Cross-Layer Security in Cyber-Physical Systems (CPSs)
eScholarship
Open Access Publications from the University of California

UC Irvine Electronic Theses and Dissertations

Creative Commons 'BY-ND' version 4.0 license
Abstract

Cyber-physical systems (CPSs) are defined as systems that integrate sensing, actuation, storage, computation, control, decision-making, and networking into physical systems and objects, connecting them to the Internet and to each other. With the advancement of complex hardware and software technologies and the prevalence of the Internet of Things (IoT), interactions of cyber and physical components open a “Pandora’s Box” of unknown threats that can arrive in unconventional ways. CPSs have tight integration of cyber and physical components, and complex interactions happen between these cyber and physical layers, which may affect the safety and controllability of closed-loop control from sensing to actuation. In most cases, researchers put significant effort into improving the efficiency and responsiveness of the cyber and physical interactions in CPSs. However, the CIA triad (confidentiality, integrity, and availability) is often absent when designing the interactions between cyber and physical parts. As a result, attacks and vulnerabilities lurk at the intersections of cyber and physical components. The cyber and physical layers in CPSs are termed cross-layers in this thesis. Most attacks on CPSs can propagate across this cross-layer, i.e., from the physical domain to the cyber domain or vice versa, and hence can be termed cross-domain attacks. To understand these cross-domain attacks and to address the challenges that exist in the cross-layer, a very different set of methodologies and tools is needed. Moreover, as these cross-domain attacks involve hardware and software layers, defenses against these vulnerabilities also demand new hardware/software co-design approaches to detect, contain, and isolate vulnerabilities in CPSs.

The first half of the thesis addresses some interesting and unconventional attack models and vulnerabilities in CPSs, focusing particularly on smart power grid systems, bio-safety labs, and industrial control systems (ICSs). This thesis addresses how attacking a single Hall-effect sensor of a solar inverter using an attack signal from the magnetic spectrum can compromise a weak microgrid in smart grid systems. Next, this thesis explores the use of an attack signal other than the magnetic spectrum. In doing so, it investigates how simple music used as an attack signal can fool the building management system of a bio-safety lab and can facilitate the leaking of deadly pathogens from bio-research facilities. Next, this thesis explores the vulnerabilities of ICSs in cloud settings and shows how combining memory deduplication and a rowhammer attack can compromise a programmable logic controller (PLC) in ICSs.

The remaining half of the thesis provides defenses for the unconventional vulnerabilities discussed in the first half. This part of the thesis focuses on different sensor defense techniques that work against false data injection and spoofing attacks in CPSs. Please note that the defense techniques that exist in the literature have the following limitations: (i) they don't work against attack signals having a frequency equal to the frequency of the original signals, (ii) they don't work against attack signals having zero frequency, and (iii) they don't work in the saturation region of the sensor. This thesis begins to fill this gap by providing defense techniques against false data injection into sensors using hardware-software co-design techniques. First, we demonstrate a defense named HALC, which can detect and contain all types of strong and weak magnetic attack fields, such as constant, sinusoidal, and pulsating magnetic fields, injected into Hall sensors in real time. Next, this thesis provides another defense named PreMSat, which can work in the saturation region of Hall sensors. Last, we present MagHop, which can prevent electromagnetic interference (EMI) from being injected into magnetic sensors. All three defense techniques proposed here achieve better performance compared to state-of-the-art works and can contain the attack in real time without hampering the normal data processing speed of sensors.
