Available online at www.sciencedirect.com

www.elsevier.com/locate/ijcip

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 0

http://dx.doi.org/101874-5482/& 2015 El

nCorresponding aE-mail address:

A multi-layered and kill-chain based securityanalysis framework for cyber-physical systems

Adam Hahna,n, Roshan K. Thomasb, Ivan Lozanob, Alvaro Cardenasc

aSchool of Electrical Engineering and Computer Science, Washington State University, Pullman, Washington 99164, USAbThe MITRE Corporation, MS T340, 7515 Colshire Drive, McLean, VA 22102, USAcErik Jonsson School of Engineering and Computer Science, University of Texas at Dallas, 800 West Campbell Road, EC31,Richardson, TX 75080, USA

a r t i c l e i n f o

Article history:

Received 13 January 2015

Received in revised form

9 August 2015

Accepted 15 August 2015

Available online 29 August 2015

Keywords:

Cyber-physical system security

Kill-chain

Cyber reconnaissance

Controllability

Observability

.1016/j.ijcip.2015.08.003sevier B.V. All rights res

uthor.ahahn@eecs.wsu.edu (A

a b s t r a c t

This paper introduces a novel framework for understanding cyber attacks and the related

risks to cyber-physical systems. The framework consists of two elements, a three-layered

logical model and reference architecture for cyber-physical systems, and a meta-model of

cyber-physical system attacks that is referred to as the cyber-physical system kill-chain.

The layered reference architecture provides a systematic basis for studying how the causal

chain associated with cyber perturbations can be traced all the way to physical perturba-

tions. The cyber-physical system kill-chain describes the progressive stages of attacks to

illuminate the steps required for an attacker to launch a successful attack against a cyber-

physical system. The proposed framework offers a novel approach for comprehensively

studying the elements of cyber-physical system attacks, including the attacker objectives,

cyber exploitation, control-theoretic properties and physical system properties. The

framework is evaluated using a simulated unmanned aerial system and the results of

the evaluation are discussed. The longer-term goal is to use the framework as a means to

deduce cyber-physical system security properties and to enumerate the principles for

designing systems that are resilient to cyber attacks.

& 2015 Elsevier B.V. All rights reserved.

1. Introduction

Attacks on cyber-physical systems (CPSs) have been observedwith increasing frequency and have attracted the attention ofthe research community and industry. However, a commonattack analysis framework and related design principles forresilient cyber-physical systems have not yet emerged. Orga-nizations such as NIST have emphasized that accuratesecurity threat models are critical to designing secure cyber-physical systems [17].

This paper introduces a novel framework for analyzing

cyber attacks against cyber-physical systems. The framework

erved.

. Hahn).

provides a foundation for understanding cyber attacks and

the related risks to cyber-physical systems, and for articulat-

ing design principles that will help engineer resilient cyber-

physical systems.The framework incorporates two elements. The first ele-

ment comprises a logical system model and reference archi-tecture that express the architectural composition of cyber-physical systems in terms of three interrelated layers. Thebottom physical layer models the physical dynamics andproperties of a control system, including its sensors andactuators. The middle control layer embodies a mathematicalmodel of the control logic and various control algorithms, state

Fig. 1 – Cyber-physical system attacks.

Fig. 2 – Logical cyber-physical system model.

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 040

estimators, error correction and sensor feedback mechanismsthat are used to observe and manipulate the physical system.Finally, the top cyber layer expresses the control system in acomputerized platform, such as a programmable logic control-ler. The cyber layer utilizes the Architecture Analysis andDesign Language (AADL) to model communications buses,data, messages, processes and systems.

The second element of the framework is a cyber-physicalsystem kill-chain for analyzing attacks and threat models inthe cyber-physical system domain. This meta-model of cyberattacks helps understand the various lifecycle phases thatmake up an attack. It is analogous to the cyber kill-chainoriginally proposed by Hutchins et al. [10]. It clarifies thevalue of intelligence-driven defenses that emphasizes anunderstanding of adversarial tactics, techniques and proce-dures as the basis for designing system defenses. Theintelligence-driven defense approach has been used to pre-dict the vulnerabilities that could be exploited to launchattacks [8]. Meanwhile, the U.S. Department of Defense hasused the kill-chain to design cyber security testing andevaluation activities [18].

By combining a layered reference model with the cyber-physical system kill-chain, the proposed framework supportsthe systematic analysis of causal chains and perturbationsthat emanate from the cyber layer all the way to the physicalimpact on the cyber-physical system. The utility of theframework is demonstrated using a case study involvingthe control system of a simulated unmanned aerial system(UAS). A number of cyber attacks were launched againstvarious unmanned aerial system components and the result-ing physical system impacts were evaluated. The simulationswere then used to explore how the cyber, control andphysical properties influence attack impacts. The analysisprovides insights into defensive strategies that are effectiveduring the various cyber-physical kill-chain phases.

2. Previous work

The last few years have seen the publication of numerousresearch papers that analyze cyber vulnerabilities in cyber-physical systems. Cardenas et al. [2] have demonstrated howattacks can impact different elements of a control loop in acyber-physical system. Several research efforts have exploredtheoretical and real-world attacks against cyber-physicalsystems; these attacks have used a broad range of attackvectors and have targeted various elements of the controlloop. Fig. 1 identifies the control loop components that can beimpacted by cyber attacks, including measurements, actuatorsignals, controllers and reference signals.

By manipulating sensor signals, an attacker can corruptthe state estimates computed by a controller and thenchange the resulting control signals sent to actuators. Liuet al. [15] have shown that cyber attackers can manipulatepower system state estimation algorithms by sending frau-dulent measurements to state estimators. Other researchershave demonstrated that unmanned autonomous vehicles canbe hijacked by spoofing GPS signals that cause controllers tosend incorrect control actions [21]. Additionally, researchers

have demonstrated that wireless signals can be used tomanipulate medical devices and cause drug overdoses [14,19].

