In this
week’s study group Theodoros S. presented a paper on securing interdependent
and identical Networked Control Systems (NCS) (http://www.sciencedirect.com/science/article/pii/S0005109812004682).
The very
nature of those systems that can manage the operational part within Critical
Infrastructure Systems (CIS), along with the use of commercial off-the-shelf devices,
such as sensors and actuators, which often bear software and hardware vulnerabilities,
renders them an attractive cyber-attack target.
The
authors of the paper identify two types of risks in such systems; the risks associated with
the technology of the utilised devices, resulting in a probability of reliability failure, and the risks that
result from the vulnerabilities of the shared network on which plants and
controllers are being attached, resulting in a probability of security failure. They utilise a
probabilistic failure model to model the packet loss in both the sensor and control
communication channel of the NCS. In their model they introduce the idea of
security interdependencies as the result of an individual’s security decision
on the other players, which in its turn affects the probability of security
failure. The overall failure probability constitutes a sum of reliability
failure and security failure.
In order to analyze the emerging
security interdependencies among the NCS operators the authors introduce a game
theory model that offers optimal solutions to the operators based on the aforementioned
probabilistic failure model. They form their model as a two-stage non-cooperative game. In the first stage the operators, mentioned
as players, have to select their security status, modeled as a binary choice
between investing in security or not, while in the second stage they have to
decide upon the optimal control inputs for their respective plants. Each
player’s goal is to minimize the average long-term cost, which encompasses the
cost of security and the cost of operating the plant.
Considering that V is the set of
player security choices V := { V1, … ,Vm} and U is the
set of player control inputs U := {U1,… Um}, where m is
the number of the operators/players they model each plant as a discrete-time
stochastic linear system:
xit+1 = Axit
+ vitBuit + wit
yit = γitCxit + υit
where xit
denotes the system’s state, uit
is the control input, yit stands for the measured output,
and wit and υit represent the
process and the sensor noise respectively. The vit and γit variables represent tha packet loss in the control and sensor communication channel
respectivelly, and depend on V in the way that each player’s packet loss (failure)
depends upon both his own security decision and the other players’ choises. Thus
Both vit
and γit
incorporate the
probability of failure due to the player’s own decision (reliability failure)
and the probability of failure due to every players’ decision (security failure).
The total cost is calculated as a
sum of the security cost and the control cost. The security cost, computed in
stage 1 of the game, depends solely on the security choice of the player and it’s
not affected by the other players’ choices. On the other hand, the control cost
is given by the average Linear Quadratic Gaussian (LQG) cost and depends on
both V and U. The objective of each player is to minimize his total cost, thus
the Hash Equilibria of the game are described as the strategies (U and V) that give
the minimum security cost while in parallel preserve security.
The authors distinguish two cases depending
on how the player perceives security. In the first case the player’s objective
is to minimize his own individual security cost, whilst in the second case the
player, mentioned as social planner, aims at minimizing the aggregate cost of
all players. By applying their model on two cases, a two-player and a m-player
game, they conclude that the players tend to under-invest when playing for
their own individual benefit compared to when they play as social planners. For
higher values of security costs they tend not to invest in security when they
follow the “individual interest” strategy, while for the same values they
choose to invest when they follow the “social planner” approach.
All in all, this paper presents a thorough
mathematical analysis of the problem of security investments when interdependencies
affect the system. The authors have successfully modeled the actions of the operators
and the emerging security interdependencies, inferring from their findings that
operators tend to under-invest in security when they consider security as a
matter of the individual rather than acting as a social planner for the good of
the system. However, the model considers a state where the presence of security
in the system dictates the failure of the attack (perfect security), omitting intermediate
situations. Taking into account the attacker’s choice and intermediate states
where the level of security determines the probability of attack failure could
lead to a more complex yet more accurate and realistic security model.
No comments:
Post a Comment