On Zero Dynamics and Controllable Cyber-Attacks in Cyber-Physical Systems and Dynamic Coding Schemes as Their Countermeasures

Mahdi Taheri; Khashayar Khorasani; Nader Meskin

doi:10.1109/JAS.2024.124692

Volume 11 Issue 11

Nov. 2024

IEEE/CAA Journal of Automatica Sinica

JCR Impact Factor: 15.3, Top 1 (SCI Q1)

CiteScore: 23.5, Top 2% (Q1)
Google Scholar h5-index: 77， TOP 5

Turn off MathJax

Article Contents

Article Navigation > IEEE/CAA Journal of Automatica Sinica > 2024 > 11(11): 2191-2203

M. Taheri, K. Khorasani, and N. Meskin, “On zero dynamics and controllable cyber-attacks in cyber-physical systems and dynamic coding schemes as their countermeasures,” IEEE/CAA J. Autom. Sinica, vol. 11, no. 11, pp. 2191–2203, Nov. 2024. doi: 10.1109/JAS.2024.124692

Citation:

M. Taheri, K. Khorasani, and N. Meskin, “On zero dynamics and controllable cyber-attacks in cyber-physical systems and dynamic coding schemes as their countermeasures,” IEEE/CAA J. Autom. Sinica, vol. 11, no. 11, pp. 2191–2203, Nov. 2024. doi: 10.1109/JAS.2024.124692

Citation:

PDF( 1735 KB)

On Zero Dynamics and Controllable Cyber-Attacks in Cyber-Physical Systems and Dynamic Coding Schemes as Their Countermeasures

doi: 10.1109/JAS.2024.124692

Funds: The authors would like to acknowledge the financial support received from NATO under the Emerging Security Challenges Division program. K. Khorasani and N. Meskin would like to acknowledge the support received from NPRP (10-0105-17017) from the Qatar National Research Fund (a member of Qatar Foundation). K. Khorasani would also like to acknowledge the support received from the Natural Sciences and Engineering Research Council of Canada (NSERC) and the Department of National Defence (DND) under the Discovery Grant and DND Supplemental Programs. This work was also supported in part by funding from the Innovation for Defence Excellence and Security (IDEaS) program from the Department of National Defence (DND). Any opinions and conclusions in this work are strictly those of the authors and do not reflect the views, positions, or policies of - and are not endorsed by - IDEaS, DND, or the Government of Canada

More Information

Author Bio:
Mahdi Taheri received the B.Sc. degree in electrical engineering from Ilam University, Iran, in 2013, the M.Sc. degree in electrical engineering (control systems) from Isfahan University of Technology, Iran, in 2016, and the Ph.D. degree in electrical and computer engineering from Concordia University, Canada, in 2024. His main research interests are in the areas of fault diagnosis and cyber-attack detection, distributed control of multi-agent systems, privacy-preserving control in cyber-physical systems, and data-driven and Koopman operator-based anomaly detection

Khashayar Khorasani received the B.S., M.S., and Ph.D. degrees in electrical and computer engineering from the University of Illinois at Urbana-Champaign in 1981, 1982 and 1985, respectively. From 1985 to 1988 he was an Assistant Professor at the University of Michigan at Dearborn and since 1988 he has been at Concordia University, Canada, where he is currently a Professor and Concordia University Tier I Research Chair in the Department of Electrical and Computer Engineering and Concordia Institute for Aerospace Design and Innovation (CIADI). His main areas of research are in nonlinear and adaptive control; cyber-physical systems and cybersecurity; intelligent and autonomous control of networked unmanned systems; fault diagnosis, isolation and recovery (FDIR); diagnosis, prognosis, and health management (DPHM); satellites, and neural networks/machine learning. He has authored/co- authored over 500 publications in these areas that have also led to the training of over 135 highly qualified personnel. He has served as an Associate Editor of the IEEE Transactions on Aerospace and Electronic Systems

