implementing standard algorithms (AES, for instance, can be implemented using approximately 2500 Gate Equivalents [32]). The second approach is to design novel algorithms considering from the beginning that they have to be implemented using a limited amount of resources. The most successful examples of the second approach are PRESENT [8] and CLEFIA [46], which recently became ISO standards for lightweight cryptography. Further suitable algorithms can be identified also among the candidates recently submitted to the CAESAR contest [1], which has the goal of selecting a portfolio of algorithms for providing authenticated encryption. The designer has to select the appropriate hardware block according to the needs of the application, considering also that, in particular for control systems, CPSs might have extremely strict legacy requirements. Furthermore, designers should be aware that lightweight cryptography usually trades resources for performance. As CPSs, due to their nature of being controlling systems, often have strict real-time requirements, it should be guaranteed that the included security primitives are capable of meeting them.
CPSs, as several other embedded systems, can be deployed in a hostile environment, thus they are potentially in the hands of the attacker. For this reason, designers of secure hardware for cyber-physical systems have to implement it in such a way that it is robust against physical attacks. When carrying out physical attacks, the adversary, instead of attacking the mathematical structure of a cryptographic primitive, tries to exploit weaknesses of its implementation for accessing secret information. Physical attacks are usually divided into active or passive [27]. During active attacks, the adversary tampers with the device in order to modify its behavior. Examples of these attacks are fault attacks [4], in which an adversary induces a fault into a device, for instance by underfeeding the power supply [5], and extracts the secret key by exploiting the differences between correct and faulty output. In passive attacks, usually called side channel attacks, the adversary extracts secret information by analyzing a physical observable and exploiting its correlation with the secret which is computed. The most common side channel attack is power analysis [20], which extracts the secret key by relating it to the power consumed during encryption. However, also other channels such as timing [22] or electromagnetic emission [45] were successfully used in the past.
Resistance against timing attacks can be achieved by guaranteeing that all the operations depending on secret data are carried out in the same amount of time. This approach is successfully used in servers and in embedded systems, thus it can be used also by CPS designers. Resistance against power analysis attacks can be obtained by breaking the link between the data computed and the actual data (this approach is called masking [28]) or by breaking the correlation between the data being processed and the power consumption (this approach is called hiding [56]). Hardware blocks resistant against power analysis attacks are usually designed and tested by well-trained engineers which manually apply a countermeasure or a number of them to a cryptographic block. However, there have been several attempts to automatically realize hardware resistant against power analysis attacks [56, 43, 44, 40]. Similar approaches can be used by cyber-physical systems designers for securing their devices against physical attacks. It is important to underline, however, that the design of secure hardware is still an open problem. These countermeasures only protect the cyber part of the device, not the physical one. A hardware design flow which considers security also for the physical part of the CPS, to date, still does not exist.
The overall security of a CPS depends on the security of its building blocks. CPS, as other systems, are subject to hardware Trojans, which, potentially, are one of the most serious threats for hardware security. Hardware Trojans can be defined as a deliberate and malicious modification of a hardware component carried out with the goal of altering its correct behavior. Possible examples of alteration can be the leak of secret data or a denial of service. Hardware Trojans received a lot of attention from the community due to the potentially devastating effects which they can have on security [6]. Trojans can be inserted at several points of the design flow: by a malicious designer or IP provider, by a malicious foundry, or by a malicious tool. Several techniques to detect hardware Trojans were proposed in the past, ranging from testing, analysis of side channels, or optical inspection [7]; nevertheless, none of them is perfect, and several of them require a golden model to be effective. Hardware designers of CPS have to be aware of this threat and apply the appropriate detection techniques to identify hardware Trojans or to adopt the appropriate approach at system level to tolerate the presence of Trojans.
Finally, as mentioned, in addition to security requirements, cyber-physical systems need to provide safety and reliability, whose needs might be in contrast with the ones of security. For instance, it is important to consider the effects which redundancy, added to provide fault tolerance, might have on security. Designers of secure cyber-physical systems should always keep a global vision of all the requirements and evaluate the effects which each design choice has on the others. This is a difficult and error-prone task, which would be dramatically simplified by the eventual coming of dedicated design tools.
5. CONCLUSION
In this paper, we have focused on the design challenges for securing Cyber-Physical Systems. Specifically, we have presented an overview of tools, design methods, and building blocks used to design secure CPS. We have considered three complementary approaches for ensuring security in CPS. First, we have described methods for multi-domain modeling, simulation, and software synthesis for secure CPS. Second, we have presented a control-aware design framework to ensure attack-resiliency in CPS. Third, we have addressed the security challenges related to the design and use of computing hardware in CPS. Finally, potential avenues for future work have been discussed.
