textTest.txt
Toward a Cyber-Physical Security Framework for Autonomous Laboratories

Principal Investigator: Prof. Tonio Buonassisi, Mechanical Engineering, MIT, buonassisi@mit.edu, 617-324-5130
Co-Investigator: Prof. John Williams, Civil & Environmental Engineering, MIT, jrw@mit.edu, 857-998-0033
Co-Investigator: Prof. Navid Azizan, Mechanical Engineering, MIT, azizan@mit.edu, XXX-XXX-XXXX
Lead Institution Authorized Organizational Representative: Marissa Clarkson, Team Manager, Grant & Contract Administration, MIT, 77 Mass. Ave. NE18-901, Cambridge, MA 02139, mclarkso@mit.edu, 617-324-5382
Lead Institution Grant Administrator: Sagena Shaba, Financial Officer, MIT, 77 Mass. Ave. 1-107, Cambridge, MA 02139, sshaba@mit.edu, 617-324-3874

Abstract [TB1]:
Project Description [TB2]:

Background & Motivation: So-called "self-driving laboratories" are accelerating research by more than 10x in both industrial and academic settings [REF [TB3]]. Self-driving labs achieve this acceleration by combining hardware (e.g., high-throughput experimentation) and software (e.g., an ML-guided acquisition function) into a closed loop, effectively removing the human decision-maker from the loop for many cycles of learning. These laboratories can synthesize a diverse array of small molecules, polymers, nanoparticles, and inorganic compounds, making them ideal platforms for drug and materials discovery. As their capabilities increase and the technology proliferates, we predict that such platforms will increasingly become targets for attackers using both traditional and AI-based adversarial attacks. A recent experiment at http://geospatial.mit.edu found that a freshly installed computer placed on the MIT network attracted over 25,000 port scans in twelve hours, plus several thousand more serious intrusion attempts. Internet-wide scanners such as ZMap and masscan (shipped in penetration-testing distributions such as Kali Linux) can probe every routable IPv4 address in minutes. When such interconnected cyber systems are empowered to drive physical hardware that can synthesize custom organic and inorganic materials on command, the cyber-physical security of those systems demands careful thought.
Research and development systems, as well as larger manufacturing systems, have been targets of cyberattacks including (1) espionage (e.g., Gary Min at DuPont), (2) machine-in-the-middle (MITM) attacks (e.g., the shaDII attack on ), (3) ransomware (e.g., the DoppelPaymer attack on Visser Precision, which resulted in the theft of a Lockheed Martin schematic for a missile antenna, or the LockerGoga attack on Norsk Hydro, with an estimated cost of $75M), and (4) sabotage (e.g., Stuxnet against the Iranian nuclear program).

Goal: The goal of this proposal is to develop a cyber-physical security framework for autonomous laboratories.

Project Relevance to AI to Transform Cybersecurity and Secure: AI is woven into this project in two ways. First, the targets of attack are autonomous labs, which contain a hierarchy of ML-driven control systems. Second, the attack vectors may be partly or wholly guided by AI, given the speed of decision-making and the computation-enabled autonomy of such systems. The proposed team already has significant experience developing ML-driven intrusion detection systems for both IT and OT networks. Human "slow-tick" decision-makers remain necessary in these "fast-tick" environments, but it is equally clear that "fast-tick" ML defenders will be needed at each stage of the kill chain. The findings of this work may more broadly benefit autonomous labs by preventing intentional misuse (e.g., an authorized user attempts to synthesize a controlled substance) and unintentional accidents (e.g., an authorized user sets in motion a materials-discovery effort that unintentionally creates a poison or explosive).

Critical Infrastructure: The class of critical infrastructure studied in this project is autonomous laboratories. These are closely related to other ML-guided systems, including ML-guided manufacturing (including mass-customized manufacturing) and autonomous vehicles (land, sea, and air).
The specific testbed for this project is an autonomous laboratory at MIT. This system, code-named "Archerfish," is an inkjet printing device capable of creating 600 droplets of unique composition per minute. The platform works with liquids over a range of viscosities. To minimize the risk of human harm, two modes of operation will be studied: (1) for formulation chemistry (i.e., simple linear, non-reactive precursor mixing), water with colored food dyes will be used; (2) for reaction chemistry (i.e., non-linear chemical reactions in which new compounds are created), we envision combining simple FDA-approved edible ingredients (e.g., vinegar and baking soda). These harmless reactions serve as proxies for a real scientific discovery process.

Figure 1. CAD (left) and photo (right) of the "Archerfish" autonomous lab at MIT, which mixes multiple precursors together at an ink-jet-like head onto a platen and optically measures the results. Both linear (formulation) and non-linear (chemical reaction) precursor mixing can be explored with this system. Only safe (food dyes, FDA-approved) ingredients will be explored in this study.

The decision-making agent within an autonomous laboratory is often a machine-learning algorithm, or a hybrid ML-human agent. An example of Archerfish's control loop is shown below, optimizing for droplet uniformity and spacing.

Figure 2. Example control loop for an autonomous research laboratory, from [REF [TB4]].
The decision policy (shown in red), an ML algorithm, tunes input liquid precursor ratios and processing parameters (pressure, speed, ...) to maximize a user-specified output (usually a camera-based measurement, e.g., droplet shape and size distribution, an optical property, ...).

Project Methodology: In this project we ask: "How can the threat of intentional or unintentional misuse of autonomous research equipment, from within or outside the organization, be detected and neutralized?" We propose to test methods that increase these tools' immunity to adversarial attacks, recognize patterns indicative of misuse or attack, and prevent harmful recipe suggestions from being synthesized in practice. [TB5] We then intend to apply inductive reasoning to develop a framework for the detection and prevention of cyberattacks against autonomous laboratories more generally.

The kinds of adversarial attacks to be considered include:
1) FGSM (Fast Gradient Sign Method)
2) BIM (Basic Iterative Method)
3) PGD (Projected Gradient Descent)
4) DeepFool
5) C&W (Carlini and Wagner)
6) ZOO (Zeroth-Order Optimization)
7) EAD (Elastic-Net Attack)
8) Universal (universal adversarial perturbations)
9) Houdini
10) UPSET & ANGRI

Attacks are commonly classified as "white box" (the attacker knows the model and can compute its gradients) or "black box" (the attacker can only submit inputs and observe outputs). Even black-box attacks are surprisingly easy to execute given the ability to send inputs and monitor outputs; attacks such as ZOO estimate the gradient from output scores alone.
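To make the white-box versus black-box distinction concrete for the control loop described above, the following is an added example (it is not code from the proposal or from the Archerfish platform). It attacks a toy "is this droplet acceptable?" classifier of the kind that sits behind the camera measurement: FGSM and the iterative BIM/PGD variant use the model's gradient directly, while the ZOO-style attack sees only the output probability and estimates the gradient by querying. The classifier (a logistic regression), its weights, the four-feature layout and the sample measurement are all constructed for illustration; the point is that a small, bounded perturbation of the measurement is enough to flip the decision.

```python
"""Added example, not part of the proposal: white-box FGSM and PGD (BIM/PGD
family) plus a score-only black-box attack against a toy logistic-regression
"droplet acceptable?" classifier.  Pure Python, runs offline.  Model weights,
feature layout and the sample measurement are constructed, not taken from the
Archerfish lab."""
import math

# Hypothetical camera-derived features, each scaled to [0, 1]:
# [droplet diameter, circularity, spacing uniformity, edge sharpness]
WEIGHTS = [2.0, 3.0, 2.5, 1.5]   # constructed model parameters
BIAS = -4.0
X_CLEAN = [0.7, 0.7, 0.7, 0.6]   # constructed measurement of a good droplet
Y_TRUE = 1                       # 1 = acceptable, 0 = reject


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_prob(x):
    """P(acceptable | x) for the toy logistic-regression classifier."""
    return sigmoid(sum(w * xi for w, xi in zip(WEIGHTS, x)) + BIAS)


def loss(x, y):
    """Binary cross-entropy of the prediction against label y."""
    p = predict_prob(x)
    return -(y * math.log(p) + (1 - y) * math.log(1 - p))


def sign(v):
    return (v > 0) - (v < 0)


def clip01(x):
    """Keep every feature inside the physically valid [0, 1] range."""
    return [min(1.0, max(0.0, v)) for v in x]


def input_gradient(x, y):
    """d loss / d x for logistic regression: (p - y) * w.  Needs white-box access."""
    p = predict_prob(x)
    return [(p - y) * w for w in WEIGHTS]


def fgsm(x, y, eps):
    """Fast Gradient Sign Method: a single step of size eps along sign(grad)."""
    return clip01([xi + eps * sign(gi) for xi, gi in zip(x, input_gradient(x, y))])


def pgd(x, y, eps, alpha, steps):
    """BIM/PGD: repeated steps of size alpha, each projected back onto the
    L-infinity ball of radius eps around x and then onto the valid range."""
    adv = list(x)
    for _ in range(steps):
        adv = [a + alpha * sign(gi) for a, gi in zip(adv, input_gradient(adv, y))]
        adv = [min(xi + eps, max(xi - eps, a)) for xi, a in zip(x, adv)]  # project
        adv = clip01(adv)
    return adv


def zoo_style_attack(x, y, eps, delta=1e-3):
    """Black-box, score-only attack in the spirit of ZOO: the attacker never
    reads WEIGHTS, only predict_prob() outputs, and estimates the gradient by
    central finite differences (two queries per feature) before an FGSM step."""
    grad = []
    for i in range(len(x)):
        up, down = list(x), list(x)
        up[i] += delta
        down[i] -= delta
        grad.append((loss(up, y) - loss(down, y)) / (2 * delta))
    return clip01([xi + eps * sign(gi) for xi, gi in zip(x, grad)])


def linf_distance(a, b):
    """Size of the perturbation as the attacker's budget is usually measured."""
    return max(abs(ai - bi) for ai, bi in zip(a, b))


if __name__ == "__main__":
    for name, adv in [("FGSM", fgsm(X_CLEAN, Y_TRUE, 0.3)),
                      ("PGD", pgd(X_CLEAN, Y_TRUE, 0.3, 0.05, 10)),
                      ("ZOO-style", zoo_style_attack(X_CLEAN, Y_TRUE, 0.3))]:
        print(f"{name:10s} P(acceptable) {predict_prob(X_CLEAN):.3f} -> "
              f"{predict_prob(adv):.3f}, L_inf shift {linf_distance(X_CLEAN, adv):.2f}")
```

On a linear model all three attacks end up at the same corner of the eps-ball, which is why the score-only attacker loses nothing by not knowing the weights; for a deep network the finite-difference estimate is noisier and costs many more queries, but the query budget is the only thing standing between a black-box attacker and the white-box result. A budget of eps = 0.1 on the same input does not flip the decision, which is the kind of measured robustness margin a defender wants to know.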
Of course, defenses are getting better too.

Suggested directions to pursue:

Themes:
• Safeguard autonomous research equipment (both industrial and academic/national-lab facilities) from adversarial attacks, which could involve both data theft and hijacking (e.g., synthesis of explosives, poisons, or narcotics).
• Safeguard against intentional and unintentional misuse of autonomous research equipment (e.g., synthesis of explosives, poisons, or narcotics).
• Add an ethics dimension to any of the above (including monitoring and prevention of bias, in various forms).

Tools / Methods / Approaches:
• "Attack augmentation" as a learning strategy: To generate adversarial attacks, explore using customized generative-design tools (e.g., genetic algorithms, VAE latent-space sampling, ...) to evolve or hybridize known adversarial strategies into new approaches; most of these will probably fail, but some may succeed. Ethics note: the intent is not to develop new adversarial strategies for their own sake, but to boost the immunity of existing systems through a form of attack augmentation, in the same spirit as adversarial training.
• Leverage "similarity indices" to identify unseen attack strategies or patterns of behaviour.
• Develop "risk parameters" and "anomaly detection methods," computed in parallel with the performance-enhancing parameters, that trigger human review of potentially hazardous compounds before they are synthesized.

Expected Research Accomplishments: Develop a cybersecurity framework for autonomous labs.

Criteria for Success: Depends on our focus in the "Project Methodology" section, but successful detection of and defense against a defined set of attacks seems like the most obvious criterion.

Approach Novelty and Likelihood of Success: To our knowledge, no systematic cyber-physical-security investigation of autonomous labs has been conducted.

Research Team Related Prior Accomplishments: Suggestions
MIT Geospatial Data Center, http://geospatial.mit.edu
SAFFRON: Situational Awareness Framework for Cyber Security Event Prediction and Quantification

Computational Challenges and Resources Needed: Azure Cloud

Suggested Reviewers: Suggestions
Hai Ning, AWS Technical Program Managers and Big Data/ML Solution Architects in our Cambridge, MA office, previously with Microsoft, https://www.linkedin.com/in/ninghai
Ted Wagner, Vice President and Chief Information Security Officer at SAP National Security Services
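The "risk parameters" and "anomaly detection methods" bullet under Tools / Methods / Approaches above describes a check that runs beside the decision policy and routes suspicious recipes to a human. The following is an added example of such a pre-dispatch recipe gate; it is not code from the proposal or from the Archerfish platform. Every recipe the policy proposes passes through deterministic hard rules (known precursors only, a dispenser volume cap, a cap on a reactive pair) and then a per-precursor z-score against the history of previously approved recipes; rule violations are rejected outright, out-of-distribution volumes go to human review, and only routine recipes are dispatched. The precursor names, the limits, the z-score threshold and the recipe history are all constructed for illustration, with the edible proxies from the testbed standing in for genuinely hazardous chemistry; in a real deployment the hard rules would come from the facility's chemical-compatibility and safety tables.

```python
"""Added example, not part of the proposal: a pre-dispatch recipe gate that
combines hard safety rules with a simple anomaly score against approved
history, and escalates to a human before hardware executes anything unusual.
All names, limits, thresholds and history entries are constructed."""
import math
from dataclasses import dataclass, field

# --- hard constraints (hypothetical) -----------------------------------------
MAX_TOTAL_UL = 200.0                                           # dispenser cap per batch
REACTIVE_PAIRS = {frozenset({"vinegar", "baking_soda"}): 20.0}  # combined-volume cap
KNOWN_PRECURSORS = {"water", "vinegar", "baking_soda", "red_dye", "blue_dye"}

# --- anomaly threshold: |z| above this on any precursor triggers human review --
Z_REVIEW = 3.0


@dataclass
class Decision:
    action: str                      # "dispatch", "human_review" or "reject"
    reasons: list = field(default_factory=list)


def hard_checks(recipe):
    """Deterministic rules.  Returns the list of violations (empty means pass)."""
    violations = []
    unknown = set(recipe) - KNOWN_PRECURSORS
    if unknown:
        violations.append(f"unknown precursor(s): {sorted(unknown)}")
    if any(v < 0 for v in recipe.values()):
        violations.append("negative volume")
    total = sum(recipe.values())
    if total > MAX_TOTAL_UL:
        violations.append(f"total volume {total:.0f} uL exceeds {MAX_TOTAL_UL:.0f} uL")
    for pair, cap in REACTIVE_PAIRS.items():
        if pair <= set(recipe):
            combined = sum(recipe[p] for p in pair)
            if combined > cap:
                violations.append(
                    f"reactive pair {sorted(pair)} at {combined:.0f} uL > {cap:.0f} uL cap")
    return violations


def anomaly_scores(recipe, history):
    """Per-precursor z-scores against the mean/std of approved recipes.
    A precursor absent from a history entry counts as 0 uL, so a precursor the
    lab has never dispensed scores as far from the mean as its volume."""
    scores = {}
    n = len(history)
    for name in recipe:
        vals = [h.get(name, 0.0) for h in history]
        mean = sum(vals) / n
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / n)
        std = max(std, 1.0)  # floor: a constant history must not yield an infinite z
        scores[name] = (recipe[name] - mean) / std
    return scores


def gate(recipe, history):
    """Decide what happens to a policy-proposed recipe before dispatch."""
    violations = hard_checks(recipe)
    if violations:
        return Decision("reject", violations)
    flagged = {k: round(z, 2) for k, z in anomaly_scores(recipe, history).items()
               if abs(z) > Z_REVIEW}
    if flagged:
        return Decision("human_review",
                        [f"out-of-distribution volumes (|z| > {Z_REVIEW}): {flagged}"])
    return Decision("dispatch")


# Constructed history of previously approved dye-mixing recipes, volumes in uL.
HISTORY = [
    {"water": 90.0, "red_dye": 6.0, "blue_dye": 4.0},
    {"water": 88.0, "red_dye": 8.0, "blue_dye": 4.0},
    {"water": 92.0, "red_dye": 5.0, "blue_dye": 3.0},
    {"water": 85.0, "red_dye": 9.0, "blue_dye": 6.0},
    {"water": 95.0, "red_dye": 3.0, "blue_dye": 2.0},
    {"water": 89.0, "red_dye": 7.0, "blue_dye": 5.0},
]

if __name__ == "__main__":
    for r in [{"water": 90.0, "red_dye": 6.0, "blue_dye": 4.0},        # routine
              {"water": 60.0, "red_dye": 35.0, "blue_dye": 5.0},       # policy drifted
              {"water": 90.0, "vinegar": 5.0, "baking_soda": 5.0},     # new but within caps
              {"water": 50.0, "vinegar": 60.0, "baking_soda": 60.0}]:  # hijacked / hazardous
        d = gate(r, HISTORY)
        print(d.action, d.reasons)
```

Two design points matter here. The hard rules run first and cannot be outvoted by a low anomaly score, because an attacker who has poisoned or slowly drifted the history can make a hazardous recipe look statistically normal, while the volume and compatibility caps are independent of the data. Conversely, a recipe that is within every cap but uses a precursor the lab has never dispensed still goes to a human, which is exactly the "authorized user sets in motion something unintended" case the proposal describes.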
C3 AI Suite and Computing Platform Plan: 1 page [TB6]

Bibliography: 3 pages [TB7]
John Williams, MIT Applied Cyber Security Summer Course, https://professional.mit.edu/programs/faculty-profiles/john-r-williams

Key Personnel: 3 pages [TB8]
* List of key people
* 100-word biosketches for each key person
* Links to full CV

Budget and Budget Justification: 2 pages [TB9]
* Research personnel & E&B
* Administrative support & E&B
* Travel
* Materials & Supplies
* Other & Miscellaneous

C3DTI DevOps Support (optional): 1 page [TB10]

Comments:
[TB1] Maximum 250 words.
[TB2] Max 5 pages.
[TB3] https://www.cell.com/matter/pdf/S2590-2385(21)00306-4.pdf
[TB4] https://doi.org/10.1021/acsami.1c19276
[TB5] Colleagues, I suggested these because they seem the most obvious attack vectors that are unique to autonomous labs (and systems). But I'm no expert. Your thoughts?
[TB6] Please provide a plan for how the C3 AI Suite tools and the Azure cloud computing platform will be used to solve the computational challenges on your proposed project.
[TB7] Please provide citations to all references in your proposal. There is no set format for citations.
[TB8] Please provide a list of Key Personnel and brief (~100 word) biographical sketches for each person. Key Personnel should include the Principal Investigator, Co-Investigators, and other Senior Researchers. Links to full CVs for Key Personnel are allowed.
[TB9] Please provide a budget and a short (one page maximum) budget justification. Research Awards made from this solicitation must be used for direct costs only and no indirect costs or institutional overhead may be charged. The following budget items should be included: This should include the cost and amount of time for faculty, students, postdoctoral scholars, and technical staff. Benefit costs are allowable. A modest amount of project-related administrative support may be included if it is needed to conduct the proposed work. This should include the cost and time of administrative staff. Benefit costs are allowable.
[TB10] This section is optional. If relevant, please provide information on expected requests for assistance from the C3DTI Development Operations (DevOps) staff on the proposed project.