Visible to the public Cyber-Physical System Security and Privacy, 2014, Part 2

SoS Newsletter- Advanced Book Block


SoS Logo

Cyber-Physical System

Security and Privacy, 2014

Part 2

Cyber-Physical systems generally are systems where computers control physical entities. They exist in areas as diverse as automobiles, manufacturing, energy, transportation, chemistry, and computer appliances. In this bibliography, the primary focus of published research is in smart grid technologies—the use of cyber-physical systems to coordinate the generation, transmission, and use of electrical power and its sources. Because of its strategic importance and the consequences of intrusion, smart grid is of particular importance to the Science of Security. The work presented here was published in 2014.

Francisco Javier Acosta Padilla, Frederic Weis, Johann Bourcier. “Towards a Model@Runtime Middleware for Cyber Physical Systems.” MW4NG '14 Proceedings of the 9th Workshop on Middleware for Next Generation Internet Computing, December 2014, Article No. 6. doi:10.1145/2676733.2676741
Abstract: Cyber Physical Systems (CPS) or Internet of Things systems are typically formed by a myriad of many small interconnected devices. This underlying hardware infrastructure raises new challenges in the way we administrate the software layer of these systems. Indeed, the limited computing power and battery life of each node combined with the very distributed nature of these systems, greatly adds complexity to distributed software layer management. In this paper we propose a new middleware dedicated to CPS to enable the management of software deployment and the dynamic reconfiguration of these systems. Our middleware is inspired from the Component Based Systems and the model@runtime paradigm which has been adapted to the context of Cyber Physical Systems. We have conducted an initial evaluation on a typical Cyber Physical Systems hardware infrastructure which demonstrates the feasibility of providing a model@runtime middleware for these systems.
Keywords: MDE, adaptive systems, cyber physical systems, middleware, models (ID#: 15-5856)


Mohammad Ashiqur Rahman, Ehab Al-Shaer, Rakesh B. Bobba. “Moving Target Defense for Hardening the Security of the Power System State Estimation.” MTD '14 Proceedings of the First ACM Workshop on Moving Target Defense, November 2014, Pages 59-68. doi:10.1145/2663474.2663482
Abstract: State estimation plays a critically important role in ensuring the secure and reliable operation of the electric grid. Recent works have shown that the state estimation process is vulnerable to stealthy attacks where an adversary can alter certain measurements to corrupt the solution of the process, but evade the existing bad data detection algorithms and remain invisible to the system operator. Since the state estimation result is used to compute optimal power flow and perform contingency analysis, incorrect estimation can undermine economic and secure system operation. However, an adversary needs sufficient resources as well as necessary knowledge to achieve a desired attack outcome. The knowledge that is required to launch an attack mainly includes the measurements considered in state estimation, the connectivity among the buses, and the power line admittances. Uncertainty in information limits the potential attack space for an attacker. This advantage of uncertainty enables us to apply moving target defense (MTD) strategies for developing a proactive defense mechanism for state estimation. In this paper, we propose an MTD mechanism for securing state estimation, which has several characteristics: (i) increase the knowledge uncertainty for attackers, (ii) reduce the window of attack opportunity, and (iii) increase the attack cost. In this mechanism, we apply controlled randomization on the power grid system properties, mainly on the set of measurements that are considered in state estimation, and the topology, especially the line admittances. We thoroughly analyze the performance of the proposed mechanism on the standard IEEE 14- and 30-bus test systems.
Keywords: false data injection attack, moving target defense, power grid, state estimation (ID#: 15-5857)


