A systems and control perspective of CPS security Annual Reviews in Control

ContentslistsavailableatScienceDirect

Annual Reviews in Control

journalhomepage:www.elsevier.com/locate/arcontrol

Review article

A systems and control perspective of CPS security

Seyed Mehran Dibaji

^a,∗

, Mohammad Pirani

^b

, David Bezalel Flamholz

^a

, Anuradha M. Annaswamy

^a

, Karl Henrik Johansson

^b

, Aranya Chakrabortty

^c

a Department of Mechanical Engineering, Massachusetts Institute of Technology, Cambridge, MA, USA

b Department of Automatic Control, KTH Royal Institute of Technology, Sweden

c Department of Electrical Engineering, North Carolina State University, Raleigh, NC, USA

a rt i c l e i nf o

Article history:

Received 16 January 2019 Revised 23 April 2019 Accepted 24 April 2019 Available online 23 May 2019 Keywords:

Cyber-physical systems Cyber-security Cyber-physical security Secure control Resilient control

a b s t ra c t

Thecomprehensiveintegrationofinstrumentation,communication,andcontrolintophysicalsystemshas ledtothestudyofCyber-PhysicalSystems(CPSs),afieldthathasrecentlygarneredincreasedattention.

AkeyconcernthatisubiquitousinCPSisaneedtoensuresecurityinthefaceofcyberattacks.Inthis paper,wecarryoutasurveyofsystemsandcontrolmethodsthathavebeenproposedforthesecurity ofCPS.Weclassifythesemethodsintothreecategoriesbasedonthetypeofdefenseproposedagainst thecyberattacks:prevention,resilience,anddetection&isolation.Aunifiedthreatassessmentmetricis proposedinordertoevaluatehowCPSsecurityisachievedineachofthesethreecases.Alsosurveyedare theriskassessmenttoolsandtheeffectofnetworktopologyonCPSsecurity.Furthermore,anemphasis hasbeenplacedonpowerandtransportationapplicationsintheoverallsurvey.

© 2019ElsevierLtd.Allrightsreserved.

Contents

1. Introduction ...395

1.1. ExamplesofCPScyber-attacks ...396

1.1.1. Stuxnet...396

1.1.2. RQ-170...396

1.1.3. Ukraineattack...396

1.1.4. Maroochyattack ...396

1.1.5. Jeephack...396

1.1.6. Otherattacks...396

1.2. ResearchopportunitiesinCPSsecurity ...397

1.3. Contributionsofthispaper...398

2. SystemsandcontrolmethodsforCPSsecurity...398

2.1. Attackmodels...398

2.2. Defensemechanisms...399

2.2.1. Preventionmechanisms...400

2.2.2. Resiliencemechanisms...400

2.2.3. Detection&isolationmechanisms ...402

2.3. Securitymetric...404

3. Threatassessmentandnetworktopologies...405

3.1. Threatassessment...405

3.2. Effectsofthenetworktopology...406

3.2.1. Onpreventionmechanisms...406

∗ Corresponding author.

E-mail addresses: dibaji@mit.edu (S.M. Dibaji), mpirani@uwaterloo.ca (M. Pirani), flamholz@mit.edu (D.B. Flamholz), aanna@mit.edu (A.M. Annaswamy), kallej@kth.se (K.H.

Johansson), achakra2@ncsu.edu (A. Chakrabortty).

https://doi.org/10.1016/j.arcontrol.2019.04.011 1367-5788/© 2019 Elsevier Ltd. All rights reserved.

3.2.2. Onresiliencemechanisms...406

3.2.3. Ondetectionmechanisms...406

4. Summaryandfutureworks...407

Acknowledgement...407

References ...407

1. Introduction

Motivated by concerns about sustainability, efficiency, andre- siliency,severalsectorsincludingenergy,transportation,water,and healthcaresystems havewitnessedsignificant advancesin instru- mentation,monitoring,andautomationoverthepastdecade.The resultingintegrationofinformation,communication,andcomputa- tionwithphysicallyengineeredsystemsdemandsadetailedinves- tigationintothe analysisandsynthesisofCyber-PhysicalSystems (CPS)asameanstorealizethedesiredperformancemetricsofef- ficiency,sustainability,andsafety.Theextensiveandintricatepres- enceofcybercomponentsalsointroducesconcernsoverunwanted accesstothesesystems.Theavailablecommunicationtechnologies, referred toas SCADA (Supervisory Controland Data Acquisition), are witnessing significant advances, triggering a shift from pro- tected,closed,andwirednetworkstoopenandwirelessnetworks, which,asasideeffect,aremorevulnerabletooutsideinterference.

This,inturn,hasled toarecentsystematicinvestigationofsecu- rity of CPS,various attack models,toolsfor analysisofCPS secu- rity,andmostimportantly,methodsforensuringresilienceagainst cyberattacks.This papersurveysthisemergingarea andoffers a systems and control-theoretic perspective to provide a snapshot of the currentstate of research in the field. Forthe purposes of this paper, we denote the termCPS security to includeboth se- curity,whichsometimes isusedasa systempropertythat corre- spondstodefenseagainstattacks,andresiliency,asystemproperty that corresponds to survival and recovery after occurrence of an attack.

The notion of security against unwanted intrusions and at- tackscanbetracedbacktothetimesofCaesar(Tranquillus,1957) andearlywarfarestrategies.Atechnologicalintersectionwiththis topic,however,hasitsoriginsintheproliferationofcomputersin the commercial sector. Grouped under the rubric of InfoSec, in- formation securitybreacheswere recognized to be central tothe satisfactory performance of asystem. In particular,three security breaches were often considered to be important for the protec- tionofinformation(Cherdantseva& Hilton,2012;2013;Saltzer&

Schroeder, 1975):Confidentiality, Integrity,and Availabilitywhich denote asan unauthorized information release, an unauthorized informationmodification,andanunauthorizeddenialofuseofthe information,respectively¹.

Given the central role that information plays in a feedback control system, the approaches to achieving CPS security can be grouped using the same taxonomy (see Fig. 1). A confidentiality breach can be viewed as the monitoring of information that is used to control the system, integrity breach asthe corruptionof thesensor datasentto thenetworkforprocessing, andavailabil- ity breach as either blocking or delaying of the information be- tweenthecomputationalblockandtheactuationnodeinasystem (Cárdenas etal., 2011; Cárdenas,Amin, & Sastry,2008; Cardenas, Amin,&Sastry,2008;Sandberg,Johansson,&Amin,2015).

1 In the literature ( Zeldovich (Fall 2014 )), security goals are also defined in the same manner but with a positive voice: confidentiality is to maintain the secrecy of the important data, integrity is to guarantee the fidelity of the data, and availability is to ensure the accessibility of the data at the right time.

Fig. 1. A schematic of various attacks that can occur in a CPS grouped under the three categories, Disclosure attacks, Deception attacks, and Disruption attacks.

Ifprotectionagainstthesecuritybreachesabovecanbeviewed from a defender’s perspective, an attacker’s perspective can be considered aswell to address CPS security. Broadlyspeaking, cy- ber attacks have been grouped under three headings; disclosure attacks, deception attacks, and disruption attacks (Bishop, 2005;

Teixeira,Sou,Sandberg,&Johansson,2015)denotedasDDDattacks inwhatfollows(Fig.1).Disclosure attacksrefertoanyintrusions thatincludeeavesdropping (Nozari, Tallapragada,& Cortés,2017);

deception attack corresponds to the corruption of signals (such as a spoofing attack (Jafarnia-Jahromi, Broumandan, Nielsen, &

Lachapelle,2012)orafalse-datainjectionattack (Pasqualetti,Dör- fler,&Bullo,2013)),andadisruptionattackcorrespondstoanother activeintrusionwherethesignalmayeitherbeblockedordelayed (e.g.,denialofservice(DePersis&Tesi,2015)).Thesethreeattacks arenotmutuallyexclusive–almostalldeceptionattackscanbedis- ruptive as well; disruption attacks need not necessarily coincide witha deception attack to achieve a more active action such as blockingordelaying.Itisclearthat thereisadirectmappingbe- tween these three attack-models and the three security goals of confidentiality,integrity,andavailability(Fig.1).Thedisclosureat- tackisanalogoustotheconfidentialitybreach,thedeceptionattack totheintegritybreach,andthedisruptionattacktotheavailability breach.BoththeCIAgoalsandtheDDDattackshavebeenexten- sivelyanalyzed inthe literatureforanalysisandsynthesis ofCPS securityoverthepast fewyears(Amin,Cárdenas, &Sastry,2009;

Bishop,2005).

Inawell-designedcontrol systemwhereperformancegoals of accuracy,speed,androbustnessaremet,allowingcyberattacksto haveanimpact,letaloneasignificantone,seemslikeanimpossi- bility.Tothecontrary,thenumberofattacks,aswellastheirim- pactonthe underlying infrastructure,hasbeen quitecompelling.

