Cyber Attack and Fault Identification of HVAC
System in Building Management Systems
A. Sheikh, Student Member, IEEE, V. Kamuni, Student Member, IEEE, A. Patil, Student Member, IEEE,
S. Wagh, Senior Member, IEEE, and N. Singh, Member, IEEE
EED,VJTI, Mumbai, India
Abstract—In today’s modern life the smart buildings play
an important role in providing a luxurious environment with
reduced energy consumption and environmental concern. For
managing every smart equipment according to the requirement
and comfort, the centralized management system called the
Building Management System (BMS) performs an essential
part. The operations of BMS is majorly coordinated with the
communication layer or a cyber layer. Thus, the BMS is very
much prone to cyber attacks and can lead to malfunctioning of
major components in BMS. Another important aspect is electrical
faults in the system irrespective of any cyber attacks. The
paper focuses, firstly, to identify the electrical fault and attack
with proposed Boolean Identification Strategy (BIS). Secondly,
after the identification of attack, the paper analyzes the type
of attacks with pattern recognition using Machine Learning
classifier. The results show the effectiveness of proposed strategies
by recognizing the pattern of the two most familiar cyber attacks.
Index Terms—Building Management System, Cyber Attacks,
Faults, Machine Learning
I. I NTRODUCTION
I N buildings, the automatic control of different electrical
components has resulted in trends of smart buildings and
building management system (BMS). With the era of smart
buildings, various systems such as telecommunications, user
systems, life safety, building automation, and facility manage-
ment system are integrated under one roof. There are primarily
two main reasons because of which concept of smart buildings
appears to be almost inevitable. Firstly, the need for high effi-
cient output of employees inside a building is important as the
user spends 90% of time indoors [1]. Secondly, the building
consumes approximately 40% of total energy consumption and
is also responsible for 30% of greenhouse gas emissions [2].
For controlling various components such as building heating
demand, fire alarming system, security system, etc. a BMS is
used in smart buildings. The users comfort is most affected
by the operation of heating, ventilation and air conditioning
(HVAC) and it is also considered to be one of the highest
sources of energy consumption while the building is in op-
eration. The efficient operation of an HVAC system depends
significantly on BMS as well as supervisory control and data
acquisition (SCADA) system. The thermal components (e.g.,
A. Sheikh, V. Kamuni, A. Patil, S. Wagh and N. Singh are
with the Department of Electrical Engineering, VJTI, Mumbai, India
masheikh_p17@ee.vjti.ac.in
978-1-7281-2658-6/19/$31.00 © 2019 IEEE
Authorized licensed use limited to: University of Exeter. Downloaded on June 14,2020 at 13:37:56 UTC from IEEE Xplore. Restrictions apply.
boilers) operation is managed with the help of BMS, whereas
the operation of electrical components (e.g., combined heat
and power (CHP)) is managed by SCADA. However, the
control and management of such smart buildings require an
extensive exchange of information and data as well as the
integration of physical and cyber systems. With this integra-
tion, there is a major concern over the optimal sharing of both
digital (relevant data) and natural resources (such as water or
energy) in smart buildings [2]. Hence such smart buildings are
subjected to high risk of vulnerabilities and cyber-attacks in
the coming years.
The most well-known case of cyber-attack on buildings is
an attack on Google Australia office in Sydney (May 2013)
[3], in which the complete BMS system was hacked by the
attackers. According to [4], hackers broke into intranet of
Target Corporation by stealing network credentials from a
service provider of HVAC which resulted in the exposure of
around 40 million credit and debit accounts within a span
of 3 weeks. As described in [5], with the advancement in
the HVAC market, there is a simultaneous increase in the
number of smart buildings. The increase in the number of
components getting integrated into buildings results in BMS
becoming more accessible online [6]. This recent development
in connection of SCADA to the internet resulted in the
integration of a new system with old system leading to more
exposure of the system to cyber-attacks.
