Fallback and Recovery Control System of Industrial Control System for Cybersecurity
Article in IFAC-PapersOnLine · July 2017
DOI: 10.1016/j.ifacol.2017.08.2402
https://www.researchgate.net/publication/320496448


Preprints of the 20th World Congress
The International Federation of Automatic Control
Toulouse, France, July 9-14, 2017

Fallback and Recovery Control System of Industrial Control System for Cybersecurity

Tsubasa Sasaki*, Kenji Sawada*, Seiichi Shin*, Shu Hosokawa**

*The University of Electro-Communications, Chofu, Tokyo 182-8585, Japan (Tel: +81-42-443-5891; e-mail: {tsubasa-sasaki}{knj.sawada}{seiichi.shin}@uec.ac.jp).
**Control System Security Center, Tagajo, Miyagi 985-0842, Japan (e-mail: shu.hosokawa@css-center.or.jp)

Abstract: This paper focuses on the Fallback Control System (FCS), an emergency response method for networked Industrial Control Systems (ICSs) that serves as a countermeasure against cyber-attacks. The FCS is deployed on the controlled objects rather than on the networked controllers. After an incident occurs, the FCS isolates the controlled objects from the networked controllers and controls them safely and locally. This switching of ICS operation is one-way, from normal operation to fallback operation; the recovery switching from fallback operation back to normal operation remains an open problem, because a cyber-attack may be aimed precisely at the moment the controlled objects are reconnected to the networked controllers. Motivated by this, this paper proposes a Fallback and Recovery Control System (FRCS) that adds a safe recovery switching to the FCS. While maintaining fallback control of the controlled object, the virtual operation mode of the FRCS connects the networked controller to a virtual controlled object (Plant Simulator). The FRCS evaluates the soundness of the ICS from the responses exchanged between the controller and the virtual object, and only then reconnects the controller to the actual object. The soundness evaluation is based on a discrete-event system observer. The validity of the proposed recovery switching is verified in a practical experiment.

Keywords: Security, Petri nets, Control over networks, Observers for linear systems, Manufacturing automation over networks, Discrete event systems in manufacturing.

1. INTRODUCTION

Industrial Control Systems (ICSs), including power systems, water supply facilities, nuclear facilities, Factory Automation (FA) systems and so on, are facing security incidents (Kissel, 2013; Miller and Rowe, 2012; Zhioua, 2013; Khorrami et al., 2016). The reason is that ICSs are being designed and implemented with industry-standard computers, operating systems (OSs) and network protocols, and therefore increasingly resemble Information Technology (IT) systems. ICS incidents can endanger costly equipment or human life (Stouffer et al., 2015), so ICS security is attracting attention from various research fields. Hu et al. (2016) propose a security monitoring architecture for smart grids. Kogiso (2015) proposes encryption of controller parameters for ICSs. Several intrusion, cyber-attack or incident detection methods are based on machine learning and on the sequence characteristics of network traffic (Hoehn and Zhang, 2016; Onoda, 2016; Ozay et al., 2016; Isozaki et al., 2016). The present authors are interested in "maintaining functionality after an incident" and "safe recovery after an incident". In particular, we have proposed the Fallback Control System (FCS) for maintaining functionality after an incident (Sasaki et al., 2015; Sawada et al., 2015).

The FCS is deployed on the controlled objects rather than on the networked controllers, and has two main features. The first is that its incident detection is based on the analog signals of the field devices (actuators and sensors), whereas the existing methods use the contents of network traffic (e.g. Onoda, 2016); the reason is that attackers may tamper with those contents. The second is that the fallback control is local, not networked. During normal operation, the FCS connects the networked controller to the field devices via the field network (which is based on industrial Ethernet technologies). During fallback operation, the FCS isolates the field devices from the networked controller, and the fallback controller of the FCS takes over control of the field devices directly through analog signals instead of through the field network. The field devices are thereby isolated from the cyber-attack and from secondary damage, although the local control logic of the fallback controller is restricted because of the network isolation. Focusing on "maintaining functionality after an incident", our previous works (Sasaki et al., 2015; Sawada et al., 2015) implemented an incident detection function, a fallback switching (network disconnection) function, and a fallback control function in the FCS.

On the other hand, this operation switching is one-way, from normal operation to fallback operation, and the recovery switching from fallback operation back to normal operation remains open. This is because a cyber-attack may be aimed at the reconnection of the controlled objects to the networked controllers. Motivated by this, this paper proposes a Fallback and Recovery Control System (FRCS) that adds a safe recovery switching to the FCS. In other words, this paper

Copyright by the International Federation of Automatic Control (IFAC)

aims to add "safe recovery after an incident" to the FCS. While maintaining fallback control of the controlled object, the FRCS judges the soundness of the networked controller (the ICS soundness), confirms its integrity, and only then reconnects the networked controller. For checking integrity we adopt a Plant Simulator together with the incident detection method proposed in Sawada et al. (2015). The Plant Simulator simulates the behaviour of the controlled object, and the detection method is based on a discrete-event observer. We call the operation mode used for checking soundness the virtual operation. During this operation, the actual controlled object is connected to the FRCS via analog signals, and only the Plant Simulator is connected to the networked controller via the field network. The observer checks integrity from the feedback loop between the Plant Simulator and the controller, without influencing the actual controlled object. This paper carries out practical experiments to verify the capability of the FRCS.

The contribution of this paper is to implement "safe recovery after an incident" by means of the virtual operation. Since the actual controlled object is not connected to the field network during the virtual operation, the FRCS can confirm the integrity of the controller safely. The FRCS designed in this paper thus contributes to enhancing the cyber-security of ICSs.

2. EXPERIMENTAL CONTROL SYSTEM

Fig. 1 Networked control system

Fig. 1 shows the structure of the networked control system used in this paper. The plant is controlled remotely by the networked controller. The control software in the networked controller is developed with MATLAB/Simulink (MathWorks, 2016). The network protocol between the network devices, i.e. the networked controller and the Remote I/O, is Modbus/TCP (Modbus-IDA, 2012), a common industrial protocol based on Ethernet (Rojas and Morell, 2010) that MATLAB/Simulink can handle. The Remote I/O converts between Modbus/TCP packets and the analog signals of the actuators and sensors: the networked controller drives the actuators of the plant via the Remote I/O, and the sensor signals are sent to the networked controller via the Remote I/O.

Fig. 2 Appearance of Ball-Sorter

Fig. 3 Schematic of Ball-Sorter

Fig. 2 shows the Ball-Sorter plant used in the experiments, and Fig. 3 shows its schematic. The function of Ball-Sorter is to sort two kinds of ball according to their weight; the balls used are a ping-pong ball and a golf ball. Ball-Sorter consists of three sections: a supply section, a sorting section, and a collection section. Only one ball can exist in the sorting section. Ball-Sorter has three air cylinders (Cylinder1, Cylinder2, and Cylinder3), a sorting sensor (S-sensor), and three proximity sensors (P-sensor1, P-sensor2, and P-sensor3); in Fig. 3, P1, P2, and P3 denote P-sensor1, P-sensor2, and P-sensor3 respectively. Using these actuators and sensors, Ball-Sorter sorts ping-pong balls into BOX1 and golf balls into BOX2.

When a ball is present at the sorting section, P-sensor1 reacts (ON). When the ball is a ping-pong ball, S-sensor does not react (OFF); when the ball is a golf ball, S-sensor reacts (ON). After that, when the ball flows into BOX1, P-sensor2 reacts (ON); when the ball flows into BOX2, P-sensor3 reacts (ON). Fig. 4 shows the state transition diagram of the control logic that implements the sorting function. The notation of the diagram follows Stateflow for MATLAB/Simulink, because we implemented the control logic in Stateflow. In Fig. 4, "Cylinder1 stops (drives)" and "Cylinder3 stops (drives)" mean that the cylinder moves in the downward (upward) direction as drawn for Cylinder1 (Cylinder3) in Fig. 3, whereas "Cylinder2 stops (drives)" means that Cylinder2 moves in the upward (downward) direction.

Fig. 4 State transition diagram of control logic for sorting (states and transitions recovered from the figure):
Select: Cylinder1 drives, Cylinder2 stops, Cylinder3 stops; on P-sensor1 ON go to Unknown_ball
Unknown_ball: on S-sensor OFF go to BOX1; on S-sensor ON go to BOX2
BOX1: Cylinder1 stops, Cylinder2 stops, Cylinder3 drives; on P-sensor2 ON return to Select
BOX2: Cylinder1 stops, Cylinder2 drives, Cylinder3 stops; on P-sensor3 ON return to Select

Fig. 5 Mixing prevention mechanism at sorting section

This paper supposes that Ball-Sorter is a subsystem of a production line in an FA system, with upstream subsystems before the supply section; the balls in the collection section flow on to the downstream process. Ball-Sorter sorts ping-pong balls, as non-defective products, into BOX1 and golf balls, as defective products, into BOX2. Ball-Sorter has a mixing prevention mechanism at the sorting section (Fig. 5) such that golf balls cannot go to BOX1: when a golf ball passes through the sorting section, the supporting frame of the sorting section tilts; otherwise the frame does not tilt. If the networked controller mistakes a golf ball for a ping-pong ball, the golf ball remains in the sorting section and the frame tilt interrupts the flow of balls. This ball-jamming corresponds to a stop or an overflow of a production line in an FA system.

3. SUPPOSED INCIDENT AND FALLBACK

This paper supposes that the attacker aims to stop Ball-Sorter. Ball-jamming occurs when the networked controller detects balls erroneously, and the attacker exploits this to achieve the aim. Specifically, the attacker inserts himself into the conversation between the Remote Input and the networked controller and manipulates the S-sensor value carried in Modbus/TCP such that S-sensor never reacts. This is a Man-In-The-Middle (MITM) attack. Plain Modbus/TCP carries no authentication or message integrity protection, so a host on the path can rewrite the register value carrying the S-sensor state without either endpoint noticing. We consider the situation in which the defenders take measures to limit the damage caused by the cyber-attack from the perspective of "maintaining functionality after an incident". The previous works (Sasaki et al., 2015; Sawada et al., 2015) consider the fallback operation in which all balls are sorted into BOX2 (the defective-products box); this operation gives the limited operation needed for maintenance priority over sorting. Further, the previous works developed the Fallback Control System (FCS) that achieves the fallback operation.

4. FALLBACK AND RECOVERY CONTROL

This paper aims to implement both "maintaining functionality after an incident" and "safe recovery after an incident". The existing FCS does not yet achieve the latter, because its recovery flow after the fallback operation is as follows:

1. The operators of Ball-Sorter investigate the causes of the security incident during the fallback operation.
2. The operators take measures to resolve the incident.
3. The operators execute a test operation in which Ball-Sorter is controlled via the field network, and check for operation failures.
4. When no operation failures are detected during the test operation, the operation is switched to the normal one.

The test operation of this flow (Steps 3 and 4) is the recovery switching from the fallback operation to the normal operation. It does not take the possibility of cyber-attacks into account, and it risks a recurrence of the incident if the measures taken were insufficient. Therefore, this paper proposes a safe recovery switching mechanism, the virtual operation, to implement "safe recovery after an incident", and calls the FCS extended with the virtual operation the Fallback and Recovery Control System (FRCS). Table 1 compares the test operation and the virtual operation. During the virtual operation, the controlled object of the networked controller is the Plant Simulator, which simulates the behaviour of Ball-Sorter. The virtual operation thus implements a new test operation without any connection between the field network and the actual controlled object.

Table 1 Comparison of two operations
                    Test operation         Virtual operation
Controlled object   Ball-Sorter            Plant Simulator
Controller          Networked Controller   Networked Controller

Fig. 6 Operation transition of FRCS (Normal -> Fallback -> Virtual -> Normal)

During the virtual operation, the incident detection function of the FRCS checks whether the incident has been resolved, which allows Ball-Sorter to avoid a recurrence of the incident and assures the integrity of the networked controller. The virtual operation requires the input (actuator) signals from the networked controller to Ball-Sorter and the output (sensor) signals from Ball-Sorter to the networked controller. The virtual operation executes the following recovery flow:

1. The operators of Ball-Sorter investigate the causes of the incident during the fallback operation.
2. The operators take measures to resolve the incident.
3. The networked controller controls the Plant Simulator of the FRCS for a certain time.
4. When the incident detection function does not detect the incident, the FRCS switches the operation from the virtual one to the normal one automatically.

Fig. 6 shows the operation transition diagram corresponding to this recovery flow.

4.1 Expansion of control system of Ball-Sorter

Fig. 7 shows the control system of Ball-Sorter in the previous works (Sawada et al., 2015). In Fig. 7, solid lines represent analog signals and dashed lines represent Modbus/TCP signals. The existing FCS consists of two units: the Fallback Operation Unit (FOU) and the Selector Unit. The FOU carries out the incident detection function and the fallback control. The Selector Unit switches the input signal of Ball-Sorter from the Remote Output to the fallback controller according to the operation mode. See the previous work (Sasaki et al., 2015) for the realization of the FOU and the Selector Unit via

Arduino. Table 2 shows the flow of signals during the normal operation and Table 3 the flow during the fallback operation. The FCS carries out the following fallback switching flow when an incident occurs:

1. Incident Detector 1 runs on the sensor signals from Ball-Sorter.
2. An incident occurs.
3. Incident Detector 1 catches the incident.
4. The Selector Unit switches the input signal of Ball-Sorter from the Remote Output to the fallback controller.
5. The signals from the networked controller to Ball-Sorter are cut off.
6. The controller of Ball-Sorter is switched from the networked controller to the fallback controller.

Fig. 7 Ball-Sorter control system (FCS): networked controller, Remote Output and Remote Input on the network side; Selector Unit, Ball-Sorter (plant) and FOU (fallback controller, Incident Detector 1) on the analog side

Table 2 Signal flow during normal operation
Source          Destination
Remote Output   Ball-Sorter
Ball-Sorter     Remote Input
Ball-Sorter     Incident Detector 1

Table 3 Signal flow during fallback operation
Source               Destination
Fallback Controller  Ball-Sorter
Ball-Sorter          Incident Detector 1

Fig. 8 Ball-Sorter control system (FRCS): networked controller, Remote Output and Remote Input on the network side; Human (tact switch), VOU (Plant Simulator, Incident Detector 2), Selector Unit, Ball-Sorter (plant) and FOU (fallback controller, Incident Detector 1) on the analog side

This paper implements the virtual operation by adding new units, as shown in Fig. 8, and thereby realizes the FRCS. In Fig. 8, solid lines represent analog signals and dashed lines represent Modbus/TCP signals. The added units are the tact switch for the human operator and the Virtual Operation Unit (VOU), which consists of the Plant Simulator and Incident Detector 2. That is, the proposed FRCS consists of three units: the VOU, the FOU, and the Selector Unit with the operator's tact switch. This paper implements these units on three Arduino boards, one per unit.

Fig. 9 Plant behaviour on Plant Simulator (states and transitions recovered from the figure):
Initial state: ball=0; Psensor1=0; Psensor2=0; Psensor3=0; Ssensor=0
Buffer: Psensor1=0; Psensor2=0; Psensor3=0; Ssensor=0; on Cylinder1==1 go to Unknown ball
Unknown ball: ball=ball+1; Psensor1=0; Psensor2=0; Psensor3=0; Ssensor=0; on Mod(ball,2)==0 go to Ping-pong, on Mod(ball,2)==1 go to Golf
Ping-pong: Psensor1=1; Psensor2=0; Psensor3=0; Ssensor=0; on Cylinder3==1 go to P-sensor2
Golf: Psensor1=1; Psensor2=0; Psensor3=0; Ssensor=1; on Cylinder2==1 go to P-sensor3
P-sensor2: Psensor1=0; Psensor2=1; Psensor3=0; Ssensor=0
P-sensor3: Psensor1=0; Psensor2=0; Psensor3=1; Ssensor=0

The Plant Simulator imitates Ball-Sorter and is the controlled object of the networked controller during the virtual operation. Fig. 9 shows the state machine of the Plant Simulator: it receives the actuator commands (Cylinder1, Cylinder2, and Cylinder3) from the networked controller and replies with sensor signals to the networked controller according to its state machine.

The Selector Unit switches the actuator/sensor signals according to the FRCS operation mode. Table 4, Table 5, and Table 6 show the connection of the devices in each operation mode. This paper does not consider fully automatic switching of the FRCS operation mode: the operator triggers the switching from the fallback mode to the virtual mode (with the tact switch of the Selector Unit), because it takes the operator time to remove the cause of the incident. On the other hand, the transitions from the normal mode to the fallback mode and from the virtual mode to the normal mode are automatic. When Incident Detector 1 catches an incident during the normal operation, the Selector Unit switches the signal connection from Table 4 to Table 5. When Incident Detector 2 detects no incident for a certain time, the Selector Unit switches the signal connection from Table 6 to Table 4. This paper supposes that the integrity of the networked controller is confirmed when Incident Detector 2 catches no incident for a certain time. The incident detection method is the discrete-event system observer used in the previous work (Sawada et al., 2015); the details are described in the next subsection.

Table 4 Normal operation
Source          Destination
Remote Output   Ball-Sorter
Ball-Sorter     Remote Input
Ball-Sorter     Incident Detector 1

Table 5 Fallback operation
Source               Destination
Fallback Controller  Ball-Sorter
Ball-Sorter          Incident Detector 1

Table 6 Virtual operation
Source               Destination
Fallback Controller  Ball-Sorter
Ball-Sorter          Incident Detector 1
Remote Output        Plant Simulator
Plant Simulator      Remote Input
Plant Simulator      Incident Detector 2

4.2 Incident detection by disturbance observer

This paper applies a Petri net and a disturbance observer (Meditch and Hostetter, 1973) to the incident detection method, which was proposed in the previous work (Sawada et al., 2015). The incident considered in this paper is as follows: S-sensor never reacts because of the MITM attack, so the networked controller sends illegal commands, a golf ball remains in the sorting section, and ball-jamming occurs. We model this ball flow by the Petri net (Murata, 1989) shown in Fig. 10. No reaction of S-sensor means that a golf ball is not taken out of the sorting section even though it has entered it (the transition "u1 (P-sensor1)" has fired); this situation is expressed by the transition "d (Incident)". Consider the case in which u1 fires twice. The number of tokens in the place "x1 (Sorting)" is then two, while only one ball can exist in the sorting section of Ball-Sorter. Firing once, d removes this deviation. In other words, the firing of d indicates ball-jamming. This modelling applies equally to the Plant Simulator with the state machine of Fig. 9.

Fig. 10 Petri net for incident detection: places x1 (Sorting), x2 (BOX1), x3 (BOX2); transitions u1 (P-sensor1), u2 (P-sensor2), u3 (P-sensor3), d (Incident)

In the previous work (Sawada et al., 2015), Incident Detector 1 of the FOU catches the firing of d and thereby detects the incident during the normal operation. In addition, this paper proposes that Incident Detector 2 of the VOU catches the firing of d and detects the incident during the virtual operation. As shown in Fig. 8, both detectors run on the analog signals from the Selector Unit. The networked controller sends its commands to Ball-Sorter or the Plant Simulator via the Remote Output after it receives the sensor signals from Ball-Sorter or the Plant Simulator via the Remote Input.

The state space model of Fig. 10 is given by

$$
\begin{cases}
x(k+1) = x(k) + B u(k) + E d(k) \\
y(k) = x(k)
\end{cases}, \qquad (1)
$$

$$
B = \begin{bmatrix} 1 & -1 & -1 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix}, \quad
E = \begin{bmatrix} -1 \\ 0 \\ 0 \end{bmatrix}, \quad
x(k) = \begin{bmatrix} x_1(k) \\ x_2(k) \\ x_3(k) \end{bmatrix}.
$$

The values of x1, x2, and x3 are the numbers of tokens in the places of Fig. 10; x1, x2, x3, u1, u2, u3, and d carry the names of the places and transitions in Fig. 10, with u(k) = [u1(k) u2(k) u3(k)]^T collecting the transition firings at step k. For example, x2 = 3 indicates three tokens in the place "x2 (BOX1)" of Fig. 10, i.e. three balls in BOX1 of Ball-Sorter or of the Plant Simulator. From (1), the disturbance observer is expressed by

$$
\begin{cases}
\tilde{x}_d(k+1) = A_d \tilde{x}_d(k) + B_d u(k) - K\bigl(\tilde{y}(k) - y(k)\bigr) \\
\tilde{y}(k) = C_d \tilde{x}_d(k)
\end{cases}, \qquad (2)
$$

$$
A_d = \begin{bmatrix} I & E \\ 0 & I \end{bmatrix}, \quad
B_d = \begin{bmatrix} B \\ 0 \end{bmatrix}, \quad
C_d = \begin{bmatrix} I & 0 \end{bmatrix}, \quad
\tilde{x}_d(k) = \begin{bmatrix} \tilde{x}(k) \\ \tilde{d}(k) \end{bmatrix}, \quad
K = \begin{bmatrix} 2 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \\ -1 & 0 & 0 \end{bmatrix},
$$

where K ∈ R^{4×3} is the observer gain, and x̃ and d̃ are the estimates of x and d respectively. The gain is designed such that A_d − K C_d is stable (Sawada et al., 2015); with the K above, (A_d − K C_d)^2 = 0, so the estimation error vanishes within two steps. The disturbance observer is implemented in both detectors. When d̃(k) equals 1, the detector alerts. When Incident Detector 1 alerts, the Selector Unit switches the signal connection from Table 4 to Table 5 automatically. When Incident Detector 2 does not alert for a certain time, the Selector Unit switches the signal connection from Table 6 to Table 4 automatically. The initial states of the observers need not coincide with those of Ball-Sorter or the Plant Simulator, because the stability of A_d − K C_d guarantees that the estimated states converge to the true ones.

5. PRACTICAL EXPERIMENTS

This section shows the capability of the FRCS in a practical experiment. Table 7 shows the ball sequence used in the experiment, where P denotes a ping-pong ball and G a golf ball. The experimental flow is as follows:

1. The MITM attack starts at the beginning of the experiment.
2. Ball-jamming (the incident) occurs when the golf ball at position 2 of the input sequence in Table 7 is put into Ball-Sorter.
3. The FRCS catches the incident.
4. All balls are sorted into BOX2 by the fallback operation.
5. The MITM attack is resolved (by the operator).
6. The virtual operation starts when the operator pushes the tact switch.
7. The Plant Simulator runs according to the ball sequence in Table 7.
8. No incident occurs in the Plant Simulator.
9. Recovery from the virtual operation to the normal operation.
10. Balls are put into Ball-Sorter again according to the ball sequence in Table 7.
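The detection and switching logic of Sections 4.1, 4.2 and 5 can be exercised end to end in software. The following Python program is an added example written for this page, not code from the paper or its authors: it implements the Petri-net model of eq. (1), the disturbance observer of eq. (2) with the gain K given in Section 4.2, and a Selector Unit that performs the Normal, Fallback, Virtual, Normal transitions, then replays the experimental flow of Section 5 on a constructed event model of Ball-Sorter. The way the marking y is read from the sensors (ball present in the sorting section, running counts of balls in BOX1 and BOX2), the quiet sampling step after each event, the hold count that ends the virtual operation, and the treatment of a ball arriving while the section is still occupied are assumptions of this example and are not taken from the paper.

```python
"""Added example: Petri-net model (1), disturbance observer (2) and FRCS
mode switching, replayed on a constructed event model of Ball-Sorter."""
from enum import Enum

# Petri net of Fig. 10: places x = (Sorting, BOX1, BOX2),
# transitions u = (P-sensor1, P-sensor2, P-sensor3), disturbance d = Incident.
B = ((1, -1, -1), (0, 1, 0), (0, 0, 1))
E = (-1, 0, 0)
K = ((2, 0, 0), (0, 1, 0), (0, 0, 1), (-1, 0, 0))  # observer gain of Sec. 4.2


def dot(row, vec):
    return sum(a * b for a, b in zip(row, vec))


class DisturbanceObserver:
    """Eq. (2) on the augmented state (x~, d~). With the paper's K the error
    matrix A_d - K C_d is nilpotent, so the estimate is exact two steps after
    any discrepancy and plain integer arithmetic is sufficient."""

    def __init__(self):
        self.xt, self.dt = (0, 0, 0), 0

    def step(self, u, y):
        err = tuple(self.xt[i] - y[i] for i in range(3))      # y~(k) - y(k)
        # rows 0..2 of A_d x~_d + B_d u - K err; row 3 carries d~
        xt = tuple(self.xt[i] + E[i] * self.dt + dot(B[i], u) - dot(K[i], err)
                   for i in range(3))
        self.xt, self.dt = xt, self.dt - dot(K[3], err)
        return self.dt                                         # alert when == 1


class Mode(Enum):
    NORMAL = 1
    FALLBACK = 2
    VIRTUAL = 3


class SelectorUnit:
    """Normal->Fallback on a Detector 1 alert (automatic), Fallback->Virtual on
    the operator's tact switch, Virtual->Normal after `hold` consecutive
    Detector 2 steps without an alert (automatic)."""

    def __init__(self, hold):
        self.mode, self.hold, self.clean = Mode.NORMAL, hold, 0
        self.det1 = DisturbanceObserver()   # FOU: analog signals of Ball-Sorter
        self.det2 = DisturbanceObserver()   # VOU: signals of Plant Simulator

    def plant_event(self, u, y):
        if self.det1.step(u, y) == 1 and self.mode is Mode.NORMAL:
            self.mode = Mode.FALLBACK
        return self.mode

    def tact_switch(self):
        if self.mode is Mode.FALLBACK:
            self.mode, self.clean, self.det2 = Mode.VIRTUAL, 0, DisturbanceObserver()
        return self.mode

    def simulator_event(self, u, y):
        if self.mode is Mode.VIRTUAL:
            # Assumption: an alert restarts the quiet period required for recovery.
            self.clean = 0 if self.det2.step(u, y) == 1 else self.clean + 1
            if self.clean >= self.hold:
                self.mode = Mode.NORMAL
        return self.mode


class BallSorter:
    """Event-level model of the plant (also used for Plant Simulator). The
    sorting section holds one ball; marking y = (ball present, BOX1, BOX2)."""

    def __init__(self):
        self.present, self.box1, self.box2, self.blocked = None, 0, 0, 0

    def marking(self):
        return (int(self.present is not None), self.box1, self.box2)


def run(sel, plant, sequence, mitm, virtual=False):
    """Push balls ('P' or 'G') through `plant`; returns the mode after each event."""
    feed = sel.simulator_event if virtual else sel.plant_event
    modes = []
    for kind in sequence:
        # P-sensor1 fires (u1) even if the section is still occupied by a jammed
        # ball; in the model of Fig. 10 that surplus token is what d absorbs.
        modes.append(feed((1, 0, 0), plant.marking()))
        if plant.present is None:
            plant.present = kind
        else:
            plant.blocked += 1
        modes.append(feed((0, 0, 0), plant.marking()))      # quiet sample
        if virtual or sel.mode is Mode.NORMAL:               # networked controller, Fig. 4
            box = 2 if (plant.present == "G" and not mitm) else 1  # MITM: S-sensor OFF
        else:
            box = 2                                           # fallback: all to BOX2
        if box == 1 and plant.present == "G":
            continue                                          # frame tilt: jam, no exit
        modes.append(feed((0, 1, 0) if box == 1 else (0, 0, 1), plant.marking()))
        plant.present = None
        if box == 1:
            plant.box1 += 1
        else:
            plant.box2 += 1
        modes.append(feed((0, 0, 0), plant.marking()))
    return modes


def experiment(sequence="PGPGPGP", hold=12):
    """Steps 1-10 of Section 5 on the constructed model. Returns the mode after
    each phase and the final (BOX1, BOX2, blocked) counts of the real plant."""
    sel, plant = SelectorUnit(hold), BallSorter()
    m1 = run(sel, plant, sequence, mitm=True)[-1]                        # steps 1-4
    m2 = sel.tact_switch()                                               # steps 5-6
    m3 = run(sel, BallSorter(), sequence, mitm=False, virtual=True)[-1]  # steps 7-9
    m4 = run(sel, plant, sequence, mitm=False)[-1]                       # step 10
    return (m1, m2, m3, m4), (plant.box1, plant.box2, plant.blocked)


if __name__ == "__main__":
    print(experiment())
```

Running experiment() reproduces the mode sequence of Fig. 11 qualitatively: Detector 1 raises d̃ = 1 at the first entry event after the jammed golf ball, the fallback controller clears the section into BOX2, and Detector 2 stays silent on the simulated plant, so the Selector Unit returns to normal operation after the hold count. The deadbeat property of the paper's K is also visible: an observer started from a wrong marking converges within two steps and never produces d̃ = 1, which is why the detectors' initial states need not be synchronised with the plant.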

Table 7 Ball sequence
Input sequence   1  2  3  4  5  6  7
Ball             P  G  P  G  P  G  P

Fig. 11 Operation mode transition

Fig. 11 shows the time series of the operation mode transition, acquired from the Arduino that implements the Selector Unit. According to Fig. 11, the operation mode changes as follows: from the normal operation to the fallback one at 13 s, from the fallback one to the virtual one at 30 s, and from the virtual one to the normal one at 51 s. This experiment shows that the FRCS implements both "maintaining functionality after an incident" and "safe recovery after an incident".

6. CONCLUSION

This paper implements "safe recovery after an incident" in addition to "maintaining functionality after an incident" by means of the FRCS. The proposed FRCS solves the open problem of the previous works (Sawada et al., 2015; Sasaki et al., 2015), namely the evaluation of the control system soundness and the safe recovery switching from the fallback operation to the normal operation. The existing FCS focuses on the availability of the control system; in addition to this, the FRCS can evaluate the soundness of the control system from the responses between the controller and the Plant Simulator. The current FRCS does not deal with an incident that occurs during the normal operation after recovery. Moreover, the FRCS should be implemented on a Programmable Logic Controller (PLC), since PLCs are the usual controllers in FA systems. These are future works.

This work was partially supported by the Council for Science, Technology and Innovation (CSTI), Cross-ministerial Strategic Innovation Promotion Program (SIP), "Cyber-Security for Critical Infrastructure" (funding agency: NEDO).

REFERENCES

Hoehn, A. and Zhang, P. (2016). Detection of replay attacks in cyber-physical systems. Proceedings of 2016 American Control Conference (ACC), pp. 290-295.
Hu, R., Hu, W., and Chen, Z. (2016). Research of smart grid cyber architecture and standards deployment with high adaptability for security monitoring. Proceedings of 2015 International Conference on Sustainable Mobility Applications, Renewables and Technology (SMART), pp. 1-6.
Isozaki, Y., Yoshizawa, S., Fujimoto, Y., Ishii, H., Ono, I., Onoda, T., and Hayashi, Y. (2016). Detection of cyber attacks against voltage control in distribution power grids with PVs. IEEE Transactions on Smart Grid, 7 (4), pp. 1824-1835.
Khorrami, F., Krishnamurthy, P., and Karri, R. (2016). Cybersecurity for control systems: A process-aware perspective. IEEE Design & Test, 33 (5), pp. 75-83.
Kissel, R. (2013). Glossary of key information security terms. NIST, NISTIR 7298 (Revision 2).
Kogiso, K. (2015). Cyber-security enhancement of networked control systems using homomorphic encryption. Proceedings of 2015 54th IEEE Conference on Decision and Control, pp. 6836-6843.
MathWorks (2016). MathWorks. http://www.mathworks.com/index.html?s_tid=gn_loc_drop (accessed 2016-10-19).
Meditch, J.S. and Hostetter, G.H. (1973). Observers for systems with unknown and inaccessible inputs. Proceedings of 1973 IEEE Conference on Decision and Control including the 12th Symposium on Adaptive Processes, pp. 120-124.
Miller, B. and Rowe, D. (2012). A survey of SCADA and critical infrastructure incidents. Proceedings of the Annual Conference on Research in Information Technology, pp. 51-56.
Modbus-IDA (2012). MODBUS Application Protocol Specification v1.1b3, pp. 1-50.
Murata, T. (1989). Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77 (4), pp. 541-580.
Onoda, T. (2016). Probabilistic models-based intrusion detection using sequence characteristics in control system. Neural Computing and Applications, 27 (5), pp. 1119-1127.
Ozay, M., Esnaola, I., Yarman Vural, F.T., Kulkarni, S.R., and Poor, H.V. (2016). Machine learning methods for attack detection in the smart grid. IEEE Transactions on Neural Networks and Learning Systems, pp. 1773-1786.
Rojas, C. and Morell, P. (2010). Guidelines for industrial Ethernet infrastructure implementation: A control engineer's guide. Proceedings of 2010 IEEE-IAS/PCA 52nd Cement Industry Technical Conference, pp. 1-18.
Sasaki, T., Sawada, K., Shin, S., and Hosokawa, S. (2015). Model based fallback control for networked control system via switched Lyapunov function. 41st Annual Conference of the IEEE Industrial Electronics Society (IECON2015), pp. 2000-2005.
Sawada, K., Sasaki, T., Shin, S., and Hosokawa, S. (2015). A fallback control study of networked control systems for cybersecurity. 2015 10th Asian Control Conference (ASCC2015), pp. 1-6.
Stouffer, K., Pillitteri, V., Lightman, S., Abrams, M., and Hahn, A. (2015). Guide to Industrial Control Systems (ICS) security. Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-82, Revision 2.
Zhioua, S. (2013). The Middle East under malware attack: dissecting cyber weapons. Proceedings of International Conference on Distributed Computing Systems Workshops, pp. 11-16.