We summarizesome of the major attacks on control systems in powerandtransportation infrastructuresin thefollowingsection.

Eachofthemajorattacksisclassifiedusingthesecuritybreaches andattackmodelsdescribedabove.Thespecificsetofcomponents compromisedintheunderlyingfeedbackcontrolloopsisindicated inFig.1.

Fig. 2. A schematic of the Stuxnet attack that occurred in 2011.

1.1.ExamplesofCPScyber-attacks

In this subsection,we namea few ofthe most consequential attackscenariosthathaveoccurredinrealcyber-physcalsystems.

1.1.1. Stuxnet

Stuxnet wasacyber-physicalattack onanIranianuraniumen- richmentplantinlate2009.Intargetingacommerciallyavailable Programmable Logic Controller, operating under a narrow set of conditions,the attackers were able to ensure the attack reached its intended recipient with limited fallout. They inserted a mal- warewhich wouldlie dormantin thesystem andgo undetected (Falliere, Murchu, & Chien, 2018; Zero Days, 2016). With such a stealthypresence, observingcriticalandconfidential systemdata, theattackerobservedkeyoutputsofthesystemunderstablecon- ditions, and replayed those measurements to other monitoring sites of the network. Simultaneously, malicious actuation signals wereinjectedintoother criticalactuationsites,resultinginasig- nificantdamage toa numberofcentrifuges (Falliereetal., 2018).

Ingeneral,manycyber-attackscanremainundetectedafterinser- tion,forasignificantlylongperioduptoayear(Mo,Weerakkody,

& Sinopoli,2015; ZeroDays, 2016). Fig. 2 illustrates Stuxnet ina schematicform.OnecanviewStuxnetasacombinationofdecep- tionanddisclosureattacks.

1.1.2. RQ-170

In2011,USoperatorslostcontrolofanRQ-170unmannedaerial vehicle(UAV)whichsubsequentlylandedinIran.Onespeculation astowhatcausedthistooccuristhatIranianforcesjammedGPS communications followedby a spoof of GPS signals, thereby de- ceivingthe droneinto landing inthe desiredlocation (Hartmann

&Steup, 2013). In additionto thisattack on aUAV, a numberof studieshavebeencarriedouttoshow thepotentialthreatofGPS spoofingonvehicles(Hardingetal., 2014). TheRQ-170attackcan beviewedasadisruptionattackfollowedbyadeceptionattack.

1.1.3. Ukraineattack

Traditional practice in power grids is to institute safeguards against physical faults (Watts, 2003) using protective devices. A singulardeparturefromsuchoccurrenceshappenedintheUkraine attack.ThisconsistedofaseriesofattacksonUkrainianpowerdis- tribution networkscausing outages aswell aslasting damage in 2015.Thefirst wasintroduced viaphishingemails containingthe Black Energy malware. Once it infiltrated the system, it enabled

the attacker to steal critical data andstudy the system environ- ment.This,inturn,enabledaccesstoamorecriticalcontrollevel andallowedthe spoofingofcontrolcommands(Case,2016).That is,firsttherewasaconfidentialitybreach,followedbyanintegrity breach.Finally, byoverwriting thefirmware ina fewsubstations, the attackerwasable toensure remote inoperability ofbreakers, leadingto an availability breach. In2016, yet anotherattack was launchedon atransmissionstationusingtheCrashOverridemal- ware.Thismalwarecould communicatedirectly withgrid control softwareanditsmodulardesignenabledittobemodifiedtowork forUSorEuropeangridprotocolsaswell(Greenberg,2017).

1.1.4. Maroochyattack

In2000,theMaroochywaterservicesinQueensland,Australia, were attacked by a disgruntled employee. Motivatedby revenge, heaccomplished the attack by infiltrating theSCADA network of water services and alteredthe control signals.The attackertook control of 150 sewage pumping stations resulting inthe evacua- tionofonemillion litersofuntreatedsewage,overathree-month period,intostormwaterdrainsandonto localwaterways (Slay &

Miller,2007).Thisisclearlyadeceptionattack/integritybreachon actuators.

1.1.5. Jeephack

Carhackingshowsalargelevelofvulnerabilitythatmodernau- tomotivesystemsseemtopossessagainstadversarialactions.One of the examples was an (under control) attack on a Jeep which was driving in 70 mph on a highway in St. Louis, USA, where the carwas hijackedremotely by attackers to show how various ElectronicControlUnits,fromwipertobrakeandenginesystems, can be manipulatedremotely through the cellularconnection in- sidethevehicle(Greenberg,2018).Althoughthisattackwassetto be undercontrol, it isclaimed that remotecar hackingcan have life-threatening consequencesforpassengervehicles inthefuture (Koscheretal.,2010).

1.1.6. Otherattacks

Theattackslistedabovearebynomeanscomprehensive.They are meant tobe an overviewof some ofthe majorcyber-attacks thathavehadanoticeableimpactonpowerandtransportationin- frastructures. Theearliest cyberattackon criticalinfrastructureis reportedto haveoccurredin1982 whenthesale ofintentionally damaged control software tothe SovietUnion resulted inan ex- plosion inSiberia(Onyeji,Bazilian, & Bronk,2014). Over thepast

fiveyears,there havebeenseveralothercyberattackson ground transportation infrastructures (ENISA cybersecurity report, 2016), the service industry, andthe manufacturing industry to name a few (fora listofcyber-attacksrefertoData Breach Investigations Report (2009, 2015); Hackmageddon (2018)). We have excluded physicalattacks liketheMetcalf sniperattack(Sniper attackCNN report, 2015) that haveoccurredon a PG&Etransmission substa- tion in California leading to a large financial loss and pilot in- tended crash of Airbus (Airbus A320-211 report, 2015) Based on Rus et al. (2018), two thirds of attacks have been initiated by phishingemails.Amajority(70-80%)ofattacksare abettedbyin- siders. 67%ofthecyberthreatsare enabledby victimerrors,64%

aredirectlyintroducedbyhackers,and38%bymalware.

1.2. Researchopportunities inCPSsecurity

TheFY2019USPresidentsBudgetincludes$15billionofbudget authorityforcyber-security-relatedactivities,a$583.4million(4.1 percent)increaseabovetheFY2018Estimate(Cybersecurityfund- ing,2019) whichindicatesthelevelofattentionbeingpaidtothis topic.AstheproblemofCPSsecurityisofhugeinteresttotheen- gineeringcommunity,itisnotsurprisingthatthereisalargenum- ber ofresearch investigations overthe pastdecade.Earlierworks such asCárdenas etal. (2011, 2008); Cardenas et al. (2008) and Sandberg, Teixeira, and Johansson (2010) brought to attention the fact that the topic of cyber-attacks is not of interest just to the cybersecuritycommunity, but out of significantly broader interest. These works also demonstrated that component-wise solutions may not suffice, and instead, these threats must be analyzedfromacomprehensivesystemandinfrastructureperspec- tive. Also asmentioned above, DDD attacks havebeen discussed atlengthinTeixeira,Shames,Sandberg,andJohansson(2015)and Cardenasetal.(2008).

Issues of CPS security arise in a range of applications. On a dailybasis, thereare reportsofcyberattacksin almostevery sec- tor that includes a cybercomponent.To give the readersa better sense of the impact of cyberattacks and the general problemof CPS security, in what follows, we expand on the impact in the context of power systems (Ashok, Govindarasu, andWang, 2017;

Bobba et al., 2012; Gusrialdi andQu, 2019; Huang, Satchidanan- dan, Kumar and Xie, 2018; Humayed, Lin, Li, and Luo, 2017; Li, Shahidehpour, and Aminifar, 2017; Liang, Zhao, Luo, Weller, and Dong, 2017; Liao and Chakrabortty, 2018; Liu and Li, 2017; Mi- lani, Khan, Chakrabortty, andHusain, 2018;Nordell,2012; Onyeji et al., 2014; Sandberg et al., 2010; Sanjab, Saad, Guvenc, Sar- wat, and Biswas, 2016; Sridhar, Hahn, Govindarasu et al., 2012; Stoustrup, Annaswamy, Chakrabortty, and Qu (ed.), 2019; Wang and Lu,2013; Xie,Mo, andSinopoli,2011; Yan, Qian, Sharif, and Tipper,2013).Inparticular,seeNordell(2012)fordefinitionsofse- curity andGusrialdiandQu(2019)forachapteroncybersecurity insmartgridcontrolwithcomprehensivediscussiononattacksby insiders and outsiders and countermeasures in a power system.

