A cyber-physical system (CPS) is a system having one or more interacting networks of nodes (e.g., physical components and software components). A modern CPS is often built with network connectivity, e.g., connection to the Internet. The CPS can range from Industrial Control Systems (ICS) to Internet of Things (IoT) systems and encompass a wide variety of protocols, buses, and networks. Examples of CPS may include smart grid, autonomous vehicles, medical monitoring devices, automatic pilot avionics, scientific instruments, etc.
To detect potential vulnerabilities of the CPS and to defend against cyber threats, system operators rely on CPS tools for assessing a network of the CPS. These CPS tools, however, often rely on a priori knowledge of the application processes implemented by the CPS, which is not always available to the system operators. Even when such a priori knowledge is available, it may be incomplete, outdated, or simply inaccurate. Additionally, many CPS tools rely on information provided by one or more nodes in the CPS to evaluate the CPS. Such reliance on high-level observation of the CPS network from a CPS node renders these CPS tools vulnerable to a malfunctioning or compromised CPS node that produces false or erroneous data, since the tool has no independent view of the network against which to check that node's reports. Therefore, there is a need to evaluate the CPS based on the low-level network traffic, without relying on specific CPS nodes and without prior knowledge of how the CPS operates.
Additionally, under typical operation, the CPS can generate many hundreds or thousands of network messages on the CPS network when performing a process of interest to a system operator. Deriving the underlying model of computation for the CPS may be difficult because these network messages may correspond to overlapping processes concurrently being executed by a plurality of nodes in the CPS.
Further, a broadcast message-based communication protocol, such as the Controller Area Network (CAN) protocol, does not specify explicit “from” and “to” device addresses or IDs in network messages. Instead, each network message may include a group ID (e.g., an arbitration ID in the CAN protocol) that specifies the data type of the network message. The use of the group ID allows network messages belonging to the same process or role to be assigned to the same group and allows network nodes to operate on processes instead of device addresses. While group IDs are useful for enabling multi-master broadcast systems, in which multiple nodes may act on the same network message having an assigned group ID, the lack of device addresses or IDs makes deriving a model of computation of the CPS difficult: two messages with the same group ID are indistinguishable on the wire whether they were transmitted by the same node or by different nodes. In some embodiments, the group ID may also be associated with a priority level. Associating group IDs with respective priority levels further enables a multi-master broadcast system in which one node wins transmission priority when multiple nodes attempt to transmit concurrently. In CAN, for example, the arbitration ID is transmitted most-significant bit first and a dominant (0) bit overrides a recessive (1) bit on the bus, so the node transmitting the numerically lowest arbitration ID keeps the bus and the others back off and retry.
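The following Python example is added here as an illustration and is not part of the original description or of any particular CPS tool. It parses constructed candump-style log lines (the “(timestamp) interface ID#DATA” format written by `candump -l`), groups the resulting frames by arbitration ID, and simulates the bitwise arbitration described above. The log lines, interface name and arbitration IDs are constructed for the example and are not captured traffic; the parsed frame has no source or destination field because CAN frames carry none.

```python
import re
from collections import defaultdict

# Constructed candump-style log lines ("(timestamp) iface ID#DATA"). These are
# not captured traffic; the IDs carry no meaning beyond this example.
SAMPLE_LOG = """\
(1700000000.000100) can0 0C4#1A2B3C4D
(1700000000.000350) can0 1A0#00FF
(1700000000.000600) can0 0C4#1A2B3C4E
(1700000000.000800) can0 7DF#0201050000000000
"""

# 3 hex digits = 11-bit standard ID, 8 hex digits = 29-bit extended ID.
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]{3}|[0-9A-Fa-f]{8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text):
    """Parse candump-style lines into frame dicts.

    Note what is absent: there is no source or destination field. The
    arbitration ID names the message type (group), not the sending node.
    """
    frames = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a candump frame: {line!r}")
        data = bytes.fromhex(m["data"])
        if len(data) > 8:
            raise ValueError(f"line {lineno}: classic CAN payload exceeds 8 bytes")
        frames.append({
            "ts": float(m["ts"]),
            "iface": m["iface"],
            "arb_id": int(m["id"], 16),
            "extended": len(m["id"]) == 8,
            "data": data,
        })
    return frames


def group_by_arb_id(frames):
    """Group frames by arbitration ID, the only 'address' a CAN frame carries."""
    groups = defaultdict(list)
    for f in frames:
        groups[f["arb_id"]].append(f)
    return dict(groups)


def arbitrate(arb_ids, bits=11):
    """Simulate CAN bitwise arbitration among nodes that start transmitting together.

    IDs are sent MSB first; a dominant bit (0) overrides a recessive bit (1) on
    the wire, so a node that sends 1 and reads back 0 drops out. The survivor is
    therefore the numerically lowest ID. Returns the winning ID, or None when
    two nodes used the same ID (the bus cannot tell them apart during arbitration).
    """
    contenders = list(arb_ids)
    if not contenders:
        return None
    if any(i < 0 or i >= (1 << bits) for i in contenders):
        raise ValueError(f"arbitration ID does not fit in {bits} bits")
    for bit in range(bits - 1, -1, -1):
        wire = min((i >> bit) & 1 for i in contenders)  # dominant level wins the wire
        contenders = [i for i in contenders if (i >> bit) & 1 == wire]
        if len(contenders) == 1:
            return contenders[0]
    # Every ID bit has been sent and more than one transmitter remains: duplicate IDs.
    return None


if __name__ == "__main__":
    frames = parse_candump(SAMPLE_LOG)
    for arb_id, group in sorted(group_by_arb_id(frames).items()):
        print(f"ID 0x{arb_id:03X}: {len(group)} frame(s), e.g. {group[0]['data'].hex()}")
    print("winner of concurrent start:", hex(arbitrate([f["arb_id"] for f in frames])))
```

The grouping step is as far as passive observation of the bus gets: the two `0C4` frames may come from one node or two, and nothing in the frame says which. The arbitration simulation shows why a low ID is also a priority claim, which matters when reasoning about a node that could starve others by transmitting continuously on a low ID.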
The overlapping processes and, in certain CPS networks, the lack of device addresses are among the reasons that many CPS tools rely on information provided by one or more CPS nodes in the network. By observing network messages processed or transmitted by specific CPS nodes, these CPS tools may be capable of deriving the underlying model of computation for that CPS with respect to a process of interest being executed by the CPS. As explained above, however, there is a need for CPS tools that evaluate the CPS based on the low-level network traffic alone, without relying on information provided by specific CPS nodes.