INSE 6710: Fundamentals and Applications of

Cyber-Physical Systems

Lecture 2 - Cyber-Attacks against CPSs

Prof. Walter Lucia

Fall - 2022

Fall - 2022 1 / 68

Outline

1 Information Security and CPS

2 Adversary Model vs Defender Model

3 3D Modeling of Attacks in Networked CPS

4 Example of Stealthy Attack Against Smart Grid

Fall - 2022 2 / 68

Lecture 1 - Recap

Fall - 2022 3 / 68
Cyber-Physical Systems (CPSs)

Plant

+
Network +

Control Logic State Estimation

Anomaly Detection Strategy

Controller

• CPSs are autonomous engineering systems embedding physical

components, communication capabilities and computational power
• CPS security is a big concern because CPS are deployed in
safety-critical systems and cyber-attacks have physical
consequences
• Closed-loop Networked Control Systems (NCSs) are the core
of CPSs
Fall - 2022 4 / 68

Networked Control Systems (NCS)

• We model CPSs as NCSs subject to cyber-attacks on the

communication channels.
• We consider scenarios where an attacker can intercept the
communication channels and modify/destroy the transmitted data

actuators sensors
A S
A Plantstate x(t) S

Communication Channels

u(t) control logic state estimator y(t)

r(t)
Networked Controller

Fall - 2022 5 / 68

Securing CPS: objective

actuators sensors
A S
A Plantstate x(t) S

Communication Channels

u(t) control logic state estimator y(t)

r(t)
Networked Controller

• Cyber security and control systems must be properly combined to

solve the CPS security problems.
• Objective (in-brief): design a control architecture capable of
detecting and mitigating the possible presence of cyber-attacks on
the communication channels, possibly using multiple layer of
security
Fall - 2022 6 / 68
 Information Security and CPS

Fall - 2022 7 / 68

Information Security: CIA triad

actuators sensors
A S
A Plantstate x(t) S

Communication Channels

u(t) control logic state estimator y(t)

r(t)
Networked Controller

• Information Security is the practice of preventing unauthorized

access, use, disclosure, disruption, modification, inspection,
recording or destruction of information.
• Traditionally, information security and network security’s primary
focus is the balanced protection of the confidentiality, integrity
and availability of data (also known as the CIA1 triad)
1
M. Bishop, Computer Security, Art and Science, Addison-Wesley, 2003
Fall - 2022 8 / 68

Information Security & CPS - Confidentiality

• Confidentiality refers to the ability to keep information secret

from unauthorized users. A lack of confidentiality results in
disclosure of information to not authorized parties.
• Confidentiality in CPS must prevent an adversary from gaining
information regarding the plant and the control operations by
eavesdropping on the communication channels between the plant
and the networked controller
• E.g., from the intercepted data, the attacker might be able to figure it out
x(t), or the dynamical model of the system or the controller operations

Adversary

y(t) ‘
y(t)
Feedback
Plant Communication Channel
Controller
state x(t)
‘
u(t) u(t)

Fall - 2022 9 / 68
Information Security & CPS - Integrity

• Integrity refers to the trustworthiness of data or resources. A lack

of integrity results in deception: when an authorized party
receives false data and believes it to be true.
• Integrity in CPS is the ability to maintain the operational goals by
preventing, detecting, or surviving deception attacks (also known
as False Data Injection (FDI) attacks)

Adversary

y(t) ‘
y(t)
Feedback
Plant Communication Channel
Controller
state x(t)
‘
u(t) u(t)

Fall - 2022 10 / 68

Information Security & CPS - Availability

• Availability refers to the ability of a system/data of being
accessible and usable upon demand. Lack of availability results in
Denial of Service (DoS).
• Availability in CPS is the capability of maintaining the operational
goals by preventing or surviving DoS attacks, breaking the
control-feedback loop
• The strong real-time requirement of CPSs introduces new challenges.
• A minor DoS event for an enterprise networks might be a major event for
CPSs, i.e. producing irreparable damages to the system and entities
around it.

