Security metrics and synthesis of secure control systems

Automatica 115 (2020) 108757

Contents lists available at ScienceDirect

Automatica journal homepage: www.elsevier.com/locate/automatica

Security metrics and synthesis of secure control systems✩ ∗

Carlos Murguia a , , Iman Shames a , Justin Ruths b , Dragan Nešić a a b

Department of Electrical and Electronic Engineering, University of Melbourne, Australia Departments of Mechanical and Systems Engineering, University of Texas at Dallas, USA

article

info

Article history: Received 13 September 2018 Received in revised form 3 October 2019 Accepted 23 November 2019 Available online xxxx Keywords: Network control systems Model-based fault/attack monitors Security metrics Secure control Attacks

a b s t r a c t The term stealthy has come to encompass a variety of techniques that attackers can employ to avoid being detected. In this manuscript, for a class of perturbed linear time-invariant systems, we propose two security metrics to quantify the potential impact that stealthy attacks could have on the system dynamics by tampering with sensor measurements. We provide analysis tools to quantify these metrics for given system dynamics, control, and system monitor. Then, we provide synthesis tools (in terms of semidefinite programs) to redesign controllers and monitors such that the impact of stealthy attacks is minimized and the required attack-free system performance is guaranteed. © 2019 Published by Elsevier Ltd.

1. Introduction Recently, there has been significant interest and work in the broad area of security of Networked Control Systems (NCSs), see, e.g., Bai, Pasqualetti, and Gupta (2015), Cárdenas et al. (2011), Kwon, Liu, and Hwang (2013), Miao, Zhu, Pajic, and Pappas (2014), Mo and Sinopoli (2016), Murguia, van de Wouw, and Ruths (2016) and Pasqualetti, Dorfler, and Bullo (2013). Security of NCSs investigates properties of conventional control systems in the presence of adversarial disturbances. Control theory has shown great ability to robustly deal with disturbances and uncertainties. However, adversarial attacks raise all-new issues due to the aggressive and strategic nature of the disturbances that attackers might inject into the system. This paper focuses on quantifying and minimizing attacker capabilities in NCSs. A majority of the work on attack detection leverages the established literature of fault detection. Fault detection techniques use an estimator to forecast the evolution of the system dynamics. When the residual (the difference between measurements and their estimates) is larger than a predetermined threshold, alarms are raised. Fault detectors impose limits on attacks if the attacker ✩ This work was supported by the Australian Research Council (ARC) under the Project DP170104099; and the NATO Science for Peace and Security (SPS) PROGRAMME under the project SPS.SFP G5479. The material in this paper was not presented at any conference. This paper was recommended for publication in revised form by Associate Editor Vijay Gupta under the direction of Editor Christos G. Cassandras. ∗ Corresponding author. E-mail addresses: [email protected] (C. Murguia), [email protected] (I. Shames), [email protected] (J. Ruths), [email protected] (D. Nešić). https://doi.org/10.1016/j.automatica.2019.108757 0005-1098/© 2019 Published by Elsevier Ltd.

aims at avoiding being identified. Beyond retooling existing fault detection techniques for the new attack detection context, a fundamental question is: given a fault detection scheme, how does this particular scheme constrain the influence of an attacker? More specifically, what is an attacker able to accomplish when the system employs certain fault detection procedure? Different methodologies exist for evaluating the impact of attacks. Most of the existing works study the system response when attacks are constrained by a fault detector, i.e., they look for the system trajectories that can be induced due to stealthy attacks – attacks such that the detector threshold is never crossed (Cárdenas et al., 2011; Guo, Shi, Johansson, & Shi, 2016; Murguia et al., 2016; Pasqualetti et al., 2013). In this manuscript, we provide mathematical tools for quantifying and minimizing the potential impact of sensor stealthy attacks on the system dynamics. We consider the set of states that stealthy attacks can induce in the system (the attacker’s stealthy reachable set) and use the ‘‘size’’ of this set, in terms of volume (Lebesgue measure), as a security metric for NCSs. Stealthy reachable sets provide insight of the system potential performance degradation induced by stealthy attacks. The volume of these sets quantifies the size of the portion of the state space that opponents could reach by tampering with particular subsets of sensors. So, for different subsets of sensors being attacked, we have reachable sets of different sizes; and thus, one could quantify the system sensitivity to attacks in particular sensors by comparing their corresponding volumes. Because it is not mathematically tractable to compute reachable sets exactly, we provide analysis tools – in terms of Linear Matrix Inequalities (LMIs) – for computing ellipsoidal outer approximations of the attacker’s reachable sets. The obtained approximations quantify the attacker’s potential impact when it is constrained to stay

2

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

hidden from the detector. We use the size (again in terms of volume) of these ellipsoidal approximations to approximate the proposed security metric (the volume of stealthy reachable sets). Note that this security metric just tell us which sensors lead to larger reachable sets. So, we are implicitly assuming that all points in the state space are equally important (in terms of security) and we are just interested in the overall ‘‘number’’ of states potentially reachable by attacks. However, if there are regions of the state space that are more important than others (again in terms of security), and thus we are particularly interested in knowing if these regions are reachable by attacks, we need a different metric. To this end, as a second security metric, we propose the minimum distance from the attacker’s reachable set to a possible set of critical states – states that, if reached, compromise the integrity or safe operation of the system. We approximate this distance by the minimum distance between the ellipsoidal approximations and the critical states. This distance gives us intuition on how far the actual attacker’s reachable set is from the critical states. Once we have provided a complete set of analysis tools to approximate the aforementioned security metrics, we use these tools to derive synthesis tools (in terms of semidefinite programs) to redesign controllers and fault detectors such that the impact of stealthy attacks is minimized and the required attack-free system performance is guaranteed. There are a few results in this direction already; chiefly the work in Mo and Sinopoli (2016), where the authors provide a recursive algorithm to compute ellipsoidal approximations of attacker’s reachable sets for Linear Time Invariant (LTI) systems subjected to Gaussian noise. The authors in Mo and Sinopoli (2016) give analysis-only results for a very particular structure of controllers and fault-detectors. They consider Kalman-filter based fault detectors and use the state of the filter to construct output feedback controllers. Although this results in compact designs of controllers and fault detectors, the flexibility of having dedicated controllers and detectors (mainly for synthesis of secure control systems) is limited. We remark that, in the stochastic setting considered in Mo and Sinopoli (2016), the detector threshold is always crossed even when there are no attacks. This is due to the infinite support of the Gaussian noise they consider. Thus, they do not consider stealthy attacks in the sense described above. Instead, they consider attacks that increase the alarm rate of the detector by a small amount only. Then, they approximate the attacker’s reachable set corresponding to this small increase. The main contributions of this manuscript (in contrast to the work in Mo and Sinopoli (2016) and in general) are the following: (1) we provide a set of mathematical tools in terms of semidefinite programs to approximate reachable sets induced by stealthy attacks for LTI systems driven by peak bounded deterministic perturbations; (2) we provide both analysis and synthesis results for dedicated general dynamic output feedback controllers and observer-based fault detectors; (3) we propose two security metrics to assess the vulnerability of systems to attacks, and optimize these metrics (enhancing thus the system resilience to attacks) by synthesizing optimal controllers and detectors; and (4) the synthesis part considers the attack-free performance of the closed-loop dynamics, i.e., we optimize the security metrics subject to certain prescribed attack-free system performance. In our preliminary work (Murguia et al., 2016), we also approximate reachable sets of false-data-injection attacks but we consider the same stochastic framework as the one proposed in Mo and Sinopoli (2016), i.e., Gaussian noise, joint Kalman-filter based fault detectors and controllers, and attacks increasing the alarm rate of the detector. Thus, the problems considered in this manuscript (and the obtained results) and the ones addressed in Murguia et al. (2016) are fundamentally different; and the set of results (and the tools used to obtain them) are different too. Moreover,

in Murguia et al. (2016), we consider attacks to all the sensors. Although the latter case provides a worse-case scenario, we lose the capability of quantifying the sensitivity of the system dynamics to attacks on specific sensors. As in Mo and Sinopoli (2016), the results in Murguia et al. (2016) mainly focus on analysis (although they hint how to address synthesis for joint Kalman-filter based detectors and controllers). There are a few other results that consider different security metrics for control systems. However, all of those results have a very different interpretation and the framework upon which they are constructed is fundamentally very different from ours. For instance, in Bai et al. (2015), for arbitrary detection procedures, the authors quantify how much the attacker can increase the asymptotic covariance (their security metric) of state estimates while remaining stealthy. They characterize stealthiness using the Kullback–Leibler Divergence between the attack-free and the attacked estimates. In Tang, Kuijper, Chong, Mareels, and Leckie (2019) and Teixeira, Sou, Sandberg, and Johansson (2015), the authors use the notion of security index for LTI systems. This index refers to the smallest number of sensors and actuators that have to be compromised for successfully launching stealthy attacks. For linear stochastic systems, the authors in Milošević, Sandberg, and Johansson (2018) propose two security metrics: the probability that some of the critical states leave a safety region; and the expected value of the infinity norm of the critical states. Finally, in Müller, Milošević, Sandberg, and Rojas (2018), tools from finance risk theory are used to quantify security of LTI systems. 2. Preliminaries Here, we present preliminary results needed for subsequent sections. First, in Lemma 1, we present a preliminary tool used to compute outer time-varying bounds on the trajectories of perturbed discrete-time systems. Next, in Proposition 1, we use this lemma to compute outer ellipsoidal approximations of reachable sets of LTI systems driven by multiple peak bounded perturbations. Lemma 1. For a given a ∈ (0, 1), if there exist functions aik : N → ∑N i (0, 1), i = 1, . . . , N, and V : Rnξ → R≥0 satisfying i=1 ak ≥ a and, for all k ∈ N, the inequality: V (ξk+1 ) − aV (ξk ) −

N ∑

(1 − aik )(ωki )T Wki ωki ≤ 0;

(1)

i=1

then, V (ξk ) ≤ αk , where αk := ak−1 V (ξ1 ) + −a limk→∞ V (ζk ) ≤ N1− . a

(N −a)(1−ak−1 ) , 1−a

and

Proof. See Murguia, Shames, Ruths, and Nešić (2018, Lemma 1). ■ Next, we present a tool to identify outer ellipsoidal approximations of reachable sets of LTI systems driven by multiple peak bounded perturbations. Consider the perturbed LTI system

ξk+1 = Aξk +

N ∑

Bi ωki ,

(2)

i=1

with k ∈ N, state ξk ∈ Rnξ , initial condition ξ1 ∈ Rnξ , perturbation ωki ∈ Rpi satisfying (ωki )T Wi ωki ≤ 1 for some positive definite matrix Wi ∈ Rpi ×pi , i = 1, . . . , N, N ∈ N, and matrices A ∈ nξ ×pi i Rnξ ×nξ and . Denote by ψ ξ (k, ξ1 , ω1 (·), . . . , ωN (·)) := ∑NB ∈ ∑R k−2 Ak−1 ξ1 + i=1 j=0 Aj Bi ωki −1−j the solution of (2) at time instant k > 1 given the initial condition ξ1 and the infinite disturbance sequence ωi (·) := {ω1i , ω2i , . . .}.

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

3

Corollary 1. Consider the perturbed LTI system (2) and the reachξ able set Rk introduced in Definition 1. For a given a ∈ (0, 1), if there exist constants a1 = a∗1 , . . . , aN = a∗N and matrix P = P ∗ solution of the convex optimization:

{

min

P ,a1 ,...,aN

− log det[P ], (5)

s.t. (3); ξ

Fig. 1. Tightness of the ellipsoidal outer approximations of reachable sets obtained by Corollary 1.

ξ

ξ

ξ

then, Rk ⊆ Ek( := {ξ ∈ Rnξ | ξ) T P ∗ ξ ≤ αk }, where αk := ak−1 ξ1T P ∗ ξ1 + (N − a)(1 − ak−1 ) /(1 − a). Moreover, for any ai = a˜ i ̸ = a∗i and P = P˜ ̸ = P ∗ satisfying the constraints in (3) and ξ ξ corresponding ellipsoidal approximation E˜k , the volume of E∞ (see ξ ξ (4)) is strictly less than the volume of E˜∞ , i.e., Ek has the minimum asymptotic volume among all the outer ellipsoidal approximations ξ E˜k generated by Proposition 1. Proof. See Murguia et al. (2018, Corollary 1).