There has been a tremendous increase in the area of control
systems security research, resilient control design and attacks
estimation algorithms. [7]–[12]. In [7] an intelligent adversary
was considered which increases the system operation cost in
contrast to controller objective of reducing the same cost. The
limitations of identifying and detecting attack were analyzed
by [8] with the help of linear systems in the power grid.
In [9] the authors first characterize the nodes which are
infected but can be tolerated and then proposes a way to
deal with the consequences of malicious agents present in the
system. The linear system estimation and control in presence
of attack on some of sensors and actuators were studied in
[10]. Further, the authors presented an efficient algorithm
based on compressed sensing techniques for estimating plant
state in spite of the attack. In addition, [11] proposed a general
framework for modeling and analyzing the impact of attacks.
The authors designed a control technique in [12], which uses
a recursive filtering algorithm for estimating system states.
This technique has the advantage of resiliency against certain
attack on the sensor. From the aforementioned literature, it can
be said that the detection of attack as well as identification
of attack is quite challenging. As in the present situation
with an era of critical infrastructures the major concern is to
distinguish between an electrical fault and cyber attack. Once
the difference between attack and fault is build, the next major
task is to detect the type of cyber attack. When the cyber attack
is detected, different control policies for maintaining system
resiliency should be triggered. In the case of smart buildings as
different component layers are integrated with each other the
complexity of handling the overall operation become tedious.
In such case, if some malfunctioning occurs in any of the
layers then it may affect the overall operation of the BMS
system.
In this paper different scenarios of cyber attack and fault in
an HVAC system of a smart building is considered. The major
contribution of the paper is as follows:
i) For identifying cyber attack and fault in case of smart
building a mechanism employing Boolean logic is pro-
posed in this paper
ii) The proposed Boolean logic is used for training the ma-
chine learning algorithm to differentiate between normal
mode, fault, and attack.
iii) After the identification of attack, a process control chart
and day ahead predicted logic is used to observe the
temperature profile pattern from which the type of attack
is recognized.
iv) To show the effectiveness of proposed Boolean logic and
machine learning algorithm, the two most familiar attacks
are introduced in the system and the proposed strategy
successfully detects the suspicious operating conditions
as well as the type of cyber attack present in the system.
The rest of paper is organized as follows: Section II focuses
on the model of BMS. Section III introduces different types
of attacks on BMS. Section IV presents the mathematical
formulation of the proposed strategy for differentiating attacks
and faults. Section V provides supporting case studies and
results to confirm the claim and Section VI concludes with
the possible future extension of the work.
II. M ODEL OF BMS
Smart buildings have various systems like HVAC, fire alarm
and detection system, illumination system, and access control
system interconnected to each other with the help of a central
system i.e. BMS. The BMS coordinates with different com-
ponents of buildings through a communication network. The
important consideration in case of BMS is the user comfort
for which the control strategy is manipulated based on the
user requirements. For effective operation of the BMS, various
sensors are implemented at different components layers. The
major role of the sensor is to continuously monitor the state
of the system and send different measured data to the central
system. With the help of these measurements, the system state
is estimated and accordingly the control actions are initiated.
The communication network plays a significant role in BMS
as all exchange of data between different layers is coordinated
Authorized licensed use limited to: University of Exeter. Downloaded on June 14,2020 at 13:37:56 UTC from IEEE Xplore. Restrictions apply.
by them. However, being an important link for data exchange
and communication it is more prone to cyber attacks.
In the worst case, the attack on the central system may lead
to complete failure of the system. However, for the attacker to
attack centralized computer it has to pass different layers of
BMS which is quite difficult on a real-time basis. The different
operating layers of the BMS system is shown in Fig. 1. It
consists of four layers physical layer, communication layer, a
protection layer, and a centralized control center as seen in
Fig. 1. The details of each layer are as follows
Fig. 1. Four operating layers of the BMS
1) Physical Layer: This layer consist of a physical set
of units present in the building. Each unit will have
different sensing as well as display components such
as temperature sensor, temperature display. Any attack
on this layer will result in the complete failure of the
unit.
