1. Introduction

2. Model Building and Detection Methods

2.1. System Modelling

The block diagram of the CPS structure with multiple actuators and sensors considering the case of sensor attacks, actuator attacks and process attacks is shown in Figure 1. The CPS is divided into the plant side and the monitoring side. The plant side includes physical devices as well as multiple actuators and sensors, and the monitoring side mainly uses the data returned from the measurement channels to realize remote control of the physical devices. Where the monitoring side controls the actuators through control commands to achieve the desired function or action; the plant side obtains the system state through multiple sensors independently measured and transmits it to the monitoring side for generation of control commands. Since the system contains several sensors, a partial or complete system state can be obtained independently by each sensor. Therefore, in many CPSs, an additional multi-sensor selection and fusion module is added at the monitoring side, whose main purpose is, based on certain principles or methods, to obtain the final system state used to generate control commands from the many system states acquired by sensors. In addition, the attackers mainly attack the measurement channels and actuation channels as well as directly attack the physical devices, thus adversely affecting them.

The CPS model with multiple sensors, considering the case of containing attacks, is constructed as:

$$\left\{\begin{array}{l}x(k+1)=Ax(k)+B\left(u(k)+a_u(k)\right)+E_P{a}_p(k)+w(k),\\ y^{s_i,a}(k)=C^{s_i}x(k)+D\left(u(k)+a_u(k)\right)+a_y^i(k)+F_P{a}_p(k)+v^i(k),\\ y^a(k)=\mathsf{\Phi }\left(y^{s_1,a}|y^{s_2,a}|\cdots |y^{s_n,a}\right).i=1,2,\dots ,n\end{array}\right.$$

(1)

where, $x(k)\in {ℝ}^p$ is the state of the system, $u(k)\in {ℝ}^m$ is the control command signal output from the monitoring side of the system, $u^a(k)\in {ℝ}^m$ is the control signal input to the plant side after the attack, $y^{s_i,a}(k)\in {ℝ}^n$ is the measurement output of the $i^{th}$ sensor after the attack, $y^a(k)\in {ℝ}^n$ is the system output after multi-sensor selection and fusion, $a_u(k)$ denotes the attack against the actuation channel, $a_p(k)$ denotes the process attack, and $a_y^i(k)$ denotes the attack against the $i^{th}$ measurement channel. $\mathsf{\Phi }\left(y^{s_1,a}|y^{s_2,a}|\cdots |y^{s_n,a}\right)$ denotes some multi-sensor fusion method. $E_P$, $F_P$ are known matrices indicating the locations of components in the system that may be subject to process attacks. $A$, $B$, $C^{s_i}$, $D$ are the parameter matrices of the system. $C^{s_i}$ denotes the corresponding output matrix when only the $i^{th}$ sensor is considered. $w(k)$ denotes the process noise and $v^i(k)$ denotes the measurement noise of the $i^{th}$ sensor, both obeying $w(k)\sim N(0,{\Sigma }_w)$, $v^i(k)\sim N(0,{\Sigma }_{v^i})$.

Figure 1. Block diagram of CPS structure with multiple actuators and sensors considering sensor attacks, actuator attacks and process attacks.

Figure 1. Block diagram of CPS structure with multiple actuators and sensors considering sensor attacks, actuator attacks and process attacks.

Remark 1.

Process attacks are direct attacks on physical devices that cause damage to physical devices, and actuator attacks and sensor attacks are operations such as blocking or data tampering on the channels of signal transmission. Since process attacks directly cause damage to physical devices and to some extent there is no longer a need for defense, this paper only studies the security defense of CPS where actuator attacks or sensor attacks exist.

Remark 2.

The type of attack mentioned in (1) is of additive attack and does not change the model parameters. Here, a multiplicative attack that causes changes in the model parameters due to functional anomalies of the system, in the process or sensors and actuators due to cyber-attacks, is not considered.

