Two-Way Coding and Attack Decoupling in Control Systems Under Injection Attacks

09/04/2019 ∙ by Song Fang, et al. ∙ KTH Royal Institute of Technology

In this paper, we introduce the concept of two-way coding, which originates in communication theory characterizing coding schemes for two-way channels, into control theory, particularly to facilitate the analysis and design of feedback control systems under injection attacks. Moreover, we propose the notion of attack decoupling, and show how the controller and the two-way coding can be co-designed to nullify the transfer function from attack to plant, rendering the attack effect zero both in transient phase and in steady state.


I Introduction

Observations on the underlying connections between communication and control date back to [1], in which the authors (including Shannon and Bode) stated that “there is an obvious analogy between the problem of smoothing the data to eliminate or reduce the effect of tracking errors and the problem of separating a signal from interfering noise in communications systems”. In recent years, as the integration of communication and control systems has become more and more prevalent, as witnessed in, e.g., cyber-physical systems and IoT systems, the interaction of communication theory (including information theory and coding theory) and control theory has become an especially active topic (see, e.g., [2] and the references therein). In such interactions, concepts and tools from communication such as entropy have been introduced to control (see, e.g., [3]), and likewise those from control to communication, as in, for instance, [4].

In this paper, we introduce yet another notion from communication to control: two-way coding in two-way communication. The concept of two-way communication channels was proposed by Shannon [5]. As its name indicates, in two-way channels, signals are transmitted simultaneously in both directions between the two terminals of communication. Accordingly, coding schemes for two-way channels should utilize the information contained in the data streaming in both directions. Stated alternatively, the coding schemes should also be two-way, and thus are correspondingly referred to as two-way coding [6, 7, 8].

With the controller side and the plant side being respectively viewed as the two terminals of communication, the communication channels embedded in networked feedback control systems are inherently two-way channels. However, approaches based on two-way coding for the two-way channels in networked feedback systems are rarely seen in the literature. One exception is the so-called scattering transformation utilized in the tele-operation of robotics [9], although, as far as we know, its connection with two-way coding has never before been established. Nevertheless, scattering transformation can be viewed in a broad sense as a special class of two-way coding, aiming to resolve the issue of two-way time delays, the most essential characterization and the main issue of the two-way channels modeled on the input-output level in the problem of tele-operation.

When it comes to cyber-physical security problems arising in networked control systems (see, e.g., [10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21] and the references therein), to the best of our knowledge, only one-way coding has been employed. The authors of [22] introduced one-way encryption matrices into control systems to achieve confidentiality and integrity. In [23], the authors considered using one-way coding matrices to encode the sensor outputs in order to detect stealthy false data injection attacks in cyber-physical systems. One-way modulation matrices were inserted into cyber-physical systems in [24] to detect covert attacks and zero-dynamics attacks. Dynamic one-way coding was applied to detect and isolate routing attacks [25] and replay attacks [26]. For remote state estimation in the presence of eavesdroppers, the so-called state-secrecy codes were introduced [27], which are also essentially one-way coding schemes. Nevertheless, one-way coding has its inherent limitations; for instance, one-way coding in general cannot eliminate the unstable poles or nonminimum-phase zeros of the plant or the controller [28], which are the most critical issues in the defense against, e.g., zero-dynamics attacks [13].

In our previous work [28], we examined how the presence of two-way coding in linear time-invariant (LTI) feedback control systems can make the zeros and/or poles of the equivalent plant as viewed by the attacker all different from those of the original plant, and under some additional assumptions (i.e., the plant is stabilizable by static output feedback), the equivalent plant may even be made stable and/or minimum-phase. In the particular case of zero-dynamics attacks, it is then implied that the attacks will be detected if designed according to the original plant, while the attack effect may be corrected in steady state if the attacks are designed with respect to the equivalent plant.

To prevent possible damage during the transient phase even when the attack effect can be corrected in steady state, in this paper we propose the notion of attack decoupling. For LTI systems, we say that a certain attack is decoupled if the transfer function from attack to plant input/output is made zero, without making zero the transfer function from reference to plant input/output. As such, when attack decoupling is achieved, the attack response will be completely zero both in transient phase and in steady state. We then examine in order conventional feedback systems, feedback systems with one-way coding, as well as feedback systems with two-way coding, and discover that it is only in feedback systems with two-way coding that attacks in the uplink or downlink channels can be decoupled.

The remainder of the paper is organized as follows. Section II introduces the two-way coding. In Section III, we propose the notion of attack decoupling. Concluding remarks are given in Section IV.

II Two-Way Coding

Consider the single-input single-output (SISO) system depicted in Fig. 1. Herein, denotes the controller while denotes the plant. The reference signal is and the plant output is . In addition, let , , , , , , .

Fig. 1: A networked feedback system with two-way coding.

Definition 1

The (static) two-way coding is defined as

(1)

Herein, are chosen such that

(2)

Strictly speaking, it should be further assumed that .

Herein, two-way coding (that operates in a feedback loop) represents a two-way transformation taking in the signal in the forward path and the signal in the feedback path while outputting a new signal to the forward path and a second new signal that passes on in the feedback path. In comparison, Fig. 2 depicts a system with one-way coding schemes, which are one-way transformations that either take in the signal in the forward path and output a new signal that passes on in the forward path, or input the signal in the feedback path and output a signal that continues in the feedback path; herein, and .

Fig. 2: A networked feedback system with one-way coding.

For simplicity, we denote the inverse of two-way coding as

(3)

where . As illustrated on the plant side in Fig. 1, the inverse of two-way coding denotes another two-way coding.

II-A Two-Way Coding in LTI Feedback Control Systems

We next analyze in particular LTI feedback control systems with two-way coding. Consider the SISO feedback system with two-way coding depicted in Fig. 3. Assume that herein the controller and plant are LTI with transfer functions and , respectively. In addition, let , , , , , , , , . Meanwhile, suppose that injection (additive) attacks and exist in the forward path and feedback path of the control systems, respectively. Let , , , , , , , , , , represent the Laplace transforms, assuming that they exist, of the signals , , , , , , , , , , . From now on, we assume that all the transfer functions of the systems are with zero initial conditions, unless otherwise specified.

Fig. 3: A feedback system with two-way coding under injection attacks.

We now provide expressions [28] for the Laplace transforms of the plant input and the plant output , given reference and under injection attacks and .

Proposition 1

Consider the SISO feedback system with two-way coding under injection attacks depicted in Fig. 3. Assume that controller and plant are LTI with transfer functions and , respectively, and that the closed-loop system is stable. Then,

(4)

and

(5)

Proposition 1 lays the foundation for the analysis of attack decoupling in feedback systems with two-way coding, as will be discussed shortly.

III Attack Decoupling

In what follows, we propose the notion of attack decoupling, which features a strong notion of security in the context of cyber-physical systems; in general, however, it is a broader control-theoretic notion applicable to any (networked) feedback system.

Definition 2

Consider a feedback control system. An attack is said to be decoupled if the attack response in plant input/output can be made completely zero for arbitrary attack signals, without nullifying the reference response in plant input/output.

For LTI systems, attack decoupling can be defined more specifically in terms of transfer functions.

Definition 3

Consider an LTI feedback control system. An attack is said to be decoupled if the transfer function from attack to plant input/output can be made zero, without nullifying the transfer function from reference to plant input/output.

When the attack is decoupled for a certain attack point, it is as if the path from the attack signal to plant input/output signal is cut off, while not cutting off the signal path from the reference to plant input/output. In general, attack decoupling is a system-theoretic notion, which is not restricted to dealing with attacks and is more broadly applicable to disturbances and noises. Within the scope of attack analysis, however, attack decoupling is a strong notion of security, meaning that the attack response will be completely zero both in transient phase and in steady state for arbitrary injection attacks, regardless of what the attacker knows or does.

As a matter of fact, attack decoupling is closely related to the notion of disturbance decoupling in geometric control [29]. More specifically, disturbance decoupling only requires the transfer function from the disturbance to plant output to be zero, without requiring the transfer function from the disturbance to plant input to be zero. In this sense, attack decoupling implies and provides a new approach to achieve disturbance decoupling, while bringing new perspectives to other relevant topics in geometric control as well.

We next investigate, one by one, conventional feedback systems, feedback systems with one-way coding, as well as feedback systems with two-way coding, to see whether attack decoupling is possible, and if so, how to achieve it.

III-A Conventional Feedback Systems

Fig. 4: A feedback system without coding.

In the sequel, we let denote the transfer functions from to , respectively, and let denote the transfer functions from to , respectively. We shall first show that for conventional feedback control systems without coding, as depicted in Fig. 4, neither attack nor attack can be decoupled.

Theorem 1

Consider the SISO feedback system depicted in Fig. 4. Then, neither attack nor attack can be decoupled.

Proof:

For the system in Fig. 4, it can be obtained that

Clearly,

As such, if or , then . In other words, attack cannot be decoupled. Similarly, by noting that

and that

it follows that attack cannot be decoupled.

III-B Feedback System with One-Way Coding

Fig. 5: A feedback system with one-way coding.

In the system in Fig. 5 with one-way coding, neither attack nor attack can be decoupled.

Theorem 2

Consider the SISO feedback system depicted in Fig. 5. Then, neither attack nor attack can be decoupled.

Proof:

For the system in Fig. 5, it can be obtained that

Clearly,

As such, if or , then . In other words, attack cannot be decoupled. Similarly, by noting that

and that

it follows that attack cannot be decoupled.

In fact, it can be shown that attack decoupling is possible at neither point even with dynamic one-way coding and .

III-C Feedback System with Two-Way Coding

For the system shown in Fig. 3 with two-way coding, attack can be decoupled, and attack can be decoupled as well.

Theorem 3

Consider the SISO feedback system depicted in Fig. 3. Suppose that plant is stabilizable by static output feedback, and that controller is chosen among such static output-feedback stabilizing controllers, i.e., .

  • If , then attack is decoupled;

  • If , then attack is decoupled.

Proof:

For the system in Fig. 3, it can be obtained that (see Proposition 1)

and

Clearly, when and , we have

and it follows that and , while and . In other words, attack is decoupled. Similarly, when and , we have

and it follows that and , while and . In other words, attack is decoupled.

Intuitively, in feedback systems without coding as well as systems with one-way coding, there is only one feedback loop; as such, if the path from the attack signal to plant input/output signal is to be cut off, then the signal path from the reference to plant input/output will inevitably also be cut off. On the other hand, the presence of two-way coding brings additional feedback loops into a feedback system, enabling, probably in a subtle way, the cutting off of the path from the attack signal to plant input/output signal without cutting off that from the reference to plant input/output.

Note that the attack decoupling of or requires the co-design of the controller and the two-way coding, as well as the sacrifice of control performance, since controllers are limited to static output feedback.

Note also that the conditions for achieving attack decoupling do not involve the plant. In other words, attack decoupling will not be affected by the inaccuracies/uncertainties in plant model .

It is clear that if attack (or ) is decoupled, then its attack response (for any injection attacks) will be zero in plant input/output, even though the attacks may not be detected; for instance, zero-dynamics attacks [13] at (or ) cannot be detected if designed properly, but they will have no influence on plant input/output when attack (or ) is decoupled.
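The decoupling behaviour discussed in this section can be checked numerically; the following is an added example, not code from the paper. Because the coding equations did not survive on this page, the wiring is an assumption: the controller side applies a static matrix M = [[a, b], [c, d]], the plant side applies its inverse, and the names `n_fwd`, `n_fb`, `p`, `q`, `z`, the two plants and the coding values are all hypothetical.

```python
"""Added illustration: static two-way coding in a SISO loop, solved per frequency.

Assumed wiring (not taken from the page):
  controller side: [p, z] = M [v, q + n_fb],      v = K (r - z)
  plant side:      [u, q] = M^-1 [p + n_fwd, y],  y = P(s) u
with M = [[a, b], [c, d]] and a, d, ad - bc nonzero.
"""

def solve(A, rhs):
    """Gauss-Jordan elimination with partial pivoting over complex numbers."""
    n = len(rhs)
    aug = [list(map(complex, row)) + [complex(v)] for row, v in zip(A, rhs)]
    for col in range(n):
        piv = max(range(col, n), key=lambda i: abs(aug[i][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("loop equations are singular")
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(n):
            if i != col:
                f = aug[i][col] / aug[col][col]
                aug[i] = [x - f * y for x, y in zip(aug[i], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]

def plant_response(P, K, M, s, r=0.0, n_fwd=0.0, n_fb=0.0):
    """Return (u, y) at complex frequency s for the given exogenous inputs."""
    (a, b), (c, d) = M
    A = [  # unknowns: v, z, p, q, u, y
        [1, K, 0, 0, 0, 0],       # v = K (r - z)
        [-a, 0, 1, -b, 0, 0],     # p = a v + b (q + n_fb)
        [-c, 1, 0, -d, 0, 0],     # z = c v + d (q + n_fb)
        [0, 0, -1, b, a, 0],      # p + n_fwd = a u + b q
        [0, 0, 0, d, c, -1],      # y = c u + d q
        [0, 0, 0, 0, -P(s), 1],   # y = P(s) u
    ]
    return tuple(solve(A, [K * r, b * n_fb, d * n_fb, n_fwd, 0, 0])[4:])

def gains(P, K, M, freqs=(0.0, 0.5, 2.0, 10.0)):
    """Largest |u| over freqs for a unit signal at each injection point."""
    return {name: max(abs(plant_response(P, K, M, 1j * w, **{name: 1.0})[0])
                      for w in freqs)
            for name in ("r", "n_fwd", "n_fb")}

K = 2.0                                    # static output-feedback controller
P1 = lambda s: 1 / (s + 1)                 # constructed sample plants
P2 = lambda s: (s + 3) / (s * s + 2 * s + 5)
IDENTITY = ((1, 0), (0, 1))                # no coding: the conventional loop
# Feedback-channel condition in this wiring: b = K (ad - bc).
FB_DECOUPLED = ((1, 1), (0.5, 1))

def fwd_almost(K, eps):
    """Forward-channel condition is 1 + K c = 0; eps keeps it merely small."""
    return ((1, 0), (-1 / K + eps, 1))

if __name__ == "__main__":
    for label, M in (("no coding", IDENTITY), ("feedback decoupled", FB_DECOUPLED),
                     ("forward almost", fwd_almost(K, 1e-6))):
        print(label, gains(P1, K, M))
```

In this assumed wiring the exact forward-channel condition makes the controller-side loop gain 1 + Kc vanish, so the example approaches it with a small offset. Since y = P(s) u, a zero response at the plant input is also a zero response at the plant output.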

III-C1 Control-theoretic implications of attack decoupling

We now examine the implications of attack decoupling in control systems. It is clear that when , its norm is zero, that is,

(6)

and moreover, the corresponding Bode integral is given by

(7)

This means perfect attack attenuation, and thus no limitations (e.g., lower bound on norm [30]) or trade-offs (e.g., Bode integral [30]) are present. Similar conclusions hold for the cases when , , and as well.

III-C2 Almost vs. exact attack decoupling

Strictly and practically speaking, for , only “almost attack decoupling” is possible; otherwise, algebraic loops will be present in the feedback system. By “almost attack decoupling”, we mean the attack signal can be attenuated to any degree of accuracy, e.g., the norm of the corresponding transfer function can be made arbitrarily close to zero; cf. almost disturbance decoupling in [31]. In particular, (6) will then become

(8)

and (7) becomes

(9)

Meanwhile, for , “exact attack decoupling” (as defined in Definition 2 and Definition 3) can be achieved. That is to say, the following are still achievable:

(10)

and

(11)

However, since almost attack decoupling will involve dynamic and/or dynamic

we leave the detailed discussions on this topic to future research.

III-D An “Impossibility Theorem”

In what has been presented in this paper so far, we only considered the so-called “single-point” attacks, such as zero-dynamics attacks [13], where attacks are injected into the feedback system at only one point; in other words, one of and is zero. In fact, “double-point” attacks, such as covert attacks [16], where attacks are injected into the system at two points simultaneously, have also been discussed in the literature.

In the subsequent theorem, it will be shown that for double-point attacks injecting attack signals and at the same time (e.g., covert attacks [16]), the attacks and cannot be decoupled simultaneously, and hence the attack effect cannot be made completely zero for arbitrary double-point attacks.

Theorem 4

In the SISO feedback system depicted in Fig. 3, attack and attack cannot be decoupled simultaneously.

Proof:

If plant is not stabilizable by static output feedback, then neither attack nor attack can be decoupled. Otherwise, if plant is stabilizable by static output feedback, it is known from Theorem 3 that the decoupling of requires that , while the decoupling of requires that , in addition to that controller is chosen among static output-feedback stabilizing controllers, i.e., , in both cases. That is to say, if and are to be decoupled simultaneously, then , which leads to and contradicts the fact and (otherwise the transfer function from reference to plant input/output, see the proof of Theorem 3, will be zero).

As a matter of fact, it can be shown more generally that even with dynamic two-way coding

simultaneous decoupling of attack and attack is not possible.

This “impossibility theorem” characterizes on a fundamental level why double-point attacks are in general more difficult to defend against than single-point attacks. We will, however, leave the discussions on the defense against such double-point attacks to future research.

One final remark would be that some of the previous results and discussions apply as well to disturbance decoupling. In particular, it is known from Theorem 1 and Theorem 2 that therein disturbance decoupling is not possible without coding or with one-way coding, but it can be achieved with two-way coding as shown in Theorem 3. Additionally, it follows from Theorem 4 that therein disturbance decoupling cannot be achieved in the uplink and downlink channels simultaneously even with two-way coding.

IV Conclusions

In this paper, we have introduced the method of two-way coding from communication into control, in particular, feedback control systems under injection attacks. Additionally, we have proposed the notion of attack decoupling, and it was seen that the controller and two-way coding can be co-designed to nullify the transfer function from attack to plant, zeroing the attack effect completely both in transient phase and in steady state. Future research directions include the analysis of dynamic two-way coding, MIMO systems, discrete-time systems, as well as other classes of attacks in the presence of two-way coding. We are also interested in examining the implications of attack decoupling in communication system design, concerning, e.g., error correction.

References

  • [1] R. B. Blackman, H. W. Bode, and C. E. Shannon, “Data smoothing and prediction in fire-control systems,” Summary Technical Report, Div. 7, National Defense Research Committee, vol. 1, pp. 71–159, 1946.
  • [2] S. Fang, J. Chen, and H. Ishii, Towards Integrating Control and Information Theories: From Information-Theoretic Measures to Control Performance Limitations. Springer, 2017.
  • [3] N. C. Martins and M. A. Dahleh, “Feedback control in the presence of noisy channels: “Bode-like” fundamental limitations of performance,” IEEE Transactions on Automatic Control, vol. 53, no. 7, pp. 1604–1615, 2008.
  • [4] Y. H. Kim, “Feedback capacity of stationary Gaussian channels,” IEEE Transactions on Information Theory, vol. 56, no. 1, pp. 57–85, 2010.
  • [5] C. E. Shannon, “Two-way communication channels,” in Proceedings of the Fourth Berkeley Symposium on Mathematical Statistics and Probability, 1961.
  • [6] E. C. V. der Meulen, “A survey of multi-way channels in information theory: 1961-1976,” IEEE Transactions on Information Theory, vol. 23, no. 1, pp. 1–37, 1977.
  • [7] H. B. Meeuwissen, Information theoretical aspects of two-way communication. Technische Universiteit Eindhoven, 1998.
  • [8] A. Chaaban and A. Sezgin, “Multi-way communications: An information theoretic perspective,” Foundations and Trends® in Communications and Information Theory, vol. 12, no. 3-4, pp. 185–371, 2015.
  • [9] P. F. Hokayem and M. W. Spong, “Bilateral teleoperation: An historical survey,” Automatica, vol. 42, no. 12, pp. 2035–2057, 2006.
  • [10] R. Poovendran, K. Sampigethaya, S. K. S. Gupta, I. Lee, K. V. Prasad, D. Corman, and J. L. Paunicka, “Special issue on cyber-physical systems [scanning the issue],” Proceedings of the IEEE, vol. 100, no. 1, pp. 6–12, 2012.
  • [11] K. H. Johansson, G. J. Pappas, P. Tabuada, and C. J. Tomlin, “Guest editorial special issue on control of cyber-physical systems,” IEEE Transactions on Automatic Control, vol. 59, no. 12, pp. 3120–3121, 2014.
  • [12] H. Sandberg, S. Amin, and K. H. Johansson, “Cyberphysical security in networked control systems: An introduction to the issue,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 20–23, 2015.
  • [13] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, “Secure control systems: A quantitative risk management approach,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 24–45, 2015.
  • [14] Q. Zhu and T. Basar, “Game-theoretic methods for robustness, security, and resilience of cyberphysical control systems: Games-in-games principle for optimal cross-layer resilient control systems,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 46–65, 2015.
  • [15] S. Amin, G. A. Schwartz, A. A. Cárdenas, and S. S. Sastry, “Game-theoretic models of electricity theft detection in smart utility networks: Providing new capabilities with advanced metering infrastructure,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 66–81, 2015.
  • [16] R. S. Smith, “Covert misappropriation of networked control systems: Presenting a feedback structure,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 82–92, 2015.
  • [17] Y. Mo, S. Weerakkody, and B. Sinopoli, “Physical authentication of control systems: Designing watermarked control inputs to detect counterfeit sensor outputs,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 93–109, 2015.
  • [18] F. Pasqualetti, F. Dorfler, and F. Bullo, “Control-theoretic methods for cyberphysical security: Geometric principles for optimal cross-layer resilient control systems,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 110–127, 2015.
  • [19] P. Cheng, L. Shi, and B. Sinopoli, “Guest editorial special issue on secure control of cyber-physical systems,” IEEE Transactions on Control of Network Systems, vol. 4, no. 1, pp. 1–3, 2017.
  • [20] J. Giraldo, D. Urbina, A. Cardenas, J. Valente, M. Faisal, J. Ruths, N. O. Tippenhauer, H. Sandberg, and R. Candell, “A survey of physics-based attack detection in cyber-physical systems,” ACM Computing Surveys (CSUR), vol. 51, no. 4, p. 76, 2018.
  • [21] M. S. Chong, H. Sandberg, and A. M. Teixeira, “A tutorial introduction to security and privacy for cyber-physical systems,” in Proceedings of the European Control Conference. IEEE, 2019, pp. 968–978.
  • [22] Z. Xu and Q. Zhu, “Secure and resilient control design for cloud enabled networked control systems,” in Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy, 2015, pp. 31–42.
  • [23] F. Miao, Q. Zhu, M. Pajic, and G. J. Pappas, “Coding schemes for securing cyber-physical systems against stealthy data injection attacks,” IEEE Transactions on Control of Network Systems, vol. 4, no. 1, pp. 106–117, 2017.
  • [24] A. Hoehn and P. Zhang, “Detection of covert attacks and zero dynamics attacks in cyber-physical systems,” in Proceedings of the American Control Conference, 2016, pp. 302–307.
  • [25] R. M. Ferrari and A. M. Teixeira, “Detection and isolation of routing attacks through sensor watermarking,” in Proceedings of the American Control Conference, 2017, pp. 5436–5442.
  • [26] ——, “Detection and isolation of replay attacks through sensor watermarking,” IFAC-PapersOnLine, vol. 50, no. 1, pp. 7363–7368, 2017.
  • [27] A. Tsiamis, K. Gatsis, and G. J. Pappas, “State estimation codes for perfect secrecy,” in Proceedings of the IEEE Conference on Decision and Control, 2017, pp. 176–181.
  • [28] S. Fang, K. H. Johansson, M. Skoglund, H. Sandberg, and H. Ishii, “Two-way coding in control systems under injection attacks: From attack detection to attack correction,” in Proceedings of the ACM/IEEE International Conference on Cyber-Physical Systems, 2019, pp. 141–150.
  • [29] W. M. Wonham, Linear Multivariable Control: A Geometric Approach. Springer, 1985.
  • [30] M. M. Seron, J. H. Braslavsky, and G. C. Goodwin, Fundamental Limitations in Filtering and Control. Springer, 2012.
  • [31] S. Weiland and J. C. Willems, “Almost disturbance decoupling with internal stability,” IEEE Transactions on Automatic Control, vol. 34, no. 3, pp. 277–286, 1989.