2) Communication Layer: Communication layer connects
all the sensors and measuring units attached to devices
in the physical layer with protection layers through com-
munication links. These links transfer the actual state of
the sensors and measurement units to the protection unit,
which makes protection equipment respond well in time
to protect the system.
3) Protection layer: Protection layer consists of a relay,
circuit breakers, current and voltage measurements. This
layer performs a crucial role at the time of electrical
faults to protect the system from damage.
4) Control Center: Control center is the brain of the system
and ensures the healthy performance of the system by
continuously monitoring the system. The communica-
tion links act as the nerves of the system and bring
data from sensors and measurement units. If the control
center finds some unusual behavior it will take the
corresponding corrective action.
III. ATTACKS ON BMS
The BMS is centralized computer-based control of actuators
operating across the building. To make it smart the BMS
is integrated with other systems via open protocols such as
C-Bus and Profibus or internet protocols [2]. The BMS is
integrated with temperature control, access control, lighting,
security, power, fire control, elevator and escalator controls,
smart whiteboards, and clinical systems. This characteristic is
making smart building increasingly susceptible to the cyber
attack. Most of the BMS has Internet-accessible controls. The
connection with the internet makes the system more prone to
cyber attacks. By hacking the BMS, the attacker may gain
access over the system control. The attacker might enable to
change temperature setpoint of the HVAC system.
The role of cyber attacks in BMS is explained in this section.
Nowadays the cyber attacks are continuously increasing. Thus,
it is important to understand the behavior of different attacks
on the system model. Cyber attacks severity is identified using
adversary’s resources and model knowledge of the system.
The adversary’s resources include disclosure resources and
disruptive resources [11]. Considering a few types of attacks
such as Denial of Service (DoS), and Replay Attack the
temperature behavior is observed. The attack scenarios on
HVAC in BMS is as follows,
1) DoS Attack: The DoS attack is the cyber attack in which
the malicious attacker aims to disrupt the target system
by temporarily jamming the data signals. Unfortunately,
modern critical infrastructures have experienced many
DoS attacks. The DoS attack may flood the SCADA
system or any Remote Terminal Unit (RTU). This may
lead to a delay in data transfer. This type of attack has
knowledge of both disclosure and disruptive resources.
In an HVAC system, where the temperature of the room
is maintained with BMS control. If the attacker intrudes
into the system, it may disturb the temperature set-
point, which cause a delay in monitoring temperature
information. Thus, at the time of DoS, the temperature
at time t0 will be the same as at time tn . The temperature
at the time of DoS is given as,
T emp(tn ) = T emp(tn+1 )
2) Replay Attack: In a replay attack, the adversary aims
to manipulate the system by misleading the data signals.
The data signals are tampered by maliciously repeated or
delayed data. The replay attack may interrupt the system
by stealing the data of a particular meter and using
the same data repetitively to duplicate the identity. It
has knowledge of both the disclosure and disruptive re-
sources, with which the attacker can read the information
and use for later disrupt of the system. Coming to HVAC
systems, the replay attack may occur by eavesdropping
the temperature profile for a particular time period. By
doing this the attacker knows how the profile is varying.
This data may be replayed to fool the BMS at different
time periods to exploit the system.
Let T emp1 (t) be the set of temperature profile data
for a day (24hours),
T emp1 (t) = {α1 , α2 , ...., αn }
Authorized licensed use limited to: University of Exeter. Downloaded on June 14,2020 at 13:37:56 UTC from IEEE Xplore. Restrictions apply.
where n is the number of states at time t Suppose, if
some part of T emp1 (t) is eavesdropped by an attacker,
that is T emp1 (tp ) = {αr , ...., αk }, where r, k < n. In
a replay attack, the attacker tries to replicate this data
in the next 24hours time interval from r to k. Let say
T emp2 (t) be the set of temperature data for a second
day.