Nader Meskin (Senior Member) received the B.Sc. degree from Sharif University of Technology, Iran, in 1998, the M.Sc. degree from the University of Tehran, Tehran, in 2001, and the Ph.D. degree in electrical and computer engineering in 2008 from Concordia University, Canada. He was a Postdoctoral Fellow at Texas A&M University at Qatar, Qatar, from January 2010 to December 2010. He is currently Professor at Qatar University, Qatar, and an Adjunct Associate Professor at Concordia University. He has published more than 300 refereed journal and conference papers. He’s been serving as a Member of Editorial Boards for IEEE Transactions on Cybernetics. His research interests include FDI, multiagent systems, active control for clinical pharmacology, and cyber-security of industrial control systems
Corresponding author: Khashayar Khorasani, e-mail: kash@ece.concordia.ca
Received Date: 2024-03-05
Revised Date: 2024-06-05
Accepted Date: 2027-07-17

Available Online: 2024-08-08

Abstract

Abstract

In this paper, we study stealthy cyber-attacks on actuators of cyber-physical systems (CPS), namely zero dynamics and controllable attacks. In particular, under certain assumptions, we investigate and propose conditions under which one can execute zero dynamics and controllable attacks in the CPS. The above conditions are derived based on the Markov parameters of the CPS and elements of the system observability matrix. Consequently, in addition to outlining the number of required actuators to be attacked, these conditions provide one with the minimum system knowledge needed to perform zero dynamics and controllable cyber-attacks. As a countermeasure against the above stealthy cyber-attacks, we develop a dynamic coding scheme that increases the minimum number of the CPS required actuators to carry out zero dynamics and controllable cyber-attacks to its maximum possible value. It is shown that if at least one secure input channel exists, the proposed dynamic coding scheme can prevent adversaries from executing the zero dynamics and controllable attacks even if they have complete knowledge of the coding system. Finally, two illustrative numerical case studies are provided to demonstrate the effectiveness and capabilities of our derived conditions and proposed methodologies.
- Controllable attacks,
- cyber-physical systems (CPS),
- dynamic coding,
- zero dynamics attacks,
- stealthy cyber-attacks

FullText(HTML)

References(48)

