Bruce H. Krogh

Raffaele Romagnoli, Bruce H. Krogh, Bruno Sinopoli

Software rejuvenation has been proposed as a strategy to protect cyber-physical systems (CSPs) against unanticipated and undetectable cyber attacks. The basic idea is to refresh the system periodically with a secure and trusted copy of the online software so as to eliminate all effects of malicious modifications to the run-time code and data. Following each software refresh a safety controller assures the CPS is driven to a safe state before returning to the mission control mode when the CPS is again vulnerable attacks. This paper considers software rejuvenation design from a control-theoretic perspective. Invariant sets for the Lyapunov function for the safety controller are used to derive bounds on the time that the CPS can operate in mission control mode before the software must be refreshed and the maximum time the safety controller will require to bring the CPS to a safe operating state. With these results it can be guaranteed that the CPS will remain safe under cyber attacks against the run-time system and will be able to execute missions successfully if the attacks are not persistent. The general approach is illustrated using simulation of the nonlinear dynamics of a quadrotor system. The concluding section discusses directions for further research.

Raffaele Romagnoli, Bruce H. Krogh, Dionisio de Niz et al.

Software rejuvenation protects cyber-physical systems (CSPs) against cyber attacks on the run-time code by periodically refreshing the system with an uncorrupted software image. The system is vulnerable to attacks when it is communicating with other agents. Security is guaranteed during the software refresh and re-initialization by turning off all communication. Although the effectiveness of software rejuvenation has been demonstrated for some simple systems, many problems need to be addressed to make it viable for real applications. This paper expands the scope of CPS applications for which software rejuvenation can be implemented by introducing architectural and algorithmic features to support trajectory tracking. Following each software refresh, while communication is still off, a safety controller is executed to assure the system state is within a sufficiently small neighborhood of the current point on the reference trajectory. Communication is then re-established and the reference trajectory tracking control is resumed. A protected, verified hypervisor manages the software rejuvenation sequence and delivers trusted reference trajectory points, which may be received from untrusted communication, but are verified using an authentication process. We present the approach to designing the tracking and safety controllers and timing parameters and demonstrate the secure tracking control for a 6 DOF quadrotor using the PX4 jMAVSim quadrotor simulator. The concluding section discusses directions for further research.