T emp2 (t) = {β1 , β2 , ...., βn } (3)
The part of temperature values of T emp2 (k) is replaced
by {αr , ...., αk }. Thus,
T emp2 (t) = {β1 , β2 , ..., αr , ...., αk , ..., βn } (4)
With this the attacker succeeds in manipulating the
temperature data, which affects the BMS control over
HVAC, affecting the operational status.
IV. M ATHEMATICAL F ORMULATION FOR
DIFFERENTIATING ATTACKS AND FAULTS
A. Boolean Identification Strategy (BIS) for different operating
conditions
The thermodynamics of a closed room is seen at the
thermostat and its internal temperature equipped with Air
conditioning (AC) unit can be modeled using thermostat
parameters using hybrid state model [13]. The dynamics of
internal temperature T emp(t)is given as,
1
˙
T emp(t) = [T emp(t) − T empa (t) − Sf P R] (5)
τ
where T empa (t) is ambient temperature, Sf is a scaling factor
of switching device, P is average energy transfer rate of the
AC unit, R is the thermal resistance and τ is the time constant.
This dynamics of temperature is sensed by sensors con-
nected at the field level or the physical layer. The internal
temperature T emp(t) is sensed by sensor S1 and ambient
temperature T empa (t) by sensor S2 as shown in Fig. 2. As
discussed in Section III, the HVAC system of the particular
(1) building has the possibility of being attacked or the occurrence
of electric faults. The operating status of HVAC for the
proposed system is classified into three, i.e. normal, fault and
attack scenarios. To identify the operating status of centralized
BMS controlled HVAC, the paper proposes the identification
strategy called Boolean Identification Strategy (BIS), which
determines the status of HVAC using logic explained in Fig.
3. The electrical faults in the sensor are secured by protection
layer using the relay actuation system. However, BMS can be
misled by manipulating the status of sensors by an attacker.
Thus, the operating status of HVAC should be continuously
monitored and respective action should be taken.
The logic involves two sections i.e. sensor status and energy
status, depending upon which the relay actuation status R is
operated. The status of sensors S1 and S2 are continuously
monitored using backup sensor Sb . The Sb goes high only
if both the sensors are on active status. Whenever anyone of
sensor or both sensors are inactive because of fault or attack,
(2) the Sb goes low. All the sensors S1 , S2 and Sb status is
 TABLE II
FAULT OPERATING CONDITION OF HVAC

S1 S2 Sb Sstatus VS1 VS2 P Pstatus R

0 0 0 1 0 0 1 1 1
0 1 0 1 0 1 1 1 1
1 0 0 1 1 0 1 1 1

operator, but the corresponding sensor voltage remains

Fig. 2. The structural layout of floor map equipped with AC units
Fig. 3. Logical representation of BIS
monitored by Sstatus , only if all three sensors goes high the
output Sstatus goes low. In case of any fault, the sensor status
goes inactive and the corresponding sensor voltage also goes
low. According to the condition of Sstatus and Pstatus the
relay R is activated.
The three possible scenarios of operation are discussed us-
ing the BIS method to identify and distinguish the fault/attack.
1) Normal: When the BMS system is operating at the
normal condition it means all the sensors at field level
are working in their healthy state. It defines that sensor
S1 and S2 are an active state, which also keeps Sb active.
Thus, it does not affect the status of VS1 , VS2 , and P
keeping all at active state which indicates relay actuation
to be inactive. The normal condition is summarized in
Table I,
TABLE I
N ORMAL OPERATING CONDITION OF HVAC
S1 S2 Sb Sstatus VS1 VS2 P Pstatus
1 1 1 0 1 1 1 0
2) Faults:The sensor faults may occur due to various rea-
sons, one of which is direct exposure to the environment,
which may reduce the reliability and accuracy of the
sensor reading. At such conditions the sensor status goes
inactive, which also reflects on the status of the backup
sensor. As the sensor goes inactive, the corresponding
sensor voltage goes low. Thus, the relay actuation system
goes active in case of various sensor fault such as a fault
in any one sensor or fault in both the sensor, which are
summarized in Table II.