Adversary

‘
y(t)
y(t)
Feedback
Plant Communication Channel
Controller
state x(t)
‘
u(t) u(t)

Fall - 2022 11 / 68

CPS: Defender Model

Fall - 2022 12 / 68
Complete CPS Model
• By assuming that the defender needs to both detect and mitigate
cyber-attacks, the following networked control system is
considered:
‘
Plantstate x(t) y(t)
u(t)

Communication Channels

u(t) r(t) ‘
y(t)
control logic state estimator

anomaly detector

Networked Controller

• The anomaly detector is in charge of understanding if an anomaly/

cyber-attack is affecting the closed-loop control system.
We assume that a basic detector has at least access to the signal
transmitted over the communication channels
• The control logic + state estimator are in change of assuring that the
plant can meet the operational goals (e.g., closed-loop stability, be able to
track a reference signal, etc...)
Fall - 2022 13 / 68

Defender Model

• The defender = {control logic, state estimator, detector}2 .

• The defender’s goal:
1 In the absence of attacks: maintain the plant’s state inside the region of
required performance
2 In the presence of attacks: maintain the plant’s state, at most, inside in the
region of degraded performance. Once the attack is over, the region of
required performance must be re-entered

‘
Plantstate x(t) y(t)
Region of danger (safety is at risk)
u(t)
Region of unacceptable performance

Communication Channels Region of degraded performance

Region of required
u(t) r(t) ‘
y(t) performance
control logic state estimator

anomaly detector

Networked Controller
2
In other architectures, we might have other components
Fall - 2022 14 / 68

Defender model knowledge: control system operations

‘
Plantstate x(t) y(t)
u(t)

Communication Channels Communication Channels

u(t) r(t) ‘
y(t)
control logic state estimator

anomaly detector

Networked Controller Networked Controller

• P =information set describing the plant dynamical model

• C =information set describing the control logic
• E =information set describing the state estimator algorithm
• D =information set describing the detector rules
Defender Model knowledge Md := {P, C, E, D}
Fall - 2022 15 / 68
Information exchanged over the network

Communication Channels

Networked Controller

• Sensor measurements y(t) ∈ IRp

• Control signal u(t) ∈ IRm

Set of Information exchanged I(t) = {y(t), u(t)}

Fall - 2022 16 / 68

Adversary Models

Fall - 2022 17 / 68

Attacker’s Objectives
1 The attacker goal is to steer the plant’s state outside the region of
required performance (e.g., inside the region of
degraded/unacceptable/danger performance).
2 The attacker wants to minimize the chance to be detected by the
anomaly detector

‘
Plantstate x(t) y(t)
Region of danger (safety is at risk)
u(t)
Region of unacceptable performance

Communication Channels Region of degraded performance

Region of required
u(t) r(t) ‘
y(t) performance
control logic state estimator

anomaly detector

Networked Controller
Fall - 2022 18 / 68
Undetectable/Stealthy Attack

‘
Plantstate x(t) y(t)
Region of danger (safety is at risk)
u(t)
Region of unacceptable performance

Communication Channels Region of degraded performance

Region of required
u(t) r(t) ‘
y(t) performance
control logic state estimator

anomaly detector

Networked Controller

A cyber-attack against a CPS is said undetectable/stealthy if it

is capable of reducing the closed-loop plant performance while
remaining undetected by the anomaly detector

Fall - 2022 19 / 68

Attacker’s model knowledge 3

Communication Channels

Networked Controller

• P̂ =information set available on the Plant P

• Cˆ =information set available on the Controller C
• Ê =information set available on the state estimator E
• D̂ =information set available on the Detector D
n o
ˆ Ê, D̂ ⊆ Md
Attacker’s model knowledge Ma = P̂, C,
3
The hat symbol ˆ· denotes that the attacker might have a complete (or accurate) or partial (or inaccurate) understanding of
P, C, E, D
Fall - 2022 20 / 68

Attacker’s disclosure and disruptive resources

Communication Channels

Networked Controller

• Disclosure resources: subset of sensor measurements

y(t) ∈ IRp , p > 0 and control signals u(t) ∈ IRm , m > 0 that the
attacker can read violating the confidentiality of the channel
• Disruptive resources: subset of sensor measurements y(t) and
control signals u(t) that the attacker can corrupt violating the
integrity or availability of the channel

Fall - 2022 21 / 68
Basic attacks: eavesdropper and deception

Communication Channels

Networked Controller

• Eavesdropper attack:
  
