Perimeter security and air gap approaches to preventing malware disruption of industrial and infrastructure processes are challenged by the complexity of modern control systems incorporating networked heterogeneous and software-updatable components such as personal computers and programmable logic controllers. Global supply chains and proprietary third-party hardware components, tools, and software limit the reach of static design verification techniques. As a consequence, attacks such as Stuxnet have demonstrated that these systems can be surreptitiously compromised. We are developing a run-time method for process control violation prediction to enhance system resilience against configuration attacks on embedded controllers. This approach copes with either malicious or unintentional errors in any software layer of any programmable component. The run-time system includes a second instance of the active controller connected to a model of the plant, giving a short-term projection of future controller actions and process state. To maintain convergence with the physical system, the model's state is periodically synchronized with the plant's state. The predictor is combined with run-time guards implemented in a configurable hardware-anchored root-of-trust to quickly detect when the projected process state violates specifications. Aberrant event- or time-triggered controller behavior is anticipated before it affects the physical process, allowing preemptive switchover to a minimal and static stability-preserving controller. A productive model-based design flow is being extended to synthesize the active and backup controllers, prediction module, and specification guards into a single commercially-available chip. The root-of-trust can be formally verified due to its hardware implementation and independence.