3) Attack: To mislead the BMS the attacker may manipu-
late the HVAC field sensors to interrupt the operation of
BMS. At the time of the attack, the attacker changes the
status of the sensor from active to inactive or vice-versa.
If the attacker succeeds in accessing or controlling the
status of the sensor, by indicating the wrong signal to the
high. In such case even though the manipulated status
of the sensor is low the corresponding voltage sensor
remains high as shown in Table III. It is highly desired
that during an attack the system should remain intact
and there is no malfunctioning in the protection circuit.
Even though there is no electrical fault in the sensor, the
manipulated status of sensor shows the output to be low
which is equivalent to an electrical fault. In the case of
the low output of the sensor, the relay circuit should not
get active.
TABLE III
ATTACK OPERATING CONDITION OF HVAC
S1 S2 Sb Sstatus VS1 VS2 P Pstatus R
0 0 0 1 1 1 1 0 0
0 1 0 1 1 1 1 0 0
1 0 0 1 1 1 1 0 0
B. General description of Process Control Chart
Process Control Chart is a graphical representation of qual-
ity characteristics that have been measured from sample versus
the sample number or time. As seen in Fig. 4 it contains
a centerline (CL) that represents the average value of the
quality characteristic corresponding to the control state. The
inner two horizontal lines represent warning limits called an
upper warning limit (UWL) and lower warning limits (LWL).
The outer lines correspond to the upper control limit (UCL)
and lower control limit (LCL). If nearly all process samples
R fall between warning limits then the process is assumed to
0 be in control. If the process sample falls between warning and
control limit for a small duration and returns back to normal as
seen from the red plot in Fig. 4 then system shows suspicious
behavior but adjust itself to get back into normal mode. Such
a system is adaptive and is able to manage small disturbances.
If the process crosses the control line as shown by the yellow
plot then there is a need for corrective actions as soon as
possible.
Even if all the points plotted inside the control limits behave
systematically or randomly represented by a green plot in Fig.
4 then this could be an indication of malicious behavior of
the system and verification of process is needed. From Fig. 4
it can be seen that even though the green plot lies between
the warning limits the pattern is continuously constant with
reference to CL. If this pattern of the sample increases above
a threshold value then an alarm circuit should be triggered for
suspicious activity. Similarly, if the threshold of a number of
suspicious samples is defined and if the number of samples

Authorized licensed use limited to: University of Exeter. Downloaded on June 14,2020 at 13:37:56 UTC from IEEE Xplore. Restrictions apply.
 Fig. 4. General control chart showing different operating limits
falling between warning limit and control limit is more than
this threshold as shown by the yellow plot in Fig. 4 then the
system is not able to withstand disturbances and the warning
alarm for taking corrective actions will be alerted.
C. Identification of Attack using a day ahead prediction
As described in Section IV-B the process control chart iden-
tifies any malicious behavior in the system by using control
limits. The threshold value of δ for variation in temperature
is considered to be 8 number of samples. If the temperature
samples show malicious behavior for more than 8 samples then
necessary action should be initiated. However, considering the
complexity of the BMS system another backup mechanism is
adapted for re-verification of the number of samples deviated
based on the day ahead predicted values. In the day ahead pre-
diction generally the next day temperature profile is predicted
based on the daily consumption and occupants patterns. The
day ahead predicted value will be compared with the present-
day value and any major deviation in the number of samples
will result in the activation of an alarm circuit.
As seen in Fig. 5, initially the machine learning algorithm
is trained using BIS for classifying the modes of operation.
