
Security Solutions for Cyber-Physical Systems



Presentation Transcript


  1. PhD Dissertation Defense: Security Solutions for Cyber-Physical Systems. By Krishna Kumar Venkatasubramanian. Committee: Dr. Sandeep Gupta (Chair), Dr. Rida Bazzi, Dr. Partha Dasgupta, Dr. Dijiang Huang. Sponsors:

  2. Outline • Cyber-Physical Systems (CPS) & Security • Securing Communication in Body Area Network CPS • Criticality Aware Access Control in Smart-Infrastructure CPS • Conclusions /Future Research Directions

  3. Cyber-Physical Systems
  [Diagram: Cyber-Physical Systems, with Issues (Traffic congestion, Energy Scarcity, Climate Change, Medical Cost …), Properties, Needs and Benefits (Smart-Systems: Smart-Health Management, Smart-Auto, Smart-Grid); other terms on the diagram: Heterogeneity, Safety, Security, Environment-coupled, Sustainability, Interoperability, Actuation, Networked, Design Validation, Physical Interaction, Modeling]

  4. CPS Security Characteristics
  • Application specific, e.g. confidentiality, integrity, availability, authenticated communication …
  • Underlying Requirements
    • Usability Essential
      • Diverse deployment scenarios & user population
      • Need to make security provision as transparent as possible
      • Deep embedding makes system update difficult
    • Adaptivity and Proactivity Essential
      • Tight coupling between C and P makes it essential to be able to adjust security to changes in P in a timely manner
  • Major Aspects
    • Communication: for secure coordinated data collection and management
    • Actuation: for authorized adjustment of physical process function

  5. Example
  [Diagram: oil-rig platform with Rig Tower, Rig Office, Rig Cabin, Flare Tower, Auditorium, Admin Cabin, Control Room, Power Generator and Infirmary; BAN security solutions (sensor1, sensor2) and response facilitation solutions]
  [Diagram: criticality timeline. Normal Situation → Critical Event (blocked artery) → Criticality (Cardiac Arrest) → Response within Wo: Defibrillation (Exceptional); No Response / Wo expires / Response failed → Disaster (Congestive Heart Failure)]
  • Oil-Rig platform
    • Remote location, long work-hours
    • Most common issues: health hazard and operational management
  • Oil-rig CPS can alleviate these problems using
    • Body Area Network CPS for automated worker health monitoring
    • Smart-Infrastructure CPS for automating platform operation monitoring and control
  • Imperative to:
    • Secure BAN inter-sensor communication
    • Facilitate (authorize) response actions for criticality (emergency) management within the window-of-opportunity (Wo)
  • Other aspects can be secured using available mechanisms

  6. Research Contributions
  • This work presents a new security paradigm called Cyber-Physical Security (CYPSec) which uses the environmentally-coupled nature of CPS to address these two problems
  * Funded in part by NSF, Consortium of Embedded Systems, and Mediserve Info Systems.

  7. Outline • Cyber-Physical Systems (CPS) & Security • Securing Communication in Body Area Network CPS • Criticality Aware Access Control in Smart-Infrastructure CPS • Conclusions/Future Research Directions

  8. Problem: Secure Inter-Sensor Communication in BANs
  [Diagram: BAN with EEG, EKG, BP, SpO2 and motion sensors communicating with a base station using a symmetric key]
  • BANs use a wireless network of health & environmental monitoring sensors deployed on a person for managing their health
  • Wireless channels are prone to eavesdropping and, if unsecured, can lead to
    • Privacy loss (sensitive data)
    • Potential exploitation
    • Physical harm
  • Secure communication requirements
    • Confidentiality
    • Integrity
    • Authenticated communication

  9. Related Work
  • Use environmental characteristics of a CPS for automating key establishment
    • Secure key pre-deployment required
    • Rekeying/adjustments difficult
    • Need additional authentication mechanism
  • How to enable secure, automated, and authenticated pair-wise key establishment using environmental characteristics of BANs?

  10. Approach, Challenge, and System Model
  • System Model
    • Sensors worn or implanted on the subject
    • Use the wireless medium to communicate
    • All sensors can measure a physiological signal
  • Threat Assumptions
    • Active adversaries: eavesdrop, replay, spoof
    • Passive adversaries: eavesdrop
    • Physical compromise of BAN nodes UNLIKELY
    • Denial of service attacks not considered
  • Trust Assumptions
    • Wireless medium not trusted
    • Nodes on the BAN assumed legitimate
  • Our Approach: collect synchronously measured physiological signals at two sensors in a BAN, derive features from them and use them to perform key establishment
  • Challenges: how to
    • Generate signal features which are:
      • Distinctive: features uniquely identify a person at a given time
      • Time Variant: features vary with time (unlike a biometric)
      • Simple: minimal overhead in feature generation
    • Establish symmetric keys with them?

  11. Time Domain vs. Frequency Domain
  • Two ways to generate features:
    • Time-domain (measure signal, quantize)
    • Frequency-domain (measure signal, group, perform transformation, quantize)
  • Time domain
    • Simple to implement
    • Signals at two sensors are correlated but lack sufficient entropy
    • Actual signal values have too little in common for key generation or commitment purposes
  • Frequency domain
    • Relatively expensive
    • Strongly correlated: frequency components have more in common irrespective of measurement point
    • Signal spectra are similar enough to distinguish people but not identical, so they cannot serve directly for key generation

  12. Physiological Signal based Key Agreement
  [Diagram: Sender measures a physiological signal, derives features f, and hides the key; Receiver measures the signal, derives its own features f, and un-hides the key]
  • Performs key agreement by combining cryptographic primitives with signal processing
  • Signals used: Photoplethysmogram (PPG) and Electrocardiogram (EKG)
  • Two step process
    • Generate simple physiological signal features at the sensors (Fs and Fr, respectively)
    • Use Fs and Fr for secret key transport:
      • Generate a key at one sensor
      • Hide it using Fs
      • Transport it to the other sensor
      • Un-hide it using Fr (this also authenticates the sender)
  • Advantages:
    • Usability: plug-n-play, transparent
    • Authenticated key agreement
    • Easy to rekey and re-configure the network

  13. Feature Generation
  [Diagram: Signal Measurement → FFT + Peak Detection → Peak Values (8 bit) and Peak Index (5 bit) → Feature Point]
  • Measure the signal, loosely synchronized, for a pre-defined time at both sensors
  • Perform a windowed FFT (256 point); the number of windows is signal dependent
  • Take the first 32 features in each window
  • Identify peak values (kxb) and peak indexes (kyb), where 1 ≤ b ≤ n is the peak number and n is the total number of peaks observed
  • Quantize and concatenate to form a feature point Fi = (kxi | kyi)
  • Final feature vector at:
    • Sensor 1: Fs = [fs1 fs2 …… fsn]
    • Sensor 2: Fr = [fr1 fr2 …… frn]
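The feature-generation pipeline of slide 13, written out as an added example (not the dissertation's Matlab or TinyOS code): a 256-point windowed FFT, the first 32 coefficients, local-maximum peak detection, and quantization to an 8-bit value and 5-bit index concatenated into one feature point. The signal is a constructed stand-in (a few harmonics plus noise), not PPG or EKG data. Two details the slide leaves open are assumptions here: peak values are quantized relative to the window's largest coefficient, which makes the feature insensitive to sensor gain, and local maxima below 10% of that coefficient are dropped so noise bins do not become features. The two "sensors" of the same subject differ in sample offset, gain and noise, which illustrates why loose synchronization is enough for magnitude-spectrum features.

```python
"""Feature generation for physiological-signal key agreement (added example)."""
import cmath
import math
import random

WINDOW = 256      # 256-point windowed FFT (slide 13)
N_COEFF = 32      # first 32 FFT coefficients kept per window
VALUE_BITS = 8    # peak value -> 8 bits
INDEX_BITS = 5    # peak index -> 5 bits (32 bins fit exactly)
PEAK_FLOOR = 0.1  # ASSUMPTION: ignore local maxima below 10% of the window's largest coefficient


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def detect_peaks(window):
    """(peak_value, peak_index) pairs among the first N_COEFF magnitudes, plus the scale used later."""
    mags = [abs(c) for c in fft(window)[:N_COEFF]]
    scale = max(mags)
    floor = PEAK_FLOOR * scale
    peaks = [(mags[i], i) for i in range(1, N_COEFF - 1)
             if mags[i] > floor and mags[i] > mags[i - 1] and mags[i] >= mags[i + 1]]
    return peaks, scale


def feature_point(value, index, scale):
    """Quantize the peak value to 8 bits and the index to 5 bits, concatenated as (kx | ky).
    ASSUMPTION: the value is quantized relative to the window's largest coefficient."""
    top = (1 << VALUE_BITS) - 1
    q = min(int(value / scale * top), top)
    return (q << INDEX_BITS) | (index & ((1 << INDEX_BITS) - 1))


def features(signal):
    """Feature vector F = [f1 ... fn] over all full windows of the signal, kept as a set."""
    feats = set()
    for start in range(0, len(signal) - WINDOW + 1, WINDOW):
        peaks, scale = detect_peaks(signal[start:start + WINDOW])
        feats.update(feature_point(v, i, scale) for v, i in peaks)
    return feats


def common_features(f1, f2):
    """|Fs ∩ Fr|, the quantity the polynomial order v is chosen against on slides 16 and 17."""
    return len(f1 & f2)


# Constructed stand-in for a subject's spectrum: (FFT bin, amplitude) pairs. Not measured data.
SUBJECT_A = [(3, 1.0), (7, 0.55), (12, 0.33)]
SUBJECT_B = [(5, 1.0), (9, 0.45), (15, 0.25)]


def sensor_signal(subject, offset=0, gain=1.0, seed=0, length=2 * WINDOW):
    """One sensor's measurement: loosely synchronized (sample offset), its own gain, small noise."""
    rng = random.Random(seed)
    return [gain * (sum(a * math.sin(2 * math.pi * k * (t + offset) / WINDOW) for k, a in subject)
                    + rng.gauss(0, 0.0005))
            for t in range(length)]


if __name__ == "__main__":
    fs = features(sensor_signal(SUBJECT_A, offset=0, gain=1.0, seed=1))
    fr = features(sensor_signal(SUBJECT_A, offset=3, gain=0.8, seed=2))
    fo = features(sensor_signal(SUBJECT_B, seed=3))
    print("same subject, two sensors:", common_features(fs, fr))
    print("different subjects:", common_features(fs, fo))
```

With these constructed inputs the two sensors on subject A produce identical feature sets despite the offset and gain difference, while subject B shares none of them; with real PPG/EKG data the sets only overlap partially, which is exactly why the vault of slide 14 tolerates a non-identical Fr.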

  14. PSKA Key Agreement
  [Diagram: sender and receiver sides of the protocol]
  SENDER (Features Fs = [fs1 fs2 …… fsn]):
  • Polynomial Generation: p(x) = cv x^v + cv-1 x^(v-1) + … + c0, where Key = cv|cv-1|…|c0, ci (1 ≤ i ≤ v+1) is random, and v is pre-chosen
  • Polynomial Evaluation: P = {fsi, p(fsi)}, fsi ∈ Fs, i.e. the points (fs1, p(fs1)), (fs2, p(fs2)), …, (fsn, p(fsn))
  • Adding Chaff: C = {cfj, dj}, cfj ∉ Fs, dj ≠ p(cfj)
  • Vault Locking: R = Permute(P ∪ C)
  • Transmit Vault: IDs, IDr, R, No, MAC(Key, R|No|IDs)
  • Receive Acknowledgement
  RECEIVER (Features Fr = [fr1 fr2 …… frn]):
  • Receive Vault
  • Vault Unlocking: choose v+1 points
  • Lagrangian Interpolation: reconstruct p'(x)
  • Transmit Acknowledgement: MAC(Key, No|IDs|IDr)

  15. Data Collection & Feature Statistics
  [Tables: Measurement Parameters; PPG/EKG Feature Statistics]
  • Implemented a benchmark of PSKA in Matlab
  • PPG data
    • Collected using a Smith Medical oximeter
    • From 10 volunteers at the IMPACT lab
  • EKG data
    • Collected from the PhysioBank database
    • 10 patient data sets used from the MIMIC database

  16. Feature Properties
  [Plots: Distinctiveness; Temporal Variation]
  • Features distinctive
    • False positive: # of common features greater than v for two different people
    • False negative: # of common features fewer than v for the same person
    • PPG optimal point: v = 6
    • EKG optimal point: v = 14
    • May choose different values for practical reasons
  • Features temporally variant
    • Metric (average violations): number of times the common features at two different time stamps exceed v, averaged over all subjects

  17. Security Analysis (1/2)
  [Chart: Security of the Vault (bits, 40 to 160) against Order of Polynomial (6 to 14) for Vault Size = 300, 600, 1000, 2000 and 5000, with reference lines for the # of common features at two measurement points on one person, the # of common features at two different people, and brute-force complexity]
  • Security of the vault depends upon the number of points (R) and the order of the polynomial (v)
  • Number of combinations needed by the adversary = RC(v+1), i.e. R choose v+1
  • Choosing v is a balancing act between:
    • Number of chaff points
    • Feature length
    • Number of common features
  • Choose max v and max R such that:
    1. |Fs ∩ Fr| ≥ v+1 > |Fs ∩ F'r|
    2. Sensor computation requirements are manageable
    3. The required level of security is provided

  18. Security Analysis (2/2)
  • Given:
    (1) Distinctiveness: |Fi ∩ Fj| < v+1, where i, j are subjects and i ≠ j
    (2) Time Variance: |Fj(t) ∩ Fj(t')| < v+1 when the signal measurement start-times t and t' of subject j are sufficiently far apart
  • Assume:
    (3) |R| and v are large enough to be secure against brute-force attacks without overwhelming the sensor node
    (4) Attackers cannot measure the physiological signal from the subject of choice
    (5) Vault communication transaction freshness is maintained
  • Attack: Man-in-the-middle
  • Analysis:
    • Attacker cannot pretend to be the sender as it:
      • Cannot generate a legitimate vault: (1) and (4)
      • Cannot replay an old vault: (2)
    • Attacker cannot pretend to be the receiver as it:
      • Cannot generate a legitimate acknowledgement: (3)
      • Cannot replay an old acknowledgement: (5)
  • Result: attack thwarted (as are others which use spoofing and replay)

  19. Implementation on Ayushman* Test-bed
  * Sanskrit for long life
  [Diagram: Body Based Intelligence (Medical Sensors such as EKG and BP controlled by Mica2/TelosB motes; Environmental Sensors such as temperature) → Home/Ward Based Intelligence (Stargate Gateway, External Gateway) → Internet → Medical Facility Based Intelligence (Central Server, Medical Professional)]
  • Project @ IMPACT Lab, Arizona State University
  • To provide dependable, non-intrusive, secure, real-time automated health monitoring
  • PPG-based PSKA implemented on the TelosB mote platform using TinyOS on Ayushman
  • Overall computation, communication and memory-footprint overhead manageable but high

  20. Summary of Contributions
  • Viability
    • PPG and EKG signal features based secure key agreement for BANs
  • Implementation
    • Matlab based benchmark
    • TinyOS based implementation
  • Performance Measurement
    • Security analysis
    • Energy analysis
    • Power profiling
  • Potential Applications
    • Cluster formation
  • NSF Cyber-Trust Grant $400,000
  • Featured on the Discovery Channel website http://tinyurl.com/crqgy7
  • Best Paper Award
  Publications:
  • K. Venkatasubramanian, A. Banerjee, S. K. S. Gupta, "PSKA: Usable and Secure Key Agreement Scheme for Body Area Networks", IEEE Transactions on Information Technology in Biomedicine, Special Issue on Wireless Health (Under Minor Revision).
  • K. Venkatasubramanian, S. K. S. Gupta, "Physiological Value Based Efficient Usable Security Solutions for Body Sensor Networks", ACM Transactions on Sensor Networks (Under Minor Revision).
  • K. Venkatasubramanian, A. Banerjee, S. K. S. Gupta, "Green and Sustainable Cyber Physical Security Solutions for Body Area Networks", In Proc. of 6th Workshop on Body Sensor Networks (BSN'09), Berkeley, CA, June 2009.
  • A. Banerjee, K. Venkatasubramanian, S. K. S. Gupta, "Challenges of Implementing Cyber-Physical Security Solutions in Body Area Networks", In Proc. of 4th International Conference on Body Area Networks (BodyNets 2009), Los Angeles, CA, April 2009.
  • K. Venkatasubramanian, A. Banerjee, S. K. S. Gupta, "Plethysmogram-based Secure Inter-Sensor Communication in Body Area Networks", In Proc. of IEEE Military Communications Conference (MILCOM) 2008, San Diego, CA, November 2008.
  • K. Venkatasubramanian, A. Banerjee, S. K. S. Gupta, "EKG-based Key Agreement in Body Sensor Networks", In Proc. of 2nd Mission Critical Networks Workshop, Phoenix, AZ, April 2008.
  • K. Venkatasubramanian, S. K. S. Gupta, "Security For Pervasive Health Monitoring Sensor Applications", In Proc. of 4th International Conference on Intelligent Sensing and Information Processing (ICISIP), Bangalore, India, December 2006. (Best Paper Award)
  • K. Venkatasubramanian, G. Deng, T. Mukherjee, J. Quintero, V. Annamalai and S. K. S. Gupta, "Poster - Ayushman: A Wireless Sensor Network Based Health Monitoring Infrastructure and Testbed", In Proc. IEEE International Conference on Distributed Computing in Sensor Systems, Marina Del Ray, CA, June 2005.
  • S. Cherukuri, K. Venkatasubramanian, S. K. S. Gupta, "BioSec: A Biometric Based Approach for Securing Communication in Wireless Networks of Biosensors Implanted in the Human Body", In Proc. 1st International Workshop on Wireless Security and Privacy, IEEE ICPP Workshops, Kaohsiung, Taiwan, October 2003.

  21. Outline • Cyber-Physical Systems (CPS) & Security • Securing Communication in Body Area Network CPS • Criticality Aware Access Control in Smart-Infrastructure CPS • Conclusions/Future Research Directions

  22. Problem: Criticality Response Facilitation
  [Diagram: response action facilitation approaches placed on a scale from High Risk to Managed Risk]
  • Open System
    • Allow anyone to access any information/services in the system
    • Unauthorized access possible
  • Closed System
    • Do not allow anyone to access the system except the entities authorized by default
    • Chances of criticality expiration
  • Limited Opening
    • Open the system just enough for executing response actions
    • The opening is temporary
  • How to facilitate the right set of response (possibly exceptional) actions, to the right subjects, at the right time, for the right duration, to control existing criticalities within the system?
  • Response actions are system dependent and may involve:
    • Taking physical action
    • Accessing specific information
    • Providing services
  • Response actions may be exceptional (not allowed normally) in nature
  • Exceptional actions require facilitation: enabling/authorization of some form

  23. Approach & Challenges
  • Our Approach:
    • Use an access control mechanism for response action facilitation in a proactive (without explicit access request) and adaptive (aware of the system's current state) manner
  • Challenges:
    • Identify and facilitate potentially exceptional response actions for criticalities within the system (Responsiveness)
    • Facilitate response actions only during criticalities (Correctness) and temporarily (Liveness)
    • Handle
      • Multiple simultaneous occurrences of criticalities
      • Dynamically varying criticality types and combinations
      • Stochastic nature of criticality occurrence and associated response actions

  24. Criticality Aware Access Control
  [Diagram: Change in Criticalities → Identify Response Actions → Rescind Previous Facilitations → Identify Subjects → Facilitate Actions → Record Actions]
  • Uses well known access control constructs in a new way by combining them with stochastic systems modeling
  • Operational Stages
    • Response action generation
    • Subject selection
    • Proactive response action facilitation
    • Rescind previous facilitations
  • Advantages:
    • Proactive & adaptive emergency management
    • Usability in facilitation of response actions

  25. Related Work
  [Diagram: Context Aware RBAC, Policy-based SI Management, Context-based Access Control, Role-based Access Control, Usage Control, Optimistic Security, Policy Spaces]
  • Traditional access control models are not designed for criticality response
  • They are largely:
    • Static: do not inherently support enabling exceptional response actions
    • Reactive: subject-request based access determination, which may introduce arbitrary delays

  26. System-Model
  [Diagram: Subjects with a SUB→ROLE table (S1→r1, S2→r2, …, Sn→rn), a Manager, and Objects with an ACL mapping ROLE→PR (r1→r, r3→rw, …, rn→rwx); SPR]
  • Assumptions
    • System can monitor its current state accurately and securely
    • Strong subject authentication infrastructure
    • All criticalities can be responded to by subjects using objects in the system
    • System logs and auditing mechanism are secure
  • Constituents
    • Subjects (Requestors)
    • Objects (Resources)
    • Manager (Arbitrator)
  • Normal (Basic) Operation
    • Subjects are assigned Roles (characterize their duties)
    • Objects maintain an Access Control List (ACL) mapping roles to privileges (PR)
    • Subjects request privileges for accessing objects
    • Success if the subject's role is allowed the requested privileges in the object ACL

  27. Response Action Generation
  [Diagram: AGM with normal state N and critical states 1 to 10, connected by Critical Links (CL) and Response Links (RL); each critical state represents a particular combination of criticalities in the system]
  • Aim: identify response actions for a given set of criticalities within the system
  • Action Generation Model (AGM): state-based approach
    • Normal state: system working correctly
    • Critical state: system is experiencing an uncontrolled criticality
  • Transition Links
    • Critical Link (CL): increases criticalities within the system (associated with a probability)
    • Response Link (RL): decreases criticalities within the system. Associated with:
      • Response action (<Object-Privileges>)
      • Time to execute the response
      • Probability of success of the response action
  • Given a critical state, identify the best RL which can be taken

  28. Response Action Selection
  [Diagram: from critical state c, candidate RLs x, y, z towards normal state N carry probabilities p1, p2, …, pn (MaxQ and MP choose the max) or response times t1, t2, …, tn (MT chooses the min)]
  • Selection metric
    • Highest aggregate probability (MaxQ): choose the RL with max probability of reaching the normal state considering all possible paths from a critical state
    • Highest probability (MP): choose the RL with max value at a critical state
    • Fastest response time (MT): choose the RL with minimum response time at a critical state
    • Use the metric only when Wo has not expired
  • Criticality Response Tool (CRET) [MG09]
    • Input: AGM state and probability specification in XML format
    • Default Output: probability of reaching the normal state from each critical state based on the selection criteria
    • Extension: specify the response action for each RL, return actions for each critical state
    • Offline execution
  [MG09] Tridib Mukherjee and Sandeep K. S. Gupta, "CRET: A Crisis Response Evaluation Tool to improve Crisis Preparedness", 2008 IEEE International Conference on Technologies for Homeland Security (HST'09), Waltham, MA, USA, May 2009.

  29. Subject Selection
  [Examples: Static List (SS); Dynamic List (DS)]
  • Basis: criticality
  • Static
    • Pre-decided
    • Maintained as a list indexed by criticality
    • Example: a patient's family members getting access to health data in the event of a specific emergency
  • Dynamic
    • Context-based decision
    • Maintained as a list indexed by criticality which describes the context subjects have to meet
    • Example: the doctor on call for a medical emergency when the associated doctor is not present

  30. Enabling Response Actions
  [Diagram: NORMAL SITUATIONS, a SUB→ROLE table (S1→r1, S2→r2, …, Sn→rn) and an object ACL ROLE→PR (r1→r, r3→rw, …, rn→rwx). CRITICALITIES, the selected subjects are mapped to CAAC-Role, their previous roles are saved in the OL table (S1→r1, S2→r2), and a CAAC-Role entry with the needed privileges is added to the object ACL]
  • Given:
    • TS = {a1, a2, …, an}: actions associated with the chosen RL, where each ai is an <Object, Privileges> tuple
    • SUB = {s1, s2, …, sn}: set of chosen subjects
  • ∀ e ∈ TS: AddACL(e.Object, CAAC-Role, e.Privileges)
  • ∀ d ∈ SUB: AddRoleOL(d, currentRole(d)); AddRole(d, CAAC-ROLE); Inform(d)
  • Record all response actions taken for accountability
  • All normal access requests are curtailed
  • If criticalities change:
    • ∀ e ∈ TS: RemoveACL(e.Object, CAAC-Role)
    • ∀ d ∈ SUB: AddRole(d, OLRole(d)); RemoveRoleOL(d)
    • Identify the best RL and subjects, and repeat
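The facilitation and rescind steps of slide 30, as an added example (a small model written for this page, not the CAAC implementation): a Manager holding the SUB→ROLE table, the object ACLs and the OL table, with AddACL / AddRoleOL / AddRole on facilitation and their inverses when criticalities change. The curtailment of normal requests while in CAAC mode is modelled as: only CAAC-Role entries are honoured, which is also the strictness the future-work slide proposes to relax. The subjects, objects and the C1 walk-through are constructed for illustration.

```python
"""Enabling and rescinding response actions in CAAC (added example)."""

CAAC_ROLE = "CAAC-Role"


class CAACManager:
    """The Manager (arbitrator) of slide 26: SUB->ROLE table, object ACLs and the OL table."""

    def __init__(self):
        self.role = {}       # SUB -> ROLE
        self.acl = {}        # object -> {ROLE: set of privileges}
        self.old_role = {}   # OL table: subject -> role held before facilitation
        self.mode = "Normal"
        self.active = None   # (TS, SUB) currently facilitated, if any
        self.log = []        # record of facilitations, kept for accountability

    def add_subject(self, subject, role):
        self.role[subject] = role

    def add_acl(self, obj, role, privileges):
        self.acl.setdefault(obj, {}).setdefault(role, set()).update(privileges)

    def remove_acl(self, obj, role):
        self.acl.get(obj, {}).pop(role, None)

    def check(self, subject, obj, privilege):
        """Normal operation: success iff the subject's role is allowed the privilege in the object ACL.
        ASSUMPTION for 'normal requests are curtailed': in CAAC mode only CAAC-Role is honoured."""
        role = self.role.get(subject)
        if self.mode == "CAAC" and role != CAAC_ROLE:
            return False
        return privilege in self.acl.get(obj, {}).get(role, set())

    def facilitate(self, ts, sub):
        """ts: TS, the (Object, Privileges) tuples of the chosen RL; sub: SUB, the chosen subjects."""
        if self.active:
            self.rescind()
        self.mode = "CAAC"
        for obj, privileges in ts:                      # for all e in TS:
            self.add_acl(obj, CAAC_ROLE, privileges)     #   AddACL(e.Object, CAAC-Role, e.Privileges)
        for d in sub:                                   # for all d in SUB:
            self.old_role[d] = self.role[d]             #   AddRoleOL(d, currentRole(d))
            self.role[d] = CAAC_ROLE                    #   AddRole(d, CAAC-Role)
            self.log.append(("inform", d, tuple(ts)))   #   Inform(d), recorded
        self.active = (list(ts), list(sub))

    def rescind(self):
        """Undo the previous facilitation when criticalities change."""
        ts, sub = self.active
        for obj, _ in ts:                               # RemoveACL(e.Object, CAAC-Role)
            self.remove_acl(obj, CAAC_ROLE)
        for d in sub:                                   # AddRole(d, OLRole(d)); RemoveRoleOL(d)
            self.role[d] = self.old_role.pop(d)
        self.log.append(("rescind", tuple(sub), tuple(ts)))
        self.active = None

    def criticalities_changed(self, ts=None, sub=None):
        """Rescind, then facilitate the newly chosen RL, or return to Normal mode when none remains."""
        if self.active:
            self.rescind()
        if ts:
            self.facilitate(ts, sub)
        else:
            self.mode = "Normal"


def oil_rig_scenario():
    """Constructed walk-through of criticality C1 (slide 32): a worker has a heart attack in the
    control room; the medic is absent, so a nearby worker is selected dynamically (slide 29)."""
    m = CAACManager()
    m.add_subject("worker1", "rig-worker")
    m.add_subject("medic1", "medic")
    m.add_acl("health-record", "medic", {"r", "w"})
    m.add_acl("defibrillator", "medic", {"x"})
    result = {"normal": (m.check("worker1", "defibrillator", "x"),
                         m.check("medic1", "health-record", "r"))}
    ts = [("defibrillator", {"x"}), ("health-record", {"r"})]   # actions of the chosen RL
    m.facilitate(ts, ["worker1"])
    result["critical"] = (m.check("worker1", "defibrillator", "x"),
                          m.check("worker1", "health-record", "w"),
                          m.check("medic1", "health-record", "r"))
    m.criticalities_changed()   # criticality resolved: no RL chosen, back to Normal
    result["resolved"] = (m.check("worker1", "defibrillator", "x"),
                          m.check("medic1", "health-record", "r"),
                          m.role["worker1"])
    return result
```

During C1 the selected worker can execute the defibrillator and read, but not write, the health record (only the privileges of the chosen RL are granted), while the absent medic's normal read is curtailed; once the criticality is resolved the OL table restores the worker's role and the medic's normal access returns.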

  31. CAAC Execution Flow
  [Flowchart, with Responsiveness, Correctness and Liveness marked on the corresponding stages:
  Start → Identify System State → Change in System State? (no: Wait for ∆ and re-identify) → yes: System in Normal State?
    • yes: Set mode = Normal; Rescind existing privileges; Enforce auditing
    • no: Generate Response Actions using AGM; Store values in set TS; TS == 0? (yes: Rescind existing privileges; no: Set mode = CAAC, if needed; Rescind any existing privileges; Identify Subjects; Enable Privileges; Inform Subjects; Log Actions) → Wait for ∆]

  32. Smart Rig Example
  [Diagram: Rig Tower, Rig Office, Rig Cabin, Auditorium, Flare Tower, Admin Cabin, Control Room, Power Generator, Infirmary; table of Criticalities & Properties [DF*05, CK*08, HM*04, KK*03, PA*00]]
  • Criticalities Considered:
    • Health emergency
    • Fire Accident
  • Criticalities Considered
    • C1: A worker on the rig with chronic hypertension having a heart attack in the control room.
    • C2: Fire alarm in the control room of the rig.
    • C3: A worker on the rig with chronic hypertension having unstable angina in the control room.
    • C4: People trapped in the control room needing immediate assistance.
  [DF*05] DiMattia, G. D., Faisal, I. K., and Amyotte, P. R. 2005. Determination of human error probabilities for offshore platform musters. Journal of Loss Prevention in the Process Industries 18, 488-501.
  [CK*08] Chan, P. S., Krumholz, H. M., Nichol, G., and Nallamothu, B. K. 2008. Delayed Time to Defibrillation after In-Hospital Cardiac Arrest. The New England Journal of Medicine 358, 1 (January), 9-17.
  [HM*04] Hendrix, K., Mayhan, S., Lackland, D., and Egan, B. 2004. Prevalence, Treatment, and Control of Chest Pain Syndromes and Associated Risk Factors in Hypertensive Patients. American Journal of Hypertension 18, 8 (May), 1026-1032.
  [KK*03] Khot, U. N., Khot, M. B., Bajzer, C. T., Sapp, S. K., Ohman, E. M., Brener, S. J., Ellis, S. G., Lincoff, A. M., and Topol, E. J. 2003. Prevalence of Conventional Risk Factors in Patients With Coronary Heart Disease. The Journal of the American Medical Association 290, 7 (August).
  [PA*00] Pope, J. H., Aufderheide, T. P., Ruthazer, R., Woolard, R. H., Feldman, J. A., Beshansky, J. R., Griffith, J. L., and Selker, H. P. 2000. Missed Diagnoses of Acute Cardiac Ischemia in the Emergency Department. The New England Journal of Medicine 342, 16 (April), 1163-1170.

  33. Example: AGM
  [Figures: the AGM for the rig [DF*05, CK*08, HM*04, KK*03, PA*00]; response action success probability for each state; chosen RL for each state]

  34. Example: Facilitation
  [Tables: Normal State, Subject-Role Mapping and Objects ACLs; Critical State after C1, Subject Selection (SS + DS) with Subject Context, New Role, Old Role Table (OL) and Objects ACLs]

  35. Summary of Contributions
  • Emergency management in smart-infrastructures
    • Proactive and adaptive access control
    • Response action facilitation
      • Action identification
      • Subject identification
      • Temporary authorization
  • Oil Rig based case study
    • Medical and fire emergencies
  Publications:
  • K. Venkatasubramanian, S. K. S. Gupta, "CAAC - An Adaptive and Proactive Access Control Approach for Emergencies for Smart Infrastructures", ACM Transactions on Autonomous and Adaptive Systems, Special Issue on Adaptive Security (Accepted).
  • K. Venkatasubramanian, S. K. S. Gupta, "Chapter 15: Security for Pervasive Healthcare", pp 443-464, In Security in Distributed, Grid, Mobile, and Pervasive Computing, ed. Yang Xiao, Auerbach Publications, CRC Press, April 2007.
  • T. Mukherjee, K. Venkatasubramanian, S. K. S. Gupta, "Performance Modeling of Critical Event Management for Ubiquitous Computing Applications", In Proc. of ACM Conference on Modeling and Simulation of Wireless and Mobile Systems (MSWiM), Terromolinos, Spain, October 2006.
  • S. K. S. Gupta, T. Mukherjee, K. Venkatasubramanian, "Criticality Aware Access Control Model for Pervasive Applications", In Proc. of 4th IEEE Conf. on Pervasive Computing (PERCOM), Pisa, Italy, March 2006.

  36. Outline • Cyber-Physical Systems (CPS) & Security • Securing Communication in Body Area Network CPS • Criticality Aware Access Control in Smart-Infrastructure CPS • Conclusions/Future Research Directions

  37. Conclusions
  • Security for cyber-physical systems is particularly important
  • Environmentally coupled security for CPS introduced
  • Two solutions in the new paradigm presented
    • Using physiological signals for authenticated, secure and usable key agreement between sensors in a BAN
    • Proactive and adaptive response facilitation in smart infrastructures for emergency management
  • Brand new area, considerable potential for research and funding (NSF ($30-$40M), ONR ($14M), DHHS, NIH)

  38. Future Research Directions
  • CPS Security
    • Develop holistic security solutions for CPS considering Sensing, Communication, Actuation and Feedback
  • Physiological Signal based Key Distribution
    • Find more signals: the current need for a common physiological signal across all sensors goes against the usability of the technique
    • Reduce the effect of measurement artifacts: this work assumes idealized measurement and tries to minimize artifacts, which is not accurate in real-life settings
  • Criticality Aware Access Control
    • Consider the probabilistic nature of detection: false positives and negatives, and malicious acts on the detection infrastructure, have to be considered
    • Reduce strictness:
      • Should allow normal system function in unaffected parts
      • Manage conflict between authorization for criticality response and normal operations

  39. Questions ?? Impact Lab (http://impact.asu.edu) Creating Humane Technologies for Ever-Changing World

  40. Extra Slides

  41. CPS Security: Motivation & Requirements
  Motivation
  • Often mission critical deployment: any malicious act has serious consequences
  • More prone to malicious acts: availability of detailed information about the physical process
  • Privacy loss an issue, e.g. health information: exploitation, abuse, discrimination
  • Actuation capability: denial of service, physical harm
  • System specific legal requirements: Health Information Portability & Accountability Act (HIPAA) for medical data
  Requirements
  • Awareness of a fundamentally different threat model
    • Traditional: point of entry is essentially cyber
    • CPS: point of entry may be cyber as well as physical
  • Need to address all aspects of CPS
    • Authenticated sensing
    • Secure communication link
    • Tamper proof storage
    • Authorized actuation
    • Feedback/control-loop security
  • Need for usable security solutions
    • Diverse deployment scenarios & user population
    • Need to make security provision as transparent as possible

  42. Frequency Domain Processing
  • Signals used: PPG and EKG
  • Measured as average coherence: the normalized area under the coherence curve, Cxy² / (Cxx · Cyy), over all combinations of subjects (10 subjects) over 100 start times
    • Cxy = cross-correlation of the power spectra of the two signals
    • Cxx and Cyy = auto-correlation of the power spectrum of the same signal

  43. Fuzzy Vault
  • [JS02] A. Juels and M. Sudan, "A Fuzzy Vault Scheme", In Proc. of IEEE Intl. Symp. on Inf. Theory, page 408, 2002.
  • Locks a secret S using a set of values A; it can be unlocked with another set B only if A and B have more than a threshold number of elements in common [JS02]
  • The construction and locking of the vault is done by:
    • Generating a vth order polynomial p over the variable x that encodes the secret S
    • Computing the value of the polynomial at different values of x from set A and creating a set R = {ai, p(ai)}, where 1 ≤ i ≤ |A|
    • Adding randomly generated points called chaff to R which do not lie on the polynomial
  • Unlocking of the vault can be done by:
    • Identifying a set B with significant overlap with A
    • Building a set Q = {(u, v) | (u, v) ∈ R, u ∈ B}
    • Reconstructing the polynomial from the points in Q using Lagrangian interpolation: knowledge of v+1 points on a polynomial, {(x0, y0), (x1, y1), …, (xn, yn)}, can reconstruct a vth order polynomial
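The vault construction of slide 43 and its use in the PSKA exchange of slide 14, written out as an added example (not the PSKA or Juels-Sudan code): the sender generates a random degree-v polynomial whose coefficients are the key, evaluates it at its feature points, adds chaff, permutes, and transmits the vault with the MAC; the receiver keeps the vault points whose x-values are in its own features, interpolates v+1 of them, and accepts the first candidate key whose MAC verifies, which is what authenticates the sender. It also carries the brute-force count of slide 17, C(R, v+1), as a bit figure. Assumptions made here: arithmetic is over GF(8191), chosen so that 13-bit feature points fit as x-values (8191 itself would not, so a real deployment would pick a larger field); the MAC is HMAC-SHA256 over the concatenation the slides show; the feature sets FS, FR and FR_OTHER are constructed, with FS and FR sharing 8 points for v = 6 (the PPG optimal point of slide 16).

```python
"""Fuzzy-vault key transport as in PSKA and the vault-size security estimate (added example)."""
import hashlib
import hmac
import itertools
import math
import random

PRIME = 8191  # ASSUMPTION: arithmetic in GF(8191); the constructed 13-bit feature points fit below it


def poly_eval(coeffs, x):
    """p(x) for coeffs = [c0, c1, ..., cv], lowest order first."""
    return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] = (out[i + j] + ca * cb) % PRIME
    return out


def lagrange(points):
    """Lagrangian interpolation: coefficients of the degree-v polynomial through v+1 distinct points."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul(basis, [(-xj) % PRIME, 1])
                denom = denom * (xi - xj) % PRIME
        scale = yi * pow(denom, PRIME - 2, PRIME) % PRIME   # Fermat inverse in a prime field
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % PRIME
    return coeffs


def key_bytes(coeffs):
    """Key = cv | cv-1 | ... | c0, each coefficient as two bytes."""
    return b"".join(c.to_bytes(2, "big") for c in reversed(coeffs))


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def serialize(vault):
    return ",".join(f"{x}:{y}" for x, y in vault).encode()


def sender_lock(fs, v, chaff_count, ids, idr, rng):
    """Vault locking: random polynomial, P = {fsi, p(fsi)}, chaff C, R = Permute(P ∪ C), MAC."""
    coeffs = [rng.randrange(PRIME) for _ in range(v + 1)]
    points = [(f, poly_eval(coeffs, f)) for f in sorted(fs)]
    used = set(fs)
    while len(points) < len(fs) + chaff_count:            # chaff: cfj not in Fs, dj != p(cfj)
        x, y = rng.randrange(PRIME), rng.randrange(PRIME)
        if x not in used and y != poly_eval(coeffs, x):
            points.append((x, y))
            used.add(x)
    rng.shuffle(points)
    nonce = rng.getrandbits(64).to_bytes(8, "big")        # No, for freshness
    tag = mac(key_bytes(coeffs), serialize(points) + nonce + ids.encode())   # MAC(Key, R|No|IDs)
    return coeffs, {"IDs": ids, "IDr": idr, "R": points, "No": nonce, "MAC": tag}


def receiver_unlock(msg, fr, v):
    """Vault unlocking: Q = vault points with x in Fr; interpolate v+1 of them and accept the first
    candidate whose MAC verifies. Returns (key coefficients, acknowledgement MAC) or (None, None)."""
    q = [(x, y) for x, y in msg["R"] if x in fr]
    signed = serialize(msg["R"]) + msg["No"] + msg["IDs"].encode()
    for combo in itertools.combinations(q, v + 1):
        cand = lagrange(list(combo))
        if hmac.compare_digest(mac(key_bytes(cand), signed), msg["MAC"]):
            ack = mac(key_bytes(cand), msg["No"] + msg["IDs"].encode() + msg["IDr"].encode())
            return cand, ack
    return None, None


def vault_security_bits(vault_size, v):
    """Slide 17: an adversary without features must try R choose v+1 subsets; log2 gives bits."""
    return math.log2(math.comb(vault_size, v + 1))


# Constructed 13-bit feature sets (not measured data). FS and FR share 8 points, enough for v = 6;
# FR_OTHER stands for a different person and shares only 3.
FS = {8163, 4487, 2700, 3657, 2031, 1234, 4321, 5555, 6000, 7777, 100, 2222}
FR = {8163, 4487, 2700, 3657, 2031, 1234, 4321, 5555, 999, 888, 777, 666}
FR_OTHER = {8163, 4487, 2700, 1, 2}


def run_exchange(seed=7, v=6, chaff=200):
    """Full exchange: sender locks, receiver unlocks and acknowledges, sender verifies the ack."""
    rng = random.Random(seed)
    coeffs, msg = sender_lock(FS, v, chaff, "sensor1", "sensor2", rng)
    recovered, ack = receiver_unlock(msg, FR, v)
    expected_ack = mac(key_bytes(coeffs), msg["No"] + b"sensor1" + b"sensor2")
    other, _ = receiver_unlock(msg, FR_OTHER, v)
    return {"key_agreed": recovered == coeffs,
            "ack_valid": ack is not None and hmac.compare_digest(ack, expected_ack),
            "other_person_unlocked": other is not None}
```

Trying combinations of matched points is what makes a chaff point that happens to collide with a receiver-only feature harmless: that combination yields a wrong polynomial, its MAC fails, and the next combination is tried. A receiver with fewer than v+1 matching points never reaches a candidate, which is the distinctiveness condition |Fi ∩ Fj| < v+1 of slide 18 at work.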

  44. Sample Features for PPG and EKG Signals
  [Figure: PPG, Average Feature Length = 30, Common Features = 12 / 2; EKG, Average Feature Length = 87, Common Features = 40 / 8]

  45. TinyOS Implementation Diagram
  [Diagram: Sender and Receiver component wiring]
  • Successful implementation on the mote platform
  • Trade-off accuracy for space and computation
    • Fixed point arithmetic
    • Single non-parallelized FFT butterfly
  • Chaff point storage is expensive, so they are sent as they are generated
    • For 1000 points, 100 packets of 80 bytes are sent, taking about 10 seconds: the major bottleneck

  46. TinyOS Implementation
  • PPG-based PSKA implemented on the Crossbow mote platform using TinyOS
  • Overall memory footprint small enough for the Crossbow mote environment
  • The FFT coefficient values for Matlab and the mote are nearly identical
  • FFT and communication consume most of the RAM

  47. Result Analysis (TinyOS)
  [Table: Measurement Parameters]

  48. Energy Analysis (TinyOS)
  [Diagram: Energy Measurement Setup. Mote (executing PSKA); 2.7 ohm resistor; oscilloscope (measures current pulses and duty cycle); multi-meter (ammeter)]
  • PSKA executed on a pair of TelosB motes
  • Across the two power leads of the mote, a 2.7 ohm resistance was connected in series with an ammeter
  • An oscilloscope was connected across the resistance to measure the duty cycle
  • Each stage of PSKA is executed in 2 modes: Radio Off / Radio On
    • Radio Off
      • Sender: FFT, Peak Detection, Quantize, Polynomial generation, Chaff generation
      • Receiver: FFT, Peak Detection, Quantize
    • Radio On
      • All stages of PSKA for Sender and Receiver

  49. Energy Model
  • Measured based on current draw and associated time
  • Computational Model: supply voltage; current drawn from the processor during execution and the execution time; current drawn by other components and their time; current drawn from the processor when idle and the idle time
  • Communication Model: supply voltage; current drawn for each Tx and the Tx time; current drawn for each Rx and the Rx time; current drawn with the transceiver off and that time

  50. PSKA Operational Overhead
  [Figure: PSKA Operational Overhead]
