Heterogeneous Approaches to Secure Discrete-Event Systems

Abstract

In the architectures of current networked systems, multiple components are potential targets of multiple types of attack. This thesis therefore proposes heterogeneous approaches to designing secure controllers by employing three security notions from discrete-event systems (DES): secret protection, opacity, and resilience against actuator/sensor attacks.

First, this thesis extends secret protection in DES from monolithic systems consisting of only one agent to distributed systems comprising more than one agent. This work was motivated by the architecture of distributed databases and access control. The thesis addresses the problem of protecting secret information against intruders when that information is separated into pieces and stored in local agents. It approaches the problem by ensuring that at least one piece of the distributed secret is secured by a prescribed number of protections, which prevents intruders from retrieving the entire secret.

Next, this thesis tackles the problem of securing secret information in a system under two common attack types, eavesdropping and infiltration, by employing the existing methodologies of degree of opacity and secret protection. Given a prescribed security level against eavesdropping and against infiltration for each secret in the system, the thesis develops algorithms that determine which event transitions should be concealed and which should be protected. The main challenge is the constraint that a transition cannot be protected if it is concealed, and vice versa, which models a limitation of practical security mechanisms.

Finally, this thesis addresses the setting where all actuators and sensors in the system are subject to attack, called indefinite attacks. This setting captures the practical situation in which system designers do not know the potential attack targets a priori. The thesis shows not only that even a single sensor attack can make it impossible to find a supervisor that is resilient against indefinite actuator attacks, but also that sensor attacks can be prevented by disabling the actuators equipped with the sensors the attacker targets. Taking these new challenges into account, the thesis proposes an extended methodology for computing a partial-observation supervisor that provides prescribed resilience against both indefinite actuator attacks and indefinite sensor attacks.

Keywords

Discrete-event systems, Supervisory control, Security, Cyber-physical systems

Creative Commons license

Except where otherwise noted, this item's license is described as Attribution-ShareAlike 4.0 International