Actuator security indices are developed for risk assessment purposes. Particularly, these indices can tell a system operator which of the actuators in a critical infrastructure network are the most vulnerable to cyber-attacks. Once the operator has this information, he/she can focus the security budget to protect these actuators. In this short paper, we first revisit one existing definition of an actuator security index, and then discuss possible directions for future research.

We present ongoing work in evaluating the performance of PID-controllers under DoS attacks. The experiments are conducted in a recently developed virtual testbed, which is openly available. An important observation is that also benign physical processes may exhibit potentially dangerous oscillations under DoS attacks unless care is taken in the control implementation. An event-based PID-controller with adaptive gain shows promising performance under DoS attack.

This paper studies the sensor placement problem in a networked control system for improving its security against cyber-physical attacks. The problem is formulated as a zero-sum game between an attacker and a detector. The attacker's decision is to select f nodes of the network to attack whereas the detector's decision is to place f sensors to detect the presence of the attack signals. In our formulation, the attacker minimizes its visibility, defined as the system L2 gain from the attack signals to the deployed sensors' outputs, and the detector maximizes the visibility of the attack signals. The equilibrium strategy of the game determines the optimal locations of the sensors. The existence of Nash equilibrium for the attacker-detector game is studied when the underlying connectivity graph is a directed or an undirected tree. When the game does not admit a Nash equilibrium, it is shown that the Stackelberg equilibrium of the game, with the detector as the game leader, can be computed efficiently. Our results show that, under the optimal sensor placement strategy, an undirected topology provides a higher security level for a networked control system compared with its corresponding directed topology.

A novel security index based on the definition of perfect undetectability is proposed. The index is a tool that can help a control system operator to localize the most vulnerable actuators in the network. In particular, the security index of actuator i represents the minimal number of sensors and actuators that needs to be compromised in addition to i, such that a perfectly undetectable attack is possible. A method for computing this index for small scale systems is derived, and difficulties with the index once the system is of large scale are outlined. An upper bound for the index that overcomes these difficulties is then proposed. The theoretical developments are illustrated on a numerical example. 

This tutorial provides a high-level introduction to novel control-theoretic approaches for the security and privacy of cyber-physical systems (CPS). It takes a risk-based approach to the problem and develops a model framework that allows us to introduce and relate many of the recent contributions to the area. In particular, we explore the concept of risk in the context of CPS under cyber-attacks, paying special attention to the characterization of attack scenarios and to the interpretation of impact and likelihood for CPS. The risk management framework is then used to give an overview of and map different contributions in the area to three core parts of the framework: attack scenario description, quantification of impact and likelihood, and mitigation strategies. The overview is by no means complete, but it illustrates the breadth of the problems considered and the control-theoretic solutions proposed so far.

Identity theft through phishing and session hijacking attacks has become a major attack vector in recent years, and is expected to become more frequent due to the pervasive use of mobile devices. Continuous authentication based on the characterization of user behavior, both in terms of user interaction patterns and usage patterns, is emerging as an effective solution for mitigating identity theft, and could become an important component of defense-in-depth strategies in cyber-physical systems as well. In this paper, the interaction between an attacker and an operator using continuous authentication is modeled as a stochastic game. In the model, the attacker observes and learns the behavioral patterns of an authorized user whom it aims at impersonating, whereas the operator designs the security measures to detect suspicious behavior and to prevent unauthorized access while minimizing the monitoring expenses. It is shown that the optimal attacker strategy exhibits a threshold structure, and consists of observing the user behavior to collect information at the beginning, and then attacking (rather than observing) after gathering enough data. From the operator’s side, the optimal design of the security measures is provided. Numerical results are used to illustrate the intrinsic trade-off between monitoring cost and security risk, and show that continuous authentication can be effective in minimizing security risk.

We propose a game-theoretic framework for improving the resilience of multi-agent consensus dynamics in the presence of a strategic attacker. In this game, the attacker selects a set of network nodes to inject the attack signals. The attacker's objective is to minimize the required energy for steering the consensus towards its desired direction. This energy is captured by the trace of controllability Gramian of the system when the input is the attack signal. The defender improves the resilience of dynamics by adding self-feedback loops to certain nodes of the system and its objective is to maximize the trace of controllability Gramian. The Stackelberg equilibrium of the game is studied with the defender as the game leader. When the underlying network topology is a tree and the defender can select only one node, we show that the optimal strategy of the defender is determined by a specific distance-based network centrality measure, called network's f-center. In addition, we show that the degree-based centralities solutions may lead to undesirable payoffs for the defender. At the end, we discuss the case of multiple attack and defense nodes on general graphs.

The problem of preserving the privacy of individual entries of a database when responding to linear or nonlinear queries with constrained additive noise is considered. For privacy protection, the response to the query is systematically corrupted with an additive random noise whose support is a subset or equal to a pre-defined constraint set. A measure of privacy using the inverse of the trace of the Fisher information matrix is developed. The Cramer-Rao bound relates the variance of any estimator of the database entries to the introduced privacy measure. The probability density that minimizes the trace of the Fisher information (as a proxy for maximizing the measure of privacy) is computed. An extension to dynamic problems is also presented. Finally, the results are compared to the differential privacy methodology. Crown Copyright

We study the problem of distributed consensus in networks where the local agents have high-order (n ≥ 3) integrator dynamics, and where all feedback is localized in that each agent has a bounded number of neighbors. We prove that no consensus algorithm based on relative differences between states of neighboring agents can then achieve consensus in networks of any size. That is, while a given algorithm may allow a small network to converge to consensus, the same algorithm will lead to instability if agents are added to the network so that it grows beyond a certain finite size. This holds in classes of network graphs whose algebraic connectivity, that is, the smallest non-zero Laplacian eigenvalue, is decreasing towards zero in network size. This applies, for example, to all planar graphs. Our proof, which relies on Routh-Hurwitz criteria for complex-valued polynomials, holds true for directed graphs with normal graph Laplacians. We survey classes of graphs where this issue arises, and also discuss leader-follower consensus, where instability will arise in any growing, undirected network as long as the feedback is localized.

This paper proposes a cooperative adaptive cruise control model, adding a communication network structure to an existing model that has been shown to capture real commercial adaptive cruise control vehicle behavior. The proposed model is interesting because it only requires minimal information sharing, facilitating the creation of platoons comprised of vehicles from different manufacturers. We prove the stability of the model and discuss string stability. Algorithms for estimating the velocity of the vehicles locally and for estimating the velocities of all the vehicles in the platoon are presented. We simulate vehicle platoon control with the lead vehicle following an experimentally collected trajectory, showing that adding communication can cause a string unstable platoon to become stable.