The problem of preserving the privacy of individual entries of a database when responding to linear or nonlinear queries with constrained additive noise is considered. For privacy protection, the response to the query is systematically corrupted with an additive random noise whose support is a subset or equal to a pre-defined constraint set. A measure of privacy using the inverse of the trace of the Fisher information matrix is developed. The Cramer-Rao bound relates the variance of any estimator of the database entries to the introduced privacy measure. The probability density that minimizes the trace of the Fisher information (as a proxy for maximizing the measure of privacy) is computed. An extension to dynamic problems is also presented. Finally, the results are compared to the differential privacy methodology. Crown Copyright

A Stackelberg game framework is presented to choose the detector tuning for a general detector class under stealthy sensor attacks. In this framework, the defender acts as a leader and chooses a detector tuning, while the attacker will follow with a stealthy attack adjusted to this tuning. The tuning chosen is optimal with respect to the cost induced by the false alarms and the attack impact. We can show that under some practical assumptions the Stackelberg game always has a solution and we state two different sufficient conditions for the uniqueness of the solution. Interestingly, these conditions show that the attack impact does not have to be a convex function. An illustrative attack scenario of a false-data injection attack shows how one can use the Stackelberg game to find the optimal detector tuning.

We consider the control design problem of optimizing the H-2 performance of a closed-loop system despite the presence of a malicious covert attacker. It is assumed that the attacker has incomplete knowledge on the true process we are controlling. To account for this uncertainty, we employ different measures of risk from the so called family of coherent measures of risk. In particular, we compare the closed-loop performance when a nominal value is used, with three different measures of risk: average risk, worst-case scenario and conditional valueat- risk (CVaR). Additionally, applying the approach from a previous work, we derive a convex formulation for the control design problem when CVaR is employed to quantify the risk. A numerical example illustrates the advantages of our approach.

We investigate worst-case impacts of stealthy full sensor attacks against linear control systems under a general class of anomaly detectors. We show that the worst-case impact scales with a parameter that is solely determined by the number of sensors in the plant, the detector used, and its tuning. Therefore, we obtain a general metric to compare the performance of detectors of this class of detectors under the investigated sensor attack, which is independent of the plant dynamics and applies to all linear systems with the same number of sensors.

In this paper, the attitude tracking problem is considered using the rotation matrices. Due to the inherent topological restriction, it is impossible to achieve global attractivity with any continuous attitude control system on SO(3). Hence in this work, we propose some control protocols achieving almost global tracking asymptotically and in finite time, respectively. In these protocols, no world frame is needed and only relative state information are requested. For finitetime tracking case, Filippov solutions and non-smooth analysis techniques are adopted to handle the discontinuities. Simulation examples are provided to verify the performances of the control protocols designed in this paper.

In this paper, we address the problem of distributed reconfiguration of networked control systems upon the removal of misbehaving sensors and actuators. In particular, we consider systems with redundant sensors and actuators cooperating to recover from faults. Reconfiguration is performed while minimizing a steady-state estimation error covariance and quadratic control cost. A model-matching condition is imposed on the reconfiguration scheme. It is shown that the reconfiguration and its underlying computation can be distributed. Using an average dwell-time approach, the stability of the distributed reconfiguration scheme under finite-time termination is analyzed. The approach is illustrated in a numerical example.

In this paper, batteries are used to preserve the privacy of households with smart meters. It is commonly understood that data from smart meters can be used by adversaries to infringe on the privacy of the households, e.g., figuring out the individual appliances that are being used or the level of the occupancy of the house. The Cramer-Rao bound is used to relate the variance of the estimation error of any unbiased estimator of the household consumption from the aggregate consumption (i.e., the household plus the battery) to the Fisher information. Subsequently, optimal policies for charging and utilizing batteries are devised to minimize the Fisher information (in the scalar case and the trace of the Fisher information matrix in the multi-variable case) as a proxy for maximizing the variance of the estimation error of the electricity consumption by adversaries (irrespective of their estimation policies). The policies are chosen to respect the physical constraints of the battery regarding capacity, initial charge, and rate constraints. The results are demonstrated on real power measurement data with non-intrusive load monitoring algorithms.

In the domain of energy automation, where a massive number of software-based IoT services interact with a complex dynamic system, processes for software installation and software update become more important and more complex. These processes have to ensure that the dependencies on all layers are fulfilled, including dependencies arising due to the energy system controlled by IT components being a hidden communication channel between these components. In addition, the processes have to be resilient against faults in and attacks to both the energy grid and the communication network. The ERA-Net funded project LarGo! aims at developing and testing processes for the large scale rollout of software applications in the power grid domain as well as the user domain. This article describes a work in progress and the project's roadmap to solve the technical issues. It investigates the problems that arise from the interlocking of the two networks - the power grid and the communication network. Based on this analysis a first set of requirements for a rollout process in such a Smart Grid is derived and the chosen approach to verify the resilience of the developed processes under research is described.

In this paper, we study the H∞-norm of linear systems over graphs, which is used to model distribution networks. In particular, we aim to minimize the H∞-norm subject to allocation of the weights on the edges. The optimization problem is formulated with LMI (Linear-Matrix-Inequality) constraints. For distribution networks with one port, i.e., SISO systems, we show that the H∞-norm coincides with the effective resistance between the nodes in the port. Moreover, we derive an upper bound of the H∞-norm, which is in terms of the algebraic connectivity of the graph on which the distribution network is defined.

Distributed approaches to secondary frequency control have become a way to address the need for more flexible control schemes in power networks with increasingly distributed generation. The distributed averaging proportional-integral (DAPI) controller presents one such approach. In this paper, we analyze the transient performance of this controller, and specifically address the question of its performance under noisy frequency measurements. Performance is analyzed in terms of an H2 norm metric that quantifies power losses incurred in the synchronization transient. While previous studies have shown that the DAPI controller performs well, in particular in sparse networks and compared to a centralized averaging PI (CAPI) controller, our results prove that additive measurement noise may have a significant negative impact on its performance and scalability. This impact is shown to decrease with an increased inter-nodal alignment of the controllers' integral states, either through increased gains or increased connectivity. For very large and sparse networks, however, the requirement for inter-nodal alignment is so large that a CAPI approach may be preferable. Overall, our results show that distributed secondary frequency control through DAPI is possible and may perform well also under noisy measurements, but requires careful tuning.