The presence ofa large numberofsubsystems in powersystems impliesthattheimpactofattacksvarysignificantly dependingon where they occur. Broadly speaking, this impact can be summa- rizedoverthefollowingthreebroadheadings:

1. Transmission level: Attacks mayhappen inAGC control loops (generator governor control) (Huang et al., 2018), PSS, FACTS controller,andwide-areacontrollers (Ashoketal.,2017;Bobba et al., 2012; Liao & Chakrabortty, 2018). Each of these cases may involve denial-or-service type attacks, hardware failures, controlsoftwarefailure,replayattacks,anddatatampering at- tacks.Wide-area controlis especiallysusceptible toattacks as substantive long-distance sensitive communicationis required for WAC, opening up many vulnerable points forattackers to

intrudethrough.Forexample,ifthecomputationofthewide- areacontrolsignalsishappeninginacloud,thenattackersmay causeDoS,datatamperingandothersuchattackstoeitherde- grade theclosed-loopCPS performance orcompletelydestabi- lizethesystem.Moreover,GPSreceiversofPMUmeasurements arepronetospoofingattacks(Jafarnia-Jahromietal.,2012).Di- rect hardwareattacks onthe bare metal ofthe sharedvirtual computers used in the cloud for performing these computa- tions, or software attacks on their data storageunits and hy- pervisors,arealsohighlypossible.

2.Distribution level: Attacks can happen in islanded micro- grids, grid-connected microgrids, or networked microgrids (Li,Shahidehpour,etal.,2017).Similarly,inadistribution-level powergrid,anattackermaychangethecurrentandvoltageset- pointsofthepowerconvertersthatconnecttherenewable re- sources to thegrid towrongvaluessuch that thepower flow equationsnolongerhaveanyfeasiblesolution,forcingthegrid to enterintoan unsafezone(Milanietal., 2018).Anotherim- portant point isthat themajorityof communicationprotocols used for microgrid operation and control are executed using wirelesscommunication, wheresecuritymaybeaseriouscon- cern. If thiscommunication is hacked, and, as a result, mes- sages donotreachthemicrogridcontrollersfromthesupervi- sorymanagementlayer,thensevere issuesoffrequencystabil- ityandvoltagestabilitycanarise.

3.Market level: False data injection in electricity markets has beeninvestigatedinXieetal.(2011),whereaconvexoptimiza- tionproblemissolvedbytheattackertofindwhichnodalprice ofEx-Postmarketmustbemanipulatedtomaximizethefinan- cialprofitoftheattacker.

It has to be noted that in power systems and more gener- allyin complex cyber-physicalsystems, fault-tolerance is the ba- sicrequirementtomakesureablackoutwouldnotoccur evenin thepresence ofunintentionalfaults. Oneexample ofpowergrids lackingsufficient fault-toleranceistheVenezuela powergridthat encountered frequent balckouts in March 2019 (Venezuela etal., 2019).

Similarto powersystems,transportation systemsexperiencea wide range of impact depending on the specific subsystem that has been targeted. Unmanned aerial vehicles and their vulner- abilities are addressed in Rani, Modares, Sriram, Mikulski, and Lewis(2016).Generaltransportationsystemshavebeenexamined in Javed and Hamida (2017), Hoppe, Kiltz, and Dittmann (2008), Fagnantand Kockelman (2015), Sucasas, Mantas, Saghezchi, Rad- wan,andRodriguez(2016),Xue,Wang,andRoy(2014),Sherif,Ra- bieh, Mahmoud, and Liang (2017), Alam, Ferreira, and Fon- seca(2016),Parkinson,Ward,Wilson,andMiller (2017),Petitand Shladover (2015), Woo, Jo, and Lee (2015), Siegel, Erb, and Sarma(2018),AhmedandGharavi(2018),Amoozadehetal.(2015), and industrial systems in Bradbury (2012), Fovino, Carcano, Masera, and Trombetta (2009), Huitsing, Chandia, Papa, and Shenoi (2008), Ding, Han, Xiang, Ge, and Zhang (2018). As ev- idenced by the Jeep-Hack and Stuxnet examples, the impact of cyber-attackscanbesignificant,astheyrepresentsafety-criticalin- frastructures.

In addition to the above applications, CPS security has been investigated in Cho and Woo (2017) for protection methods in nuclear power plants, motivated by the cyber attack in 2014.

In Wang, Wang, Shen, Alsaadi, and Hayat (2016), a review on deception and disruption attacks in CPSs has been performed.

The importance of security in SCADA has been discussed in Bradbury (2012), Fovino et al. (2009) and in Modbus con- trol systems in Huitsing et al. (2008). A survey on informa- tionandcommunication-basedsecurityaspects ofindustrial con- trol systems is done by McLaughlin et al. (2016). The repeated

occurrenceofthetermsecurityinthe recentcontrol systemssur- vey(Lamnabhi-Lagarrigue et al.,2017) isanotherindicator of the importanceofthistopic.

1.3.Contributionsofthispaper

The purpose of this paper is to present an overview of the research activities in the area of CPS security in two critical in- frastructures,power andtransportation. We provide thisoverview withtwo objectives inmind; the first is toprovide a broad sys- tem and control perspective within which most of the research contributions to-date can be viewed. The second objective is to map these contributions to a CIA-taxonomy of security breaches andDDD-taxonomyofattackmodels.Weaccomplishbothofthese objectives in Section 2, where all systems and control defense mechanismsare groupedunderthree headingsofprevention,re- silience, anddetection & isolation, based on the underlying con- ceptemployed.Inthissection,ametricthatquantifiestheCPSse- curityisalsoproposed.Wediscussthreatassessmenttoolsandre- quiredtopologicalconditionsforunderlyingnetworksinSection3. A summary and suggestions for future research are included in Section4.

2. SystemsandcontrolmethodsforCPSsecurity

With theoverall importanceof CPSsecurity mentionedinthe introduction,we now focus on the details of the intersection of thistopicwithclosed-loopcontrolsystems.Giventhatcontrolsys- tems consist of key components such assensors which measure keyvariables ofinterestandactuators thatsynthesize control in- putsthathelpthesystemperformtasksofregulationandtracking, itisimportantthat theCPSsecurityfocusesonsensors andactu- ators.Inadditiontothesecomponents,anotherimportantcompo- nentofa control systemisa communicationnetworkoftenused torelay crucialinformation to relevant places. Therefore CPS se- curity needs to include its focus not only on sensors and actua- torsbutalso theunderlyingcommunication network.It isessen- tialto modelthe adversaryandits available resources.One such conceptual modelis illustrated in Fig. 3.It should be notedthat attacksonCPSsoftenareconfusedwiththefaults thatmayoccur randomly andare oblivious of the systemmodel. Attacks, unlike faults,througheavesdropping, publiclyavailable knowledge,oper- atorfaults, andsoon, mayhaveaccesstothe systemmodeland makeuseofthisknowledgetodesignsmarterandmoreeffective attacks(Teixeira,Sou,etal., 2015). Thisisone ofthereasonsthat asystemandcontrol levelofdefense isrequiredagainstsuch at- tacks. However, in order to develop a systematic set of method- ologiesthat provides CPSsecurity forcontrol systems,one needs tobeginwithan analysisofthedifferenttype ofattacksthatare possible. Attack models that characterize the capabilities of the attacker, such as their computational power, the type of access they may have,the data they collect, andtheir collaborative ca- pabilitiesare verymuchneeded. Onesuch modelis developedin Teixeira, et al. (2015) which is based on the available resources

Fig. 3. A schematic of how attacks impact a CPS. It should be noted that an attack action differs from random faults in the sense that attacks may have access to the system model and suitably leverage to exacerbate the impact on the CPS.

toan attacker.Thesemodelsneedtobe designedusingquestions suchasthefollowing:Whatarethepointsandsignalsthatattack- ers have access to? What can they do precisely on the signals?

What aretheir limitations?Thesemust bestatedclearlyinorder tounderstandthelogicbehindtheassociateddefensemechanisms, tounderstandthelevelofconservatism,tocomparewithotherse- curitymechanisms,andtoimprovethedefensemechanisms.² The DDDattackmodelsmentionedintheintroductionprovideastart- ingpointforsuchdesignsandformourprimary focusinthispa- per.

In Fig. 1, we illustrate a feedback control systemand various vulnerablepointsthatcanbeattacked,indicatingthecorrespond- ingattacksasA_i,i=1,...,9,whichareoftenreferredtoasattack surfaces (Manadhata & Wing, 2011). In what follows,we classify the existing literature on attacks into one ofthe three DDD cat- egories, andproceed withineach categoryto subclassifythemon thebasisofthespecificpointintheCPSsystemwhichisattacked.

It should however be notedthat thismapping is not necessarily unique. A typical attack may include both features of deception and disruption, and therefore could be grouped under either of these categories. For instance, the paper Gil, Kumar, Mazumder, Katabi,andRus(2017) considers amasquerading attack inwhich amaliciousnodespoofsalargenumberoflegitimatenodes,which couldbeviewedaseitheradeceptionoradisruptionattack.