Fahad Javed, Usman Ali, Muhammad Nabeel, Qasim Khalid, Naveed Arshad, Jahangir Ikram. “SmartDSM: A Layered Model for Development of Demand Side Management in Smart Grids.” SE4SG 2014 Proceedings of the 3rd International Workshop on Software Engineering Challenges for the Smart Grid, June 2014, Pages 15-20. doi:10.1145/2593845.2593848
Abstract: Growing power demand and carbon emissions is motivating utility providers to introduce smart power systems. One of the most promising technology to deliver cheaper and smarter electricity is demand side management. A DSM solution controls the devices at user premises in order to achieve overall goals of lower cost for consumer and utility. To achieve this various technologies from different domains come in to play from power electronics to sensor networks to machine learning and distributed systems design. The eventual system is a large, distributed software system over a heterogeneous environment and systems. Whereas various algorithms to plan the DSM schedule have been proposed, no concerted effort has been made to propose models and architectures to develop such a complex software system. This lack of models provides for a haphazard landscape for researchers and practitioners leading to confused requirements and overlapping concerns of domains. This was observed by the authors in developing a DSM system for their lab and faculty housing. To this end in this paper we present a model to develop software systems to deliver DSM. In addition to the model, we present a road map of software engineering research to aid development of future DSM systems. This is based on our observations and insights of the developed DSM systems.
Keywords: Smart grids, demand side management, model driven design, software engineering (ID#: 15-5858)


Rafael Oliveira Vasconcelos, Igor Vasconcelos, Markus Endler. “A Middleware for Managing Dynamic Software Adaptation.” ARM '14 Proceedings of the 13th Workshop on Adaptive and Reflective Middleware, December 2014, Article No. 5. doi:10.1145/2677017.2677022
Abstract: The design and development of adaptive systems brings new challenges since the dynamism of such systems is a multifaceted concern that range from mechanisms to enable the adaptation on the software level to the (self-) management of the entire system using adaptation plans or system administrator, for instance. Networked and mobile embedded systems are examples of systems where dynamic adaptation become even more necessary as the applications must be capable of discovering the computing resources in their near environment. While most of the current research is concerned with low-level adaptation techniques (i.e., how to dynamically deploy new components or change parameters), we are focused in providing management of distributed dynamic adaptation and facilitating the development of adaptation plans. In this paper, we present a middleware tailored for mobile embedded systems that supports distributed dynamic software adaptation, in transactional and non-transactional fashion, among mobile devices. We also present results of initial evaluation.
Keywords: adaptability, dynamic adaptation, middleware, mobile communication, self-adaptive systems (ID#: 15-5859)


Wei Gong, Yunhao Liu, Amiya Nayak, Cheng Wang. “Wise Counting: Fast and Efficient Batch Authentication for Large-Scale RFID Systems.” MobiHoc '14 Proceedings of the 15th ACM International Symposium on Mobile Ad Hoc Networking and Computing, August 2014, Pages 347-356. doi:10.1145/2632951.2632963
Abstract: Radio Frequency Identification technology (RFID) is widely used in many applications, such as asset monitoring, e-passport and electronic payment, and is becoming one of the most effective solutions in cyber physical system. Since the identification alone does not provide any guarantee that tag corresponds to genuine identity, authentication of tag information is needed in most RFID systems. Meanwhile, as the number of tags is rapidly growing in recent years, per-tag based methods suffer from severely low efficiency and thus give way to probabilistic batch authentication. Most previous methods, however, share a common drawback from statistical perspective: they fail to explore correlation information, i.e., they do not comprehensively utilize all the information in authentication data structures. In addition, those schemes are not scalable well when multiple tag sets need to be verified simultaneously. In this paper, we propose a fast and efficient batch authentication scheme, Wise Counting (WIC), for large-scale RFID systems. We are the first to formally introduce the general batch authentication problem with multiple tag sets and give counterfeits estimation scheme with high efficiency. By employing a novel hierarchical authentication structure, we show that WIC is able to fast and efficiently authenticate both a single tag set and multiple tag sets in an easy, intuitive way. Through detailed theoretical analysis and extensive simulations, we validate the design of WIC and demonstrate its large superiority over state-of-the art approaches.
Keywords: RFID tags, batch authentication, counterfeits estimation, hierarchical data structure (ID#: 15-5860)