■

ξ

Definition 1. The reachable set Rk at time instant k > 1 from initial condition ξ1 , is the set of states ψ ξ (k, ξ1 , ω1 (·), . . . , ωN (·)) reachable in k steps by system (2) through all possible perturbations satisfying (ωki )T Wi ωki ≤ 1, i.e., ξ

{ ξ∈

Rk :=

Rnξ

⏐ } ⏐ ⏐ξ = ψ ξ (k, ξ1 , ω1 (·), . . . , ωN (·)), . ⏐ ⏐ξ1 ∈ Rnξ , and (ωki )T Wi ωki ≤ 1.

Proposition 1. Consider the LTI system (2) and the reachable set ξ Rk introduced in Definition 1. For a given a ∈ (0, 1), if there exist constants a1 = a˜ 1 , . . . , aN = a˜ N and matrix P = P˜ ∈ Rnξ ×nξ satisfying:

⎧ a1 , . . . , aN ∈ (0, 1), a1 + · · · + aN ≥ a, ⎪ ⎪ ⎤ ⎡ ⎨ T aP

⎪ P > 0, ⎣P A ⎪ ⎩ 0

A P P BT P

0 P B ⎦ ≥ 0; Wai

(3)

with Wai := diag[(1 − a1 )W1 , . . . , (1 − aN )WN ] ∈ Rp¯ ׯp , B := ∑N ξ ˜ξ (B1 , . . . , BN ) ∈ Rnξ ׯp , and p¯ = i=1 pi ; then, Rk ⊆ ( Ek := {ξ ∈ ξ ξ nξ T ˜ k−1 T ˜ R |) ξ P ξ ≤ α˜ k }, where α˜ k := a ξ1 P ξ1 + (N − a)(1 − ak−1 ) /(1 − a). Proof. See Murguia et al. (2018, Proposition 1).

■

Remark 1. Note that the contribution of the initial condition ξ ξ1 to the sequence α˜ k vanishes exponentially. We have that ξ limk→∞ α˜ k = (N − a)/(1 − a); therefore ξ

ξ lim E˜k = {ξ ∈ Rnξ | ξ T P˜ ξ ≤ (N − a)/(1 − a)} =: E˜∞ .

k→∞

(4)

That is, after transients due to initial conditions have settled down, all trajectories of the system are trapped inside the ellipξ soid E˜∞ . Proposition 1 provides a tool for computing time-varying elξ ξ ξ lipsoidal outer approximations E˜k of Rk . Note that E˜k could be an ξ ξ ξ arbitrarily conservative approximation of Rk as long as Rk ⊆ E˜k . ξ Then, to make E˜k less conservative, we aim at obtaining ellipsoids with minimal volume, i.e., the tightest possible ellipsoid bounding ξ Rk among all the ellipsoids generated by Proposition 1. To find such an ellipsoid, we look to minimize (det[P ])−1/2 subject to (3) because (det[P ])−1/2 is proportional to the volume of the asymptotic ellipsoid ξ T P ξ = (N − a)/(1 − a) for any N ∈ N and a ∈ (0, 1) (Boyd, El Ghaoui, Feron, & Balakrishnan, 1994). We minimize log det[P −1 ] instead as it shares the same minimizer with (det[P ])−1/2 and because for positive definite P this objective is convex (Boyd et al., 1994). This is stated in the following corollary of Proposition 1.

Remark 2. Note that the constant a ∈ (0, 1) in Corollary 1 must be fixed before solving (5). This constant is, in fact, a variable of the optimization problem. However, to convexify the cost and linearize some of the constraints, we fix its value before solving (5) and search over a ∈ (0, 1) to find the optimal P ∗ . The latter increases the computations needed to find P ∗ ; however, because a ∈ (0, 1) (a bounded set), the required grid is of reasonable size. Indeed, we are interested in selecting the a ∈ (0, 1) that leads to the asymptotic ellipsoid with minimum volume. In Fig. 1, we illustrate the potential tightness of the ellipsoidal outer approximations obtained using Corollary 1. The solid gray area is the actual reachable set obtained by extensive Monte Carlo simulations, and the ellipsoidal approximation is depicted with dashed lines. This figure corresponds to an LTI system driven by two peak bounded perturbation. The exact numerical values of the system matrices and the perturbations’ bounds can be found in Kafash, Giraldo, Murguia, Cardenas, and Ruths (2018, Section 4). 3. System and monitor description In this section, we introduce the class of systems under study, the monitor that we use to pinpoint attacks, and the control scheme. 3.1. System dynamics Consider the LTI perturbed system

{

xp (tk+1 ) = Ap xp (tk ) + Bp u(tk ) + E v (tk ), y(tk ) = C p xp (tk ) + F η(tk ),

(6)

with sampling time-instants tk , k ∈ N, state xp ∈ Rn , output y ∈ Rm , control input u ∈ Rl , matrices Ap , Bp , C p , E, and F of appropriate dimensions, and unknown system and sensor perturbations v ∈ Rq and η ∈ Rm , respectively. The perturbations are assumed to be peak bounded, i.e., vkT vk ≤ v¯ and ηkT ηk ≤ η¯ for some known v¯ , η¯ ∈ R>0 and all k ∈ N. The pair (Ap , Bp ) is stabilizable and (Ap , C p ) is detectable. At the time-instants tk , k ∈ N, the output of the process y(tk ) is sampled and transmitted over a communication network. The received output y¯ (tk ) is used to compute control actions u(tk ) which are sent back to the actuators. The complete control-loop is assumed to be performed instantaneously, i.e., sampling, transmission, and arrival timeinstants are equal. In this manuscript, we focus on false data injection attacks on sensor measurements. That is, in between transmission and reception of sensor data, an attacker may inject data to signals coming from sensors to the controller, see Fig. 2.

4

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

Fig. 2. Cyber–physical system under sensor attacks.

The opponent compromises up to s sensors, s ∈ {1, . . . , m} of the system. Denote the attacker’s sensor selection matrix Γ ∈ Rm×s , Γ ⊆ {γ1 , . . . , γm } where γi ∈ Rm×1 denotes the ith vector of the canonical basis of Rm . After each transmission and reception, the networked output y¯ takes the form: y¯ (tk ) := y(tk ) + Γ δ (tk ),

(7)

where δ (tk ) ∈ Rs denotes additive sensor attacks/faults. Denote xk := x(tk ), uk := u(tk ), vk := v (tk ), y¯ k := y¯ (tk ), ηk := η(tk ), and δk := δ (tk ). Using this new notation, the attacked system is written in the following compact form:

{

p

p

xk+1 = Ap xk + Bp uk + E vk ,

(8)

p

y¯ k = C p xk + F ηk + Γ δk . 3.2. Filter and residual

In this manuscript, we aim at characterizing the effect that false data injection attacks can induce in the system without being detected by standard fault-detectors. The main idea behind fault detection is the use of an estimator to forecast the evolution of the system state. If the difference between what it is measured and the output estimation is larger than expected, there may be a fault in or an attack on the system. Here, to estimate the state of the process, we use the filter: xˆ k+1 = A xˆ k + B uk + L y¯ k − C xˆ k , p

p

p

(

)

(9)

n

n× m

with estimated state xˆ ∈ R and filter gain matrix L ∈ R . p Define the estimation error ek := xk − xˆ k and the residual rk := y¯ k − C p xˆ k ∈ Rm . Then, given the system dynamics (8) and the filter (9), ek and rk evolve according to the difference equation:

{

ek+1 = Ap − LC p ek − LΓ δk − LF ηk + E vk , rk = C p ek + Γ δk + F ηk .

(

)

(10)

The pair (Ap , C p ) is detectable; hence, the observer gain L can be selected such that (Ap − LC p ) is Schur. We assume that L is such that (Ap − LC p ) is Schur.

Thus, the monitor is designed so that alarms are triggered if zk exceeds one. The matrix Π must be selected such that, after sufficiently large number of time-steps (enough to allow transients to settle down), zk ≤ 1 in the attack-free case. That is, after transients due to initial conditions have decreased to a desired level, the ellipsoid rkT Π rk = 1 must contain all the possible trajectories that the perturbations vk and ηk can induce in the residual given Eq. (10) and the inequalities vkT vk ≤ v¯ and ηkT ηk ≤ η¯ . Note that the tighter the ellipsoidal bound, the less opportunity the attacker has to manipulate the system without being detected. Here, we use Corollary 1 to design an optimal matrix Π (in terms of tightness of the ellipsoidal bound). In particular, using Corollary 1, we obtain an outer time-varying ellipsoidal approximation of the reachable set of the estimation error (10) driven by vk and ηk in the attack-free case (δk = 0). Once we have this ellipsoid, using the S -procedure (Boyd et al., 1994), we project it onto the residual hyperplane to get the ellipsoid rkT Π rk = 1 of the monitor. For transparency, these results are presented in Murguia et al. (2018, Appendix). We need, however, the following assumption for subsequent sections. Assumption 1. In the attack-free case (δk = 0), there exists some k∗ ∈ N such that the matrix Π of the monitor satisfies rkT Π rk ≤ 1 ∀ k ≥ k∗ and rk solution of (10). In Murguia et al. (2018, Appendix), we give tools for obtaining a matrix Π satisfying Assumption 1 for a desired k∗ as a function of the initial estimation error e1 and a desired tightness level of the ellipsoidal bound. 3.4. Dynamic output feedback controller We consider general dynamic output feedback controllers of the form:

{

xck+1 = Ac xck + Bc y¯ k , uk = C c xck + Dc y¯ k ,

with controller state xc ∈ Rn , networked output y¯ , control input u, and controller matrices (Ac , Bc , C c , Dc ) of appropriate dimensions. For simplicity, we only consider controllers with the same order as the plant. This is particularly important in the synthesis section of the manuscript (however, results for general order controllers can be derived following the same approach). The closed-loop system (8), (9), (12) can be written in terms of the estimation error ek = xk − xˆ k as follows:

⎧ p ⎨xk+1 = (Ap + Bp Dc C p )xpk + Bp C c xck + Bp Dc F ηk + E vk + Bp Dc Γ δk , p xc = Ac xc + Bc C p xk + Bc F ηk + Bc Γ δk , ⎩ek+1 = (Ap k− LC p )e − LF ηk + E vk − LΓ δk . k+1 k

3.3. Distance measure, anomaly detection, and system monitor

(13)

The input to any detection procedure is a distance measure zk ∈ R, i.e., a measure of how deviated the estimator is from the attack-free system dynamics (Gustafsson, 2000). Here, we use a quadratic form of the residual as distance measure. Consider the residual sequence rk and some positive definite matrix Π ∈ Rm×m . Define the distance measure zk := rkT Π rk and consider the following monitor. System Monitor: If zk = rkT Π rk > 1, k˜ = k. Design parameter: positive semidefinite Π ∈ R ˜ Output: alarm time(s) k.

(11) m×m

.

(12)

4. Analysis tools: Attacker’s reachable sets In this section, we provide tools for quantifying – for given (L, Π , Ac , Bc , C c , Dc ) – the impact of the attack δk on the state of the system when monitor (11) is used for attack detection. We are interested in attacks that keep the monitor from raising alarms. This class of attacks is what we refer to as stealthy attacks. Here, we characterize ellipsoidal bounds on the set of states that stealthy attacks can induce in the system. In particular, we provide tools in terms of Linear Matrix Inequalities (LMIs) for computing ellipsoidal bounds on the reachable set of the attack sequence given the system dynamics, the control strategy, the system monitor, and the set of sensors being attacked.

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

5

Fig. 3. (a) Stealthy reachable set RxΓ ,k ; (b) ellipsoidal outer approximation EΓx ,k of RxΓ ,k ; and (c) the volume of EΓx ,k as an approximation of the security metric (the volume of RxΓ ,k ).