6. REFERENCES
[1] http://competitions.cr.yp.to/caesar.html.
[2] Spoofers Use Fake GPS Signals to Knock a Yacht Off Course.
[3] C. Alippi, A. Bogdanov, and F. Regazzoni. Lightweight cryptography for constrained devices. In Integrated Circuits (ISIC), 2014 14th International Symposium on, pages 144–147. IEEE, 2014.
[4] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan. The sorcerer's apprentice guide to fault attacks. Proceedings of the IEEE, 94(2):370–382, 2006.
[5] A. Barenghi, C. Hocquet, D. Bol, F.-X. Standaert, F. Regazzoni, and I. Koren. Exploring the feasibility of low cost fault injection attacks on sub-threshold devices through an example of a 65nm AES implementation. In RFID. Security and Privacy, pages 48–60. Springer, 2012.
[6] G. T. Becker, F. Regazzoni, C. Paar, and W. P. Burleson. Stealthy dopant-level hardware trojans. In Cryptographic Hardware and Embedded Systems - CHES 2013, pages 197–214. Springer, 2013.
[7] S. Bhasin and F. Regazzoni. A survey on hardware trojan detection techniques. In IEEE International Symposium on Circuits and Systems (ISCAS 2015), 2015.
[8] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. Robshaw, Y. Seurin, and C. Vikkelsoe. PRESENT: An ultra-lightweight block cipher. Springer, 2007.
[9] A. Canedo, A. Faruque, M. Abdullah, and J. H. Richter. Multi-disciplinary integrated design automation tool for automotive cyber-physical systems. In Proceedings of the conference on Design, Automation & Test in Europe, page 315. European Design and Automation Association, 2014.
[10] A. Canedo, E. Schwarzenbach, and M. A. Al Faruque. Context-sensitive synthesis of executable functional models of cyber-physical systems. ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS), pages 99–108, 2013.
[11] A. Canedo, J. Wan, and M. A. A. Faruque. Functional Modeling Compiler for System-Level Design of Automotive Cyber-Physical Systems. In Proceedings of the ACM/IEEE International Conference on Computer-Aided Design (ICCAD), 2014.
[12] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. Comprehensive experimental analyses of automotive attack surfaces. In SEC'11: Proceedings of the 20th USENIX conference on Security, pages 1–16. USENIX Association, Aug. 2011.
[13] N. Falliere, L. O. Murchu, and E. Chien. W32.Stuxnet dossier. White paper, Symantec Corp., Security Response, 2011.
[14] J. P. Farwell and R. Rohozinski. Stuxnet and the future of cyber war. Survival, 53(1):23–40, 2011.
[15] H. Fawzi, P. Tabuada, and S. Diggavi. Secure estimation and control for cyber-physical systems under adversarial attacks. arXiv preprint arXiv:1205.5073, 2012.
[16] T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. O'Hanlon, and P. M. Kintner Jr. Assessing the spoofing threat: Development of a portable GPS civilian spoofer. In Proceedings of the ION GNSS international technical meeting of the satellite division, volume 55, page 56, 2008.
[17] R. Ivanov, M. Pajic, and I. Lee. Attack-resilient sensor fusion. In DATE'14: Design, Automation and Test in Europe, 2014.
[18] R. Ivanov, M. Pajic, and I. Lee. Resilient multidimensional sensor fusion using measurement history. In HiCoNS'14: High Confidence Networked Systems, 2014.
[19] R. Ivanov, M. Pajic, and I. Lee. Resilient sensor fusion for safety-critical cyber-physical systems. 2014. Submitted.
[20] P. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In Advances in Cryptology - CRYPTO '99, pages 388–397. Springer, 1999.
[21] P. Kocher, R. Lee, G. McGraw, A. Raghunathan, and S. Moderator-Ravi. Security as a new dimension in embedded system design. In Proceedings of the 41st annual Design Automation Conference, pages 753–760. ACM, 2004.
[22] P. C. Kocher. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Advances in Cryptology - CRYPTO '96, pages 104–113. Springer, 1996.
[23] H. Kopetz and G. Bauer. The time-triggered architecture. Proceedings of the IEEE, 91(1):112–126, 2003.
[24] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, and S. Savage. Experimental security analysis of a modern automobile. In 2010 IEEE Symposium on Security and Privacy (SP), pages 447–462, 2010.
[25] R. Langner. Stuxnet: Dissecting a cyberwarfare weapon. Security & Privacy, IEEE, 9(3):49–51, 2011.
