J Hardw Syst Securhttps://doi.org/10.1007/s41635-017-0027-9

Cross-Level Detection Framework for Attackson Cyber-Physical Systems

Brien Croteau1 ·Deepak Krishnankutty1 ·Kiriakos Kiriakidis2 ·Tracie Severson2 ·Chintan Patel1 ·Ryan Robucci1 ·Erick Rodriguez-Seda2 ·Nilanjan Banerjee1

Received: 4 November 2017 / Accepted: 10 November 2017© Springer International Publishing AG (outside the US) 2017

Abstract Anomaly detection is critical in thwarting mali-cious attacks on Cyber-Physical Systems. This workpresents a novel inference engine that integrates two het-erogeneous anomaly detectors, working at different levelsof the system architecture, in order to produce a cross-level detector more effective than either one separately. Themacro- or process-level detector uses a bank of observersof the physical plant that estimate the state of the pro-cess suspected to be under attack, specifically for its sensorto be compromised, from data gathered by available net-worked sensors. The estimates are then combined using a

� Brien Croteaucroteau1@umbc.edu

Deepak Krishnankuttydeepakk1@umbc.edu

Kiriakos Kiriakidiskiriakid@usna.edu

Tracie Seversonseverson@usna.edu

Chintan Patelcpatel2@umbc.edu

Ryan Robuccirobucci@umbc.edu

Erick Rodriguez-Sedarodrigue@usna.edu

Nilanjan Banerjeenilanb2@umbc.edu

1 Computer Science and Electrical Engineering Department,University of Maryland Baltimore County, Baltimore, MD,USA

2 Weapons and Systems Engineering Department, U.S. NavalAcademy, Annapolis, MD, USA

consensus algorithm to determine if the suspect sensor isreporting false readings. The micro-level detector uses time-sampled side-channel power measurements of an integratedcircuit on the suspect sensor. By comparing power measure-ments against those from a known good state, differencesindicate the code running inside has been altered. The cross-level detector performs a two-dimensional Neyman-Pearsonhypothesis test that declares the presence of an attack on thesensor node. The cross-level detector is shown to be moreaccurate and less latent than its constituent parts. Detectionwas tested against a range of False Data Injection attackson a hardware prototype and the detector performance wasmeasured experimentally. The cross-level detector on aver-age achieved a 93% rate of correct detection, comparedwith 72 and 85% for the macro- and micro-level detectors,respectively; and a 50% reduction in latency compared tothe macro-level detector.

Keywords Cyber-physical systems · Internet of things ·Hardware security

1 Introduction

With the tighter integration of computing devices intosensors, actuators, and communication networks, Cyber-Physical Systems (CPS) are poised to shape the design ofnew technologies such as the Internet-of-Things [1–3]. Theproliferation of the number and scope of CPS-based inno-vations has granted users increased power and convenience,but has also made them vulnerable to cyber-borne threats [4,5]. A notable example is the attack against the electric powergrid in the Ukraine during December 2015. Power was lostfor approximately 225,000 customers for several hours. Theattack began with spear phishing emails that gained Virtual

J Hardw Syst Secur

Private Network (VPN) credentials [6]. In turn, key loggerswere employed to help grant entry into the Supervisory Con-trol and Data Acquisition (SCADA) network. Access to theSCADA network permitted the attackers to load modifiedfirmware onto local devices allowing the remote openingof substation breakers. This attack was followed a longperiod of reconnaissance and when executed was highlysynchronized at multiple layers [7].

The multifaceted complexity of modern cyber-physicalsystems make comprehensive defense challenging. Con-sider a networked industrial control system comprisingsensors, actuators, and controllers, as shown in Fig. 1.Designing a system-wide security solution requires cross-layer approaches that provide security at the computinglayer, the network layer, and the application layer. Unfortu-nately, most solutions either focus on making the network-ing layer robust through secure distributed algorithms [8,9] or securing the sensors using techniques such as trustedplatform modules [10, 11] or robustness to side-channelattacks [12].

This work argues that disjoint solutions at the differentlayers are insufficient to safeguard the physical componentsof CPS. As with the engineering of these components intoan integrated system, security and safety solutions are moreeffective if drawn upon both the microchip-level computinglayer (“micro-level”) and the process-level communicationlayer (“macro-level”). The general approach presented hereis based on joint statistical inference operating simultane-ously at the aforementioned micro- and macro-levels, asshown in Fig. 1. To the best of the authors’ knowledge, thereare no published works of any kind on a detection schemethat combines evidence across the layers of a CPS. The

Fig. 1 Example of a typical CPS comprising multiple sensors, actu-ators, and controllers connected via a communication network. Themacro-level detector gathers observations from physically intercon-nected processes transmitted via the communication network; themicro-level detectors monitor the power signal of the microchip withina sensor node

efficacy of such a vertically integrated approach is demon-strated experimentally on a prototype system comprising,necessarily, ad hoc hardware and software pieces. Neverthe-less, the key contribution presented herein is a blueprint foranomaly detection applicable to all CPS irrespective of theirmake up at the component level.

The novel outcomes of the present work are summarizedas follows:

1. A framework for a cross-level detection infrastruc-ture that includes micro-level and macro-level monitorsalong with an inference engine that processes macro-and micro-level evidence jointly.

2. Design and analysis of a micro- and a macro-leveldetectors. The presented micro-level detector collectslocal, fast evidence related to physical propertiesof computational hardware. The macro-level detec-tor assembles global physical evidence at a largertimescale. The heterogeneous evidence combined withpredictive models covers multiple CPS levels andtimescales, resulting in responsive and effective detec-tion.

3. A comprehensive experimental study that demonstratesthe superiority of cross-level detection against dis-jointed detectors. The cross-level detector performanceis analyzed and compared to isolated macro- and micro-level detector performance under a range of False DataInjection (FDI) attacks on a single sensor.

The precursor of the present work is found in [13].Therein, the authors presented the unified framework forcombining the micro- and macro-level detectors, whosefeasibility was illustrated in simplified experiments, respec-tively.

2 Related Work

This work builds on previous efforts on CPS security ingeneral, and macro-level and micro-level attack detectorsin particular. This section compares and contrasts the mostrelevant literature.

Cyber-Physical System Security There is extensiveresearch on CPS and security [14, 15] focusing on: SmartPower Grids [16, 17], Industrial Control Systems (ICS)[18], and SCADA [19, 20] systems. The majority of thisresearch proposes defending attacks at the network or pro-cess level. The basis for the attack model used for thephysical experiment described in Section 8 was the FDI con-cept introduced in [21]. One form of FDI attack known asa replay attack [22] shows that attackers can mislead tradi-tional fault detectors while still providing arbitrary input tocontrollers.

J Hardw Syst Secur

Process-Level Detection When a control system operatesat its desired steady state condition and receives an arbitraryinput, vice the correct feedback, it will move to a lower-performing or unsafe state. The work in [22] demonstratedthat replay attacks eluded conventional χ2 tests and pro-posed a new Linear Quadratic Gaussian (LQG) controller toprocess the residuals which eventually led to detection. [23]investigated the statistical consistency of residuals usingthe CUSUM procedure. Other researchers [24, 25] haveproposed ways to estimate state parameters under cyber-attacks. These methods were focused on using sensor dataavailable at the network level.