2.1. Attackmodels

As showninFig.1,a typicalcyber-physicalsystemconsistsof inputsu(k)attime stepk andoutputs y[k] that aremeasured by sensors,communicatedthroughanetwork,andwithsuitablecom- putations,thecontrolinputiscommunicatedanddeliveredtothe physicalsystemthroughactuators.TheattacksA_i,i=1,2,3areon thesensors,A₅,A₆areonthenetworks,A₆isonthecomputational layer,A_i,i=7,8,9areontheactuators.Inwhatfollows,wegroup theseattacksintotheDDDcategories,andwherever possible,we presenttheunderlyingattackmodel.

Disclosureattacks:Disclosureattacksaimtofindaccesstoinfor- mativesignalsorobtainsome conclusiveinformationaboutthem.

Asuccessfuldisclosureattackmaydirectlyuseorselltheobtained dataorusethem inorderto extractother informationaboutthe system. The latteris calledinference attacksorsometimes known plaintext attacks (Yuan & Mo, 2015) which are to infer the pri- vate information of a system, such as its transfer function, us- ing theaccess tosome potentially legitimate partsof thesystem (du PinCalmon &Fawaz, 2012) such assensorydata andcontrol inputs. Disclosed, or indirectlyinferred data,can also be used to designsmarter attacksinthefuture.Oneofthereasonsthat dis- closureattacksare, despitetheir simple definitions,morevital in security isthat thedetection ofdisclosure attacksusually take a long time, i.e.the attacksare in theso-called zerodays mode. It has been proved that in some systems, the attacks that use the system’s information, potentially gained via an initial disclosure attack, can destabilize the closed-loop system. Disclosure attacks maytakeplaceon eithersensormeasurements,control computa- tions, or actuation signals,which are indicated in Fig. 1, respec- tively,byA₃,A₅,andA₉.

Deceptionattacks:Deceptionattacksorfalsedatainjection(FDI) are accomplished when the signals are somehow different from

2 There is a wide spectrum of assumptions that can be made on attacks. Based on Shannon’s Maxim , the enemy knows the system. The Shannon’s paradigm is in contrast to Security by Obscurity in which the security is guaranteed by assumptions on the secrecy of the system’s data ( Shannon, 1949 ). The best security solutions are those that with the assumptions on which data are shared or under a direct ac- cess of the public (or non-trusted insiders), the attacks are defined thoroughly. This is done in computer security via Access Control tables ( Kern, Kesavan, & Daswani, 2007 ).

Fig. 4. Threat assessment of a CPS system and its reduction due to three defense mechanisms, based on prevention, resilience, and detection & isolation. The variable I denotes a quantity of interest that signifies the system vulnerability.

their truevalue. Theycan occurin threedistinct locationsinthe closed-loopsystem(seeFig.1):

(i)Sensorattacks,whichchangetheoperatingconditionsruin- ingthefidelityofthemeasurements(A₂inFig.1),i.e.,

y^a[k]=y[k]+ay[k], (1)

where y^a[k] is the corrupted measurement vector and ay[k] is the attack verctor, non-zero for some of the measurements (Cardenasetal.,2008).

(ii) Actuation attacks, which deviate the control signals from the valuesthey haveto be (A₈ inFig. 1),and (iii)Computational attacks, insome CPSs, whichalter the control law (A₆ in Fig.1), i.e.,inbothcasestheattackedcontrolinputu^a[k]isgivenby u^a[k]=u[k]+au[k],

where au[k] is a non-zero value for some of the control inputs (Cardenasetal.,2008).

Deceptionattacksarethestrongestattacksintermsofthelevel of damages they may create. For example, it is easy to imagine howadeceptionattackcanquicklydestabilizetheclosed-loopsys- tem. Agood exampleofsuch attacksisintroduced inBrown and Demarco(2018)forpowersystems.

Disruptionattacks: Any intentional tampering of information comes under the category of disruption attacks, sometimes de- notedasdenialofservice(DoS)attacksorjammingattacks.DoSat- tacks can be on the sensordata (A₁ in Fig.1), in the underlying network for(A4) orontheactuationsignals(A7)(Cardenasetal., 2008),allofwhichcanbeclassifiedintothefollowingattackmod- els:

y^a[k]=



_{0 ifA}

1 occurs,

y[k] otherwise. (2)

u^a[k]=



_{0 ifA}

4orA7 occurs,

u[k] otherwise. (3)

Often such DoS attacks are countered by using a Zero-Order- Hold approach.GusrialdiandQu (2019)provides amore detailed expositionofthesemodelsandaddressesgrid-specificattackssuch asthoseonloadfrequency controlandinterdictionattacksandde- ceptionattackssuch ascircuitbreakerattacksandloadalteringat- tacks.

Itcouldbearguedthattheattacksasin(2)and(3)couldhave beeneasily groupedunderdeceptionattacks.Adifferentexample

ofdisruptionattacks,ratherthan(2),isanerasure,wherethegoal oftheattackerissimplytopreventauthorizedentitiesfrombeing madeavailabletheinformationthatisrequiredfortheiroperation.

Suchanattackcanbeexpressedas y^a[k]=



_{∅ ifA}

1occurs,

y[k] otherwise. (4)

where∅denotesthetotallackofarrivalofthedataattheintended recipient.

In addition to the above perspective which is that of an at- tacker,a defender’s perspective isimportantaswell. One canar- guethatthefocusofcyber-security(Rusetal.,2018) isfromsuch aperspective andseeks to provideprotection toa systemby se- curingkeycomponentsthroughfirewall,encryption,etc.However, asthecomplexityoftheoverallsystemincreases,itbecomesdiffi- culttoensurethatadefensemechanismoftheentiresystemcan beguaranteedonlythroughprotectionofeveryoneofitsindivid- ualcomponents.Rather,asystemsperspectiveisneeded,whichfo- cusesonprevention oftheseattacks,andifattacksdooccur, en- surethatthesystemisresilientbycontainingtheimpactofthese threats,and/ordetectandisolatethesethreatsandrecoverquickly.

Thisisthefocusofthenextsubsection.

2.2.Defensemechanisms

Inthispaper, we characterizethree defense mechanisms,em- ployed eitherprior to, orduringthe occurrenceof the attack, to ensureCPSsecurity.Inordertopresentthesethreemechanismsin aunifiedmanner,weconsideranoverallthreatassessmentmetric illustratedinFig.4.Ourthesis isthatinordertodevelop acom- prehensivedefense mechanism forsecurity,all three components ofprevention (to postpone theonset of an attack), resilience(to containthemaximumimpact oftheattackandoperateasclosely tonormalaspossible),anddetectionandisolation(toidentifythe sourceoftheattack,isolatethecorruptedsubsystems,andrestore thenormalmodeasquicklyaspossible)areequallyimportantand haveto be layered in.If the defense strategy relies on detection alone, then the threat of the same attack recurring is not mini- mized.Inaddition,intheintervalbetweentheonsetoftheattack anddetection,thesystemcouldexperienceasignificantdamage.A goodexampleofsuch ascenarioistheStuxnet(Chen,2010). Ma- roochy isalsoan outcome ofthe lackof detectionandresilience mechanisms (Slay & Miller, 2007). The absence of resilience in

RQ-170 is apparent, asthe control systemwas unable to defend against the spoofing attack. It could be viewed that preventive mechanismsare activeprior to theattack whereas resilienceand detectionandisolationmechanismsareinvokedduringtheattacks anduntilthesystemisrestoredtonormaloperation.

Each of the three defense mechanisms represents a certain pointofviewofensuring securityandthereforecorresponds toa certaincontrol methodologyandrelatedsystemstools.Thegoals, the tools used, and the resulting performance are therefore in- timatelyconnected with the defense mechanism. In the sections thatfollow,thecontrolmethodology,thetools,andtheresultsre- portedintheliteratureareprovidedindetail.

2.2.1. Preventionmechanisms

Methodsinthiscategoryaretoguardagainstdisclosureattacks, which start from an infiltration stage to steal the vital informa- tionofthe systemandleverage themin futureattacks.A simple exampleofthisstage is through an insider(like the caseinMa- roochy attack) orAdvanced Persistent Threats (APTs), an attack in whichtheaccessofthesystemisgiventoanunauthorizeduserin astealthy fashion foran extensiveperiodoftime (Chen,Desmet,

&Huygens,2014). Wegroupdefensemechanismsinthiscategory into two cases; Cryptography and Randomization. The former is along-standingtopicwithitsunderpinningsincomputer science andextensivelystudied(Katz,Menezes,VanOorschot,&Vanstone, 1996).Thelatter,ontheotherhand,isgroundedincontroltheory andhasarichhistoryinrobustcontrolproblems(Milanese,2013).

(i)Cryptography:

Cryptographyisthescienceofconstructingandanalyzingpro- tocolsthatpreventthirdpartiesorthepublicfromreadingprivate messages.ModerncryptographystartedafterWorldWarIImaking useoftheconceptofpublickey(Diffie&Hellman,1976),Fig.5(a).

