Generalized Attack Model for Networked Control Systems, Evaluation of Control Methods
1. Introduction
Control systems have many applications in industry. The new revolution in system design using the strategy of networked control systems (NCSs) has created security issues in industry, which has been an important challenge for many researchers. Security of NCSs plays an important role in the protection of industrial and critical infrastructure. For example, the energy and power, transportation, water and wastewater, and healthcare and public health sectors face a high probability of attacks. Although security schemes for control systems have been developed over the past several years, there are still many acknowledged cyber-attacks. Some recent specific events further confirm that attacks have happened in control systems in different industries [1]. Therefore, in recent years, security of NCSs has been at center stage for researchers, engineers, and governmental entities, because exploited security risks could cause potentially catastrophic consequences [2].
Most conventional methods in control system design assume that the system operates in a normal condition without any attacks. In this case, any interference, delay, or attack on any part of a control system, such as sensors and communication links, can drive the system away from the required performance or, even worse, into an unstable mode.
Many researchers have studied control systems under attack. A class of False Data Injection (FDI) attacks bypassing the bad data detection in Supervisory Control and Data Acquisition (SCADA) systems was proposed in [3]. In [4], adversaries launched FDI attacks against state estimates of power systems, knowing only a perturbed model of the power system. Y. Mo et al. studied FDI attacks on a control system equipped with a Kalman filter [3]. Fault attacks have also been critical concerns in the aviation industry, where a small attack or fault can damage the system itself and endanger human life [5]. Abbaspour et al. introduced a neural network (NN) fault detection design for detecting abrupt faults in the actuators and sensors of control systems. They used an extended Kalman filter to improve the NN's ability to detect faults [6]. A neural observer approach for detecting FDI attacks is introduced in [7]. In [8], the smallest set of adversary-controlled meters needed to perform an unobservable attack was identified. Recently, Amin et al. considered Denial of Service (DoS) attacks on the communication channels over which the measurements telemetered by remote terminal units (RTUs) are sent to the control center of power systems [9]. They demonstrated that an adversary could make power systems unstable by properly designing DoS attack sequences. Liu et al. considered how a switched-DoS attack on a smart grid could affect the dynamic performance of its power systems [10]. The Viking project [11] considered cyber-attacks on the Load Frequency Control (LFC), one of a few automatic control loops in power systems. They analyzed the impacts of cyber-attacks on the control centers of power systems using reachability methods. However, they only considered attacks on the control centers, which are usually harder to attack than the communication channels in the sensing loop of a power system.
In the area of biomedical devices, security has become increasingly critical because the development trend is to connect these devices to other entities through both wired and wireless channels. It is therefore important to consider medical device security issues [12].
The rest of this paper is organized as follows: Section 2 illustrates three different types of attacks to NCSs. Section 3 provides the needed information for the proposed case study. Section 4 presents the results of the numerical simulation conducted in this study. Finally, in Section 5, the conclusion and remarks are presented.
2. Types of Attacks on NCSs
Here a generalized model of an NCS under attack is shown in Figure 1.
This system is described concisely as an output feedback system having the form:
(1)
and
(2)
where x is the plant state vector; y is the information communicated with the controller about the plant state; u is the control vector; f is a function describing the plant behavior; g describes the plant output and the communication methodology used, and h is a description of the controller.
An attack on the NCS involves altering any component of the system. A general attack can be described by a function that alters any of the components of the system
(3)
where
are the corrupted functions and information resulting from an attack Λ.
The three most likely attacks on NCSs, especially on Networked Power Control Systems (NPCSs), are given below:
a) Denial of Service (DoS)
Figure 1. Generalized cyber attacks on a typical NCS.
This attack seeks to sabotage an NCS by overwhelming its communication and computational resources in order to prevent it from working [13]. The DoS attack can disconnect service or data from the plant to the controller, from the controller to the plant, or both at the same time. In our general model of attacks, this attack can be described as follows:
(4)
where
can be zero, or some random value.
b) Fault Analysis Attack
This class of attack injects faults into a device performing some computation. These faults can be caused by changing the environmental conditions, by injecting a laser beam at an appropriate frequency [14], or by injecting data packets that collide with legitimate packets [15]. The work of Yuan and Liu et al. has shown the load redistribution attack [16] [17] [18], a false data injection attack that modifies selected information in a Supervisory Control and Data Acquisition (SCADA) power system. This attack is especially dangerous because of its capability to manipulate the estimation of system power flow. Depending on whether the attack is short-term or long-term, it can damage the security-constrained economic dispatch (SCED) price estimation [17]. This attack can be modeled as follows:
(5)
where z is an input signal designed by the attacker for the purpose of either misleading the control system, causing systems inefficiencies, or sabotaging it.
c) Time-Delay Switched Attack (TDS)
The Time-Delay Switched (TDS) attack on NCSs was proposed by Sargolzaei et al., who showed that this type of attack can destabilize NCSs [2]. In [19], the authors applied this attack to a networked nonlinear heartbeat system and proposed a controller that is more robust to TDS attacks. In [20], a time-delay-switch (TDS) attack was used to introduce time delays into the dynamics of power systems. TDS attacks can have devastating consequences for smart grids if no prevention measures are considered in the design of these power systems. TDS attacks can be modeled as a delay of the output signals telemetered to the controller
(6)
or as an attack on the clocking and synchronization mechanisms in NCSs
(7)
where
is a random variable time-delay that is always less than time
.
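The three attack models above act on the measurement stream that the plant telemeters to the controller. The following added example (not code from the paper) implements Equations (4) to (6) as transformations of a sampled stream y(t_k) and adds a defender-side freshness check that shows which of the three a simple inter-arrival monitor can and cannot see. The 1 Hz plant signal, the 5 ms sample period and the monitor slack are constructed for illustration; the attack window (1.4 s to 1.45 s) and delay τ = 0.01 s reuse the values of the pacemaker study later in the paper.

```python
"""Sensing-channel attack models for an NCS measurement stream (added example).

Eq. (4) DoS, Eq. (5) fault/false-data injection and Eq. (6) time-delay switch
applied to the samples y(t_k) sent from the plant to the controller, plus a
defender-side freshness check on what the controller actually receives.
Signal, sample period and slack are constructed; window and tau follow the paper.
"""
import bisect
import math
import random
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Sample:
    t: float  # time stamp attached by the sensor
    y: float  # measured plant output y = g(x)


def plant_output(t: float) -> float:
    """Constructed stand-in for the telemetered plant output: a 1 Hz sinusoid."""
    return math.sin(2.0 * math.pi * t)


def sensor_stream(dt: float, n: int) -> List[Sample]:
    """Clean stream of n samples every dt seconds; times are rounded so that
    window boundaries such as 1.4 and 1.45 compare exactly."""
    return [Sample(round(k * dt, 6), plant_output(round(k * dt, 6))) for k in range(n)]


def in_window(s: Sample, ts: float, tf: float) -> bool:
    return ts <= s.t <= tf


def dos_attack(stream: List[Sample], ts: float, tf: float,
               mode: str = "zero", rng=None) -> List[Sample]:
    """Eq. (4): inside [ts, tf] the controller gets nothing usable. mode is
    "zero" (value is zero), "random" (attacker noise) or "drop" (no packet)."""
    rng = rng or random.Random(0)
    out = []
    for s in stream:
        if not in_window(s, ts, tf):
            out.append(s)
        elif mode == "zero":
            out.append(Sample(s.t, 0.0))
        elif mode == "random":
            out.append(Sample(s.t, rng.uniform(-1.0, 1.0)))
        elif mode == "drop":
            continue
        else:
            raise ValueError(f"unknown DoS mode {mode!r}")
    return out


def fdi_attack(stream: List[Sample], ts: float, tf: float,
               z: Callable[[float], float]) -> List[Sample]:
    """Eq. (5): inside the window y becomes y + z(t), with z designed by the attacker."""
    return [Sample(s.t, s.y + z(s.t)) if in_window(s, ts, tf) else s for s in stream]


def tds_attack(stream: List[Sample], ts: float, tf: float, tau: float) -> List[Sample]:
    """Eq. (6): inside the window the controller is fed the stale reading
    y(t - tau) while the sample keeps its nominal time stamp."""
    times = [s.t for s in stream]  # sensor_stream() emits them in order
    out = []
    for s in stream:
        if in_window(s, ts, tf):
            idx = max(bisect.bisect_right(times, round(s.t - tau, 6)) - 1, 0)
            out.append(Sample(s.t, stream[idx].y))
        else:
            out.append(s)
    return out


def freshness_check(received: List[Sample], dt: float, slack: float = 1.5) -> Tuple[int, list]:
    """Defender-side monitor on the inbound stream: flag every inter-arrival gap
    longer than slack*dt and estimate the samples lost. It catches packet-dropping
    DoS; value tampering (FDI) and a delay that keeps nominal time stamps (TDS)
    are invisible to it and need model-based residual checks instead."""
    lost, gaps = 0, []
    for a, b in zip(received, received[1:]):
        gap = b.t - a.t
        if gap > slack * dt:
            gaps.append((a.t, b.t))
            lost += round(gap / dt) - 1
    return lost, gaps


def window_mse(clean: List[Sample], received: List[Sample], ts: float, tf: float) -> float:
    """MSE between clean and received values inside the window, matched by time
    stamp (the metric of Table 2). A dropped sample is scored as a zero reading."""
    got = {s.t: s.y for s in received}
    errs = [(s.y - got.get(s.t, 0.0)) ** 2 for s in clean if in_window(s, ts, tf)]
    return sum(errs) / len(errs)


if __name__ == "__main__":
    dt, ts, tf = 0.005, 1.4, 1.45
    clean = sensor_stream(dt, 400)
    cases = [("DoS/zero", dos_attack(clean, ts, tf, "zero")),
             ("DoS/drop", dos_attack(clean, ts, tf, "drop")),
             ("FDI", fdi_attack(clean, ts, tf, lambda t: 0.1)),
             ("TDS", tds_attack(clean, ts, tf, 0.01))]
    for name, attacked in cases:
        lost, _ = freshness_check(attacked, dt)
        print(f"{name:9s} MSE in window={window_mse(clean, attacked, ts, tf):.4f}"
              f"  samples flagged lost={lost}")
```

Running the script shows why the paper stresses the sensing loop: only the packet-dropping variant of DoS is caught by the timing monitor, while the zero-valued DoS, the FDI offset and the delayed readings all arrive on time with plausible time stamps and can only be judged against what the plant model predicts.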
3. Case Study
To evaluate the performance of different controllers on pacemakers under DoS, FDI and TDS attacks, we need a mathematical model of the heartbeat. There is much research in the area of heart signals and pacemakers [21] [22], which shows its importance.
The 2nd-order heartbeat model is selected for the case study in this paper [19] . The model is described as follows:
(8)
where x1 and x2 indicate the length of a muscle fiber and the state related to electrochemical activity, respectively; xd indicates a typical muscle fiber length when the heart is in the systolic state; xs is an additional parameter representing a typical fiber length; ε is a small positive constant;
represents tension in the muscle fiber; and u(t) is the cardiac pacemaker control that drives the heart into the diastolic and the systolic states. The parameters adopted are listed in Table 1 [19].
Three different controllers are adopted to compare their performance: the optimal state feedback controller, the PID controller, and the ELCPID, given below:
(9)
(10)
(11)
Here
represents any one of the possible attack signals described in Equations (5) to (7). The error signal is defined as
. In the representation of ELCPID,
can be a PID controller and the controller parameters
and
can be calculated as described in [19] [23] .
4. Stability Analysis of the Nonlinear Heartbeat Model
Now we discuss the stability of the 2nd-order nonlinear model given in (8). First, we consider the cardiac pacemaker control signal to take the values 0 and 1, which indicates on-off control. If the control signal of the pacemaker, u(t), is zero when T = 1, ε = 0.2, and xd = 0, then the equilibrium point at (0, 0) is not stable. This can be calculated by solving the following equation
(12)
It can be shown that the equilibrium point of the system described in (12) is not stable. This conclusion can be confirmed by analyzing the stability of the equilibrium point using Lyapunov's indirect method. To do this, we calculate the Jacobian matrix A of (12) at the origin
(13)
The eigenvalues of A are
(14)
At the equilibrium point (0, 0), we obtain
i.e., both eigenvalues are positive when T = 1 and ε = 0.2, which indicates that the system is not stable at the origin.
However, the system described in (12) is stable if the condition
is satisfied. This condition is reached if the value of
is set to 1.024 based on the literature [24]. For
and T = 1, the equilibrium point (1.024, −0.0497) is stable, as shown in Figure 2, which is the phase portrait with the new value of
. All trajectories, regardless of their initial values, go to the diastolic equilibrium point marked by the cube. Since the equilibrium point is stable, the system stays at this point unless an external excitation forces it to a new equilibrium point.
Now, we consider the system described in (8) with u(t) = 1, xd = 1.024, xs = −1.3804, T = 1, and ε = 0.2. With these parameter values we move the heart to the systolic state (Figure 3). Based on this study, the control signal directs the heart from the diastolic to the systolic state, and adversaries can disrupt this process by injecting attacks into the sensory and/or control signals.
Figure 2. Phase portrait of the heartbeat model in the diastolic state; the black cube shows the equilibrium point.
Figure 3. Phase portrait of the heart model in the systolic state; the cube denotes the equilibrium point.
Figure 4. Simulation result of ECG tracking for the 2nd-order heartbeat model based on the ELPIC pacemaker signal.
Controllability and observability of the heartbeat model are also assumed, based on the literature [24].
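The eigenvalue argument of this section can be checked numerically. The following added example is not the paper's code; since Equation (8) did not survive extraction, it assumes the model form to be the Zeeman-type heartbeat model used in the cited pacemaker work, ε ẋ1 = −(x1³ − T x1 + x2), ẋ2 = (x1 − xd) + (xd − xs) u. That assumed form reproduces every number on this page: with u = 0, T = 1 and ε = 0.2 both eigenvalues at the origin are positive for xd = 0, the equilibrium (1.024, −0.0497) is stable for xd = 1.024, and with u = 1 the equilibrium moves to x1 = xs = −1.3804. The Euler integration only confirms where a trajectory settles; the parameter values follow the text.

```python
"""Stability of the 2nd-order heartbeat model via the Jacobian (added example).

The model form is an assumption (Zeeman-type model as used in the cited
pacemaker work); parameter values are those given in Section 4 of the paper.
"""
import cmath
from dataclasses import dataclass


@dataclass(frozen=True)
class HeartParams:
    T: float = 1.0        # tension parameter
    eps: float = 0.2      # small positive constant (fast x1 dynamics)
    xd: float = 1.024     # typical fiber length, diastolic state
    xs: float = -1.3804   # typical fiber length, systolic state


def dynamics(x, p, u):
    """Right-hand side of the assumed model for x = (x1, x2) and pacemaker input u."""
    x1, x2 = x
    dx1 = -(x1 ** 3 - p.T * x1 + x2) / p.eps
    dx2 = (x1 - p.xd) + (p.xd - p.xs) * u
    return dx1, dx2


def equilibrium(p, u):
    """Solve dynamics = 0: dx2 = 0 fixes x1, then dx1 = 0 gives x2 = T*x1 - x1**3."""
    x1 = p.xd - (p.xd - p.xs) * u   # u = 0 -> x1 = xd (diastole), u = 1 -> x1 = xs (systole)
    return x1, p.T * x1 - x1 ** 3


def jacobian(x1, p):
    """Jacobian of the assumed model; it depends only on x1 and the parameters."""
    return (((p.T - 3.0 * x1 ** 2) / p.eps, -1.0 / p.eps),
            (1.0, 0.0))


def eigenvalues(A):
    """Eigenvalues of a 2x2 matrix from its trace and determinant."""
    (a, b), (c, d) = A
    tr, det = a + d, a * d - b * c
    disc = cmath.sqrt(tr * tr - 4.0 * det)
    return (tr + disc) / 2.0, (tr - disc) / 2.0


def is_stable(x1, p):
    """Lyapunov's indirect method: asymptotically stable when every eigenvalue has
    negative real part. Since det = 1/eps > 0 here, this reduces to trace < 0,
    i.e. 3*x1**2 > T for the assumed model."""
    return all(lam.real < 0.0 for lam in eigenvalues(jacobian(x1, p)))


def euler_trajectory(x0, p, u, dt=1e-3, steps=30000):
    """Forward-Euler integration, used only to confirm where a trajectory settles."""
    x = x0
    for _ in range(steps):
        d = dynamics(x, p, u)
        x = (x[0] + dt * d[0], x[1] + dt * d[1])
    return x


if __name__ == "__main__":
    p = HeartParams()
    for label, params, u in [("origin, xd=0", HeartParams(xd=0.0), 0),
                             ("diastolic", p, 0), ("systolic", p, 1)]:
        x1, x2 = equilibrium(params, u)
        l1, l2 = eigenvalues(jacobian(x1, params))
        print(f"{label:13s} x*=({x1:.4f}, {x2:.4f})  eig={l1:.3f}, {l2:.3f}"
              f"  stable={is_stable(x1, params)}")
    print("trajectory from (0.5, 0.5), u=0, settles at", euler_trajectory((0.5, 0.5), p, 0))
```

At the origin with xd = 0 the trace is T/ε = 5 and the determinant 1/ε = 5, giving the eigenvalues (5 ± √5)/2 ≈ 3.618 and 1.382, both positive; at x1 = 1.024 the trace becomes (1 − 3·1.024²)/0.2 ≈ −10.73 and both eigenvalues move to the left half-plane, which is the stability switch the text describes.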
5. Simulations and Results
The above-mentioned 2nd-order heartbeat model using the Emotional Learning PI Control (ELPIC) technique has been simulated first to test whether this model can adequately represent the mechanism of heartbeat in ECG signal generation. Figure 4 shows that the output of the model with the ELPIC controller accurately matches the measurement. In the figure, the dashed line shows the output of the model controlled by the ELPIC technique and the solid line indicates the patient's ECG signal, which serves as the reference signal [25]. More details about the ELPIC technique can be found in [19].
Three different attacks, TDS, DoS and FDI, are applied to the heartbeat model with different controllers. The controllers evaluated are the ELPIC, the classical PI, and the MPC adopted from MATLAB. To compare the performance of these three controllers under the above-mentioned attacks, we apply the attacks to the model with each controller in the time interval between ts = 1.4 sec and tf = 1.45 sec and check the corresponding responses. In the simulation, a time delay of τ = 0.01 sec is adopted in the TDS attack, and small random variables are injected into the model to simulate the FDI attack.
The results are shown in Figures 5-7. In all of the figures, the ECG signal and the signals from the different controllers, ELPIC, MPC and PID, are represented by the solid line, dashed line, dotted line and dash-dot line, respectively. The figures clearly show that the responses of the model with ELPIC closely match the reference ECG signal when the model is under any of these attacks. The responses of the model with the classical PI controller and the MPC are significantly off. Although ELPIC is less powerful in tracking the highly nonlinear reference ECG signal, it is more robust under the TDS, DoS and FDI attacks.
Table 2. Mean squared error for controllers under attacks.
Table 2 shows the mean squared error (MSE) between the system's output and the reference ECG signal for the time slot from 1.4 seconds to 1.5 seconds, during which the system is under attack. The results verify our visual findings.
6. Conclusion
In this paper, we have described a general model of NCSs under attack and reviewed the mathematical models of some possible attacks. Through simulations we have shown the impact of those attacks on the performance of a networked pacemaker. The simulation results also show that the ELPIC method provides much better performance than the PID and the MPC when the system is under DoS, TDS and FDI attacks.