Network Embedded Systems: Sensor webs and beyond

Closing the Loop: Towards a Theory for High Confidence Cyber Physical Systems for Societal Systems
Songhwai Oh (Seoul Natl.), Saurabh Amin, Alvaro Cardenas (Fuji Res.), Luca Schenato (Padova), Bruno Sinopoli (CMU), and Shankar Sastry
University of California, Berkeley CA 94720
Outline
• Tech Push and Applications Pull: instrumenting the World
• Expanding the Vision: Heterogeneous Sensor Webs and Societal Scale Cyber Physical Systems
• Closing the loop for Societal Scale Cyber Physical Systems (fault tolerant and robust)
– Industrial Automation
– Buildings
• Trustworthy Cyber Physical Systems
Tech Push: Major Recent Progress
[Figure: UCB Telos Mote; Philips Sand module; UCB PicoCube; IMEC e-Cube; UCB mm3 radio]
[Ref: Ambient Intelligence, W. Weber Ed., 2005]
Ubiquitous Instrumentation
• Understanding phenomena:
– Data collection for offline analysis
» Environmental monitoring, habitat monitoring
» Structural monitoring
[Figure captions: 25 motes on damaged sidewall; soil monitoring; Great Duck Island; Redwoods; wind response of Golden Gate Bridge; vineyards]
Sensor Webs Everywhere
• Detecting changes in the environment:
– Thresholds, phase transitions, anomaly detection
» Security systems, surveillance, health care
» Wildfire detection
» Fault detection, threat detection
[Figure captions: Intel Research; Health Care; Fire Response]
Sensor Web Applications Taxonomy
• Understanding phenomena:
– Data collection for offline analysis
» Environmental monitoring, habitat monitoring
» Structural monitoring
• Detecting changes in the environment:
– Thresholds, phase transitions, anomaly detection
» Security systems, traffic surveillance
» Wildfire detection
» Fault detection, threat detection
• Real-time estimation and control:
– Traffic control, building control, environmental control
– Manufacturing and plant automation, power grids, SCADA networks
– Service robotics, pursuit evasion games, active surveillance, search-and-rescue, and search-and-capture, telesurgery
– Multiple Target Tracking and Pursuit Evasion games
[Figure: difficulty scale beside the taxonomy, from Easier (Building Comfort, Smart Alarms) to Difficult]
Heterogeneous Sensor Webs
• Low-bandwidth, high-bandwidth, & mobile sensors
• Built on Intel Vision Library
[Figure: UCB/ITRI CITRIC Mote]
Major Progress but True Immersion not yet in Reach
[Figure: Artificial Skin; Smart Objects; Interactive Surfaces; “Microscopic” Health Monitoring]
Courtesy of Jan Rabaey
“Societal Scale Cyber Physical Systems”
• Characteristics
– Ubiquitous, Pervasive, Disappearing, Perceptive, Ambient
– Always Connectable, Reliable, Scalable, Adaptive, Flexible
• The Emerging Service Models
– Intelligent data access and extraction
– Immersion-based work and play
– Environmental control, energy management and safety in “high-performance” homes
– Automotive and avionic safety and control
– Management of metropolitan traffic flows
– Distributed health monitoring
– Power distribution with decentralized energy generation
Industrial Automation
• Motivation: Cost reduction
– More than 85% reduction in cost compared to wired systems (case study by Emerson)
– SCADA (Supervisory Control And Data Acquisition)
• Reliability is the number one issue
– Robust estimation: Estimation of parameters of interest from noisy measurements with high fidelity in the presence of unreliable communication
– Real-time control: A must for mission-critical systems
Random losses in the feedback loop
Sinopoli, Schenato, Franceschetti, Poolla, Sastry, Jordan, IEEE Trans-AC (2004)
[Block diagram with blocks: System, Controller, Sensor web, Wireless Multi-hop, State estimator]
• What happens to the Kalman filter when some sensor readings are lost?
• Can we bound the error covariance?
Optimal estimation with intermittent observations
[Block diagram with blocks: Plant, Aggregate Sensor, Communication Network, State estimator (Kalman Filter)]
Sinopoli, Schenato, Franceschetti, Poolla, Sastry, Jordan, IEEE Trans-AC (2004)
• Kalman Filter is still the optimal estimator
• We proved the existence of a threshold phenomenon (with $\gamma$ the packet arrival probability and $P_t$ the error covariance):

$$\lim_{t\to\infty} E[P_t] = \infty \quad \text{for } 0 \le \gamma \le \gamma_c \text{ and some initial condition } P_0 \ge 0$$

$$E[P_t] \le M_{P_0} \ \forall t \quad \text{for } \gamma_c < \gamma \le 1 \text{ and any initial condition } P_0 \ge 0$$

$$1 - \frac{1}{(|\lambda_{\max}|)^2} = \gamma_{\min} \le \gamma_c \le \gamma_{\max}$$
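Added example, not code from the slides or the cited paper: a scalar simulation of the threshold phenomenon above, running the intermittent-observation Riccati recursion for an unstable plant x_{t+1} = a x_t + w_t, y_t = c x_t + v_t (a = 2, c = 1, unit noise variances and i.i.d. Bernoulli packet losses are assumptions). For a scalar plant with c ≠ 0 the two bounds on the slide coincide, so γ_c = 1 − 1/a² is the exact threshold; the Monte Carlo mean of P_t blows up below it and stays bounded above it.

```python
import random

def critical_arrival_probability(a):
    """The slide's lower bound 1 - 1/|lambda_max|^2 on gamma_c for the scalar
    plant x_{t+1} = a x_t + w_t; with a fully observed scalar state (c != 0)
    the upper and lower bounds coincide, so this is the exact threshold."""
    return 1.0 - 1.0 / (abs(a) ** 2)

def riccati_step(p, arrived, a, c, q, r):
    """One step of the error-covariance recursion with intermittent observations:
    the prediction step always runs, the measurement correction only when the
    sensor packet arrived (gamma_t = 1)."""
    p_next = a * a * p + q
    if arrived:
        p_next -= (a * a * p * p * c * c) / (c * c * p + r)
    return p_next

def mean_covariance(gamma, a=2.0, c=1.0, q=1.0, r=1.0, p0=1.0,
                    steps=200, trials=200, seed=1):
    """Monte Carlo estimate of E[P_t] at t = steps under i.i.d. Bernoulli(gamma)
    packet arrivals (constructed simulation; unstable plant a = 2 by default)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        p = p0
        for _ in range(steps):
            p = riccati_step(p, rng.random() < gamma, a, c, q, r)
        total += p
    return total / trials

if __name__ == "__main__":
    gc = critical_arrival_probability(2.0)   # 0.75 for a = 2
    print("gamma_c =", gc)
    for gamma in (0.5, 0.7, 0.8, 0.95):
        side = "below" if gamma <= gc else "above"
        print(f"gamma={gamma:.2f} ({side} threshold): E[P_200] ~ {mean_covariance(gamma):.1f}")
```

Arrival rates just above γ_c still give large but finite sample means, which is the practical reading of the bound: the network must deliver well above the threshold, not merely at it.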
Optimal control with both intermittent observations and control packets
[Block diagram with blocks: Plant, Aggregate Sensor, two Communication Network blocks, Controller, State estimator]
• What is the minimum arrival probability that guarantees
“acceptable” performance of estimator and controller?
• How is the arrival rate related to the system dynamics?
• Can we design estimator and controller independently?
• Are the optimal estimator and controllers still linear?
• Can we provide design guidelines?
LQG control with intermittent observations and control
[Block diagram with blocks: Plant, Aggregate Sensor, two Communication Network blocks, Controller, State estimator; annotations “Ack is relevant” and “Ack is always present”]
We’ll group all communication protocols in two classes:
TCP-like (acknowledgement is available)
UDP-like (acknowledgement is absent)
UDP-like and TCP-like optimal static LQG design
[Figure: stability regions of optimal LQG control with constant gains; axes labelled “estimator” and “controller”, each from 0 to 1; regions marked bounded and unbounded]
Much better performance of TCP compared to UDP
Energy: Supply & Demand
[Diagram of U.S. Energy, units: US quads/year; Supply and Demand, with 3 major demand sectors: Buildings, Industry, Transportation]
[Building diagram with components: Windows & Lighting; HVAC; Appliances; Building Materials; Natural Ventilation, Indoor Environment; Onsite Power & Heat; Thermal & Electrical Storage]
Building Design Platform (BDP): Tool for Architects to Design New Buildings With Embedded Energy Analysis
Building Operating Platform (BOP): Sensors, Communication, Controls, Real-Time Optimization for Cost, Energy Use, CO2 Footprint
Building Operating System
University of California • Berkeley
Courtesy of Arun Majumdar
Autocad + DoE-2 = Building-EDA?
[Building model diagram with flows: Heat, People, Supply Air, Water, Electricity, Return Air, Waste Water]
• Components and their model
• Interconnection of all the components
• External drivers
• Observe behavior over time, validate, “what-if”, …
Cooperative Continuous Reduction
[Diagram: User Demand; High-fidelity visibility; Facility Mgmt; Automated Control; Supervisory Control; Community Feedback]
50% reduction over 4 years across the Campus
Closing the Loop!
LochNess*: A Real-Time Sensor Network-Based Control System
• Hierarchical architecture for real-time operation
• Multiple layers of data fusion for robustness and to reduce communication load
* LochNess (Large-scale “On-time” Collaborative Heterogeneous Networked Embedded SystemS).
[Oh, Schenato, Chen, Sastry, PIEEE, 2007]
Multi-Target Tracking (MTT) Problem
• Given
– Multiple dynamics and measurement models
– Sensor and clutter (false alarms) models
– Target appearance and disappearance models
– Set of noisy unlabeled observations Y
• Find
– Number of targets
– States of all targets
• Requires solutions to both
– Data association
– State estimation
Joint Work with Songhwai Oh and Stuart Russell
Fully Polynomial Randomized Approximation Scheme
First data association algorithm with guaranteed error bounds!
[Oh, Sastry, ACC 2005]
Simulation Results: Robustness against Transmission Failure
• Each single-hop transmission fails with probability (transmission failure rate)
• Tolerates up to 50% lost-to-total packet ratio
Simulation Results: Robustness against Communication Delay
• Each single-hop transmission gets delayed with probability (communication delay rate)
• Tolerates up to 90% delayed-to-total packet ratio
Sensor Webs in Air Traffic Control
Air Traffic Control*
* [Oh, Hwang, Roy, Sastry AIAA and Oh, Schenato, Chen, and Sastry, Journal of Guidance, Control, and Dynamics (to appear), Hwang, Balakrishnan, Tomlin, IEE
Vulnerabilities of Cyber-physical systems
• Controllers are computers
• Networked
• Commodity IT solutions
• New functionalities (smart infrastructures)
• Many devices (sensor webs)
• Highly skilled IT global workforce (creating attacks is easier)
• Cybercrime
Joint work with Saurabh Amin and Alvaro Cardenas
Vulnerabilities can be Exploited
– 2008 Huntington Beach offshore oil platforms
– 2007 Tehama-Colusa Canal
– 2000 Maroochy Shire sewage control system
– 2007 Cal-ISO power marketing operations
Secure Control: What is New and Fundamentally Different?
• So security is important; but are there new research problems, or can problems be solved with
– Traditional IT security?
– Fault-tolerant control?
Trust and Adversary Model
• Prevention
– Authentication, access control, software security, trusted computing, white listing
• Detection
– Intrusion detection systems, anomaly detection
• Resiliency
– Separation of duty, least privilege principle
CPS Security vs. Traditional Security
• What is new and fundamentally different in control systems security?
– Model interaction with the physical world
• By modeling the interaction with the physical world we can obtain 3 new research directions
– Threat assessment: how an attacker may manipulate control variables to achieve goals, and study the consequences to the physical system
– Attack detection using models of the physical system: study stealthy attacks (undetected attacks), ensure safety of any automated response mechanism
– Attack-resilient control algorithms
Our Results in these 3 New Research Topics
• Threat assessment of control systems
– Ad Hoc Networks 2009
– Journal of Critical Infrastructure Protection 2009
• Detecting attacks to control systems
– Work in progress
– Power grid, chemical reactor etc.
• Resilient control algorithms
– HSCC 2009
We focus on “Detection” in the remaining part of this presentation
4 Key Problems
• Estimate model of the physical process
• Propose a detection scheme
• Study stealthy attacks
• Ensure safety of automated response
Case Study: Tennessee Eastman Chemical Reactor
[Figure: reactor diagram with labels A+B+C, A, D, Pressure, Product Flow, A in purge]
Detection algorithm: nonparametric CUSUM
We work with nonparametric change detection statistics because of plant nonlinearities.
Measure the difference between expected and observed behavior: b is chosen such that
Non-parametric CUSUM:
Tuning CUSUM parameters to ensure low false alarm rate and fast detection time
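Added example, not code from the slides or the authors: the standard nonparametric CUSUM form S_k = max(0, S_{k-1} + |y_k − ŷ_k| − b) with alarm threshold τ (the slide names the statistic but its formula did not survive extraction), run over a constructed residual trace of a steady pressure reading with a constant bias injected into the reported measurement from step 100. The trace, the margin used to pick b above the normal-operation residual mean, and τ are assumptions; the third run shows why b must exceed E|y − ŷ|, since a b that is too small lets the statistic creep up on clean data and raise a false alarm.

```python
import random

def residuals(observed, predicted):
    """Residual r_k = y_k - yhat_k between observed and model-predicted output."""
    return [y - yhat for y, yhat in zip(observed, predicted)]

def choose_b(baseline_residuals, margin=0.1):
    """b must exceed E|r| under normal operation so the statistic drifts back
    to zero; 'margin' is an assumed safety gap above the sample mean."""
    mean_abs = sum(abs(r) for r in baseline_residuals) / len(baseline_residuals)
    return mean_abs + margin

def nonparametric_cusum(res, b, tau):
    """Nonparametric CUSUM S_k = max(0, S_{k-1} + |r_k| - b); alarm when S_k > tau.
    Returns the first alarm step (None if no alarm) and the statistic trace."""
    s, trace = 0.0, []
    for k, r in enumerate(res):
        s = max(0.0, s + abs(r) - b)
        trace.append(s)
        if s > tau:
            return k, trace
    return None, trace

def constructed_trace(attack_start=None, bias=0.5, steps=300, seed=7):
    """Constructed data: the model predicts a steady pressure of 2.5 (arbitrary
    units); the sensor adds Gaussian noise (sigma 0.1); an optional bias attack
    shifts the reported value by 'bias' from 'attack_start' onwards."""
    rng = random.Random(seed)
    predicted = [2.5] * steps
    observed = []
    for k in range(steps):
        y = 2.5 + rng.gauss(0.0, 0.1)
        if attack_start is not None and k >= attack_start:
            y += bias
        observed.append(y)
    return observed, predicted

def demo():
    clean = residuals(*constructed_trace())
    attacked = residuals(*constructed_trace(attack_start=100))
    b = choose_b(clean)          # tuned on attack-free data
    tau = 5.0                    # assumed alarm threshold
    clean_alarm, _ = nonparametric_cusum(clean, b, tau)
    attack_alarm, _ = nonparametric_cusum(attacked, b, tau)
    low_b_alarm, _ = nonparametric_cusum(clean, 0.0, tau)  # b below E|r|: false alarm
    return b, clean_alarm, attack_alarm, low_b_alarm

if __name__ == "__main__":
    print(demo())
```

Raising τ lowers the false alarm rate but lengthens the detection delay, which is the trade-off the slide refers to; a smaller bias than b is not detected by this statistic at all, which is the gap the stealthy-attack analysis on the following slides examines.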
How can an attacker remain undetected?
• Attacker
– Wants to be undetected for n time steps
– Wants to maximize the pressure in the tank
• Surge attack
• Bias attack
• Geometric attack
Even Geometric Attacks Cannot Drive the System to An Unsafe State
Conclusion: If an attacker wants to remain undetected, she cannot damage the system
DoS Attack Signatures for Secure Control
Problem
Key Ideas from Robust Control
High Confidence CPS Systems: Research Taxonomy
• Robust Inferencing for Control
• Closing the Loop with fault tolerant networked control systems
• Effects of Mobility on Loop Closure
• Graceful Degradation Under Attack: Trustworthy systems
• Key Applications
– Process Control and SCADA systems
– Action Webs for Energy Efficient Buildings