Γu 0 u(t)
Ia (t) = Ia (t − 1) ∪
0 Γy y(t)
with Γu , Γy diagonal matrices containing {0, 1} on the diagonal
• Additive Deception/False Data Injection (FDI) attack
u′ (t) = u(t) + Ψu ua (t)
,
y ′ (t) = y(t) + Ψy ya (t)
with Ψu , Ψy diagonal matrices containing {0, 1} on the diagonal,
and ua (t), ya (t) the false data vectors
Fall - 2022 22 / 68

Generic attacker’s policy

Model

Communication Channels

Disruptive Disclosure
Attacker Policy

Networked Controller

• The attack policy/action at depends on the available model

knowledge Ma , disclosure resources (Γu , Γy ), and disruptive
resources (Ψu , Ψy ) .

Fall - 2022 23 / 68

3D Modeling of Attacks in Networked CPS

Fall - 2022 24 / 68
Attack Space: 3D modeling (1/3)
3D ATTACK SPACE

Model Knowledge
Model Knowledge
- Plant
-Controller
-Detector

Fall - 2022 25 / 68

Attack Space: 3D modeling (2/3)

3D ATTACK SPACE
Model Knowledge

Model Knowledge
- Plant Disclosure Resources
-Controller - Sensor measurements the attacker
-Detector can intercept
- Control Inputs the attacker can
intercept

Disclosure Resources

Fall - 2022 26 / 68

Attack Space: 3D modeling (3/3)

3D ATTACK SPACE
Model Knowledge

Model Knowledge
- Plant Disclosure Resources
-Controller - Sensor measurements the attacker
-Detector can intercept
- Control Inputs the attacker can
intercept

Disclosure Resources
s
ce
ur
o
es
eR

Disruptive Resources
tiv

- Sensor measurements the attacker

up
isr

can violate the integrity/availablity

D

- Control Inputs the attacker can

violate the integrity/availability

Fall - 2022 27 / 68
 Examples of Attacks against CPS

Fall - 2022 28 / 68

Denial-of-Service Attack (DoS)

A DoS a...k is an att.....w.h .......................

Fall - 2022 29 / 68

Denial-of-Service Attack (DoS)

Model

Attacker Policy

Disruptive Disclosure
Attacker Policy

Attack policy at
• Prevent the actuator and/or sensor data from reaching their
respective destinations and producing an absence of data
(breaking the feedback loop).

Fall - 2022 30 / 68
Denial-of-Service Attack (DoS) - resources

Model

Attacker Policy

Disruptive Disclosure
Attacker Policy

3D Modeling
• Model knowledge: Ma = ∅
• Disclosure Resources: Γu = 0, Γy = 0
• Disruption Resources: Ψu (i, i) = 1, Ψy (j, j) = 1 on all the
channels i, j where the DoS attack is performed (e.g., where then
attacker can congest/jam the communications creating a loss of
transmission)

Fall - 2022 31 / 68

Denial-of-Service Attack (DoS) - performance

Model

Attacker Policy

Disruptive Disclosure
Attacker Policy

Attack Performance
1 Trivially not a stealthy attack. However, DoS attacks may be
misdiagnosed as a poor network condition.
2 DoS attacks affect the plant performance. With DoS, the control
system operates in open-loop!

Fall - 2022 32 / 68

Replay attack on sensor measurements (stuxnet-like)

Replay Attack - Phase 1 Replay Attack - Phase 2

Attack policy
• Phase I: Measurement eavesdropping (0 ≤ t ≤ T )
  
0 0 u(t)
Ia (t) = Ia (t − 1) ∪ , ua (t) = 0, ya (t) = 0
0 Γy y(t)

• Phase II: Replay + False Data Injection (FDI) (T < t ≤ 2T )

y ′ (t) = y(t − T ), u′ (t) = u(t) + Ψu ua (t)

Fall - 2022 33 / 68
Replay attack - resources

Model

Replay Attack - Phase 2

Disruptive Disclosure
Attacker Policy

3D Modeling
• Model knowledge: ?
• Disclosure Resources: ?
• Disruption Resources: ?