Assumption 2. We assume that the attack to system (8), (9), and (12) starts at k = k∗ (the monitor convergence time), i.e., the system has been operating without attacks for sufficiently long time so that the residual trajectories rk , for k ≥ k∗ , are contained in the monitor ellipsoid {r ∈ Rm |r T Π r ≤ 1} before an attack occurs. We remark again that, using the results in Murguia et al. (2018, Appendix), we can design monitor matrices Π satisfying Assumption 1 for any desired k∗ as a function of the initial estimation error and a desired tightness level of the ellipsoidal bound. Thus, Assumption 2 is not conservative in the sense that k∗ can be selected arbitrarily small by properly designing the corresponding monitor matrix Π (k∗ ). The attacker can compromise up to s sensors, s ∈ {1, . . . , m}, of the system. Consider the monitor (11) and write zk in terms of the estimation error ek and δk : 1

zk = rkT Π rk = ∥Π 2 (C p ek + F ηk + Γ δk )∥2 ,

(14)

1 2

where Π is the symmetric square root matrix of Π and ∥ · ∥ denotes Euclidian norm. The set of feasible attack sequences that the attacker can launch while satisfying zk ≤ 1 (i.e., without raising alarms by the monitor) can be written as the constrained control problem on δk :

{

⏐ 1 } ⏐∥Π 2 (C p e + F η + Γ δ )∥2 ≤ 1, k k k ⏐ δk ∈ R ⏐ . and Eq. (13), ∀ k ≥ k∗ , m

(15)

p

Define the extended state ζk := ((xk )T , (xck )T , eTk )T . Given ζk at the starting attack instant, ζk∗ , and the disturbance and attack sequences η(·) := {η1 , η2 , . . .}, v (·) := {v1 , v2 , . . .}, and δ (·) := ζ {δ1 , δ2 , . . .}, denote by ψδ (k, ζk∗ , η(·), v (·), δ (·)) the solution of (13) for all k ≥ k∗ . Let ψδx (k, ζk∗ , η(·), v (·), δ (·)) be the partition ζ of ψδ (k, ζk∗ , η(·), v (·), δ (·)) corresponding to the plant trajectop xk

ries, i.e., the solution of (13). We are interested in the state trajectories that the attacker can induce in the system restricted to satisfy (15). To this end, we introduce the notion of stealthy reachable set.

Γ ). However, in general, it is not tractable to compute RxΓ ,k

exactly. Instead, we look for an outer approximation EΓx ,k satisfying RxΓ ,k ⊆ EΓx ,k for all k ≥ k∗ . In particular, for some positive definite PΓx ∈ Rn×n and nonnegative function αkx , we look for outer ellipsoidal approximations of the form EΓx ,k = {xp ∈ Rn |(xp )T PΓx xp ≤ αkx } such that RxΓ ,k ⊆ EΓx ,k . That is, the ellipsoid (xp )T PΓx xp = αkx contains all the possible trajectories that stealthy attacks of the form (15) can induce in the system. Because for LTI systems EΓx ,k is a good approximation of RxΓ ,k , and because EΓx ,k can be computed efficiently using LMIs, we use the volume of EΓx ,k as an approximation of the proposed security metric. This approximation allows us to quantify the potential ‘‘damage’’ that sensor attacks can induce to the system in terms of the set of sensors being compromised (the attacker’s sensor selection matrix Γ ). In Fig. 3, we depict a schematic representation of the proposed ideas. 4.1. Analysis tools In (10), the residual is given by rk = C p ek + Γ δk + F ηk . Because Γ has full column rank by construction, we can write the attack sequence as δk = Γ + (rk − C p ek − F ηk ), where Γ + denotes the Moore–Penrose inverse of Γ , and the closed-loop dynamics (13) as

ζk+1 = Aζk + B1 ηk + B2 vk + B3 rk , k ≥ k∗ , with extended state ζk =

p ((xk )T

, , and ⎧ [ p ] p c p p c p c A +B D C B C −B D Γ Γ + C p ⎪ ⎪ c p c c + p ⎪ B C A −B Γ Γ C A := , ⎪ ⎪ ⎪ ⎪ 0 0 Ap − L(Im − Γ Γ + )C p ⎪ ⎪ [ p c ] [ ] ⎪ ⎨ B D (Im − Γ Γ + )F E c + 1 2 B (Im − Γ Γ )F B := , B := 0 , ⎪ ⎪ −L(I − Γ Γ + )F E ⎪ ⎪ [ p c m +] ⎪ ⎪ B D Γ Γ ⎪ 3 [ 1 2 3] ⎪ c + ⎪ ⎪ ⎩B := B Γ Γ + , B := B B B . − LΓ Γ (xck )T

(17)

eTk )T ,

(18)

ζ

Definition 2. Given the attack selection matrix Γ , the stealthy reachable set RxΓ ,k at time k ≥ k∗ , from the starting extended state ζk∗ , is defined as the set of states, ψδx (k, ζk∗ , η(·), v (·), δ (·)), reachable by system (13) through all possible disturbances and attack sequences satisfying ηkT ηk ≤ η¯ , vkT vk ≤ v¯ , and (15), i.e., RxΓ ,k

⏐ ⎫ ⏐ xp = ψ x (k, ζk∗ , η(·), v (·), δ (·)), ⎬ δ ⏐ := xp ∈ Rn ⏐⏐ ζk∗ ∈ R3n , δk , ζk satisfy (15), . ⎩ ⏐ vkT vk ≤ v¯ , ηkT ηk ≤ η, ¯ ∀ k ≥ k∗ ⎭ ⎧ ⎨

Denote by ψr (k, ζk∗ , η(·), v (·), r(·)) the solution of (17) at time k ≥ k∗ given the extended state at the starting attack instant ζk∗ and the infinite residual and disturbance sequences r(·) := {r1 , r2 , . . .}, η(·), and v (·). Define the reachable set: ζ

RΓ ,k

(16)

In this manuscript, we propose to use the ‘‘size’’ of the set RxΓ ,k , in terms of volume (Lebesgue measure), as a security metric. Stealthy reachable sets provide insight of the system potential performance degradation induced by stealthy attacks. The volume of RxΓ ,k quantifies the size of the portion of the state space that opponents could reach by tampering with particular subsets of sensors (i.e., as a function of the sensor selection matrix

⎧ ⏐ ⎫ ⏐ζ = ψ ζ (k, ζ ∗ , η(·), v (·), r(·)), ⎪ ⎪ k r ⎨ ⏐ ⎬ ⏐ := ζ ∈ R3n ⏐ζk∗ ∈ R3n , rkT Π rk ≤ 1, . ⎪ ⏐ ⎪ ⎩ ⎭ ⏐v T v ≤ v¯ , ηT η ≤ η, ∗ ¯ ∀k ≥ k . k k k k

(19)

ζ

The set RΓ ,k is the reachable set of an LTI system driven by peakbounded perturbations. Therefore, we can use Corollary 1 to obζ ζ tain outer approximations of the form EΓ ,k = {ζ ∈ R3n |ζ T PΓ ζ ≤ ζ

ζ

ζ

αk } such that RΓ ,k ⊆ EΓ ,k .

Remark 3. We are ultimately interested in the stealthy reachable set of the plant states RxΓ ,k introduced in (16). Note that RxΓ ,k is

6

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

Fig. 4. (a)–(c) Minimum distance dxΓ ,k between EΓx ,k and critical states C x . ζ

ζ

the projection of RΓ ,k onto the xp -hyperplane. Hence, if RΓ ,k ⊆ ζ EΓ ,k ,

ζ EΓ ,k

x

p

then RΓ ,k belongs to the projection of onto the x hyperplane. Hence, to obtain the ellipsoid EΓx ,k containing RxΓ ,k , ζ

ζ

we can first obtain EΓ ,k containing RΓ ,k and project it to obtain EΓx ,k . Theorem 1. Consider the closed-loop dynamics (17) with system matrices (Ap , Bp , C p ), observer gain L, controller matrices (Ac , Bc , C c , Dc ), monitor matrix Π , perturbations bounds v¯ , η¯ ∈ R>0 , and attack selection matrix Γ . For a given a ∈ (0, 1), if there exist constants a1 = a∗1 , . . . , aN = a∗N and matrix P = P ∗ solution of (5) with A = A, N = 3, B1 = B1 , B2 = B2 , B3 = B3 , (A, B) as defined in (18), W1 = (1/η¯ )Im , W2 = (1/¯v )In , W3 = Π , p1 = m, p2 = n, and p3 = ζ ζ ζ ζ m; then, for k ≥ k∗ , RΓ ,k ⊆ EΓ ,k := {ζ ∈ R3n |ζ T PΓ ζ ≤ αk }, with ζ

ζ

PΓ := P ∗ and αk := ak−1 ζkT∗ P ∗ ζk∗ + (3 − a)(1 − ak−1 ) /(1 − a), and

(

)

ζ

the ellipsoid EΓ ,k has minimum volume in the sense of Corollary 1. Proof. See Murguia et al. (2018, Theorem 1).

■

If the conditions of Theorem 1 are satisfied, the trajectories of ζ ζ the extended dynamics (17) are contained in EΓ ,k . Having EΓ ,k , x p p we project it onto the x -hyperplane to obtain EΓ ,k = {x ∈ Rn |(xp )T PΓx xp ≤ αkx } such that RxΓ ,k ⊆ EΓx ,k . Corollary 2. Let the conditions of Theorem 1 be satisfied and ζ ζ ζ consider the corresponding matrix PΓ and function αk . Let PΓ be partitioned as ζ

ζ

[

PΓ =:

P1 ζ

ζ]

P2

ζ

(P2 )T P3 ζ

, ζ

ζ

with P1 ∈ Rn×n , P2 ∈ Rn×2n , and P3 ∈ R2n×2n . Then, for k ≥ k∗ , RxΓ ,k ⊆ EΓx ,k := {xp ∈ Rn |(xp )T PΓx xp ≤ αkx } with ζ

ζ

ζ

ζ

Proof. See Murguia et al. (2018, Corollary 2). 4.2. Distance to critical states: Analysis As a second security metric, we propose to use the minimum distance between RxΓ ,k and a possible set of critical states C x – states that, if reached, compromise the integrity or safe operation of the system. Such a region might represent states in which, for example, the pressure of a holding vessel exceeds its pressure rating or the level of a liquid in a tank exceeds its capacity. However, because RxΓ ,k is not known exactly, this distance cannot be directly computed. Instead, once the ellipsoidal bound EΓx ,k on RxΓ ,k is obtained, we compute the minimum distance dxΓ ,k from EΓx ,k to C x and use this dxΓ ,k as an approximation of the distance between RxΓ ,k and C x in terms of the set of sensors being compromised (the selection matrix Γ ). The set of critical states in many practical applications can be captured through the union of half-spaces defined by their boundary hyperplanes:

{

⏐ ⋃ ⏐ N

T p i=1 ci x

Corollary 3. Consider the set of critical states C x defined in (20) and the matrix PΓx and the function αkx obtained in Theorem 1. The minimum distance, dxΓ ,k , between the outer ellipsoidal approximation of RxΓ ,k , EΓx ,k = {xp ∈ Rn |(xp )T PΓx xp ≤ αkx }, and C x is given by dxΓ ,k =

min (|bi | − (ciT (PΓx )−1 ci /αkx )1/2 /ciT ci ).

(21)

i∈{1,...,N }

Proof. See Murguia et al. (2018, Corollary 3).

■

Remark 4. If dxΓ ,k > 0, the ellipsoid EΓx ,k bounding RxΓ ,k and the set of critical states C x do not intersect; if dxΓ ,k = 0, they touch at a point only; and dxΓ ,k < 0 implies that they intersect. In Fig. 4, we depict a schematic representation of these ideas. Remark 5. Note that it might be possible that perturbations alone drive the system to critical states even without attacks. However, it is the effect of both together, attacks and perturbations, that we want to quantify. For instance, a possible scenario is that critical states are not reachable by perturbations alone, but when you combine attacks and perturbations, critical states might be reachable by some realizations of attacks and perturbations combined. Another scenario is that critical states are reachable by perturbations alone in the first place. In this case, if one adds attacks to the mixture (due to superposition of linear systems), there would exist realizations of attacks and perturbations that lead to a larger portion of critical states being reachable. It is this combined uncertainty of having attacks and unknown perturbations that we aim at quantifying in terms of security. 4.3. Simulation results

ζ

PΓx := P1 − P2 (P3 )−1 (P2 )T and αkx := αk .