Ze Ni, Avenir Kobetski, Jakob Axelsson. “Design and Implementation of a Dynamic Component Model for Federated AUTOSAR Systems.”  DAC '14 Proceedings of the 51st Annual Design Automation Conference, June 2014, Pages 1-6. doi:10.1145/2593069.2593121
Abstract: The automotive industry has recently agreed upon the embedded software standard AUTOSAR, which structures an application into reusable components that can be deployed using a configuration scheme. However, this configuration takes place at design time, with no provision for dynamically installing components to reconfigure the system. In this paper, we present the design and implementation of a dynamic component model that extends AUTOSAR with the possibility to add plug-in components at runtime. This opens up for shorter deployment time for new functions; opportunities for vehicles to participate in federated embedded systems; and involvement of third-party software developers.
Keywords: AUTOSAR, Dynamically Reconfigurable Software, Federated Embedded Systems, Software Components (ID#: 15-5861)


Stefan Wagner. “Scrum for Cyber-Physical Systems: A Process Proposal.” RCoSE 2014 Proceedings of the 1st International Workshop on Rapid Continuous Software Engineering, June 2014, Pages 51-56. doi:10.1145/2593812.2593819
Abstract: Agile development processes and especially Scrum are changing the state of the practice in software development. Many companies in the classical IT sector have adopted them to successfully tackle various challenges from the rapidly changing environments and increasingly complex software systems. Companies developing software for embedded or cyber-physical systems, however, are still hesitant to adopt such processes. Despite successful applications of Scrum and other agile methods for cyber-physical systems, there is still no complete process that maps their specific challenges to practices in Scrum. We propose to fill this gap by treating all design artefacts in such a development in the same way: In software development, the final design is already the product, in hardware and mechanics it is the starting point of production. We sketch the Scrum extension Scrum CPS by showing how Scrum could be used to develop all design artefacts for a cyber physical system. Hardware and mechanical parts that might not be available yet are simulated. With this approach, we can directly and iteratively build the final software and produce detailed models for the hardware and mechanics production in parallel. We plan to further detail Scrum CPS and apply it first in a series of student projects to gather more experience before testing it in an industrial case study.
Keywords: Agile, Cyber-physical, Scrum (ID#: 15-5862)


Kasper Luckow, Corina S. Păsăreanu, Matthew B. Dwyer, Antonio Filieri, Willem Visser. “Exact and Approximate Probabilistic Symbolic Execution for Nondeterministic Programs.” ASE '14 Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, September 2014, Pages 575-586. doi:10.1145/2642937.2643011
Abstract: Probabilistic software analysis seeks to quantify the likelihood of reaching a target event under uncertain environments. Recent approaches compute probabilities of execution paths using symbolic execution, but do not support nondeterminism. Nondeterminism arises naturally when no suitable probabilistic model can capture a program behavior, e.g., for multithreading or distributed systems. In this work, we propose a technique, based on symbolic execution, to synthesize schedulers that resolve nondeterminism to maximize the probability of reaching a target event. To scale to large systems, we also introduce approximate algorithms to search for good schedulers, speeding up established random sampling and reinforcement learning results through the quantification of path probabilities based on symbolic execution. We implemented the techniques in Symbolic PathFinder and evaluated them on nondeterministic Java programs. We show that our algorithms significantly improve upon a state-of-the-art statistical model checking algorithm, originally developed for Markov Decision Processes.
Keywords: nondeterministic programs, probabilistic software analysis, symbolic execution (ID#: 15-5863)