In the authors’ earlier work [26], an anomaly detec-tion method was developed for attacks of deception onCPS. Using graph theory, an observable spanning tree wasconstructed identifying processes connected to the one pro-cess whose sensor was suspected to be compromised. Datafrom the sensors of these far-flung processes were sentto observers producing estimates of the process with thesuspicious sensor at the root of the tree. For built-in redun-dancy, state estimates from a bank of three or more far-flungobservers were fused using a weighted average consen-sus algorithm. These algorithms were selected because theydemonstrate excellent convergence [9] and are robust tonetwork delays [27]. Next, the problem of statistical con-sistency associated with local residuals was circumventedby computing the difference between the suspect data andthe consensus output. The authors’ companion work [28]also investigates stability and safety while striving for per-formance recovery after attack.

IC-Level Detection Side-channel analysis is a well-studiedtopic in computer security circles [29, 30], the traditionalfocus has been on extracting and defending secret infor-mation (such as encryption keys) from these unintendedoutputs. A different perspective is to use these side-channelmeasurements to determine if malware has been insertedinto a circuit, either in hardware or software. Numer-ous side-channel techniques have been proposed [31–35]to detect the presence of malicious hardware in commer-cial ICs. In [36], the authors demonstrated the abilityto determine the class of instructions, based on hard-ware usage, from power supply side-channel measurements.Other researchers [37–40] have proposed similar methods todetermine anomalies using power measurements, but gen-erally cover a much smaller instruction set or a simplerarchitecture.

3 Security Model

This section summarizes the assumptions made about theadversary carrying out the attack. As a threat model, the

adversary desires to drive the state of a process to anarbitrary level causing physical harm to the plant whileremaining undetected.

Furthermore, the adversary can (i) change code on acomputing device of the sensor used to regulate a process ofthe physical plant, (ii) replay past collected data, (iii) senddata to the controller that is indistinguishable from that ofuncompromised sensors, (iv) monitor and communicate tocompromised sensors, and (v) use multiple compromisedsensors to collude. The adversary cannot (i) compromisethe micro-level side-channel monitor and (ii) prevent thereceipt of data from uncompromised sensors.

4 System Architecture

The proposed framework is envisioned to be added to exist-ing or new networked CPS such as buildings, factory floors,and smart cities. For clarity, note that the term “sensors”herein refers to a node comprising a transducer and accom-panying computing devices and electronics, which includessupport for communication.

The macro-level detector leverages a physical model ofthe plant being observed by networked sensors. It comprisesa collection of sensor measurements that are examined usinga consensus algorithm to determine if one sensor is sendingfalse data. It can be implemented in a distributed fashion byaugmenting code within sensors (executed by the comput-ing device) or, if present, a compute-capable fault diagnosticdevice.

The micro-level detector utilizes a side-channel signal todetermine if the code being executed inside a sensor hasbeen changed. The micro-level monitor would be a hard-ware module that could replace or shim a legacy sensorcomputing device. It would be capable of measuring side-channel signals (e.g., device power-consumption, sound,light, temperature, or humidity), processing the measure-ments locally, and sending minimal results to the cross-layerdetector.

The cross-level detector combines evidence from thedetectors at various levels to make a more informed deter-mination of the presence of a cyber-attack, using a statis-tically based hypothesis test. It could reside on hardwarealready provided for control functions (e.g., ProgrammableLogic Controllers (PLC), Remote Terminal Units (RTU),or Personal Computers (PC)) existing at one or more lev-els above the sensors in the control architecture. If space orresources are available on existing platforms, the code canbe retrofitted; otherwise, new hardware would be required.The present work contributes a method for anomaly detec-tion in CPS that can be realized at the cost of additional soft-ware and hardware. Resource management is an importantissue, although it is not addressed in this paper.

J Hardw Syst Secur

5 Macro-level Detection

This section presents the model of the physical plant,the generation of multiple estimates using Luenbergerobservers or Kalman Filters, the coalescing of these esti-mates using a consensus algorithm, and the Neyman-Pearson hypothesis test used for decision-making. Thearchitecture of the macro-level detector follows the frame-work of quantitative model-based fault detection [41]. Thedecision engine, however, departs from the existing frame-work as it does not employ residuals between local esti-mates and sensor data. Because FDI is suspected, it relieson far-flung estimates generated by observers of intercon-nected processes. The consensus of these estimates is usedfor detection.

5.1 The Physical Plant and the Process-Level Observers

The physical plant comprises multiple processes Pi ,i = 1, . . . , Np, where Np denotes their total number of pro-cesses. The state of Pi is assessed by the state variablexi , which evolves according to the following equation (allvariables are functions �+→�):

Pi : dxi

dt= aixi + biui + vi +

n∑

j �=i

aij xj . (1)

On the right hand side, the first term captures the inter-nal dynamics of the ith process, the second channels thecontrol input ui , and the third represents a disturbance vi .The fourth termmodels the dependences between processes.These interconnections are critical to the authors’ method.From the point of view of a receiving process Pj , the subjectterm quantifies the influence of xi on xj .

Two interconnected processes Pi and Pj and their respec-tive control systems are depicted in Fig. 2. Sensor SX pro-duces yX, a measurement of the state; controllerCX produces

Fig. 2 Representation of two interconnected processes of the CPSeach with their own sensor (SX), controller (CX), and actuator (AX).One sensor, Si , is suspected of sending false data. The macro-leveldetector relies on estimates of far-flung observers such as O

(i)j , to

determine the presence of a deception attack

the action uX; and actuator AX implements the controlinput. Figure 2 also indicates a “vector of attack” throughsensor Si highlighted in red. The authors’ method leveragesthe influence of Pi on Pj to extract information about xi

from the data yj by means of the Luenberger observer O(i)j .

5.2 Controlling a Process of the Physical Plant

The goal of the control system Si→Ci→Ai is twofold: (1)to regulate yi about a desired operating point, OPi and (2)to reduce sensitivity to the disturbance vi . Under closed loopcontrol, the control input is a function �→�: ui = ui(yi),for example, consider the controller with proportional gainki below:

Ci : ui ={

ki(OPi − yi), yi > OPi

0, yi≤OPi ,

If the measurement yi exceeds OPi , actuator Ai is turnedon in order to drive it toward OPi . In the event of FDI fromsensor Si , however, the loop would be opened and, with theeffect of the disturbance vi unchecked, yi would likely moveaway from OPi .

5.3 Deception Attack Through the Process Sensor

Since the occurrence of FDI attack is of binary nature, asingle parameter θ is used to reflect the presence of an attackas follows:

θ ={

θ1 : attack presentθ0 : attack not present .