Consider the CPS shown in Figure 1, where the observer-based residual detector is defined at the monitoring side as follows.

$$r_o(k)=y^a(k)-C\widehat{x}(k)$$

(2)

where, $y^a(k)\in {ℝ}^m$ denotes the measurement under attack and $\widehat{x}(k)\in {ℝ}^n$ is the state estimated by the observer. $r_0(k)$ is the residual signal that satisfies $r_0(k)\sim N(0,{\Sigma }_{r_0})$.

According to the ${\chi }^2$ test, the residual evaluation function $J(\cdot )$ can be written as:

$$J\left(r_0(k)\right)=r_0^T(k){\Sigma }_{r_0}^{-1}{r}_0(k)~{\chi }^2(m)$$

(3)

So, the logic law of detection to determine the presence of an attack is expressed as:

$$\left\{\begin{array}{l}J\left(r_0(k)\right)\le J_{th}\Rightarrow attack-free\\ J\left(r_0(k)\right)>J_{th}\Rightarrow attacked\end{array}\right.$$

(4)

When the false alarm rate $\alpha$ is given, the threshold $J_{th}$ is set to the upper bound of ${\chi }_{\alpha }^2(m)$.

2.3. Detection Method

From the previous analysis of stealthy attacks, the core purpose of the three stealthy attacks is to attack the actuators to make the control performance degraded or even severely degraded, while the main purpose of the attacks against the sensors is to avoid the detection mechanism given in (3). Therefore, the detection of stealthy attacks can be achieved by exploiting the difference between the states of the system on the monitoring side and the plant side [20]. Considering the case of containing only one sensor that can independently measure the full state of the system, the detection scheme is designed as shown in Figure 2. The specific working principle is described below.

Figure 2. The scheme of attack detection based on improved residual.

Figure 2. The scheme of attack detection based on improved residual.

On the monitoring side, the observer is constructed in the following form:

$$\left\{\begin{array}{l}{\widehat{x}}_M(k+1)=A{\widehat{x}}_M(k)+Bu(k)+L\left(y^a(k)-{\widehat{y}}^a(k)\right)\\ {\widehat{y}}^a(k)=C{\widehat{x}}_M(k)+Du(k)\end{array}\right.$$

(7)

On the plant side, the observer is constructed in the following form:

$$\left\{\begin{array}{l}{\widehat{x}}_P(k+1)=A{\widehat{x}}_P(k)+B{u}^a(k)+L\left(y(k)-\widehat{y}(k)\right)\\ \widehat{y}(k)=C{\widehat{x}}_P(k)+D{u}^a(k)\end{array}\right.$$

(8)

From (7) and (8), it can be found that when there is no attack, ${\widehat{x}}_P(k)={\widehat{x}}_M(k)$; when there is an attack, ${\widehat{x}}_P(k)\ne {\widehat{x}}_M(k)$. This is because the states on both sides are estimated based on different signals. Therefore, this difference can be used for the detection of stealthy attacks. Also, to avoid the attack when $x_P(k)$ is transmitted to the monitoring side, the following form of the transmission signal is designed.

$$\beta (k)=\kappa \left({\widehat{x}}_P(k)\right)$$

(9)

where, $\kappa \left(\cdot \right)$ indicates a certain encryption policy, which is known only to the system itself.

Therefore, the residual signal used to detect stealthy attacks can be constructed as:

$$r_{\beta }(k)=\beta (k)-\kappa \left({\widehat{x}}_M(k)\right)$$

(10)

3. State Estimation and Recovery Control

3.2. The Recovery Control Strategy Based on Optimal State

In the security defense problem of CPS, it is the goal to ensure that the system can continue to maintain the normal operation state even after an attack. Therefore, after detecting an attack using the detection method in Section II and performing attack isolation and system state estimation according to the method in Section III, the next step is to implement recovery control for the system based on the above results. This section introduces an optimal state-based recovery control strategy and summarizes the attack detection, attack isolation, state estimation and recovery control comprehensively to give a complete framework of the CPS security protection process, as shown in Figure 3.

Figure 3. The security defense process of CPS that includes attack detection, secure state estimation, and recovery control.

Figure 3. The security defense process of CPS that includes attack detection, secure state estimation, and recovery control.