References

[1]	H. Sandberg, V. Gupta, and K. H. Johansson, “Secure networked control systems,” Annu. Rev. Control, Rob., Auton. Syst., vol. 5, pp. 445–464, May 2022. doi: 10.1146/annurev-control-072921-075953
[2]	F. Pasqualetti, F. Dörfler, and F. Bullo, “Attack detection and identification in cyber-physical systems,” IEEE Trans. Automat. Control, vol. 58, no. 11, pp. 2715–2729, Nov. 2013. doi: 10.1109/TAC.2013.2266831
[3]	A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “A secure control framework for resource-limited adversaries,” Automatica, vol. 51, pp. 135–148, Jan. 2015. doi: 10.1016/j.automatica.2014.10.067
[4]	X. Li, Z. Wang, C. Zhang, D. Du, and M. Fei, “A novel dynamic watermarking-based EKF detection method for FDIAs in smart grid,” IEEE/CAA J. Autom. Sinica, vol. 9, no. 7, pp. 1319–1322, Jul. 2022. doi: 10.1109/JAS.2022.105704
[5]	Y. Mo, S. Weerakkody, and B. Sinopoli, “Physical authentication of control systems: Designing watermarked control inputs to detect counterfeit sensor outputs,” IEEE Control Syst. Mag., vol. 35, no. 1, pp. 93–109, Feb. 2015. doi: 10.1109/MCS.2014.2364724
[6]	W. Duo, M. C. Zhou, and A. Abusorrah, “A survey of cyber attacks on cyber physical systems: Recent advances and challenges,” IEEE/CAA J. Autom. Sinica, vol. 9, no. 5, pp. 784–800, May 2022. doi: 10.1109/JAS.2022.105548
[7]	S. Oshnoei, M. R. Aghamohammadi, and M. H. Khooban, “Smart frequency control of cyber-physical power system under false data injection attacks,” IEEE Trans. Circuits Syst. Ⅰ: Regular Pap., 2024. doi: 10.1109/TCSI.2024.3396703
[8]	A. A. Cárdenas, S. Amin, Z. S. Lin, Y.-L. Huang, C. Y. Huang, and S. Sastry, “Attacks against process control systems: Risk assessment, detection, and response,” in Proc. 6th ACM Symp. Information, Computer and Communications Security, Hong Kong, China, 2011, pp. 355–366.
[9]	A. A. Cardenas, S. Amin, and S. Sastry, “Secure control: Towards survivable cyber-physical systems,” in Proc. 28th Int. Conf. Distributed Computing Systems Workshops, Beijing, China, 2008, pp. 495–500.
[10]	A. Teixeira, D. Pérez, H. Sandberg, and K. H. Johansson, “Attack models and scenarios for networked control systems,” in Proc. 1st Int. Conf. High Confidence Networked Systems, Beijing, China, 2012, pp. 55–64.
[11]	A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “Revealing stealthy attacks in control systems,” in Proc. 50th Annu. Allerton Conf. Communication, Control, and Computing (Allerton), Monticello, USA, 2012, pp. 1806–1813.
[12]	K. Zhang, C. Keliris, T. Parisini, B. Jiang, and M. M. Polycarpou, “Passive attack detection for a class of stealthy intermittent integrity attacks,” IEEE/CAA J. Autom. Sinica, vol. 10, no. 4, pp. 898–915, Apr. 2023. doi: 10.1109/JAS.2023.123177
[13]	Z. Zhao, Y. Yang, Y. Li, and R. Liu, “Security analysis for cyber-physical systems under undetectable attacks: A geometric approach,” Int. J. Robust Nonlinear Control, vol. 30, no. 11, pp. 4359–4370, Jul. 2020. doi: 10.1002/rnc.4419
[14]	A. Baniamerian and K. Khorasani, “Security index of linear cyber-physical systems: A geometric perspective,” in Proc. 6th Int. Conf. Control, Decision and Information Technologies, Paris, France, 2019, pp. 391–396.
[15]	A. Baniamerian, K. Khorasani, and N. Meskin, “Determination of security index for linear cyber-physical systems subject to malicious Cyber Attacks,” in Proc. IEEE 58th Conf. Decision and Control, Nice, France, 2019, pp. 4507–4513.
[16]	A. G. J. MacFarlane and N. Karcanias, “Poles and zeros of linear multivariable systems: A survey of the algebraic, geometric and complex-variable theory,” Int. J. Control, vol. 24, no. 1, pp. 33–74, Jul. 1976. doi: 10.1080/00207177608932805
[17]	J. Tokarzewski, “System zeros analysis via the Moore-Penrose pseudoinverse and SVD of the first nonzero markov parameter,” IEEE Trans. Autom. Control, vol. 43, no. 9, pp. 1285–1291, Sep. 1998.