C x := xp ∈ Rn ⏐

where each pair (ci , bi ), ci ∈ Rn , bi ∈ R, i = 1, . . . , N quantifies a hyperplane that defines a single half-space.

} ≥ bi ,

(20)

Consider the closed-loop system √ (13) with matrices as in Murguia et al. (2018, Eq. (30)), η¯ = π , and v¯ = 1. The controller matrices (Ac , Bc , C c , Dc ) are designed to guarantee that the L2 gain Scherer, Gahinet, and Chilali (1997) from the vector of perp,3 turbations (vkT , ηkT )T to the performance output sk = 0.25xk + ηk3 is upper bounded by γ = 3. We use the results in the appendix to design the monitor matrix Π so that, for k > k∗ = 10, rk Π rk ≤ 1. ζ Using Theorem 1, we obtain EΓ ,k for all the possible combinations ζ

of the sensor attack selection matrix Γ . Once we have EΓ ,k , using Corollary 2, we project

ζ EΓ ,k

onto the x -hyperplane to obtain EΓx ,k . p

Note that we have k-dependent approximations EΓx ,k of RxΓ ,k ; however, because a < 1, the function αkx conforming EΓx ,k con-

verge exponentially to (3 − a)/(1 − a). It follows that, in a few time steps, EΓx ,k ≈ EΓx ,∞ = {x ∈ Rn |xT PΓx x ≤ (3 − a)/(1 − a)}, and thus, EΓx ,k ≈ EΓx ,∞ . We present EΓx ,∞ instead of the time-dependent EΓx ,k . In Fig. 5, we show the projection of EΓx ,∞ onto the (xp,2 , xp,3 )hyperplane for different sets of sensor being attacked. Fig. 6 depicts the projection of EΓx ,∞ onto the (xp,1 , xp,2 )-hyperplane and the distance to the set of critical states C x = {xp ∈ R3 |xp,1 ≤ −15}. In Table 1, we give the numerical values of the volume

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757 Table 1 Volume of the approximation EΓx ,∞ of RxΓ ,∞ and distance dxΓ ,∞ to the critical states C x for different attacked sensors. Attacked sensors

Volume of EΓx ,∞

Distance to critical states dxΓ ,∞

(1) (2) (3) (1,2) (1,3) (2,3) (1,2,3)

150.72 453.51 219.43 952.95 279.50 2063.46 4300.32

8.07 4.20 8.60 -2.38 6.85 -6.67 -23.01

Fig. 5. Projection of EΓx ,∞ onto the (xp,2 , xp,3 )-hyperplane for different sets of sensor being attacked.

7

of stealthy attacks on the system dynamics is minimized. We first design κ to minimize the volume of EΓx ,k (thus decreasing the size of RxΓ ,k ) while guaranteeing some attack-free system performance. Remark 6. We present synthesis results in terms of the sensor attack selection matrix Γ . That is, for given Γ , we provide synthesis tools to design optimal controllers and monitors — optimal in terms of minimal volume EΓx ,∞ for a desired attackfree closed-loop system performance. Note, however, that we do not have access to Γ in practice, i.e., because we assume stealthy attacks, the set of sensors being attacked is unknown to the system designer. Nevertheless, once we have derived synthesis results for given Γ , we provide general guidelines for using these results to synthesize controllers/monitors for unknown matrix Γ . In particular, we propose techniques from sensor protection placement in power systems (Dan & Sandberg, 2010; Kim & Poor, 2011); and game-theoretic techniques (Basar & Olsder, 1998). ζ Consider the extended attacker’s reachable set RΓ ,k defined in (19) with matrices (A, B) as in (18). Note that, for every realization of κ = (L, Π , Ac , Bc , C c , Dc ), using Theorem 1 and Corollary 2, we can obtain EΓx ,k containing RxΓ ,k . Here, we aim at finding the κ = κ ∗ leading to the smallest possible volume of EΓx ,∞ (see (4)) among all realizations of (L, Π , Ac , Bc , C c , Dc ). If we let κ be optimization variables rather than given parameters, by Proposition 1, to find κ ∗ , we have to find (L, Ac , Bc , C c , Dc ) conforming the matrices (A, B), the constants (a1 , a2 , b), and the matrices P and Π solution of the optimization problem: ⎧ ⎪ min − log det[P ],

⎪ κ,P ,a1 ,a2 ,b ⎪ ⎪ ⎪ ⎨ s.t. a1 , a2 , b ∈ (0, 1), a1 + a2 + b ≥ a, P > 0, and ⎤ ⎡ aP AT P 0 ⎪ ⎪ ⎪ ⎣ ⎪ PB ⎦ ≥ 0; ⎪ ⎩ L := PA P T 0

B P Wai

with Wai := diag[ η¯ 1 Im , v¯ 2 In , (1 − b)Π ]. However, because (L, Π , Ac , Bc , C c , Dc ) are now variables, the blocks PA, PB, and bΠ in (22) are nonlinear in (κ, P ). Following the results in Scherer et al. (1997), we propose an invertible linearizing change of variables: (23) (P , κ) → ν := ((X , Y , S), (R, G), (K , O, M , N)) , such that, in the new variables ν , the objective in (22) is convex and the restrictions are affine. In particular, for P > 0 and the nonlinear matrix inequality L ≥ 0 defined in (22), we aim at finding two invertible matrices T1 and T2 such that the congruence transformations P → T1T PT1 and L → T2T LT2 lead to new linear matrix inequalities T1T PT1 > 0 and T2T LT2 ≥ 0 in ν . 1−a

Fig. 6. Projection of EΓx ,∞ onto the (xp,1 , xp,2 )-hyperplane for different sets of sensor being attacked and distance to critical states.

of EΓx ,∞ and the distance to the critical states depicted in Fig. 6 for different sensors being attacked. Note that some distances are negative, as explained in Remark 4, negative distances imply that there is a nonempty intersection between the critical states and the stealthy reachable set. That is, there exist attack sequences that can drive the system to the unsafe region without being detected by the system monitor. Assume, for instance, that two out of the three sensors can be completely secured, i.e., attacks to these sensors are impossible. From Table 1, we note that attacks to sensor two leads to the largest volume of EΓx ,∞ and the smallest distance to critical states dxΓ ,∞ . Therefore, if only two sensors can be secured, they should be sensors two and three. Following the same logic, if only one sensor can be secured, then sensor two must be selected because attacks to the remaining sensors, one and three, lead to the smallest EΓx ,∞ and the largest dxΓ ,∞ . Thereby, our tools can be used to allocate security equipment to sensors when limited resources are available. 5. Synthesis tools: Attacker’s reachable sets Next, we derive tools for designing the monitor and controller matrices κ := (L, Π , Ac , Bc , C c , Dc ) such that the impact

(22)

1−a

5.1. Change of variables and optimization problem To be able to convexify the synthesis problem, we have to impose some block diagonal structure on the matrix P . Let P be positive ⎡ definite⎤and of the form X U 0 P := ⎣U T X˜ 0⎦ , (24) 0 0 S with X , U , X˜ , S ∈ Rn×n and the matrices: ] [ [ X U Y −1 X := , X =: U T X˜ VT

positive definite X , X˜ , and S. Define

]

[

]

[

]

V Y I I 0 , Y := T , Z := . X U V 0 Y˜

(25) Using block matrix inversion formulas, it is easy to verify that YX + VU T = I and YU + V X˜ = 0, which leads to Y T X = Z . Define

8

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

the matrices T1 ⎡ and T2 [ ] Y I Y 0 T1 := = ⎣V T 0 0 I 0 0 T1 0 0 0 T1 0 0 0 I

[ T2 :=

as⎤ 0 0⎦ ∈ R3n×3n , I

(26)

] ∈ R9n×9n .

(27)

Then, P → T1T PT1 and L → T2T LT2 take the form: [ ] Y I 0 T T1 PT1 = I X 0 =: P(ν ), 0 0 S

⎡

(28)

⎤

aT1T PT1 T1T AT PT1 0 (29) T2T LT2 = ⎣T1T PAT1 T1T PT1 T1T PB⎦ . 0 BT PT1 Wai The structure of P(ν ) follows from symmetry of P , which implies symmetric X and Y and XY + UV T = I. Note that the block T1T PT1 is linear in X , Y , and S. Next, using the definition of (A, B) in (18), we expand the blocks T1T PAT1 and T1T PB. Note that the matrix A is upper triangular. Let A be partitioned as [ ] A1 A2 A =: ; (30) 0 A3 and define the change of controller, observer, and monitor variables: ( ) ( )( c c )( T ) K − XAp Y O U XBp A B V 0 := , (31a) c c p M N 0 Il C D C Y Im R := SL,

(31b)

G := Π . Then, T1T PAT1 can be written as ] [ T Y X A1 Y ZA2 A(ν ) := T1T PAT1 = 0 S A3

(31c)

(32)

Ap Y + Bp M Ap + Bp NC p −Bp N Γ Γ + C p p p K XA + OC −OΓ Γ + C p = , 0 0 SAp − R(Im − Γ Γ + )C p the block T1T PB as [ ] Z 0 T B(ν ) := T1 PB = B 0 S

[

]

Bp N(Im − Γ Γ + )F E Bp N Γ Γ O(Im − Γ Γ + )F XE OΓ Γ + −R(Im − Γ Γ + )F SE −RΓ Γ + and the block Wai as

=

[ Wai = diag

1 − a1

η¯

Im ,

1 − a2

v¯

Proof. See Murguia et al. (2018, Lemma 2).

■

So far, we have derived from the analysis inequalities, P > 0 and L ≥ 0 in (22), the synthesis inequalities P(ν ) > 0 and L(ν ) ≥ 0 defined in (28) and (37). If we find a realization of ν satisfying the synthesis inequalities, we factorize I − YX into nonsingular matrices V and U satisfying I − YX = VU T , use these V and U to solve the equations in (31) to obtain the controller, observer, and monitor matrices, and invert (28) to obtain the ellipsoid matrix P . By Lemma 2, this (κ, P ) satisfies the analysis inequalities in (22). We aim at minimizing the number of states that the attacker can induce in the system while remaining stealthy, i.e., we want to make the ‘‘size’’ of RxΓ ,k defined in (16) as small as possible by selecting ν . To achieve this, we seek for the ν that minimizes the volume of EΓx ,∞ (which would decrease the size of RxΓ ,k ). In the analysis case, we looked for the matrix P satisfying P > 0 ζ ζ and L ≥ 0 leading to the ellipsoid EΓ ,k = {ζ ∈ R3n |ζ T P ζ ≤ αk } ζ

ζ

(33)

project this EΓ ,k onto the xp -hyperplane to obtain EΓx ,k . Here, we work directly with the projection EΓx ,k by rewriting it in terms of our synthesis variables ν . ζ

ζ

Lemma 3. Consider EΓ ,k = {ζ ∈ R3n |ζ T P ζ = αk } with matrix P ∈ R3n×3n as defined in (24), extended state ζ = ((xp )T , (xc )T , eT )T , ζ ζ and αk ∈ R>0 , k ∈ N. The projection of EΓ ,k onto the xp -hyperplane

,

ζ

] In , (1 − b)G

Lemma 2. Consider the observer, monitor, and controller matrices κ = (L, Π , Ac , Bc , C c , Dc ), and the matrices L and P as defined in (22) and (24), respectively. If there exists ν = (X , Y , S , R, G, K , O, M , N ) satisfying P(ν ) > 0 and L(ν ) ≥ 0 with P(ν ) and L(ν ) as defined in (28) and (37), respectively; then, there exists (κ, P ) satisfying P > 0 and L ≥ 0. Moreover, for every ν such that P(ν ) > 0 and L(ν ) ≥ 0, the change of variables in (31) and matrix T1 are invertible and the (κ, P ) obtained by inverting (28) and (31) is unique.

bounding RΓ ,k (defined in (19)) and then, using Corollary 2, we

+]

[

If the matrix P(ν ) is positive definite, by the Schur complement, Y > 0 and X − Y −1 > 0, and because YX + VU T = I by construction (see Eq. (25)), VU T = I − YX < 0, i.e., the matrix VU T is nonsingular. Therefore, if P(ν ) > 0, it is always possible to find nonsingular U and V satisfying YX + VU T = I. In the following lemma, we summarize the discussion presented above.