If θ = θ0 (the null hypothesis), sensor Si sends a true mea-surement of the state xi to controller Ci , that is, Si : yi =xi + wi where wi represents thermal noise N(0, σ 2

w). Then,the control ui regulates the process based on the presentvalue of yi and the state xi eventually settles about OPi .

Under θ = θ1 (the alternate hypothesis), the compro-mised sensor Si reports false data, ya

i . For the duration ofthe attack, the sensor signal is Si : yi = ya

i . With result-ing control input ui = ui(y

ai ), the loop is more sensitive

to the disturbance vi and less stable. Table 1 indicates thedetrimental impact of the control action, if the controller inSection 5.2 is supplied with false data.

The primary effect of the deception attack causes thestate xi to deviate from its operating point disrupting thenormal operation of process Pi . Through the interactionsof process Pi with other processes, however, the secondaryeffect can be far-reaching. An undetected FDI attack maydrive interconnected state variables outside their respectivesafety limits causing actual damage to the physical plant. Totest whether the sensor Si has deceived the controller Ci bymeans of misleading data ya

i , the present method turns tothe aforementioned far-reaching effect of the attack.

J Hardw Syst Secur

Table 1 Impact of control action based on false data

Data Control

False True Action Impact

yai > OPi yi > OPi ki (OPi − ya

i ) Disproportionate

yai > OPi yi ≤ OPi ki (OPi − ya

i ) Opposite

yai ≤OPi yi ≤ OPi 0 Asymptomatic

yai ≤OPi yi > OPi 0 Opposite

5.4 Assessing Evidence of Attack from Far-flungObservers

In the literature [41], fault detection generates residualsbetween the data yi supplied by Si and estimates basedon the model of process Pi . If the mean value of resid-uals becomes non-zero or another statistical inconsistencyoccurs, then a fault is declared. The approach, however, isnot appropriate for detecting anomalies due to maliciousagents. For example, the replay attack uses prior recordingsas false data ya

i to elude conventional fault detectors, sincepast data pass the test of statistical consistency [22].

Following the method of [26], instead of estimates basedon the model of Pi , the present approach uses model-basedestimates of xi from far-flung processes interconnected withPi such as Pj in Fig. 2. The dynamics of the physical plantin Eq. 1 are rendered as a directed graph. Subject to discov-ery of an observable sub-graph or spanning tree, estimatesof xi can be obtained from models of processes that areend-nodes on a path starting at xi and, more importantly,from the measurements of their respective sensors. If thespanning tree includes more than three branches (the mini-mum required for redundancy), selection criteria such as theobservability Gramian can be employed. Let Pj , Pk , and Pl

be processes connected to Pi via an observable sub-grapheach measured by sensors Sj , Sk and Sl , respectively. From

themain result in [26], far-flung observersO(i)j ,O(i)

k , andO(i)l

can be constructed to estimate independently the state xi .

5.5 Reaching Consensus on Global State Estimates

State estimates of the suspect node are generated by eachremote node as discussed in Section 5.4. These estimatesare exchanged over a connected and directed consensus net-work as discussed in Section 4 where each node implementsa distributed average consensus algorithm [42] based onneighboring estimates to reach agreement on a global esti-mate of the suspect state, yc

i , of xi . An example of whichis shown in Fig. 3. Consensus is reached when all nodesconverge to the same value.

Let yij be the estimate of xi by node Sj . A sample ofthe signal yij is used to initialize the consensus algorithm,

Fig. 3 Directed and connected consensus network for n = 4 sensornodes. Each sensor node exchanges its estimate of process xi on thenetwork to reach the global estimate yc

i

which evolves faster than the process dynamics accordingto the following model [42]:

dyij

dt=

∑

k∈Nj

(yik − yij ) , (2)

where Nj is the set of nodes within the geographic vicinityof Pj . By virtue of the consensus network being connected

and directed, the consensus value, yci , is an average of the

initial states estimates [13]

yci = 1

card(Ni )

∑

j∈Ni

yij ,

where Ni is the set of sensor-nodes on the observable sub-graph and card(·) denotes the cardinality of a set. yc

i theglobal estimate of state xi .

5.6 Testing the Attack Hypothesis

In the field of detection theory, there are the following twomain approaches: (1) the Bayesian decision theory and (2)the Neyman-Pearson (N-P) theory. Here, the authors employN-P theory as the problem at hand is binary detection, thatis, an attack is present or not. In the N-P approach, the sizeof the hypothesis test (or false alarm rate) is selectable whileits power (or probability of detection) is optimized.

Based upon the observation xH = yci , the macro-level

(using the H subscript for high level) hypothesis test acceptsor rejects θ1. Given that variance is due to the sensor noisewi , the null and alternate hypotheses correspond with twoGaussian populations N(mH(θ0), σ 2

H) and N(mH(θ1), σ 2H)

having different medians, but the same standard deviation,σH = σw. The center of the null distribution is mH(θ0) =E[yi], where E[yi] denotes the expected value of the datafrom sensor Si . The alternative distribution’s center is mH

(θ1) = mH(θ0) + dH, where the distance between, dH, deter-mines the Signal-to-Noise Ratio (SNR) of the detector, dH

σH.

The alternate hypothesis θ1 is accepted if the evidencexH = yc

i is ν-times more likely to be an event from the

J Hardw Syst Secur

alternative than the null distribution. Equivalently [43], θ1 isaccepted if xH ≥ τH where the threshold is defined as

τH = E[yi] + dH

2+ σ 2

Hη

dH(3)

and η = ln ν. Figure 4 shows an overview of the entiremacro-detector.

5.7 Detection Epoch

The detection epoch, Tepoch, is the total length of the follow-ing three intervals: the time for (1) the far-flung observersto produce estimates, plus (2) the consensus network to coa-lesce, and (3) for the hypothesis test to declare or reject anattack. The processes of the physical plant change slowlywithin the observation epoch, which affords the collec-tion of multiple samples from the process sensors includingthe suspect one. Therefore, the ensemble average E[yi] isapproximated by the following temporal average:

E[yi(pTepoch)] ≈ 1

Tepoch

∫ pTepoch

(p−1)Tepochyi(t)dt ,

where p = 1, 2, . . . , Ne and Ne is the total number ofepochs collected.

6 Micro-Level Detection

To detect whether code running on a sensor’s computingdevice is generating FDI, a low-level, non-intrusive tech-nique using side-channel data in the form of power leakagefrom the sensor’s processor was employed.

Power analysis was chosen as the basis for this workbecause of its fundamental relation to circuit operation ascompared to electro-magnetic, acoustic, or differential faultsignals. While it does require physical access to the powersupply of a target integrated circuit or device, only theaddition of a resistor and some way to measure the volt-age over it are necessary. This relates software execution

Fig. 4 Block diagram of Macro-Level Anomaly Detector. Estimatesof the state xi , respectively, yij , yik, yil are combined to form a singleglobal state estimate of process Pi . The global estimate, yc

i is thencompared with E[yi ] in the macro-level hypothesis test to determinewhether or not an attack is present

to hardware operation in order to monitor execution. Everymicro-controller has a fixed set of machine-level instruc-tions that are the building blocks of all the functions it canperform. Figure 5 shows a set of three instructions from theTI MSP430. Based on a visual comparison of their powertrace measurements, it appears that different instructionscan be distinguished. Similar instructions have signaturesthat are closer together that would likely take more measure-ments to differentiate as opposed to the third instruction thathas larger amplitude deviations. Here “instr1” and “instr2”were two AND logical operations that utilized a similar setof hardware resources, while “instr3” was an ADD operationthat utilized the arithmetic unit within the micro-controllerwhich accounts for its higher amplitude.