Numerous attacks have demonstrated the ability tomanipulate control algorithms executing on controllers byabusing administrative rights or exploiting software vulner-abilities. By manipulating a controller, an attack can directlyinfluence the control signals sent to actuators. The Stuxnetworm is an excellent example of an attack on a controller – itmanipulated ladder logic device configuration code in aprogrammable logic controller to send malicious commandsto frequency converters that directly controlled centrifugerotors [4]. Similarly, the Aurora attack demonstrated thatelectric power generators could be physically damaged iftheir frequency control is made out-of-sync with the fre-quency control of the power grid [22]. Additionally, Halperinet al. [9] have demonstrated that controllers in implantedcardiac devices can be remotely reprogrammed to causeincorrect treatments and/or dosages to be given to patients.

An attacker can manipulate control actions by directlysending commands to actuators. For example, researchershave directly injected packets into the CAN buses of modernautomobiles, resulting in malicious control actions being sentto critical actuators (e.g., engines and brakes) [3,13].

3. Cyber-physical system model

This section introduces a three-layer representation of acyber-physical system S as demonstrated in Fig. 2. The modellayers include the physical layer Sphy, control layer Scnt andcyber layer Scyb. Each layer is defined in detail below.

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 0 41

3.1. Physical layer

The physical layer represents the physical rendering of thecyber-physical system. It captures the physical propertiesof the system and the physical architecture, including thedecisions involving the process variables that are measuredusing sensors and the manipulated variables that are con-trolled using actuators.

The physical properties of a system are characterized bythe plant dynamics, which can be linear or nonlinear,deterministic or stochastic, time varying or time-invariant,hybrid or non-hybrid, and fast changing or slow changing(e.g., power grid voltages and currents can change andpropagate in milliseconds while chemical processes can takehours to change their states).

The architectural properties of the physical layer dependon the numbers of measurements and actuation signals, andthe specific level of the architectural hierarchy. For example,the massive scale of the electric power grid makes it impos-sible for a single authority to autonomously control the grid;as such, the power grid is controlled as a federated system,where each component subsystem is controlled by a singleauthority, but in a decentralized manner. In contrast, thewater level in a tank can be maintained via centralizedcontrol using a single sensor and actuator. Physical andarchitectural decisions also consider the dimension of thesystem of interest. Basic control algorithms are single-input–single-output (SISO); however, most real-world industrialcontrol problems are complex and rely on multiple-input–multiple-output (MIMO) algorithms.

Most physical processes can be represented by differentialequations of the form

_xðtÞ ¼ f ðxðtÞ;uðtÞÞ þwðtÞ ð1Þ

and

yðtÞ ¼ gðxðtÞ;uðtÞÞ þ vðtÞ ð2Þ

where xðtÞARn is a vector of physical quantities that repre-sents the system state at time t, uðtÞARp is the control input attime t and yðtÞARq is a vector of sensor measurements at timet. The physical process is modeled by a (possibly nonlinear)function f ðÞ that depends on the current state x(t) and actuatorsignals u(t). Similarly, sensor measurements are modeled by a(possibly nonlinear) function gðÞ. Finally, w(t) and v(t) modelstochastic variables representing the process and measure-ment uncertainties, respectively; these are useful for modelingthe fact that the functions f ðÞ and gðÞ may not be accurate andit is, therefore, necessary to incorporate statistical estimates ofthe uncertain or unknown parameters.

A common, generic model of a physical system is linearand time-invariant. Even if a system is nonlinear or it hastime-varying parameters, the physical system can always beapproximated by linear dynamics in and around the operat-ing region.

A control algorithm (discussed below) attempts to achievespecific properties guided by operational requirements. Justas confidentiality, integrity and availability are core securityproperties that must be preserved in the face of cyber attacks,there are equivalent control-theoretic properties that must be

assured in the physical system. These properties includestability, safety and efficiency.

The most important property of a control system isstability. Several notions of stability have been proposed,including asymptotic stability, Lyapunov stability andbounded-input–bounded-output stability. However, all thesenotions intuitively express the fact that the system state x(t)will converge (or remain relatively close) to a desired setpointxn after disturbances.

Another important property in control system design issafety, the ability to prevent accidents that harm humans ordamage equipment. In control theory, the notion of safety isusually translated to the ability to keep the system state in adesired (i.e., safe) region.

Finally, the efficiency of a control system is the degree towhich it achieves its purpose or mission. The optimality of acontrol algorithm is usually measured as its ability to followreference signals that minimize the costs involved in runningthe system (e.g., fuel costs and operational costs).

3.2. Control layer

The control layer takes sensor measurements y(t) and pro-duces actuator signals u(t) that manipulate the system state x(t). The control action u(t) is typically a function of the systemstate, i.e., uðtÞ ¼ hðxðtÞÞ. The system state is computed by anobserver kðÞ as an estimated state xðtÞ based on the sensormeasurements. The observer usually has knowledge of thesystem parameters f ðÞ and gðÞ, the statistics of the noisesignals w(t) and v(t), and has access to the control input andthe sensed variables.

Controllability and observability are properties that do notdirectly affect the output, but are useful for analyzing controlalgorithms. These notions were originally defined for linear,time-invariant systems, but they have intuitive interpreta-tions for general control systems. Note that observability andcontrollability are mathematical duals.

�

Controllability: This is the ability of an external input todrive the internal system state from an initial state toanother state in a finite time interval. A similar notion isoutput controllability, which describes the ability of anexternal input to drive the output from an initial conditionto a final condition in a finite time interval. A system iscontrollable if it is possible to execute a control algorithmthat can make the system stable.

