Dynamic Watermarking: Active Defense of Networked Cyber-Physical Systems


The coming decades may see the large scale deployment of networked cyber-physical systems to address global needs in areas such as energy, water, healthcare, and transportation. However, as recent events have shown, such systems are vulnerable to cyber attacks.

Being safety critical, their disruption or misbehavior can cause economic losses or injuries and loss of life. It is therefore important to secure such networked cyberphysical systems against attacks. In the absence of credible security guarantees, there will be resistance to the proliferation of cyber-physical systems, which are much needed to meet global needs in critical infrastructures and services.

This paper addresses the problem of secure control of networked cyber-physical systems. This problem is different from the problem of securing the communication network, since cyberphysical systems at their very essence need sensors and actuators that interface with the physical plant, and malicious agents may tamper with sensors or actuators, as recent attacks have shown.

We consider physical plants that are being controlled by multiple actuators and sensors communicating over a network, where some sensors could be “malicious,” meaning that they may not report the measurements that they observe. We address a general technique by which the actuators can detect the actions of malicious sensors in the system, and disable closed loop control based on their information.

This technique, called “watermarking,” employs the technique of actuators injecting private excitation into the system which will reveal malicious tampering with signals. We show how such an active defense can be used to secure networked systems of sensors and actuators. Index Terms—Dynamic Watermarking, Networked CyberPhysical Systems, Networked Control Systems, Secure Control, Cyber-Physical Systems (CPS).


T He 21st century could well be the era of large-scale system building. Such large-scale systems are envisioned to be formed by the interconnection of many embedded devices communicating with each other, and interacting with the physical world. Their operation requires tight integration of communication, control, and computation, and they have been termed broadly as Cyber-Physical Systems (CPS).

The smart energy grid, intelligent transportation systems, internet of things, telesurgical systems, and robotics are examples of such cyber-physical systems. While the importance and benefits of cyber-physical systems require no emphasis, their sustained proliferation is contingent on some key challenges being addressed, security being a primary one.

Since CPSs have many applications in safetycritical scenarios, security breaches of these systems can haveadverse consequences including economic loss, injury and death. There have been many instances of demonstrated attacks on cyber-physical systems in the recent past [1], [2]. In Maroochy-Shire, Australia, in the year 2003, a disgruntled ex-employee of a sewage treatment corporation hacked into the computers controlling the sewage system and issued commands which led to a series of faults in the system [1], [3]. This is an insider attack, where the adversary has the necessary credentials to access and issue control commands to the system.

We will return to this point shortly. Another example is the attack on computers controlling the DavisBesse nuclear power plant in Ohio. In the year 2003, the Slammer worm, which infected about 75000 hosts in the internet in under ten minutes, also infected the computers controlling the nuclear power plant, disabling the safety monitoring systems [1]. While the Slammer worm was not designed to target the nuclear power plant, the use of commodity IT software in control systems made them vulnerable to such attacks [1]. Another pertinent example is the Stuxnet worm which, in the year 2010, exploited a vulnerability in Microsoft Windows to subvert critical computers controlling centrifuges in Iran’s uranium enrichment facility [4].

Having subverted the computers, it issued control commands that caused the centrifuges to operate at abnormally high speeds, causing them to tear themselves apart. In order to keep the attacks undetected by software-implemented alarm routines and officials in the control room, Stuxnet recorded the sensor values in the facility for twenty-one seconds before carrying out each attack, and replayed those twenty-one seconds in a constant loop during the attack. Stuxnet has been claimed to be the first known digital weapon [4], and since then, cyberwarfare has emerged as a serious concern for cyber-physical systems due to the many advantages it offers to the attacker such as allowing it to remain anonymous, attack without geographical constraints, etc. Today, the resources required to carry out such attacks on critical infrastructures are generally available [5], underlining the urgent need for the research community to pay attention to this problem.


Read the paper here