=: W(ν ).

(34)

Therefore, under T1 , T2 , and the new variables in (31), the blocks transform as { P → P(ν ), T1T PAT1 → A(ν ), (35) T1T PB → B(ν ), Wai → W(ν ), with P(ν ), A(ν ), B(ν ), and W(ν ) as defined in (28), (32), (33), and (34), respectively. That is, the original blocks, PA and PB, that depend non-linearly on the decision variables (κ, P ) are transformed into blocks that are affine functions of the new variables ν . If ν is given and U and V are invertible, the change of variables in (31) and the matrix T1 are invertible and thus (κ, P ) can be constructed from ν and they are unique. Moreover, invertible V implies that T1 and T2 are nonsingular and thus the transformations P → T1T PT1 and L → T2T LT2 are congruent. The latter implies that P > 0 and L ≥ 0 ⇔ P(ν ) > 0 and L(ν ) ≥ 0, (36) where ⎡ ⎤ aP(ν ) A(ν )T 0 T ⎣ L(ν ) := T2 LT2 = A(ν ) P(ν ) B(ν ) ⎦ . (37) 0 B(ν )T W(ν )

is given by the ellipsoid EΓx ,k = {xp ∈ Rn |(xp )T Y −1 xp = αk } with Y as defined in (25). Proof. See Murguia et al. (2018, Lemma 3).

■

Lemma 3 implies that, in the new variables, we can minimize ζ the volume of (xp )T Y −1 xp = α∞ to reduce the size of RxΓ ,k . Therefore, in the synthesis case, we seek to minimize the volume ζ of (xp )T Y −1 xp = α∞ subject to P(ν ) > 0 and L(ν ) ≥ 0. The volume √ ζ x of EΓ ,∞ is proportional to det[Y ] for any α∞ > 0 (Kurzhan-

√

skii & Valyi, 1997). Moreover, the function det[Y ] shares the same minimizer with log det[Y ] (Boyd et al., 1994). However, the function log det[Y ] is concave for any positive definite matrix Y . To √ overcome this obstacle, we look for a convex upper bound on det[Y ] and minimize this bound instead. Lemma 4. For any positive definite matrix Y ∈ Rn×n , the following is satisfied: 1 1 1 1 n det[Y ] n ≤ trace[Y ] ⇒ det[Y ] 2 ≤ n trace[Y ] 2 . (38) n n2 Moreover, because Y is positive definite arg min[trace[Y ]n/2 ] = arg min[trace[Y ]],

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

9

i.e., trace[Y ]n/2 and trace[Y ] share the same minimizer. Therefore, by √ minimizing trace[Y ], we minimize an upper bound on det[Y ].

one in Scherer et al. (1997) are compatible in the sense that any performance specification considered in Scherer et al. (1997) can be written as LMIs in terms of our syntheses variables ν .

Proof. See Murguia et al. (2018, Lemma 4).

Attack-Free Monitor Feasibility. Note that the observer gain L and the monitor matrix Π must be chosen such that Assumption 1 is satisfied. That is, the pair (L, Π ) must be selected such that, in the attack-free case (δk = 0), there exists some k∗ ∈ N satisfying rkT Π rk ≤ 1 for all k ≥ k∗ and rk solution of (10). Next, we provide constraints in the syntheses variables ν that have to be fulfilled to satisfy Assumption 1.

■

Up to this point, we have the necessary tools for selecting ν to reduce the size of the stealthy reachable set RxΓ ,k . That is, we have the constraints, P(ν ) > 0 and L(ν ) ≥ 0, and the cost function, trace[Y ], needed to cast the optimization problem to minimize the volume of EΓx ,∞ . There is, however, one last ingredient to be considered before casting the complete synthesis optimization problem; namely, the attack-free performance of the closed-loop dynamics. 5.2. Attack-free observer, monitor, and controller performance As we now move towards posing the complete syntheses optimization problem, we note that as ∥L∥ → 0, ∥Bc ∥ → 0, and ∥Dc ∥ → 0, the reachable set RxΓ ,k converges to the empty set because the attack-dependent terms in (13) vanish. While this is effective at eliminating the impact of the attacker, it implies that we discard the observer and the controller altogether and, therefore, forfeit any ability to control the system and build a reliable estimate of the state. If there are performance specifications that the observer, monitor, and controller must satisfy in the attackfree case (e.g., convergence speed and perturbation-output gain), they have to be added as extra constraints into the minimization problem posted to minimize the volume of EΓx ,∞ . Several time and frequency domain performance specifications for LTI systems have been expressed as LMI constraints on the closed-loop state-space matrices and quadratic Lyapunov functions (Scherer et al., 1997). Here, our goal is to compute a single observer (9), monitor (11), and controller (12) that: (1) meets the required attack-free performance specifications, and (2) decreases the set of states reachable by stealthy attackers. For LTI systems and some of the most frequently used performance specifications (e.g., general quadratic performance (Scherer et al., 1997)), there are analysis and synthesis results of the form: System Σ satisfies the performance specification γj if there exists a Lyapunov matrix Pj that satisfies some LMIs in Pj . If our synthesis problem involves N specifications, γ1 , . . . , γN , by collecting the LMIs of each specification, we end up having a set of matrix inequalities whose variables are the observer, monitor, and controller matrices, and the Lyapunov matrices, P1 , . . . , PN , of the specifications (plus auxiliary variables depending on the performance criteria). To pose a tractable co-design considering the volume of EΓx ,k and the specification γj , we must rewrite the specification Lyapunov matrix Pj and its corresponding LMIs in terms of the synthesis variables ν . This can be achieved by imposing Pj = TjT P Tj , where P is the Lyapunov-like matrix associated with EΓx ,k in (24) and Tj denotes some linear transformation. By doing so, we can write the specification LMIs in terms of P and use the change of variables in (31) and the transformations T1 and T2 in (26)–(27) to write these LMIs in terms of ν . Remark 7. In this manuscript, as attack-free performance specifications, we consider the spectrum of the estimation error dynamics for the observer and, for the controller, the L2 gain from the vector of perturbations to some performance output. We remark that any other specification γj can be considered in our framework as long as the corresponding Lyapunov matrix Pj and the LMIs can be written in terms of the synthesis variables ν . In Ref. Scherer et al. (1997), the authors provide a synthesis framework for general quadratic performance — which covers H2 /H∞ performance, passivity, asymptotic disturbance rejection, peak impulse response, peak-to-peak gain, nominal/robust regulation, and closed-loop pole location. The framework here and the

Lemma 5. Consider the system matrices (Ap , C p , E , F ) and the perturbation bounds v¯ , η¯ ∈ R>0 . Assume no attacks to the system, e i.e., δk = 0. For a given a ∈ (0, 1), constant α∞ := (2 − a)/(1 − a), and ϵ ∈ R>0 , if there exist constants a1 , a2 ∈ R and matrices S ∈ Rn×n , G ∈ Rm×m , and R ∈ Rn×m satisfying: ⎧ ⎪ a⎡1 , a2 ∈ (0, 1), ap1 + a2p≥T a, S > 0, G >⎤0, ⎪ ⎪ aS (SA − RC ) 0 0 ⎪ ⎪ ⎪ ⎪ SAp − RC p S −RF SE ⎥ ⎪ ⎢ ⎪ ⎥ ≥ 0, ⎨ ⎢ 1−a1 ⎣ Im 0 ⎦ 0 −(RF )T η¯ (39) 1−a2 ⎪ 0 ET S 0 In ⎪ v¯

⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎩

[

αe

∞

1

S − (C p )T GC p +ϵ+η¯

−GC p

e α∞

] −(C p )T G ≥ 0; 1 I −G +ϵ+η¯ m

then, for L = S R and Π = G, the residual dynamics (10) satisfies rkT Π rk ≤ 1 for (all k ≥ k∗ (a), ϵ, e1 , S), where k∗ (a, ϵ, e1 , S) := e min{k ∈ N|ak−1 eT1 Se1 − α∞ ≤ ϵ} and e1 denotes the initial estimation error in (10). −1

Proof. See Murguia et al. (2018, Lemma 5).

■

The constant ϵ determines the tightness of the monitor, i.e., the smaller the ϵ the tighter the bound rkT Π rk ≤ 1 for k ≥ k∗ . Note, however, that depending on the initial condition ϵ ( e1 , tooe small ) might result in very large k∗ = min{k ∈ N|ak−1 eT1 Se1 −α∞ ≤ ϵ}. See Murguia et al. (2018, Remark 10) for further details. Attack-Free Observer Performance. For the observer, we simply consider the speed of convergence of the estimation error to steady state as a performance criteria. This is quantified by the eigenvalues of the matrix (Ap − LC p ). We restrict the values that L might take by enforcing that the eigenvalues of (Ap − LC p ) are contained in a disk, Disk[β, τ ], centered at β + 0i with radius τ . We give a necessary and sufficient condition in terms of the synthesis variables, R and S, to achieve this. Lemma 6 (Observer Performance Garcia & Bernussou, 1995). Consider the system matrices (Ap , C p ). If there exist S ∈ Rn×n and R⎧∈ Rn×m satisfying: ⎨S[ > 0, ] S β S − SAp + RC p (40) ) ≥ 0; T ⎩ ( α S − SAp + RC p τ 2S then, the eigenvalues of (Ap − LC p ) with L = S −1 R are contained in the closed disk Disk[β, τ ] centered at β + 0i with radius τ . Attack-Free Controller Performance. For the controller, we consider the L2 gain of the closed-loop system from the vector of perturbations, dk := (ηkT , vkT )T ∈ Rm+n , to some performance output, say sk ∈ Rg , in the attack-free case (i.e., δk = 0). Define the matrices [ p ] [ p c ] A + Bp Dc C p Bp C c B D F E ˜ ˜ A := , B := , (41) Bc C p Ac Bc F 0 p

and the performance output sk := C s xk + Ds uk + D1 ηk + D2 vk , for some matrices C s ∈ Rg ×n , Ds ∈ Rg ×l , D1 ∈ Rg ×m , and D2 ∈ Rg ×n . Then, the closed-loop dynamics (8), (12) can be written in terms

10

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757 p

of the extended state ζ˜k := ((xk )T , (xck )T )T ∈ R2n , the vector of perturbations dk , and the performance output sk : { ζ˜k+1 = A˜ζ˜k + B˜dk , (42) sk = C˜ζ˜k + D˜ dk , s s c p s c s c with C˜ := (C + D D C , D C ) and D˜ := (D1 + D D F , D2 ). The L2 gain from dk to sk of system (42) is given by supdk ∈L2 ,dk ̸=0 (∥sk ∥2 / ∥dk ∥2 ) for ζ˜1 = 0, where, for any sequence ρk ∈ Rnρ , ∥ρk ∥2 := ∑∞ T 1 2 k=1 (ρk ρk ) . The L2 gain of system (42) equals the H∞ norm of the transfer matrix H(s) := D˜ + C˜(sI − A˜)−1 B˜, see Scherer and Weiland (2000). Using the analysis inequalities for L2 performance in Murguia et al. (2018, Lemma 7), we derive corresponding synthesis constraints in terms of the synthesis variables ν . Consider the matrices X and Y introduced in (25), the change of variables in (31a), and the attack-free closed-loop system matrices ˜ ) above defined. (⎧ A˜, B˜, C˜, D [ ] Define the matrices: Y I ⎪X( ˜ ν ) := Y T X Y = ⎪ , ⎪ ⎪ I X ⎪

⎪ [ p ] ⎪ ⎪ p p ⎪ Bp NC p ⎪ ˜ ν ) := Y T X AY ⎪ ˜ = A Y +B M A + A( , ⎪ p p ⎨ K XA + OC [ p ] ⎪ ˜ ν ) := Y T X B˜ = B NF E , ⎪ B( ⎪ ⎪ OF XE ⎪ ⎪ ⎪ [ s ] ⎪ ⎪ ˜ ˜ = C Y + Ds M C s + Ds NC p , C(ν ) := CY ⎪ ⎪ ⎪ [ ] ⎩˜ D(ν ) := D˜ = D1 + Ds NF D2 .