The idea behindcryptography isto make surethat the data be- tweenasenderandareceivercannotberevealedviaanunautho- rizeduser.Authenticationcanbecheckedwithsharingthesecure acknowledgemessages.Fig.5(b)showswhymakinguseofencryp- tionanddecryptionishelpfulinmaintainingtheconfidentialityof data. However, if the eavesdropper has access to the points be- tween decryptorand B, or encryptorand A, it can still read the message. As A and B can be any of three components, sensors, communicationnetwork, or actuators, shown in Fig.1, this kind ofattacks may take place in CPS. However, if a form of encryp- tionthatallowscomputationonciphertextsisused,itcanprevent theeavesdropperfromaccessingthesemessages.Farokhi,Shames, and Batterham (2017) and Darup, Redder, Shames, Farokhi, and Quevedo (2018) discuss a homomorphic cryptographic platform with closed-loop stability analysis to address. An application of this method to secure transportation systems is discussed in Farokhi,Shames,andJohansson(2017).Akeymanagementscheme forprivacyissuesinSCADAsystemsisalsoproposed inRezai,Ke- shavarzi, and Moravej (2013). A polynomial-based scheme for a symmetric key generation in SCADA is discussed in Pramod and Sunitha (2015) and a cryptographic framework for the threats

Fig. 5. (a) German Lorenz cipher machine, used in World War II to encrypt very- high-level messages, (b) Encryption and Decryption’s roles in confidentiality.

in cyber-physicalsystems is analyzed inBurmester, Magkos, and Chrissikopoulos (2012).Also Sherif et al.(2017) proposesa simi- larity technique between encrypted data to preserve the privacy of ride-sharingautonomous vehicles. Secureestimation withpri- vacy assurance of the encoded data is discussed in Wiese etal.

(2018).

(ii)Randomization:

Randomizationasadefensivetoolisutilizedtoconfusethepo- tential attackerand has proved useful whenever the predictabil- ity of the deterministic rules may be leveraged by the attackers to obtain key informationof thesystem, potentially for conduct- ing much more advanced attacks. Randomized algorithms have proved useful in a wide range of mathematical and algorithmic problems(Motwani&Raghavan,2010).Randomizationasarobust control technique has been employed in the last decade (Frasca, Ishii, Ravazzi, & Tempo,2015; Milanese, 2013). Most ofthe tech- niques which aim to provide a confidentiality service use ran- domization of data. An example of masking the private data in the presence of an adversarial agent is Mo and Murray (2017). Theregular (non-adversarial)agentsobtainthecorrectstatesand compute the average consensus using the masked data with a noise. Asimilar techniqueina network ofagentsis proposed by Nozari etal. (2017),where theprivacy of thestates is preserved in an approximate manner. The latter methoduses the differen- tial privacy technique to tackle the problem (Corts et al., 2016;

Dwork, 2011). The idea there is to use an alternative random- ized data set to maintain the main data set from confidentiality breaches.Theideaofrandomizationhasbeenproposedalsoinad- versarial machinelearning(Huang, Joseph,Nelson,Rubinstein,and Tygar(2011)).InGupta,Katz,andChopra(2017),theideaofmask- ingdatatoachievetheexactaverageconsensusinthepresenceof aneavesdropper isproposed.Dibaji,Pirani,Annaswamy,Johansso, andChakrabortty(2018)proposesarandomgainselectionmethod tosecurethe closedloop systemagainstdisclosureattackson A₃ andA₉.

2.2.2. Resiliencemechanisms

Resilienceisapropertydefinedastheabilitytowithstandand recover from severe stresses induced by natural stresses or de- liberate attacks (Annaswamy, Malekpour, andBaros, 2016; Fawzi, Tabuada,andDiggavi,2014; Khargonekar,2015; Obamapresiden- tialpolicy;Rieger,Gertman,&McQueen,2009).Resiliencemaynot be aninherent propertyofthesystemandneedstobe bestowed through a suitable design of the control system. A large num- ber ofthemethods reportedintheliterature canbe viewedasa resilience-increasingmechanism. Inwhatfollows,we groupthese methodsintofourtypes,whichinclude(i)Gametheory,(ii)Event- triggeredControl,(iii)MeanSubsequenceReducedalgorithms,and (iv)Trust-basedapproaches.While(i)and(ii)arebasedon state- spacemethods,(iii)and(iv)aregraph-based.

(i)Game-theoreticmethods:

Agame-theoretic approach that provides resilienceconsistsof trying to maximize the priceof attacking a system or minimize thedamage that an attackercan apply tothe system. Gamethe- ory,inanutshell,isaninteractionbetweentwo ormultipleplay- ers, whereeach player triesto optimizesome objectivefunction.

The challengingpartof games isthat the objective functionof a playerdependson thechoicesofatleastone otherplayer inthe game.Thus,eachplayercannotoptimizeitsobjectiveindependent ofchoicesofotherplayers.

There isa vastliterature on game-theoreticapproachesto the security and resilience ofcontrol systems since the past decade.

These approaches vary dependingon the structure of the cyber- physicalsystemorbased onthe specifictype ofmalicious action acting on the cyber layer. Each of these two approaches is dis- cussedbrieflyasfollows:

Fig. 6. Schematic figure of games in games in physical and cyber layers.

ThefirstapproachistomodelthegameforthesecurityofCPS basedonthestructureofthecyberandthephysicallayers(Amin, Schwartz, & Sastry,2013; Chen& Zhu, 2015; Clark, Zhu,Pooven- dran,&Ba¸sar,2013;Ferdowsi,Saad,&Mandayam,2017;La,2017;

Sanjab & Saad, 2016;Sanjab, Saad,& Ba¸sar, 2017; Zhu, Bushnell,

& Ba¸sar,2013;Zhu,Tembine, & Ba¸sar, 2010). Oneofthe common approaches isto define games in both physicaland cyberlayers.

Moreformally,consideringthatinthephysicallayer,theevolution ofthesystemismodeledwiththefollowinggeneraldynamics

˙

x

(

^t

)

=g

(

^t,x,u,w,

η (

t,

α

^,

β ))

, (5)

whereg(.)isanonlinearfunctionofthestatex,thecontrolaction u,thedisturbanceeffectwand

η

^(t,

α

^,

β

^{)whichisaswitchingsig-}

nal indicatingthe stateofthe cyber-layer.Here tis thetime and

α

^and

β

^{are the actions ofthe attacker anddefender inthe cy-}

ber layer, respectively. Parameter

η

^{evolves in discrete time, e.g.,}

Markov jump model, in the cyber-layer which makes the over- all hybridsystemshowninFig.6.Theconceptofgames-in-games reflects two interconnected games, one in the physical layer and the otherinthe cyberlayer.Atthe physicallayercontrol system, a zero-sum differential game between the robust controller and the disturbance is used to design an H∞ controller for achiev- ing robust performance foruncertain parameters or disturbances (Pan&Ba¸sar,1999).Atthecyberlayerdefensesystem,azero-sum stochasticgamebetweenadefenderandanattackerisusedtode- signan optimalcyberpolicy forensuringsystemsecurity (Zhu &

Ba¸sar,2011).

Anotherapproachisbasedonthetype oftheattackandmali- ciousbehaviour(Horák,Zhu,&Bošansk`y,2017;Khanafer,Touri,&

Baar,2013; Miao,Zhu,Pajic, &Pappas, 2018;Ugrinovskii &Lang- bort,2017;Wu,Li,&Shi,2017).Moreparticularly,inthiscase,de- pending on the type ofadversarial or malicious behavior that is activeorpassive,anappropriategamestrategy,e.g.,NashorStack- elberg, has been discussed. More specifically, the interaction be- tween a jammer and a passive defender can be reasonably cap- turedbyaStackelberggameinthatthejammerisanactiveplayer whosendssignalsatanintendedleveltointerferewithcommuni- cation channelswhilethelegitimateuserrationallydefends itself fromsuchanattack.Ontheotherhand,inthecasewherethede- fendinguserbehavesactivelyoreithersidehasaninformationad- vantage,theNashequilibriumbecomesareasonablesolutioncon- cept(Felegyhazi&Hubaux,2006;Gupta,Langbort,&Ba¸sar,2010).

Another example is eavesdropping action. As eavesdropping is a passive attack where an eavesdropper receives information that leaks from a communication channel, the behavior of an eaves- droppercanbeviewedasthatofafollowerinaStackelberggame against a userwhoemploys active defenses(Manshaei,Zhu, Alp- can, Basar,& Hubaux, 2013). Recently, an attacker-defendergame framework on networks with unknown topology is proposed in whichthe defenderinjectscontrol inputstoreacha synchroniza-

tionwhile attenuatingthe (worst case)attack signal from adver- sarialagents(Vamvoudakis&Hespanha,2018a;2018b).