In control systems, many control objectives are to enable the system to stably track the reference input to achieve the control requirements. The internal model control (IMC) has a very wide range of applications in the control field as a way to enable the system to track the reference input asymptotically with zero steady-state error. For the recovery control problem of CPS under attacks, this paper introduces an integration link of the reference input signal by combining IMC with the optimal state to achieve the stable operation of the attacked system according to the target command.

Assume that the reference input signal $\gamma (k)$ is generated by the following model.

$$\left\{\begin{array}{l}\gamma (k)=x_{\gamma }\\ \dot{\gamma }(k)=0\end{array}\right.$$

(29)

Also, define the tracking error $e(k)$:

$$e(k)=y^a(k)-\gamma (k)$$

(30)

Then, the state space can be extended as follows.

$$\left(\begin{array}{c}e(k+1)\\ z(k+1)\end{array}\right)=\left[\begin{array}{cc}0& C\\ 0& A\end{array}\right]\left(\begin{array}{c}e(k)\\ z(k)\end{array}\right)+\left[\begin{array}{c}0\\ B\end{array}\right]\left(u(k)-u(k-1)\right)$$

(31)

where, $z(k)$ denotes the difference of the state variable $x(k)$, i.e., $z(k)=x(k)-x(k-1)$.

If the system shown in (32) is controllable, then a set of feedback control signals can be designed to make the system stable, i.e.

$$u(k)-u(k-1)=-\left[\begin{array}{cc}{F}_1& F_2\end{array}\right]\left(\begin{array}{c}e(k)\\ z(k)\end{array}\right)$$

(32)

This means that the tracking error $e(k)$ is stable. Therefore, the system is then able to track the reference input signal with zero steady-state error. Integrating (33), the feedback control signal inside the system is obtained as:

$$u(k)=-F_1{\displaystyle \sum _{i=1}^{k}e(k)}-F_{2}x(k)$$

(33)

Since the state $x(k)$ of the system cannot be obtained directly, the optimal state estimate$\widehat{x}(k|k)$ is obtained by an improved Kalman filtering method and used to replace the true state $x(k)$ in (34).

4. Simulation Results

4.1. Simulation Setup

Consider a 4-wheeled Omnidirectional Mobile Robot (OMR) with the system parameters shown below:

$$A=\left[\begin{array}{ccc}-0.1759& 8.0754\times {10}^{-4}& 0.0000\\ 8.0754\times {10}^{-4}& -0.1759& 0.0000\\ 0.0000& 0.0000& -0.0675\end{array}\right],B=\left[\begin{array}{cccc}0.0299& 0.0299& 0.0299& 0.0299\\ 0.0299& -0.0299& 0.0299& -0.0299\\ -0.0887& -0.0887& 0.0887& 0.0887\end{array}\right]$$

It is assumed that the mobile robot contains three independent sensors, each of which can independently measure partial or complete state information. So, the matrix of system output parameters corresponding to each sensor is given as:

$$C^{s_1}=\left[\begin{array}{ccc}0.9& 0& 0\\ 0& 0.9& 0\\ 0& 0& 0.9\end{array}\right],C^{s_2}=\left[\begin{array}{ccc}0.8& 0& 0\\ 0& 0.8& 0\\ 0& 0& 0.8\end{array}\right],C^{s_3}=\left[\begin{array}{ccc}0.6& 0& 0\\ 0& 0.6& 0\\ 0& 0& 0.6\end{array}\right]$$

The state variables $x={\left[\dot{x},\dot{y},\dot{\theta }\right]}^T$ of the OMR are the X-axis and Y-axis travel velocity and rotation angular velocity in the robot coordinate system. The process noise is set to $w(k)\sim N(0,0.001)$ and the measurement noise of the three sensors is set to $v^1(k)\sim N(0,0.008)$, $v^2(k)\sim N(0,0.005)$ and $v^3(k)\sim N(0,0.003)$ respectively.

