- Christoforos Hadjicostis, University of Cyprus, Cyprus
- Joao Carlos Basilio, Universidade Federal do Rio de Janeiro, Brazil
- Thomas Moor, Friedrich-Alexander Universität Erlangen-Nürnberg, Germany
- Stephane Lafortune, University of Michigan, Ann Arbor, USA
- Rong Su, Nanyang Technological University, Singapore
Resilience has emerged as a property of major interest for the design and analysis of a complex system. It describes the ability of the system to continue providing its designed services or functions, even after possibly disruptive changes in the system (caused either by faults, or other naturally occurring phenomena, or by malicious actions). Resilience has been enjoying a spotlight in many different fields, including the Discrete Event Systems (DES) community. This workshop aims to report recent research achievements related to resilience of DES and to identify relevant challenges. It will focus on two main themes: cyber security and information confidentiality, which includes opacity analysis and synthesis of attack-resilient supervisors; and fault tolerance, which includes robust fault diagnosis and fault-tolerant control for discrete-event systems.
Notions of Opacity for Privacy and Security in Discrete Event Systems
This talk discusses how notions of opacity can be used to capture, analyse, and enforce privacy/security properties in emerging interconnected discrete event systems. More specifically, we start with an overview of language-based and state-based opacity, as well as extensions to probabilistic and timed systems. To illustrate these formulations, we focus on systems that are described by (nondeterministic) finite automata and assume that a passive intruder observes system activity through some natural projection mapping, using knowledge of the system model in order to make inferences about the possible state of the system. The talk discusses methods to verify state-based notions of opacity (including current-state opacity, initial-state opacity, K-step opacity, and infinite-step opacity) using various types of state estimators. Several examples are used to illustrate how such notions can be used to characterise privacy and security requirements in many applications of interest, including encryption using pseudo-random generators, coverage of mobile agents in sensor networks, and anonymity requirements in protocols for web transactions.
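The current-state opacity check mentioned in the abstract above, using an observer (current-state estimator) built by subset construction, as an added example that is not material from the talk. The automaton, event names and function names are constructed for illustration; the system is current-state opaque for a secret set exactly when no reachable estimate lies entirely inside that set.

```python
from collections import deque

def unobservable_reach(states, delta, observable):
    """Close a state set under transitions labelled with unobservable events."""
    reach, stack = set(states), list(states)
    while stack:
        x = stack.pop()
        for (src, ev), targets in delta.items():
            if src == x and ev not in observable:
                for y in targets - reach:
                    reach.add(y)
                    stack.append(y)
    return frozenset(reach)

def observer_estimates(delta, initial, observable):
    """Map each reachable state estimate to a shortest observation producing it."""
    start = unobservable_reach(initial, delta, observable)
    seen, queue = {start: ()}, deque([start])
    while queue:
        est = queue.popleft()
        for ev in sorted(observable):
            step = set()
            for x in est:
                step |= delta.get((x, ev), set())
            if not step:
                continue  # this observation is not possible from the estimate
            nxt = unobservable_reach(step, delta, observable)
            if nxt not in seen:
                seen[nxt] = seen[est] + (ev,)
                queue.append(nxt)
    return seen

def current_state_opacity_violations(delta, initial, observable, secret):
    """Return {observation: estimate} where the intruder is certain of a secret state."""
    estimates = observer_estimates(delta, initial, observable)
    return {obs: set(est) for est, obs in estimates.items() if est <= secret}

# Constructed nondeterministic automaton: "a", "b" observable, "u" unobservable.
DELTA = {
    (0, "u"): {1},
    (0, "a"): {2},
    (1, "a"): {3},
    (2, "b"): {4},
    (3, "b"): {3},
}
INITIAL, OBSERVABLE = {0}, {"a", "b"}

if __name__ == "__main__":
    print(current_state_opacity_violations(DELTA, INITIAL, OBSERVABLE, {3}))
    print(current_state_opacity_violations(DELTA, INITIAL, OBSERVABLE, {4}))
```

With secret set {3} the observation a, b, b leaves the estimate {3}, so opacity fails; with secret set {4} every estimate contains a non-secret state and the check returns no violations.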
Resilience to Sensor Deception Attacks in Supervisory Control
We consider feedback control systems where sensor readings may be compromised by a malicious attacker intent on causing damage to the system. We study this problem at the supervisory layer of the control system, using discrete transition models of the underlying plant dynamics. We assume that the attacker can edit the (discrete) outputs from the sensors of the system before they reach the supervisory controller. In this context, we discuss two research problems: (i) synthesis of stealthy or non-stealthy edit attacks; and (ii) synthesis of a supervisor that is robust against a class of edit attacks. The attack synthesis problem is analyzed under both logical and stochastic models of the plant. Then, two solution methodologies of the problem of robust supervisor synthesis are discussed. The results presented leverage concepts and algorithmic techniques from supervisory control theory and from logical and stochastic games on automata. This is a joint work with Romulo Meira-Goes, Eunsuk Kang, Raymond Kwong, and Herve Marchand.
Supervisory Control for Cyber Security of Discrete-Event Systems
One of the major challenges about cyber-physical systems is how to protect system integrity from cyber attacks. There has been a large number of different types of attacks discussed in the literature. In this talk I will discuss several types of attacks in the discrete-event system framework, namely covert sensor attacks, where an attacker can arbitrarily alter sensor readings after intercepting them from a target system, aiming to trick a given supervisor to issue improper control commands, which can drive the system to an undesirable state; covert actuator attacks, where an attacker intercepts control commands and alters their contents to trigger damages to the plant without being detected by the supervisor; and covert channel delay attacks, where an attacker deliberately delays (but does not change) sensor readings to alter the sequence of observations to inflict damages to the plant without being detected by the supervisor. I will first describe relevant attack models, and present the key concepts of attackability associated with different attacks. Then I will present specific algorithms to synthesise covert attack models. Finally, I will address the resilience issue, and present results about existence of attack-resilient supervisors.
Robust Failure Diagnosis of Discrete Event Systems and Its Applications
Diagnosability is a property of discrete event systems (DES) that ensures that the occurrence of an unobservable failure event is detected after the occurrence of a finite number of events after the failure. Failures in DES are detected online by using a so-called diagnoser automaton, which is actually an observer automaton that not only keeps track of the system state evolution but also has labels that inform whether the system is working within its normal or faulty behavior. However, diagnosers are built assuming exact knowledge of the model of the real plant, and, when, for some reason, the model does not correspond to the actual system behaviour, diagnosers may either issue wrong information regarding the failure occurrence or halt in some state, even though the real system continues evolving. In order to overcome these problems, robust diagnosers have been proposed, whose central idea is to ensure the correct functioning of the diagnosis system by taking into consideration not only the plant nominal behaviour but also additional information regarding the system functioning and its components. In this talk we address the problem of robust failure diagnosis under the following perspectives: (i) assuming that the communication between local sites and coordinator is not reliable in decentralised systems; (ii) assuming intermittent and permanent sensor failures; (iii) assuming communication delays between measurement sites and local diagnosers in networked DES. We end this talk by also considering decentralised diagnosis of networked DES subject to denial of service attacks, a problem of current interest, being motivated by the increase in the use of communication networks for supervision and control of physical systems, which increases the vulnerability of these cyber-physical systems since an outsider may interfere in the desired behaviour of the system.
Fault-Tolerant Supervisory Control in Terms of Formal Languages
A fault-tolerant supervisory controller maintains a prescribed closed-loop performance even when the plant is subject to certain faults. In this workshop, we discuss fault-tolerant supervisory control in terms of formal languages. Doing so, we obtain a general framework in which we can re-interpret established approaches like passive fault tolerance and active fault tolerance. Moreover, a synthesis algorithm for fault-tolerant supervisory controllers can be derived by minor variations of the base algorithms commonly used in the context of supervisory control. For the workshop format, we can present the approach in considerable detail and, hence, provide a technical introduction to fault-tolerant supervisory control.