
NSF Org: |
CNS Division Of Computer and Network Systems |
Recipient: |
|
Initial Amendment Date: | August 27, 2012 |
Latest Amendment Date: | August 27, 2012 |
Award Number: | 1222656 |
Award Instrument: | Standard Grant |
Program Manager: | Ralph Wachter, rwachter@nsf.gov, (703)292-8950, CNS Division Of Computer and Network Systems, CSE Directorate for Computer and Information Science and Engineering |
Start Date: | September 1, 2012 |
End Date: | August 31, 2016 (Estimated) |
Total Intended Award Amount: | $500,000.00 |
Total Awarded Amount to Date: | $500,000.00 |
Funds Obligated to Date: |
|
History of Investigator: |
|
Recipient Sponsored Research Office: |
300 TURNER ST NW BLACKSBURG VA US 24060-3359 (540)231-5281 |
Sponsor Congressional District: |
|
Primary Place of Performance: |
302 Whittemore Hall (0111) Blacksburg VA US 24061-0001 |
Primary Place of Performance Congressional District: |
|
Unique Entity Identifier (UEI): |
|
Parent UEI: |
|
NSF Program(s): | Secure & Trustworthy Cyberspace |
Primary Program Source: |
|
Program Reference Code(s): |
|
Program Element Code(s): |
|
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
Perimeter security and air-gap approaches to preventing malware disruption of industrial and infrastructure processes are challenged by the complexity of modern control systems, which incorporate networked, heterogeneous, software-updatable components such as personal computers and programmable logic controllers. Global supply chains and proprietary third-party hardware components, tools, and software limit the reach of static design verification techniques. As a consequence, attacks such as Stuxnet have demonstrated that these systems can be surreptitiously compromised. We are developing a run-time method for process control violation prediction to enhance system resilience against configuration attacks on embedded controllers. This approach copes with either malicious or unintentional errors in any software layer of any programmable component. The run-time system includes a second instance of the active controller connected to a model of the plant, giving a short-term projection of future controller actions and process state. To maintain convergence with the physical system, the model's state is periodically synchronized with the plant's state. The predictor is combined with run-time guards implemented in a configurable hardware-anchored root of trust to quickly detect when the projected process state violates specifications. Aberrant event- or time-triggered controller behavior is anticipated before it affects the physical process, allowing preemptive switchover to a minimal and static stability-preserving controller. A productive model-based design flow is being extended to synthesize the active and backup controllers, prediction module, and specification guards into a single commercially available chip. The root of trust can be formally verified because of its hardware implementation and independence from the controller software.
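The prediction-and-preemption loop described in the abstract (a shadow copy of the active controller run ahead on a plant model that is re-synchronized to the real plant each control period, a guard that checks the projected state against the specification, and a switchover to a minimal static backup controller) is illustrated below in a small discrete-time simulation. This is an added example, not code from the award or from the project it describes; the tank plant, its constants, the safety band, the proportional controller and its time-triggered "payload" are all constructed for illustration. The guard treats the controller as an opaque, possibly tampered program: it never inspects the controller's code, it only runs a copy of it and checks where the model ends up.

```python
"""Run-time prediction of process-specification violations (added example).

A shadow instance of the active controller is run HORIZON steps ahead against
a plant model that is synchronized to the measured plant state at the start of
every control period. If any projected state leaves the specification band,
the plant is switched to a minimal static backup controller before the
offending command ever reaches the physical process. Everything here is
constructed for illustration; it is not the project's own design.
"""
import copy
from dataclasses import dataclass

SETPOINT = 5.0          # desired tank level (constructed)
SAFE_BAND = (1.0, 9.0)  # process specification: level must stay inside (constructed)
HORIZON = 5             # number of steps the shadow controller is run ahead
TRIGGER_STEP = 10       # constructed logic bomb: controller misbehaves after this many calls


class TankModel:
    """Discrete-time tank: one unit of outflow per step, inflow = 2 * valve command."""

    def __init__(self, level: float):
        self.level = level

    def step(self, valve: float) -> float:
        valve = min(1.0, max(0.0, valve))
        self.level += 2.0 * valve - 1.0      # valve = 0.5 holds the level constant
        return self.level


@dataclass
class CompromisedController:
    """Proportional controller carrying a constructed time-triggered payload."""
    kp: float = 0.2
    calls: int = 0

    def command(self, level: float) -> float:
        self.calls += 1
        if self.calls > TRIGGER_STEP:
            return 1.0                       # payload: valve fully open, level runs away
        return min(1.0, max(0.0, 0.5 + self.kp * (SETPOINT - level)))


class BackupController:
    """Minimal static controller: holds the equilibrium valve setting."""

    def command(self, level: float) -> float:
        return 0.5


def predict_violation(controller, measured_level: float, horizon: int) -> bool:
    """Run a cloned controller ahead on a model synchronized to the plant.

    Returns True if any projected level leaves SAFE_BAND within `horizon` steps.
    """
    shadow = copy.deepcopy(controller)       # second instance of the active controller
    model = TankModel(measured_level)        # synchronization: model state <- plant state
    low, high = SAFE_BAND
    for _ in range(horizon):
        level = model.step(shadow.command(model.level))
        if not low <= level <= high:
            return True
    return False


def run(steps: int, guarded: bool) -> dict:
    """Simulate the plant with or without the guard.

    Returns the final level, the step at which switchover happened (None if
    never) and the per-step level trace.
    """
    plant = TankModel(SETPOINT)
    active = CompromisedController()
    backup = BackupController()
    switched_at = None
    trace = []
    for k in range(steps):
        # Guard runs before the command is applied, so a predicted violation
        # is preempted rather than observed.
        if guarded and switched_at is None and predict_violation(active, plant.level, HORIZON):
            switched_at = k
        ctrl = backup if switched_at is not None else active
        plant.step(ctrl.command(plant.level))
        trace.append(plant.level)
    return {"final_level": plant.level, "switched_at": switched_at, "trace": trace}


if __name__ == "__main__":
    unguarded = run(20, guarded=False)
    guarded = run(20, guarded=True)
    print("unguarded final level:", unguarded["final_level"])          # 15.0
    print("guarded switchover at step:", guarded["switched_at"])        # 10
    print("guarded final level:", guarded["final_level"])              # 5.0
```

Without the guard the payload fires on the eleventh control period and the level climbs one unit per step, leaving the band after four malicious commands. With the guard, the shadow run at period 10 already projects the level reaching 10.0 within the five-step horizon, so the backup controller takes over and the real plant never leaves the setpoint. Shortening HORIZON below the time the payload needs to breach the band would let the first malicious commands through, which is the trade-off the abstract's "short-term projection" refers to.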
PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
Cyberattacks usually bring to mind cyber crime, which ultimately seeks money (e.g., ransomware), hacktivism, which seeks to disrupt an entity's IT systems, or espionage, which seeks corporate and government information. A less frequent association is cyber conflict, which seeks to degrade or destroy physical infrastructure such as power, petrochemical, and manufacturing plants. What was accomplished by aerial bombing campaigns in WWII can now be done by malicious code introduced through networks to the embedded computers controlling physical processes. This type of attack has great potential for widespread economic disruption, as demonstrated by the December 2015 power disruption in Ukraine that left more than 230,000 residents in the dark. While the response to cyber crime, hacktivism, and espionage is usually reactive (software patching and/or updating virus signatures), cyber warfare defenses need to be proactive, since there may be nothing left to defend after the initial attack or it may not be possible to return processes to stability beyond a certain degree of disturbance. Despite being networked, the simple microcontrollers bridging the cyber and physical worlds generally have few internal protections against malware. Network exploits developed in the IT realm carry over to process control systems. We therefore seek to add a last line of defense beyond conventional network protections such as firewalls.
One option, inspired by the movie Minority Report, is prediction and pre-emption. Rather than have psychics see what will occur in the future, the physical world is mirrored by a predictive virtual world that connects a copy of the (possibly compromised) plant control software to a computer model of the physical plant. The virtual world can be fast-forwarded to see what latent malware in the microcontroller may attempt to do in the near future. Even a short preview may help to avoid process instability and permit an orderly transfer to a simple, trusted backup controller. A second option is to use machine learning to classify the possible states of the plant into safe and unsafe states. When the classifier detects the plant moving into an unsafe region, it assumes that the controller has been compromised and transitions to the trusted backup controller. In both options, it is important that the monitoring, prediction, switchover, and backup components be isolated from any and all microcontroller software, which is accomplished by using programmable system-on-chip platforms that integrate microcontrollers and configurable hardware on the same chip. The configurable hardware, which cannot be modified over the network, implements the trusted components.
In the cybersecurity realm, workforce education is as important as technical solutions. Designing protections for cyber-physical systems requires a knowledge of two fields that traditionally have little intersection: network security, which is traditionally associated with computer engineering and computer science programs, and control system engineering, which is normally part of electrical, mechanical, and aerospace engineering programs. Lab modules created in this project incorporate cyber-physical security concepts into learning modules that highlight real-world technical issues. This approach helps students understand control system architectures and their vulnerabilities to cyber-attacks via experiential learning, and acquire practical skills through actively participating in the hands-on exercises. The goal of these lab modules is to show how an adversary could destabilize a computer-controlled process by exploiting vulnerabilities in network, supervisory, and process controller layers. A mock testbed environment is created with low cost commercial-off-the-shelf hardware suiting undergraduate embedded system, control system design, or cybersecurity courses. The ultimate goal is to have students appreciate the awesome responsibilities of embedded microcontrollers.
Last Modified: 09/20/2016
Modified by: Cameron D Patterson