Volume 15 Number 3
June 2018
Taouba Rhouma, Karim Chabir and Mohamed Naceur Abdelkrim. Resilient Control for Networked Control Systems Subject to Cyber/Physical Attacks. International Journal of Automation and Computing, vol. 15, no. 3, pp. 345-354, 2018. doi: 10.1007/s11633-017-1059-x

Resilient Control for Networked Control Systems Subject to Cyber/Physical Attacks

Author Biography:
  • Karim Chabir received the B.Eng. degree in electrical engineering and automatic engineering from The Higher School of Sciences and Technology of Tunis (ESSTT), Tunisia in 2003, the M.Sc. degree in automatic and intelligent techniques from the National Engineering School of Gabes, Tunisia in 2006, and the Ph.D. degree in automatic control from Henri Poincare University, France in 2011. The research works were carried out at the Research Centre for Automatic Control of Nancy (CRAN) and at the Research Unit of Modelling, Analysis and Control Systems of the National Engineering School of Gabes. He was a member of the dependability and system diagnosis group (SURFDIAG). He was a secondary school teacher of Gabes from 2003 to 2007, where he was also an assistant professor in the Faculty of Science of Gabes from 2007 to 2011. He is now assistant professor at the National Engineering School of Gabes (ENIG), Tunisia.
       His research interests include model-based fault diagnosis and fault-tolerant control with emphasis on networked control systems.
       E-mail: karim.chabir@yahoo.fr
       ORCID iD: 0000-0002-2377-7205

  • Mohamed Naceur Abdelkrim received the B.Sc. degree in electrical construction in 1980, and the M.Sc. degree in electrical construction in 1981 from the High Normal School of Technical Education of Tunis, Tunisia. He also received the Ph.D. degree in automatic control from the National School of Engineers of Tunis, Tunisia in 2003. He began teaching in 1981 at the National School of Engineers of Tunis and since 2003, he has been a professor of automatic control at the National School of Engineers of Gabes, Tunisia. He is currently the head of the research unit on Modeling, Analysis and Control of Systems (MACS), Tunisia.
       His research interests include diagnosis, optimal control, robust control and robotics.
       E-mail: naceur.abdelkrim@enig.rnu.tn

  • Corresponding author: Taouba Rhouma received the B.Eng. degree in electrical-automatic engineering from the National Engineering School of Gabes (ENIG), Tunisia in 2013. Since then, she has been a Ph.D. candidate in electrical engineering at Modeling, Analysis and Control of Systems Laboratory (MACS), Tunisia.
       Her research interests include fault detection and diagnosis of networked control systems.
       E-mail: taouba.rhouma@gmail.com (Corresponding author)
       ORCID iD: 0000-0002-3763-212X
  • Received: 2016-02-24
  • Accepted: 2016-07-08
  • Published Online: 2017-08-07
Fund Project:  This work was supported by the Ministry of the Higher Education and Scientific Research in Tunisia


Abstract: In this paper, we investigate a resilient control strategy for networked control systems (NCSs) subject to zero dynamic attacks which are stealthy false-data injection attacks that are designed so that they cannot be detected based on control input and measurement data. Cyber resilience represents the ability of systems or network architectures to continue providing their intended behavior during attack and recovery. When a cyber attack on the control signal of a networked control system is computed to remain undetectable from passive model-based fault detection and isolation schemes, we show that the consequence of a zero dynamic attack on the state variable of the plant is undetectable during attack but it becomes apparent after the end of the attack. A resilient linear quadratic Gaussian controller, having the ability to quickly recover the nominal behavior of the closed-loop system after the attack end, is designed by updating online the Kalman filter from information given by an active version of the generalized likelihood ratio detector.

  • With the rapid advancements of technology and novel control strategies, networked control systems (NCSs) have been at the core of infrastructure systems and industrial plants[1]. NCSs are spatially distributed systems consisting of actuators, sensors, and controllers, the operations of which are coordinated by the exchange of information passed over a communication network as illustrated in Fig. 1.

    Figure 1.  Block diagram of cyber-physical systems

    Several results on estimation, analysis and controller synthesis for NCSs have been discussed in [2]. Transport systems, electrical power systems, chemical processes, water and gas distribution networks, manufacturing and transportation networks can be considered as examples of application areas of cyber-physical systems (CPSs). A CPS is an integration of communication capabilities, computational resources and physical processes. Such systems are often large-scale distributed physical processes, although not necessarily always large, and can be monitored and controlled by supervisory control and data acquisition (SCADA) software, which can be critical to system operation[3] in various infrastructures.

    The design of control systems taking into account the effects of packet losses and packet delays for NCSs has been presented in [4]. Besides several network-induced effects such as time-delays and packet losses, NCSs become vulnerable to cyber-physical attacks incorporating cyber and physical activities into a malicious attack. Recently, a sharp rise in the number of cyber attacks has been reported. Consequently, many researchers have shown a great concern for the analysis of vulnerabilities of NCSs integrating physical processes, computational resources, and communication capabilities to external attacks[5, 6]. For instance, in [7] denial of service (DoS) attacks against a networked control system are defined as attacks in which the adversary prevents the controller from receiving sensor measurements or the plant from receiving the control law. In [8-10], deception attacks (also called false data injection attacks) are introduced, in which the adversary sends false information on sensors or actuators. Replay attacks, in which the adversary generates artificial measurement delays, are discussed in [11]. The effects of covert attacks against control systems, in which the adversary takes control of the plant, are investigated in [12]. Direct physical attacks on the plant (including sensors and actuators), which are close to traditional faults, are taken into account by fault detection and isolation (FDI) techniques.

    After having represented an NCS under attack as a linear time-invariant system subject to target and nuisance faults[13, 14], the detection problem of coordinated attacks in CPS seems to be closely related to the detection problem of multiple component, sensor or actuator faults from traditional model-based FDI schemes[15-18], but there exists a significant difference: multiple faults are considered as a phenomenon which occurs randomly on actuators, sensors or communication channels, while a coordinated attack is an intentional action designed by adversaries to remain undetectable. In this new context, it is necessary to design an active FDI scheme, as explained in [19], having the ability to detect the presence of coordinated attacks. This paper considers a special covert attack called zero dynamic attack[20], designed by using the output-nulling controlled invariant subspace in geometric control theory. In other words, zero dynamic attacks are stealthy false-data injection attacks that are constructed so that they cannot be detected based on control input and measurement data. Keller et al.[21, 22] presented a detection scheme to destroy the stealthy attack strategy of the adversary by modifying the system's structure or by triggering data losses on the control signals due to unreliable communication networks. When the attacker and the defender both consider the same model of the plant, the only chance to detect the attack is to assume the existence of defensive actions forcing the adversary to perform the malicious activity in a limited period of time[23]. After having represented a cyber-physical system under zero dynamic attack of finite duration as a linear time-invariant system subject to two sequential pulses, this paper shows that the attack end cannot remain stealthy and proposes to detect this event from an active version of the generalized likelihood ratio (GLR) test developed in [24].

    Conventional active fault-tolerant control systems (FTCS) have the ability to accommodate component failures automatically from a controller reconfiguration mechanism driven by the FDI results, see [25] and references therein. Consequences of undetected coordinated attacks on active FTCS are potentially catastrophic in safety-critical systems. Nuclear power plants and chemical plants can be considered as examples of these safety-critical systems. Consequently, it is also necessary to design active FTCS capable of tolerating potential coordinated attacks to enforce the overall system stability and survivability at the occurrence of such attacks. A zero dynamic attack is designed to be stealthy to any anomaly detectors with respect to any observer-based controllers. This paper presents an active FTCS having the ability to quickly recover the behavior of the nominal linear quadratic Gaussian (LQG) controller after the end of the attack. The obtained controller, including the nominal LQG controller, the active GLR test and the Kalman filter working in closed-loop with the FDI results, will be called a resilient LQG controller, in reference to the various definitions of resilience used in different areas of science. Resilience in computing science represents the ability of a system or network architecture to recover normal operation after a brutal crash. Recently, the concept of resilient control of NCS against denial-of-service attacks has been proposed in [26-28], but only a few works have tackled cyber resilience for NCSs under zero dynamic attacks.

    The paper is organized as follows: Section 2 presents a stealthy attack scheme close to covert attack that a malicious agent can use to successfully realize the attack without being detected. Section 3 investigates a resilient defense strategy that a defender can use to quickly recover the nominal behavior of the NCS. Obtained results are proved through an illustrative example presented in Section 4. Conclusion follows in Section 5.

  • In this Section, we formulate the cyber/physical attack detection problem in networked control systems described by a physical plant and communication network, an LQG controller and an anomaly detector as illustrated in Fig. 2.

    Figure 2.  NCS under attack with LQG controller

    The plant is represented by the following linear discrete-time stochastic system

    $ {x_{k + 1}} = A{x_k} + Bu_k^{} + {w_k} $

    (1a)

    $ y_k^{} = C{x_k} + {\varepsilon_k} $

    (1b)

    where ${x_k} \in {\textbf{R} ^n}$, $u_k^{} \in {\textbf{R} ^q}$ and $y_k^{} \in {\textbf{R} ^m}$ are the state, input and measurement vectors, ${w_k} \in {\textbf{R} ^n}$ and ${\varepsilon_k} \in {\textbf{R} ^m}$ are zero mean uncorrelated Gaussian random sequences with

    $ \textrm{E}\left\{ \left[ \begin{array}{c} w_k \\ \varepsilon_k \end{array} \right] \left[ \begin{array}{c} w_j \\ \varepsilon_j \end{array} \right]^{\textrm{T}} \right\} = \left[ \begin{array}{cc} W & 0 \\ 0 & V \end{array} \right] \delta_{k, j}, \qquad W \succeq 0, ~~ V > 0. $

    (2)

    The initial state $ {x_0} $, assumed to be uncorrelated with $ {w_k} $ and $ {\varepsilon_k} $, is a Gaussian random variable with $ \textrm{E}\left\{ {{x_0}} \right\} = {\bar x_0} $ and $ {P_0} = \textrm{E}\left\{ {({x_0} - {{\bar x}_0}){{({x_0} - {{\bar x}_0})}^{\textrm{T}}}} \right\} \succeq 0 $. The pair $(A, C)$ is detectable, $(A, B)$ is stabilizable and rank$(\left[{\begin{array}{*{20}{c}} {Iz-A} & {-B} \\ C & 0 \\ \end{array} } \right]) = n + q$ for almost all $z$.

    Under no attack (${u_k} = \bar u_k^{}$), the model of the plant viewed by the controller is described by

    $ {\bar x_{k + 1}} = A{\bar x_k} + B{\bar u_k} + {w_k} $

    (3a)

    $ y_k^{} = C{\bar x_k} + {\varepsilon_k} $

    (3b)

    and the nominal control law of the infinite horizon LQG controller solution to

    $ J = \min \mathop {\lim }\limits_{T \to \infty } \textrm{E}\left\{ {\frac{1}{ T}\left[{\sum\limits_{k = 0}^{T-1} {\bar x_k^{\rm T}Q{{\bar x}_k} + \bar u_k^{\rm T}R\bar u_k^{}} } \right]} \right\} $

    (4a)

    where the controller design parameters $Q\succeq0$ and $R>0$, is given by

    $ \bar u_k^{} = - L{\widehat{\overline{x}}_{k/k}} $

    (4b)

    with

    $ L = {({B^{\rm T}}SB + R)^{ - 1}}{B^{\rm T}}SA $

    (4c)

    $ S = {A^{\rm T}}SA + Q - {A^{\rm T}}SB{({B^{\rm T}}SB + R)^{ - 1}}{B^{\rm T}}SA $

    (4d)

    where ${\widehat{\overline{x}}_{k/k}}$ is the minimum variance unbiased state estimate of the plant under no attack generated by the Kalman filter

    $ \widehat{\overline{x}}_{k/k}^{} = \widehat{\overline{x}}_{k/k - 1}^{} + K_k^{}({y_k} - C\widehat{\overline{x}}_{k/k - 1}^{}) $

    (5a)

    $ \bar P_{k/k}^{} = (I - K_k^{}C)\bar P_{k/k - 1}^{}{(I - K_k^{}C)^{\rm T}} + K_k^{}VK_k^{\rm T} $

    (5b)

    $ K_k^{} = \bar P_{k/k - 1}^{}{C^{\rm T}}{(C\bar P_{k/k - 1}^{}{C^{\rm T}} + V)^{ - 1}} $

    (5c)

    $ \widehat{\overline{x}}_{k + 1/k}^{} = A\widehat{\overline{x}}_{k/k}^{} + B\overline{u}_k $

    (5d)

    $ \bar P_{k + 1/k}^{} = A\bar P_{k/k}^{}{A^{\rm T}} + W $

    (5e)

    with $\widehat{\overline{x}}_{0/ - 1}^{} = {\bar x_0}$ and $\bar P_{0/ - 1}^{} = {P_0}$.

    Assume for simplicity that the plant has one real unstable invariant zero $\lambda$ so that

    $ \textrm{rank}\left(\left[ {\begin{array}{*{20}{c}} {I\lambda - A}&{ - B} \\ C&0 \\ \end{array} } \right]\right) = n + q - 1 \quad {\rm with} \quad \left| \lambda \right| > 1 $

    (6)

    and $\lambda \notin sp(A)$ where $sp(A)$ represents the eigenvalues of $A$. The false data injection $a_k$ can cause catastrophic damage to the plant while remaining undetectable by a standard FDI scheme applied to the Kalman filter's innovation sequence $\gamma _k^{} = {y_k} - C\hat{\bar{x}}_{k/k - 1}^{}$.

    The attacker may prefer to perform the malicious activities within a short period of time due to resource limits. Assume that the attack window of the adversary can be limited to a false data injection during $\tau$ periods of time. Let us assume that the adversary launches the attack during the period $\tau=[k_0, k_f]$, where $k_0$ is the instant at which the attack begins and $k_f$ is the instant at which it ends. By representing the beginning and the end of a stealthy zero dynamic attack as two sequential pulses acting on the attack-free system (3), we show that the beginning of the attack is undetectable but its end can be detected. To quickly recover the nominal behavior of the LQG controller after the end time of the attack, Section 3.2 proposes an autonomous resilient LQG control strategy obtained by updating online the Kalman filter (5) from information given by a GLR detector designed on the Kalman filter's innovation sequence.

  • Let us assume that the malicious agent can realise a particular deception attack $a_k$, called zero dynamic attack[20] on the control signals, at the intrusion time $k_0$. We suppose that to compute the appropriate attack policy, the attacker has access to the detailed model of the system.

    Definition 1. In deception attacks, the adversary compromises the integrity of the data received by the actuator or the sensor. The goal is to make the control signals or the sensor measurements differ from their real values by sending false information from controllers or sensors. The false information can be a wrong sender identity, an incorrect sensor measurement, a false control input or an untrue time at which a measurement is observed.

    When the false data sequences ${a_k} \ne 0$, $\forall k \succeq k_0$, are added by the attacker on the control signal transmitted by the controller to the plant, the control signal received by the plant is ${u_k} = \bar u_k^{} + {a_k}$, and the model of the plant viewed by the controller becomes

    $ {x_{k + 1}} = A{x_k} + B\bar u_k^{} + B{a_k} + {w_k} $

    (7a)

    $ y_k^{} = C{x_k} + {\varepsilon_k}. $

    (7b)

    The model of the plant under no attack is expressed as ${x_k} = {\bar x_k} + \Delta x_k^a$ and ${y_k} = C{\bar x_k} + \Delta y_k^a$, where the additive consequences of the attack, $\Delta x_k^a$ and $\Delta y_k^a$, $\forall k\succeq k_0$, are described by

    $ \Delta x_{k + 1}^a = A\Delta x_k^a + B{a_k} $

    (8a)

    $ \Delta y_k^a = C\Delta x_k^a $

    (8b)

    with $\Delta x_{k_0}^a = 0$.

    When the adversary knows the state model of the plant, a particular deception attack ${a_k} = - \Sigma \Delta \tilde x_k^a$, called zero dynamic attack, can be designed from the following autonomous system:

    $ \Delta \tilde x_{k + 1}^a = (A - B \Sigma)\Delta \tilde x_k^a $

    (9a)

    $ \Delta \tilde y_k^a = C\Delta \tilde x_k^a $

    (9b)

    initialised with $\Delta \tilde x_{k_0}^a$ close to $\Delta x_{k_0}^a$. Otherwise, if it is equal to zero, then ${a_k} = 0$, $\forall k \succeq k_0$.

    The stealthy strategy of the adversary consists of determining $\Sigma$ so that

    $ \Delta \tilde y_k^a = 0,\;\;\forall k \succeq {k_0} $

    (10a)

    $ \mathop {\rm lim}\limits_{k \to \infty } \left| {\Delta \tilde x_k^a} \right| \to \infty $

    (10b)

    with $\Delta \tilde x_{k_0}^a$ close to zero.

    Under (6), there exist $\xi$ and $g$ solution to

    $ \left[ {\begin{array}{*{20}{c}} {I\lambda - A}&{ - B}\\ C&0 \end{array}} \right]\left[ {\begin{array}{*{20}{c}} \xi \\ g \end{array}} \right] = 0 $

    (11a)

    $ {\rm{or \;equivalently}} \left[{\begin{array}{*{20}{c}} {I\lambda-(A-B \Sigma)}&{-B} \\ C&0 \\ \end{array} } \right]\!\left[{\begin{array}{*{20}{c}} \xi \\ {g-\Sigma \xi } \\ \end{array} } \right] \!= 0. $

    (11b)

    Under $g = \Sigma \xi $, (11b) gives $(A - B \Sigma)\xi = \lambda \xi $ and $C\xi = 0$, showing that the invariant zero $\lambda $ becomes an unobservable mode of the pair $(A - B \Sigma, C)$. With $\Sigma = h{(\xi)^ + }$, $\Delta \tilde x_{k_0}^a = d \xi $ and $d$ close to zero, the solution $\Delta \tilde x_k^a = {d} \xi {\lambda ^{k - k_0}}$ to (9a) shows that the zero dynamic attack reaches the destabilizing and stealthy goals with ${a_k} = {d} g \lambda^{k-k_0}$, $\forall k \succeq k_0$; the goal (10) of the adversary is then reached. An illustrative example will be given in Section 4 to show the effects of the proposed stealthy attack strategy on the nominal control signals, the outputs and the system states.

  • We propose to design a passive attack detection scheme that the defender can use, based on anomaly detectors designed on the innovation sequence of the Kalman filter. By defining $d{\delta _{k, k_0 - 1}}$ as a pulse of size $d$ triggered at time $k_0 - 1$ with ${\delta _{k, k_0 - 1}} = 0$, $\forall k \ne k_0 - 1$ and ${\delta _{k, k_0 - 1}} = 1$ when $k = k_0 - 1$, the attack model of (9) can be rewritten as

    $ \Delta \tilde x_{k + 1}^a = (A - B \Sigma)\Delta \tilde x_k^a + \xi { d} {\delta _{k, k_0 - 1}} $

    (12a)

    $ \Delta \tilde y_k^a = C\Delta \tilde x_k^a $

    (12b)

    with $\Delta \tilde x_{k_0 - 1}^a = 0$. The augmented state model of the plant under attack, given from (12) and ${a_k} = - \Sigma \Delta \tilde x_k^a$ in (7), can be described as

    $ \begin{array}{l} \left[ {\begin{array}{*{20}{c}} {{x_{k + 1}}}\\ {\Delta \tilde x_{k + 1}^a} \end{array}} \right] = \left[ {\begin{array}{*{20}{c}} A&{ - B\Sigma }\\ 0&{A - B\Sigma } \end{array}} \right]\left[ {\begin{array}{*{20}{c}} {{x_k}}\\ {\Delta \tilde x_k^a} \end{array}} \right] + \\ \;\;\;\;\left[ {\begin{array}{*{20}{c}} B\\ 0 \end{array}} \right]\bar u_k^{} + \left[ {\begin{array}{*{20}{c}} 0\\ \xi \end{array}} \right]d{\delta _{k,{k_0} - 1}} + \left[ {\begin{array}{*{20}{c}} I\\ 0 \end{array}} \right]{w_k} \end{array} $

    (13a)

    $ {y_k} = \left[{\begin{array}{*{20}{c}} C&0 \\ \end{array} } \right]\left[{\begin{array}{*{20}{c}} {{x_k}} \\ {\Delta \tilde x_k^a} \\ \end{array} } \right] + {\varepsilon_k}. $

    (13b)

    By letting $\left[ {\begin{array}{*{20}{c}} {{{\tilde x}_k}}\\ {\Delta \tilde x_k^a} \end{array}} \right] = T\left[ {\begin{array}{*{20}{c}} {{x_k}}\\ {\Delta \tilde x_k^a} \end{array}} \right]$ with $T = \left[ {\begin{array}{*{20}{c}} I&{ - I}\\ 0&I \end{array}} \right]$, (13) can be equivalently rewritten as

    $ \begin{array}{l} \left[ {\begin{array}{*{20}{c}} {{{\tilde x}_{k + 1}}}\\ {\Delta \tilde x_{k + 1}^a} \end{array}} \right] = \left[ {\begin{array}{*{20}{c}} A&0\\ 0&{A - B\Sigma } \end{array}} \right]\left[ {\begin{array}{*{20}{c}} {{{\tilde x}_k}}\\ {\Delta \tilde x_k^a} \end{array}} \right] + \\ \;\;\;\;\left[ {\begin{array}{*{20}{c}} B\\ 0 \end{array}} \right]\bar u_k^{} + \left[ {\begin{array}{*{20}{c}} { - \xi }\\ \xi \end{array}} \right]{\rm{d}}{\delta _{k,{k_0} - 1}} + \left[ {\begin{array}{*{20}{c}} I\\ 0 \end{array}} \right]{w_k} \end{array} $

    (14a)

    $ {y_k} = \left[{\begin{array}{*{20}{c}} C&C \\ \end{array} } \right]\left[{\begin{array}{*{20}{c}} {{{\tilde x}_k}} \\ {\Delta \tilde x_k^a} \\ \end{array} } \right] + {\varepsilon_k}. $

    (14b)

    From $C\Delta \tilde x_k^a = 0$ with $\forall k \succeq {k_0}$, $\Delta \tilde x_k^a = {d} \xi {\lambda ^{k - {k_0}}}$ and $C\xi=0$, the augmented state model (14) shows that $\Delta \tilde x_k^a$ is unobservable and that ${\tilde x_k}$ evolves in accordance to

    $ {\tilde x_{k + 1}} = A{\tilde x_k} + B\bar u_k^{} - \xi {\rm d} {\delta _{k, k_0 - 1}} + {w_k} $

    (15a)

    $ {y_k} = C{\tilde x_k} + {\varepsilon_k}. $

    (15b)

    If the attacker chooses $d$ close to zero and $\xi$ orthogonal to the eigenvectors of $A$ associated with unstable eigenvalues, the pulse ${d} {\delta _{k, k_0 - 1}}$ cannot be detected from the anomaly detector designed on the innovation sequence $\gamma _k^{} ={y_k} - C\widehat{\overline{x}}_{k/k - 1}^{}$ of the Kalman filter. The proof that the attacker can perform the malicious act while forcing the system out of its safe operating region without any consequences on the nominal control law (4b) is established via a simulation example given in Section 4.1.

  • Resilient defensive strategy injection on the control signal generated by a LQG controller can be designed to act on the state variables of the NCS while remaining undetectable to any passive detector applied on the innovation sequence of the Kalman filter. In this section, we give an active attack detection scheme to reveal the presence of a zero dynamic attack and investigate a resilient control strategy that a defender can use to quickly recover the normal behavior of the NCS, see Fig. 3.

    Figure 3.  NCS under attack with resilient LQG controller

  • When the attack is stopped at the intrusion time $k_f$, the consequences of $a_k$, $\forall k \succeq k_f$ can be described as

    $ \Delta \tilde x_{k + 1}^a = A\Delta \tilde x_k^a $

    (16a)

    $ \Delta \tilde y_k^a = C\Delta \tilde x_k^a $

    (16b)

    with $\Delta \tilde x_{k_f}^a = {d} \xi {\lambda ^{k_f - k_0 - 1}}$ and $\Delta \tilde x_{k_f - 1}^a = 0$. From $\nu {\delta _{k, k_f - 1}}$, a pulse of size $\nu = {d} {\lambda ^{k_f - k_0 - 1}}$, (16) can be equivalently rewritten as

    $ \Delta \tilde x_{k + 1}^a = A\Delta \tilde x_k^a + \xi \nu {\delta _{k, k_f - 1}} $

    (17a)

    $ \Delta \tilde y_k^a = C\Delta \tilde x_k^a. $

    (17b)

    When $d$ is assumed to be close to zero, substituting (14) for (17), the model of the plant viewed by the controller $\forall k\succeq k_f$ becomes

    $ \begin{array}{l} \left[ {\begin{array}{*{20}{c}} {{{\tilde x}_{k + 1}}}\\ {\Delta \tilde x_{k + 1}^a} \end{array}} \right] = \left[ {\begin{array}{*{20}{c}} A&0\\ 0&A \end{array}} \right]\left[ {\begin{array}{*{20}{c}} {{{\tilde x}_k}}\\ {\Delta \tilde x_k^a} \end{array}} \right] + \left[ {\begin{array}{*{20}{c}} B\\ 0 \end{array}} \right]\bar u_k^{} + \\ \;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\left[ {\begin{array}{*{20}{c}} 0\\ \xi \end{array}} \right]\nu {\delta _{k,{k_f} - 1}} + \left[ {\begin{array}{*{20}{c}} I\\ 0 \end{array}} \right]{w_k} \end{array} $

    (18a)

    $ {y_k} = \left[{\begin{array}{*{20}{c}} C&C \\ \end{array} } \right]\left[{\begin{array}{*{20}{c}} {{{\tilde x}_k}} \\ {\Delta \tilde x_k^a} \\ \end{array} } \right] + {\varepsilon_k}. $

    (18b)

    From $\left[{\begin{array}{*{20}{c}} {{x_k}} \\ {\Delta \tilde x_k^a} \\ \end{array} } \right] = {T^{ - 1}}\left[{\begin{array}{*{20}{c}} {{{\tilde x}_k}} \\ {\Delta \tilde x_k^a} \\ \end{array} } \right]$ with ${T^{ - 1}} = \left[{\begin{array}{*{20}{c}} I & I \\ 0 & I \\ \end{array} } \right]$, the augmented state model (18) of the plant is rewritten as

    $ \begin{array}{l} \left[ {\begin{array}{*{20}{c}} {{x_{k + 1}}}\\ {\Delta \tilde x_{k + 1}^a} \end{array}} \right] = \left[ {\begin{array}{*{20}{c}} A&0\\ 0&A \end{array}} \right]\left[ {\begin{array}{*{20}{c}} {{x_k}}\\ {\Delta \tilde x_k^a} \end{array}} \right] + \left[ {\begin{array}{*{20}{c}} B\\ 0 \end{array}} \right]\bar u_k^{} + \\ \;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\;\left[ {\begin{array}{*{20}{c}} \xi \\ \xi \end{array}} \right]\nu {\delta _{k,{k_f} - 1}} + \left[ {\begin{array}{*{20}{c}} I\\ 0 \end{array}} \right]{w_k} \end{array} $

    (19a)

    $ {y_k} = \left[{\begin{array}{*{20}{c}} C&0 \\ \end{array} } \right]\left[{\begin{array}{*{20}{c}} {{x_k}} \\ {\Delta \tilde x_k^a} \\ \end{array} } \right] + {\varepsilon_k} $

    (19b)

    and can be reduced to

    $ {x_{k + 1}} = A{x_k} + B\bar u_k^{} + \xi \nu {\delta _{k, {k_f} - 1}} + {w_k} $

    (20a)

    $ {y_k} = C{x_k} + {\varepsilon_k}. $

    (20b)

    The size $\nu = {d} {\lambda ^{k_f - k_0 -1}}$ of $\nu {\delta _{k, k_f - 1}}$ in (20) (upper bounded by ${d} {\lambda ^{\rm T}}$) is greater than the size $d$ of ${d} {\delta _{k, k_0 - 1}}$ in (15) via $\left| \lambda \right| > 1$, and the pulse $\nu {\delta _{k, k_f - 1}}$ has now a chance to be detected from anomaly detectors. When the model of the plant switches from (15) to (20), the active model-based FDI scheme consists of detecting the hypothesized pulse $\nu {\delta _{k, k_f - 1}}$ of unknown size $\nu$ and occurrence time $k_f$ from the GLR test as

    $ {x_{k + 1}} = A{x_k} - B\bar u_k^{} + \xi \nu {\delta _{k, {k_f} - 1}} + {w_k} $

    (21a)

    $ {y_k} = C{x_k} + {\varepsilon_k}. $

    (21b)

    The state prediction error ${e_{k/k - 1}} = {x_k} - {\hat x_{k/k - 1}}$ and the innovation $\gamma _k^{} = {y_k} - C\hat x_{k/k - 1}^{}$ of the Kalman filter propagate as

    $ {e_{k + 1/k}} = (A - {K_k}C){e_{k/k - 1}} - {K_k}{\varepsilon_k} + \xi \nu {\delta _{k, {k_f} - 1}} + {w_k} $

    (22a)

    $ {\gamma _k} = C{e_{k/k - 1}} + {\varepsilon_k} $

    (22b)

    where $\nu {\delta _{k, k_f - 1}}$ is a pulse of unknown size $\nu = {d} {\lambda ^l}$ greater than $d$ when $1 < l \leq \tau$ via $\lambda > 1$. Since the pulse ${d} {\delta _{k, k_f - 1}}$ is chosen undetectable with $d$ close to zero, the following section proposes to detect $\nu {\delta _{k, k_f - 1}}$ from a GLR detector applied on the innovation sequence of the Kalman filter. To avoid detecting $\nu {\delta _{k, k_f - 1}}$ several times, the Kalman filter will be updated online according to the detected event. The updating strategy of the Kalman filter associated with the infinite horizon LQG controller of Section 2 will lead to an autonomous resilient LQG controller. The additive effect of $\nu {\delta _{k, {k_f} - 1}}$ on the state prediction error ${\bar e_{k/k - 1}} = {\bar x_k} - {\widehat{\overline{x}}_{k/k - 1}}$ and the innovation sequence $\bar \gamma _k^{} = {y_k} - C\widehat{\overline{x}}_{k/k - 1}^{}$ of the Kalman filter can be expressed as

    $ {e_{k + 1/k}} = {\bar e_{k + 1/k}} + f(k, {k_f} - 1)\nu $

    (23a)

    $ {\gamma _k} = {\bar \gamma _k} + h(k, {k_f} - 1)\nu $

    (23b)

    where $f(k, {k_f}- 1)$ and $h(k, {k_f} - 1)$ are recursively computed as

    $ f(k, k_f - 1) = (A - {K_k}C)f(k - 1, k_f - 1) - \xi {\delta _{k, k_f - 1}} $

    (24a)

    $ h(k, k_f - 1) = Cf(k, k_f - 1) $

    (24b)

    with $f(k_f - 1, k_f - 1) = 0$.

    Let $H_0^{}$ denote the null hypothesis under which no attack exists and $H_1^{}$ denote the attack end hypothesis at time $k_f$. The hypothesis $H_1^{}$ can be tested against the null hypothesis $H_0^{}$ as

    $ {H_0^{}:\textrm{E}\left\{ {\gamma _j^{}} \right\} = 0, }~~ {k \succeq j \succeq 0} $

    (25a)

    $ {H_1^{}:\textrm{E}\left\{ {\gamma _j^{}} \right\} = h(j, {k_f}- 1)\nu, }~~ {k \succeq j \succeq {k_f} - 1} $

    (25b)

    and

    $ {\textrm{E}\left\{ {\gamma _j^{}} \right\} = 0, }~~ {{k_f}-1 > j \succeq 0}. $

    (25c)

    Let $P(\frac{\gamma _j}{H_1})$, $P(\frac{\gamma _j}{H_0})$ be the Gaussian probability density functions of ${\gamma _j}$ conditioned on $H_1^{}$, $H_0^{}$, and define the likelihood ratio as

    $ \lambda (k, k_f-1)=\frac{{P\left(\dfrac{\gamma _{k_f-1}}{H_1}\right)P\left(\dfrac{\gamma _{k_f}}{H_1}\right) \cdots P\left(\dfrac{\gamma _k}{H_1}\right)}}{{P\left(\dfrac{\gamma _{k_f - 1}}{H_0}\right)P\left(\dfrac{\gamma _{k_f}}{H_0}\right) \cdots P\left(\dfrac{\gamma _k}{H_0}\right)}}. $

    (26)

    From $h(k_f - 1, k_f - 1) = 0$ and $h(k_f, k_f - 1) = 0$ via $C\xi = 0$, we have $P(\frac{\gamma _{k_f - 1}}{H_1}) = P(\frac{\gamma _{k_f- 1}}{H_0})$, $P(\frac{\gamma _{k_f}}{H_1}) = P(\frac{\gamma _{k_f}}{H_0})$, and the likelihood ratio (26) becomes

    $ \lambda (k, k_f - 1) = \frac{\textrm{exp}\Big( - \dfrac{1}{2}\sum\limits_{j = k_f + 1}^k \left\| {\gamma _j} - h(j, k_f - 1)\nu \right\|_{\bar Q_j^{ - 1}}^2 \Big)}{\textrm{exp}\Big( - \dfrac{1}{2}\sum\limits_{j = k_f + 1}^k \left\| {\gamma _j} \right\|_{\bar Q_j^{ - 1}}^2 \Big)} $

    (27)

    where ${\bar Q_j} = C\bar P_{j/j - 1}^{}{C^{\rm T}} + V$ is the covariance of ${\gamma _j}$. The maximum likelihood estimate of the pulse magnitude $\nu $ conditioned on $k_f$ is given by

    $ \hat \nu (k, k_f - 1) = \frac{b(k, k_f - 1)}{a(k, k_f - 1)} $

    (28a)

    where

    $ a(k, k_f - 1) = \sum\limits_{j = k_f + 1}^k {[h_{j, k_f-1}^{\rm T}{{({{\bar Q}_j})}^{-1}}h_{j, k_f- 1}^{}]} $

    (28b)

    $ b(k, k_f - 1) = \sum\limits_{j = k_f + 1}^k {[h_{j, k_f-1}^{\rm T}{{(\bar Q_j^{})}^{-1}}\gamma _j^{}]}. $

    (28c)

    After replacing $\nu $ by $\hat \nu (k, k_f - 1)$ in (27), the log-likelihood ratio $T(k, k_f-1) = 2\log (\lambda (k, k_f-1))$ can be expressed in terms of the normalized estimate $\widehat{\overline{\nu}}(k, k_f-1) = a{(k, k_f-1)^{- \frac{1}{2}}}b(k, k_f-1)$ of the pulse conditioned on $H_1$ as $T(k, k_f - 1) = \widehat{\overline{\nu}} {(k, k_f-1)^2}$, and the decision rule of the GLR detector becomes

    $ \begin{equation} T(k) = \mathop {\max }\limits_{{k_f} \in [0,\; k - 1]} \left\{ {\widehat{\overline{\nu }}{{(k, {k_f} - 1)}^2}} \right\} \left\{ {\begin{array}{l} \leqslant \varepsilon \quad \text{decision for } H_0 \\ > \varepsilon \quad \text{decision for } H_1 \end{array}} \right. \end{equation} $

    (29)

    where $\varepsilon$ is the threshold level. For a real-time implementation of (29), the maximization can be carried out over a sliding window of limited size. The rates of false alarms, missed detections and correct decisions depend on the choice of the decision level and on the size of the sliding window.

  • When $T(k)>\varepsilon$, the detection of the same pulse $\nu {\delta _{k, k_f - 1}}$ several times can be avoided by using a Kalman filter updating strategy described as

    $ \widehat{\overline{x}}{'}_{k/k} = \widehat{\overline{x}}_{k/k} + f(k, \hat {k}_f - 1)\hat \nu (k, \hat{k}_f - 1) $

    (30a)

    $ \bar P{'}_{k/k}= \bar P_{k/k} + f(k, \hat{k}_f - 1)a{(k, \hat {k}_f - 1)^{ - 1}}f{(k, \hat{k}_f - 1)^{\rm T}} $

    (30b)

    where $a{(k, \hat{k}_f - 1)^{ - 1}}$ represents the covariance of $\hat \nu (k, \hat{k}_f - 1)$. $\widehat{\overline{x}}{'}_{k/k}$ and $\widehat{\overline{x}}_{k/k}$ denote the new and the old minimum variance unbiased estimates, respectively. The same notation is used for the new state covariance $\bar P{'}_{k/k}$ and the old one $\bar P_{k/k}$.

    The attack end time estimate $\widehat{k}_f$ is given by

    $ \begin{equation} \widehat{k}_f = \arg \left(\mathop {\max }\limits_{{k_f} \in \left[{\begin{array}{*{20}{c}} {k-1-M}&{k-1} \\ \end{array} } \right]} \left\{ {\widehat{\overline{\nu}} {{(k, {k_f} - 1)}^2}} \right\}\right). \label{eq61} \end{equation} $

    (31)

    The autonomous resilient LQG controller is then derived from the updating strategy (30) applied to the Kalman filter (5) and combined with the infinite horizon LQG controller designed in Section 2. To evaluate the overall characteristic of the obtained resilient LQG controller, a performance criterion needs to be studied in relation to the maximum duration $\tau$ of the attack signal. An illustrative example will be given in Section 4 to show that the proposed resilient controller works very well when a zero dynamic attack significantly impacts the state variables of the plant before being stopped.
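The detector of (24), (28), (29) and (31), as an added example that is not the authors' code: it evaluates the GLR statistic over a sliding window for a constructed two-state, single-output system, so that $\bar Q_j$, $h$ and $\gamma_j$ are scalars. The matrices, the constant gain `K`, the constant innovation covariance `QBAR`, the threshold `EPS`, the seeding $f(k_f, k_f - 1) = -\xi$ (chosen so that $h(k_f, k_f - 1) = 0$ via $C\xi = 0$) and the innovation samples are all assumptions made for this illustration.

```python
# Added example, not the paper's code: GLR statistic (28)-(29) and the
# attack-end estimate (31) for a constructed 2-state, single-output plant.
A = [[0.9, 0.3], [0.0, 0.5]]   # constructed state matrix
C = [1.0, 0.0]                 # single output, so innovations are scalars
XI = [0.0, 1.0]                # constructed pulse direction with C*xi = 0
K = [0.5, 0.2]                 # assumption: constant Kalman gain
QBAR = 1.0                     # assumption: constant innovation covariance
EPS = 9.0                      # constructed threshold level

# A - K C, the matrix that propagates f in (24a)
F = [[A[r][c] - K[r] * C[c] for c in range(2)] for r in range(2)]

def signatures(kf, k):
    """h(j, kf-1) for j = kf+1..k, seeded with f(kf, kf-1) = -xi (assumption)."""
    f, h = [-XI[0], -XI[1]], {}
    for j in range(kf + 1, k + 1):
        f = [F[0][0] * f[0] + F[0][1] * f[1], F[1][0] * f[0] + F[1][1] * f[1]]
        h[j] = C[0] * f[0] + C[1] * f[1]                      # (24b)
    return h

def glr(gamma, k, window):
    """Return (T(k), kf_hat, nu_hat), maximising over kf in [k-1-window, k-1]."""
    best = (0.0, None, 0.0)
    for kf in range(max(0, k - 1 - window), k):
        h = signatures(kf, k)
        a = sum(hj * hj / QBAR for hj in h.values())          # (28b)
        b = sum(hj * gamma[j] / QBAR for j, hj in h.items())  # (28c)
        if a > 0 and b * b / a > best[0]:
            best = (b * b / a, kf, b / a)                     # T, (31), (28a)
    return best

def constructed_innovations(k, kf=None, nu=0.0):
    """Constructed innovation sequence: small alternating noise plus, if kf is
    given, the signature of a pulse of magnitude nu at time kf - 1."""
    gamma = [0.1 * (-1) ** j for j in range(k + 1)]
    if kf is not None:
        for j, hj in signatures(kf, k).items():
            gamma[j] += nu * hj
    return gamma

if __name__ == "__main__":
    for label, g in [("no attack", constructed_innovations(20)),
                     ("attack ends at kf=10", constructed_innovations(20, 10, 10.0))]:
        T, kf_hat, nu_hat = glr(g, 20, 15)
        print(label, "T=%.2f" % T, "alarm" if T > EPS else "quiet", kf_hat, nu_hat)
```

The statistic $b^2/a$ does not depend on the sign chosen for the seed of $f$; only the sign of $\hat\nu$ does.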

  • After the completion of the modelling of attack detection schemes and the resilient control strategy, a simulation example is given in this section to demonstrate the effectiveness of the obtained results. First, we illustrate how the attacker can successfully realise the malicious act while remaining undetectable from passive detectors. We then apply the proposed detection scheme of Section 3 and evaluate the performance of the proposed resilient LQG controller via a comparative study with the standard LQG controller.

    For illustration, we consider the following linear discrete time stochastic system:

    $ \begin{align}\label{eq62} A = \left[ {\begin{array}{cccc} {0.9}&0&{0.34}&{0.35} \\ 0&{1.8}&0&{0.37} \\ 0&0&{0.5}&0 \\ 0&0&0&{0.9} \end{array}} \right], \quad B = \left[ {\begin{array}{ccc} 1&0&0 \\ 1&0&1 \\ 0&0&2 \\ 0&1&1 \end{array}} \right], \quad C = \left[ {\begin{array}{cccc} 1&0&0&0 \\ 0&1&0&0 \\ 0&0&0&1 \end{array}} \right] \end{align} $

    (32)

    where ${z_0} = 1.18$ is the invariant unstable zero of the plant.

  • We first illustrate the consequences of the stealthy attack strategy on the NCS of Fig. 2, where the zero dynamic attack has been simulated during the time instants $\tau=[80\textrm{s}, 120\textrm{s}]$, see Fig. 4. Note that $d$ is chosen very close to zero to remain stealthy to any passive detector applied on the innovation sequence of the Kalman filter.

    Figure 4.  Zero dynamic attack sequence/time (s)

    As we can see in Figs. 5 and 6, the attack happens in a stealthy way, with no consequences on the control signal $u_k$ and no consequences on the measurements ${y_k}$, respectively. However, it has a harmful effect on the third state, which increases to infinity as shown in Fig. 7. Fig. 8 shows that the detection variable ${T_k}$ cannot detect the presence of the attack.

    Figure 5.  LQG control law/time (s)

    Figure 6.  Measurements $y_k$/time (s)

    Figure 7.  s

    Figure 8.  Detection variable $T_k$

    This demonstrates that an attacker located inside the network of an NCS can cause malicious consequences on the system's state using a stealthy strategy, without being detected by traditional model based fault detection and isolation schemes.

  • To prove the usefulness of the proposed detection scheme and the resilient control strategy, a comparative study between the standard LQG control and the resilient LQG control is presented.

    Consider now that the NCS of Fig. 3 is attacked by a zero dynamic attack during the time instants $\tau=[50\textrm{s}, 80\textrm{s}]$ as illustrated in Fig. 9. As we can see in Fig. 10, this strategy makes it possible to detect the presence of the stealthy attack when the detection variable $T_k$ exceeds the significance threshold levels.

    Figure 9.  Zero dynamic attack sequence/time (s)

    Figure 10.  Detection variable $T_k$ of the GLR detector

    By using the standard control strategy (4) and (5) with $V = R = {I_3}$, $W = 0.01{I_4}$ and $Q = {I_4}$, Figs. 11-13 show the consequences of the zero dynamic attack on state variables, control signal and regulated outputs, respectively.

    Figure 11.  States of the plant/time (s)

    Figure 12.  Standard LQG control law/time (s)

    Figure 13.  Regulated outputs/time (s)

    By using the resilient control strategy (30) and (5), the consequences of the zero dynamic attack on the state variables, control signal and regulated outputs of the plant are plotted in Figs. 14-16, respectively.

    Figure 14.  States of the plant/time (s)

    Figure 15.  LQG control law/time (s)

    Figure 16.  Regulated outputs/time (s)

    Compared to the regulated outputs of Fig. 13 obtained with the standard LQG controller, Fig. 16 shows that the updating strategy (30) makes it possible to recover the nominal behavior of the networked control system more quickly.

    By representing the plant subject to multiple zero dynamic attacks as a linear time-invariant system subject to simultaneous or sequential pulses, the design of resilient controllers for plants having multiple invariant zeros is currently under consideration by the authors. Future work will concern the design of distributed resilient controllers for large scale NCS decomposed into subsystems.

  • This paper has studied a resilient control strategy for linear discrete-time stochastic systems subject to zero dynamic attack. When the attack window of the adversary is limited by the defender mechanism of the cyber-physical system, we have shown in the first part of the paper that the zero dynamic attack is undetectable from traditional model based fault detection and isolation schemes. In the second part, we have designed a resilient linear quadratic Gaussian controller having the ability to quickly recover the nominal behavior of the closed-loop system. The resilient linear quadratic Gaussian controller is obtained by updating online the Kalman filter from information given by the generalized likelihood ratio detector.