Fall - 2022 34 / 68

Replay attack - resources

Model

Replay Attack - Phase 2

Disruptive Disclosure
Attacker Policy

3D Modeling
• Model knowledge: Ma = ∅
• Disclosure Resources: Γy = I
• Disruption Resources: Ψy = I, Ψu (i, i) = 1 (in the input
channels i where the FDI is injected)

Fall - 2022 35 / 68

Replay attack - performance

steady-state conditions NO steady-state conditions

t t

t t
recording replay + FDI recording replay + FDI

Attack Performance
• The plant performance can be damaged because the attacker has
an arbitrary control on the actuation channel
• If the plant is in steady-state conditionsa then the attack is
undetectable/stealthyb
a
Steady-state = the variables are unchanging in time
b
For the basic passive detector assumed so far. To detect replay-attacks, we will study the active detector
proposed in [Mo, 2009].
Fall - 2022 36 / 68
Zero-stealthy attack

Zero Dynamics Attack

• Def.: An input attack signal ua (t) is said 0−stealthy with respect to

the anomaly detector D (located in the control center) if the output
due to the attack, namely y a (t), is 0 at all times, i.e. y a (t) ≡ 0, ∀ t,
see [Teixeira, 2015]

Attack policy
• Inject in the actuation channel an attack signal ua (t) that changes
x(t) but leaves unchanged y(t).
Fall - 2022 37 / 68

Zero-stealthy attack - resources

Model

Zero Dynamics Attack

Disruptive Disclosure
Attacker Policy

3D Modeling
• Model knowledge: Ma = P̂ ≡ P
• Disclosure Resources: Γu = 0, Γy = 0
• Disruption Resources: Ψy = 0 and Ψu (i, i) = 1 (in the input
channels i where the zero-stealthy attack is injected)

Fall - 2022 38 / 68

Zero-stealthy attack - performance

Zero Dynamics Attack

Attack Performance
• The attack is, by construction, undetectable for D and it can
potentially create great damage to the plant (e.g., x(t) keeps
increasing over time possibly reaching a fatal condition for the
plant)
• Fortunately, such an attack is doable only against CPSs with
specific properties (e.g., if the plant has an unstable zero), see
[Teixeira, 2015] if you are interested in further details.
Fall - 2022 39 / 68
Covert Attack

Covert Attack

Attack policy
Inject in the actuation and measurement channels two attack vectors
ua (t) and ya (t) such that
• ua (t) produces a damage to the the plant
• ya (t) cancels out the effect of ua (t) from the sensor
measurements y(t)
Fall - 2022 40 / 68

Covert Attack - Simplified Example

Covert Attack

P is described by the following model: y(t) = 2u′ (t)

1 The controller sends u(t) = 3 to obtain y u (t) = 6 (expected output)

2 The attacker injects ua (t) = 25. Therefore u′ (t) = 3 + 25 = 28
3 The real output of the system is y(t) = 28 ∗ 2 = 56 (real output).
4 The attacker, to hide its input attack, properly corrupts y(t)
exploiting the model of the plant. It performs the following action
y ′ (t) = 2 ∗
y(t) − |{z} 25
|{z} =6
|{z}
real output model attack on u

5 The controller receives y ′ (t) ≡ y(t)u and no anomaly is detected

Fall - 2022 41 / 68

Covert Attack - resources

Model

Covert Attack

Disruptive Disclosure
Attacker Policy

3D Modeling
• Model knowledge: Ma = P̂ ≡ P
• Disclosure Resources:
• If the plant has a linear behavior: no disclosure resources are needed
• If the plant has a nonlinear behavior: Γu = I (or alternatively Γy = I)
• Disruption Resources: Ψy = I and Ψu = I

Fall - 2022 42 / 68
Covert Attack - performance

Model

Covert Attack

Disruptive Disclosure
Attacker Policy

Attack Performance
• A covert attack is a perfect stealthy attack that cannot be detected
by any detector located in the control center, see [Smith, 2011].
• Specific detection architecture have been developed to detect
such attacks.a
a
We will study the Moving Target detection schemes developed in [Schellenberger, 2017] and [Weerakkody, 2015].