In the recovery control, the feedback matrix of (34) is set to:

$$F=\left[\begin{array}{cc}{F}_1& F_2\end{array}\right]=\left[\begin{array}{ccc}0.8721& 0.8356& -0.2802\\ 0.8660& -0.8306& -0.2839\\ 0.8760& 0.8369& 0.2956\\ 0.8700& -0.8293& 0.2919\end{array}\begin{array}{ccc}4.5969& 4.4453& -1.8020\\ 4.5894& -4.4127& -1.8089\\ 4.6138& 4.4478& 1.8594\\ 4.6064& -4.4102& 1.8526\end{array}\right]$$

On the monitoring side, the expected movement strategy is set to drive forward in a straight line with a speed of $\dot{x}(k)=0.5$ from the initial state $x(k)={\left[0,0,0\right]}^T$, during which the output of the sensor $s_1$ is mainly used, i.e., the sensor fusion module is set to: $\mathsf{\Phi }\left(y^{s_1,a}|y^{s_2,a}|y^{s_3,a}\right)=0.9y^{s_1,a}+0.05y^{s_2,a}+0.05y^{s_3,a}$. Without considering the attack, the normal state of the mobile robot is shown in Figure 4.

Figure 4. The normal state and fused measurement output of the OMR when no attack is added. (a) is the normal state; (b) is the fused measurement output.

Figure 4. The normal state and fused measurement output of the OMR when no attack is added. (a) is the normal state; (b) is the fused measurement output.

Remark 4.

In all figures of this paper, the asterisk superscript (i.e., *) indicates that the results obtained using the method proposed in this paper. In contrast, the absence of the asterisk superscript indicates that the results obtained by the method proposed in this paper were not used.

4.2. Results Discussion

4.2.1. Zero-dynamics Attack

Zero-dynamics attack is mainly stealthy by designing the attack signal $a_u(k)$, and there is no direct attack signal to attack the measurement channels. Therefore, in the simulation, the measurement output matrix $C^{s_1}$ of the sensor $s_1$ is used to solve (5) and assume that the sensor $s_1$ does not have access to the rotational state information. The parameters related to the zero-dynamics attack design in (5) are calculated as follows and injected into the actuation channels at $k>300$.

$$\upsilon =1.008,g=\left[-0.0803;-0.0803;0.0803;0.0803\right]$$

The real state, estimated state, and fused measurement output of the OMR with and without taking the proposed approach in this paper after the injection attack are given in Figure 5. From Figure 5(b) and Figure 5(d), it can be found that the real state of the OMR can be basically estimated using the method proposed in this paper, and the fused measurement output can also show the real state of the system very well.

Figure 5. The real state, estimated state, and fused measured output of the OMR with and without taking the proposed approach in this paper after the injection attack. (a) is the real state and estimated state of the X-axis velocity; (b) is the real state and estimated state of the rotation angular velocity; (c) is the fused measurement output of the X-axis velocity; (d) is the fused measurement output of the rotation angular velocity.

Figure 5. The real state, estimated state, and fused measured output of the OMR with and without taking the proposed approach in this paper after the injection attack. (a) is the real state and estimated state of the X-axis velocity; (b) is the real state and estimated state of the rotation angular velocity; (c) is the fused measurement output of the X-axis velocity; (d) is the fused measurement output of the rotation angular velocity.

After detecting the attack and estimating the correct state of the OMR, recovery control is introduced, as shown in Figure 6, which shows the system after adding recovery control. From the figure, by taking recovery control, the rotation angular velocity of the OMR can be adjusted so that it will no longer rotate.

Figure 6. The situation of the OMR after adding recovery control. (a) is the situation of the X-axis velocity; (b) is the situation of the rotation angular velocity.

Figure 6. The situation of the OMR after adding recovery control. (a) is the situation of the X-axis velocity; (b) is the situation of the rotation angular velocity.

4.2.2. Covert Attack

The main purpose of the covert attack is the attack on the actuation channels. Therefore, at the simulation moment $k>300$, the attack target is set to $x_a(k)={\left[1,0,0\right]}^T$, i.e., after injecting the attack, the resulting state of the OMR is straight ahead with a speed of 1m/s. Also, to satisfy the stealthy condition, the attack signal is added to the sensor $s_1$ according to (6) without attacking the other two sensors.