The architecture of the micro-level detector is based on adata-driven approach. After a large number of power tracemeasurements are collected, statistical information is calcu-lated to determine an estimate of the inner state of an ICinside a sensor’s computing device. A training set of data iscreated when the micro-controller is operating in a knowngood configuration. Later measurements are compared withthe training set to determine if the controller is still oper-ating in the known good state or if an attack has modifiedthe code and it is now performing different functions thanintended.

6.1 Forming the Training Data

To determine a parameter of detection to combine withthe macro-level detector, a simplified method utilizing thesame FPGA hardware and collection method as [36] wasproposed and verified [13]. A set of power supply cur-rent waveforms bk(n), where 0 < n < Nmax for Nmax

observations over a certain window of clock cycles is col-lected when the sensor Si is operating in a known good(baseline) state and averaged together to form a reference

Fig. 5 Example of several power transient traces collected from themicro-level monitor. Two copies each of three different two-cycleinstructions from the MSP430 are plotted

J Hardw Syst Secur

waveform, bgw(n) = 1M

∑Mk=1 bk(n),where bgw(n) is the

“golden waveform” generated from the point-wise averageover the training set of M waveforms.

The scope instrument that captures power profile obser-vations has a buffer size Bosc > Nmax. Since Nmax, whichis tied to the length of the specific sequence of instruc-tions being executed, is not an exact divisor of Bosc, thepower supply current waveforms are offset within every col-lection of Bosc observations. A pattern detection schemebased on cross-correlating a window of power data obser-vations is performed to determine the offset which thenallows subsequent waveform measurements to be alignedfor comparison.

6.2 Assessing Evidence of Attack

After deployment, new power supply traces a(n) are col-lected and compared to the golden waveform by first remov-ing their direct current (dc) components (the mean over theentire sequence) aac(n) = a(n) − adc(n) then calculating acorrelation metric,

ρi =∑Nmax

n=1 aac(n) · bac(n)√∑Nmax

n=1 a2ac(n) · ∑Nmaxn=1 b2ac(n)

. (4)

The micro-level detector compares the calculated corre-lation coefficient metric, xL = ρi from sensor Si , between atest sample and a golden waveform to a threshold, declaresthe presence or absence of an anomaly. Per [13], ρi fol-lows Gaussian PDF N(mL, σ 2

L). The median and varianceof the metric for the null hypothesis was experimentallydetermined based on a large number of measurements ofthe correlation metric for test samples collected before thesensor node is deployed.

The SNR dLσL

can be selected to determine dL to place thealternative hypothesis median using mL(θ1) = mL(θ0)−dL.Here, the displacement is negative since the power profilescollected during a deceptive attack are less correlated to thegolden waveform.

The threshold τL is then determined based on the multi-plication factor ν, similar to (Eq. 3) τL = E[ρi]− dL

2 −σ 2L

ηdL.

Figure 6 shows an overview of the micro-level detector.

6.3 Performance Parameters of the Micro-detector

The FPGA-based testbed was designed to be an emula-tion platform paired with a very capable measurement tool,the high-speed and large sample size oscilloscope. Thisarrangement allows for the capture of more precise datawhich can then processed to represent lower quality data,but starting with lower quality data there is no way to dothe reverse. In this work, to simulate the performance of adeployable system described in Section 4, the high-fidelity

Fig. 6 Block diagram of micro-level anomaly detector. Power-supplyobservations on sensor Si , that form the reference waveform b(n) areprocessed through a training phase to generate the golden waveform,bgw(n). As part of the testing phase, new waveforms staged a(n) arecollected from sensor Si and compared to bgw(n) using the correla-tion metric, ρi , defined in Eq. 4 which is then used in the micro-levelhypothesis test to determine whether or not an attack is present

data collected is transformed using MATLAB routines tomimic that of a lower cost Analog-to-Digital Converter(ADC) running at a slower rate and with fewer bits ofmeasurement precision. Once transferred to a computer,the discrete samples are decimated by a factor of five andquantized to levels that represented ten-bit resolution. Anexample of this process is shown in Fig. 7. The top plotshows the raw signal and the bottom shows the decimatedand quantized signal that is used to calculate the correlationmeasurements.

One parameter that affects the performance of the micro-detector is the number of waveforms that form the goldenwaveform. Additionally, instead of comparing each sampleto the golden waveform, multiple measurements can be firstaveraged together before calculating the correlation met-ric. This will have the effect of increasing the SNR, withthe trade-off of requiring a longer time to calculate eachresult. As expected, when larger number of signals wereaveraged together, the micro-level detector performed moreaccurately in that it had a higher true positive pate (definedin Section 8) when measuring a system under attack.

a

b

c

Fig. 7 Example of the effects of sampling the input signal (a), lessoften after decimation (b), and with fewer bits of precision afterquantization (c)

J Hardw Syst Secur

7 Cross-Level Detection

The macro- and micro-level detectors are related throughthe underlying hypotheses represented by the parameter θ .As described in Section 5, θ0 indicates that the system isnot under attack, while θ1 indicates that an attack is present.This section combines the disparate data of the precedingthreshold tests using a two-dimensional hypothesis test.

The following is the vector of macro- and micro-levelevidence, respectively, xH and xL, defined in the precedingsections:

X =[

xHxL

]=

[yci

ρi

].

Consider the random variableX (whichX is a value of) withtwo-dimensional Gaussian probability density fX(X|θ),parametrized in θ . As mentioned earlier, [13] establishes thesuitability of Gaussian PDF for these values. The null andalternate hypotheses correspond to fX(X|θ0) and fX(X|θ1),respectively. The two probability densities have differentmedians, respectively, M(θ0) and M(θ1), where

M(θ) =[

mH(θ)

mL(θ)

]

and the same covariance matrix:

R =[

σ 2H σHL

σHL σ 2L

].

The diagonal entries are respectively the variances of themacro- and the micro-level observations. On the cross-diagonal, the entries are σHL = E[xH · xL] − mH · mL.

The parameters of this model depend on the type ofattack, but the interest of this work in combining the detec-tors is to improve performance for the cases in which themicro- and macro-detectors present weakly correlated evi-dence, and particularly when one detector would not haveany ability to determine the presence of an attack at all.For example, when code has changed but the sensor stillreporting true values. This means that the component cor-responding to the detector which is unable to detect thisattack in the two-dimensional probability density fX(X|θ)

is insensitive to θ . To cover these possibilities, the cross-level detector is designed on the assumption that xH doesnot provide any information on xL (also vice versa) andσHL = 0. This does not preclude the use of the detec-tor against attacks when there is correlation between theindividual detectors.

