This article proposes a distributed design method of controllers with a glocal (global/local) information structure for large-scale network systems. The glocal controller of interest has a hierarchical structure, wherein a global subcontroller coordinates a set of disjoint local subcontrollers. The global subcontroller regulates interarea oscillations among subsystems, while local subcontrollers individually regulate intraarea oscillations of the respective subsystem. The distributed design of the glocal controller is addressed to enhance the scalability of controller synthesis, where the global subcontroller and all local subcontrollers are designed independently of each other. A design problem is formulated for subcontroller sets such that any combination of subcontrollers each of which belongs to its corresponding set guarantees stability of the closed-loop system. The core idea of the proposed method is to represent the original network system as a hierarchical cascaded system composed of reduced-order models representing the interarea and intraarea dynamics, referred to as hierarchical model decomposition. Distributed design is achieved by virtue of the cascade structure. The primary findings of this study are twofold. First, a tractable solution to the distributed design problem and an existence condition of the hierarchical model decomposition are presented. Second, a clustering method appropriate for the proposed framework and a robust extension are provided. Numerical examples of a power grid highlight the practical relevance of the proposed method.

This study addresses incident handling during an adverse event for dynamical networked control systems. Incident handling can be divided into five steps: detection, analysis, containment, eradication, and recovery. For networked control systems, the containment step can be conducted through physical disconnection of an attacked subsystem. In accordance with the disconnection, the equipped attack detection unit should be reconfigured to maintain its detection capability. In particular, separating the detection subunit associated with the disconnected subsystem is considered as a specific reconfiguration scheme in this study. This article poses the problem of disconnection-aware attack detection and isolation with the separation-based detector reconfiguration. The objective is to design an attack detection unit that preserves its detection and isolation capability even under any possible disconnection and separation. The difficulty arises from network topology variation caused by disconnection that can possibly lead to stability loss of the distributed observer inside the attack detection unit. A solution is proposed based on an existing controller design technique referred to as retrofit control. Furthermore, an application to low-voltage power distribution networks with distributed generation is exhibited. Numerical examples evidence the practical use of the proposed method through a benchmark distribution network.

This letter provides a model of cyber deception with asymmetric recognition represented by private beliefs. Signaling games, which are often used in existing works, are built on the implicit premise that the receiver's belief is public information. However, this assumption, which leads to symmetric recognition, is unrealistic in adversarial decision making. For a precise evaluation of risks arising from cognitive gaps, this letter proposes epistemic signaling games based on the Mertens-Zamir model, which explicitly quantifies players' asymmetric recognition. Equilibria of the games are analytically characterized with an interpretation.

This study investigates a parameterization of all output-rectifying retrofit controllers for distributed design of a structured controller. It has been discovered that all retrofit controllers can be characterized as a constrained Youla parameterization, which is difficult to solve analytically. For synthesis, a tractable and insightful class of retrofit controllers, referred to as output-rectifying retrofit controllers, has been introduced. An unconstrained parameterization of all output-rectifying retrofit controllers can be derived under a technical assumption on measurability of the interaction signal. The aim of this note is to reveal the structure of all output-rectifying retrofit controllers in the general output-feedback case without interaction measurement. It is found out that the existing developments can be generalized based on system inversion. The result leads to the conclusion that output-rectifying retrofit controllers can readily be designed even in the general case.

This study investigates general model-based incident handler's asymptotic behaviors against cyber attacks to control systems. The attacker's and the defender's dynamic decision making is modeled as an equilibrium of a dynamic signaling game. It is shown that the defender's belief on existence of an attacker converges over time for any attacker's strategy provided that the stochastic dynamics of the control system is known to the defender. This fact implies that the rational behavior of the attacker converges to a harmless action as long as the defender possesses an effective counteraction. The obtained result supports the powerful protection capability achieved by model-based defense mechanisms.

In this article, we develop a modular design method of decentralized controllers for linear dynamical network systems, where multiple subcontroller designers aim at individually regulating their local control performance with accessibility only to their respective subsystem models. First, we derive a constrained version of the Youla parameterization that characterizes all retrofit controllers for a single subcontroller, defined as an add-on-type subcontroller that manages a subsystem. The resultant feedback system is kept robustly stable for any variation in the neighboring subsystems, other than the subsystem of interest, provided that the original system is stable prior to implementing the retrofit control. Subsequently, we find out a unique internal structure of the retrofit controllers, assuming that the interaction input signal from the neighboring subsystems is measurable. Furthermore, we show that the simultaneous implementation of multiple retrofit controllers, designed by individual subcontroller designers, can improve the upper bound of the overall control performance. Finally, the practical significance of the method is demonstrated via an illustrative example of frequency regulation using the IEEE 68-bus power system model.

In order to protect smart distribution grids from intrusions, it is important to understand possible risks and impacts of attacks. We study the worst-case attack strategy of a power injection attack against the physical layer of a smart distribution grid with a high penetration of photovoltaic resources. We derive both the worst attack signal and worst attack location: The worst attack signal is a step function which switches its sign at the final stage, and the worst attack location is the node with the largest impedance to the grid substation. Numerical examples on a European benchmark model verify the developed results. Finally, both theoretical and numerical results are used to discuss feasible defense strategies against power injection attacks.

This study investigates the relationship between resilience of control systems to attacks and the information available to malicious attackers. Specifically, it is shown that control systems are guaranteed to be secure in an asymptotic manner by rendering reactions against potentially harmful actions covert. The behaviors of the attacker and the defender are analyzed through a repeated signaling game with an undisclosed belief under covert reactions. In the typical setting of signaling games, reactions conducted by the defender are supposed to be public information and the measurability enables the attacker to accurately trace transitions of the defender's belief on existence of a malicious attacker. In contrast, the belief in the game considered in this paper is undisclosed and hence common equilibrium concepts can no longer be employed for the analysis. To surmount this difficulty, a novel framework for decision of reasonable strategies of the players in the game is introduced. Based on the presented framework, it is revealed that any reasonable strategy chosen by a rational malicious attacker converges to the benign behavior as long as the reactions performed by the defender are unobservable to the attacker. The result provides an explicit relationship between resilience and information, which indicates the importance of covertness of reactions for designing secure control systems.

This study deals with security issues in dynamical networked control systems. The goal is to establish a unified framework of the attack detection stage, which includes the four processes of monitoring the system state, making a decision based on the monitored signal, disconnecting the corrupted subsystem, and operating the remaining system during restoration. This paper, in particular, considers a disconnection-aware attack detector design problem. Traditionally, observer-based attack detectors are designed based on the system model with a fixed network topology and cannot cope with a change of the topology caused by disconnection. The disconnection-aware design problem is mathematically formulated and a solution is proposed in this paper. A numerical example demonstrates the effectiveness of the proposed detector through an inverter-based voltage control system in a benchmark model. 

Since modern network systems are managed by multiple operators, practical distributed controller design is required to be independently performed in a distributed manner. The independent design of distributed controllers, referred to as distributed design, enables the synthesis process to be scalable. Nevertheless, distributed design methods have not yet been fully developed because of its difficulty. As a novel scheme for control of network systems, this paper presents a distributed design method of glocal (global/local) controllers. In the glocal structure, a global controller is introduced into the controller to be designed in addition to local decentralized controllers. The key idea to realize distributed design is to represent the original network system as a hierarchical cascaded system composed of reduced-order models each of which stands for the dynamics of global and local behaviors, here referred to as hierarchical model decomposition. Distributed design is achieved by designing controllers for the reduced-order models owing to the cascade structure. A numerical example demonstrates the effectiveness of the proposed glocal control.