[18]	J. Tokarzewski, Finite Zeros in Discrete Time Control Systems. Berlin, Germany: Springer, 2006.
[19]	R. Alisic and H. Sandberg, “Data-injection attacks using historical inputs and outputs,” in Proc. European Control Conf., Delft, Netherlands, 2021, pp. 1399–1405.
[20]	H. Sandberg and A. M. H. Teixeira, “From control system security indices to attack identifiability,” in Proc. Science of Security for Cyber-Physical Systems Workshop, Vienna, Austria, 2016, pp. 1–6.
[21]	J. Milošević, A. Teixeira, K. H. Johansson, and H. Sandberg, “Actuator security indices based on perfect undetectability: Computation, robustness, and sensor placement,” IEEE Trans. Autom. Control, vol. 65, no. 9, pp. 3816–3831, Sep. 2020. doi: 10.1109/TAC.2020.2981392
[22]	S. Gracy, J. Milošević, and H. Sandberg, “Security index based on perfectly undetectable attacks: Graph-theoretic conditions,” Automatica, vol. 134, p. 109925, Dec. 2021. doi: 10.1016/j.automatica.2021.109925
[23]	S. Weerakkody, X. Liu, S. H. Son, and B. Sinopoli, “A graph-theoretic characterization of perfect attackability for secure design of distributed control systems,” IEEE Trans. Control Netw. Syst., vol. 4, no. 1, pp. 60–70, Mar. 2017. doi: 10.1109/TCNS.2016.2573741
[24]	A. Baniamerian, K. Khorasani, and N. Meskin, “Monitoring and detection of malicious adversarial zero dynamics attacks in cyber-physical systems,” in Proc. IEEE Conf. Control Technology and Applications, Montreal, Canada, 2020, pp. 726–731.
[25]	M. Taheri, K. Khorasani, I. Shames, and N. Meskin, “Cyberattack and machine-induced fault detection and isolation methodologies for cyber-physical systems,” IEEE Trans. Control Syst. Technol., vol. 32, no. 2, pp. 502–517, Mar. 2024. doi: 10.1109/TCST.2023.3324870
[26]	A. Hoehn and P. Zhang, “Detection of covert attacks and zero dynamics attacks in cyber-physical systems,” in Proc. American Control Conf., Boston, USA, 2016, pp. 302–307.
[27]	R. M. G. Ferrari and A. M. H. Teixeira, “A switching multiplicative watermarking scheme for detection of stealthy cyber-attacks,” IEEE Trans. Autom. Control, vol. 66, no. 6, pp. 2558–2573, Jun. 2020.
[28]	F. Miao, Q. Zhu, M. Pajic, and G. J. Pappas, “Coding schemes for securing cyber-physical systems against stealthy data injection attacks,” IEEE Trans. Control Netw. Syst., vol. 4, no. 1, pp. 106–117, Mar. 2017. doi: 10.1109/TCNS.2016.2573039
[29]	S. Fang, K. H. Johansson, M. Skoglund, H. Sandberg, and H. Ishii, “Two-way coding in control systems under injection attacks: From attack detection to attack correction,” in Proc. 10th ACM/IEEE Int. Conf. Cyber-Physical Systems, Montreal, Canada, 2019, pp. 141–150.
[30]	Y. Chen, S. Kar, and J. M. Moura, “Dynamic attack detection in cyber-physical systems with side initial state information,” IEEE Trans. Autom. Control, vol. 62, no. 9, pp. 4618–4624, Sep. 2017. doi: 10.1109/TAC.2016.2626267
[31]	M. Taheri, K. Khorasani, I. Shames, and N. Meskin, “Data-driven covert-attack strategies and countermeasures for cyber-physical systems,” in Proc. 60th IEEE Conf. Decision and Control, Austin, USA, 2021, pp. 4170–4175.
[32]	J. Wang, D. Wang, H. Yan, and H. Shen, “Composite antidisturbance H_∞ control for hidden Markov jump systems with multi-sensor against replay attacks,” IEEE Trans. Autom. Control, vol. 69, no. 3, pp. 1760–1766, Mar. 2024. doi: 10.1109/TAC.2023.3326861
[33]	S. Weerakkody and B. Sinopoli, “Detecting integrity attacks on control systems using a moving target approach,” in Proc. 54th IEEE Conf. Decision and Control, Osaka, Japan, 2015, pp. 5820–5826.
[34]	D. Umsonst, S. Sarıtaş, G. Dán, and H. Sandberg, “A Bayesian Nash equilibrium-based moving target defense against stealthy sensor attacks,” IEEE Trans. Autom. Control, vol. 69, no. 3, pp. 1659–1674, Mar. 2024. doi: 10.1109/TAC.2023.3328754