Following the Neyman-Pearson approach [43], the log-likelihood ratio function, based upon the observation X, is

(X) = (M(θ1) − M(θ0))T R−1(X − X0) , (5)

where X0 the midpoint between the medians

X0 =[

xH0

xL0

]= 1

2(M(θ1) + M(θ0)) .

With σHL = 0, the log-likelihood ratio in Eq. 5 becomes

(X) = dH(yci − xH

0 )

σ 2H

+ (−dL)(ρi − xL0 )

σ 2L

, (6)

where the distances dH and dL are defined in preceding sec-tions. Using the same threshold, η = ln ν, as for the macro-and micro-level detectors, one performs the hypothesis testbelow:

if (X) ≥ η, accept θ1if (X) < η, reject θ1.

The test accepts θ1 if the observation is ν-times morelikely to be an event from the alternative than the nulldistribution.

8 Laboratory Experiment

The experimental set models a multi-compartment serverroom with a single-loop HVAC system. The temperaturefeedback to the controller will actuate fans to keep the com-partment below a safe operating temperature. In this work,two separate open-loop experiments were conducted to col-lect data from each anomaly detector. The data were thencombined and the output of the cross-level detector wascalculated.

8.1 Experimental Setup

To simulate the multi-compartment server room, the sim-plified 2-D macro-level experiment shown in Fig. 8, iscomprised of six Texas Instrument (TI) LM34 Fahrenheittemperature sensors spaced diagonally on a 8” × 8” × 1

8”aluminum plate which was thermally isolated on its under-side by a 10” × 10” piece of foam. Sensor S1 lay directlyon top of a 2” × 2” thermoelectric heating device, whichsimulates a heating load, which was mounted underneaththe upper left corner of the plate. When a load is applied,a Plexiglas isolation box is placed over the plate to min-imize convection effects due to ambient air flow from anair duct above the plate. The remaining sensors, S2, ..., S6,are mounted at 1”, 3”, 5”, 7”, and 9” from sensor S1.Each temperature sensor is connected to an LPC1768 ARMmicro-controller (mbed) which reads the analog output fromthe sensor and sends the temperature measurements every50 ms to a controller-area network (CAN) bus connectedin a daisy chain arrangement. An additional mbed monitorsthe CAN bus and communicates these temperatures over a

J Hardw Syst Secur

Fig. 8 Macro-level experimental setup showing the sensors posi-tioned on the aluminum plate and the mbed sensor nodes

serial connection to a laptop PC running MATLAB for dataprocessing.

At the micro-level, the micro-controller of a singlesuspect sensor is replicated by an instantiation of a TIMSP430 chip on an FPGA testbed (Fig. 9) which is acustom designed board that was connected to a TektronixDPO7354C Oscilloscope sampling at 200 Mega-samplesper second (MSPS) that measures the current passingthrough four shunt resistors in series with the power supplypins of the test FPGA chip. These data are transferred to aPC to be post-processed using custom MATLAB functionsto calculate the correlation coefficients (Eq. 4) as describedin Section 6.

Fig. 9 Custom differential power measurement board consisting ofan instrumented FPGA that can be configured to represent multiplemicro-controller architectures [13, 36]

The MSP430 was chosen as a representative low-powermicro-controller that is widely deployed in sensor nodes. Italso offers the advantage of an open source compatible core[44]. This experiment was conducted on two separate hard-ware platforms due to logistical limitations. Nevertheless,the authors believe there is value in using diverse micro-controllers which shows the combined method is applicableto a wide assortment of platforms.

In [36], the authors demonstrate the applicability ofa technique to detect instruction-level changes in controlcodes being executed on the micro-controller instance. Fur-ther research on this work has led to achieving similarresults on actual MSP430 micro-controllers, thereby show-ing a lot of promise on the applicability of the micro-leveldetector.

8.2 Experimental Design

At the start of the experiment, 2.25W (6V, 2.7A) wasapplied directly to the thermoelectric heating element andthe temperature field was allowed to heat up. Data was col-lected at each of the temperature sensors and sent to themaster node in groups of ten samples.

The temperature values y2, ..., y5 recorded at distantnodes S2, ..., S5 were used to estimate the reading of S1as y1X having been processed by a bank of observers. Theauthors have developed a dynamic finite-difference modelbased on the heat conduction equation. For the purposesof the present study, however, a second order polynomialregression model was employed instead. The regressionmodel was developed using temperature data gathered ateach sensor node over a large number of experiments runat 2.25 W with no replay attack. Compared to the high-fidelity finite-difference model, the regression model wasshown to sufficiently estimate the state under attack. Theestimates from each observer were the inputs for the consen-sus algorithm in Eq. 2 to predict yc

1, the global estimate ofthe temperature at the position of the suspect sensor S1. Dur-ing all experimental runs, sensor S1 (on top of the heatingelement) was the corrupted node.

For the micro-level experiment, two different codesequences were constructed that simulated a portion of thecode being run on the mbed sensor nodes. Two incrementinstructions were added to the deception code sequence,which represent the changes necessary to replay data, thatare read from memory instead of the ADC register location.Over 50,000 samples were collected for each code sequence(nominal and replay).

In order to elude detection, the attacker had the abilityto control how often the replay or false data was transmit-ted instead of sending the actual temperature measurement.An attacker who wanted to mask their presence would onlysend false data a few times out of a group of temperature

J Hardw Syst Secur

samples. In this experiment, the ratio of false to true datawas reported as a pair of numbers where the first value rep-resents the number of false data samples and the secondrepresents the number of true readings sent. For example,the ratio 4:6 (replay:nominal) represents that for every groupof ten sensor measurements, four report a false (lower) tem-perature reading from memory while the other six readingsare coming from the ADC connected to the temperature sen-sor reading the correct value. This approach allowed theauthors to vary the stealth effect of the attack to measure thedetectors’ performance in controlled but varying conditions.

Experiments for both the macro- and micro-level setupwere run for both the no attack (θ = θ0) and attack present(θ = θ1) cases. For the attack present cases, the ratio ofthe number of data samples corrupted versus true varied asa fraction of the ten total samples. This was carried out atthe macro-level by sending a parameter to the compromisednode that would change how many samples it would storethen later read from memory during each group of ten sam-ples sent. At the micro-level the mixture was constructed byforming different collections of nominal or replay samplesat the proper ratio.

Because the two experiments ran at two different timescales, a conversion between them was made to ensureconsistency. Each sample represented a single temperaturereading at the macro-level, and one loop through the sam-ple code at the micro-level. As described in Section 5.7,the macro-level detector cycled every epoch (which wasset to Tepoch = 2.7s and comprised ten samples) and pro-duced a consensus temperature value yc

i . Time-sequencedmicro-level data were mapped to match this rate and a singlecorrelation value, ρi , was calculated for each epoch. Cross-level detection results were calculated based on the matchedconsensus temperature estimate and correlation value foreach epoch using Eq. 6 as it applied to sensor S1.