Philipp Diebold, Constanza Lampasona, Sergey Zverlov, Sebastian Voss. “Practitioners' and Researchers' Expectations on Design Space Exploration for Multicore Systems in the Automotive and Avionics Domains: A Survey.” EASE '14 Proceedings of the 18th International Conference on Evaluation and Assessment in Software Engineering, May 2014, Article No. 1. doi:10.1145/2601248.2601250
Abstract: Background: The mobility domains are moving towards the adoption of multicore technology. Appropriate methods, techniques, and tools need to be developed or adapted in order to fulfill the existing requirements. This is a case for design space exploration methods and tools. Objective: Our goal was to understand the importance of different design space exploration goals with respect to their relevance, frequency of use, and tool support required in the development of multicore systems from the point of view of the ARAMiS project members. Our aim was to use the results to guide further work in the project. Method: We conducted a survey regarding the current state of the art in design space exploration in industry and research and collected the expectations of project members regarding design space exploration goals. Results: The results show that design space exploration is an important topic in industry as well as in research. It is used very often with different important goals to optimize the system. Conclusions: Current tools provide only partial solutions for design space exploration. Our results can be used for improving them and guiding their development according to the priorities explained in this contribution.
Keywords: automotive, avionics, design space exploration, industry, multicore, research, survey (ID#: 15-5864)


Sandeep Neema, Gabor Simko, Tihamer Levendovszky, Joseph Porter, Akshay Agrawal, Janos Sztipanovits. “Formalization of Software Models for Cyber-Physical Systems.” FormaliSE 2014 Proceedings of the 2nd FME Workshop on Formal Methods in Software Engineering, June 2014, Pages 45-51. doi:10.1145/2593489.2593495
Abstract: The involvement of formal methods is indispensable for modern software engineering. This especially holds for Cyber-Physical Systems (CPS). In order to deal with the complexity and heterogeneity of the design, model-based engineering is widely used. The complexity of detailed verification in the final source code makes it imperative to introduce formal methods earlier in the design process. Because of the widespread use of customized modeling languages (domain-specific modeling languages, DSMLs), it is crucial to formally specify the DSML, and verify if the model meets fundamental correctness criteria. This is achieved by specifying behavioral and structural semantics of the modeling language. Significant model-driven tools have emerged incorporating advanced model checking methods that can provide some assurance regarding the quality and correctness of the models. However, the code generated from these models, using auto code generators remains circumspect, since the correctness of the code generators cannot be assumed as a given, and remains intractable to prove. Therefore, we propose a pragmatic approach, instead of verifying explicit implementation of code generator, verifies the correctness of the generated code with respect to a specific set of user-defined properties to establish that the code-generators are property-preserving. In order to make the verification workflow conducive to domain engineers, who are not often trained in formal methods, we include a mechanism for high-level specification of temporal properties using pattern-based verification templates. The presented toolchain leverages state-of-the-art verification tools, and a small case-study illustrates the approach.
Keywords: Cyber-Physical Systems, Model-Integrated Computing, Semantic Specification (ID#: 15-5865)


Ivan Ruchkin, Dionisio De Niz, David Garlan, Sagar Chaki. “Contract-Based Integration of Cyber-Physical Analyses.” EMSOFT '14 Proceedings of the 14th International Conference on Embedded Software, October 2014, Article No. 23. doi:10.1145/2656045.2656052
Abstract: Developing cyber-physical systems involves multiple engineering domains, e.g., timing, logical correctness, thermal resilience, and mechanical stress. In today's industrial practice, these domains rely on multiple analyses to obtain and verify critical system properties. Domain differences make the analyses abstract away interactions among themselves, potentially invalidating the results. Specifically, one challenge is to ensure that an analysis is never applied to a model that violates the assumptions of the analysis. Since such violation can originate from the updating of the model by another analysis, analyses must be executed in the correct order. Another challenge is to apply diverse analyses soundly and scalably over models of realistic complexity. To address these challenges, we develop an analysis integration approach that uses contracts to specify dependencies between analyses, determine their correct orders of application, and specify and verify applicability conditions in multiple domains. We implement our approach and demonstrate its effectiveness, scalability, and extensibility through a verification case study for thread and battery cell scheduling.
Keywords: analysis, analysis contracts, battery scheduling, cyber-physical systems, model checking, real-time scheduling, thermal runaway, virtual integration (ID#: 15-5866)