�

Observability: This is a measure of how well the dynamicbehavior of a system (i.e., internal system states) can beinferred based on information about its external outputs(i.e., sensor measurements). In practice, a system isobservable if it is possible to create an observer (alsoknown as a state estimator) that can accurately track thesystem state given sensor measurements.

Each control architecture has unique security considera-tions. For example, in a linear system, an attacker can have asimple attack strategy to destabilize the system; however, ina nonlinear system, an attacker might be able to explorecomplex dynamics such as finding a resonant frequency ofthe system. Similarly, a centralized architecture may have a

Fig. 3 – AADL-based control layer mapping.

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 042

single point of failure that an adversary could target, while adistributed architecture would allow an adversary to com-promise a subset of agents, and any security model wouldhave to incorporate the interdependencies of these agentsand the overall system.

3.3. Cyber layer

The cyber layer is where the control aspects of a cyber-physical system are implemented as computerized controlsystems. This is typically realized through special-purposehardware platforms. The hardware interfaces with electrical,communications and mechanical subsystems and must beoptimized to satisfy real-time computing constraints.

The Architecture Analysis and Design Language (AADL) isused to model the cyber layer because it can capture thehardware and software architectures of embedded real-timesystems. At a high level, AADL decomposes a system intohardware components and software components that corre-spond to the cyber components of a cyber-physical system[5]. The execution platform comprises hardware componentssuch as devices, memory, buses and processors. Thesecomponents represent the physical aspects of the system.

Software components, which model code execution,include processes, threads, data and subprograms needed tosupport execution. The properties of software components aswell as hardware components are defined in the AADLstandard [6].

AADL provides modeling constructs for expressing anumber of descriptive and runtime properties of the softwareand execution platform (hardware) components of a system.For example, the execution properties that can be assigned tothreads include timing, dispatch protocols, memory size andprocessor binding.

Of special interest with regard to the cyber layer is howconfidentiality, integrity and availability attacks can nega-tively impact execution, access and other cyber systemattributes. In the context of AADL, confidentiality attacksinvolve unauthorized access to memory and data whileintegrity attacks involve tampering with memory and data.Availability attacks perturb the execution characteristics ofprocesses and threads, such as disrupting transmission andthe data transfer characteristics of buses or delaying memoryaccesses.

By mapping the cyber layer to the control layer, this modelprovides the ability to evaluate how cyber attacks can perturbthe control system and ultimately the physical system. Fig. 3shows how various components of the AADL model of a

system are mapped to the control layer. AADL subprogramsare used to execute various observer and control actionfunctions, while control variables are modeled as AADL dataobjects. These components represent the physical aspects ofthe system. The AADL model representation of the cyberlayer is denoted by Scyb.

3.4. Characterizing the attack space

The Cartesian product of cyber security properties, controlproperties, physical outcomes and extent characterizes theattack space of a cyber-physical system. The Cartesianproduct of these sets

AS¼ SECPROP� CNTPROP� EXTENT� OUTCOME ð3Þ

enumerates all possible (but not necessarily viable) combina-tions of how a cyber attack vector may perturb controlproperties. The three sets are defined as follows:

�

SECPROP: Cyber security properties, i.e., {confidentiality,integrity, availability}.

�

CNTPROP: Control-theoretic properties, i.e., {controllability,observability}.

�

EXTENT: Extent of the control properties gained by theattacker, i.e., {partial, full}.

�

OUTCOME: Physical outcomes in terms of system effects,i.e., {stability, safety, efficiency}.

4. Cyber-physical kill-chain

This section presents a cyber-physical kill-chain that assistsdefenders in understanding and describing the cyber-physical system attack lifecycle and how attackers can carryout attacks. Fig. 4 compares the cyber-physical kill-chain withthe traditional cyber kill-chain. The cyber-physical kill-chainspecifies how the various kill-chain phases map to the cyber,control and physical properties of the targeted system.

4.1. Reconnaissance phase

The reconnaissance phase starts with a target system S aboutwhich the attacker must gain information in order to performthe attack. Information about the system can be acquired byvarious means, including collecting publicly-available data,performing cyber exploitations or conducting physical obser-vations. Reconnaissance can be modeled in each of the threelayers of the framework.

Fig. 4 – Comparing the cyber and cyber-physical kill-chains.

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 0 43

4.1.1. Cyber reconnaissanceReconnaissance in the cyber layer focuses on the operationaland security attributes of a cyber system. Operational attri-butes describe how a system communicates and processesinformation to support the activities of the cyber-physicalsystem. Security attributes describe the vulnerabilities of asystem to attack and inform an attacker about the types ofattacks that may be possible against the system. Operationalattributes include the hardware and software platforms,communications protocols and processes. Security attributesinclude hardware and software vulnerabilities, cryptographicalgorithms, authentication mechanisms and attack detectioncapabilities.

4.1.2. Control reconnaissanceReconnaissance in the control layer seeks to understand thecontrol model of the targeted system. The goal is to acquireinformation about the control algorithms, sensors and actua-tors and how they are used to monitor and control the cyber-physical system. This information is necessary to understandhow a cyber attack can perturb the critical system based oninformation about the system state that may be available tothe attacker and the attacker's ability to influence thephysical operations of the system.

Information about sensors and actuators is very valuable,especially the types of devices, the degree of redundancy andhow the data provided can be used to infer the system state.The control algorithms, topology and dimensions are ofinterest as well; these provide insights into the attacks thatare possible, how they might progress and if the system hassynchronization constraints in the case of multiple interac-tive control loops (that can lead to cascading effects). If asystem has multiple controllers, then understanding control-ler coordination is important to the attacker as well. Thisinformation allows the attacker to construct a view of thecontrol algorithm that describes the behavior of the controlleroutput u(t) given sensor values y(t).