The real state, estimated state, and fused measurement output of the OMR with and without taking the proposed approach in this paper after the injection attack are given in Figure 7. From Figure 7(a), it is found that a better estimation of the system state can be achieved when the state of the OMR is estimated by adopting the method proposed in this paper. In this case, the actual state is 1m/s, while the average value of the estimated state is 1.07m/s. In addition, Figure 7(b) also demonstrates that the fused measurement output after detection is also valid.

Figure 7. The real state, estimated state, and fused measured output of the OMR with and without taking the proposed approach in this paper after the injection attack. (a) is the real state and estimated state of the X-axis velocity; (b) is the fused measurement output of the X-axis velocity.

Figure 7. The real state, estimated state, and fused measured output of the OMR with and without taking the proposed approach in this paper after the injection attack. (a) is the real state and estimated state of the X-axis velocity; (b) is the fused measurement output of the X-axis velocity.

Figure 8 illustrates the change of the system state after taking recovery control at $k>600$. The results show that the OMR can restore the normal driving state by adopting the recovery control strategy.

Figure 8. The change of the system state after taking recovery control.

Figure 8. The change of the system state after taking recovery control.

4.2.3. Replay Attack

According to the production conditions of the replay attack, the attacked sensor is $s_1$, the target $x_a(k)={\left[0,0.3,0\right]}^T$. The attack strategy is described as follows: collect the output data of the sensor $s_1$ for $100<k<300$, inject the attack at $k>300$, continuously overwrite the output data of the sensor $s_1$ with the previously collected data, and simultaneously calculate $a_u(k)$ injected into the actuation channels according to the attack target $x_a(k)$.

Figure 9. The real state, estimated state, and fused measured output of the OMR with and without taking the proposed approach in this paper after the injection attack. (a) is the real state and estimated state of the X-axis velocity; (b) is the real state and estimated state of the Y-axis velocity; (c) is the fused measurement output of the X-axis velocity; (d) is the fused measurement output of the Y-axis velocity.

Figure 9. The real state, estimated state, and fused measured output of the OMR with and without taking the proposed approach in this paper after the injection attack. (a) is the real state and estimated state of the X-axis velocity; (b) is the real state and estimated state of the Y-axis velocity; (c) is the fused measurement output of the X-axis velocity; (d) is the fused measurement output of the Y-axis velocity.

Figure 10. The situation of the OMR after adding recovery control. (a) is the situation of the X-axis velocity; (b) is the situation of the Y-axis velocity.

Figure 10. The situation of the OMR after adding recovery control. (a) is the situation of the X-axis velocity; (b) is the situation of the Y-axis velocity.

The real state, estimated state, and fused measurement output of the OMR with and without taking the proposed approach in this paper after the injection attack are given in Figure 9. Figure 10 illustrates the change of the system state after taking recovery control at $k>600$. The results show that the OMR can restore the normal driving state by adopting the recovery control strategy.

