Towards Cyber-Physical Vetting of Critical Infrastructures

Modeling and analyzing complex, dynamical architecture of the UAS
Identifying cyber, physical, and control vulnerabilities in the UAS
Demonstrating concrete cyber attacks to confirm discovered vulnerabilities and quantify their risks and impacts
Monitoring and mitigating the impact of cyber attacks

Construct and demonstrate realistic attacks to assess their impact and risk using software/hardware-in-the-Loop testbeds

Component-wise View of UAS Autopilot Security
- Sensor Data Security
- Control System Security
- Communication Security

The current autopilot and ground control software are designed with little thought for security
Despite this, the autopilot software (e.g., PX4, ArduPilot, etc.) itself has no apparent vulnerabilities that can be exploited on the fly, and the ground station is likewise difficult to exploit during operation
The wireless communication protocol (MAVlink) was originally completely unsecured, but has since added security features

=> All these factors mean that it is quite challenging to compromise the system in the air without some preparation before takeoff

Potential Threat of Trojan Attack
- Humans are generally very bad at following security practices, and the aircraft setup process requires downloading software from the internet → possibility for trojan

Attackers modify some of the software used in UAS operation (autopilot, GCS, communication) to include malicious attack payload in the autopilot firmware
The autopilot behaves normally until some attacker-defined condition is met
Then the attack payload performs the attack, causing unwanted behavior from the perspective of the operator

Case Study: Trojan Attack on the State Estimator in Autopilot
- Assuming trojan insertion into the autopilot state estimator, the compromised UAS estimate will be easily recognized by the ground operator if the attack does too much
- An intelligent attacker can inject attacks making his presence hard to detect from the ground observation without having perfect access / knowledge of the UAS

=> Stealthy Cyber Attack Problem!

Previously implemented and demonstrated human observer-based monitoring system model uses only visual information available through the ground station
Can detect attacks that cause visually apparent deviations
- Cross-track error in following the planned trajectory (left figure)
- Apparent sideslip: mismatch between the direction the aircraft is pointing and the direction of its velocity (left figure)
- Difference between apparent speed and normal cruise speed (right figure)

Because only a small amount of the available information is displayed visually, it is possible for an attacker to circumvent human detection
- In the figure below, trajectory looks normal to an observer, concealing the attack

Calculates scalar detection statistic using difference between expected measurements and actual measurements
Detection occurs when the statistic exceeds the detection threshold
Relies on information from the estimator
Detects attacks that the human observer cannot (e.g., the example above)

Detection statistic plotted over several different trajectories with no attacks, compared to the detection threshold

Cyber Attack Mitigation Problem
- Design a feedback gain history (K) which minimizes the effect of cyber attacks over all the possible energy-bounded attack sequences:

Previous Research
- Attack is assumed to be known a prior => the control performances could degrade if the actual attack deviates from the one assumed by a controller
Our Approach: Hybrid Switching Control Framework
- Design of the switching logic to switch the hybrid controllers to the most secure/safe sub-controller against unpredictable arbitrary cyber attacks

Cost Comparison

Switching Sequence