Tomas Bures, Petr Hnetynka, Frantisek Plasil. “Strengthening Architectures of Smart CPS by Modeling Them as Runtime Product-Lines.” CBSE '14 Proceedings of the 17th International ACM Sigsoft Symposium on Component-Based Software Engineering, June 2014, Pages 91-96. doi:10.1145/2602458.2602478
Abstract: Smart Cyber-Physical Systems (CPS) are complex distributed decentralized systems of cooperating mobile and stationary devices which closely interact with the physical environment. Although Component-Based Development (CBD) might seem as a viable solution to target the complexity of smart CPS, existing component models scarcely cope with the open-ended and very dynamic nature of smart CPS. This is especially true for design-time modeling using hierarchical explicit architectures, which traditionally provide an excellent means of coping with complexity by providing multiple levels of abstractions and explicitly specifying communication links between component instances. In this paper we propose a modeling method (materialized in the SOFA NG component model) which conveys the benefits of explicit architectures of hierarchical components to the design of smart CPS. Specifically, we base our method on modeling systems as reference architectures of Software Product Lines (SPL). Contrary to traditional SPL, which is a fully design-time approach, we create SPL configurations at runtime. We do so in a decentralized way by translating the configuration process to the process of establishing component ensembles (i.e. dynamic cooperation groups of components) of our DEECo component model.
Keywords: component model, component-based development, cyber-physical systems, software architecture, software components (ID#: 15-5867)


Ashish Tiwari, Bruno Dutertre, Dejan Jovanović, Thomas de Candia, Patrick D. Lincoln, John Rushby, Dorsa Sadigh, Sanjit Seshia. “Safety Envelope for Security.” HiCoNS '14 Proceedings of the 3rd International Conference on High Confidence Networked Systems, April 2014, Pages 85-94. doi:10.1145/2566468.2566483
Abstract: We present an approach for detecting sensor spoofing attacks on a cyber-physical system. Our approach consists of two steps. In the first step, we construct a safety envelope of the system. Under nominal conditions (that is, when there are no attacks), the system always stays inside its safety envelope. In the second step, we build an attack detector: a monitor that executes synchronously with the system and raises an alarm whenever the system state falls outside the safety envelope. We synthesize safety envelopes using a modifed machine learning procedure applied on data collected from the system when it is not under attack. We present experimental results that show effectiveness of our approach, and also validate the several novel features that we introduced in our learning procedure.
Keywords: hybrid systems, invariants, safety envelopes, security (ID#: 15-5868)


Zhi Li, Lu Chen. “System-Level Testing of Cyber-Physical Systems Based on Problem Concerns.” EAST 2014 Proceedings of the 2014 3rd International Workshop on Evidential Assessment of Software Technologies, May 2014, Pages 60-62. doi:10.1145/2627508.2627511
Abstract: In this paper we propose a problem-oriented approach to system-level testing of cyber-physical systems based on Jackson’s notion of problem concerns. Some close associations between problem concerns and potential faults in the problem space are made, which necessitates system-level testing. Finally, a research agenda has been put forward with the goal of building a repository of system faults and mining particular problem concerns for system-level testing.
Keywords: Problem Frames, problem concerns, system-level testing (ID#: 15-5869)


Carlos Barreto, Alvaro A. Cárdenas, Nicanor Quijano, Eduardo Mojica-Nava. “CPS: Market Analysis of Attacks Against Demand Response in the Smart Grid.” ACSAC '14 Proceedings of the 30th Annual Computer Security Applications Conference, December 2014, Pages 136-145. doi:10.1145/2664243.2664284
Abstract: Demand response systems assume an electricity retail-market with strategic electricity consuming agents. The goal in these systems is to design load shaping mechanisms to achieve efficiency of resources and customer satisfaction. Recent research efforts have studied the impact of integrity attacks in simplified versions of the demand response problem, where neither the load consuming agents nor the adversary are strategic. In this paper, we study the impact of integrity attacks considering strategic players (a social planner or a consumer) and a strategic attacker. We identify two types of attackers: (1) a malicious attacker who wants to damage the equipment in the power grid by producing sudden overloads, and (2) a selfish attacker that wants to defraud the system by compromising and then manipulating control (load shaping) signals. We then explore the resiliency of two different demand response systems to these fraudsters and malicious attackers. Our results provide guidelines for system operators deciding which type of demand-response system they want to implement, how to secure them, and directions for detecting these attacks.
Keywords: (not provided) (ID#: 15-5870)


