(452d) A Model-Based Approach for the Analysis and Mitigation of Cyber-Attacks in Networked Process Control Systems

With the significant growth in communication and networking capabilities in recent years, and the concomitant advances in sensor and actuator manufacturing technologies, process operations have become increasingly reliant on sensor, actuator and control systems that are accessed over real-time shared communication networks (wired and/or wireless) rather than dedicated, point‐to‐point links. The integration of a communication network in the sensor‐controller and controller‐actuator links gives rise to a networked control system and can substantially improve the flexibility and fault‐tolerance capabilities of an industrial control system, in addition to reducing the installation, reconfiguration and maintenance time and costs. In addition to the economic and operational benefits of networked control architectures, networked control systems are an important enabling technology for realizing the vision of smart plant operations where advanced cyber-infrastructure and communication technologies are used to tightly integrate, in real-time, process control and operations with business decision making and sustainable environmental, health and safety performance [1].

The increased reliance on networked control systems, while beneficial from a plant performance point of view, poses a host of fundamental challenges due to the inherent limitations on the transmission and processing capabilities of the communication medium. Issues such as network resource constraints, real-time scheduling constraints, data losses and communication delays, may degrade the overall closed-loop performance and even lead to instability if not accounted for in the control system design. This realization has motivated significant research work on the analysis and design of networked control systems, and the literature on this topic is quite extensive (e.g., [2]–[4]).

Another key challenge with networked control systems, especially when dedicated local area control networks are integrated with wireless real‐time sensor networks, is the cybersecurity challenge owing to the open nature of wireless networks. Recently, the security of control systems has become the focus of increasing attention due to the deployment of large sensor and actuator networks, as well as the increased use of wireless communication. With these advances, control systems are becoming increasingly vulnerable to cyberattacks, which are a series of computer actions that can compromise the stability and safety of control systems. Cyberattacks generally aim to perturb the process inputs and alter them from what they would have otherwise been under normal operation. Some of these attacks take the form of falsifying sensor measurements sent to the feedback controller, providing incorrect signals to the control actuators, or manipulating stored process data [5].

The communication network and cyber‐infrastructure security challenge spans the entire global chemicals industry and petroleum production representing nearly $3 trillion in economic impact. In recent times, cyber-attackers have been successful in causing damage to a uranium enrichment plant, causing power outages, and contaminating a wastewater treatment plant (e.g., [6]-[7]). If left unchecked, these cyber-security risks can potentially lead to physical damage, injury, or death and therefore are a critical problem to address.

Typical approaches for handling control system cyber-security risks are based on computer science, information technology, computer hardware, or networking solutions (e.g., [5], [8]-[10]). More recently, efforts within the process control community have been initiated to address this problem from a control point of view, including the development of frameworks for detecting cyber-attacks and preventing their damage within the context of economic model predictive control [11]-[12].

An approach to reduce the risk of cyber-attacks in a networked control system is to minimize the control system’s reliance on the network as much as possible. This idea has been pursued in earlier works (e.g., [13]-[14]) in the context of handling resource constraints. Specifically, a model-based networked plant-wide control structure that enforces closed-loop stability with minimal communication was developed. A set of predictive models were embedded within each local control system and, in conjunction with the local state measurements, the local control action was generated at times when communication between the plant subsystems was suspended, and the states of the models were updated when communication was permitted at discrete times. In doing so, a minimum communication rate that guarantees closed-loop stability could be determined.

While this approach is appealing in that it helps reduce the susceptibility of the control system to network-induced cyber-attacks, it does not provide robustness guarantees against random cyber-attacks. An assessment of the robustness of the networked control system to cyber-attacks is important to identify the fundamental limits within which the system can passively tolerate a cyber-attack, and through this assessment one can also identify the key parameters that can be used to actively mitigate the effects of these attacks when they arise.

