Secure Sensor Design for Cyber-Physical Systems Against Advanced Persistent Threats

Abstract

We introduce a new paradigm to the field of control theory: “secure sensor design”. Particularly, we design sensor outputs cautiously against advanced persistent threats that can intervene in cyber-physical systems. Such threats are designed for the very specific target systems and seeking to achieve their malicious goals in the long term while avoiding intrusion detection. Since such attacks can avoid detection mechanisms, the controller of the system could have already been intervened in by an adversary. Disregarding such a possibility and disclosing information without caution can have severe consequences. Therefore, through secure sensor design, we seek to minimize the damage of such undetected attacks in cyber-physical systems while impacting the ordinary operations of the system at minimum. We, specifically, consider a controlled Markov-Gaussian process, where a sensor observes the state of the system and discloses information to a controller that can have friendly or adversarial intentions. We show that sensor outputs that are memoryless and linear in the state of the system can be optimal, in the sense of game-theoretic hierarchical equilibrium, within the general class of strategies. We also provide a semi-definite programming based algorithm to design the secure sensor outputs numerically.

This research was supported by the U.S. Office of Naval Research (ONR) MURI grant N00014-16-1-2710.

A Appendix: Proof of Lemma 4

Let \(\pmb {y}_1 = h(\pmb {x})\) and \(\pmb {y}_2 = h(\pmb {x}+c)\) be random variables, where c is a deterministic shift vector of the same dimension as \(\pmb {x}\). Then, for any \(B \in \mathsf {B}^p\), we have \(\pmb {y}_1^{-1}(B) = \{\omega \in \varOmega : \pmb {y}_1(\omega ) \in B\} = \{\omega \in \varOmega : h(\pmb {x})(\omega )\in B\} = \{\omega \in \varOmega : \pmb {x}(\omega ) \in h^{-1}(B)\}\). Correspondingly, we also have \(\pmb {y}_2^{-1}(B) = \{\omega \in \varOmega : \pmb {y}_2(\omega ) \in B\} = \{\omega \in \varOmega : h(\pmb {x}+ c)(\omega )\in B\} = \{\omega \in \varOmega : \pmb {x}(\omega ) \in h^{-1}(B) - c\}\). Note that the \(\sigma \)-algebras generated by the random variables \(\pmb {y}_1\) and \(\pmb {y}_2\) are given by \(\sigma (\pmb {y}_i) = \{\pmb {y}_i^{-1}(B): B \in \mathsf {B}^p\}\), for \(i=1,2\) [3]. This implies that \(\sigma (\pmb {y}_1) = \{\{\omega \in \varOmega : \pmb {x}(\omega ) \in h^{-1}(B)\}: B\in \mathsf {B}^p\}\) and \(\sigma (\pmb {y}_2) = \{\{\omega \in \varOmega : \pmb {x}(\omega ) \in h^{-1}(B)-c\}: B\in \mathsf {B}^p\}\). Furthermore, for each \(B \in \mathsf {B}^p\), there exists \(B_2 \in \mathsf {B}^p\) such that

$$ h^{-1}(B) = h^{-1}(B_2) - c \in \mathsf {B}^p $$

since Borel sets are shift invariant [3]. Therefore, we have

$$\begin{aligned} \sigma (\pmb {y}_1) = \sigma (\pmb {y}_2) \end{aligned}$$

(51)

and correspondingly, we obtain (41).