4.1.3. Physical reconnaissanceReconnaissance in the physical layer focuses on understand-ing the physical process f ðÞ, gðÞ that is being controlled. Inorder to achieve a particular objective, an attacker mustunderstand how the physical process is influenced by variouscontrol actions as well as the physical properties anddynamics that govern the process. Also, an attacker musthave a strong understanding of the stability, safety, efficiencyand resource constraints. This enables the attacker to

determine if the system is inherently stable, the degree ofstability, the safety bounds and the resources required by thesystem to fulfill its mission at a given level of efficiency.

4.2. Weaponization phase

The goal of the weaponization phase is to develop a weaponbased on the information about the three layers obtained inthe earlier reconnaissance phase. The weapon designerswould have to decide on the specific vulnerabilities to beexploited in the cyber and control layers based on thephysical properties that need to be perturbed. They need todetermine if the goal is to degrade some aspect of thephysical operation of the cyber-physical system or to disrupt,or even completely destroy, the cyber-physical system. Otherconsiderations include the quality and quantity of informa-tion about the internal workings of the cyber and controllayers, the degree of precision of the physical effects and theavailable weapon delivery mechanisms. These considera-tions collectively determine the specific exploits at the cyberand control layers.

A weapon W employs one or more cyber exploitationvectors. Each cyber exploitation vector is an action thatexploits a vulnerability in pursuit of a target at the cyberlayer, with the end goal of perturbing the control and physicallayers. Each cyber exploitation vector has a cyber impact thatprovides an attacker with some influence over the controllayer of the system, resulting in a new control function forthe system. An individual cyber exploitation vector is a tupleCEV¼ ⟨cybexp, cybtar, secprop, cntexp⟩ whose elements aredefined as follows:

�

Cyber exploit (cybexp): The cyber exploit is the part of theweapon that provides the attacker with the ability tomanipulate the operation of the cyber layer. The cyberexploit leverages a system weakness (e.g., software vul-nerability or inadequate authentication) to gain influenceover the cyber layer. Sources such as the Common AttackPattern Enumeration and Classification (CAPEC) provide acomprehensive set of possible cyber exploits [16].

�

Cyber Target (cybtar): The cyber target can be any cybercomponent in the system architecture (e.g., bus, message,process or data) that contains an exploitable vulnerability.This ultimately determines how the attacker can impactthe control of the system. Although the cyber exploit isapplied to the cyber target, the particular target andvulnerability constrain the affected security property.

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 044

�

T

C

S

M

S

CC

Security property (secprop): By exploiting a cyber target, anattacker is able to compromise its confidentiality, integrityand/or availability. A successful attack on confidentialityenables the attacker to gather information about thesystem. A successful attack on integrity or availabilityenables the attacker to directly impact the control layer.

�

Control exploit (cntexp): The control exploit determines howthe weapon will manipulate the control layer of thesystem; this control layer manipulation is derived fromcybexp, cybtar and secprop. A control exploit manipulatesthe control layer by injecting a function, cðt;uðtÞ; yðtÞ; xðtÞÞ,which takes a set of control variables to perform theattacker-defined function. The inputs to the functiondepend on the information obtained by the attacker bydegrading confidentiality. An attack against availability ofa cyber component is equivalent to denying input/outputand can be defined as cðt;u; y; xÞ-f0; 1g, which returnszero when the attack is enabled and one otherwise.Similarly, an attack that degrades integrity can be definedas cðt;u; y; xÞ-fua; ya; xag, where the function outputfua; ya; xag is dependent on the control loop componentthat is manipulated. Table 1 provides examples of cyberexploitation vectors.

4.3. Delivery phase

The delivery phase encompasses all the actions that move aweapon from an attacker to a target. Examples includewireless transmission, supply chain infiltration or physicalaccess to a dataport. A weapon may first have to be spread inunrelated networks in order to gain access to the targetedcyber-physical system. This spreading, and any cyber exploitsrequired to achieve it, occurs during the delivery phase. Thedelivery phase ends and the subsequent cyber executionphase begins after the weapon begins to act directly on thecyber-physical system.

4.4. Cyber execution phase

The cyber execution phase focuses on how the cyber layer ofthe system Scyb is degraded by W:cybexp, W:cybtar andW:secprop. This phase results in a modified cyber layer S

0cyb

in which the components have degraded confidentiality,integrity or availability (CIA) properties based on cybexp,cybtar and secprop.

As mentioned in Section 3.3, the cyber layer can be describedusing an AADL model of the cyber components comprising thecyber-physical system. A cyber weapon contains an exploitagainst a particular target component that has a confidentiality,

able 1 – Examples of cyber exploitation vectors.

yber exploit Cyber target

oftware exploit Process, thread

an-in-the middle Bus, data

poofing Bus, data

ommunication flooding Bus, dataPU consumption Processor, process, thread

integrity or availability impact on the cyber layer. This impactleads to some effect on the control layer. Therefore, the cyberexploitation phase is modeled as a function that takes thecurrent AADL model Scyb and the weapon W, and computes theimpact of the weapon on the system model by degrading itsconfidentiality, availability or integrity properties to produce theattacked system model S

0cyb.

