I Introduction
Observations on the underlying connections between communication and control date back to [1], in which the authors (including Shannon and Bode) stated that “there is an obvious analogy between the problem of smoothing the data to eliminate or reduce the effect of tracking errors and the problem of separating a signal from interfering noise in communications systems”. In recent years, since the integrations of communication and control systems are becoming more and more prevalent, as witnessed in, e.g., cyber-physical systems and IoT systems, the interaction of communication theory (including information theory and coding theory) and control theory has especially been a heated topic (see, e.g., [2] and the references therein). In such interactions, concepts and tools from communication such as entropy have been introduced to control (see, e.g., [3]), and so are those from control to communication, as in, for instance, [4].
In this paper, we introduce yet another notion from communication to control: two-way coding in two-way communication. The concept of two-way communication channels was proposed by Shannon [5]. As its name indicates, in two-way channels, signals are transmitted simultaneously in both directions between the two terminals of communication. Accordingly, coding schemes for two-way channels should utilize the information contained in the data streaming in both directions. Stated alternatively, the coding schemes should also be two-way, and thus are correspondingly referred to as two-way coding [6, 7, 8].
With the controller side and the plant side being respectively viewed as the two terminals of communication, the communication channels embedded in networked feedback control systems are inherently two-way channels. However, approaches based on two-way coding for the two-way channels in networked feedback systems are rarely seen in the literature. One exception is the so-called scattering transformation utilized in the teleoperation of robotics [9], although, as far as we know, its connection with two-way coding has never before been established. Nevertheless, scattering transformation can be viewed in a broad sense as a special class of two-way coding, aiming to resolve the issue of two-way time delays, the most essential characterization and the main issue of the two-way channels modeled on the input-output level in the problem of teleoperation.
When it comes to cyber-physical security problems arising in networked control systems (see, e.g., [10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21] and the references therein), to the best of our knowledge, only one-way coding has been employed. The authors of [22] introduced one-way encryption matrices into control systems to achieve confidentiality and integrity. In [23], the authors considered using one-way coding matrices to encode the sensor outputs in order to detect stealthy false data injection attacks in cyber-physical systems. One-way modulation matrices were inserted into cyber-physical systems in [24] to detect covert attacks and zero-dynamics attacks. Dynamic one-way coding was applied to detect and isolate routing attacks [25] and replay attacks [26]. For remote state estimation in the presence of eavesdroppers, the so-called state-secrecy codes were introduced [27], which are also essentially one-way coding schemes. Nevertheless, one-way coding has its inherent limitations; for instance, one-way coding in general cannot eliminate the unstable poles or nonminimum-phase zeros of the plant or the controller [28], which are the most critical issues in the defense against, e.g., zero-dynamics attacks [13].
In our previous work [28], we examined how the presence of two-way coding in linear time-invariant (LTI) feedback control systems can make the zeros and/or poles of the equivalent plant as viewed by the attacker all different from those of the original plant, and under some additional assumptions (i.e., the plant is stabilizable by static output feedback), the equivalent plant may even be made stable and/or minimum-phase. In the particular case of zero-dynamics attacks, it is then implied that the attacks will be detected if designed according to the original plant, while the attack effect may be corrected in steady state if the attacks are to be designed with respect to the equivalent plant.
To prevent possible damages during the transient phase even when the attack effect can be corrected in steady state, in this paper we propose the notion of attack decoupling. For LTI systems, we say that a certain attack is decoupled if the transfer function from attack to plant input/output is made zero, without making zero the transfer function from reference to plant input/output. As such, when attack decoupling is achieved, the attack response will be completely zero both in transient phase and in steady state. We then examine in order conventional feedback systems, feedback systems with one-way coding, as well as feedback systems with two-way coding, and discover that it is only in feedback systems with two-way coding that attacks in the uplink or downlink channels can be decoupled.
The remainder of the paper is organized as follows. Section II introduces the two-way coding. In Section III, we propose the notion of attack decoupling. Concluding remarks are given in Section IV.
II Two-Way Coding
Consider the single-input single-output (SISO) system depicted in Fig. 1. Herein, denotes the controller while denotes the plant. The reference signal is and the plant output is . In addition, let , , , , , , .
Definition 1
The (static) two-way coding is defined as
(1) 
Herein, are chosen such that
(2) 
Strictly speaking, it should be further assumed that .
Herein, two-way coding (that operates in a feedback loop) represents a two-way transformation taking in the signal in the forward path and the signal in the feedback path while outputting a new signal to the forward path and a second new signal that passes on in the feedback path. In comparison, Fig. 2 depicts a system with one-way coding schemes, which are one-way transformations that either take in the signal in the forward path and output a new signal that passes on in the forward path, or input the signal in the feedback path and output a signal that continues in the feedback path; herein, and .
For simplicity, we denote the inverse of two-way coding as
(3) 
where . As illustrated on the plant side in Fig. 1, the inverse of two-way coding denotes another two-way coding.
II-A Two-Way Coding in LTI Feedback Control Systems
We next analyze in particular LTI feedback control systems with two-way coding. Consider the SISO feedback system with two-way coding depicted in Fig. 3. Assume that herein the controller and plant are LTI with transfer functions and , respectively. In addition, let , , , , , , , , . Meanwhile, suppose that injection (additive) attacks and exist in the forward path and feedback path of the control systems, respectively. Let , , , , , , , , , , represent the Laplace transforms, assuming that they exist, of the signals , , , , , , , , , , . From now on, we assume that all the transfer functions of the systems are with zero initial conditions, unless otherwise specified.
We now provide expressions [28] for the Laplace transforms of the plant input and the plant output , given reference and under injection attacks and .
Proposition 1
Consider the SISO feedback system with two-way coding under injection attacks depicted in Fig. 3. Assume that controller and plant are LTI with transfer functions and , respectively, and that the closed-loop system is stable. Then,
(4) 
and
(5) 
Proposition 1 lays the foundation for the analysis of attack decoupling in feedback systems with two-way coding, as will be discussed shortly.
III Attack Decoupling
In what follows, we propose the notion of attack decoupling, which features a strong notion of security in the context of cyber-physical systems; in general, however, it is a broader control-theoretic notion applicable to any (networked) feedback systems.
Definition 2
Consider a feedback control system. An attack is said to be decoupled if the attack response in plant input/output can be made completely zero for arbitrary attack signals, without nullifying the reference response in plant input/output.
For LTI systems, attack decoupling can be defined more specifically in terms of transfer functions.
Definition 3
Consider an LTI feedback control system. An attack is said to be decoupled if the transfer function from attack to plant input/output can be made zero, without nullifying the transfer function from reference to plant input/output.
When the attack is decoupled for a certain attack point, it is as if the path from the attack signal to plant input/output signal is cut off, while not cutting off the signal path from the reference to plant input/output. In general, attack decoupling is a system-theoretic notion, which is not restricted to dealing with attacks and is more broadly applicable to disturbances and noises. Within the scope of attack analysis, however, attack decoupling is a strong notion of security, meaning that the attack response will be completely zero both in transient phase and in steady state for arbitrary injection attacks, regardless of what the attacker knows or does.
As a matter of fact, attack decoupling is closely related to the notion of disturbance decoupling in geometric control [29]. More specifically, disturbance decoupling only requires that the transfer function from the disturbance to plant output be zero, without requiring the transfer function from the disturbance to plant input to be zero. In this sense, attack decoupling implies and provides a new approach to achieve disturbance decoupling, while bringing new perspectives to other relevant topics in geometric control as well.
We next investigate, one by one, conventional feedback systems, feedback systems with one-way coding, as well as feedback systems with two-way coding, to see whether attack decoupling is possible, and if so, how to achieve it.
III-A Conventional Feedback Systems
In the sequel, we let denote the transfer functions from to , respectively, and let denote the transfer functions from to , respectively. We shall first show that for conventional feedback control systems without coding, as depicted in Fig. 4, neither attack nor attack can be decoupled.
Theorem 1
Consider the SISO feedback system depicted in Fig. 4. Then, neither attack nor attack can be decoupled.
Proof:
For the system in Fig. 4, it can be obtained that
Clearly,
As such, if or , then . In other words, attack cannot be decoupled. Similarly, by noting that
and that
it follows that attack cannot be decoupled.
III-B Feedback System with One-Way Coding
In the system in Fig. 5 with one-way coding, neither attack nor attack can be decoupled.
Theorem 2
Consider the SISO feedback system depicted in Fig. 5. Then, neither attack nor attack can be decoupled.
Proof:
For the system in Fig. 5, it can be obtained that
Clearly,
As such, if or , then . In other words, attack cannot be decoupled. Similarly, by noting that
and that
it follows that attack cannot be decoupled.
In fact, it can be shown that attack decoupling is not possible at either point even with dynamic one-way coding and .
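The single-loop structure behind Theorems 1 and 2 can be checked numerically. The following Python code is an added example, not code from the paper; the loop topology, the signal names (`r`, `w`, `z`, `u_c`, `u_p`, `y`, `y_c`), the scalar one-way coding gains `alpha` and `beta`, and the plant and controller values are all assumptions, since the figures and equations are not reproduced on this page.

```python
import math

K = 3.0  # constructed static controller gain (assumption)

def plant(s):
    """Constructed unstable plant P(s) = 1/(s - 1); with K = 3 the loop pole is s = -2."""
    return 1.0 / (s - 1.0)

def solve(A, b):
    """Gaussian elimination with partial pivoting over complex numbers."""
    n = len(b)
    M = [[complex(v) for v in row] + [complex(rhs)] for row, rhs in zip(A, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda i: abs(M[i][col]))
        M[col], M[piv] = M[piv], M[col]
        for i in range(col + 1, n):
            f = M[i][col] / M[col][col]
            for j in range(col, n + 1):
                M[i][j] -= f * M[col][j]
    x = [0j] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x

def loop(s, r=0.0, w=0.0, z=0.0, alpha=1.0, beta=1.0):
    """Solve the assumed loop equations at complex frequency s.

    r is the reference, w an additive attack on the forward channel, z an
    additive attack on the feedback channel. alpha = beta = 1 is the loop
    without coding. Returns (plant input u_p, plant output y).
    """
    P = plant(s)
    # Unknowns: u_c (controller output), u_p (plant input),
    #           y (plant output), y_c (measurement seen by the controller).
    A = [[1, 0, 0, K],    # u_c = K (r - y_c)
         [-1, 1, 0, 0],   # u_p = (alpha*u_c + w) / alpha   (encode, attack, decode)
         [0, -P, 1, 0],   # y   = P u_p
         [0, 0, -1, 1]]   # y_c = (beta*y + z) / beta       (encode, attack, decode)
    b = [K * r, w / alpha, 0, z / beta]
    _, u_p, y, _ = solve(A, b)
    return u_p, y

def check(alpha=1.0, beta=1.0, freqs=(0.1, 1.0, 10.0)):
    """Return (min |T from w to plant input|, max |T_z + T_r / beta|) over freqs."""
    min_forward, max_mismatch = math.inf, 0.0
    for omega in freqs:
        s = 1j * omega
        ref = loop(s, r=1.0, alpha=alpha, beta=beta)
        fwd = loop(s, w=1.0, alpha=alpha, beta=beta)
        fbk = loop(s, z=1.0, alpha=alpha, beta=beta)
        min_forward = min(min_forward, abs(fwd[0]))
        for t_z, t_r in zip(fbk, ref):
            max_mismatch = max(max_mismatch, abs(t_z + t_r / beta))
    return min_forward, max_mismatch

if __name__ == "__main__":
    for a, b in [(1.0, 1.0), (5.0, 0.2)]:  # no coding, then static one-way coding
        print(a, b, check(a, b))
```

A strictly positive first value means the forward-channel attack always reaches the plant input, and a second value at rounding level means the feedback-channel attack response is the reference response scaled by -1/beta, so in this assumed loop it can only vanish together with the reference response.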
III-C Feedback System with Two-Way Coding
For the system shown in Fig. 3 with two-way coding, attack can be decoupled, and attack can be decoupled as well.
Theorem 3
Consider the SISO feedback system depicted in Fig. 3. Suppose that plant is stabilizable by static output feedback, and that controller is chosen among such static output-feedback stabilizing controllers, i.e., .

If , then attack is decoupled;

If , then attack is decoupled.
Proof:
Intuitively, in feedback systems without coding as well as systems with one-way coding, there is only one feedback loop; as such, if the path from the attack signal to plant input/output signal is to be cut off, then the signal path from the reference to plant input/output will inevitably also be cut off. On the other hand, the presence of two-way coding brings additional feedback loops into a feedback system, enabling, probably in a subtle way, the cutting off of the path from the attack signal to plant input/output signal without cutting off that from the reference to plant input/output.
Note that the attack decoupling of or requires the co-design of the controller and the two-way coding, as well as the sacrifice of control performance since controllers are limited to be static output-feedback.
Note also that the conditions for achieving attack decoupling do not involve the plant. In other words, attack decoupling will not be affected by the inaccuracies/uncertainties in plant model .
It is clear that if attack (or ) is decoupled, then its attack response (for any injection attacks) will be zero in plant input/output, even though the attacks may not be detected; for instance, zero-dynamics attacks [13] at (or ) cannot be detected if designed properly, but they will have no influence on plant input/output when attack (or ) is decoupled.
III-C1 Control-theoretic implications of attack decoupling
We now examine the implications of attack decoupling in control systems. It is clear that when , its norm is zero, that is,
(6) 
and moreover, the corresponding Bode integral is given by
(7) 
This means perfect attack attenuation, and thus no limitations (e.g., lower bound on norm [30]) or tradeoffs (e.g., Bode integral [30]) are present. Similar conclusions hold for the cases when , , and as well.
III-C2 Almost vs. exact attack decoupling
Strictly and practically speaking, for , only “almost attack decoupling” is possible; otherwise, algebraic loops will be present in the feedback system. By “almost attack decoupling”, we mean the attack signal can be attenuated to any degree of accuracy, e.g., the norm of the corresponding transfer function can be made arbitrarily close to zero; cf. almost disturbance decoupling in [31]. In particular, (6) will then become
(8) 
and (7) becomes
(9) 
Meanwhile, for , “exact attack decoupling” (as defined in Definition 2 and Definition 3) can be achieved. That is to say, the following are still achievable:
(10) 
and
(11) 
However, since almost attack decoupling will involve dynamic and/or dynamic
we leave the detailed discussions on this topic to future research.
III-D An “Impossibility Theorem”
In what has been presented in this paper so far, we only considered the so-called “single-point” attacks, such as zero-dynamics attacks [13], where attacks are injected into the feedback system at only one point; in other words, one of and is zero. In fact, “double-point” attacks, such as covert attacks [16], where attacks are injected into the system at two points simultaneously, have also been discussed in the literature.
In the subsequent theorem, it will be shown that for double-point attacks injecting attack signals and at the same time (e.g., covert attacks [16]), the attacks and cannot be decoupled simultaneously, and hence the attack effect cannot be made completely zero for arbitrary double-point attacks.
Theorem 4
In the SISO feedback system depicted in Fig. 3, attack and attack cannot be decoupled simultaneously.
Proof:
If plant is not stabilizable by static output feedback, then neither attack nor attack can be decoupled. Otherwise, if plant is stabilizable by static output feedback, it is known from Theorem 3 that the decoupling of requires that , while the decoupling of requires that , in addition to that controller is chosen among static output-feedback stabilizing controllers, i.e., , in both cases. That is to say, if and are to be decoupled simultaneously, then , which leads to and contradicts the fact and (otherwise the transfer function from reference to plant input/output, see the proof of Theorem 3, will be zero).
As a matter of fact, it can be shown more generally that even with dynamic two-way coding
simultaneous decoupling of attack and attack is not possible.
This “impossibility theorem” characterizes on a fundamental level why double-point attacks are in general more difficult to defend against than single-point attacks. We will, however, leave the discussions on the defense against such double-point attacks to future research.
One final remark would be that some of the previous results and discussions apply as well to disturbance decoupling. In particular, it is known from Theorem 1 and Theorem 2 that therein disturbance decoupling is not possible without coding or with one-way coding, but it can be achieved with two-way coding as shown in Theorem 3. Additionally, it follows from Theorem 4 that therein disturbance decoupling cannot be achieved in the uplink and downlink channels simultaneously even with two-way coding.
IV Conclusions
In this paper, we have introduced the method of two-way coding from communication into control, in particular, feedback control systems under injection attacks. Additionally, we have proposed the notion of attack decoupling, and it was seen that the controller and two-way coding can be co-designed to nullify the transfer function from attack to plant, zeroing the attack effect completely both in transient phase and in steady state. Future research directions include the analysis of dynamic two-way coding, MIMO systems, discrete-time systems, as well as other classes of attacks in the presence of two-way coding. We are also interested in examining the implications of attack decoupling in communication system design, concerning, e.g., error correction.
References
 [1] R. B. Blackman, H. W. Bode, and C. E. Shannon, “Data smoothing and prediction in fire-control systems,” Summary Technical Report, Div. 7, National Defense Research Committee, vol. 1, pp. 71–159, 1946.
 [2] S. Fang, J. Chen, and H. Ishii, Towards Integrating Control and Information Theories: From Information-Theoretic Measures to Control Performance Limitations. Springer, 2017.
 [3] N. C. Martins and M. A. Dahleh, “Feedback control in the presence of noisy channels: “Bode-like” fundamental limitations of performance,” IEEE Transactions on Automatic Control, vol. 53, no. 7, pp. 1604–1615, 2008.
 [4] Y. H. Kim, “Feedback capacity of stationary Gaussian channels,” IEEE Transactions on Information Theory, vol. 56, no. 1, pp. 57–85, 2010.
 [5] C. E. Shannon, “Two-way communication channels,” in Proceedings of the Fourth Berkeley Symposium on Mathematical Statistics and Probability, 1961.
 [6] E. C. V. der Meulen, “A survey of multi-way channels in information theory: 1961-1976,” IEEE Transactions on Information Theory, vol. 23, no. 1, pp. 1–37, 1977.
 [7] H. B. Meeuwissen, Information theoretical aspects of two-way communication. Technische Universiteit Eindhoven, 1998.
 [8] A. Chaaban and A. Sezgin, “Multi-way communications: An information theoretic perspective,” Foundations and Trends® in Communications and Information Theory, vol. 12, no. 3-4, pp. 185–371, 2015.
 [9] P. F. Hokayem and M. W. Spong, “Bilateral teleoperation: An historical survey,” Automatica, vol. 42, no. 12, pp. 2035–2057, 2006.
 [10] R. Poovendran, K. Sampigethaya, S. K. S. Gupta, I. Lee, K. V. Prasad, D. Corman, and J. L. Paunicka, “Special issue on cyber-physical systems [scanning the issue],” Proceedings of the IEEE, vol. 100, no. 1, pp. 6–12, 2012.
 [11] K. H. Johansson, G. J. Pappas, P. Tabuada, and C. J. Tomlin, “Guest editorial special issue on control of cyber-physical systems,” IEEE Transactions on Automatic Control, vol. 59, no. 12, pp. 3120–3121, 2014.
 [12] H. Sandberg, S. Amin, and K. H. Johansson, “Cyber-physical security in networked control systems: An introduction to the issue,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 20–23, 2015.
 [13] A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson, “Secure control systems: A quantitative risk management approach,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 24–45, 2015.
 [14] Q. Zhu and T. Basar, “Game-theoretic methods for robustness, security, and resilience of cyber-physical control systems: Games-in-games principle for optimal cross-layer resilient control systems,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 46–65, 2015.
 [15] S. Amin, G. A. Schwartz, A. A. Cárdenas, and S. S. Sastry, “Game-theoretic models of electricity theft detection in smart utility networks: Providing new capabilities with advanced metering infrastructure,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 66–81, 2015.
 [16] R. S. Smith, “Covert misappropriation of networked control systems: Presenting a feedback structure,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 82–92, 2015.
 [17] Y. Mo, S. Weerakkody, and B. Sinopoli, “Physical authentication of control systems: Designing watermarked control inputs to detect counterfeit sensor outputs,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 93–109, 2015.
 [18] F. Pasqualetti, F. Dorfler, and F. Bullo, “Control-theoretic methods for cyber-physical security: Geometric principles for optimal cross-layer resilient control systems,” IEEE Control Systems Magazine, vol. 35, no. 1, pp. 110–127, 2015.
 [19] P. Cheng, L. Shi, and B. Sinopoli, “Guest editorial special issue on secure control of cyber-physical systems,” IEEE Transactions on Control of Network Systems, vol. 4, no. 1, pp. 1–3, 2017.
 [20] J. Giraldo, D. Urbina, A. Cardenas, J. Valente, M. Faisal, J. Ruths, N. O. Tippenhauer, H. Sandberg, and R. Candell, “A survey of physics-based attack detection in cyber-physical systems,” ACM Computing Surveys (CSUR), vol. 51, no. 4, p. 76, 2018.
 [21] M. S. Chong, H. Sandberg, and A. M. Teixeira, “A tutorial introduction to security and privacy for cyber-physical systems,” in Proceedings of the European Control Conference. IEEE, 2019, pp. 968–978.
 [22] Z. Xu and Q. Zhu, “Secure and resilient control design for cloud enabled networked control systems,” in Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy, 2015, pp. 31–42.
 [23] F. Miao, Q. Zhu, M. Pajic, and G. J. Pappas, “Coding schemes for securing cyber-physical systems against stealthy data injection attacks,” IEEE Transactions on Control of Network Systems, vol. 4, no. 1, pp. 106–117, 2017.
 [24] A. Hoehn and P. Zhang, “Detection of covert attacks and zero dynamics attacks in cyber-physical systems,” in Proceedings of the American Control Conference, 2016, pp. 302–307.
 [25] R. M. Ferrari and A. M. Teixeira, “Detection and isolation of routing attacks through sensor watermarking,” in Proceedings of the American Control Conference, 2017, pp. 5436–5442.
 [26] ——, “Detection and isolation of replay attacks through sensor watermarking,” IFAC-PapersOnLine, vol. 50, no. 1, pp. 7363–7368, 2017.
 [27] A. Tsiamis, K. Gatsis, and G. J. Pappas, “State estimation codes for perfect secrecy,” in Proceedings of the IEEE Conference on Decision and Control, 2017, pp. 176–181.
 [28] S. Fang, K. H. Johansson, M. Skoglund, H. Sandberg, and H. Ishii, “Two-way coding in control systems under injection attacks: From attack detection to attack correction,” in Proceedings of the ACM/IEEE International Conference on Cyber-Physical Systems, 2019, pp. 141–150.
 [29] W. M. Wonham, Linear Multivariable Control: A Geometric Approach. Springer, 1985.
 [30] M. M. Seron, J. H. Braslavsky, and G. C. Goodwin, Fundamental Limitations in Filtering and Control. Springer, 2012.
 [31] S. Weiland and J. C. Willems, “Almost disturbance decoupling with internal stability,” IEEE Transactions on Automatic Control, vol. 34, no. 3, pp. 277–286, 1989.