5. Conclusions

References

1. Y. Ashibani and Q. H. Mahmoud, "Cyber physical systems security: Analysis, challenges and solutions," COMPUT SECUR, vol. 68, pp.81-97,2017.
2. J. Yaacoub, O. Salman and H. N. Noura et al., "Cyber-physical systems security: Limitations, issues and future trends," MICROPROCESS MICROSY, vol. 77,2020.
3. Humayed, J. Q. Lin, F. J. Li et al., "Cyber-Physical Systems Security-A Survey," IEEE INTERNET THINGS, vol. 4, no. 6, pp.1802-1831,2017.
4. A. Wright. On Sapphire and type-safe languages. New York: ACM, 2003: 120. [CrossRef]
5. P. Y., L. T. and L. J. et al. Cyber-physical System Risk Assessment. 2013 Ninth International Conference on Intelligent Information Hiding and Multimedia Signal Processing. 2013: 442-447.
6. Adams, "Learning the lessons of WannaCry," Computer Fraud & Security, vol. 2018, no. 9, pp.6-9,2018. [CrossRef]
7. L. C., G. L. and L. J. et al., "Mimosa: Protecting Private Keys Against Memory Disclosure Attacks Using Hardware Transactional Memory," IEEE T DEPEND SECURE, vol. 18, no. 3, pp.1196-1213,2021.
8. J. Rubio-Hernan, L. De Cicco and J. Garcia-Alfaro, "On the use of watermark-based schemes to detect cyber-physical attacks.," EURASIP Journal on Information Security, vol. 2017, no. 1, pp.1-25,2017. [CrossRef]
9. N. V. Patil, C. R. Krishna and K. Kumar, "Distributed frameworks for detecting distributed denial of service attacks: A comprehensive review, challenges and future directions," Concurrency and Computation: Practice and Experience, no. No.10, pp. e6197,2021.
10. S. M. Dibaji, M. Pirani and D. B. Flamholz et al., "A systems and control perspective of CPS security," ANNU REV CONTROL, vol. 47, pp.394-411,2019. [CrossRef]
11. M. Ghaderi, K. Gheitasi and W. Lucia, "A Blended Active Detection Strategy for False Data Injection Attacks in Cyber-Physical Systems," IEEE Transactions on Control of Network Systems, vol. 8, no. 1, pp.168-176,2021. [CrossRef]
12. G. P., W. S. and S. B., "A Moving Target Defense for Securing Cyber-Physical Systems," IEEE T AUTOMAT CONTR, vol. 66, no. 5, pp.2016-2031,2021.
13. G. M., G. K. and L. W. A Novel Control Architecture for the Detection of False Data Injection Attacks in Networked Control Systems. 2019 American Control Conference (ACC). 2019: 139-144.
14. N. F. N. Forti, G. B. G. Battistelli, L. C. L. Chisci et al., "A Bayesian approach to joint attack detection and resilient state estimation," 2016 IEEE 55TH CONFERENCE ON DECISION AND CONTROL (CDC), pp.1192-1198,2016.
15. K. Zhang, B. Jiang, S. X. Ding et al., "Robust Asymptotic Fault Estimation of Discrete-Time Interconnected Systems With Sensor Faults," IEEE T CYBERNETICS, vol. 52, no. 3, pp.1691-1700,2022. [CrossRef]
16. H. Yang, S. Yin, H. Han et al., "Sparse Actuator and Sensor Attacks Reconstruction for Linear Cyber-Physical Systems With Sliding Mode Observer," IEEE T IND INFORM, vol. 18, no. 6, pp.3873-3884,2022. [CrossRef]
17. J. C. Chen and Y. Shi, "Stochastic model predictive control framework for resilient cyber-physical systems: review and perspectives," PHILOS T R SOC A, vol. 379, no. 2207,2021. [CrossRef]
18. H. Ge, D. Yue, X. P. Xie et al., "A unified modeling of muti-sources cyber-attacks with uncertainties for CPS security control," J FRANKLIN I, vol. 358, no. 1, pp.89-113,2021. [CrossRef]
19. Z. Wang, B. Zhang, X. Xu et al., "Research on cyber-physical system control strategy under false data injection attack perception.," Transactions of the Institute of Measurement & Control, vol., pp.1,2022. [CrossRef]
20. S. X. Ding, L. Li, D. Zhao et al., "Application of the unified control and detection framework to detecting stealthy integrity cyber-attacks on feedback control systems,",2021. [CrossRef]
21. A. Teixeira, I. Shames, H. Sandberg et al., "A secure control framework for resource-limited adversaries," AUTOMATICA, vol. 51, pp.135-148,2015. [CrossRef]
22. S. S. R., "Covert Misappropriation of Networked Control Systems: Presenting a Feedback Structure," IEEE CONTR SYST MAG, vol. 35, no. 1, pp.82-92,2015.
23. M. Y. and S. B. Secure control against replay attacks. 2009 47th Annual Allerton Conference on Communication, Control, and Computing (Allerton). 2009: 911-918.