Algorithm 1. Cyber impact algorithm.

function SystemImpact(System Scyb, Weapon W)List⟨Component c; CIA� effect e⟩totalImpacts¼ ½�for all component, ciAScyb do

totalImpacts.addCyberImpact(ci, W)end for

return S0cyb-Scyb⧹totalImpacts

end function

function CyberImpact(Component c, Weapon W)List⟨ Component c; CIA� effect e⟩impacts¼ ½�for all CEViAW doif c¼ CEVi:cybtar thenimpacts: add(IsVulnerable(c, CEVi:cybexp))

else if c has Subcomponents thenfor all cjAc do

impacts.add(CyberImpact(cj, W))end for

end ifend for

return impactsend function

Algorithm 1 demonstrates how the cyber exploitationimpact is computed using the system model. The CyberIm-pact function recursively explores all the subcomponents ofthe system to determine the cyber components that aretargeted. When a target is found, function IsVulnerabledetermines the impact of the cyber exploit, taking intoconsideration the attack mitigation mechanisms that maybe implemented for the component. For example, an attackagainst an encrypted bus enables an attacker to read data onthe bus, but confidentiality is preserved because of encryp-tion as long as the attacker does not have the decryption key.The impacts are then returned to the parent component andthe full impact list is eventually returned to SystemImpact.The function SystemImpact, after calling function CyberIm-pact in the top-level AADL component (system itself), usesthe resulting impact list to generate a post-exploit cybermodel S

0cyb. The IsVulnerable function is not defined here

Security property Control exploit

{Conf., Int., Avail.} cðt;u; y; xÞ-fua; ya; xag{Conf., Int., Avail.} cðt;u; y; xÞ-fua; ya; xag{Int.} cðtÞ-fua ; ya; xag{Avail.} cðtÞ-f0;1g{Avail.} cðtÞ-f0;1g

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 0 45

because it is specific to the security protections available tothe system (e.g., encryption and encapsulation) that mayprotect subcomponents although the parent component wassuccessfully attacked.

4.5. Control perturbation phase

The input to the control perturbation phase is the degradedcyber model S

0cyb (output of the previous phase) and the

control exploit of the cyber weapon cntexp. This phaseattempts to assess the impact of a cyber attack based onhow observable and controllable the system is to the defen-der and to the attacker, and then applies the control exploitcntexp to Scnt. This results in the attacker-manipulated controllayer S

0cnt.

During this phase, the weapon begins to have an effect onthe control layer by degrading integrity or availability in thecyber layer, which influences the operation of the controlloop in the control layer. As demonstrated in Fig. 5, an attackthat degrades the data and subprograms in the cyber modelenables the attacker to manipulate the variables and func-tions defined in the control model. Additionally, this phasedescribes how an attack that degrades confidentiality, integ-rity or availability enables the attacker to gain observabilityand controllability, and whether the attack also degrades thedefender's observability and controllability.

As explained above, the security properties perturbed by acyber attack determine the controllability and observability ofthe system to the attacker. However, the weapon's controlfunction cðÞ determines exactly how the control layer ismanipulated by an attack to achieve its objective. An attackthat targets a subprogram in Scyb is modeled by encapsulatingthe control function in the subprogram within the function cðÞand adding the control logic specified in the weapon's controlfunction. Similarly, an attack that targets data is modeled byencapsulating the data in function cðÞ.

In this setting, a forced (i.e., non-homogeneous) system oflinear differential equations is considered:

_xðtÞ ¼AxðtÞ þ BuðtÞ yðtÞ ¼ CxðtÞ þ DuðtÞ ð4Þ

where xðtÞARn is a vector of physical quantities representingthe system state at time t, uðtÞARp is the control input at timet, yðtÞARq is a vector of sensor measurements at time t and A,B, C and D are matrices representing the system dynamics.

Assume that an attacker has access to a subset of controlsignals ua (it does not matter which signals). Because theordering of the vector x is arbitrary, it is always possible to

Fig. 5 – Control impacts d

partition the system as

_x ¼AxþB11 B12

B21 B22

" #us

ua

" #

_x ¼Axþ Bsus þ Baua ð5Þwhere Bs ¼ ½B11B21�T, Ba ¼ ½B12B22�, us represents the first s rowsof the vector u and ua the remaining rows (which areassumed to be under the control of the adversary).

This model can be used to answer questions about thevulnerability of a system under attack. In particular, the cyber-physical system security axioms described in [1] are examined.

4.5.1. CPS security axiom #1: integrity – controllabilityWhile obtaining a general result for controllability of ageneral system under attack is difficult, a common controlalgorithm that is representative of the majority of practicalcontrol systems is one that uses a state-feedback controlsignal, where the original control signal (control signal with-out an attack) is given by u¼Kx.

Given that a state-feedback controller is used, if thesystem is under attack as described by Eq. (5), only a portionof the control signals maintain their integrity. Thus

u¼us

ua

" #¼

Ksx

ua

" #ð6Þ

where Ks denotes the first s rows of the original matrix K.With state-feedback, the dynamical system under attackbecomes

_x ¼Axþ BsKsxþ Baua; _x ¼Asxþ Baua ð7Þwhere As ¼ ðAþ BsKsÞ. Therefore, an attacker can obtaincomplete state controllability of the system iff

rankð½Ba AsBa ⋯ An�1s Ba�Þ ¼ n ð8Þ

In some other cases, the attacker can disrupt systemcontrollability via a simple state-feedback attack with anappropriate attack gain matrix Ka. Replacing this state-feedback attack in Eq. (5) yields

_x ¼Axþ BsKaxþ Bsus; _x ¼Aaxþ Bsus: ð9ÞIn this setting, an attacker can completely disrupt system

controllability via state-feedback integrity attacks iff

rankð½Bs AaBs ⋯ An�1a Bs�Þon ð10Þ

4.5.2. CPS security axiom #2: integrity – observabilityThis section shows that, when the system defender usesstate-feedback control, the attacker can use sensor measure-ments to reduce the problem to that of Eq. (5).

ue to cyber attacks.

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 046

In a general linear, time-invariant system, the sensormeasurements y(t) are functions of the state and inputs. Inorder to deal with an attacker who compromises the integrityof the sensors, it is necessary to consider observability andthe design of state estimators. This work assumes thatyðtÞ ¼ xðtÞ (a valid assumption in many cases) and leaves themore general problem of attacks on system observability forfuture research.