Inadditionto theabove game-theoretic approaches,other ap- proacheshavebeenproposedaswell.Forinstance,theevolutionof networkcontrol systemshasbeenmodeled ascooperativegames (Marden,Arslan,& Shamma,2009) andtheresilienceoftheseco- operativegames to the actions of adversarial agents or commu- nicationfailures havebeeninvestigated. InBrown, Borowski,and Marden (2019), Brown and Marden (2017) and Amin, Schwartz, et al. (2013) the effect of adversarial agents and communica- tion failures on a cooperative game was discussed. Moreover, in Vamvoudakis,Hespanha,Sinopoli,andMo(2014)azero-sumgame fortheproblemofestimationunderattackedsensorsissuggested.

Inordertoaddress thethreatsoncloud-based controlsystems,a signaling game is designed to model the trust between the de- fenderandthethreats(Chen&Zhu,2017;Pawlick,Farhang,&Zhu, 2015).

(ii)Event-triggeredcontrol:

Basedonhow frequenttheattacksoccur, event-triggeredcon- trol schemes instead of time-triggered schemes emerged as ap- propriate tools to increase the resilience of control systems (for an introduction to event-triggered control, refer to Heemels, Jo- hansson, & Tabuada,2012). Sensordisruption attacks (also called jammingorDoS),insometime intervals,onmeasurements (A₁ in Fig.1),are amongthethreatswhose effectscanbe mitigated via appropriate event-triggered control policies. Event-triggered con- troltechniqueshavebeenusedtodesign thesequenceofcontrol inputsu(t_k) inorderto preservetheinputtostate stabilityofthe closed-loopsystem. TheDoSattacksintheseworksarelimitedby thefrequencyandlength.The applicationofevent-triggeredcon- troltotheresilienceofcyber-physicalsystemshasbeenstudiedin DePersisandTesi(2014),DePersisandTesi(2015),DePersisand Tesi(2018),Cetinkaya,Ishii, andHayakawa (2017)andSun,Peng, Zhang,Yang, andWang (2018). Inthese works,thecontrol input is sample-and-hold inthe time sequence of t_k− tk−1>

δ

^instead

ofperiodicsampled-datasystems.The triggeringfunction togen- erate a new control input is based on the errors of state vari- ablesx(^tk)− x(^t)^.ForacomprehensivesurveyonDoSattacksand event-triggeredcontrol toolsagainstthem,thereadercan referto Cetinkaya,Ishii, andHayakawa(2019) andthe referencestherein.

In addition to the case of disruption attacks, mitigating the ef- fectsofcomputational deception attacks (A₆ in Fig.1) via event- triggered control techniques has been investigated (Lei, Yang, &

Yang,2016;Yang,Lei,&Yang,2017).

(iii)MeanSubsequenceReduced(MSR)algorithms:

MSRisaresilientcontrolapproachinwhichateachtimeofthe updates,thecontroller,inordertonotgetaffectedbytheattacks, ignoresthesuspiciousvaluesandcomputesthecontrolinput.One ofthewell-knownapplicationsofMSRalgorithmsisagainstByzan- tine threats. Byzantine nodes are the computational nodes that, in an adversarial manner, send inconsistent information to their neighbors (Dibaji, Ishii, & Tempo, 2018; LeBlanc & Koutsoukos, 2018;LeBlanc,Zhang,Koutsoukos,&Sundaram,2013;Lynch,1996;

Usevitch & Panagou, 2018b; Zhang, Fata, & Sundaram, 2015).

Byzantineattackshavebeen investigatedinthe ’80sincomputer science(e.g.,Lynch,1996).Recently,Byzantineconsensusisgetting revisited,againinthecomputersciencecommunity,todevelopse- cureandreliablecryptocurrencies (see, e.g.,Algorand). MSRalgo- rithmshavebeen applied todistributed computational problems, includingconsensus (Dibaji& Ishii,2017;Dibaji,Ishii,etal.,2018;

LeBlanc et al., 2013), distributed state estimation (Mitra & Sun- daram,2018),synchronization(LeBlanc&Koutsoukos,2018),clock synchronization(Kikuya,Dibaji,& Ishii,2018),anddistributedop- timization(Sundaram&Gharesifard,2016).MSRalgorithmsactas localfilters,inwhich,byassumingthatthemaximumnumberfof maliciousagentsin thenetwork isknown,every node disregards

flargest andfsmallestvaluesfromits neighbors.Hence,there is noneedtohaveaknowledgeabouttheglobaltopology.³Inthese studies,network-theoretic necessary and sufficient conditions for theconvergenceofMSRalgorithmshavebeenintroduced.Thecrit- icalpropertyiscalledgraphrobustnesswhichisameasureofcon- nectivitywithinagraphandcharacterizeshowwellgroupswithin thenetworkareconnectedviamultiplepaths.Networkrobustness wasfirstintroduced byLeBlancetal.(2013)fortheresilientcon- sensusofagents withfirst-orderinteraction dynamics. Graphro- bustnesscanbe determinedwithlinearprogramming(Usevitch&

Panagou,2018a)andingeneralwasshowninZhangetal.(2015)to be a computationally hard problembut can be obtained almost surelyinrandomlargenetworks.Whileasimilarproblemofmul- tiplesensorsbeingattackedsimultaneouslyhasbeenaddressedin Fawzietal.(2014)aswell,thedefenseapproachtakenisdifferent fromthe MSR-approach andisbasedon compressedsensingand errorcorrection.

(iv)Trust-basedapproaches:

Trust-basedmethodshavebeeninvestigatedfornotonlycyber- security but also general problems where some of the subsys- temsmaybeuntrustworthy.Mikulski,Lewis,Gu,andHudas(2011), Mikulski,Lewis,Gu, andHudas(2014)andHausetal.(2014)have used a multi-agent approach in order to improve overall re- silience.Thisstrategyisequivalenttoredundancy-basedapproaches ingraphs andis based onthe assumption that if thenumber of attacksissufficiently small,correctinformationcan flowthrough thepaths formed by trustednodes.Trust-based approaches have beeninvestigatedinJiangandBaras(2006)andAbbas,Laszka,and Koutsoukos(2018)tospreadtheinformationinamulti-agentsys- tem in the presence of adversarial nodes. An alternative way is todefine a function oftrust andupdate the trust value between thenodesasthesystemevolves. Insuchapproaches, thereliance and effects of each healthy node on its neighbors is a function ofthe trust value. A survey on how to use trust models in dif- ferentnetworkdomainsisMomaniandChalla(2010).Trust-based approacheshavebeen used mainlyfor defense against deception attacksandmoreofteninthecontextofsensornetworks(Ahmed, Bakar, Channa, Haseeb, & Khan, 2015; Khan & Stankovi´c, 2013) andinDCmicrogridcontrol(Abhinav,Modares,Lewis,&Davoudi, 2019).

(v)Otherapproaches:

In addition tothe above fourmethods, resiliencemechanisms have been proposed using a variety of other control methods.

Sun, Peng, Yang, Zhang, and He (2017), for instance, suggests a resilient control assuming that the probability of the disruption attacks at each time is at least partially known. A sliding mode control for the resilience against DoS attacks in nonlinear and chaotic systems hasbeen proposed in Zhao andYang (2017).An acknowledge-basedcheatingschemeisproposedinDing,Ren,and Shi(2016).AnothertechniqueisLiu,Xu,Li,andLiu(2017),where itproposesadecomposition ofKalmanfilters asa weightedsum oflocalstate estimatesundersparsesensordeceptionattacks(A₂) intoamoresecureestimationframework. Withthehelp ofcom- pressed sensing methods and their relation in error corrections overthe reals,Fawzi etal. (2014)proposes adecoding algorithm to recovertrue states despite the existence of attacks.Moreover, byusing separationprinciple, itshows thatif thesystemis con- trollable, one can enforce the number of correctable errors (at- tacks) to be maximum without loosing the performance of the system(Fawzi, Tabuada,& Diggavi,2012). InSatchidanandan and Kumar (2018a,b) when the state space is subject to malicious

3 One reason that in such algorithms detection is not utilized is that detection- based approaches require global topology of the network and have a heavy compu- tational burden on each node ( Sundaram & Hadjicostis, 2011 ).

actions, a decomposition of the state space into a securable and anunsecurablesubspaceiscarriedout,wherethemaliciousnodes cannot degrade the state estimation performance in the former but only along the latter. Another recent work is Dibaji, Pirani, etal.(2018)wherefordefendingagainstthedeceptionattacks(A₆) on the cyberlayer, an informationretrieval approach is hired so that the state feedback, at each time step, makes use of healthy andunattackeddata.Finally,inLu,Chang,Zhang,Marinovici,and Conejo (2016), a Lyapunov stabilitymethod is employed forDoS attacksinwide-areacontrol ofpowersystems. InDibaji,Safi and Ishii(2019),aresilientdistributedretrievalalgorithmbasedonse- cure broadcasting and accepting has been employed to compute averaging over strongly robust graphs. Yet another tool used for obtainingresilience,mainlyagainstdisclosureattacks,istheuseof privacyloss asapenalty componentin theunderlyingcost func- tion(e.g.,Tanaka,Skoglund,Sandberg,&Johansson,2017).Bycon- structing an information theoretic measure, I, betweentwo data setsXandY,givenby

I

(

^X;Y

)

^=H

(

^X

)

^{− H}

(

^X

|

^Y

)

^{, (6)}

whereH isthe entropy,to formthe penalty component;the ap- proachconsistsoftheoptimizationofthiscost functionwithand withoutthepenaltycomponentandevaluatingtheresultingtrade- off.