Bader Alwasel, Stephen D. Wolthusen. “Reconstruction of Structural Controllability over Erdős-Rényi Graphs via Power Dominating Sets.” CISR '14 Proceedings of the 9th Annual Cyber and Information Security Research Conference, April 2014, Pages 57-60. doi:10.1145/2602087.2602095
Abstract: Controllability, or informally the ability to force a system into a desired state in a finite time or number of steps, is a fundamental problem studied extensively in control systems theory with structural controllability recently gaining renewed interest. In distributed control systems, possible control relations are limited by the underlying network (graph) transmitting the control signals from a single controller or set of controllers. Attackers may seek to disrupt these relations or compromise intermediate nodes, thereby gaining partial or total control.  For a defender to re-gain full or partial control, it is therefore critical to rapidly reconstruct the control graph as far as possible. Failing to achieve this may allow the attacker to cause further disruptions, and may --- as in the case of electric power networks --- also violate real-time constraints leading to catastrophic loss of control. However, as this problem is known to be computationally hard, approximations are required particularly for larger graphs. We therefore propose a reconstruction algorithm for (directed) control graphs of bounded tree width embedded in Erdős-Rényi random graphs based on recent work by Aazami and Stilp as well as Guo et al.
Keywords: power dominating sets, recovery from attacks, robustness of control systems and networks, structural controllability (ID#: 15-5871)


Der-Yeuan Yu, Aanjhan Ranganathan, Thomas Locher, Srdjan Capkun, David Basin. “Short Paper: Detection of GPS Spoofing Attacks in Power Grids.” WiSec '14 Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks. July 2014, Pages 99-104. doi:10.1145/2627393.2627398
Abstract: Power companies are deploying a multitude of sensors to monitor the energy grid. Measurements at different locations should be aligned in time to obtain the global state of the grid, and the industry therefore uses GPS as a common clock source. However, these sensors are exposed to GPS time spoofing attacks that cause misaligned aggregated measurements, leading to inaccurate monitoring that affects power stability and line fault contingencies. In this paper, we analyze the resilience of phasor measurement sensors, which record voltages and currents, to GPS spoofing performed by an adversary external to the system. We propose a solution that leverages the characteristics of multiple sensors in the power grid to limit the feasibility of such attacks. In order to increase the robustness of wide-area power grid monitoring, we evaluate mechanisms that allow collaboration among GPS receivers to detect spoofing attacks. We apply multilateration techniques to allow a set of GPS receivers to locate a false GPS signal source. Using simulations, we show that receivers sharing a local clock can locate nearby spoofing adversaries with sufficient confidence.
Keywords: clock synchronization, gps spoofing, power grids (ID#: 15-5872)

Ayan Banerjee, Sandeep K. S. Gupta. “Model Based Code Generation for Medical Cyber Physical Systems.” MMA '14 Proceedings of the 1st Workshop on Mobile Medical Applications, November 2014, Pages 22-27. doi:10.1145/2676431.2676646
Abstract: Deployment of medical devices on human body in unsupervised environment makes their operation safety critical. Software errors such as unbounded memory access or unreachable critical alarms can cause life threatening consequences in these medical cyber-physical systems (MCPSes), where software in medical devices monitor and control human physiology. Further, implementation of complex control strategy in inherently resource constrained medical devices require careful evaluation of runtime characteristics of the software. Such stringent requirements causes errors in manual implementation, which can be only detected by static analysis tools possibly inflicting high cost of redesigning. To avoid such inefficiencies this paper proposes an automatic code generator with assurance on safety from errors such as out-of-bound memory access, unreachable code, and race conditions. The proposed code generator was evaluated against manually written code of a software benchmark for sensors BSNBench in terms of possible optimizations using conditional X propagation. The generated code was found to be 9.3% more optimized than BSNBench code. The generated code was also tested using static analysis tool, Frama-c, and showed no errors.
Keywords: code synthesis, model based code generation, sensor networks, software errors, static analysis for sensors (ID#: 15-5873)


