A novel security index based on the definition of perfect undetectability is proposed. The index is a tool that can help a control system operator to localize the most vulnerable actuators in the network. In particular, the security index of actuator i represents the minimal number of sensors and actuators that needs to be compromised in addition to i, such that a perfectly undetectable attack is possible. A method for computing this index for small scale systems is derived, and difficulties with the index once the system is of large scale are outlined. An upper bound for the index that overcomes these difficulties is then proposed. The theoretical developments are illustrated on a numerical example. 

The problem of preserving the privacy of individual entries of a database when responding to linear or nonlinear queries with constrained additive noise is considered. For privacy protection, the response to the query is systematically corrupted with an additive random noise whose support is a subset or equal to a pre-defined constraint set. A measure of privacy using the inverse of the trace of the Fisher information matrix is developed. The Cramer-Rao bound relates the variance of any estimator of the database entries to the introduced privacy measure. The probability density that minimizes the trace of the Fisher information (as a proxy for maximizing the measure of privacy) is computed. An extension to dynamic problems is also presented. Finally, the results are compared to the differential privacy methodology. Crown Copyright

Nonlinearities are present in all real applications. Two types of general nonlinear consensus protocols are considered in this paper, namely, the systems with nonlinear communication and actuator constraints. The solutions of the systems are understood in the sense of Filippov to handle the possible discontinuity of the controllers. For each case, we prove the asymptotic stability of the systems with minimal assumptions on the nonlinearity, for both directed and undirected graphs. These results extend the literature to more general nonlinear dynamics and topologies. As applications of established theorems, we interpret the results on quantized consensus protocols.

We study the problem of securely estimating the states of an unstable dynamical system subject to non-stochastic disturbances. The estimator obtains all its information through an uncertain channel, which is subject to nonstochastic disturbances as well, and an eavesdropper obtains a disturbed version of the channel inputs through a second uncertain channel. An encoder observes and block encodes the states in such a way that, upon sending the generated codeword, the estimator's error is bounded and a security criterion is satisfied, thereby ensuring that the eavesdropper obtains as little state information as possible. Two security criteria are considered and discussed with the help of a numerical example. A sufficient condition on the uncertain wiretap channel, i.e., the pair formed by the uncertain channel from the encoder to the estimator and the uncertain channel from the encoder to the eavesdropper is derived, which ensures that a bounded estimation error and security are achieved. This condition is also shown to be necessary for a subclass of uncertain wiretap channels. To formulate the condition, the zero-error secrecy capacity of uncertain wiretap channels is introduced, i.e., the maximal rate at which data can be transmitted from the encoder to the estimator in such a way that the eavesdropper is unable to reconstruct the transmitted data. Finally, the zero-error secrecy capacity of uncertain wiretap channels is studied.

A Stackelberg game framework is presented to choose the detector tuning for a general detector class under stealthy sensor attacks. In this framework, the defender acts as a leader and chooses a detector tuning, while the attacker will follow with a stealthy attack adjusted to this tuning. The tuning chosen is optimal with respect to the cost induced by the false alarms and the attack impact. We can show that under some practical assumptions the Stackelberg game always has a solution and we state two different sufficient conditions for the uniqueness of the solution. Interestingly, these conditions show that the attack impact does not have to be a convex function. An illustrative attack scenario of a false-data injection attack shows how one can use the Stackelberg game to find the optimal detector tuning.

We consider the control design problem of optimizing the H-2 performance of a closed-loop system despite the presence of a malicious covert attacker. It is assumed that the attacker has incomplete knowledge on the true process we are controlling. To account for this uncertainty, we employ different measures of risk from the so called family of coherent measures of risk. In particular, we compare the closed-loop performance when a nominal value is used, with three different measures of risk: average risk, worst-case scenario and conditional valueat- risk (CVaR). Additionally, applying the approach from a previous work, we derive a convex formulation for the control design problem when CVaR is employed to quantify the risk. A numerical example illustrates the advantages of our approach.

We investigate worst-case impacts of stealthy full sensor attacks against linear control systems under a general class of anomaly detectors. We show that the worst-case impact scales with a parameter that is solely determined by the number of sensors in the plant, the detector used, and its tuning. Therefore, we obtain a general metric to compare the performance of detectors of this class of detectors under the investigated sensor attack, which is independent of the plant dynamics and applies to all linear systems with the same number of sensors.

In this paper, the attitude tracking problem is considered using the rotation matrices. Due to the inherent topological restriction, it is impossible to achieve global attractivity with any continuous attitude control system on SO(3). Hence in this work, we propose some control protocols achieving almost global tracking asymptotically and in finite time, respectively. In these protocols, no world frame is needed and only relative state information are requested. For finitetime tracking case, Filippov solutions and non-smooth analysis techniques are adopted to handle the discontinuities. Simulation examples are provided to verify the performances of the control protocols designed in this paper.

In this talk, we discuss how control theory can contribute to the analysis and design of secure cyber-physical systems. We start by reviewing conditions for undetectable false-data injection attacks on feedback control systems. In particular, we highlight how a physical understanding of the controlled process can guide us in the allocation of protective measures. We show that protecting only a few carefully selected actuators or sensors can give indirect protection to many more components. We then illustrate how such analysis is exploited in the design of a resilient control scheme for a microgrid energy management system.

In this paper, we address the problem of distributed reconfiguration of networked control systems upon the removal of misbehaving sensors and actuators. In particular, we consider systems with redundant sensors and actuators cooperating to recover from faults. Reconfiguration is performed while minimizing a steady-state estimation error covariance and quadratic control cost. A model-matching condition is imposed on the reconfiguration scheme. It is shown that the reconfiguration and its underlying computation can be distributed. Using an average dwell-time approach, the stability of the distributed reconfiguration scheme under finite-time termination is analyzed. The approach is illustrated in a numerical example.