Once the mode is classified as fault then the protection layer
circuit is activated. However, when the mode is classified as
attack the data set of the temperature profile is checked for
any deviation or malicious activity. If the value in temperature
profile deviation is less than the threshold value then the
alarm circuit is activated and the complete system is checked
for malicious activity. For the deviation value greater than
the threshold value, the next step is to compare the day-
ahead predicted profile and current profile. If there is a
major deviation in profile then the machine learning algorithm
is adopted for identifying the type of attack. The machine
learning algorithm for identify the attack is trained using (1),
(2), (3), and (4).
V. R EPRESENTATIVE C ASE S TUDY AND R ESULTS
The proposed BIS logic is used to train the machine learning
algorithm. The representative case study is carried out in two
parts. In the first part, the modes of operation are classified
as a normal, fault, and attack with the help of BIS trained
machine learning algorithm. Secondly, the types of attack i.e.
Authorized licensed use limited to: University of Exeter. Downloaded on June 14,2020 at 13:37:56 UTC from IEEE Xplore. Restrictions apply.
Fig. 5. Flowchart for proposed methods to classify and identify the attacks
DoS or Replay attack is identified using the machine learning
algorithm.
A. Classification of Normal, Fault, and Attack mode
A system must be able to identify and differentiate between
different operating modes. It must be able to detect whether the
system is working in normal mode or fault has occurred. In this
paper, a classifier algorithm is used for differentiating attack
and fault. In the case of a bilinear classifier for training the
network, two different classes are used. A data set is formed
showing the states of the sensors and relays for the different
scenarios shown in Table I, Table II and Table III. The given
data set has three scenarios of an HVAC system operation
which are normal mode, fault, and attack. For training the
bilinear classifier instead of considering all scenarios together
only two of them are considered at a time. Four different cases
for considering the different combinations of two scenarios are
shown in Table IV. In case 1 network is trained with classes
normal mode and attack, case 2 considers attack and fault,
case 3 considers normal and fault and case 4 considers fault
and attack together and normal operation.
TABLE IV
D IFFERENT CASES FOR CLASSIFICATION
Case Class A Class B
case1 Normal Attack
case2 Attack Fault
case3 Normal Fault
case4 Fault and Attack Normal
B. Attack identification: DoS or Replay attack
Once the classification between fault and attack is built the
next major step is to identify the type of attack on the system.
This attack detection is carried out using a machine learning
algorithm. This paper uses the Support Vector Machine (SVM)
algorithm which finds a hyperplane in N-dimensional space
that distinctly classifies the data points. To separate two classes
of data points, there are many possible hyperplanes available,
SVM produces a hyperplane which provides maximum margin
between two classes. This margin helps in providing some
reinforcements so that future data points can be classified
with more confidence. The machine learning classifiers are
trained such that any presence of malicious data will be
detected. Firstly, the number of samples in the presence of
attack is verified using the process control chart and day-
ahead predicted logic. Secondly, the samples are compared
with standard cyber-attacks patterns using (1), (2), (3), and
(4). This information of cyber-attack pattern is fed to SVM
algorithm for training. After the occurrence of attack, the
machine learning classifier starts recognizing the patterns of
temperature profile and depending on the pattern it classifies
the type of attack. From Fig. 6 it can be seen that the
temperature profile remains constant after 45 hours till 90
hours this activity is similar to the DoS attack as described
in (1) where the previous value keeps on repeating in the next
value. Thus, the identified attack can introduce the latency in
BMS communication network.
Fig. 6. Temperature profile under the influence of DOS Attack
Similarly in Fig 7 it can be seen that the temperature
profile is manipulated with false data in a periodic manner as
explained in Section III. In Fig. 7 it can be observed that for
around every 20 hours the data is repeated because of attack.
This situation is similar to replay attack in which as per (2), (3)
and (4) the temperature data of the first day is repeated again in
second-day temperature profile for a particular period of time.