Two specific metrics were defined that assessed accuracyof the detectors based on the observations of the combinedexperiment over 150 epochs. The first metric is the cumu-lative number of rejections, (#rejX), where X representedeither the macro-level detector (H), micro-level detector (L),or combined detector (C). This metric counts the numberof false negative determinations (also known as a Type IIerror) that the detector incorrectly rejected the alternativehypothesis when the system was in fact under attack. TheTrue Positive Rate (TPRX) was also calculated based onthe number of correct determinations of an anomaly present(the N-P test decided the alternative hypothesis was true)when the system was under attack. The second metric is thecumulative number of accepts which is the running tally ofthe false positive determinations (also known as a Type Ierror) when the system was not under attack. The False Pos-itive Rate (FPRX) was calculated based on the number ofincorrect determinations of an anomaly present when in fact

the system was not under attack. The percentages reportedare not an estimate of expected future performance, but ameasure of the observed rates.

To assess detector latency, the authors defined the met-ric, TX, time until detection, which represents the number ofepochs required to reach three consecutive determinationsof the presence of an attack and corresponds to the firstplateau of the plot of Cumulative Rejects vs Epochs (shownin Figs. 11 and 12). The subjective rule used three consec-utive detections was based on the need for the detector toreach a level of stability before determining the presence (orabsence) of an attack. TX was determined by inspection ofthe Cumulative Rejects plots.

9 Results

Two performance criteria form the basis for comparison ofthe cross-level detector with the individual detectors. First,detector accuracy how often the detector correctly deter-mined the presence of an attack. Second, detector latencyhow quickly it reached a stable result.

9.1 Accuracy Results

As described in Section 8.2, the number of rejects (#rejX)is the total number false negative determinations over theentire experiment. The True Positive Rate (TPR) is thepercentage of correct identifications when the system wasunder five different attacks with varying ratios of false:truedata within each epoch.

Table 2 shows the cross-level detector demonstrates bet-ter accuracy than either individual detector. It also highlightsthat the smaller the false to true ratio of the attack, the lowerthe rate of correct detection (TPR). The trend is observedacross the micro-, macro-, and cross-level decision-making.The cross-level detection rate, however, decreases by a smalleramount and thus is less sensitive to the false to true ratio.

It is expected that an attack with lower false to true ratiowill have a smaller impact on the process. The experiment is

Table 2 Accuracy Comparison, the Cross-level Detector outperformsboth the macro- and micro-level detectors by achieving a higher TPRthan the individual detectors in all cases

Ratio #rejH TPRH #rejL TPRL #rejC TPRC

False:true

3:7 82 45.3% 31 79.3% 25 83.3%

4:6 67 55.3% 31 79.3% 20 86.7%

5:5 34 77.3% 32 78.7% 10 93.3%

6:4 11 92.7% 10 93.3% 0 100%

7:3 12 92.0% 8 94.7% 1 99.3%

J Hardw Syst Secur

not designed to assess impact due to misled control action.The case of all-false data, however, does simulate the sys-tem’s response to the feedback signal incorrectly below theoperating temperature; refer to Table 1. Such an attack aimsat maximum impact and both micro- and macro-level detec-tors demonstrated excellent performance with TPR nearly100% after repeated trials.

Figure 10 shows one trial when the system was not underattack, that is, all sensors were reporting normally. Thegraph shows the demonstrated FPR of both detectors. Overseveral runs, the macro-level detector was consistently 0%and micro-level averaged 6%.

9.2 Latency Results

As described in Section 8.2, time until detection (TX) wasthe number of epochs before three consecutive detectionswere reported when the system was under five differentattacks.

Table 3 shows that the combined detector in all casesreaches the correct decision faster than the macro-leveldetector. While the latency of the combined detector in thecase of 5:5, 4:6, and 3:7 is slightly larger than the micro-level detector, this increase in latency is mitigated by theincrease in accuracy for these three cases as discussed inSection 9.1 and shown in Table 2.

9.3 Analysis of Results

The detection rate at the macro-level rises as the impactof the attack results in a higher SNR. Although the micro-level detector works independently of the macro-level SNR,cross-level detection benefits from the improved perfor-mance of its macro component. Conversely, the macro-level detection rate decreases with a lower SNR. With themicro-level detector being independent of the macro impact,

Fig. 10 Detection results when no attack is present. The combinedanomaly detector never reports a false attack on the system as com-pared to the micro-level detector which periodically reports a falseattack

Table 3 Latency comparison, the cross-level detector always declaresan anomaly prior to the macro-level detector

Ratio TH TL TC

False:true (Epochs) (Epochs) (Epochs)

3:7 46 11 23

4:6 27 4 11

5:5 17 6 10

6:4 11 4 4

7:3 11 3 3

cross-level detection relies on its micro component todeclare an attack that seems asymptomatic.

The initial portion of Fig. 11 shows that while the falsedata being reported is close in value to the true value beingestimated from the other sensors, the macro-level detectorshows worse performance as signified by a large numberof rejects. Once the heating dynamics have taken place andthe replay temperatures are further from the actual temper-ature, the actual SNR has increased and the macro-leveldetector, designed for low SNR, performs excellently. Theseresults demonstrate a key difference between the two detec-tors, in that although it takes longer for the macro-level toreach its conclusion, once it does so it is very accurate.The micro-level detector does not have this delay, but sinceit is not taking advantage of the additional information ofthe physical system and measurements, its overall aggregatedetection rate will show occasional missed detections whichwill result in a lower TPR as time increases compared to thecross-level detector.

Figure 12 shows the results when presented with a morestealthy attack. Within each epoch, only three false valuesare sent. This has the effect of all three detectors takinglonger to successfully identify the attack.

Fig. 11 Detection performance with attack ratio 7:3. The cross-level detector correctly flags the attack at the start of the experimentleveraging the micro-level data. The combined detector consistentlyrecognizes the presence of an attack, after one miss in the first epoch,whereas the macro- and micro-level detectors periodically miss attacks

J Hardw Syst Secur

Fig. 12 Detection performance with attack ratio 3:7. All three detec-tors take longer to detect the attack. The blue shaded region representsthe macro-level detector’s period of transition before the false tem-perature has moved far enough away from the real temperature to bedetected

After detection, the feedback signal is considered com-promised. The defender has the option to close the loop bysupplying the consensus estimate to the controller albeit at alower rate. Although beyond its scope, the presented methodprovides all the information needed to have such utility.

If the micro-level detector could be deployed to all of thesensors and operated with a judicious energy budget, then itsability to provide a quick and localized result would be ben-eficial to the macro-level detector. The macro-level detectorwould then already know which sensor was under suspicion,greatly simplifying the number of calculations required oth-erwise. If the macro-level detector could be implementedat a server site with greater computing resources and limit-less power, it could trigger a dormant micro-level detectorwhose data could be part of a more secure control mode.This mode could communicate via an alternate channel andonly trust measurements accompanied by a valid powersignature.

