2018 AIChE Annual Meeting

(392a) Designing Difficult-to-Cyberattack Process Control Systems

Author

Helen Durand - Presenter, Wayne State University

Cybersecurity of chemical process control systems is critical because attacks on these processes can harm physical equipment as well as people [1]. Cyberattacks can take many forms, including sending false sensor measurements to operators so that they believe the process is operating normally when it is not [2], or manipulating the control actions applied to the process [3]. In [4], it is noted that physical attacks on plants may be prevented by making the plants less attractive targets: making a plant more inherently safe (e.g., using less hazardous materials) reduces the consequences of an attack. A similar concept should apply in the context of cybersecurity.

Motivated by the above considerations, we develop an implementation strategy for model predictive control (MPC) that seeks to make the control system more difficult to cyberattack, for the specific type of attack in which the attacker provides false state measurements to the MPC. In this strategy, a variety of control designs with stability-based constraints (e.g., constraints based on Lyapunov and Control Lyapunov-Barrier functions) are developed, and one is randomly selected at every sampling time. Each controller on its own can guarantee closed-loop stability and recursive feasibility for initial states within a well-characterized region of state-space. The implementation strategy ensures that the only controllers available for selection at a given sampling time are those that would be feasible, so that the implemented control actions guarantee closed-loop stability even when randomly selected. The goal of the random selection is to make it difficult for a cyberattacker to determine which incorrect value of the measured state to provide to the controller at a given sampling time to achieve a certain goal, since the controller that will be used with that measurement, and therefore the input that will be applied when the state measurement is provided, is difficult to discern a priori. A chemical process example demonstrates the use of this randomized MPC implementation strategy.
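
The selection logic described above, as an added illustration that is not from the paper: the sketch stands in for the Lyapunov-based MPC designs with four linear feedback laws on a constructed scalar plant, restricts the draw at each sampling time to the controllers whose stability region contains the measured state, and picks one with an OS-backed random source. The plant, gains, input bound and all function names are assumptions made for the example.

```python
import secrets

# Constructed scalar plant x+ = A*x + B*u with input bound |u| <= U_MAX (assumed values).
A, B, U_MAX = 1.2, 1.0, 1.0
# Constructed feedback gains standing in for the MPC designs; each gives |A - B*K| < 1.
GAINS = [0.5, 0.9, 1.2, 1.6]

def lyapunov(x):
    """Shared Lyapunov function V(x) = x^2 for the scalar plant."""
    return x * x

def region_bound(k):
    """Level of V inside which u = -k*x respects the input bound."""
    return (U_MAX / k) ** 2

def feasible(x_meas):
    """Indices of the controllers whose stability region contains x_meas."""
    return [i for i, k in enumerate(GAINS) if lyapunov(x_meas) <= region_bound(k)]

def select_and_apply(x_meas, rng):
    """Draw one feasible controller at random and return (index, input)."""
    candidates = feasible(x_meas)
    if not candidates:
        # Outside every characterized region: no stability guarantee to offer.
        raise ValueError("measurement outside every stability region")
    i = rng.choice(candidates)
    return i, -GAINS[i] * x_meas

def possible_inputs(x_meas):
    """Inputs that could result from one measurement, one per feasible design."""
    return sorted(-GAINS[i] * x_meas for i in feasible(x_meas))

def simulate(x0, steps, rng=None):
    """Closed loop with truthful measurements; returns final state and trace."""
    rng = rng or secrets.SystemRandom()  # OS entropy, so the draw is not seed-predictable
    x, trace = x0, []
    for _ in range(steps):
        i, u = select_and_apply(x, rng)
        trace.append((x, feasible(x), i, u))
        x = A * x + B * u
    return x, trace

if __name__ == "__main__":
    x_final, trace = simulate(1.8, 30)
    for x, cand, i, u in trace[:6]:
        print(f"x={x:+.4f} feasible={cand} chosen={i} u={u:+.4f}")
    print("inputs possible for a measurement of 0.5:", possible_inputs(0.5))
```

Far from the origin only one design is feasible, so the applied input is fully determined by the measurement there; the number of inputs a given measurement could map to grows as the state enters more of the stability regions.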

[1] A. A. Cárdenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang and S. Sastry, “Attacks against process control systems: Risk assessment, detection, and response,” In Proceedings of the ACM Asia Conference on Computer & Communications Security, Hong Kong, China, 2011.

[2] O. Linda, M. Manic and M. McQueen, “Improving control system cyber-state awareness using known secure sensor measurements,” In Proceedings of the International Conference on Critical Information Infrastructures Security, Lillehammer, Norway, 2012.

[3] A. Rosich, H. Voos, Y. Li and M. Darouach, “A model predictive approach for cyber-attack detection and mitigation in control systems,” In Proceedings of the IEEE Conference on Decision and Control, pages 6621-6626, Florence, Italy, 2013.

[4] S. Bajpai and J. P. Gupta, “Site security for chemical process industries,” Journal of Loss Prevention in the Process Industries, 18, 301-309, 2005.