Sabine Theis, Thomas Alexander, Matthias Wille. “The Nexus of Human Factors in Cyber-Physical Systems: Ergonomics of Eyewear for Industrial Applications.” ISWC '14 Adjunct Proceedings of the 2014 ACM International Symposium on Wearable Computers: Adjunct Program, September 2014, Pages 217-220. doi:10.1145/2641248.2645639
Abstract: Smart eyewear devices may serve as advanced interfaces between cyber-physical systems (CPS) and workers by integrating digital information into the visual field. We have addressed ergonomic issues related to the use of a ruggedized head-mounted display (HMD) (Liteye 750A, see-through and look-around mode) and a conventional screen during a half-day day working shift (N=60). We only found minor physiological effects of the HMD, resulting into inflexible head posture, higher muscle activity over time of the left M. Splenius capitis and low performance given its look-around mode.
Keywords: cyber-physical systems (CPS), wearable computing (ID#: 15-5874)


Radha Poovendran. “Passivity Framework for Modeling, Mitigating, and Composing Attacks on Networked Systems.” HiCoNS '14 Proceedings of the 3rd International Conference on High Confidence Networked Systems, April 2014, Pages 29-30. doi:10.1145/2566468.2566470
Abstract: Cyber-physical systems (CPS) consist of a tight coupling between cyber (sensing and computation) and physical (actuation and control) components. As a result of this coupling, CPS are vulnerable to both known and emerging cyber attacks, which can degrade the safety, availability, and reliability of the system. A key step towards guaranteeing CPS operation in the presence of threats is developing quantitative models of attacks and their impact on the system and express them in the language of CPS. Traditionally, such models have been introduced within the framework of formal methods and verification. In this talk, we present a control-theoretic modeling framework. We demonstrate that the control-theoretic approach can capture the adaptive and time-varying strategic interaction between the adversary and the targeted system. Furthermore, control theory provides a common language in which to describe both the physical dynamics of the system, as well as the impact of the attack and defense. In particular, we provide a passivity-based approach for modeling and mitigating jamming and wormhole attacks. We demonstrate that passivity enables composition of multiple attack and defense mechanisms, allowing characterization of the overall performance of the system under attack. Our view is that the formal methods and the control-based approaches are complementary.
Keywords: cyber physical systems, network security, passivity (ID#: 15-5875)


Ye Li, Richard West, Eric Missimer. “A Virtualized Separation Kernel for Mixed Criticality Systems.” VEE '14 Proceedings of the 10th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments, March 2014, Pages 201-212. doi:10.1145/2674025.2576206
Abstract: Multi- and many-core processors are becoming increasingly popular in embedded systems. Many of these processors now feature hardware virtualization capabilities, such as the ARM Cortex A15, and x86 processors with Intel VT-x or AMD-V support. Hardware virtualization offers opportunities to partition physical resources, including processor cores, memory and I/O devices amongst guest virtual machines. Mixed criticality systems and services can then co-exist on the same platform in separate virtual machines. However, traditional virtual machine systems are too expensive because of the costs of trapping into hypervisors to multiplex and manage machine physical resources on behalf of separate guests. For example, hypervisors are needed to schedule separate VMs on physical processor cores. In this paper, we discuss the design of the Quest-V separation kernel, which partitions services of different criticalities in separate virtual machines, or sandboxes. Each sandbox encapsulates a subset of machine physical resources that it manages without requiring intervention of a hypervisor. Moreover, a hypervisor is not needed for normal operation, except to bootstrap the system and establish communication channels between sandboxes.
Keywords: chip-level distributed system, separation kernel (ID#: 15-5876)