The cross-level detector on average, across all five replayratios, achieved a 93% rate of correct detection, comparedwith 72 and 85% for the macro- and micro-level detectorsrespectively; and a 50% reduction in latency compared tothe macro-level detector.

10 Discussion

The previous section described the performance of eachdetector subject to one replay-based deception attack. Themacro-level detector is driven by the values of the dataand is thus both more reliable and accurate in the longterm, although it takes longer to reach the correct deci-sion. Complementing that, the micro-level detector works

independently of the data being sent out of the sensor so ityields a faster result, but does not reach the same level ofaggregate accuracy of the macro-detector. Other attacks thatwill be exposed when employing the cross-level detector arediscussed below.

Spoofing the measurement, which is the signal receivedby the sensor, is one example of an attack that would notbe detected at the micro-level, since no changes to the codeneeds to take place. The macro-level detector should beable to detect this attack as the actual SNR increases. Sus-pected false GPS signals [45] caused US Navy vessels tounknowingly venture into Iranian waters.

Sybil Attacks [46] are effective against distributed or adhoc networks. It is an attack where a node or an attackeron the communication network takes on multiple identitiesin an attempt to overwhelm or out-vote normal redundancyprotection methods. If the attack is staged solely at the net-work level, a micro-detector will not be able to detect it.The macro-level detector may also be fooled if there is nota fixed limit on the number and placement of sensor nodesthat can report. A combined system could use the existenceof micro-detector data as an authentication method requiredfor nodes to report sensor values. Synthetic nodes wouldneed to also produce false power measurements if such acombined system was employed, a task that would be muchharder if the micro-data were passed via a separate and moresecure channel.

An attacker cognizant that a consensus algorithm is beingemployed to detect intrusions and injection of false data willattempt to send specifically targeted sensor values that needto work in concert with the other sensor values to eludedetection. If this kind of attack is launched from within acompromised sensor, the amount of code that would needto be changed will necessarily have a large power signa-ture difference when compared to an unmodified sensornode, and thus be easy for a micro-level detector to correctlyidentify.

11 Conclusion

This paper demonstrated the utility of the combined micro-and macro-level approaches and showed how both lev-els complimented each other in a hardware based physicalexperiment. The cross-level detector on average achieveda 93% rate of correct detection, compared with 72% and85% for the macro- and micro-level detectors respectively;and a 50% reduction in latency compared to the macro-leveldetector. The authors believe that the framework presentedcan be used to solve several security problems in dis-tributed cyber-physical systems which would otherwise bechallenging.

J Hardw Syst Secur

Funding Information This work was supported by the U.S.Office of Naval Research under Awards N00014-15-1-2179 andN0001417WX01442.

References

1. Kim KD, Kumar PR (2012) Cyber-physical systems: a perspectiveat the centennial. Proc IEEE 100:1287–1308

2. National Science Foundation (2017) Cyber-Physical Systems(CPS) Program Solicitation. https://www.nsf.gov/pubs/2017/nsf17529/nsf17529.htm, accessed 26 June 2017

3. Ray S, Jin Y, Raychowdhury A (2016) The changing computingparadigm with internet of things: a tutorial introduction. IEEE DesTest 33(2):76–96. https://doi.org/10.1109/MDAT.2016.2526612

4. Khorrami F, Krishnamurthy P, Karri R (2016) Cybersecurityfor control systems: a process-aware perspective. IEEE Des Test33(5):75–83. https://doi.org/10.1109/MDAT.2016.2594178

5. (2016). ICS-CERT (Industrial Control Systems Cyber Emer-gency Response Team) Year in Review 2016. Tech. rep., NationalCybersecurity and Communications Integration Center (NCCIC).https://ics-cert.us-cert.gov/sites/default/files/Annual Reports/Year in Review FY2016 Final S508C.pdf

6. Liang G, Weller SR, Zhao J, Luo F, Dong ZY (2017)The 2015 Ukraine blackout: implications for false data injec-tion attacks. IEEE Trans on Power Syst 32(4):3317–3318.https://doi.org/10.1109/TPWRS.2016.2631891

7. Lee RM, Assante MJ, Conway T (2016) Analysis of the cyberattack on the Ukrainian power grid. SANS Ind Control Syst.https://ics.sans.org/media/E-ISAC SANS Ukraine DUC 5.pdf

8. Castro M, Liskov B (1999) Practical byzantine fault tolerance. In:Proceedings of the Third Symposium on Operating System Designand Implement (OSDI), pp 173–186. http://dl.acm.org/citation.cfm?id=296806.296824

9. Ren W, Beard RW (2005) Consensus seeking in multiagent sys-tems under dynamically changing interaction topologies. IEEETrans on Autom Control 50(5):655–661. https://doi.org/10.1109/TAC.2005.846556

10. Parno B (2008) Bootstrapping trust in a “Trusted” platform. In:Proceedings of the 3rd Conference on Hot Topics in Security,pp 9:1–9:6. http://dl.acm.org/citation.cfm?id=1496671.1496680

11. Gollmann D (2012) Veracity, plausibility, and reputation. In: Pro-ceedings of Information Security Theory and Practice, pp 20–28.https://doi.org/10.1007/978-3-642-30955-7 3

12. Kocher P, Jaffe J, Jun B, Rohatgi P (2011) Introductionto differential power analysis. J of Cryptogr Eng 1(1):5–27.https://doi.org/10.1007/s13389-011-0006-y

13. Croteau B, Krishnankutty D, Robucci R, Patel C, Banerjee N,Kiriakidis K, Severson T, Rodriguez-Seda E (2017) Cross-leveldetection of sensor-based deception attacks on cyber-physicalsystems. In: Proceedings of the 7th Annual IEEE InternationalConference on CYBER Technology in Autonomous, Control, andIntelligent System

14. Rajkumar RR, Lee I, Sha L, Stankovic J (2010) Cyber-physicalsystems: the next computing revolution. In: Proceedings ofthe 47th Design Automation Conference (DAC), pp 731–736.https://doi.org/10.1145/1837274.1837461

15. Cardenas AA, Amin S, Sastry S (2008) Research challenges forthe security of control systems. In: Proceedings of the 3rd Con-ference on Hot Topics in Security, pp 6:1–6:6. http://dl.acm.org/citation.cfm?id=1496671.1496677

16. Liu J, Xiao Y, Li S, Liang W, Chen CLP (2012) Cyber secu-rity and privacy issues in smart grids. IEEE Commun Surv Tutor14(4):981–997. https://doi.org/10.1109/SURV.2011.122111.00145

17. He H, Yan J (2016) Cyber-physical attacks and defences in thesmart grid: a survey. IET Cyber-Phys Syst: Theory Appl 1(1):13–27. https://doi.org/10.1049/iet-cps.2016.0019

18. Stouffer K, Lightman S, Pillitteri V, Abrams M, Hahn A (2014)NIST Special Publication 800-82 Revision 2, Guide to IndustrialControl Systems (ICS) Security. Natl Inst of Stand and Technol.https://doi.org/10.6028/NIST.SP.800-82r2