Again, in order to obtain tractable results, it is assumedthat the defender uses a state-feedback control law, i.e.,uðtÞ ¼ KxðtÞ. Therefore, if the sensors are not compromised,the evolution of the system follows the equation:

_x ¼ ðAþ BKÞx ð11Þ

However, if some sensors are compromised yaðtÞ ¼ xaðtÞ,then the evolution of the dynamical system is given by

_x ¼AxþB11K11 B12K12

B21K21 B22K22

" #xsxa

" #

_x ¼AxþB11K11 0

B21K21 0

" #xþ

B12K12

B22K22

" #xa

_x ¼ ðAþ ðBKÞsÞxþ ðBKÞaxa_x ¼Asxþ Baua ð12Þ

Note that Eq. (12) has the same form as Eq. (5). However, inthis case, the following equation holds:

As ¼AþB11K11 0

B21K21 0

" #; Ba ¼

B12K12

B22K22

" #ua ¼ xa ð13Þ

where the fake sensor measurements xa(t) become, in prac-tice, the control signal of the attacker ua(t).

4.6. Physical objective realization phase

This phase deals with the physical impact that an attackerintends to have on a system. In a traditional informationtechnology system, the objective is generally to degradesystem confidentiality, integrity and/or availability. Potentialattack objectives are well defined in the military sphere andinclude deny, destroy, degrade and disrupt [11]. The objec-tives with regard to a cyber-physical system differ becausethey result in some impact to the physical system or x asdefined in Section 3.1. This section identifies multiple cyber-physical system objectives and specifies their impacts on thesystem state.

Let t0 and tf denote the starting and ending times,respectively, let Xa and Xd denote the attacker's and defen-der's objective states, respectively, and let ϵ denote a smallallowable error in the objective. As described above, thecontrol system objectives are system stability, safety andefficiency. Hence, the following four physical attack objec-tives are considered:

�

Usurp: Take complete control of the system such that anattacker can direct the system to the intended trajectoryXa within some value ϵ. This objective is defined as

jxðtf Þ�Xajoϵ ð14Þ

�

Destroy: Damage the system to ensure that it cannotfunction properly because it becomes unstable or operates

outside of the safe bounds. This objective is defined as

xsafe_minoxðtÞoxsafe_max3x0 ðtÞ is unstable ð15Þ

�

Disrupt: Prevent the system from achieving its intendedterminal state (e.g., mission) Xd. This objective is definedas

jxðtf Þ�Xdj4ϵ ð16Þ

�

Degrade: Prevent the system from achieving its intendedterminal state Xd with optimal cost cost(U). This objectiveis defined as

jxðtf Þ�Xdjoϵ4costðUaÞ4costðUÞ ð17Þ

The properties specified above determine whether or not

an attack would successfully realize the associated physicalobjective. For example, a less stable system may be morelikely to meet the destroy objective than a more stablesystem. The following section demonstrates how differentweapons can achieve the objectives.

5. Kill-chain evaluation

This section conducts a test case analysis of the cyber-physicalsystem kill-chain. The model used for the analysis is based onan unmanned aerial system simulation developed by Goppertet al. [7]. Various cyber weapons are identified, applied to thetest system and their physical impacts are then analyzed.

5.1. Test system

This section describes the unmanned aerial system modelused in the evaluation.

5.1.1. Physical layerA physical model was created of a MultiPlex Easy Star, arecreational unmanned aerial system with a small airframe.The control dynamics were modeled and simulated using theJSBSim flight dynamics engine [12], which was intercon-nected to a control system simulation component thatreceived actuation signals and implemented the resultingchanges in the physical simulation. The updated state infor-mation was sent back to the control simulation in order tocompute the corresponding control actions. The actuatorsused by the unmanned aerial system included a throttle,rudder and elevators. The sensors included a GPS, inertialnavigation system and magnetometer.

5.1.2. Control layerThe control system for the unmanned aerial system wassimulated in ScicosLab [20]. The state of the unmanned aerialsystem was obtained from JSBSim and was sent to an extendedKalman filter that computed the estimated unmanned aerialsystem state. The estimated state was sent to a waypointguidance controller that determined the appropriate referencesignal for the unmanned aerial system and computed thecontrol error based on its current state. The error was thensent to a feedback control function that computed the

Fig. 6 – Unmanned aerial system AADL model.

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 0 47

appropriate actuator signal using a separate PID controller foreach of the three actuators mentioned above.

5.1.3. Cyber layerThe test system defined in [7] provided the control algorithmsand physical system specifications, but did not provide thecyber components. Therefore, the AADL model shown in Fig. 6was developed for the unmanned aerial system. Two pro-cesses were used to execute the unmanned aerial system, Navand Fdbk. Both the processes had threads that executed thesubprograms of the control algorithms discussed above. Addi-tionally, both processes were executed on the same processorand resided in the same memory component. A bus wasassumed to transmit messages between the components.

5.1.4. ObjectivesIn the simulation, the unmanned aerial system had a missiongoal to reach a specified waypoint. The unmanned aerialsystem began the simulation at latitude–longitude (0.0, 0.0)and an altitude of 1000 feet. The objective was to fly to thewaypoint at latitude–longitude (1:2� 10�4, 1:2� 10�4) withthe same altitude of 1000 feet. The unmanned aerial systemwas also required to operate within a defined flight envelopeto ensure safe operation.

The flight envelope was defined as JαJoπ, where α is theunmanned aerial system angular velocity. The cost of oper-ating the unmanned aerial system was assumed to be equalto its fuel consumption cost. The unmanned aerial systemattempted to meet its objective while minimizing fuelconsumption.

5.2. Simulation results

The analysis of the kill-chain examines various cyber-physical system weapons and evaluates their control andphysical impacts on the test system. The weapons attemptedto achieve each of the physical objectives identified in Section4.6. In the case of the usurp objective, the attacker's goal wasto drive the unmanned aerial system to latitude–longitude(0.0, 1:2� 10�4) at 1500 feet instead of the defender's way-point (1:2� 10�4, 1:2� 10�4) at 1000 feet.