David Formby, Sang Shin Jung, John Copeland, Raheem Beyah. “An Empirical Study of TCP Vulnerabilities in Critical Power System Devices.” SEGS '14 Proceedings of the 2nd Workshop on Smart Energy Grid Security, November 2014, Pages 39-44. doi:10.1145/2667190.2667196
Abstract: Implementations of the TCP/IP protocol suite have been patched for decades to reduce the threat of TCP sequence number prediction attacks. TCP, in particular, has been adopted to many devices in the power grid as a transport layer for their applications since it provides reliability. Even though this threat has been well-known for almost three decades, this does not hold true in power grid networks; weak TCP sequence number generation can still be found in many devices used throughout the power grid. Although our analysis only covers one substation, we believe that this is without loss of generality given: 1) the pervasiveness of the flaws throughout the substation devices; and 2) the prominence of the vendors. In this paper, we show how much TCP initial sequence numbers (ISNs) are still predictable and how time is strongly correlated with TCP ISN generation. We collected power grid network traffic from a live substation for six months, and we measured TCP ISN differences and their time differences between TCP connection establishments. In the live substation, we found three unique vendors (135 devices, 68%) from a total of eight vendors (196 devices) running TCP that show strongly predictable patterns of TCP ISN generation.
Keywords: dnp3, power grid, scada, tcp sequence number, tcp sequence prediction (ID#: 15-5877)


Gerold Hoelzl, Alois Ferscha, Peter Halbmayer, Welma Pereira. “Goal Oriented Smart Watches for Cyber Physical Superorganisms.” UbiComp '14 Adjunct Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing: Adjunct Publication, September 2014, Pages 1071-1076. doi:10.1145/2638728.2659395
Abstract: We didn't start the fire. It was always burning since technology became integrated into wearable things that can be traced back to the early 1500s. This earliest forms of wearable technology were manifested as pocket watches. Of course technology changed and evolved, but again it might be the watch, now in form of a wrist worn smart watch, that could carve the way towards an always on, large scale, planet spanning, body sensor network. The challenge arises on how to handle this enormous scale of upcoming smart watches and the produced data. This work highlights a strategy on how to make use of the massive amount of smart watches in building goal oriented, dynamically evolving network structures that autonomously adapt to changes in the smart watch ecosystem like cells do in the human organism.
Keywords: (Not provided) (ID#: 15-5878)


Zhenqi Huang, Yu Wang, Sayan Mitra, Geir E. Dullerud. “On the Cost of Differential Privacy in Distributed Control Systems.” HiCoNS '14 Proceedings of the 3rd International Conference on High Confidence Networked Systems, April 2014, Pages 105-114. doi:10.1145/2566468.2566474
Abstract: Individuals sharing information can improve the cost or performance of a distributed control system. But, sharing may also violate privacy. We develop a general framework for studying the cost of differential privacy in systems where a collection of agents, with coupled dynamics, communicate for sensing their shared environment while pursuing individual preferences. First, we propose a communication strategy that relies on adding carefully chosen random noise to agent states and show that it preserves differential privacy. Of course, the higher the standard deviation of the noise, the higher the cost of privacy. For linear distributed control systems with quadratic cost functions, the standard deviation becomes independent of the number agents and it decays with the maximum eigenvalue of the dynamics matrix. Furthermore, for stable dynamics, the noise to be added is independent of the number of agents as well as the time horizon up to which privacy is desired. Finally, we show that the cost of ε-differential privacy up to time T, for a linear stable system with N agents, is upper bounded by O(T3/Nε2).
Keywords: cyber-physical security, differential privacy, distributed control (ID#: 15-5879)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.