Lui Sha, SEI

Distributed control systems underlie several of our nation's key infrastructures, such as power generation and distribution. In this position paper, we examine 3 basic techniques that can be used to develop survivable distributed control systems, which

Technique 1: Real-time dynamic component binding. This technology allows us to easily and reliably "hot swap" software components while they are in use. It is a fundamental technology for a survivable system and can be used for:

a) "Frequency hopping": legitimate applications use the interfaces exported by a system, whereas intrusions exploit specific "holes" in its design and implementation. The defense can exploit this characteristic of intrusions as follows: use real-time dynamic component binding to randomly change components without altering the user-level service. From a user's perspective nothing has changed; from an intruder's perspective the system is constantly "mutating".

b) System reconfiguration: dynamically change both the application system architecture and the trade-off between security and functionality as needed, and provide the services that are realizable by the remaining functional components.

Technique 2: Analytic redundancy. Analytic redundancy uses different components that provide different but complementary functions while both satisfying the same basic requirement. This allows us to fine-tune the degree of redundancy for backup and the diversity for functionality and intrusion protection. As an everyday example, a power-assisted steering device and the core mechanical steering device are analytically redundant: the simple core mechanical steering mechanism provides the basic function, and the power-assistance device can enhance the mechanical steering function but cannot jeopardize it. Analytic redundancy can be exploited to provide:

a) Analytically redundant controllers: a secured control kernel running on separate hardware, and an Internet-enhanced operational controller that can enhance the functions of the secured control kernel but cannot jeopardize the basic function the control kernel provides. The unsecured public network plays the role of the "power-assisted steering".

b) Safe online upgrade of hardware and software components in spite of errors in the new components.

Technique 3: Model-based cooperation. The communication load generated by a denial-of-service attack on the network takes time to shut off, but control applications have mathematical models of their plants. When communications are interrupted, the mode of cooperation can be switched to model-based distributed cooperation, like a fleet operating under radio silence.

All 3 of these technologies, together with other related supporting technologies, can be readily implemented to construct survivable distributed control systems. In fact, the first two have already been used in SEI's Simplex architecture, which was originally developed to support the online upgrade of COTS-component-based fault-tolerant control systems in spite of arbitrary faults that the upgrade activities can introduce. Prototype systems are available.
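The following is an added example, not code from the paper or from SEI's Simplex architecture, that puts Technique 2 and Technique 3 together in a small simulation. A Simplex-style decision module admits commands from a fast, network-hosted "enhanced" controller only while the one-step prediction of the plant stays inside a region the simple safety controller can recover from, so the enhanced controller can improve performance but cannot jeopardize the basic function; when the link is silent, the node keeps cooperating with a peer by propagating the peer's last known state through the peer's known model and agreed plan instead of waiting for telemetry. The plant model, gains, safety envelope, peer plan and the outage/compromise schedule are all constructed assumptions for this example.

```python
"""Simplex-style analytic redundancy plus model-based cooperation (added example).

Assumed models (not from the paper): a first-order plant x[k+1] = x[k] + DT*u[k]
with actuator saturation, a safety envelope |x| <= SAFE_LIMIT, and a peer node
that follows a pre-agreed plan (the safety controller toward a fixed setpoint).
"""
from dataclasses import dataclass
from typing import Optional

DT = 0.1            # control period in seconds (assumed)
SAFE_LIMIT = 10.0   # safety envelope: the state must satisfy |x| <= SAFE_LIMIT (assumed)
U_MAX = 5.0         # actuator saturation (assumed)


def plant_step(x: float, u: float) -> float:
    """Assumed plant model: one integration step with actuator saturation."""
    u = max(-U_MAX, min(U_MAX, u))
    return x + DT * u


def safety_controller(x: float, setpoint: float) -> float:
    """The simple, verified 'mechanical steering': low-gain proportional control."""
    return 0.5 * (setpoint - x)


def enhanced_controller(x: float, setpoint: float) -> float:
    """The 'power assist': faster, network-hosted, and not trusted for safety."""
    return 4.0 * (setpoint - x)


@dataclass
class SimplexNode:
    """Decision module: admit an enhanced command only while the one-step
    prediction stays inside the region the safety controller can recover from.
    After one rejection the node latches onto the safety controller."""
    latched: bool = False

    def decide(self, x: float, u_enhanced: Optional[float], setpoint: float) -> tuple:
        u_safe = safety_controller(x, setpoint)
        if self.latched or u_enhanced is None:
            return u_safe, "safety"
        # Keep a margin of one saturated step so the safety controller can still act in time.
        if abs(plant_step(x, u_enhanced)) <= SAFE_LIMIT - DT * U_MAX:
            return u_enhanced, "enhanced"
        self.latched = True
        return u_safe, "safety"


@dataclass
class PeerEstimator:
    """Model-based cooperation: with telemetry, use the peer's reported state;
    under radio silence, propagate the last known state through the peer's
    known model and agreed plan instead of waiting for the network."""
    peer_setpoint: float
    estimate: float
    mode: str = "telemetry"

    def update(self, received: Optional[float]) -> float:
        if received is not None:
            self.estimate, self.mode = received, "telemetry"
        else:
            self.mode = "model"
            u_peer = safety_controller(self.estimate, self.peer_setpoint)
            self.estimate = plant_step(self.estimate, u_peer)
        return self.estimate


def run_scenario(steps: int = 80, outage: range = range(20, 40), compromised_from: int = 45) -> dict:
    """Constructed scenario: hold a formation offset from a peer, lose the network
    for a while, then have the enhanced controller start emitting hostile commands."""
    x, peer_true, peer_setpoint, offset = 0.0, 8.0, 2.0, 1.0
    node, estimator = SimplexNode(), PeerEstimator(peer_setpoint, peer_true)
    sources, max_abs_x, latched_at, est_error = [], 0.0, None, None
    for k in range(steps):
        link_up = k not in outage
        peer_est = estimator.update(peer_true if link_up else None)
        if k == outage[-1]:
            est_error = abs(peer_est - peer_true)  # model drift at the end of the silence
        setpoint = peer_est + offset
        if not link_up:
            u_enh = None                  # enhanced controller is across the (silent) network
        elif k >= compromised_from:
            u_enh = 1000.0                # constructed hostile command from a compromised controller
        else:
            u_enh = enhanced_controller(x, setpoint)
        u, source = node.decide(x, u_enh, setpoint)
        if node.latched and latched_at is None:
            latched_at = k
        sources.append(source)
        x = plant_step(x, u)
        peer_true = plant_step(peer_true, safety_controller(peer_true, peer_setpoint))
        max_abs_x = max(max_abs_x, abs(x))
    return {"sources": sources, "max_abs_x": max_abs_x, "latched_at": latched_at,
            "estimate_error_before_reconnect": est_error}


if __name__ == "__main__":
    r = run_scenario()
    print("latched at step", r["latched_at"], "max |x| =", round(r["max_abs_x"], 3))
    print("peer estimate error after 20 silent steps:", r["estimate_error_before_reconnect"])
```

In the scenario the hostile commands are accepted while the plant is still deep inside the envelope (the enhanced controller is free to do anything recoverable), and the decision module hands over to the safety controller exactly when one more saturated step would leave the recoverable region, so |x| never exceeds the envelope. The peer estimate is exact here only because the simulated peer follows its agreed plan with the same model; with a real plant the model error grows with the length of the silence, which is the argument for bounding how long a node may operate in model-based mode before it degrades to its safe core function.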