Invest or not invest? That is the question, for a Networked Control Systems security operator…

In this week’s study group Theodoros S. presented a paper on securing interdependent and identical Networked Control Systems (NCS) (http://www.sciencedirect.com/science/article/pii/S0005109812004682).

The very nature of those systems that can manage the operational part within Critical Infrastructure Systems (CIS), along with the use of commercial off-the-shelf devices, such as sensors and actuators, which often bear software and hardware vulnerabilities, renders them an attractive cyber-attack target.

The authors of the paper identify two types of risks in such systems; the risks associated with the technology of the utilised devices, resulting in a probability of reliability failure, and the risks that result from the vulnerabilities of the shared network on which plants and controllers are being attached, resulting in a probability of security failure. They utilise a probabilistic failure model to model the packet loss in both the sensor and control communication channel of the NCS. In their model they introduce the idea of security interdependencies as the result of an individual’s security decision on the other players, which in its turn affects the probability of security failure. The overall failure probability constitutes a sum of reliability failure and security failure.

In order to analyze the emerging security interdependencies among the NCS operators the authors introduce a game theory model that offers optimal solutions to the operators based on the aforementioned probabilistic failure model. They form their model as a two-stage non-cooperative game. In the first stage the operators, mentioned as players, have to select their security status, modeled as a binary choice between investing in security or not, while in the second stage they have to decide upon the optimal control inputs for their respective plants. Each player’s goal is to minimize the average long-term cost, which encompasses the cost of security and the cost of operating the plant.

Considering that V is the set of player security choices V := { V¹, … ,V^m} and U is the set of player control inputs U := {U¹,… U^m}, where m is the number of the operators/players they model each plant as a discrete-time stochastic linear system:

xⁱ_t+1 = Axⁱ_t + vⁱ_tBuⁱ_t + wⁱ_t

yⁱ_t = γⁱ_tCxⁱ_t + υⁱ_t

where xⁱ_t denotes the system’s state,  uⁱ_t is the control input, yⁱ_t stands for the measured output, and wⁱ_t and υⁱ_t represent the process and the sensor noise respectively. The vⁱ_t and γⁱ_t variables represent tha packet loss in the control and sensor communication channel respectivelly, and depend on V in the way that each player’s packet loss (failure) depends upon both his own security decision and the other players’ choises. Thus Both vⁱ_t and γⁱ_t incorporate the probability of failure due to the player’s own decision (reliability failure) and the probability of failure due to every players’ decision (security failure).

The total cost is calculated as a sum of the security cost and the control cost. The security cost, computed in stage 1 of the game, depends solely on the security choice of the player and it’s not affected by the other players’ choices. On the other hand, the control cost is given by the average Linear Quadratic Gaussian (LQG) cost and depends on both V and U. The objective of each player is to minimize his total cost, thus the Hash Equilibria of the game are described as the strategies (U and V) that give the minimum security cost while in parallel preserve security.

The authors distinguish two cases depending on how the player perceives security. In the first case the player’s objective is to minimize his own individual security cost, whilst in the second case the player, mentioned as social planner, aims at minimizing the aggregate cost of all players. By applying their model on two cases, a two-player and a m-player game, they conclude that the players tend to under-invest when playing for their own individual benefit compared to when they play as social planners. For higher values of security costs they tend not to invest in security when they follow the “individual interest” strategy, while for the same values they choose to invest when they follow the “social planner” approach.

All in all, this paper presents a thorough mathematical analysis of the problem of security investments when interdependencies affect the system. The authors have successfully modeled the actions of the operators and the emerging security interdependencies, inferring from their findings that operators tend to under-invest in security when they consider security as a matter of the individual rather than acting as a social planner for the good of the system. However, the model considers a state where the presence of security in the system dictates the failure of the attack (perfect security), omitting intermediate situations. Taking into account the attacker’s choice and intermediate states where the level of security determines the probability of attack failure could lead to a more complex yet more accurate and realistic security model.