(43)

Lemma 7 (H∞ -Performance). Consider the system matrices (Ap , Bp , C p , E , F ). If there exist O ∈ Rn×l , X , Y , K ∈ Rn×n , M ∈ Rm×n , and N ∈ Rl×m , and constant γ ∈ R>0 satisfying: ⎤ ⎡ ˜ ν ) A( ˜ ν )T 0 C( ˜ ν )T X( ⎥ ⎢˜ ˜ ˜ ˜ ν ) > 0, S(ν ) := ⎢A(ν ) X(ν ) B(ν ) 0 ⎥ ≥ 0; (44) X( ⎣ 0 B( ˜ ν )T γ 2 I D( ˜ ν )T ⎦ ˜ ν ) 0 D( ˜ ν) I C( then, the change of variables in (31a) and the matrix Y in (25) are invertible and the matrices (X , Ac , Bc , C c , Dc ) obtained by inverting ˜ ν ) = Y T X Y in (43) satisfy the L2 performance LMIs in (31a) and X( ∥s ∥ Murguia et al. (2018, Lemma 7), and lead to supdk ∈L2 ,dk ̸=0 ∥dk ∥2 ≤ γ k 2

for ζ˜1 = 0. Proof. See Murguia et al. (2018, Lemma 8).

■

5.3. Synthesis of secure control systems Finally, combining the results above presented, we cast the complete optimization problem to minimize the volume of the asymptotic approximation EΓx ,∞ of RxΓ ,k as a function of the set of sensor being attacked (the sensor selection matrix Γ ) while guaranteeing certain attack-free system performance. Theorem 2. Consider (Ap , Bp , C p , E , F ) (the system matrices), the perturbations bounds v¯ , η¯ ∈ R>0 , and the attack sensor selection e matrix Γ . For given a, b ∈ (0, 1), α∞ = (2 − a)/(1 − a), ϵ ∈ R>0 , τ , β ∈ (0, 1), γ ∈ R>0 , if there exist a1 , a2 ∈ R and matrices ν = (X , Y , S , R, G, K , O, M , N), X , Y , S , K ∈ Rn×n , R ∈ Rn×m , G ∈ Rm×m , O ∈ Rn×l , M ∈ Rm×n , N ∈ Rl×m , solution of the convex optimization: min trace[Y ], (45a) ν,a1 ,a2

⎧ s.t. a1 , a2 ∈ (0, 1), a1 + a2 + b ≥ a, ⎪ ⎪ ⎪ ⎨P(ν ) > 0, L(ν ) ≥ 0, (attacker’s reachable set), (39), (monitor feasibility), ⎪ ⎪ (40), (observer performance), ⎪ ⎩˜ X(ν ) > 0, S(ν ) ≥ 0, (controller performance),

(45b)

˜ ν ), and S(ν ) as defined in (28), (37), (43), and with P(ν ), L(ν ), X( (44), respectively; then, the transformation T1 in (26) and the change of variables in (31) are invertible and the matrices (P , L, Π , Ac , Bc , C c , Dc ) obtained by inverting (31) and T1T PT1 = P(ν ) in (28) lead to: (1) a feasible monitor in the sense( of Lemma 5;) (2) for e k ≥ k∗ (a, ϵ, e1 , S) = min{k ∈ N|ak−1 eT1 Se1 − α∞ ≤ ϵ} x x and initial estimation error e1 in (10), RΓ ,k ⊆ EΓ ,k with EΓx ,k =

ζ ζ {xp ∈ R3n |(xp )T PΓx xp ≤ αk }, PΓx := X − U X˜ −1 U T , and αk := 3−a k−1 p p k−1 T a ζk∗ P ζk∗ + 1−a (1 − a ); (3) the eigenvalues of (A − LC ) being contained in Disk[β, τ ]; and (4) supdk ∈L2 ,dk ̸=0 (∥sk ∥2 /∥dk ∥2 ) ≤ γ for ζ˜1 = 0. Moreover, by minimizing trace[Y ], we are minimizing an

upper bound on the volume of EΓx ,∞ .

Proof. See Murguia et al. (2018, Theorem 2).

■

Observer, Monitor, Controller, and Ellipsoidal-Approximation Reconstruction. Given a solution (ν, a1 , a2 ) of the optimization problem in (45): (1) For given X and Y , compute via singular value decomposition a full rank factorization VU T = I −YX with square and nonsingular V and U. (2) For given ν and invertible V and U, solve the system of equations T1T PT1 = P(ν ) and (31) to obtain the matrices (P , L, Π , Ac , Bc , C c , Dc ). (3) For given S, Y , P , e1 , ϵ , and a, obtain the monitor convergence ζ time k∗ , and PΓx and αk conforming the ellipsoidal approximation ( ) e EΓx ,k of RxΓ ,k as: k∗ = min{k ∈ N|ak−1 eT1 Se1 − α∞ ≤ ϵ}, ζ

−a (1 − ak−1 ). PΓx = Y −1 , and αk = ak−1 ζkT∗ P ζk∗ + 13− a By Theorem 2, the reconstructed matrices satisfy the attackfree system performance, and minimize an upper bound on the volume of EΓx ,∞ .

Remark 8. Note that the constants a, b, ϵ, τ , β , and γ in Theorem 2 must be fixed before solving the synthesis optimization problem in (45). The constants (τ , β, γ ) determine the attack-free observer and controller performance. The constant ϵ determines the tightness of the monitor in the attack-free case. The smaller the ϵ the tighter the monitor (see Murguia et al. (2018, Remark 10) for details). Finally, a, b ∈ (0, 1) are, in fact, variables of the optimization problem. However, to linearize some of the constraints, we fix their value before solving (45) and search over a, b ∈ (0, 1) to find the optimal ν . The latter increases the computations needed to find the optimal ν ; however, because a, b ∈ (0, 1) (a bounded set), the required grid in (a, b) is of reasonable size. 5.4. Distance to critical states: Synthesis As a second cost function for synthesis, we consider the distance between RxΓ ,k and a possible set of critical states C x . Because RxΓ ,k is not known exactly, we consider the distance from the approximation EΓx ,k to C x and use this distance as cost function. We capture the set of critical states through the union of halfspaces defined by their boundary hyperplanes as introduced in (20). In the analysis case, we computed the minimum distance, dxΓ ,k , between EΓx ,k and C x and use this distance to approximate the proposed security metric (the distance between RxΓ ,k and C x ). For synthesis, however, the distance dxΓ ,k is highly nonlinear and not convex/concave in the syntheses variables ν . Instead, we consider the minimum distance between each hyperplane conforming C x and the asymptotic ellipsoidal approximation, EΓx ,∞ = limk→∞ EΓx ,k , and use the weighted sum of these distances as the cost function to be maximized.

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

Consider the ellipsoidal approximation EΓx ,k as

Proposition 2.

ζ

introduced in Lemma 3 with matrix Y and function αk , and the set of critical states: C x = {xp ∈ Rn |

N ⋃

ciT xp ≥ bi },

i=1

where each pair (ci , bi ), ci ∈ Rn , bi ∈ R, i = 1, . . . , N quantifies a hyperplane that defines a single half-space. The minimum distance x, i x, i dΓ ,k between EΓx ,k and the hyperplane ciT xp = bi is given by dΓ ,k := √ ζ |bi |− ciT Yci /αk ciT ci

.

Proof. See Murguia et al. (2018, Proposition 2).

■

ρi dxΓ,i,k , for some ρi ∈ R≥0 satisfying i=1 ρi = 1, by selecting (ν, a1 , a2 ) subject to (45b). The constant ρi assigns a priority weight to the distance ζ x, i −a (1 − dΓ ,k . Note, however, that because αk = ak−1 ζkT∗ P ζk∗ + 13− a For synthesis, we aim at maximizing

∑N

∑N

i=1

ak−1 ) and P −1 = diag

[(

Y V V T Y˜

)

] , S −1 ,

ζ

the term ciT Yci /αk is nonlinear and not convex/concave in the matrix Y . However, because a ∈ (0, 1), we can maximize the weighted sum of the asymptotic minimum distances between ∑N x,i EΓx ,k and ciT xp = bi , i = 1, . . . , N, i.e., d˜ Γ := limk→∞ i=1 ρi dΓ ,k =

) ( −a T c Yci )−1/2 /ciT ci . Because (1 − a)/(3 − a) is ρi |bi | − ( 31− a i strictly positive and Y is positive definite, maximizing d˜ Γ is equiv∑N T alent to minimizing the linear function: i=1 ρi (ci Yci ). Next, ∑N

i=1

as a corollary of Theorem 2, we pose the optimization problem required to maximize d˜ Γ while guaranteeing the required attack-free performance. Corollary 4. Consider the setting stated in Theorem 2, the set of x ˜ critical states ∑NC defined in (20), and dΓ above defined for some ρi ∈ R≥0 , i=1 ρi = 1, i = 1, . . . , N. If there exists (ν, a1 , a2 ) solution of the optimization: { ∑N T minν,a1 ,a2 i=1 ρi ci Yci , (46) s.t. (45b), c c c c then, the matrices (P , L, Π , A , B , C , D ) obtained by inverting (31) and T1T PT1 = P(ν ) in (28), maximize d˜ Γ and satisfy the desired attack-free system performance in the sense of Theorem 2. Proof. See Murguia et al. (2018, Corollary 4).

■

5.5. Controller/Monitor selection for unknown Γ The synthesis results presented above are derived for given sensor attack selection matrix Γ (see Remark 6). However, we do not have access to Γ in practice, i.e., the set of sensors being attacked is usually unknown to the system designer. Next, we provide general guidelines for using the results given above to synthesize controllers/monitors when Γ is unknown. We propose two sets of techniques: sensor protection placement methods (Dan & Sandberg, 2010; Kim & Poor, 2011); and game-theoretic techniques (Basar & Olsder, 1998). Sensor Protection Placement. This technique was originally introduced for power system (Dan & Sandberg, 2010; Kim & Poor, 2011). The problem is the following: assuming that the system designer has limited security resources to completely encrypt and secure a subset of sensors (i.e., attacks to those sensors are impossible), how to select which sensors to secure in order to minimize the effect of stealthy attacks on the system performance. In exactly the same sense, we have shown in the analysis example in

11

Section 4.3 that our analysis tools can be used to allocate security equipment to sensors when limited resources are available so that the size of the stealthy reachable set is minimized. Now, in the syntheses setting, we address a slightly different problem: for given m sensors and a limited number of sensors that can be ˜ ∈ {1, . . . , m}, which sensors should be selected such secured m that the optimal controller/monitor corresponding to attacks to ˜ sensors leads to the smallest stealthy all the remaining m − m reachable set (or the largest distance to critical states) among all ˜ sensors. For instance, assume that we have subsets of m − m ˜ = 1 of them can be secured. three sensors, m = 3, and m Then, among all subsets of sensors J ⊆ {1, 2, 3} with cardinality ˜ = 2 (i.e., J ∈ {{1, 2}, {1, 3}, {2, 3}}), select card[J ] = m − m the controller/monitor κJ ∈ {κ{1,2} , κ{1,3} , κ{2,3} } that leads to the smallest asymptotic ellipsoid EJx := EΓx ,∞ |Γ =ΓJ ,κ=κJ , where κJ denotes the optimal κ = (L, Π , Ac , Bc , C c , Dc ) corresponding to the solution of (45) for Γ = ΓJ , and ΓJ ∈ {Γ{1,2} , Γ{1,3} , Γ{2,3} } is the attack selection matrix corresponding to attacks on sensors J. That is, we compute optimal controllers/monitors and corresponding asymptotic ellipsoids (κJ , EJx ) for all J ∈ {{1, 2}, {1, 3}, {2, 3}}, and select the controller κJ that leads to the smallest EJx . In the following algorithm, we summarize the ideas introduced above. Algorithm 1. Controller/Monitor Selection: (1) Consider the m available sensors, the number of sensors that ˜ ∈ {1, . . . , m}, and all subsets of sensors J ⊆ can be secured m ˜ {1, . . . , m} with cardinality card[J ] = m − m. (2) Let ΓJ denote the sensor attack selection matrix corresponding to attacks on sensors J. For Γ = ΓJ and all J ⊆ {1, . . . , m} ˜ compute the optimal controller/monitor with card[J ] = m − m, κJ := κ = (L, Π , Ac , Bc , C c , Dc ) corresponding to the solution of (45) in Theorem 2. (3) Let EJx = EΓx ,∞ |Γ =ΓJ ,κ=κJ , i.e., EJx denotes the asymptotic ellipsoidal approximation of the stealthy reachable set, RxΓ ,k , for Γ = ΓJ and κ = κJ ; and select the controller/monitor as follows:

κm∗˜ = arg min Vol[EJx ],

(47)

κJ

where Vol[

EJx

] denotes the volume of

EJx .

