Encrypted Control for Networked Systems: An Illustrative Introduction and Current Challenges

Moritz Schulze Darup (1,*), Andreea B. Alexandru (2,*), Daniel E. Quevedo (3), and George J. Pappas (2)

arXiv:2010.00268v1 [eess.SY] 1 Oct 2020

(1) M. Schulze Darup is with the Department of Mechanical Engineering, TU Dortmund University, Germany.
(2) A. B. Alexandru and G. J. Pappas are with the Department of Electrical and Systems Engineering, University of Pennsylvania, USA.
(3) D. E. Quevedo is with the School of Electrical Engineering & Robotics, Queensland University of Technology, Australia.
(*) These two authors contributed equally to this work and share the first authorship. Correspondence to: [email protected] or [email protected].

Summary. Control systems are rapidly evolving to utilize modern computation and communication tools, such as cloud computing and geographically distributed networks, in order to improve performance, coverage and scalability. However, control loops that outsource the computation over privacy-sensitive data to third-party platforms via public networks are already the subject of cyberattacks involving eavesdropping and data manipulation. Encrypted control addresses this security gap and provides confidentiality of the processed data in the entire control loop, by encrypting the data at each level of transmission (over the network) and of computation (on corrupted computing platforms). This paper presents a tutorial-style introduction to this young but emerging field in the framework of secure control for networked dynamical systems with encrypted data. We focus on the steps of deriving the encrypted formulations of some specific control algorithms from the standard formulations and discuss the challenges arising in this process, ranging from privacy-aware conceptualizations to changes in the computation flows and quantization issues. In conclusion, we provide a list of open problems and new directions to explore in order to consolidate the area of encrypted control.

Cloud computing and distributed computing are becoming ubiquitous in many modern control systems such as smart grids, building automation, robot swarms or intelligent transportation systems. Compared to "isolated" control systems, the advantages of cloud-based and distributed control systems are, in particular, resource pooling and outsourcing, rapid scalability, and high performance. However, these capabilities do not come without risks. In fact, the involved communication and processing of sensitive data via public networks and on third-party platforms promote, among other cyberthreats, eavesdropping and manipulation of data. That these threats are relevant to real-world applications is apparent from an increasing number of cyberattacks explicitly addressing industrial control systems [90]. Prominent examples are the malwares Stuxnet, Duqu, Industroyer, or Triton (see, e.g., [16]) as well as inference attacks arising from smart meters used as surveillance devices (see, e.g. [60, 39]). Clearly, cyberattacks on control systems can be highly critical. In particular, unlike attacks on classical IT systems, attacks on control systems may influence physical processes through digital manipulations [88]. Moreover, networked control systems are the backbone of critical infrastructure such as electric power, transportation, and water distribution networks, with further applications illustrated in the sidebar "Prospective uses of encrypted control in industry". Hence, future control schemes should counteract privacy and security threats and ensure confidentiality, integrity, and availability (see [11] or [88, Fig. S1] for details on these traditional security goals) of the involved process data.

Secure control for networked systems has been intensively studied in the literature during the last decade. Comprehensive surveys can be found in [15, 68, 51, 20] and in the special issue of the IEEE Control Systems Magazine on "Cyberphysical Security" from 2015 (especially [88]). Two observations are particularly important for the scope of this paper. First, analogously to cyberattacks on IT systems, there exists a variety of different attacks and tailored defense mechanisms. For instance, stealth, false-data injection, replay, covert, and denial-of-service (DoS) attacks can be distinguished [68]. Second, interdisciplinary solutions are required to secure control systems. In fact, standard information-theoretic or cryptographic tools on their own are often not sufficient (see, e.g., [15, Sect. 3] or [95]). Most existing works focus on the integrity and availability of networked control schemes using various defense mechanisms. For example, control-related concepts such as detectability and identifiability of deception attacks are investigated in [68]. Moreover, game-theoretic approaches to deal with DoS attacks are, e.g., considered in [40, 55].

Sidebar: Prospective uses of encrypted control in industry.
Recent years saw the emergence of "Control-as-a-Service" [37] with companies offering personalized optimized control algorithms for a better power consumption and economic efficiency. Encrypted control, which deals with privately computing control decisions while processing encrypted data, is an appealing solution to the types of attacks mentioned in the Introduction. Control-as-a-Service is mainly used in building automation and smart grids, but took off also in automation systems for manufacturing and chemical industries, food service, transportation systems, water supply, and sewage waste maintenance. The inertia of such systems makes encrypted control (which has an overhead compared to standard control due to encryption) particularly amenable. Furthermore, given the criticality of some of these industrial systems, control schemes that simultaneously take into account security, safety, and constraints, such as encrypted model predictive control, are recommended. Apart from these examples, lighter-weight distributed encrypted control could be adequate in exploration and surveillance swarms of robots deployed in hazardous environments, where the capture of one robot that operates an encrypted control scheme would not jeopardize the other robots in the swarm.

The emerging field of encrypted control primarily aims for confidentiality of sensitive system states, control actions, controller parameters, or model data in the entire control loop. More generally, an encrypted controller can be defined as a networked control scheme that simultaneously ensures control performance and privacy of the client system(s) through specialized cryptographic tools. In the framework of networked control, attacks compromising confidentiality such as eavesdropping might seem less critical since they do not immediately cause physical misbehavior. However, "passive" spying often precedes "active" attacks compromising data integrity and availability (see, e.g., [20, Sect. III.A]). Abstractly speaking, encrypted control is realized by modifying conventional control schemes such that they are capable of computing encrypted inputs based on encrypted states (or encrypted controller parameters) without intermediate decryptions by the controller. The basic concept is illustrated in Figure 1.(b) for a cloud-based controller. In this context, it is important to note that encrypted control goes beyond secure communication channels as in Figure 1.(a) that could be realized using classical encryption, such as AES. In fact, encrypted control additionally provides security against curious cloud providers or neighboring agents that, during controller evaluations, would have access to unsecured data for solely secured communications. In this context, the consideration of so-called honest-but-curious platforms is the key difference to existing secure control schemes focusing on confidentiality (such as, e.g., [94, 54]) and it is part of the attack model underlying most encrypted control schemes as specified in the sidebar "Security against what? Security goals and attack models". Meeting these privacy demands under real-time restrictions is non-trivial and requires a co-design of controllers and suitable cryptosystems. In fact, identifying controller formulations that can be efficiently combined with capable cryptosystems can be seen as the central task for encrypted control and will be a recurring theme throughout this paper.

Sidebar: Security against what? Security goals and attack models.
In modern cryptography, the concept of "security" is always related to a security goal and certain attacks. Roughly speaking, an encryption scheme is considered secure against disclosure attacks if an attacker gets no new information about a plaintext (i.e., the unencrypted data) from a ciphertext (i.e., the encrypted data), regardless of its previous knowledge [47, p. 19]. The knowledge and capabilities of an attacker are the basis for the attack model. For example, one can distinguish between ciphertext-only attacks, where the attacker just observes ciphertexts and attempts to obtain information about the underlying plaintexts, and known-plaintext attacks, where the attacker has access to some plaintext-ciphertext tuples [47, p. 20]. Further variants of the latter attack are chosen-plaintext attacks, where the attacker gets access to ciphertexts for plaintexts of its choice, and chosen-ciphertext attacks, where the attacker gets access to plaintexts for ciphertexts of its choice.
We next specify some popular security goals. In
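
The basic concept described in the introduction (a cloud controller computing encrypted inputs from encrypted states without any intermediate decryption) can be made concrete with an added example that is not taken from the paper. It assumes a linear state feedback u = Kx, a plaintext gain held by the cloud, fixed-point quantization with a hypothetical factor SCALE, and a toy Paillier cryptosystem as the additively homomorphic scheme; the key, gain and state values are constructed, and the key is far too small for real use.

```python
import math, secrets

# Toy Paillier key from two Mersenne primes (constructed; insecure size, illustration only).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(P-1, Q-1)
MU = pow(LAM, -1, N)
SCALE = 1000   # assumed fixed-point factor for quantizing states and gains

def encrypt(m):
    """Enc(m) = (1+N)^m * r^N mod N^2; negative m is represented modulo N."""
    r = secrets.randbelow(N - 2) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def decrypt(c):
    """Recover m and map the residue back to a signed integer."""
    m = (pow(c, LAM, N2) - 1) // N * MU % N
    return m - N if m > N // 2 else m

def quantize(v):
    """Real value -> integer plaintext (source of the quantization error)."""
    return round(v * SCALE)

def cloud_controller(K_int, enc_x):
    """Runs on the honest-but-curious platform: it only ever sees ciphertexts.
    Enc(sum_j K_ij * x_j) = prod_j Enc(x_j)^K_ij mod N^2."""
    enc_u = []
    for row in K_int:
        acc = encrypt(0)
        for k, cx in zip(row, enc_x):
            acc = acc * pow(cx, k % N, N2) % N2
        enc_u.append(acc)
    return enc_u

def closed_loop_step(K, x):
    """Sensor encrypts x, cloud evaluates u = K x on ciphertexts, actuator decrypts."""
    enc_x = [encrypt(quantize(v)) for v in x]                  # sensor side
    K_int = [[quantize(k) for k in row] for row in K]
    enc_u = cloud_controller(K_int, enc_x)                     # cloud side
    return [decrypt(c) / SCALE**2 for c in enc_u]              # actuator side

K = [[-1.25, 0.40], [0.10, -2.00]]   # constructed feedback gain
x = [0.731, -1.204]                  # constructed state measurement
u = closed_loop_step(K, x)
```

The decrypted input carries the factor SCALE squared because both the gain and the state were scaled before the homomorphic multiplication, which is one of the quantization issues the summary mentions.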
