Security analysis of a wireless quadruple tank control system

Abstract

Consulta en la Biblioteca ETSI Industriales (8715)

[EN] In recent times, the application of wireless communications in processes control is increasing due to clear advantages as the ease of installation, the modularity, the possibility of controlling a remote process or the versatility of a not-wired moving control panel for a worker, for example. However, this technology has some other problems, among which the possibility of a malicious attack taking advantage of the open communication channel that this technology presents is remarkable. This fact shows the importance of raising the issue of security in wireless networks. The two main kinds of malicious attacks that can be applied to a controlled process by a wireless network are denial-of-service and deception attacks. The first of them consists in a blocking of the delivered data, in a way that destination modules don¿t receive it. The second one consists in a modification of the sensors or actuators delivered data by the attacker. The effect of these attacks, mainly of deception ones, has not been deeply analyzed, therefore the consequences or the detection of them are an interesting field of investigation. The main emphasis of this Master Thesis is the analysis of the effect of malicious deception attacks applied to a real process, in this case a scale model of a water distribution system made up of four interconnected water tanks and two pumps to control the water levels. The process model is derived, followed by the design and test of three kinds of controllers: LQG, PI and PI robustified with the Glover-McFarlane method. Later, the performance of the closed loop system with these controllers is tested against a series of deception attacks, including the introduction of offset in the process inputs and in inputs and outputs at the same time, an output freezing, a replay of a series of output values and a zeroing output attack, using transmission zeros of the system and its properties. Some conclusions about the performance of Kalman filters, controls with integrators and the control robustification under attack have been achieved: there¿s no remarkable difference of behaviour between the different controllers under attack, just little differences depending on the design with or without integrator; there¿s neither difference of performance under attack in the case of PI and PI robustified control, and the residue of estimations with Kalman filters can be useful to detect any kind of attack. Finally, some detection solutions have been suggested, leaving generalised solutions for future work.