Thus by considering different pattern recognition techniques,
the SVM algorithm classifies whether the attack is a DoS
attack or a replay attack. However, in the case of a DoS attack,
there is no major loss or system damage, whereas the replay
attack can cause considerable damages or losses to the system.
Thus, knowing the faults or attacks of the system prior to any
casualty and taking the necessary measurements to deal with
it, is always the priority in critical infrastructure.
VI. C ONCLUSION
The paper proposed a BIS strategy for differentiating fault
and cyber attacks in a BMS. The proposed strategy first
classifies the different operating mode of the system whether
Authorized licensed use limited to: University of Exeter. Downloaded on June 14,2020 at 13:37:56 UTC from IEEE Xplore. Restrictions apply.
Fig. 7. Temperature profile under the influence of Replay Attack
the system is working in normal mode, or is under attack, or
has experienced an electrical fault. Secondly, after the classi-
fication, using process control chart and day ahead predicted
logic two famous cyber attacks i.e. DoS and replay attack
is identified. The Machine Learning algorithms are used to
identify whether it is attack or fault and also to classify
the types of attacks in the system. From the result, it is
claimed that the proposed strategy successfully differentiate
between attack and fault and also successfully classify the
types of attacks in the BMS. In the future, the different types
of cyber attacks like flooding, false data injection, etc. will
be considered for testing the effectiveness of the proposed
strategy.
R EFERENCES
[1] J. A. Leech, W. C. Nelson, R. T Burnett, S. Aaron, and M. E.
Raizenne, “It’s about time: a comparison of canadian and american
time–activity patterns,” Journal of Exposure Science and Environmental
Epidemiology, vol. 12, no. 6, p. 427, 2002.
[2] S. Wendzel, J. Tonejc, J. Kaur, and A. Kobekova, Cyber security of
smart buildings. Wiley, 2017.
[3] K. Zetter, “Researchers hack building control system at google
australia office,” Wired. com, available at https://www. wired.
com/2013/05/googles-control-system-hacked (accessed 9th June, 2017),
2013.
[4] B. Krebs, “Target hackers broke in via hvac company,” Krebs on
Security, 2014.
[5] Markets and Markets, “Smart hvac controls market by product type,
components, application, operation & geography-analysis and forecast
to 2014-2020,” 2014.
[6] J. Vijayan, “With the internet of things, smart buildings pose big risk,”
Computer World, 2014.
[7] A. Gupta, C. Langbort, and T. Başar, “Optimal control in the presence
of an intelligent jammer with limited actions,” in 49th IEEE Conference
on Decision and Control (CDC). IEEE, 2010, pp. 1096–1101.
[8] F. Pasqualetti, F. Dörfler, and F. Bullo, “Attack detection and identifica-
tion in cyber-physical systems,” IEEE transactions on automatic control,
vol. 58, no. 11, pp. 2715–2729, 2013.
[9] S. Sundaram and C. N. Hadjicostis, “Distributed function calculation
via linear iterative strategies in the presence of malicious agents,” IEEE
Transactions on Automatic Control, vol. 56, no. 7, pp. 1495–1508, 2010.
[10] H. Fawzi, P. Tabuada, and S. Diggavi, “Secure estimation and control for
cyber-physical systems under adversarial attacks,” IEEE Transactions on
Automatic control, vol. 59, no. 6, pp. 1454–1467, 2014.
[11] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “A se-
cure control framework for resource-limited adversaries,” Automatica,
vol. 51, pp. 135–148, 2015.
[12] N. Bezzo, J. Weimer, M. Pajic, O. Sokolsky, G. J. Pappas, and I. Lee,
“Attack resilient state estimation for autonomous robotic systems,” in
2014 IEEE/RSJ International Conference on Intelligent Robots and
Systems. IEEE, 2014, pp. 3692–3698.
[13] S. Ihara and F. C. Schweppe, “Physically based modeling of cold load
pickup,” IEEE Transactions on Power Apparatus and Systems, no. 9,
pp. 4142–4150, 1981.