Post on 21-Dec-2015


Closing the Loop

Towards a theory for High Confidence Cyber Physical Systems for Societal Systems

Songhwai Oh (Seoul Natl.), Saurabh Amin, Alvaro Cardenas (Fuji Res.), Luca Schenato (Padova), Bruno Sinopoli (CMU), and Shankar Sastry

University of California

Berkeley CA 94720

Outline

• Tech Push and Applications Pull: instrumenting the World

• Expanding the Vision: Heterogeneous Sensor Webs and Societal Scale Cyber Physical Systems

• Closing the loop for Societal Scale Cyber Physical Systems (fault tolerant and robust)

– Industrial Automation

– Buildings

• Trustworthy Cyber Physical Systems

Tech Push: Major Recent Progress

Philips Sand module

UCB mm3 radio

UCB PicoCube

UCB Telos Mote

[Ref: Ambient Intelligence, W. Weber Ed., 2005]

IIMEC e-Cube

Ubiquitous Instrumentation

• Understanding phenomena:

– Data collection for offline analysis

» Environmental monitoring, habitat monitoring

» Structural monitoring

Great Duck Island

Redwoods

Wind Response of Golden Gate Bridge

Soil monitoring

25 Motes on Damaged sidewall

Soil monitoring

Vineyards

Sensor Webs Everywhere

• Understanding phenomena:

– Data collection for offline analysis

» Environmental monitoring, habitat monitoring

» Structural monitoring

• Detecting changes in the environment:

– Thresholds, phase transitions, anomaly detection

» Security systems, surveillance, health care

» Wildfire detection

» Fault detection, threat detection

Fire Response

Health Care

Intel Research

Sensor Web Applications Taxonomy

• Understanding phenomena:

– Data collection for offline analysis

» Environmental monitoring, habitat monitoring

» Structural monitoring

• Detecting changes in the environment:

– Thresholds, phase transitions, anomaly detection

» Security systems, traffic surveillance

» Wildfire detection

» Fault detection, threat detection

• Real-time estimation and control:

– Traffic control, building control, environmental control

– Manufacturing and plant automation, power grids, SCADA networks

– Service robotics, pursuit evasion games, active surveillance, search-and-rescue, and search-and-capture, telesurgery

– Multiple Target Tracking and Pursuit Evasion games

Building Comfort, Smart Alarms

[Figure arrow: applications ordered from Easier to Difficult]

Heterogeneous Sensor Webs

• Low-bandwidth, high-bandwidth, & mobile sensors

• Built on Intel Vision Library

UCB/ITRI CITRIC Mote

Major Progress but True Immersion not yet in Reach

Artificial Skin

Smart Objects

“Microscopic” Health Monitoring

Interactive Surfaces

Courtesy of Jan Rabaey

“Societal Scale Cyber Physical Systems”

• Characteristics

– Ubiquitous, Pervasive, Disappearing, Perceptive, Ambient

– Always Connectable, Reliable, Scalable, Adaptive, Flexible

• The Emerging Service Models

– Intelligent data access and extraction

– Immersion-based work and play

– Environmental control, energy management and safety in “high-performance” homes

– Automotive and avionic safety and control

– Management of metropolitan traffic flows

– Distributed health monitoring

– Power distribution with decentralized energy generation

Industrial Automation

• Motivation: Cost reduction

– More than 85% reduction in cost compared to wired systems (case study by Emerson)

– SCADA (Supervisory Control And Data Acquisition)

• Reliability is the number one issue

– Robust estimation: estimation of parameters of interest from noisy measurements with high fidelity in the presence of unreliable communication

– Real-time control: A must for mission-critical systems

Random losses in the feedback loop

Sinopoli, Schenato, Franceschetti, Poolla, Sastry, Jordan, IEEE Trans-AC (2004)

[Block diagram: System, Sensor web, Wireless multi-hop network, State estimator, Controller]

• What happens to the Kalman filter when some sensor readings are lost?

• Can we bound the error covariance?

Optimal estimation with intermittent observations

[Block diagram: Plant, Aggregate sensor, Communication network, State estimator]

• Kalman Filter is still the optimal estimator

• We proved the existence of a threshold phenomenon: there is a critical arrival probability $\lambda_c$ for the observation packets, with $\lambda_{\min} \le \lambda_c \le \lambda_{\max}$, such that

$E[P_t] \le M_{P_0}$ for $\lambda_c < \lambda \le 1$ and any initial condition $P_0 \ge 0$

$\lim_{t \to \infty} E[P_t] = \infty$ for $0 \le \lambda < \lambda_c$ and some initial condition $P_0 \ge 0$

where $\lambda_{\min} = 1 - 1/\alpha^2$ with $\alpha = \max_i |\sigma_i(A)|$, the largest-magnitude eigenvalue of $A$.

[Block diagram: Kalman Filter]

Sinopoli, Schenato, Franceschetti, Poolla, Sastry, Jordan, IEEE Trans-AC (2004)
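The threshold result above, illustrated with an added scalar simulation (my example, not code from the paper or the slides): the modified Riccati recursion for the error covariance is run under Bernoulli packet losses with constructed parameters A = 2, C = 1, Q = R = 1, for which λ_c = λ_min = 1 − 1/A² = 0.75. An arrival probability above λ_c keeps E[P_t] bounded; one below it lets the covariance blow up.

```python
import random

# Scalar instance of Kalman filtering with intermittent observations:
#   x_{t+1} = A x_t + w_t,  y_t = C x_t + v_t,  packet t arrives with probability lam.
# Constructed parameters (not from the slides): unstable plant A = 2, C = 1, Q = R = 1.
A, C, Q, R = 2.0, 1.0, 1.0, 1.0

def critical_arrival_rate(a):
    """lambda_min = 1 - 1/alpha^2 with alpha = |A|; for scalar (invertible C) it equals lambda_c."""
    return 1.0 - 1.0 / (abs(a) ** 2)

def riccati_step(p, received):
    """Modified Riccati recursion: the correction term is applied only when the packet arrived.

    P_{t+1} = A P A^T + Q - gamma_t * A P C^T (C P C^T + R)^{-1} C P A^T, written out for scalars."""
    predicted = A * p * A + Q
    if not received:
        return predicted
    correction = (A * p * C) ** 2 / (C * p * C + R)
    return predicted - correction

def mean_error_covariance(lam, steps=60, runs=2000, seed=1):
    """Monte Carlo estimate of E[P_t] averaged over time: bounded above lambda_c, divergent below."""
    rng = random.Random(seed)
    total, count = 0.0, 0
    for _ in range(runs):
        p = 1.0
        for _ in range(steps):
            p = riccati_step(p, rng.random() < lam)
            total += p
            count += 1
    return total / count

if __name__ == "__main__":
    print(f"lambda_c = {critical_arrival_rate(A):.2f}")
    for lam in (0.5, 0.9):
        print(f"lambda = {lam}: time-averaged E[P_t] ~ {mean_error_covariance(lam):.1f}")
```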

Optimal control with both intermittent observations and control packets

• What is the minimum arrival probability that guarantees “acceptable” performance of estimator and controller?

• How is the arrival rate related to the system dynamics?

• Can we design estimator and controller independently?

• Are the optimal estimator and controllers still linear?

• Can we provide design guidelines?

[Block diagram: Plant, Aggregate sensor, Communication network, State estimator, Controller, Communication network]

LQG control with intermittent observations and control

[Block diagram: Plant, Aggregate sensor, State estimator, Controller, and two communication networks, labelled “Ack is always present” and “Ack is relevant”]

We’ll group all communication protocols in two classes: TCP-like (acknowledgement is available) and UDP-like (acknowledgement is absent).

UDP-like and TCP-like optimal static LQG design

[Plot: estimator and controller performance versus arrival probability (up to 1), with bounded and unbounded regions]

Optimal LQG control with constant gains: much better performance of TCP compared to UDP

[Diagram of U.S. Energy supply and demand; units: US quads/year. 3 major demand sectors: Buildings, Industry, Transportation]

Building Operating Platform (BOP): Sensors, Communication, Controls, Real-Time Optimization for Cost, Energy Use, CO2 Footprint

Building Design Platform (BDP): Tool for Architects to Design New Buildings with Embedded Energy Analysis

Windows & Lighting

HVAC

Onsite Power & Heat

Natural Ventilation, Indoor Environment

Building Materials

Appliances

Thermal & Electrical Storage

University of California • Berkeley

Building Operating System

Courtesy of Arun Majumdar


Autocad + DoE-2 = Building-EDA?

Components and their model; interconnection of all the components; external drivers; observe behavior over time, validate, “what-if”, …

[Diagram: building modelled as interconnected components with flows of Electricity, Water, Supply Air, People, Waste Water, Return Air, Heat]


Cooperative Continuous Reduction

Automated Control

Facility Mgmt

User Demand

Supervisory Control

Community Feedback

High-fidelity visibility

50% reduction over 4 years across the Campus

Closing the Loop!

LochNess*: A Real-Time Sensor Network-Based Control System

Multiple layers of data fusion for robustness and to reduce communication load

* LochNess (Large-scale “On-time” Collaborative Heterogeneous Networked Embedded SystemS). [Oh, Schenato, Chen, Sastry, PIEEE, 2007]

Hierarchical architecture for real-time operation

Multi-Target Tracking (MTT) Problem

• Given

– Multiple dynamics and measurement models

– Sensor and clutter (false alarms) models

– Target appearance and disappearance models

– Set of noisy unlabeled observations Y

• Find

– Number of targets

– States of all targets

• Requires solutions to both

– Data association

– State estimation

Joint Work with Songhwai Oh and Stuart Russell

Fully Polynomial Randomized Approximation Scheme

[Oh, Sastry, ACC 2005]

First data association algorithm with guaranteed error bounds!

Simulation Results: Robustness against Transmission Failure

• Each single-hop transmission fails with probability (transmission failure rate)

• Tolerates up to 50% lost-to-total packet ratio

Simulation Results: Robustness against Communication Delay

• Each single-hop transmission gets delayed with probability (communication delay rate)

• Tolerates up to 90% delayed-to-total packet ratio

Sensor Webs in Air Traffic Control

Air Traffic Control*

* [Oh, Hwang, Roy, Sastry, AIAA; Oh, Schenato, Chen, and Sastry, Journal of Guidance, Control, and Dynamics (to appear); Hwang, Balakrishnan, Tomlin, IEE Proceedings]

Vulnerabilities of Cyber-physical systems

• Controllers are computers

• Networked

• Commodity IT solutions

• New functionalities (smart infrastructures)

• Many devices (sensor webs)

• Highly skilled IT global workforce (creating attacks is easier)

• Cybercrime

Joint work with Saurabh Amin and Alvaro Cardenas

Vulnerabilities can be Exploited

2008 Huntington Beach offshore oil platforms

2000 Maroochy Shire sewage control system.

2007 Tehama-Colusa Canal

2007 Cal-ISO power marketing operations


Secure Control: What is New and Fundamentally Different?

• So security is important; but are there new research problems, or can problems be solved with

– Traditional IT security?

– Fault-tolerant control?

Trust and Adversary Model

• Prevention

– Authentication, access control, software security, trusted computing, white listing

• Detection

– Intrusion detection systems, anomaly detection

• Resiliency

– Separation of duty, least privilege principle

CPS Security vs. Traditional Security

• What is new and fundamentally different in control systems security?

– Model interaction with the physical world

• By modeling the interaction with the physical world we can obtain 3 new research directions

– Threat assessment: how attacker may manipulate control variables to achieve goals and study consequences to the physical system

– Attack-detection by using models of the physical system: Study stealthy attacks (undetected attacks), Ensure safety of any automated response mechanism

– Attack-resilient control algorithms

Our Results in these 3 New Research Topics

• Threat assessment of control systems

– Ad Hoc Networks 2009

– Journal of Critical Infrastructure Protection 2009

• Detecting attacks to control systems

– Work in progress

– Power grid, chemical reactor etc.

• Resilient control algorithms

– HSCC 2009

We focus on “Detection” in the remaining part of this presentation

4 Key Problems

• Estimate model of the physical process

• Propose a detection scheme

• Study stealthy attacks

• Ensure safety of automated response

Case Study: Tennessee Eastman Chemical Reactor

[Reactor diagram: feeds A, B, C; products A, D; monitored variables: Pressure, A in purge, Product Flow]

Detection algorithm: nonparametric CUSUM

Measure the difference between expected and observed behavior:

b is chosen such that

Non-parametric CUSUM:

We work with nonparametric change detection statistics because of plant nonlinearities.

Tuning CUSUM parameters to ensure low false alarm rate and fast detection time

How can an attacker remain undetected?

• Attacker

– Wants to be undetected for n time steps

– Wants to maximize the pressure in the tank

• Surge attack

• Bias attack

• Geometric attack

Even Geometric Attacks Cannot Drive the System to An Unsafe State

Conclusion: If an attacker wants to remain undetected, she cannot damage the system
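An added worked example (mine, not the authors' code) of the detection scheme above: the nonparametric CUSUM statistic run over constructed residuals in which a sensor bias appears at step 100, plus the bound on how far the cumulative residual can drift over n steps without tripping the alarm, which is the quantity to size against the plant's safety limits when tuning the detector. The tuning rule for b (mean residual plus two standard deviations on attack-free data) and the threshold τ = 2.0 are assumptions; the slides' own expression for choosing b is not reproduced.

```python
import random

# Nonparametric CUSUM over the residual r_t = |y_t - yhat_t| between observed and
# model-predicted readings: S_t = max(0, S_{t-1} + r_t - b), alarm when S_t > tau.
# Standard condition assumed for b: it exceeds the expected residual in normal
# operation, so E[r_t - b] < 0 and S_t drifts back to zero absent an attack.

def cusum_detect(residuals, b, tau):
    """Run the detector; return the first index with S_t > tau (None if never) and the S_t trace."""
    s, trace, alarm = 0.0, [], None
    for t, r in enumerate(residuals):
        s = max(0.0, s + r - b)
        trace.append(s)
        if alarm is None and s > tau:
            alarm = t
    return alarm, trace

def choose_b(normal_residuals, margin=2.0):
    """Assumed tuning rule: mean attack-free residual plus `margin` standard deviations."""
    n = len(normal_residuals)
    mean = sum(normal_residuals) / n
    var = sum((r - mean) ** 2 for r in normal_residuals) / n
    return mean + margin * var ** 0.5

def worst_undetected_deviation(n, b, tau):
    """Largest cumulative residual that can stay below the alarm for n steps: tau + n*b.

    Any n-step sequence with sum(r_t - b) > tau trips the detector, so an undetected one
    has sum(r_t) <= tau + n*b; compare this with the plant's safety margin (e.g. pressure)."""
    return tau + n * b

def constructed_trace(n=200, attack_start=100, bias=0.5, sigma=0.1, seed=7):
    """Constructed residuals: Gaussian sensor noise, plus a constant sensor bias from attack_start."""
    rng = random.Random(seed)
    return [abs((bias if t >= attack_start else 0.0) + rng.gauss(0.0, sigma)) for t in range(n)]

def run_demo(tau=2.0):
    """Tune b on the attack-free prefix, run the detector, and report the undetected-drift bound."""
    trace = constructed_trace()
    b = choose_b(trace[:100])
    alarm, _ = cusum_detect(trace, b, tau)
    return b, alarm, worst_undetected_deviation(10, b, tau)

if __name__ == "__main__":
    b, alarm, bound = run_demo()
    print(f"b = {b:.3f}, alarm at step {alarm}, 10-step undetected drift bound = {bound:.2f}")
```

Raising τ lowers the false-alarm rate but delays the alarm and raises the bound by the same amount, which is the trade-off the slides refer to as tuning for low false alarm rate and fast detection time.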

DoS Attack Signatures for Secure Control Problem

Key Ideas from Robust Control

High Confidence CPS Systems: Research Taxonomy

• Robust Inferencing for Control

• Closing the Loop with fault tolerant networked control systems

• Effects of Mobility on Loop Closure

• Graceful Degradation Under Attack: Trustworthy systems

• Key Applications

– Process Control and SCADA systems

– Action Webs for Energy Efficient Buildings