2.2.3. Detection&isolationmechanisms

Wenowdirectourattentiontothethirdcomponentillustrated inFig. 4,detection & isolation. Asthe namesuggests, this corre- spondstoaquickdetection&isolationoftheattack.Thesemech- anisms,similartotheresiliencedescribedinSection2.2.2,getac- tivatedaftertheattack,andconstitutethebulkoftheresearchin CPSsecurityfromthecontrolscommunity.Itshouldbenotedthat methodssuchaspatchandpray(Rusetal.,2018),stemmingfrom thecomputer sciencecommunity,canbe groupedunderthiscat- egoryaswell.Thisiscommonlyusedincybersecurity,andhasto dowithrespondingtoexistingthreatsandhopingthattheresults willdeterfutureattacks.

A detection mechanism usually uncovers the existence of an attack by monitoring its effects on the outputs of the system.

In addition to detecting the existence of an attack, stronger strategies can be proposed to identify (or localize) the set of nodes/signals that are attacked(e.g., Pasqualetti, Dorfler, & Bullo, 2013;Pasqualetti, Dorfler, & Bullo, 2015a). Ifthe effectof theat- tacksignalscannotbetracedbytheoutputs,theyarecalledcovert (Teixeira, Sou, et al., 2015) or stealthy attacks (Teixeira, Shames, Sandberg,&Johansson,2012).ThesurveypapersDingetal.,2018;

Giraldo et al., 2018 have reviewed some detection mechanisms fordeception, aswell asdisruptionattacks incyber-physicalsys- tems. Detectiontools stemming fromthe control-theoreticlitera- turehavebeen usedprimarily against deception attacks whilein thecomputer-scienceliteraturehavebeenemployed forconfiden- tialityattacksaswell(Zeldovich,2014).

In what follows, we classify all detection & isolation meth- ods proposed inthe controlsliterature intofive categorieswhich include Observer-basedtechniques,Analytical consistency, Water- marking,Baiting,andLearning-basedanomalydetection.

(i)Observer-basedtechniques:

Observersincontrol systemsaredesignedtoestimate unmea- surable state variables. Detection can therefore be enabled us- ing observers and a comparison between the resulting state es- timates in thehealthy and attackedcases, oftentermed residues. If the residues exceed a certain threshold, an alarm is activated (Teixeira,etal.,2015).Acommonmethodusedfordesigningsuch observers is geometric control theory (De Persis & Isidori, 2001;

Massoumnia, Verghese,& Willsky,1989). TermedUnknown Input

Observers,theapproachconsistsofusingthismethodinthepres- ence of unknown input that here it refers to the attacked in- putswhichcannotbe reliedupon.Anotherexamplecanbefound in Pasqualetti et al. (2013), where deception and disruption at- tacks on both sensors and actuators are modeled aslinear alge- braic conditions for detection and identification of the attacked sets. Pasqualetti et al. (2013) also proposes centralized and dis- tributed filters. Pasqualetti, Dörfler, and Bullo (2015b) proposes severalalgorithmsfordistributedanddecentralizeddetectionand identificationofsystemswithsome certaincouplingfeatures.The identification phase, in particular, is based on a combinatorial search on all potential sets of attacks. Same ideas have been usedinmulti-agentsystemsinthepresenceofmisbehavingnodes (Chen,Kar,&Moura,2017;Pasqualetti,Bicchi,&Bullo,2012;Sun- daram&Hadjicostis,2011).Moreover,Murguia,vandeWouw,and Ruths (2017) uses the same technique on sensor attacks (A₂ in Fig.1)andanalyzesthereachablesetsofattacks.However,inthese works,differentmatricesforpredictionoftheoutputs anddetec- tionhavetobeusedwhichtakesignificantamountofmemoryand computational complexities. A scalableversion of theseworks is Shoukryetal.(2018)whereattack-freesensorsusingaSatisfiabil- ityModuloTheory(SMT)areidentifiedwithLuenbergerobservers.

A specific subcase ofobservers corresponds to the casewhen theunderlyingmodelisstatic.Forexample,if

z=Hx+e, (7)

whereHistheJacobianmatrix,zisthemeasurement,xisthestate variables, and e is the measurement/modeling noise, the goal is to estimate x usingz, inthe presence of attacks, which may ei- ther be on the sensor z or on H. This problem is ubiquitous in power systems wheremeasurements of eithervoltage or current are not possible everywhere in the network but have to be es- timated (Gomez-Exposito & Abur, 2004). For example, if decep- tion attacks on sensors (e.g., A₂ in Fig. 1) occur, Teixeira, Amin, Sandberg, Johansson, and Sastry (2010), Sandberg et al. (2010), Chakhchoukh and Ishii (2015), Chakhchoukh, Vittal, Heydt, and Ishii (2017) and Liu, Ning, and Reiter (2009) propose a solu- tion based on robust signal processing techniques such as Least TrimmedSquares(LTS)tominimizetheresidue.Ingeneral,theun- derlying ideahereistotreatthe corrupteddataandignorethem asoutliersbeforedoing therequiredanalysis.Application ofsuch worksonAutomaticGenerationControl(AGC)andSCADAarestud- iedinAnderssonetal.(2012).

(ii)Analyticalconsistency:

Physical coupling and the correlation between state variables and control decisions across individual subsystems of a CPS can be an effectiveway for detecting attacks on the communication layer. Theycanenableustopartiallyorfullyreconstructa signal atonephysicallocationusingsignalsmeasuredatother locations, forming redundancyrelationships that can be used to determine if data have been manipulated during communication. These re- dundancy relationships, oftenreferred toasanalyticalconsistency, are quite common in spatially distributed CPSs. For example, in power systems,one approachto designcontrollers that bothsta- bilizefrequencyandminimize dispatchcostisZhao,Mallada,and Dörfler(2015)

Cju˙j

(

^t

)

=−

ω

j

(

^t

)

− Cj



k∈Nj

(

^Cjuj

(

^t

)

− Ckuk

(

^t

))

, (8)

whereu_j isthe adjustablemechanicalpowerinput ofgenerator j withanassociatedcost C_j,Nj isassociatedwiththeneighborsof j-thgenerator bus,and

ω

j isthefrequencydeviationofgenerator j fromthe synchronousfrequency,withits dynamicsgovernedby the swing equations.The couplingbetweenthe control decisions ofdifferentgeneratorsin(8)leadstoanapproximateconstraintof

theform

C_ju˙_j

(

^t

)

− Cku˙_k

(

^t

)

=−p˙jk

Bjk +C_k

i∈Nk

(

^Cku_k

(

^t

)

− Ciu_i

(

^t

))

−Cj



i∈Nj

(

^Cju_j

(

^t

)

^{− C}iu_i

(

^t

))

^{, (9)}

wherep_jkdenotesthepowerflowbetweengeneratorbusesjandk. Thus,ifanyfeedbackinformationis droppedorcorrupted during communication, then physical truths such as (9)can be checked for consistency, and that too via local sensing and computation asthe power flow p_jk can be measured locally at node j. Cross- checks between physics and computation for detecting anoma- lies in a CPS have been used in some recent papers such as Macwanet al. (2016) andNicol, Sanders, and Trivedi (2004). An effective future research direction on this topic wouldbe to ex- tendthisconcept tocontroldesign,i.e., todevelopcontrol strate- gies such as (9) that enhance spatial redundancy, and equip us withadditional consistency checksthan what is simply available from the open-loop system. The controller should preferably be implementedinadistributedwayascentralizedcomputationdur- ingthesetypesofattackscanbequitedangerous.

(iii)Watermarking:

Theconcept ofWatermarkingisoftenusedto authenticatean entity.Forexample,awatermarkonapieceofpaperiseffectively a signature that cannot be erased. This concept is used in the contextof detection& isolationby constructinga suitable metric anda perturbationoftheinput signal suchthat themetricdrop- pingbelowacertain thresholdsignalsthepresenceofanattacker (Mo, Hespanha, & Sinopoli, 2014b). Particular success of the wa- termarking approach has been reported in the context of replay attacksandisdiscussedbelow.

