Relaxing Integrity Requirements for Attack-Resilient Cyber-Physical Systems

Abstract

The increase in network connectivity has also resulted in several high-profile attacks on cyber-physical systems. An attacker that manages to access a local network could remotely affect control performance by tampering with sensor measurements delivered to the controller. Recent results have shown that with network-based attacks, such as man-in-the-middle attacks, the attacker can introduce an unbounded state estimation error if measurements from a suitable subset of sensors contain false data when delivered to the controller. While these attacks can be addressed with the standard cryptographic tools that ensure data integrity, their continuous use would introduce significant communication and computation overhead. Consequently, we study effects of intermittent data integrity guarantees on system performance under stealthy attacks. We consider linear estimators equipped with a general type of residual-based intrusion detectors (including, e.g., widely used $\chi ^2$ detectors) and show that even when integrity of sensor measurements is enforced only intermittently, the attack impact is significantly limited; specifically, the state estimation error is bounded or the attacker cannot remain stealthy. Furthermore, we present methods to: 1) evaluate the effects of any given integrity enforcement policy in terms of reachable state estimation errors for any type of stealthy attacks; and 2) design an enforcement policy that provides the desired estimation error guarantees under attack. Finally, on three automotive case studies, we show that even with less than 10% of authenticated messages, we can ensure satisfiable control performance in the presence of attacks.