∗ Note that the selected controller/monitor κm ˜ in (47) is ˜ the number of sensors that can be secured; parametrized by m, ˜ = 0 (no sensors can be secured), ΓJ = and that in the case m Γ{1,...,m} = Im , i.e., the selected controller/monitor κ0∗ is a worstcase controller that assumes all sensors are attacked. We remark that Algorithm 1 could be used using the largest distance to critical states d˜ Γ as cost to be maximized instead of minimizing Vol[EJx ].

Game-Theoretic Strategies. We only briefly introduce a gametheoretic formulation and some techniques that could be used to select suitable controllers/monitors for unknown Γ . A rigorous game-theoretic formulation is beyond the scope of this paper and is left as future work. Note that we can compute optimal controllers/monitors for all possible of Γ . (m) ∑mcombinations ¯ := If there are m sensors, there are m possible mas=1 s ¯ trices Γ . We index and order all these matrices in the m-tuple (Γ{1} , Γ{2} , . . . , Γ{1,2} , Γ{1,3} , . . . , Γ{1,...,m} ) =: Γ¯ , and the corresponding optimal controllers/monitors κ in (κ{1} , κ{2} , . . . , κ{1,2} , ¯ where, κ{1,3} , . . . , κ{1,...,m} ) =: κ¯ with card[Γ¯ ] = card[κ] ¯ = m, as introduced above, for instance, κ{1,3} is the controller/monitor κ corresponding to the solution of (45) in Theorem 2 for Γ = Γ{1,3} , and Γ{1,3} is the sensor selection matrix Γ corresponding to attacks on sensors {1, 3}. Associated with every pair (κI , ΓJ ) ∈ κ¯ ×

12

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

Γ¯ , we introduce the corresponding cost hI ,J := Vol[EΓx ,∞ |Γ =ΓJ ,κ=κI

], where Vol[EΓx ,∞ |Γ =ΓJ ,κ=κI ] denotes the volume of EΓx ,∞ for Γ = ΓJ and κ = κI . That is, EΓx ,∞ |Γ =ΓJ ,κ=κI is the asymptotic ellipsoidal approximation of the stealthy reachable set RxΓ ,k for Γ = ΓJ and κ = κI , and κI is the controller/monitor κ corresponding to the solution of (45) in Theorem 2 for Γ = ΓI . Note that, by construction, κI minimizes the cost hI ,I but is not optimal for hI ,J , I ̸ = J. Next, using the notation introduced above, we cast the controller/monitor selection as a two players noncooperative zerosum matrix game (Basar & Olsder, 1998), where player one (the defender) has strategy set κ¯ , player two (the attacker) has strategy set Γ¯ , and the cost matrix of the game is H := {hI ,J } ∈ Rm¯ ×m¯ . Define the tuple K := ({1}, {2}, . . . , {1, 2}, {1, 3}, . . . , {1, . . . , m}) indexed as K1 = {1}, K2 = {2}, Km¯ = {1, . . . , m}, and so ¯ }, on. Then, elements of the game matrix H(i, j), i, j ∈ {1, . . . , m correspond to hKi ,Kj , i.e., there is a one-to-one correspondence between H(i, j) and hKi ,Kj . Hereafter, we only use entries H(i, j), ¯ }, of the matrix game without making reference i, j ∈ {1, . . . , m to the corresponding sets (Ki , Kj ); indeed, the strategy of the defender associated with H(i, j) is κKi , and the one of the attacker is ΓKj . If the defender chooses strategy i (the ith row of H) and the attacker the strategy j (the jth column of H), the outcome of the game is H(i, j). Here, the defender seeks to minimize the outcome of the game, while the attacker aims at maximizing it, both by independent decisions. Note that this game is only played once, the controller is selected before the system starts operating and it is not changed during the operation. Then, a reasonable strategy for the defender is to secure his losses against any (rational or irrational) behavior of the attacker (Basar & Olsder, 1998). Under ¯ }, this strategy, the defender selects the strategy i∗ ∈ {1, . . . , m the i∗ -row of H, whose largest entry is no bigger than the largest entry of any other row. Therefore, if the defender chooses the i∗ th row as his strategy, where i∗ satisfies the inequalities: f¯ (H) := max H(i∗ , j) ≤ max H(i, j); (48) j

j

then, his looses are no greater than f¯ , which is referred in the literature as the ceiling of the defender or the security level for the defender’s losses (Basar & Olsder, 1998). The strategy ‘‘row i∗ ’’ (the controller/monitor κKi∗ ) that yields this security level is called the security strategy of the defender. For every matrix game H, the security level of the defender’s losses is unique, and there exists at least one security strategy (Basar & Olsder, 1998). Using the security strategy κKi∗ (where i∗ satisfies (48)) as the selected controller/monitor is the best rational strategy that can be taken under the assumptions of the game (i.e., noncooperative, played only once, and independent decisions). Note that the attacker has also a security strategy that secures his gains against any strategy of the defender. However, whether he plays that strategy (or not) would not chance the security strategy of the defender. Here, we use the security strategy κKi∗ described above as the selected controller/monitor. An alternative formulation is to assign probabilities to every strategy of the attacker and select the defender’s strategy that minimizes the expected value of the game. Define ∑m¯ the vector of probabilities p := (p1 , . . . , pm¯ )T , pj ≥ 0, j=1 pj = 1, j ∈

¯ }, where pj denotes the probability that the attacker {1, . . . , m uses strategy j (the jth column of H). These probabilities have to be assigned by the defender given the system configuration. For instance, if sensors are geographically distributed (e.g., in power/water networks), some of them could be completely inaccessible and some others might be easier to reach/hack. Another option is to assign higher probabilities to attacks on single sensors than on groups of them. Simply because it might be easier to hack one sensor than more than one. Thus, the system designer

has to assign smaller/larger probabilities to every sensor of the system. Note that for a given defender’s strategy i, the value of the game is H(i, 1) with probability p1 , H(i, 2) with probability ¯ with probability pm¯ , and so on. Then, for this ith row p2 , H(i, m) strategy, the expected value of the game is given by H(i, ∗)p, where H(i, ∗) ∈ R1×m¯ denotes the ith row of the game matrix ¯ }, the i∗ -row H. The defender selects the strategy i∗ ∈ {1, . . . , m of H, that minimizes the expected value of the game, i.e., i∗ = arg min H(i∗ , ∗)p. (49) i

We use the strategy ‘‘row i∗ ’’ (the controller/monitor κKi∗ ) as the chosen controller/monitor. Note that this strategy might lead to a better outcome of the game (for the defender) with certain ‘‘optimal’’ probability. However, there is also a nonzero probability of doing worse than with the deterministic formulation presented above. This might be a risk worth taking to improve the security of the system. We remark that the matrix game H could be constructed using the largest distance to critical states d˜ Γ instead of Vol[EΓx ,∞ ]. In that case, the defender seeks to maximize the distance and the attacker aims at minimizing it. 5.6. Simulation results Consider the system matrices (Ap , Bp , C p , E , F ) as in Murguia √ et al. (2018, Eq. (30)), and the perturbation bounds η¯ = π and v¯ = 1. Let ϵ = 0.1 and (β, τ ) = (0, 0.99), i.e., the monitor constant ϵ is fixed to 0.1 and the eigenvalues of the observer closed-loop matrix (Ap − LC p ) are required to be contained in the disk centered at 0 + 0i of radius 0.80, Disk[0, 0.80]. Consider the performance output matrices Cs = (0, 0, 0.25), Ds = 01×2 , D1 = (0, 0, 1), and D2 = 01×3 , and the set of critical states C x = {xp ∈ R3 |xp,1 ≤ −15}. The controller must guarantee, in the attack-free case, that the L2 -gain from the vector of perturbations p p,3 dk = (ηkT , vkT )T to sk = Cs xk + Ds uk + D1 ηk + D2 vk = 0.25xk + ηk3 is less than or equal to γ = 3.0 (as the controller given in Murguia et al. (2018, Eq. (30)) for the analysis section). We use Theorem 2 and Corollary 4 to obtain optimal κ = (L, Π , Ac , Bc , C c , Dc ) minimizing EΓx ,∞ and maximizing d˜ Γ , respectively, for all possible combinations of sensors being attacked (all the possible sensor attack selection matrices Γ ). Once we have these κ , we use the analysis results in Theorem 1 and Corollary 2 to obtain tighter approximations EΓx ,k of RxΓ ,k ; and use these EΓx ,k to obtain tighter d˜ Γ . As in the analysis case, we have k-dependent approximations EΓx ,k ; however, because a < 1, the function αkx conforming EΓx ,k converge exponentially to (3 − a)/(1 − a). Hence, in a few time steps, EΓx ,k ≈ EΓx ,∞ = {x ∈ Rn |xT PΓx x ≤ (3 − a)/(1 − a)}, and thus, EΓx ,k ≈ EΓx ,∞ . We present EΓx ,∞ instead of the time-dependent EΓx ,k . In Table 2, we present the volume of the asymptotic ap-

proximation EΓx ,∞ and the distance d˜ Γ between EΓx ,∞ and the critical states C x for all possible combinations of sensors being attacked. We show results for the original κ in Murguia et al. (2018, Eq. (30)); and for the optimal κ obtained using Theorem 2 and Corollary 4. Note that the improvement is remarkable using the optimal κ . To illustrate this improvement, in Fig. 7, we show the projection of EΓx ,∞ onto the (xp,1 , xp,2 )-hyperplane for sensors {2},{2,3}, and {1,2,3} being attacked. We depict the projections for both the original κ in Murguia et al. (2018, Eq. (30)) and the optimal one (minimizing trace[Y ]). For sensor {2}, we have a 67% improvement in volume and 142% in distance; for {2, 3}, 88% and 247%; and for {1, 2, 3}, 67% and 92%, respectively. Once we have all the optimal controllers/monitors and the corresponding costs in Table 2, we can use Algorithm 1 in Section 5.5 (the sensor protection placement method) to select the best κ given a number ˜ If m ˜ = 1; then, of sensors that can be completely secured m. according to Algorithm 1, sensor two should be the one to be secured because κ = κ1,3 (the optimal controller/monitor assuming

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

13

Table 2 Volume of the approximation EΓx ,∞ of RxΓ ,∞ and distance d˜ Γ to the critical states C x for different sensors being attacked. We show results for the original κ in Murguia et al. (2018, Eq. (30)) and for the optimal κ obtained using Theorem 2 and Corollary 4. Cost: min[trace[Y ]] Attacked sensors

{1} {2} {3} {1,2} {1,3} {2,3} {1,2,3}

Original κ

Optimal κ

Cost: min[c T Yc] Optimal κ

Volume

Distance

Volume

Distance

Volume

Distance

150.72 453.51 219.43 952.95 279.50 2063.46 4300.32

8.07 4.20 8.60 -2.38 6.85 -6.67 -23.01

116.94 145.31 130.62 456.06 137.44 235.72 1394.31

9.12 10.15 10.77 5.15 9.23 9.74 -1.88

150.16 151.80 194.50 487.79 186.75 222.52 1371.94

9.27 10.98 11.92 5.17 9.29 9.83 -1.69

Table 3 Noncooperative zero-sum matrix game between the attacker and the defender as introduced in Section 5.5.