Areplay attack corresponds toone wherethe attackerhijacks the sensors or eavesdrops for a certain amount of time and re- playsthesamedataoverandoveragain. Inparticular,arecorded horizonof data,in normalconditions, issent tothe monitors of theoperators so that the alarms wouldnot be triggered andthe operators aretrickedintothinkingthat theclosed-loop systemis operatingnormally(Chen,2010;Moetal., 2014b). Replayattacks aresometimesgroupedunderthecategoryofdisruptionattacksas theycausethecurrentdatatobecomeunavailable.Obviouslythey canalsobeviewedasdeceptionattacks(Dingetal.,2018).

Replayattackscanbeovercomeusingwatermarking(Moetal., 2015)by perturbinganoptimalcontrol inputina particularman- ner.Inordertoensurethatthecontrollerdoesnotbecomeoverly sub-optimal,Moetal.(2015) discussesmethods tomaximize the likelihoodofattack detectionwhile constrainingtheeffectof the watermark on ideal system operation. An application of water- marking in SCADA networks is introduced in Mo, Chabukswar, and Sinopoli (2014a). A watermarking-based approach to defend against replay attacks in multi-agent systems (A₆) is proposed in Khazraei, Kebriaei, and Salmasi (2017). In Ferrari and Teix- eira (2017b),a multiplicativesensor based watermark is used to detect replay attacks on sensors. In Ferrari andTeixeira (2017a), thesamemultiplicativewatermarkingtechniqueisusedto detect routing attacks where the wires of the sensors are intentionally swapped(A₂).Motivatedbythereplayattacks,Lucia,Sinopoli,and Franze (2016); Moetal.(2015) posit a formofreplay attacks on linear stochastic systems and propose a

χ

^{2-detectionmethod to}

alertthesystemoperatorofthepresenceofanadversaryconduct- ingareplayattack.

Theeffectsofwatermarkingonamoregeneralsetofsensorde- ceptionattacksisstudiedinSatchidanandanandKumar(2017).It isalsoshownthatasetofuncompromisedactuators,eachinject- ingitsownaddedwatermarksignal,canbeusedtocheckthehon- estyofthe sensorswhich should reportback measurements that

containa historyoftheeffectofwatermarking. Morespecifically, SatchidanandanandKumar (2017)analyzes a numberofsystems including SISO (Single Input, Single Output) and MIMO (Multi- Input, Multi-Output) linear systems with Gaussian noise models andshowsthattheasymptoticbehaviorofasystemwiththewa- termarkconstrainsthedamage asensor spoofingattackercan do withoutbeing undetected.Dynamic watermarking hasbeen vali- datedinpowersystemsinHuangetal.(2018)andintransporta- tionsystems(Ko,Satchidanandan,&Kumar,2016).Acombination of Gaussian and Bernoulli processes to generate a watermarking signal is suggested in Weerakkody, Ozel, and Sinopoli (2017) for generaldetection of deception attacks on sensors and actuators.

Thesameideaisproposed foruseagainstcovertattacks(onboth A₂ andA₈)inHoehn andZhang(2016) byinsertinga modulation systembetweenA₈andtheactuationtomisguideandconfusethe attacker.

(iv)Baiting:

Like the watermarking case, suppose we beginwith a worst- casescenario wherethe attacker isassumed to havea complete access to the entire system dynamics, all of its sensors, and all of its actuators. The question is if one can design a method by which such an attacker cannot remain stealthy and can be re- vealed.These methods, termed Baiting (Flamholz, Annaswamy,&

Lavretsky, 2018) and Moving Target(Weerakkody, Mo, & Sinopoli, 2014), then seek to design the system in a way such that this worst-casescenariocanbedetected.InFlamholzetal.(2018)and Teixeiraetal.(2012),themethodconsistsofbaitingtheattackerto revealthemselvesbyintroducinganarbitraryoffsetinthesystem dynamicswhich guarantees that a worst-caseattack proposed in Kwon,Liu,andHwang(2014)canbequicklydetected.Byintroduc- ingvirtual state variables inadditionto theoriginal systemstate variables,WeerakkodyandSinopoli(2015,2016)offeramethodto prevent an eavesdropping attacker from inferring system knowl- edge,A, fromthe systemoutput andcontrol signals.Thislack of knowledge of A prevents the attacker from achieving worst-case stealthyattacks.MovingTargetDefenses(MTD),inageneralcyber- securitycontext,aredefenseschemesinwhichthedefendervaries systemattributesinordertointroduceunpredictabilityintotheat- tack surface (Jajodia, Ghosh, Swarup, Wang, & Wang, 2011). The moving target approach can also be utilized to detect the pres- enceof attacks on both the control inputs andsensor measure- ments(Weerakkody&Sinopoli,2015).

(v)Learning-basedanomalydetection:

Anomalydetectionisatechniqueinmachine learningtodetect the presence of suspicious data (Ng, 2018). For a review on ap- plicationsofanomaly detectionincomputernetworks, thereader isreferred to Garcia-Teodoro,Diaz-Verdejo, Maciá-Fernández, and Vázquez (2009) and Tsai, Hsu, Lin, andLin (2009). Anomaly de- tectiontechniquesinpowersystemsareintroduced inTen,Hong, andLiu(2011).ApplicationsofNeuralNetworks(NNs)andBaysian learningarestudiedforanomalydetectioninthecontextofsecu- rityinthepresenceofattacks(He,Mendis,&Wei,2016;Kailkhura, Han,Brahma, & Varshney,2013;Lippmann& Cunningham,2000;

Reddy,2013;ShitharthandPrince Winston,2017). Particularly, in thelatter,itisassumedthattheByzantinenodesareawareofthe true hypothesis and they are compromised to degrade detection performance. The problem of distributed detection is formulated asa Binaryhypothesistest by the sensors.A directapplication of thisworkisinPal,Sikdar,andChow(2018)todetectdeceptionat- tackson Phasor Measurement Units(PMUs)data.Also, it isused inBarbosa, Sadre, andPras (2013) for SCADA networks, wherea whitelistisgeneratedbylearningthenetworklegitimatetrafficfor agivenperiodof timeandis usedfordetectionofother threats.

An unsupervised detectionmethod is employed in Almalawi, Yu, Tari,Fahad,andKhalil(2014)todetectanomalies.

Fig. 7. A conceptual representation of performance degradation due to an attack on a CPS and its recovery over time.

There are several works that discuss designing anomaly detectors through other tools. In this direction, Liao and Chakrabortty (2018) uses a Round-Robin algorithm for local- izing the deception attacks on power systems. Another local- izing work in power systems is Nudell, Thomas, Nabavi and Chakrabortty(2015),whereagraph-theoretictechniqueisusedto localize wherethe effect of an attack exists in a wide-areacon- trolarchitecture.ArecursivedistributedKalmanfilterinthepres- enceofsensorattacks(A₂) isdevelopedinDing,Li,Quevedo,Dey, andShi(2017)andMishra,Shoukry,Karamchandani,Diggavi,and Tabuada(2017).Someworksalsocombinetheresiliencywithde- tection methods and investigate the resilience of the detection toolsunderattackedconditions(e.g.,Pajic,Lee,&Pappas,2017).In Li,Lu,Wang,andChoo(2017),amajorityvotingisutilizedforde- tetcion ofdeception attacks insmart grid. Application ofKalman filter in detection of replay attacks (A₂) in SCADA systems has beendiscussedinDo,Fillatre,andNikiforov(2017).InMagieraand Katulski(2015)authorspresentanapplicationofspatialprocessing methodsforGPSspoofingdetectionandmitigation.Themethodis basedonsignalprocessingtechniquesratherthanthetopologyof thenetwork. Obtaining thedirectionofarrival orangleof arrival estimate ofthe receivingsignalsis thekey techniqueutilizedfor applyingthemethod.

2.3. Securitymetric

Withvariousdefensemechanismsandunderlyingsystemsand controltoolsdescribedabove,onemayneedtoascertainthesuit- ability of one method over another for a given application. For this purpose, a security metric that quantifies the benefit ob- tainable froma given method is needed. There is a rich history in the literature on defining metrics for the security of systems (e.g., Annaswamy et al., 2016; Baros, Shiltz, Jaipuria, Hussain, &

Annaswamy,2017; Teixeira etal., 2015). One could useFig. 4for thispurposeaswell,anddenoteitastheratiooftheareasunder thecurvessand^.

Asomewhat differentrepresentationof secureperformance is oftenutilizedinthe literature(Bruneauetal., 2003).Ratherthan viewing security asthe reduction ofthreat asin Fig. 4, one can viewsecurityandresiliencyasanimprovementinthesteady-state performancefollowinganattack(seeFig.7).InFig.7,itisassumed that an attackoccursat t₀,that suitable defensemechanisms are invokedatt₁ whichallowsperformancetograduallyrecoveruntil t₂,leavinganetsteady-statedegradation.Onecanthenproposea securitymetricbasedonthisdegradationas

S

(

^I

)

=

k=T

k=0D

(

^{I∗[k]− I[k]}

)

k=T

k=0D

(

^I∗[k]

)

^{, (10)}