[35]	S. Oshnoei, M. R. Aghamohammadi, J. Heidary, and M. H. Khooban, “Watermarking-based defense mechanism in LFC of electricity grids compromised by covert attacks,” IEEE Trans. Circuits Syst. Ⅱ: Express Briefs, 2024. doi: 10.1109/TCSII.2024.3396734
[36]	H. L. Trentelman, A. A. Stoorvogel, and M. Hautus, Control Theory for Linear Systems. London, UK: Springer, 2012.
[37]	M. Sain and J. Massey, “Invertibility of linear time-invariant dynamical systems,” IEEE Trans. Autom. Control, vol. 14, no. 2, pp. 141–149, Apr. 1969. doi: 10.1109/TAC.1969.1099133
[38]	A. K. Hajdasinski and A. A. H. Damen, “Realization of the Markov parameter sequences using the singular value decomposition of the Hankel matrix,” Technische Hogeschool Eindhoven, 1979.
[39]	B. De Moor, J. Vandewalle, M. Moonen, L. Vandenberghe, and P. Van Mieghem, “A geometrical strategy for the identification of state space models of linear multivariable systems with singular value decomposition,” IFAC Proc. Vol., vol. 21, no. 9, pp. 493–497, Aug. 1988. doi: 10.1016/S1474-6670(17)54776-X
[40]	L. Ljung, “System identification,” in Wiley Encyclopedia of Electrical and Electronics Engineering, 1999, pp. 1–19.
[41]	J. F. Dong and M. Verhaegen, “Identification of fault estimation filter from I/O data for systems with stable inversion,” IEEE Trans. Autom. Control, vol. 57, no. 6, pp. 1347–1361, Jun. 2012. doi: 10.1109/TAC.2011.2173422
[42]	P. Van Overschee and B. De Moor, “N4SID: Subspace algorithms for the identification of combined deterministic-stochastic systems,” Automatica, vol. 30, no. 1, pp. 75–93, Jan. 1994. doi: 10.1016/0005-1098(94)90230-5
[43]	H. L. Trentelman, A. A. Stoorvogel, and M. Hautus, Control Theory for Linear Systems. London, UK: Springer, 2012.
[44]	R. C. Merkle, “Secure communications over insecure channels,” Commun. ACM, vol. 21, no. 4, pp. 294–299, Apr. 1978. doi: 10.1145/359460.359473
[45]	R. F. Schaefer, H. Boche, and H. V. Poor, “Secure communication under channel uncertainty and adversarial attacks,” Proc. IEEE, vol. 103, no. 10, pp. 1796–1813, Oct. 2015. doi: 10.1109/JPROC.2015.2459652
[46]	K. H. Johansson, “The quadruple-tank process: A multivariable laboratory process with an adjustable zero,” IEEE Trans. Control Syst. Technol., vol. 8, no. 3, pp. 456–465, May 2000. doi: 10.1109/87.845876
[47]	O. Härkegård and S. T. Glad, “Resolving actuator redundancy-optimal control vs. control allocation,” Automatica, vol. 41, no. 1, pp. 137–144, Jan. 2005.
[48]	B. Boussaid, C. Aubrun, J. Jiang, and M. N. Abdelkrim, “FTC approach with actuator saturation avoidance based on reference management,” Int. J. Robust Nonlinear Control, vol. 24, no. 17, pp. 2724–2740, Nov. 2014. doi: 10.1002/rnc.3020

Supplements(0)

Cited By

Proportional views

Proportional views

通讯作者: 陈斌, bchen63@163.com

1.
沈阳化工大学材料科学与工程学院沈阳 110142

Figures(6)

Get Citation

PDF

XML

Article Metrics

Article views (94) PDF downloads(35)

Highlights

The vulnerability of Cyber-Physical Systems (CPS) to zero dynamics and controllable cyber-attacks is studied
Cyber-attacks are derived in terms of nonzero Markov parameters of the CPS and the entries of the observability matrix
The number of actuators that need to be compromised for zero dynamics and controllable cyber-attacks is studied
A dynamic coding scheme is developed to increase the number of input channels for executing these cyber-attacks

On Zero Dynamics and Controllable Cyber-Attacks in Cyber-Physical Systems and Dynamic Coding Schemes as Their Countermeasures

doi: 10.1109/JAS.2024.124692

Abstract

References

Proportional views

Catalog

通讯作者: 陈斌, bchen63@163.com

Article Metrics

Highlights

Export File

Citation

Format

Content