Closing the Loop Towards a theory for High Confidence Cyber Physical Systems for Societal Systems...

Closing the Loop Towards a theory for High Confidence Cyber Physical Systems for Societal Systems Songhwai Oh (Seoul Natl.), Saurabh Amin, Alvaro Cardenas (Fuji Res.), Luca Schenato (Padova), Bruno Sinopoli (CMU), and Shankar Sastry University of California Berkeley CA 94720
  • date post

    21-Dec-2015


Page 1

Closing the Loop

Towards a theory for High Confidence Cyber Physical Systems for Societal Systems

Songhwai Oh (Seoul Natl.), Saurabh Amin, Alvaro Cardenas (Fuji Res.), Luca Schenato (Padova),

Bruno Sinopoli (CMU), and Shankar Sastry

University of California

Berkeley CA 94720

Page 2

Outline

• Tech Push and Applications Pull: instrumenting the World

• Expanding the Vision: Heterogeneous Sensor Webs and Societal Scale Cyber Physical Systems

• Closing the loop for Societal Scale Cyber Physical Systems (fault tolerant and robust)

– Industrial Automation

– Buildings

• Trustworthy Cyber Physical Systems

Page 3

Tech Push: Major Recent Progress

Philips Sand module

UCB mm3 radio

UCB PicoCube

UCB Telos Mote

[Ref: Ambient Intelligence, W. Weber Ed., 2005]

IIMEC e-Cube

Page 4

Ubiquitous Instrumentation

• Understanding phenomena:

– Data collection for offline analysis

» Environmental monitoring, habitat monitoring

» Structural monitoring

Great Duck Island

Redwoods

Wind Response of Golden Gate Bridge

Soil monitoring

25 Motes on Damaged sidewall

Soil monitoring

Vineyards

Page 5

Sensor Webs Everywhere

• Understanding phenomena:

– Data collection for offline analysis

» Environmental monitoring, habitat monitoring

» Structural monitoring

• Detecting changes in the environment:

– Thresholds, phase transitions, anomaly detection

» Security systems, surveillance, health care

» Wildfire detection

» Fault detection, threat detection

Fire Response

Health Care

Intel Research

Page 6

Sensor Web Applications Taxonomy

• Understanding phenomena:

– Data collection for offline analysis

» Environmental monitoring, habitat monitoring

» Structural monitoring

• Detecting changes in the environment:

– Thresholds, phase transitions, anomaly detection

» Security systems, traffic surveillance

» Wildfire detection

» Fault detection, threat detection

• Real-time estimation and control:

– Traffic control, building control, environmental control

– Manufacturing and plant automation, power grids, SCADA networks

– Service robotics, pursuit evasion games, active surveillance, search-and-rescue, and search-and-capture, telesurgery

– Multiple Target Tracking and Pursuit Evasion games

Building Comfort, Smart Alarms

Easier

Difficult

Page 7

Heterogeneous Sensor Webs

• Low-bandwidth, high-bandwidth, & mobile sensors

• Built on Intel Vision Library

UCB/ITRI CITRIC Mote

Page 8

Major Progress but True Immersion not yet in Reach

Artificial Skin

Smart Objects

“Microscopic” Health Monitoring

Interactive Surfaces

Courtesy of Jan Rabaey

Page 9

“Societal Scale Cyber Physical Systems”

• Characteristics

– Ubiquitous, Pervasive, Disappearing, Perceptive, Ambient

– Always Connectable, Reliable, Scalable, Adaptive, Flexible

• The Emerging Service Models

– Intelligent data access and extraction

– Immersion-based work and play

– Environmental control, energy management and safety in “high-performance” homes

– Automotive and avionic safety and control

– Management of metropolitan traffic flows

– Distributed health monitoring

– Power distribution with decentralized energy generation

Page 10

Industrial Automation

• Motivation: Cost reduction

– More than 85% reduction in cost compared to wired systems (case study by Emerson)

– SCADA (Supervisory Control And Data Acquisition)

• Reliability is the number one issue

– Robust estimation: Estimation of parameters of interest from noisy measurements with high fidelity in the presence of unreliable communication

– Real-time control: A must for mission-critical systems

Page 11

Page 12

Page 13

Random losses in the feedback loop

[Sinopoli, Schenato, Franceschetti, Poolla, Sastry, Jordan, IEEE Trans-AC (2004)]

[Block diagram: System, Sensor web, Wireless Multi-hop, State estimator, Controller]

• What happens to the Kalman filter when some sensor readings are lost?

• Can we bound the error covariance

Page 14

Optimal estimation with intermittent observations

[Block diagram: Plant, Aggregate Sensor, Communication Network, State estimator]

• Kalman Filter is still the optimal estimator

• We proved the existence of a threshold phenomenon:

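[Equations garbled in the transcript. Legible fragments: a limit of E[P_t] “for … and some initial condition”, a bound M_{P_0} on E[P_t] “for … and any initial condition”, and a critical value (subscript c) between “min” and “max” bounds. Figure label: Kalman Filter]

[Sinopoli, Schenato, Franceschetti, Poolla, Sastry, Jordan, IEEE Trans-AC (2004)]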
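
The threshold behaviour on this slide, as an added example that is not part of the original deck: for a scalar plant, deterministic lower and upper bounds on the expected error covariance E[P_t] are iterated for several packet arrival probabilities. The symbols a, c, q, r, gamma and p0 are assumptions of this sketch; for a scalar plant with c != 0 both bounds switch at the same critical probability 1 - 1/a^2.

```python
# Added illustration, not code from the slides. Scalar plant
#   x[t+1] = a*x[t] + w[t],  y[t] = c*x[t] + v[t],  Var(w) = q, Var(v) = r,
# where each measurement packet reaches the estimator with probability gamma.
# The names a, c, q, r, gamma, p0 are assumptions made for this sketch.

def critical_probability(a):
    """Arrival probability at or below which E[P_t] diverges (scalar, c != 0)."""
    return max(0.0, 1.0 - 1.0 / (a * a))


def covariance_bounds(a, c, q, r, gamma, p0=1.0, steps=400):
    """Iterate deterministic lower/upper bounds on the expected error covariance.

    lower: S[t+1] = (1 - gamma) * a^2 * S[t] + q
           (a received packet can at best shrink the prediction error to q)
    upper: V[t+1] = a^2 V + q - gamma * (a c V)^2 / (c^2 V + r)
           (Riccati step with the correction weighted by gamma; valid by
            Jensen's inequality because the update is concave in V)
    """
    s = v = p0
    for _ in range(steps):
        s = (1.0 - gamma) * a * a * s + q
        v = a * a * v + q - gamma * (a * c * v) ** 2 / (c * c * v + r)
    return s, v


def sweep(a=1.25, c=1.0, q=1.0, r=1.0,
          gammas=(0.2, 0.3, 0.4, 0.5, 0.8, 1.0), limit=1e6):
    """Classify each arrival probability from the two bounds."""
    rows = []
    for g in gammas:
        s, v = covariance_bounds(a, c, q, r, g)
        if s > limit:            # even the lower bound blows up
            verdict = "unbounded"
        elif v < limit:          # the upper bound has settled
            verdict = "bounded"
        else:
            verdict = "undetermined"
        rows.append((g, verdict, s, v))
    return rows


if __name__ == "__main__":
    print("critical arrival probability:", critical_probability(1.25))
    for g, verdict, s, v in sweep():
        print(f"gamma={g:.1f}  {verdict:9s}  lower={s:.3g}  upper={v:.3g}")
```

With a = 1.25 the critical arrival probability is 0.36, so the estimator stays bounded only while more than 36% of measurement packets arrive.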

Page 15

Optimal control with both intermittent observations and control packets

• What is the minimum arrival probability that guarantees “acceptable” performance of estimator and controller?

• How is the arrival rate related to the system dynamics?

• Can we design estimator and controller independently?

• Are the optimal estimator and controllers still linear?

• Can we provide design guidelines?

[Block diagram: Plant, Aggregate Sensor, Communication Network, State estimator, Controller, Communication Network]

Page 16

LQG control with intermittent observations and control

[Block diagram: Plant, Aggregate Sensor, Communication Network, State estimator, Controller, Communication Network]

Ack is always present

Ack is relevant

We’ll group all communication protocols in two classes:

– TCP-like (acknowledgement is available)

– UDP-like (acknowledgement is absent)

Page 17

UDP-like and TCP-like optimal static LQG design

[Figure: regions labelled “unbounded” and “bounded”; labels “estimator” and “controller”]

OPTIMAL LQG CONTROL w/ CONSTANT GAINS

Much better performance of TCP compared to UDP

Page 18

Diagram of U.S. Energy

Units: US quads/year

Energy: Supply & Demand

Demand

Supply

Buildings

Industry

Transportation

3 Major Demand Sectors

Page 19

Building Operating Platform (BOP): Sensors, Communication, Controls, Real-Time Optimization for Cost, Energy Use, CO2 Footprint

Building Design Platform (BDP): Tool for Architects to Design New Buildings With Embedded Energy Analysis

Windows & Lighting

HVAC

Onsite Power & Heat

Natural Ventilation, Indoor Environment

Building Materials

Appliances

Thermal & Electrical Storage

Page 20

University of California • Berkeley

Building Operating System

Courtesy of Arun Majumdar

Page 21

Autocad + DoE-2 = Building-EDA?

• Components and their model

• Interconnection of all the components

• External drivers

• Observe behavior over time, validate, “what-if”, …

Electricity

Water

Supply Air

People

Waste Water

Return Air

Heat

Page 22

Cooperative Continuous Reduction

Automated Control

Facility Mgmt

User Demand

Supervisory Control

Community Feedback

High-fidelity visibility

50% reduction over 4 years across the Campus

Page 23

Closing the Loop!

Page 24

LochNess*: A Real-Time Sensor Network-Based Control System

Multiple layers of data fusion for robustness and to reduce communication load

* LochNess (Large-scale “On-time” Collaborative Heterogeneous Networked Embedded SystemS). [Oh, Schenato, Chen, Sastry, PIEEE, 2007]

Hierarchical architecture for real-time operation

Page 25

Multi-Target Tracking (MTT) Problem

• Given

– Multiple dynamics and measurement models

– Sensor and clutter (false alarms) models

– Target appearance and disappearance models

– Set of noisy unlabeled observations Y

• Find

– Number of targets

– States of all targets

• Requires solutions to both

– Data association

– State estimation

Joint Work with Songhwai Oh and Stuart Russell

Page 26

Fully Polynomial Randomized Approximation Scheme

[Oh, Sastry, ACC 2005]

First data association algorithm with guaranteed error bounds!

Page 27

Simulation Results: Robustness against Transmission Failure

• Each single-hop transmission fails with probability (transmission failure rate)

• Tolerates up to 50% lost-to-total packet ratio

Page 28

Simulation Results: Robustness against Communication Delay

• Each single-hop transmission gets delayed with probability (communication delay rate)

• Tolerates up to 90% delayed-to-total packet ratio

Page 29

Sensor Webs in Air Traffic Control

Air Traffic Control*

* [Oh, Hwang, Roy, Sastry AIAA and Oh, Schenato, Chen, and Sastry, Journal of Guidance, Control, and Dynamics (to appear), Hwang, Balakrishnan, Tomlin, IEE Proceedings]

Page 30

Vulnerabilities of Cyber-physical systems

• Controllers are computers

• Networked

• Commodity IT solutions

• New functionalities (smart infrastructures)

• Many devices (sensor webs)

• Highly skilled IT global workforce (creating attacks is easier)

• Cybercrime

Joint work with Saurabh Amin and Alvaro Cardenas

Page 31

Vulnerabilities can be Exploited

2008 Huntington Beach offshore oil platforms

2000 Maroochy Shire sewage control system.

2007 Tehama-Colusa Canal

2007 Cal-ISO power marketing operations

Page 32

Vulnerabilities can be Exploited

Page 33

Attacks

Page 34

Secure Control: What is New and Fundamentally Different?

• So security is important; but are there new research problems, or can problems be solved with

– Traditional IT security?

– Fault-tolerant control?

Trust and Adversary Model

• Prevention

– Authentication, access control, software security, trusted computing, white listing

• Detection

– Intrusion detection systems, anomaly detection

• Resiliency

– Separation of duty, least privilege principle

Page 35

CPS Security vs. Traditional Security

• What is new and fundamentally different in control systems security?

– Model interaction with the physical world

• By modeling the interaction with the physical world we can obtain 3 new research directions

– Threat assessment: how attacker may manipulate control variables to achieve goals and study consequences to the physical system

– Attack-detection by using models of the physical system: Study stealthy attacks (undetected attacks), Ensure safety of any automated response mechanism

– Attack-resilient control algorithms

Page 36

Our Results in these 3 New Research Topics

• Threat assessment of control systems

– Ad Hoc Networks 2009

– Journal of Critical Infrastructure Protection 2009

• Detecting attacks to control systems

– Work in progress

– Power grid, chemical reactor etc.

• Resilient control algorithms

– HSCC 2009

We focus on “Detection” in the remaining part of this presentation

Page 37

4 Key Problems

• Estimate model of the physical process

• Propose a detection scheme

• Study stealthy attacks

• Ensure safety of automated response

Page 38

Case Study: Tennessee Eastman Chemical Reactor

A+B+C

A D

Pressure

A in purge

Product Flow

Page 39

Detection algorithm: nonparametric CUSUM

Measure the difference between expected and observed behavior:

b is chosen such that

Non-parametric CUSUM:

We work with nonparametric change detection statistics because of plant nonlinearities

Page 40

Tuning CUSUM parameters to ensure low false alarm rate and fast detection time
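
The detector and the tuning trade-off from the two slides above, as an added example that is not part of the original deck: the textbook nonparametric CUSUM recursion (assumed here to be the form the slide showed) is run over a constructed residual trace with a constant sensor offset. PATTERN, BIAS, ONSET and the (b, tau) pairs are constructed values, not data from the Tennessee Eastman study.

```python
# Added illustration, not code from the slides. The recursion is the textbook
# nonparametric CUSUM; PATTERN, BIAS, ONSET and the (b, tau) pairs are
# constructed values chosen so the behaviour can be checked by hand.

PATTERN = [0.2, 0.9, 0.5, 1.3, 0.1, 0.7]  # |expected - observed|, normal operation
BIAS = 1.0                                # constructed sensor offset
ONSET = 120                               # sample at which the offset begins
RESIDUALS = [PATTERN[k % 6] + (BIAS if k >= ONSET else 0.0) for k in range(180)]


def cusum(residuals, b, tau):
    """Return the sample indices at which the detector raises an alarm.

    S[k] = max(0, S[k-1] + z[k] - b); alarm when S[k] > tau, then reset to 0.
    b must exceed the mean normal residual so that S drifts back to zero.
    """
    s, alarms = 0.0, []
    for k, z in enumerate(residuals):
        s = max(0.0, s + z - b)
        if s > tau:
            alarms.append(k)
            s = 0.0
    return alarms


def evaluate(b, tau, residuals=RESIDUALS, onset=ONSET):
    """Return (false alarms before onset, detection delay in samples or None)."""
    alarms = cusum(residuals, b, tau)
    false_alarms = sum(1 for k in alarms if k < onset)
    hits = [k for k in alarms if k >= onset]
    return false_alarms, (hits[0] - onset if hits else None)


def tuning_table(pairs=((0.5, 5.0), (1.0, 5.0), (1.0, 2.0), (1.5, 5.0))):
    """Evaluate several (b, tau) settings on the same constructed trace."""
    return {pair: evaluate(*pair) for pair in pairs}


if __name__ == "__main__":
    for (b, tau), (fa, delay) in tuning_table().items():
        print(f"b={b} tau={tau}: false alarms={fa}, detection delay={delay}")
```

Here b = 0.5 lies below the mean normal residual (about 0.62), so the statistic drifts upward and alarms with no offset present. Raising b to 1.5 removes the false alarms but stretches the detection delay from 8 to 39 samples.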

Page 41

How can an attacker remain undetected?

• Attacker

– Wants to be undetected for n time steps

– Wants to maximize the pressure in the tank

• Surge attack

• Bias attack

• Geometric attack

Page 42

Even Geometric Attacks Cannot Drive the System to An Unsafe State

Conclusion: If an attacker wants to remain undetected, she cannot damage the system

Page 43

DoS Attack Signatures for Secure Control Problem

Page 44

Key Ideas from Robust Control

Page 45

High Confidence CPS Systems: Research Taxonomy

• Robust Inferencing for Control

• Closing the Loop with fault tolerant networked control systems

• Effects of Mobility on Loop Closure

• Graceful Degradation Under Attack: Trustworthy systems

• Key Applications

– Process Control and SCADA systems

– Action Webs for Energy Efficient Buildings