Fall - 2022 43 / 68

Attack Overview in the 3D Attack Space

[Teixeira, 2015]4

4
bias injection = FDI
Fall - 2022 44 / 68

Example of Stealthy Attack Against State Estimation

in Smart Grid

Fall - 2022 45 / 68
Smart Grid: Power Transmission System
x(t)= grid state vector (Status)
PMU

PMU

PMU PMU

cyber-attack

Fall - 2022 46 / 68

Power System State - Why it is important?

• Given the state x of the transmission system we can see the

status of the Smart Grid:
1 Normal
2 Emergency
3 Restorative
• Normal: all the loads in the system can be supplied power by the
existing generators without violating any operating constraints
• Emergency: there is the violation of some of the operating
constraints while the power system continues to supply power to
all the loads. We must bring the system back to normal using
corrective actions!
• Restorative: Correction actions are being applied to
stabilize/eliminate limit violations, e.g. disconnecting loads,
disconnecting lines, energy re-balance

Fall - 2022 47 / 68

Power Transmission System and Control over Network

x(t)= grid state vector (Status)

PMU

PMU

PMU PMU

cyber-attack

• Good state estimation x̂ is needed to manage the power network

• Wrong estimation → wrong control action u(t)

Fall - 2022 48 / 68
 Plant Model

Fall - 2022 49 / 68

Plant Model - Power flow model

x(t)= grid state vector (Status)
PMU

PMU

PMU PMU

Communication Channels

cyber-attack

Networked Controller

• The AC power flow model (P) is described by a set of nonlinear

equations. These equations are linearized (approximated) for
state estimation purposes
Fall - 2022 50 / 68

Plant Model - DC power model

Communication Channels

Networked Controller

• Let us denote with x(t) the state of the system 5 with y(t) the
available measurements, i.e.,

x = [x1 , x2 , . . . , xn ]T , y = [y1 , y2 , . . . , ym ]T , n, m ∈ Z + , xi , yi ∈ R

• The linearized static power flow equation (plant model) has the
following structure, also known as DC power model

y(t) = Cx(t) + e(t), where m > n and C is full rank

C is the grid topology and e the measurement errors

5
the state is defined by the buses’ voltage angles and magnitudes [Liu, 2011].
Fall - 2022 51 / 68
State Estimation Problem in DC power model

x(t)= grid state vector (Status)

PMU

PMU

PMU PMU

cyber-attack

y(t) = Cx(t) + e(t)

• Problem: How can we find the best fit x(t) for a given y(t)?
• We have to solve a system with n unknown and m equations,
where m > n, and C is full rank.

Fall - 2022 52 / 68

State Estimator

Fall - 2022 53 / 68

State Estimation - Least Square Estimation

y(t) = Cx(t) + e(t)

• If the measurement error e(t) is zero mean and Gaussian, then
x(t) can be estimated using a least square estimation formula

x̂(t) = (C T C)−1 C T y(t) ← state estimation algorithm

Can we understand if some sensor measurements are wrong

(e.g., because a sensor is broken)?

Fall - 2022 54 / 68
 Anomaly Detector/Bad Data Detector

Fall - 2022 55 / 68

Bad Data Detector(1/3)

Model P
y(t) = Cx(t) + e(t)
State Estimator E

x̂(t) = (C T C)−1 C T y(t)

• If we have faulty sensors, some of the data y(t) received might not
be correct. How can we detect bad data?
• Once we get a state estimation x̂(t), we can build the so-called
measurement residual:
residual signal → r(t) = y(t) − C x̂(t)

• Notice that if the estimation is perfect (i.e., x(t) = x̂(t)) and

e(t) = 0, then r(t) = 0
• Since we have measurement noise, we can say good
estimation if r(t) ≤ τ with τ a given small threshold
Fall - 2022 56 / 68

Bad Data Detector (2/3)

• Given a threshold τ, and by considering any norm, we can claim

• No anomalies/No bad data if:

ky − C x̂k ≤ τ

• Anomaly/Bad data if:

ky − C x̂k > τ

Fall - 2022 57 / 68
Bad Data Detector (3/3)

ky − C x̂k > τ

Now the question is: If we can detect faulty sensors, can we

also detect cyber attacks producing False Data Injection in the
sensor measurements?