Fig. 7 presents the results obtained for each weapon. Attackswith the usurp, disrupt and degrade objectives are demon-strated by the latitude–longitude values of the flight trajectoriesand are shown as blue lines. Note that (0, 0) is the origin and thecrosshairs indicate the intended waypoint. Fig. 7(a) shows abase run with no attack. Attacks with the destroy objective aregraphed with their yaw, roll and pitch as a function of time.Fig. 7(b) also shows a base run with no attack.

Table 2 lists the various weapons launched against theunmanned aerial system and their physical objectives. Threeweapons are evaluated – the first consumes CPU cycles andthe other two are software exploits that target differentunmanned aerial system processes.

The CPU consumption weapon prevents control algo-rithms in the unmanned aerial system from executing.However, because this attack only impacts availability, theattacker does not gain any controllability or observability ofthe system as demonstrated by the control impact column inTable 2. The control exploit is defined as

u0 ðtÞ ¼ uðtÞcðtÞ ð18Þ

where c(t) is defined as

cðtÞ ¼ 0 if tsotote1 otherwise

�ð19Þ

where ts and te are the starting and ending times of the attack,respectively. The extent of the attack determines whether theattack results in a degrade, disrupt or destroy objective (Fig. 7(c), (d) and (e)). A usurp attack is not possible because theattack lacks controllability and observability.

The second weapon targets the Nav process in the unmannedaerial system. The Nav process contains data about the currentestimated state xðtÞ and the desired waypoint Xd. Since thesoftware exploit on the Nav process degrades confidentially, theattack can achieve full observability of the system. Additionally,by degrading the integrity of xðtÞ-x

0 ðtÞ, the attack can gain fullcontrollability over the system. Thus, cðt; xðtÞÞ is defined as

x0 ðtÞ ¼ xðtÞ þ ðXd�XaÞα ð20Þ

where the difference between the defender's and attacker'swaypoints is added to the estimated state, causing the estimatedstate and the actual state to diverge until the unmanned aerialsystem ends at the attacker's objective state as demonstrated in

Table 2 – Unmanned aerial system kill-chain analysis.

Weapon (Cyber) Control impact Weapon (Control) Physical impact objective

Attack vector Target SecProp Observ. Control. Control exploit

CPU consumption Processor Avail None None ts ¼ 20, te ¼ 22 Degradets ¼ 20, te ¼ 28 Disruptts ¼ 20, te ¼ 35 Destroy

Software exploit Nav Conf./Int. Full(x) Full(x) α¼ ttf � t0

, ts ¼ 10, te ¼ tf Usurp

α¼ ttf � t0

, ts ¼ 10, te ¼ 16:5 Degrade

α¼ ttf � t0

, ts ¼ 10, te ¼ 17 Disrupt

α¼ 1, ts ¼ 10, te ¼ tf Destroy

Software exploit Fdbk Conf./Int. None Full(u) α¼ :5, ts ¼ 10, te ¼ 27 Degradeα¼ :5, ts ¼ 10, te ¼ 50 Disruptα¼ :8, ts ¼ 10, te ¼ 50 Destory

Fig. 7 – Attack simulation results. (a) No attack, (b) No attack (stability), (c) CPU DoS degrade, (d) CPU DoS disrupt, (e) CPU DoSdestroy, (f) Navigation usurp, (g) Navigation degrade, (h) Navigation disrupt, (i) Navigation destroy, (j) Feedback degrade,(k) Feedback disrupt and (l) Feedback destroy. (For interpretation of the references to color in this figure caption, the reader isreferred to the web version of this paper).

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 048

Fig. 7(f). Note that the variable α is introduced to control howquickly the attack scales and is initially defined as

α¼ ttf �t0

ð21Þ

so that the scale of the attack gradually increases.The degrade and disrupt objectives can be achieved by

utilizing the same control exploit as for the usurp objective,but for a shorter period of time (Fig. 7(g) and (h)). Note that

these attack objectives could also be carried out with partialobservability and controllability. A destroy attack can beperformed by setting α¼1 to prevent gradual scaling, causingthe unmanned aerial system to over-respond to the attackand become unstable (Fig. 7(i)).

The third weapon targets the Fdbk process, which does nothave any state information, so the attacker does not haveobservability of the current system state. However, the attackerhas full controllability because he can manipulate the integrity

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 0 49

of all the actuator signals. Consequently, the usurp objectivecannot be achieved reliably because it requires the attacker toprobabilistically guess the state of the unmanned aerial system.However, the degrade, disrupt and destroy objectives can beachieved as demonstrated in Fig. 7(j), (k) and (l). To performthese attacks, the control exploit cðt;uðtÞÞ is defined as

u0 ðtÞ ¼ uðtÞ þ αuðtÞ ð22Þ

which scales the actuator signal by α for some period of time. Inthe case of the degrade and disrupt attacks, α¼0.5 was used,but with a longer attack time for the disrupt objective. Thedestroy attack used a large value of α¼0.8.

6. Conclusions

Developing and implementing successful cyber-physical sys-tem attacks require careful attention to the subtleties of howthe cyber, control and physical layers interact and influenceeach other as well as how the various attack stages perturbthese three layers. This paper lays the groundwork for amuch-needed systematic and unified framework for analyz-ing attacks on cyber-physical systems. The frameworkenables the holistic analysis of cyber-physical system secur-ity because attacks against these systems require the manip-ulation of cyber, control and physical system properties.

