In the past, the design of cyber physical systems (CPS) required a model based engineering approach -- a design methodology consisting of physics based mathematical modeling of the physical system, and a control theoretic modeling of the control system put together in a formal or semi-formal framework. The designers would start from an abstract model, and refine it down to an implementation model in several steps, either formally or informally. The implementation model is then validated for functional correctness, and satisfaction of performance, real-time schedulability goals. Functional Safety, robustness to input assumptions, reliability under fault assumptions, and resilience to unknown adversities were considered as important design goals for safety-critical CPS. 

With the increased use of networked distributed control of large and geographically distributed critical infrastructures such as smart grid and the exposure to cyber-attacks ushered in by the IP-convergence phenomenon -- designers must now consider cyber-security and cyber defense as first class design objectives. However, in order to do so, designers have to don a dual personality -- while designing for robustness, reliability, functional safety -- a model driven engineering approach would work -- for designing for cyber-security and defense, the designer has to enter the mindset of a malicious attacker. For instance, one has to consider the various observations or sampling points of the system (e.g. sensors to read or sample the physical environment), and think how an attacker might compromise the unobservability of those points without authentication, and what knowledge of the system dynamics or the control mechanism of the system might be actually reconstructed by the attacker. One also has to consider the actuation points of the system, and ponder the least number of such actuation points the attacker has to take over in order to disrupt the dynamics of the system enough to create considerable damage. One has to envision how to obfuscate the dynamics of the system even when certain sensing or actuation points are compromised. Also, it is known that a large percentage of attacks are induced by insider or a collusion of internal and external agents. 

Thus perimeter defense alone cannot defend the system. In such cases, the symptoms of an ongoing attack in the dynamics of the system itself has to be discerned continually. This approach to viewing the system from an adversarial position requires us to topple the design paradigm over its head, and we will need to build models from data, and not just generate data from models. The designer has to observe a system in action – even through partial observations, and construct a model close enough to the real system model – and then use the partial access to create damages to the because the approximate model allows her to do so. Almost like a schizophrenic duality, the engineer also has to wear the designers hat, and consider a game in which the observations are obfuscated enough to render it impossible for an attacker to build any useful model to induce clever attacks. The designer has to worry if she can construct from unobfuscated observations a dynamics quickly enough so that the difference between the expected dynamics and the real dynamics can trigger alarms to alert the system administrators. 

In this talk, while discussing this view of system design, we will also talk about VSCADA -- a virtual distributed SCADA lab we created for modeling SCADA systems for critical infrastructures, and how to use such a virtual lab completely implemented in simulation -- to achieve the cyber security and cyber defense objectives of critical infrastructures -- through attack injections, attack detection, and experiments on new defense mechanisms. We will also discuss the real SCADA test bed we are building at our center for cyber security of critical infrastructures at IIT Kanpur.