# IFAC blog page

#### Category: Transportaition

Remote control and sensing over wireless communication has been continuously increasing. This trend will not slow down with so much expectation for the Internet of Things. However, the spread of wireless communication can create vulnerability to various control systems as it can easily be disrupted by Denial-of-Service attacks through jamming of transmissions. In this article, we provide a brief overview on this new critical issue and the current efforts made by researchers in IFAC.

Cyber security has become an important issue for the society. Information and communication technologies are heavily incorporated in many fields and yet they are exposed to cyber-attacks that threaten financial losses, environmental damages, and disruption of services used in daily life.

Recent research indicates that industrial control systems are no exception being under threats by malicious attackers. Communication channels used for transmission of measurement and control data are vulnerable against various types of attacks.

In this article, we focus on the so-called jamming attacks, which are Denial-of-Service attacks on wireless channels. Jamming attacks are perhaps the simplest types of attacks a control system may face, but they can be very dangerous. Generating a jamming attack does not require information about the internals of the control system. By simply emitting an interference signal, a jamming attacker can effectively block the communication on a wireless channel, disrupt the normal operation, cause performance issues, and even damage the control system.

Typically jamming attacks are classified in two categories: active jamming and reactive jamming 1. An active jammer’s goal is to keep the channel busy regardless of whether the channel is being used or not. For example, the attacker can continuously send strong radio signals to increase the signal-to-noise-plus-interference ratio at the receiver side. A reactive jammer on the other hand observes the channel activity and starts jamming only when the channel is being used.

One of the key issues that make jamming attacks a big threat is that they are easy to launch. As a recent survey2 indicates, jamming devices that can target various wireless technologies including GPS, mobile communications, and Wi-Fi are already available for purchasing. It is mentioned that in the case of Wi-Fi, even special devices may not be needed as computers can be turned into jammers.

On top of this, increasing security against jamming may not always be easy. Certain types of stealthy jamming attacks can cause significant amount of failures in packet delivery on a wireless channel without being detected. One of the ways of mitigating jamming attacks is to use frequency hopping methods, where transmissions are made over a random sequence of different frequencies. But a powerful attacker can still overcome such methods3,4.

There are a few cases of jamming incidents that indicate the criticality of the issue. In 2015, cars parked near a retail store could not be unlocked remotely using key fobs, which indicated the presence of a jammer that interrupted the key fob signals5. Another much more concerning case involves an explosion of an oil pipeline. A recent report6 on the explosion of Baku-Tbilisi-Ceyhan oil pipeline in 2008 hints the possibility of cyber-attacks that involved jamming of satellite communications to prevent transmission of alerts.

It appears that jamming will remain to be a major issue. Researchers point out that the next generation air traffic communication systems7, vehicle platoons8, the satellite navigation, and the power market9 are all susceptible to jamming attacks. With the expansion of the Internet of Things, the use of wireless communications is rapidly increasing in many fields and jamming is becoming a bigger threat. This prompts an important question: How can we be prepared for jamming attacks?

Within IFAC, researchers are addressing this question from the perspective of control engineering. These efforts include:

• evaluation of the performance of existing control systems under jamming attacks, and,
• development of new systems that are resilient to jamming attacks.

We briefly introduce these lines of research below. It is interesting that these researches deal with cyber attacks, but the approaches are not based on information technology oriented methods.

In a typical wireless networked control system setup, remotely located components exchange data with each other over wireless medium. Some researchers evaluate the performance of wireless networked control systems by investigating the level of jamming that they can tolerate without having major issues such as disruption of operation. Since emitting jamming signals requires energy, it is costly to the attacker. It would be ideal if a control system can operate even under attacks from an attacker with large resources.

The challenge in evaluating the performance of a control system under jamming attacks is that we cannot know exactly when jamming attacks may start/end. Another issue is that the power of the jamming signal used by the attacker may be changing each time there is an attack. Therefore, it is also not clear how likely a transmission failure might occur when there is jamming. One of the approaches to understand the effects of jamming even in this uncertainty is to consider the worst-case scenarios that may happen.

To identify the worst case, it is of interest to explore the question: What would be the optimal strategy of the attacker? The attacker would want to disrupt the normal operation of a system without using excessive resources. For instance, in several research articles, jamming energy is considered as a constraint in the problem, and it is assumed that the attacker tries to make as much damage as possible within specified energy limits. Another approach is to consider jamming energy as a part of the attacker’s cost function in an optimization problem where the attacker tries to minimize the energy usage. Some researchers also use game-theoretic methods for understanding how optimal strategies of the attacker would relate to the optimal strategy for the transmission of the measurement and the control data.

Designing control systems that are resilient to jamming attacks is also an important research theme within IFAC. For instance, some researchers studied control systems that incorporate mechanisms to detect the presence of an attack. Furthermore, recently researchers also developed so-called event-triggered controllers to pick times of data transmissions so as to reduce the effect of jamming on the operation. If a particular transmission attempt faces a jamming attack, a new transmission time can be scheduled based on the performance requirements.

Literature on the cyber security of control systems indicates that as an attacker becomes more knowledgeable about the system, in addition to jamming, more sophisticated attacks may also become an option. The attacker can alter the data being transmitted, and in certain cases inject false data into the system without being noticed. In addition, control systems may also face replay attacks, where the attacker intercepts the transmissions and sends a valid but old measurement/control data to cause damages while still following the communication protocol.

As the risk of jamming and other types of attacks is increasing rapidly, ensuring cyber security of control systems will be a challenge of growing importance.