The framework also supports the comprehensive analysisof the robustness of a cyber-physical system to cyber attackswith different objectives. The first element of the frameworkis a multi-layered reference architecture of the cyber, controland physical layers of a cyber-physical system. Cyber securityand control-theoretic properties are leveraged to help analyzethe interactions between these layers. The second element isa meta-model of cyber attacks called the cyber-physicalsystem kill-chain. The kill-chain provides a basis for thesystematic study of how the various cyber attack steps andphases can perturb the three system layers and eventuallyimpact physical operations. Each phase in the kill-chaindemands varying degrees of knowledge, precision and cap-abilities on the part of an attacker. Furthermore, dependingon the specific security properties exploited, various control-theoretic properties are modulated differently.

The case study involving an unmanned aerial systemdemonstrates the effectiveness of the framework. In particular,the unmanned aerial system was subjected to a number ofcyber exploit vectors; the framework was then used to decom-pose and analyze the threats, and assess the physical impacts.

Future research will examine various architectural designsand mitigation strategies to counter the threats discoveredusing the framework. This research will contribute to thelong-term goal of articulating design principles for engineer-ing secure and resilient cyber-physical systems.

r e f e r e n c e s

[1] C. Barreto, A. Cardenas and N. Quijano, Controllability ofdynamical systems: Threat models and reactive security,Proceedings of the Fourth International Conference on Decision andGame Theory for Security, pp. 45–64, 2013.

[2] A. Cardenas, S. Amin and S. Sastry, Secure control: Towardssurvivable cyber-physical systems, Proceedings of the Twenty-Eighth International Conference on Distributed Computing SystemsWorkshops, pp. 495–500, 2008.

[3] S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H.Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner andK. Tadayoshi, Comprehensive experimental analyses ofautomotive attack surfaces, Proceedings of the TwentiethUSENIX Conference on Security, 2011.

[4] N. Falliere, L. O’Murchu and E. Chien, W32.Stuxnet Dossier,version 1.4, Symantec, Mountain View, California, 2010.

[5] P. Feiler, SAE AADL V2: An Overview, Software EngineeringInstitute, Carnegie Mellon University, Pittsburgh,Pennsylvania, 2010.

[6] P. Feiler, D. Gluch and J. Hudak, The Architecture Analysisand Design Language (AADL): An Introduction, CMU/SEI-2006-TN-011, Software Engineering Institute, CarnegieMellon University, Pittsburgh, Pennsylvania, 2006.

[7] J. Goppert, W. Liu, A. Shull, V. Sciandra, I. Hwang and H.Aldridge, Numerical analysis of cyberattacks on unmannedaerial systems, presented at the Infotech@AerospaceConference, 2012.

[8] D. Guido, A case study of intelligence-driven defense, IEEESecurity and Privacy, vol. 9(6), pp. 67–70, 2011.

[9] D. Halperin, T. Heydt-Benjamin, B. Ransford, S. Clark, B.Defend, W. Morgan, K. Fu, T. Kohno and W. Maisel,Pacemakers and implantable cardiac defibrillators: Softwareradio attacks and zero-power defenses, Proceedings of the IEEESymposium on Security and Privacy, pp. 129–142, 2008.

[10] E. Hutchins, M. Cloppert and R. Amin, Intelligence-drivencomputer network defense informed by analysis ofadversary campaigns and intrusion kill-chains, Proceedings ofthe Sixth International Conference on Information Warfare andSecurity, pp. 113–125, 2010.

[11] Joint Chiefs of Staff, Information Operations, JointPublication 3-13, U.S. Department of Defense, Washington,DC (http://www.dtic.mil/doctrine/new_pubs/jp3_13.pdf),2014.

[12] JSBSim, Open Source Flight Dynamics Software Library(http://jsbsim.sourceforge.net), 2015.

[13] K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S.Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shachamand S. Savage, Experimental security analysis of a modernautomobile, Proceedings of the IEEE Symposium on Security andPrivacy, pp. 447–462, 2010.

[14] C. Li, A. Raghunathan and N. Jha, Hijacking an insulin pump:Security attacks and defenses for a diabetes therapy system,Proceedings of the Thirteenth IEEE International Conference on e-Health Networking Applications and Services, pp. 150–156, 2011.

[15] Y. Liu, P. Ning and M. Reiter, False data injection attacksagainst state estimation in electric power grids, Proceedings ofthe Sixteenth ACM Conference on Computer and CommunicationsSecurity, pp. 21–32, 2009.

[16] MITRE, Common Attack Pattern Enumeration andClassification (CAPEC), Bedford, Massachusetts (http://capec.mitre.org), 2014.

[17] National Institute of Standards and Technology, Foundationsfor Innovation: Strategic R&D Opportunities for 21st CenturyCyber-Physical Systems – Connecting Computer andInformation Systems with the Physical World, Gaithersburg,Maryland, 2013.

[18] Office of the Deputy Assistant Secretary of Defense forDevelopmental Test & Evaluation, Guidelines forCybersecurity DT&E, version 1.0, U.S. Department ofDefense, Washington, DC, 2013.

[19] J. Radcliffe, Hacking medical devices for fun and insulin:Breaking the human SCADA system, presented at the BlackHat Technical Security Conference USA, 2011.

i n t e r n a t i o n a l j o u r n a l o f c r i t i c a l i n f r a s t r u c t u r e p r o t e c t i o n 1 1 ( 2 0 1 5 ) 3 9 – 5 050

[20] ScicosLab, ScicosLab 4.4.1 (http://www.scicoslab.org), 2013.[21] D. Shepard, J. Bhatti and T. Humphreys, Drone hack: Spoofing

attack demonstration on a civilian unmanned aerial vehicle,GPS World, August 1, 2012.

[22] M. Zeller, Myth or reality – Does the Aurora vulnerabilitypose a risk to my generator? Proceedings of the Sixty-FourthAnnual Conference for Protective Relay Engineers, pp. 130–136,2011.