Fall - 2022 58 / 68

2011 Discovery

x(t)= grid state vector (Status)

PMU

PMU

PMU PMU

Communication Channels

cyber-attack

Networked Controller

The authors of [Liu, 2011] discovered that if an attacker knows

the power system model y = Cx + e (i.e., P̂ ≡ P), then he/she
can generate bad measurements that bypass the bad data
detector

Fall - 2022 59 / 68

Design an undetectable attack against state

estimation in Smart Grid

Fall - 2022 60 / 68
Attacker’s Objective and Resources

Model

Stealthy Bias Attack

Disruptive Disclosure
Attacker Policy

• Attack objective and policy: Cause a bias in the state

estimation without generating alarms. To obtain so, a FDI attack is
performed on the sensor measurements
• Resources:
• Model knowledge: Ma = P̂ ≡ P = {C}
• Disclosure resources: Γu = 0, Γy = 0
• Disruptive resources: Ψu = 0, Ψy (j, j) = 1 where the FDI is injected

Fall - 2022 61 / 68

FDI Attack

• We assume that the vector of observed measurements contains

malicious data according to the following formula:

y ′ = y + ya

where y are the sensor measurements and ya is the attack vector

• If yai 6= 0, then the i − th measurement has been compromised

Fall - 2022 62 / 68

Attack Impact on the State Estimation (1/2)

• Let x̂ be the state estimated using the original (without attacks)

measurements y
• Let x̂bad be the state estimate of x using the malicious
measurement y ′ = y + ya
• We can represent
x̂bad = x̂ + d
where d 6= 0 is the estimation error (bias) produced by the
attacker’s FDI injection ya

Fall - 2022 63 / 68
Attack Impact on the State Estimation (2/2)

• Theorem: If the measurement vector y (with no attack) passes the

bad data detector, i.e.

||y − C x̂|| ≤ τ

then y ′ = y + ya passes the bad data detection if ya = Cd

• Proof:
Since y can pass the detection, we have that ||y − C x̂|| ≤ τ. If we
consider the attack, we have that

||y ′ − C x̂bad || = ||y + ya − C(x̂ + d)|| = ||y + ya − C x̂ − Cd||

= ||y − C x̂ + ya − Cd || = ||y − C x̂|| ≤ τ
| {z }
if 0 then→

Fall - 2022 64 / 68

Undetectable False Data Injection

Steps:
1 The attacker decides the bias d to cause on the state estimation

x̂bad = x̂ + d

2 The attacker compute and inject ya into the measurements

ya = Cd

y ′ = y + ya
Result: The above attack bypasses the bad data detector, i.e.

||y − C x̂|| ≤ τ

while changing the result of state estimation. Therefore this attack is

by definition undetectable/stealthy for the considered anomaly detector

Fall - 2022 65 / 68

Thank you!

Fall - 2022 66 / 68
References I
D. Kundur
Cyber Security of Smart Grid
Class: Cyber-Physical Security of the Smart Grid

H. Tebianian, B. Jeyasurya
Dynamic state estimation in power systems: Modeling, and challenges
Electric Power Systems Research, 2015.

A. Teixeira, I. Shames, H. Sandberg, K. H. Johansson

A secure control framework for resource-limited adversaries
Automatica, 135–148, 2015.
Y. Mo, B. Sinopoli
Secure control against replay attacks
IEEE Allerton Conference, pp. 911–918, 2009.

A. Teixeira, I. Shames, H. Sandberg, K. H. Johansson

Revealing stealthy attacks in control systems
IEEE Allerton Conference, 1806–1813, 2012.

Fall - 2022 67 / 68

References II

S. R. Smith
A decoupled feedback structure for covertly appropriating networked control
systems
IFAC Proceedings, 44.1, 90–95, 2011.

S. Weerakkody, B. Sinopoli
Detecting integrity attacks on control systems using a moving target approach
IEEE 54th Annual Conference on Decision and Control (CDC), 2015.

C. Schellenberger, , and P. Zhang

Detection of covert attacks on cyber-physical systems by extending the system
dynamics with an auxiliary system
IEEE 56th Annual Conference on Decision and Control (CDC), 2017.

Y. Liu, P. Ning and M.K Reiter

Generalized False Data Injection Attacks Against State Estimation In Electic
Power Grids
ACM Transactions on Information and System Security 14(1), 2011.

Fall - 2022 68 / 68