Article provided by:
Ahmet Cetinkaya
Ahmet Cetinkaya, Postdoctoral Research Fellow
Hideaki Ishii, Associate Professor
Tokyo Institute of Technology
IFAC TC 1.5 on Networked Systems


Traffic Control Centres (TCC) are expensive pieces of infrastructure tasked with the problem of sensing, surveying, monitoring, and actively interfering with traffic flow in road networks.

Figure 1 provides a broad overview of how a TCC operates. The controlled system is
a network of roads equipped with sensors and control effectors. Two-way flow of information from and to the field is effectuated by the IT infrastructure maintained by the TCC. Network operators are managing traffic in real time based on streams of information converging to the traffic control room. They have to decide which objectives and policies to support and how to implement them by managing the available control device.

Figure 1: schematic of a TCC.

This is a most challenging and highly complicated task, encompassing diverse hardware and software systems, which have to be operated following specific regulations and procedures, in support of policies and objectives defined by network operators or wider political bodies. The complexity of the traffic flow management problem is due to the often chaotic nature of human behaviour, the diverse needs generating the individual trips, the constraints imposed by regulations, e.g. safety, and the objectives TCC pursue, e.g. delay minimization or emissions reduction.

Different control architectures can be conceptualised for performing the same tasks. Currently, the most common architecture adopted by TCC owners is that of a centralised control structure, allowing room for decentralised operations under strong supervision. A lot of money have been invested in this kind of infrastructure resulting mostly in static networks of sensors (loop detectors, CCTV etc.) and control effectors (traffic lights, variable message signs etc.). Usually, it is within this framework that control systems for particular traffic management applications are designed.

With the advent of highly equipped vehicles and vehicle automation, Vehicle Automation and Communication Systems (VACS) are changing the system architecture of traffic management. VACS are treasure coves of information as a lot of data can be extracted that can help address a variety of needs, e.g. commercial, infotainment and traffic management. From the control engineering approach such information is of little help unless it is explicitly used for positively interfering with traffic in real time.

In this sense, VACS are becoming both the sensor and the control device. They are both the means of information collection and transmission, and of actively interfering with traffic. Operating within a highly robust, secure and high-performance communication network, static sensors and control systems will become obsolete and a memory from the past or at a best a fall-back system. Fundamentally different operational requirements are in effect compared to those of centralised architectures posing new challenges for control design of network-wide vehicular flow.

The control technology for completely automating a vehicle is largely available.
Of course there are challenges, see e.g. a previous entry in IFAC’s blog (Link here). However, going from the individual vehicle to the aggregate behaviour of several thousands of vehicles and control of their collective interaction, is an entirely different control problem and in many respects more difficult to address. A fundamental change in thinking tailored for this new road / communications infrastructure / vehicle / driver system is necessary.

Many different scenarios can be envisaged, including:

• The compulsory intervention by a TCC authority to vehicle controls. This implies that full control of the vehicle is delegated to a traffic authority. Acceleration, speed and position trajectories are decided by a higher level system supervising an area and deciding on the optimal, according to some societal notion of cost, vehicle operation. Dedicated lanes for segregating manual and autonomous vehicles could be used as well, although this is very difficult particularly for urban environments.
• Partial intervention by a TCC authority. In this case vehicle control is assumed (or partially assumed) by a traffic authority should certain conditions arise, e.g. a congested road section or around an area near the approaches of an intersection.
• Freely acting informed drivers. In this case, it is the drivers’ intelligence that takes over as a regulator of traffic under the influence of information communicated to them through an appropriate human machine interface. This scenario does not exclude the use of autonomous vehicles, but the decision of allowing a traffic authority access and control of a vehicle is left at the driver’s discretion.

#### Are you ready to give up control of your car for the sake of traffic management? Are you willing to delegate your vehicle’s control to a different authority, other than you?

Although the answer seems to be “yes” when this question arises in the context of the individual vehicle platforms, it may not be so when it is posed in the context of everyday commuting and travelling. Leaving aside institutional and legal issues, there is this question of whether people will accept losing their freedom of action operating their own car. There are situations where a “yes” or a “no” seem to be clear. When you are stuck in a solid block of congestion and you are immersed in a stop-and-go situation, it seems much preferable to either use the car as an office and work on the computer or as a TV set and watch a movie, leaving the vehicle to crawl its way to the destination. When riding in the countryside, a lot of people would respond with a “no” as they would drive manually themselves just for enjoying the experience.

But what happens when while commuting to work you believe that what is suggested or the way your vehicle is operated (lets say by a TCC) is not the best for you? It may be the best on a societal benefit level (although not necessarily so), i.e. the “common good”, but not on an individual level. Many people will answer “no” to this question, irrespective of whether we think of this as an egoistic response. Furthermore, the very notion of been forced to allow access and delegate control of an object considered private may be unacceptable by a lot of people from the general population. They cannot be neglected nor their choice be banned since they are legitimate road users. Their existence shapes the properties of the traffic flow process and hence they affect control design. In other words, there are strong cultural issues involved, which affect the efficiency of any large area traffic control design.

Designing vehicle based control systems supporting autonomous operations requires focusing primary on the individual vehicle; but designing network-wide traffic management controllers requires focusing on the broader picture of spatio-temporal traffic dynamics and on the way individual vehicles interact with other vehicles and the infrastructure. All three scenarios outlined pose daunting challenges from the technical side, even if autonomous vehicles allow us to treat them as “ballerinas” in the daily commuting dance. The scenario of freely acting informed drivers, although the most challenging of the three, seems the most appropriate, politically rewarding and easier to promote to the public.

Article provided by:
IFAC TC 7.4 (Transportation Systems)