Motivated by these considerations, the objective of this contribution is twofold. The first is to develop a framework for the design and analysis of model-based networked process control systems that have well-characterized robustness margins in the presence of certain types of cyber-attacks, and the second is to devise active strategies for mitigating the impact of such attacks. To meet these objectives, we initially construct a model-based plant-wide networked control system in which the local control systems communicate over a shared communication medium. The communication strategy aims to reduce network utilization by embedding predictive models within each local controller and updating the model states by exchanging state measurements over the network periodically at a certain minimum rate.

We consider cyber-attacks in the form of falsified sensor measurements and analyze the impact of using falsified measurements to perform the model state updates at the communication times. By modeling the cyber-attacks explicitly in the closed-loop system formulation, the stability of the networked closed-loop system can be assessed, and an explicit characterization of the stability region in terms of the attack-induced measurement errors, the communication rate and the controller design parameters can be obtained. This characterization then yields the feasible operating range for each system parameter within which robust stability is guaranteed under cyber-attacks, and also reveals the key parameters that can be adjusted in order to mitigate such attacks. Active mitigation strategies are then devised on the basis of the stability region characterization. Finally, the analysis and design results are illustrated using a representative chemical process example.

References:

[1] Christofides PD, Davis JF, El-Farra NH, Clark D, Harris KRD, Gipson JN. Smart Plant Operations: Vision, Progress and Challenges. AIChE Journal. 2007; 53(11):2734–2741.

[2] Hespanha JP, Naghshtabrizi P, Xu Y. A survey of recent results in networked control systems. Proceedings of the IEEE. 2007; 95:138–162.

[3] Christofides PD, Liu J, Munoz de la Pena D. Networked and Distributed Predictive Control: Methods and Nonlinear Process Network Applications. London: Springer-Verlag, 2011.

[4] You KY, Xie LH. Survey of recent progress in networked control systems. Acta Automatica Sinica. 2013; 39:101–117.

[5] Khorrami F, Krishnamurthy P, Karri R. Cybersecurity for Control Systems: A Process-Aware Perspective. IEEE Design and Test. 2016; 33:75–83.

[6] Langner R. Stuxnet: Dissecting a Cyberwarfare Weapon. IEEE Security and Privacy. 2011; 9:49–51.

[7] Clark RM, Panguluri S, Nelson TD, Wyman RP. Protecting drinking water utilities from cyberthreats. Journal of American Water Works Association. 2017; 109:50–58.

[8] Pang ZH, Liu GP. Design and Implementation of Secure Networked Predictive Control Systems under Deception Attacks. IEEE Transactions on Control Systems Technology. 2011; 20:1334–1342.

[9] Ten CW, Liu CC, Manimaran G. Vulnerability Assessment of Cybersecurity for SCADA Systems. IEEE Transactions on Power Systems. 2008; 23:1836–1846.

[10] Linda O, Manic M, McQueen M. Improving Control System Cyber-State Awareness using Known Secure Sensor Measurements. In: Critical Information Infrastructures Security, edited by Hämmerli BM, Kalstad Svendsen N, Lopez J. Berlin, Heidelberg: Springer Berlin Heidelberg. 2013; pp. 46–58.

[11] Durand H. A Nonlinear Systems Framework for Cyberattack Prevention for Chemical Process Control Systems. Mathematics. 2018; 6(9).URL http://www.mdpi.com/2227-7390/6/9/169

[12] Wu Z, Albalawi F, Zhang J, Zhang Z, Durand H, Christofides PD. Detecting and Handling Cyber-Attacks in Model Predictive Control of Chemical Processes. Mathematics. 2018; 6(10). URL http://www.mdpi.com/2227-7390/6/10/173

[13] Sun Y, El-Farra NH. Quasi-Decentralized Model-Based Networked Control of Process

Systems. Computers & Chemical Engineering. 2008; 32(9):2016–2029.

[14] Sun Y, El-Farra NH. Resource-Aware Quasi-Decentralized Control of Networked Process Systems over Wireless Sensor Networks. Chemical Engineering Science. 2012; 69:93-106.