κ κ{1} κ{2} κ{3} κ{1,2} κ{1,3} κ{2,3} κ{1,2,3}

Γ Γ{1}

Γ{2}

Γ{3}

Γ{1,2}

Γ{1,3}

Γ{2.3}

Γ{1,2,3}

116.94 4277.61 302.15 440.51 134.27 – 1184.02

3188.01 145.31 8681.16 473.35 86 602.67 227.83 1529.77

514.36 2728.73 130.62 14 207.72 134.62 227.85 1435.6

3104.51 4233.15 65 681.23 456.06 94 982.02 – 1346.72

514.73 38 489.72 300.58 15 029.64 137.44 74 255.39 1320.99

29 297.07 2489.05 8783.15 15 746.28 73 890.58 235.72 1538.51

29 991.81 37 986.64 68 909.86 17 830.39 97 253.67 – 1394.31

sensors {1, 3} are attacked) leads to the smallest volume (137.44), see Table 2. On the other hand, if distance to critical states is more important, the selected controller/monitor should be κ2,3 (i.e., securing sensor one) because it leads to the largest distance (9.74). Following the same logic, if two sensors can be secured, ˜ = 2, they should be sensors two and three, in terms of volume, m and sensors one and two, in terms of distance, i.e., we should select controllers/monitors κ1 (minimum volume) and κ3 (maximum distance), respectively. Next, following the game-theoretic formulation in Section 5.5, using Theorem 2 for to all possible combinations of Γ , we compute all optimal controllers/monitors and the corresponding volumes of the ellipsoidal outer approximations. We use these volumes to construct the matrix game H (given in Table 3) as introduced in Section 5.5. Note that some entries of H are hyphens. This indicates that the optimization problem used to compute the ellipsoidal approximation was not feasible for that combination of controller/monitor and Γ . From this H, using (48), it is easy to verify that the security level for the defender’s losses is 1538.31 which corresponds to controller/monitor κ{1,2,3} (the the security strategy of the defender), see Table 3. That is, by selecting κ{1,2,3} , we ensure having a worstcase volume of 1538.31 regardless of what sensors the attacker compromises. Finally, we assign probabilities to the strategies of the attacker, in the sense introduced in Section 5.5, and look for the controller/monitor that minimizes the expected value of the game. Using (49), it is easy to verify that, for the vector of probabilities p = (0.4, 0.09, 0.3, 0.1, 0.1, 0.01, 0)T , the strategy that minimizes the expected value of the game is κ{1} , see Table 3. This controller/monitor leads to H(1, ∗)p = 1135.43, which is the smallest for all H(i, ∗), i ∈ {1, . . . , 7}. 6. Conclusion We have provided mathematical tools – in terms of LMIs – for quantifying the potential impact of sensor stealthy attacks on the system dynamics. In particular, we have given a result for computing ellipsoidal outer approximations on the set of states that stealthy attacks can induce in the system. We have proposed to use the volume of these approximations and the distance to possible dangerous states as security metrics for NCSs. Then, for given

Fig. 7. Projection of EΓx ,∞ onto the (xp,1 , xp,2 )-hyperplane for different sets of sensor being attacked and distance to critical states. Continuous-lines correspond to the original κ in Murguia et al. (2018, Eq. (30)) and dashed-lines to the optimal κ obtained using Theorem 2.

sensor attack selection matrix Γ , we have provided synthesis tools (in terms of semidefinite programs) to redesign controllers and monitors such that the impact of stealthy attacks is minimized and the required attack-free system performance is guaranteed. Based on these synthesis results, we have provided general guidelines for selecting optimal controllers/monitors when Γ is unknown. In particular, we have proposed two sets of techniques: sensor protection placement methods and game-theoretic techniques. References Bai, C. Z., Pasqualetti, F., & Gupta, V. (2015). Security in stochastic control systems: Fundamental limitations and performance bounds. In American control conference. Basar, T., & Olsder, G. (1998). Dynamic noncooperative game theory (2nd ed.). Society for Industrial and Applied Mathematics. Boyd, S., El Ghaoui, L., Feron, E., & Balakrishnan, V. (1994). Studies in applied mathematics: Vol. 15, Linear matrix inequalities in system and control theory. Philadelphia, PA: SIAM. Cárdenas, A., Amin, S., Lin, Z., Huang, Y., Huang, C., & Sastry, S. (2011). Attacks against process control systems: risk assessment, detection, and response. In Proceedings of the 6th ACM symposium on information, computer and communications security (pp. 355–366). Dan, G., & Sandberg, H. (2010). Stealth attacks and protection schemes for state estimators in power systems. In 2010 first IEEE international conference on smart grid communications (pp. 214–219).

14

C. Murguia, I. Shames, J. Ruths et al. / Automatica 115 (2020) 108757

Garcia, G., & Bernussou, J. (1995). Pole assignment for uncertain systems in a specified disk by state feedback. IEEE Transactions on Automatic Control, 40, 184–190. Guo, Ziyang, Shi, D., Johansson, Karl Henrik, & Shi, Ling (2016). Optimal linear cyber-attack on remote state estimation. IEEE Transactions on Control of Network Systems, PP(99), 1–10. Gustafsson, F. (2000). Adaptive filtering and change detection. West Sussex, Chichester, England: John Wiley and Sons, LTD. Kafash, Sahand Hadizadeh, Giraldo, Jairo, Murguia, Carlos, Cardenas, Alvaro A., & Ruths, Justin (2018). Constraining attacker Capabilities through actuator saturation. In Proceedings of the American control conference. Kim, T. T., & Poor, H. V. (2011). Strategic protection against data injection attacks on power grids. IEEE Transactions on Smart Grid, 2, 326–333. Kurzhanskii, A. B., & Valyi, Istvan (1997). Ellipsoidal calculus for estimation and control. Austria, Boston: Laxenburg, IIASA, Birkhauser Boston. Kwon, C., Liu, W., & Hwang, I. (2013). Security analysis for cyber-physical systems against stealthy deception attacks. In American control conference (ACC). Miao, F., Zhu, Q., Pajic, M., & Pappas, G. J. (2014). Coding sensor outputs for injection attacks detection. In Decision and control, IEEE 53rd annual conference on. Milošević, J., Sandberg, H., & Johansson, K. H. (2018). Estimating the impact of cyber-attack strategies for stochastic control systems. ArXiv:1811.05410. Mo, Y., & Sinopoli, B. (2016). On the performance degradation of cyber-physical systems under stealthy integrity attacks. IEEE Transactions on Automatic Control, 61, 2618–2624. Müller, M. I., Milošević, J., Sandberg, H., & Rojas, C. R. (2018). A risk-theoretical approach to H2 -optimal control under covert attacks. In IEEE conference on decision and control. Murguia, Carlos, Shames, Iman, Ruths, Justin, & Nešić, Dragan (2018). Security metrics of networked control systems under sensor attacks (extended preprint). arXiv:1809.01808. Murguia, Carlos, van de Wouw, Nathan, & Ruths, Justin (2016). Reachable sets of hidden CPS sensor attacks: Analysis and synthesis tools. In Proceedings of the IFAC world congress. Pasqualetti, F., Dorfler, F., & Bullo, F. (2013). Attack detection and identification in cyber-physical systems. IEEE Transactions on Automatic Control, 58, 2715–2729. Scherer, C., Gahinet, P., & Chilali, M. (1997). Multiobjective output-feedback control via LMI optimization. IEEE Transactions on Automatic Control, 42, 896–911. Scherer, C., & Weiland, S. (2000). Linear matrix inequalities in control. The Netherlands: Springer-Verlag. Tang, Zhanghan, Kuijper, Margreta, Chong, Michelle S., Mareels, Iven, & Leckie, Christopher (2019). Linear system security—Detection and correction of adversarial sensor attacks in the noise-free case. Automatica, 101, 53–59. Teixeira, A., Sou, K. C., Sandberg, H., & Johansson, K. H. (2015). Secure control systems: A quantitative risk management approach. IEEE Control Systems Magazine, 35, 24–45.

Carlos Murguia was born in Mexico City, Mexico, in 1984. He received a Master of Science (MSc) degree (2015) in Electrical Engineering from the Center for Research and Advanced Studies of the National Polytechnic Institute (CINVESTAV), Mexico City, Mexico, in 2010. From November 2010 to May 2015, he was affiliated with the Dynamics and Control group at Eindhoven University of Technology, The Netherlands, where he pursued a Ph.D.-degree in Mechanical Engineering. He has served as postdoctoral research fellow (2015–2019) at the Singapore University of Technology and Design (Singapore); the University of Melbourne (Australia); and the University of California (USA), Los Angeles. His research interests include nonlinear dynamics and control, mechatronics, security and privacy of cyber–physical systems, distributed control systems, networked control systems, fault-detection, control of networks, stochastic systems, and time-delayed systems.

Iman Shames is currently an Associate Professor at the Department of Electrical and Electronic Engineering, the University of Melbourne. He had been a McKenzie fellow at the same department from 2012 to 2014. Previously, he was an ACCESS Postdoctoral Researcher at the ACCESS Linnaeus Centre, the KTH Royal Institute of Technology, Stockholm, Sweden. He received his B.Sc. degree in Electrical Engineering from Shiraz University in 2006, and the Ph.D. degree in engineering and computer science from the Australian National University, Canberra, Australia in 2011. His current research interests include, but are not limited to, optimization theory and its application in control and estimation, mathematical systems theory, and security and privacy in cyber–physical systems.

Justin Ruths received a B.S. in Physics from Rice University, M.S. degrees in Mechanical and Electrical Engineering from Columbia University and Washington University in Saint Louis, respectively, and a Ph.D. in Systems Science and Applied Mathematics from Washington University in Saint Louis. In 2011, He joined Engineering Systems and Design as a founding faculty member of the Singapore University of Technology and Design where he served as an assistant professor for five years. As of August 2016 he is an assistant professor with appointments in Mechanical Engineering and Systems Engineering at the University of Texas at Dallas. His research includes studying the fundamental properties of controlling networks, bilinear systems theory, attack detection methods for cyber–physical systems, and solving optimal control problems focused on neuroscience and quantum control applications.

Dr. Dragan Nesic is a Professor at the Department of Electrical and Electronic Engineering (DEEE) at The University of Melbourne, Australia. He currently serves as Associate Dean Research at the Melbourne School of Engineering. He received his Bachelors of Engineering (BE) degree in Mechanical Engineering from The University of Belgrade, Serbia (1990), and his Ph.D. degree from Systems Engineering, RSISE, Australian National University, Canberra, Australia (1997). His research interests include networked control systems, reset systems, extremum seeking control, hybrid control systems, event-triggered control, security and privacy in cyber–physical systems, and so on. He is a Fellow of the Institute of Electrical and Electronic Engineers (IEEE, 2006) and Fellow of the International Federation for Automatic Control (IFAC, 2019). He was awarded Doctorate Honoris Causa by the University of Lorraine, France (2019) and Humboldt Research Award (2020) by the Alexander von Humboldt Foundation. He was also awarded a Future Fellowship (2010–2014) and Australian Professorial Fellowship (2004– 2009) by the Australian Research Council (ARC), as well as a Humboldt Research Fellowship (2003–2004). He was invited to serve as a Distinguished Lecturer of the Control Systems Society (CSS), IEEE (2008–2012). He was a co-recipient of the George S. Axelby Outstanding Paper Award for the Best Paper in IEEE Transactions on Automatic Control (2018). He served as an Associate Editor for the journals Automatica (2003–2015), IEEE Transactions on Automatic Control (2004–2008), Systems and Control Letters (2001–2010), European Journal of Control (2007–2011) and as a General Co-Chair of IEEE Conference on Decision and Control (CDC), Melbourne (2017). He currently serves as an Associate Editor for the IEEE Transactions on Control of Network Systems (since 2016). He also served as a Member of the Board of Governors, Control Systems Society (CSS), IEEE (2011–2016).