19. Amin S, Litrico X, Sastry S, Bayen AM (2013) Cyber securityof water SCADA systems-part I: analysis and experimentation ofstealthy deception attacks. IEEE Trans on Control Syst Technol21(5):1963–1970. https://doi.org/10.1109/TCST.2012.2211873

20. Zhu B, Joseph A, Sastry S (2011) A taxonomy of cyber attackson SCADA systems. In: Proceedings of 2011 IEEE Interna-tional Conference on Internet of Things and Cyber, Phys and SocComput, pp 380–388. https://doi.org/10.1109/iThings/CPSCom.2011.34

21. Liu Y, Ning P, Reiter MK (2011) False data injection attacksagainst state estimation in electric power grids. ACM Trans InfSyst Secur 14(1):13:1–13:33. https://doi.org/10.1145/1952982.1952995

22. Mo Y, Sinopoli B (2009) Secure control against replay attacks.In: 47th Annual Allerton Conference on Communication, Control,and Computing, pp 911–918. https://doi.org/10.1109/ALLERTON.2009.5394956

23. Murguia C, Ruths J (2016) CUSUM and chi-squared attack detec-tion of compromised sensors. In: 2016 IEEE Conference onControl Applications (CCA), pp 474–480. https://doi.org/10.1109/CCA.2016.7587875

24. Fawzi H, Tabuada P, Diggavi S (2014) Secure estimation and con-trol for cyber-physical systems under adversarial attacks. IEEETrans on Autom Control 59(6):1454–1467. https://doi.org/10.1109/TAC.2014.2303233

25. Ivanov R, Pajic M, Lee I (2016) Attack-resilient sensor fusionfor safety-critical cyber-physical systems. ACM Trans EmbedComput Syst 15(1):21:1–21:24. https://doi.org/10.1145/2847418

26. Kiriakidis K, Severson T, Connett B (2016) Detecting and Isolat-ing Attacks of Deception in Networked Control Systems. In: 2016IEEE International Conference on Autonomic Computing (ICAC),pp 269–274. https://doi.org/10.1109/ICAC.2016.14

27. Olfati-Saber R, Murray RM (2004) Consensus problems in net-works of agents with switching topology and time-delays. IEEETrans on Autom Control 49(9):1520–1533. https://doi.org/10.1109/TAC.2004.834113

28. Rodriguez-Seda EJ, Severson T, Kiriakidis K (2016) Recov-ery after attacks of deception on networked control systems. In:Proceedings of the 9th International Symposium on Resilient Con-trol Systems, pp 109–114. https://doi.org/10.1109/RWEEK.2016.7573316

29. Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In:Advances in cryptolog – CRYPTO’99. Springer, pp 789–789

30. Standaert FX, Malkin TG, Yung M (2009) A Unified Frameworkfor the Analysis of Side-Channel Key Recovery Attacks, pp 443–461. https://doi.org/10.1007/978-3-642-01001-9 26

31. Lee J, Tehranipoor M, Patel C, Plusquellic J (2007) Securingdesigns against scan-based side-channel attacks. IEEE Trans onDepend and Secur Comput 4(4):325–336. https://doi.org/10.1109/TDSC.2007.70215

32. Lin L, Kasper M, Guneysu T, Paar C, Burleson W (2009) Trojanside-channels: lightweight hardware Trojans through side-channelengineering, pp 382–395. https://doi.org/10.1007/978-3-642-04138-9 27

33. Tehranipoor M, Koushanfar F (2010) A survey of hardware trojantaxonomy and detection. IEEE Des Test of Comput 27(1):10–25.https://doi.org/10.1109/MDT.2010.7

J Hardw Syst Secur

34. Narasimhan S, Du D, Chakraborty RS, Paul S, Wolff FG,Papachristou CA, Roy K, Bhunia S (2013) Hardware trojandetection by multiple-parameter side-channel analysis. IEEETrans on Comput 62(11):2183–2195. https://doi.org/10.1109/TC.2012.200

35. Bhunia S, Hsiao MS, Banga M, Narasimhan S (2014) Hard-ware trojan attacks: threat analysis and countermeasures. ProcIEEE 102(8):1229–1247. https://doi.org/10.1109/JPROC.2014.2334493

36. Krishnankutty D, Robucci R, Banerjee N, Patel C (2017) Fis-cal: firmware identification using side-channel power analysis.In: 2017 IEEE 35th VLSI Test Symposium (VTS), pp 1–6.https://doi.org/10.1109/VTS.2017.7928948

37. Eisenbarth T, Paar C, Weghenkel B (2010) Building a side chan-nel based disassembler. In: Gavrilova ML, Tan CJK, MorenoED (eds) Transactions on Computational Science X: Special Issueon Security in Computing, Part I. Berlin Heidelberg, SpringerBerlin, pp 78–99. ISBN: 978-3-642-17499-5. https://doi.org/10.1007/978-3-642-17499-5 4

38. Msgna M, Markantonakis K, Mayes K (2014) Precise Instruction-Level Side Channel Profiling of Embedded Processors, pp 129–143. In: 26th USENIX Security Symposium (USENIX Security17). https://doi.org/10.1007/978-3-319-06320-1 11

39. McCann D, Oswald E, Whitnall C (2017) Towards practical toolsfor side channel aware software engineering: ‘Grey Box’ modelling

for instruction leakages. In: 26th USENIX Security Symposium(USENIX Security 17). USENIX Association, Vancouver, BC,pp 199–216. ISSN: 978-1-931971-40-9. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/mccann

40. Park J, Tyagi A (2017) Using power clues to hack IoT devices:the power side channel provides for instruction-level disassembly.IEEE Consum ElectronMag 6(3):92–102. https://doi.org/10.1109/MCE.2017.2684982

41. Astrom K, Albertos P, Blanke M, Isidori A, Schaufelberger W,Sanz R (2001) Control of complex systems. https://doi.org/10.1007/978-1-4471-0349-3

42. Olfati-Saber R, Fax JA, Murray RM (2007) Consensus and coop-eration in networked multi-agent systems. Proc IEEE 95(1):215–233. https://doi.org/10.1109/JPROC.2006.887293

43. Moon TK, Stirling WC (2000) Mathematical methods and algo-rithms for signal processing. ISBN 978-0201361865

44. opencoresorg (2016) openMSP430 Overview. https://opencores.org/project,openmsp430, accessed 18 Oct 2017

45. Psiaki ML, Humphreys TE, Stauffer B (2016) Attackers can spoofnavigation signals without our knowledge. IEEE Spectr 53(8):26–53. https://doi.org/10.1109/MSPEC.2016.7524168

46. Newsome J, Shi E, Song D, Perrig A (2004) The Sybil attackin sensor networks: analysis & defenses. In: Proceedings of the3rd International Symposium on Information Process in SensorNetwork, pp 259–268. https://doi.org/10.1145/984622.984660