Covert Channels in Stochastic Cyber-Physical Systems

A covert channel is a communication channel that is not intended to exist, and that can be used to transfer information in a manner that violates the system security policy. Attackers can abuse such a channel to exfiltrate sensitive information from cyber-physical systems (CPSs), e.g., to leak the confidential or proprietary parameters of a control system. Furthermore, attacks against CPSs can exploit the leaked information about the implementation of the control system, e.g., to determine optimal false data injection attack values that degrade the system performance while remaining undetected. In this paper, we present a control-theoretic approach for establishing covert channels in stochastic CPSs. In particular, we consider a scenario where an attacker is able to inject malware into the networked controller and arbitrarily alter the control logic. By exploiting such a capability, an attacker can establish an illegitimate communication channel, e.g., to transmit sensitive plant parameters, between the networked controller and an eavesdropper intercepting the sensor measurements. We show that such a channel can be established by exploiting the closed-loop system operations, a decoding mechanism based on an unknown input observer, and an error-correcting coding scheme that exploits the control loop to obtain an implicit acknowledgement. A simple proof-of-concept implementation of the covert channel is presented, and its performance is evaluated by means of a numerical example. Finally, we propose some defences and countermeasures against the proposed covert channel.


Introduction
The development of cyber-physical systems (CPSs) aims to improve the capabilities of traditional engineering systems by introducing advanced computational capacity and communications among system entities. On the other hand, the adoption of such technologies introduces a threat and exposes the system to cyber-attacks. Given the unique properties of CPSs, e.g., their physical interaction with the environment, malicious parties might be interested in exploiting the physical properties of the system in the form of cyber-physical attacks [1]. Attacks on CPSs have been investigated from different angles [2]. Since in a large class of CPSs the physical systems are controlled using a feedback control loop, the majority of previous research works have investigated control-theoretic techniques to detect and mitigate cyber-attacks affecting the communication channels between the plant and the controller [3,4].
Recently, the privacy of cyber-physical systems has received increasing attention and different privacy preserving solutions against eavesdropping attacks have been proposed [5][6][7]. On the other hand, the problem of securing CPSs against intruders targeting the control algorithm operations to covertly leak sensitive information from CPSs, such as confidential/proprietary gains in a control system, has not received sufficient attention. This leaked information can be exploited by attackers to launch further attacks against CPSs, e.g., to determine optimal false data injection attack values that degrade the system performance while remaining undetected.
In this paper, we take a step in this direction and investigate the existence of covert channels in stochastic CPSs. This problem is of particular interest for the CPS community because it can potentially enable an internal adversary (e.g., malware in the controller) to transmit sensitive plant information to external entities while bypassing existing attack detection mechanisms and privacy-preserving solutions.

Related works
A covert channel is an evasion technique that aims to illicitly transfer information in an unauthorized and secretive manner that violates the existing security policy. While encryption can be used to protect communication from being decoded by an unauthorized party [8], a covert channel aims to hide the very existence of such communication. During the investigation of monolithic systems, Lampson [9] introduced covert channels as a mechanism by which a process at a high-security level can leak information to a process at a low-security level. In particular, Lampson defined covert channels as "channels not intended for information transfer at all". Similarly, the US Department of Defence (DoD) defines covert channels as "any communication channels that can be exploited by a process to transfer information in a manner that violates the system's security policy" [10]. According to the "Orange Book" [11] of the US DoD, system developers shall conduct a thorough search for covert channels and make a determination, either by actual measurement or by engineering estimation, of the maximum bandwidth of each identified channel. Also, the continued existence of identified covert channels in the system must be justified.
In the context of Information Technology networks, covert channels can be established by abusing different communication protocols and shared computing/storage resources. Different methodologies have been proposed to establish covert channels, e.g., see the timing-based and storage-based covert channels in [12]. As the name suggests, timing-based channels utilize delay to separate bits of information shared between two malicious parties. On the other hand, storage-based channels utilize shared storage or memory resources that are not designed to transfer data. Covert channels have also been used to send information from air-gapped machines, by encoding information over physical infrastructures that cannot be noticed with the naked senses, such as inaudible speaker sounds, acoustical mesh, and optical emanations [13][14][15][16][17][18].

Covert Channels in CPSs:
The existence of covert channels in CPSs and their associated vulnerabilities have been investigated by many authors. In [19,20], Chhetri et al. demonstrated how CPSs are prone to covert information leakage from the physical domain. In particular, they explained how analog emissions such as vibration, acoustic, magnetic, and power could allow attackers (monitoring these analog emissions) to determine the correlation between the observed phenomena and the cyber-domain data. As a consequence, the attackers can leverage this relation to breach the confidentiality of the system. The authors also presented a 3D-printer proof-of-concept case study where they demonstrated how acoustic analog emissions could reveal parameters such as speed, direction, axis, and extrusion. Uluagac et al. [21] showed that using sensory channels such as light, temperature, and infrared, an adversary can trigger existing malware, transfer malware, or combine malicious use of different sensory channels to increase the impact of the attack on CPS devices. They also introduced the design of a sensory channel-aware intrusion detection system as a protection mechanism against sensory channel threats for CPSs. Another example of covert channels in CPSs, which borrows the idea of an air-gapped receiver, is described in [22], where the adversary is assumed to be able to load malicious code onto a Programmable Logic Controller (PLC) to change the actuation signals being output to the motors. The actuation signal is then perturbed to transmit sensitive information covertly by creating analog acoustic channel signatures without changing the closed-loop process characteristics. In [23], a covert channel specifically designed against power grid cyber-physical critical infrastructures through physical substrates, e.g., line loads, is proposed. Using this approach, two compromised controllers that are miles apart can coordinate their efforts by manipulating relays to modify the power network's topology.
In [24], Wendzel et al. studied the threat of covert channels in building automation system (BAS) protocols. The authors presented network covert storage and network covert timing channels in the network and application layers of the BACnet protocol stack to show that protocol-level covert channels in BAS are feasible. In [25], Alcaraz et al. addressed the security issues related to covert channels applied to industrial networks, identifying new vulnerability points where information technologies converge with operational technologies such as edge computing infrastructures. Specifically, the authors defined two signalling strategies where they exploit the Modbus/transmission control protocol (TCP) as the target to set up a covert channel. The authors also discussed some possible mitigation and defensive measures. In [26], [27], information flow analysis techniques were used to analyze covert channels in CPSs. In particular, Gamage et al. [26] presented a general theory of event compensation as an information flow security enforcement mechanism for CPSs. The fundamental research problem being investigated is that externally observable events in modern CPSs have the propensity to covertly divulge sensitive settings to adversaries, resulting in a confidentiality violation. To mitigate such violations, the authors proposed to use information flow security-based enforcement mechanisms, since access control-based security models cannot impose restrictions on information propagation. The proposed framework unifies cyber and physical aspects of security through the shared semantics of information flow. Along a similar line of research, Akella et al. [27] applied classical models of non-deducibility and non-inference to CPSs to determine information flow in the coupled cyber and physical worlds. The presented results demonstrate that the combined physical and cyber properties of a CPS can both protect and divulge information.
The authors also presented a semantic model for information flow analysis in a CPS and described an approach to perform the analysis, including both trace-based analysis and automated analysis through process algebra specification. In [28,29], the authors turned the originally malicious concept of covert channels upside down and utilized it to build defensive mechanisms. Specifically, Ying et al. [28] presented TACAN (Transmitter Authentication in insecure Controller Area Network (CAN)), which provides secure authentication of Electronic Control Units (ECUs) by exploiting covert channels without introducing CAN protocol modifications or traffic overheads. Similarly, Taylor et al. [29] demonstrated the use of covert channels as a method of secure communication that would prevent a number of attacks, including man-in-the-middle, against the Modbus protocol.
Of particular interest for this work are covert channel solutions leveraging control theory models [30][31][32]. In [30], Herzberg and Kfir presented a unidirectional covert channel from a malicious sensor to a malicious actuator. The covert traffic is encoded within the output noise of the covertly transmitting sensor, whose distribution is indistinguishable from that of a benign sensor with comparable specifications. In [31], the same authors presented a malicious actuator that receives commands from a threshold controller. The corrupt actuator uses the response time to send signals to a corrupt sensor, by encoding the signals using different response times of the actuator. In [32], the authors presented a covert channel technique utilizing a robust control-theoretic approach for CPSs with bounded disturbances (also see [33]). The presented technique enables a compromised networked controller to leak information to an eavesdropper who has access to the measurement channel by properly altering the control logic and exploiting robust reachability arguments.

Contribution
The approach in [32] leverages robust reachability arguments to show the existence of covert channels for constrained CPSs subject to bounded disturbances. However, this approach cannot be applied to the class of stochastic CPSs where only the distribution of the disturbance is known. In the present work, we address this limitation and design a covert channel in stochastic CPSs by leveraging, as a decoding mechanism, an Unknown Input Observer (UIO) coupled with an error-correcting code. Moreover, differently from [30,31], the covert channel considered in this work is established without any assumption on the sensors' and actuators' hardware characteristics. To the best of the authors' knowledge, this paper shows for the first time that it is possible to establish a covert channel by combining a UIO and error-correcting code schemes. Finally, a proof-of-concept implementation of the proposed covert channel is presented with the aim of evaluating its information rate on a numerical testbed.
The rest of the paper is organized as follows. The system setup, adversary model and problem formulation are described in section 2. The proposed covert channel is described in section 3, where we also present an error-correcting coding scheme that exploits the control loop to obtain an implicit acknowledgement to improve the covert channel capacity. A proof-of-concept implementation and a numerical example are described in section 4 and section 5, respectively. Defences and countermeasures against the proposed covert channel are discussed in section 6. Finally, the paper is concluded in section 7.

Problem Formulation
In this section, first the considered CPS and the adversary model are presented. Then, the considered covert channel problem is formally stated.

System Setup
[Fig. 1: networked controller (state estimator and controller) regulating the plant]
Consider the following Linear Time Invariant (LTI) stochastic system (1), where $k \in \mathbb{Z}_+ := \{0, 1, \ldots\}$ denotes the discrete sampling time instants, $x(k) \in \mathbb{R}^{n_x}$ the plant state vector, $u(k) \in \mathbb{R}^{m_u}$ the control input vector, $A \in \mathbb{R}^{n_x \times n_x}$, $B \in \mathbb{R}^{n_x \times m_u}$, $C \in \mathbb{R}^{p \times n_x}$. Moreover, $w(k) \sim \mathcal{N}(0, W)$ and $v(k) \sim \mathcal{N}(0, V)$ are mutually independent and identically distributed (i.i.d.) Gaussian noises with zero mean and covariance matrices $W$ and $V$, respectively. By referring to Fig. 1, we consider a CPS where the plant is regulated by a networked controller consisting of a steady-state Kalman predictor (state estimator) and a state-feedback controller. The Kalman predictor is described by the dynamical system (2). The state-feedback controller is designed to stabilize the closed-loop system and its actions are generically modeled as in (3):

Adversary Model
[Fig. 2: covert channel setup, showing the state estimator]
We consider an attacker aiming to establish an illegitimate covert channel to leak information between a sender located inside the controller and a receiver having access to the transmitted measurements (see Fig. 2). To perform such an attack, we assume that the attacker possesses the following assets [34]:
- Model knowledge: the attacker has knowledge of the plant's model (1);
- Disruptive resources: the attacker is capable of injecting malware in the networked controller and arbitrarily changing the control logic (3);
- Disclosure resources: the attacker can read the transmitted sensor measurement $y(k)$.

Problem Formulation
The covert channel design problem can be stated as follows: Given the LTI stochastic plant model (1), design the sender and receiver actions such that a binary vector $M = [m_1, \ldots, m_l]^T \in \mathbb{R}^l$, $m_i \in \{0, 1\}$, $1 \le i \le l$, can be sequentially encoded in the control action $u(k)$ and decoded from the sensor measurements $y(k)$.
In this paper, a solution to the above problem is given under the assumption that an unknown input observer for (1) can be defined to simultaneously estimate the state x(k) and the input signal u(k) from the sensor measurement y(k).

Covert Channels Design
This section first shows how, in the considered stochastic setup, a simple covert channel can be established by exploiting a UIO as a decoding mechanism. It is then shown that the robustness of the obtained solution can be improved by adding an error-correcting code on top of the UIO operations. Finally, we show that the sender can exploit the control loop to obtain an implicit acknowledgment (Ack) message about the decoding performed by the receiver and retransmit the same bit message whenever the decoding operations are unsuccessful. Fig. 3 shows a graphical illustration of the proposed covert channel.
In the switching control logic (4), $f_0(x(k))$ and $f_1(x(k))$ are two stabilizing control laws. It should be noted that, regardless of the switching logic used by the sender, the evolution of the sensor measurements $y(k)$ and of the control signal $u(k)$ will be coherent with the system model (1). As a consequence, any standard anomaly detector leveraging the system dynamics (1)-(2) (e.g., a $\chi^2$ detector) will fail to detect the control logic alteration. This is because existing physics-based anomaly detectors focus their attention only on false data injection attacks affecting the communication channels, see e.g. the survey paper [3].
Then, at each time instant $k$, given $\hat{x}_r(k)$, the receiver can predict the future admissible inputs, namely $\hat{u}_0(k)$ and $\hat{u}_1(k)$, as $\hat{u}_0(k) = f_0(\hat{x}_r(k))$, $\hat{u}_1(k) = f_1(\hat{x}_r(k))$, and estimate the previously transmitted bit $\hat{b}$ according to the decoding rule (7), in which the compared quantities are the distances between the predicted and estimated inputs.

Using ECC to improve the covert channel capacity
The above-proposed encoding (using (4)) and decoding (using (7)) mechanisms show the existence of a covert channel in stochastic CPSs. However, such an implementation is not robust against bit decoding errors that might arise due to noise realizations. To mitigate this drawback, an error-correcting code scheme can be utilized to correct a finite number of decoding errors that might be obtained using (7). For example, an $(n_c, k_c, d_c)$ block error-correcting code $\mathcal{C}$, where $k_c$ message bits are encoded into $n_c$ code bits with minimum distance $d_c$ between codewords (i.e., it can correct up to $(d_c - 1)/2$ errors) [38], can be used on top of the UIO-based scheme (4)-(7) following the procedure below (Algorithm 1):
- Receiver (R):
  1. At each time instant, the UIO-based bit decoder (5)-(8) is used to obtain an estimate of the transmitted bit, namely $\hat{c}_i$. Such a bit is appended to the received codeword $\hat{c}$.
  2. Every time a string $\hat{c}$ of length $n_c$ is obtained, the ECC decoder is used to estimate $\hat{m}$, and $\hat{c}$ is reset, i.e., $\hat{c} = \emptyset$, to receive a new codeword.

Implicit Acknowledgment channel
The effectiveness of the ECC scheme, and hence the capacity of the underlying covert channel, can be further improved by noting that the closed-loop structure of networked control systems can be leveraged to establish an implicit acknowledgment message between the sender and the receiver. In particular, the feedback loop allows the controller (sender) to deterministically emulate the receiver operations by locally implementing the UIO (5) and the ECC decoding operations (steps 1-2 of Algorithm 1, Receiver), also see Fig. 3. Therefore, both the sender and receiver can estimate the number of bit errors during the transmission of each coding block. Then, the receiver, in accordance with the sender, can accept a received word only if it can make a very reliable decision about the codeword sent by the networked controller. For instance, the latter can be achieved by accepting codewords $\hat{c}$ whose Hamming distance $d_c$ from the closest codeword in $\mathcal{C}$ is much smaller than the number of errors correctable by an optimal decoder for $\mathcal{C}$.

Proof-of-concept implementation
This section provides a simple proof-of-concept covert channel implementation that will be used in the next section to numerically evaluate the covert channel effectiveness.

Infected control logic
By assuming that the controller logic (3) is a stabilizing linear state-feedback controller with control gain $K \in \mathbb{R}^{m_u \times n_x}$, i.e. (9),
the sender can obtain a switching control logic as in (4) by simply introducing a shift $\delta > 0$ in the current state, i.e., (10).
A lower bound on the probability of error at the receiver as a function of $\delta$ can be analytically derived if the entire state vector can be measured or estimated perfectly, i.e., $\hat{x}(k) = x(k)$, $\forall k$. Let us consider, for simplicity, the case where no ECC is implemented, and denote with $y_0(k+1)$ and $y_1(k+1)$ the measurements obtained when applying the controller inputs $u_0(k)$ and $u_1(k)$, respectively. Then, the distance $D$ between $y_0(k+1)$ and $y_1(k+1)$ is given by $D = y_1(k+1) - y_0(k+1) = 2CB(u_1(k) - u_0(k)) = 2CBK\delta$. Thus the probability of bit error at the receiver is lower bounded by (11), where $N_0 = CWC^T + V$ and $Q(\cdot)$ denotes the Q function given in [39]. This shows that increasing $\delta$ can improve the decoding performance of the underlying covert channel.

UIO algorithm
Since the considered plant model (1) does not contain a direct feedthrough term, the attacker is capable of implementing the UIO solution developed in [35]. Under standard UIO assumptions:
- $\mathrm{rank}(C) = p$, $\mathrm{rank}(B) = m_u$, $m_u \le p$, $\mathrm{rank}(CB) = m_u$;
- $C(zI - A)^{-1}B$ is left invertible and strictly minimum phase, i.e. (12),
both the sender and receiver can obtain the optimal input $\hat{u}_r(k-1)$ and state $\hat{x}_r(k)$ estimates by means of the stable recursive algorithm described by equations (13)-(22), where $P$
IET Research Journals, pp. 1-7, 4, © The Institution of Engineering and Technology 2015
Remark 1. If the plant model contains a feedthrough term, then the UIO developed in [37] can be used instead, and the same methodology still holds.

ECC scheme
In what follows, we utilize a repetition code where every bit $m_i$ of the message $M$ is encoded $n_c$ times in the channel before moving to the next bit. The receiver decodes the message bits accordingly. Note that the repetition code is the simplest form of ECC, which is chosen here for ease of exposition; in practice a more efficient coding scheme, i.e., one with a better coding rate, can be utilized. When using the repetition code, the implicit acknowledgment can thus be implemented as follows. Let $\tau$ denote the number of error bits within each block as estimated by both the sender and receiver. The sender and receiver agree offline to accept $\hat{m}_r$ if and only if $\tau \ll (d_c - 1)/2 = (n_c - 1)/2$; otherwise the decoded message $\hat{m}_r$ is discarded by the receiver and the sub-string $m_r$ is re-transmitted by the sender.

Numerical Results
In this section, the performance of the covert channel is evaluated by considering a single-area Automatic Generation Control (AGC) system. Such a choice is mainly motivated by the fact that AGC systems are core components of any smart grid. Moreover, differently from other CPS applications (e.g., smart transportation systems), smart grids are already widely deployed in our society, and their security is of great concern. It should be noted, however, that the proposed covert channel is based on a control-theoretical approach. Therefore, the proposed solution does not depend on the specific example, but instead on its mathematical abstraction. In other words, as long as the mathematical model of the CPS can be abstracted as a stochastic linear time-invariant system, see (1), the proposed approach can be used. The AGC dynamics are here approximated by means of an LTI model. By considering a sampling time $T_s = 0.02$ s, the AGC system matrices in (1) are [40]: the control gain $K$ has been obtained by using $Q = 0.2 I_3$ and $R = 1$ as state and input LQ weight matrices, respectively.
To evaluate the effectiveness of the proposed covert channel, the bit error rate (BER) characterizing the fraction of errors in the bits decoded by the receiver, as a function of the number of transmitted bits, is of interest. In particular, the BER is evaluated for δ ∈ {0, 0.5, 0.6, 0.7, 0.8, 0.9, 1}.
By substituting the different values of $\delta$ into (11), the BER is lower bounded by $\{0.50,\ 1.62 \times 10^{-2},\ 5.1 \times 10^{-3},\ 1.4 \times 10^{-3},\ 3.11 \times 10^{-4},\ 5.91 \times 10^{-5},\ 9.45 \times 10^{-6}\}$ for $\delta = \{0, 0.5, 0.6, \ldots, 1.0\}$, respectively. For the proposed UIO-based covert channel implementation, to obtain a more accurate estimate of the BER, it is instead evaluated numerically. In particular, we have conducted a set of simulations to compute the BER for different initial state conditions and values of $n_c \in \{1, 3, 5, 7, 9, 11\}$ in the repetition code. Moreover, a randomly generated message $M$ of 100,000 bits is considered and a threshold $\tau = 0$ is used for the ECC with implicit acknowledgment. The obtained simulation results are depicted in Tables 1-2 and Figs. 4-6. In Fig. 4, by considering the time interval $t \in [50, 55]$ s, it is possible to observe how the UIO is capable of estimating the input used by the attacker from the available sensor measurements. Table 1 reports the bit error rate (BER) characterizing the fraction of errors in the bits decoded by the receiver, as a function of the number of transmitted bits. The obtained results indicate that increasing either the state shift $\delta$ or the number of repetitions $n_c$ decreases the BER. Repeating the experiment with the same parameters shown in Table 1, all the bits were decoded correctly when using the implicit Ack scheme with $\tau = 0$.
In Fig. 6, we report the percentage of accepted codewords satisfying the ECC decoding rule. If only the majority rule is considered, then any received codeword will satisfy the decoding rule, regardless of the number of repetitions and of the state shift $\delta$. On the other hand, if the ECC with consensus is considered, then the number of accepted codewords decreases with both the number of repetitions $n_c$ and the state shift $\delta$. As discussed in section 4.1 and confirmed by the numerical results in Fig. 6 and Table 1, the bit error rate of the considered covert channel improves (i.e., decreases) when we increase $\delta$. However, it is also important that the covert channel does not alter, in a significant way, the performance of the plant. To this end, the following normalized LQ cost has been evaluated, where $N$ is the number of simulation steps. From Table 2, it is possible to notice that although the control cost remains relatively small, its value increases with $\delta$. This is because the state trajectory oscillations around the equilibrium are directly proportional to the state shift $\delta$. This is confirmed in Fig. 5, where, by considering the time interval $t \in [0, 50]$ s, the evolution of the state components is reported in the presence and in the absence of the covert channel.

Defences and Countermeasures
Given our threat model, CPSs can be vulnerable to such covert channels if the attacker is able to inject malware into the networked controller and arbitrarily alter the control logic. Thus the root cause of such a covert channel can be prevented by ensuring the security of the supply chain of the CPS equipment and software (e.g., see [41]) in order to avoid the risk of malicious, compromised, or infected suppliers who alter the control logic of the controller. In order to prevent malware infection after the controller has been installed, a defence technique would be to use behavioural monitoring with anomaly detection to detect reconnaissance by adversaries prior to data exfiltration. These intrusion detection systems should raise alarms whenever they detect any unauthorized controller programming, or suspicious traffic going to/from ICS devices. The use of Trusted Execution Environments (TEEs) such as Trusted Platform Module (TPM), Intel Software Guard Extensions (SGX) and ARM TrustZone can also help ensure the integrity of the code execution within the controller (e.g., see [42]). In addition to the above defence techniques, the specific covert channel we present may be foiled by specific countermeasures. For example, an effective solution is to deploy a smart actuator that applies, to the plant, a randomized version of the controller's output signal, hence reducing the attacker's ability to predict the plant's expected evolution given the available plant model. However, such a solution should be carefully implemented in order to avoid reducing the performance of the control loop.
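To quantify the ideas of section 3 (decoding rule), section 4.3 (repetition code with implicit Ack, threshold $\tau = 0$) and the smart-actuator countermeasure above, the following added simulation, which is not part of the paper or its AGC testbed, measures the receiver's BER on a constructed scalar plant with and without actuator randomization. It assumes $C = 1$, perfect state knowledge at the sender, a two-sample least-squares input estimate in place of the UIO of [35], and a $\pm\delta$ state shift as the form of (10); all names and parameter values are assumptions.

```python
"""Toy simulation of the UIO-based covert channel, its repetition-code/implicit-Ack
variant and the randomised-actuator countermeasure (constructed example)."""
import random

# Constructed scalar plant: x(k+1) = A x(k) + B u(k) + w(k), y(k) = x(k) + v(k), i.e. C = 1.
A, B = 1.1, 1.0                 # open-loop unstable
K = -0.6                        # stabilising state-feedback gain: A + B*K = 0.5
SIGMA_W, SIGMA_V = 0.1, 0.1     # process and measurement noise standard deviations


def sender_input(x, bit, delta):
    """Infected control logic (assumed form of (10)): nominal law K*x applied to the
    state shifted by -delta (bit 0) or +delta (bit 1). The sender is assumed to know x."""
    return K * (x + (delta if bit else -delta))


def decode_bit(y_prev, y_now, delta):
    """Receiver rule (7) with a simplified input observer: since C = 1 and B != 0 the
    input u(k-1) is recovered from two consecutive measurements, which stands in for the
    UIO of [35] in this constructed setting. The receiver's state estimate is x_r = y_prev."""
    u_hat = (y_now - A * y_prev) / B      # estimate of u(k-1)
    u0_hat = K * (y_prev - delta)         # f_0(x_r): input expected for bit 0
    u1_hat = K * (y_prev + delta)         # f_1(x_r): input expected for bit 1
    return 1 if abs(u_hat - u1_hat) < abs(u_hat - u0_hat) else 0


def run_channel(message, delta, n_rep=1, consensus=False, actuator_sigma=0.0, seed=0):
    """Transmit `message` and return (bit error rate, number of retransmissions).

    n_rep:          repetition-code length n_c (use an odd value so majority voting has no ties)
    consensus:      implicit-Ack rule with threshold tau = 0: a codeword is accepted only when
                    all n_c decoded bits agree; the sender sees the same y(k) and therefore
                    computes the identical received codeword, so it resends the bit otherwise
    actuator_sigma: std of the zero-mean perturbation a smart actuator adds to the controller
                    output (section 6 countermeasure); 0 disables it
    """
    rng = random.Random(seed)
    x = 0.0
    y_prev = x + rng.gauss(0.0, SIGMA_V)
    decoded, retransmissions, i = [], 0, 0
    while i < len(message):
        codeword = []
        for _ in range(n_rep):
            u = sender_input(x, message[i], delta)
            u_applied = u + rng.gauss(0.0, actuator_sigma)   # unknown to sender and receiver
            x = A * x + B * u_applied + rng.gauss(0.0, SIGMA_W)
            y_now = x + rng.gauss(0.0, SIGMA_V)
            codeword.append(decode_bit(y_prev, y_now, delta))
            y_prev = y_now
        ones = sum(codeword)
        majority = 1 if 2 * ones > n_rep else 0
        tau = min(ones, n_rep - ones)   # Hamming distance to the closest repetition codeword
        if consensus and tau > 0:       # rejected by both sides: retransmit the same bit
            retransmissions += 1
            continue
        decoded.append(majority)
        i += 1
    errors = sum(d != m for d, m in zip(decoded, message))
    return errors / len(message), retransmissions


def make_message(n_bits, seed=1):
    """Constructed random binary message M."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n_bits)]


def evaluate(n_bits=400, seed=1):
    """BER for several state shifts, with the repetition code plus implicit Ack, and with
    the randomised actuator. Returns a dict keyed by a short label."""
    msg = make_message(n_bits, seed)
    out = {}
    for delta in (0.0, 0.25, 0.5, 1.0):
        out[f"plain delta={delta}"] = run_channel(msg, delta)[0]
    out["rep5+ack delta=0.5"] = run_channel(msg, 0.5, n_rep=5, consensus=True)
    out["randomised actuator delta=1.0"] = run_channel(msg, 1.0, actuator_sigma=0.4)[0]
    return out


if __name__ == "__main__":
    for label, value in evaluate().items():
        print(f"{label:32s} {value}")
```

With these constants the effective decoding noise has standard deviation about 0.15 while the decision margin is 0.6δ, so the BER collapses as δ grows; the randomised actuator widens that noise and raises the BER again, at the price of the control-cost increase the paper warns about.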

Conclusions and Future Works
In this paper, a covert channel for stochastic cyber-physical systems was presented. In particular, first, an unknown input observer is used to allow the receiver to decode, from the sensor measurements, the binary messages encoded in the control signal by a sender manipulating the control logic. Then, the reliability of such a channel is improved by jointly leveraging the control system feedback loop and standard ECC schemes. Finally, by considering a numerical testbed and a simple ECC implementation, the covert channel's capacity has been investigated. Future work includes the development of methods for the detection, capacity limitation, and elimination of such covert channels in CPSs.