[26] C. Li, A. Raghunathan, and N. Jha. Hijacking an insulin pump: Security attacks and defenses for a diabetes therapy system. In e-Health Networking Applications and Services (Healthcom), 2011 13th IEEE International Conference on, pages 150–156, 2011.
[27] S. Mangard, E. Oswald, and T. Popp. Power analysis attacks: Revealing the secrets of smart cards, volume 31. Springer Science & Business Media, 2008.
[28] T. S. Messerges. Securing the AES finalists against power analysis attacks. In Fast Software Encryption, pages 150–164. Springer, 2001.
[29] F. Miao, M. Pajic, and G. J. Pappas. Stochastic game approach for replay attack detection. In Decision and Control (CDC), 2013 IEEE 52nd Annual Conference on, pages 1854–1859, 2013.
[30] Y. Mo, T.-J. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig, and B. Sinopoli. Cyber-physical security of a smart grid infrastructure. Proceedings of the IEEE, 100(1):195–209, 2012.
[31] A. P. Moore, R. J. Ellison, and R. C. Linger. Attack modeling for information security and survivability. Technical report, DTIC Document, 2001.
[32] A. Moradi, A. Poschmann, S. Ling, C. Paar, and H. Wang. Pushing the limits: A very compact and a threshold implementation of AES. In Advances in Cryptology - EUROCRYPT 2011, pages 69–88. Springer, 2011.
[33] T. Nghiem, G. J. Pappas, R. Alur, and A. Girard. Time-triggered implementations of dynamic controllers. ACM Transactions on Embedded Computing Systems (TECS), 11(S2):58, 2012.
[34] D. M. Nicol, W. H. Sanders, and K. S. Trivedi. Model-based evaluation: from dependability to security. Dependable and Secure Computing, IEEE Transactions on, 1(1):48–65, 2004.
[35] M. Pajic, N. Bezzo, J. Weimer, R. Alur, R. Mangharam, N. Michael, G. J. Pappas, O. Sokolsky, P. Tabuada, S. Weirich, et al. Towards synthesis of platform-aware attack-resilient control systems. In Proceedings of the 2nd ACM international conference on High confidence networked systems, 2013.
[36] M. Pajic, P. Tabuada, I. Lee, and G. Pappas. Attack-Resilient State Estimation in the Presence of Noise. Technical report, 2015. Under review.
[37] M. Pajic, J. Weimer, N. Bezzo, P. Tabuada, O. Sokolsky, I. Lee, and G. Pappas. Robustness of attack-resilient state estimators. In Cyber-Physical Systems (ICCPS), 2014 ACM/IEEE International Conference on, pages 163–174, 2014.
[38] J. Park, R. Ivanov, J. Weimer, M. Pajic, and I. Lee. Sensor attack detection in the presence of transient faults. In Proceedings of the ACM/IEEE Sixth International Conference on Cyber-Physical Systems (ICCPS), pages 1–10, 2015.
[39] F. Pasqualetti, F. Dorfler, and F. Bullo. Attack detection and identification in cyber-physical systems. Automatic Control, IEEE Transactions on, 58(11):2715–2729, 2013.
[40] T. Popp and S. Mangard. Masked dual-rail pre-charge logic: DPA-resistance without routing constraints. In Cryptographic Hardware and Embedded Systems - CHES 2005, pages 172–186. Springer, 2005.
[41] A. Poschmann. Lightweight cryptography - cryptographic engineering for a pervasive world. Cryptology ePrint Archive, Report 2009/516, 2009.
[42] S. Ravi, A. Raghunathan, P. Kocher, and S. Hattangady. Security in embedded systems: Design challenges. ACM Transactions on Embedded Computing Systems (TECS), 3(3):461–491, 2004.
[43] F. Regazzoni, S. Badel, T. Eisenbarth, J. Grobschadl, A. Poschmann, Z. Toprak, M. Macchetti, L. Pozzi, C. Paar, Y. Leblebici, et al. A simulation-based methodology for evaluating the DPA-resistance of cryptographic functional units with application to CMOS and MCML technologies. In Embedded Computer Systems: Architectures, Modeling and Simulation, 2007. IC-SAMOS 2007. International Conference on, pages 209–214. IEEE, 2007.
[44] F. Regazzoni, A. Cevrero, F.-X. Standaert, S. Badel, T. Kluter, P. Brisk, Y. Leblebici, and P. Ienne. A design flow and evaluation framework for DPA-resistant instruction set extensions. In Cryptographic Hardware and Embedded Systems - CHES 2009, pages 205–219. Springer, 2009.
[45] P. Rohatgi. Electromagnetic attacks and countermeasures. In Cryptographic Engineering, pages 407–430. Springer, 2009.
[46] T. Shirai, K. Shibutani, T. Akishita, S. Moriai, and T. Iwata. The 128-bit blockcipher CLEFIA. In Fast Software Encryption, pages 181–195. Springer, 2007.
[47] Y. Shoukry, P. D. Martin, P. Tabuada, and M. B. Srivastava. Non-invasive spoofing attacks for anti-lock braking systems. In G. Bertoni and J. Coron, editors, Cryptographic Hardware and Embedded Systems - CHES 2013 - 15th International Workshop, Santa Barbara, CA, USA, August 20-23, 2013. Proceedings, volume 8086 of Lecture Notes in Computer Science, pages 55–72. Springer, 2013.
[48] Y. Shoukry and P. Tabuada. Event-triggered state observers for sparse sensor noise/attacks. arXiv preprint arXiv:1309.3511,
2013.
[49] J. Slay and M. Miller. Lessons learned from themaroochy
water breach. In Critical Infrast. Protection,pages 73–82,
2007.
[50] R. Smith. A decoupled feedback structure for
covertlyappropriating networked control systems. Proc. IFACWorld
Congress, pages 90–95, 2011.
[51] S. Sundaram, M. Pajic, C. Hadjicostis,R. Mangharam, and G.
Pappas. The Wireless ControlNetwork: Monitoring for malicious
behavior. InProceedings of the 49th IEEE Conference on Decisionand
Control, pages 5979–5984, 2010.
[52] D. Talbot. Computer viruses are ŞrampantŤ onmedical
devices in hospitals. MIT Technology Review,
Oct, 17:19, 2012.
[53] C. R. Taylor, K. Venkatasubramanian, and C. A.Shue.
Understanding the security of interoperablemedical devices using
attack graphs. In Proceedings ofthe 3rd International Conference on
High ConfidenceNetworked Systems, HiCoNS ’14, pages 31–40,
2014.
[54] A. Teixeira, D. Pérez, H. Sandberg, and K. H.Johansson.
Attack models and scenarios for networkedcontrol systems. In
Proceedings of the 1st internationalconference on High Confidence
Networked Systems,HiCoNS ’12, pages 55–64, 2012.
[55] N. O. Tippenhauer, C. Pöpper, K. B. Rasmussen, andS.
Capkun. On the requirements for successful gpsspoofing attacks. In
Proceedings of the 18th ACMConference on Computer and
CommunicationsSecurity, CCS ’11, pages 75–86, 2011.
[56] K. Tiri and I. Verbauwhede. A logic level designmethodology
for a secure dpa resistant asic or fpgaimplementation. In
Proceedings of the conference onDesign, automation and test in
Europe-Volume 1, page10246. IEEE Computer Society, 2004.
[57] J. Wan, A. Canedo, and M. A. A. Faruque.“Functional
Model-based Design Methodology forAutomotive Cyber-Physical
Systems”. IEEE SystemsJournal (ISJ), 2014.
[58] J. Wan, A. Canedo, and M. A. A. Faruque.“Security-Aware
Functional Modeling ofCyber-Physical Systems”. 20th IEEE
InternationalConference on Emerging Technology &
FactoryAutomation (ETFA’15), 2015.
[59] J. S. Warner and R. G. Johnston. A simpledemonstration that
the global positioning system(gps) is vulnerable to spoofing.
Journal of SecurityAdministration, 25(2):19–27, 2002.
[60] A. Wasicek, P. Derler, and E. A. Lee.
Aspect-orientedmodeling of attacks in automotive
cyber-physicalsystems. In Design Automation Conference (DAC),2014
51st ACM/EDAC/IEEE, pages 1–6. IEEE, 2014.
[61] C. Weaver. Patients put at risk by computer viruses.The
Wall Street Journal, 2013.
[62] M. Yampolskiy, P. Horvath, X. D. Koutsoukos,Y. Xue, and J.
Sztipanovits. Systematic analysis ofcyber-attacks on cps-evaluating
applicability ofdfd-based approach. In Resilient Control
Systems(ISRCS), 2012 5th International Symposium on, pages55–62.
IEEE, 2012.
[63] Z. Zhang, S. Gong, A. D. Dimitrovski, and H. Li.
Timesynchronization attack in smart grid: Impact andanalysis. IEEE
Trans. Smart Grid, 4(1):87–98, 2013.