Multiplicative Attacks with Essential Stealthiness in Sensor and Actuator Loops against Cyber-Physical Systems

Abstract

Stealthy attacks in sensor and actuator loops are the research priorities in the security of cyber-physical systems. Existing attacks define the stealthiness conditions against the Chi-square or Kullback-Leibler divergence detectors and parameterize the attack model based on additive signals. Such conditions ignore the potential anomalies of the vulnerable outputs in the control layer, and the attack sequences need to be generated online, increasing the hardware and software costs. This paper investigates a type of multiplicative attack with essential stealthiness where the employed model is a novel form. The advantage is that the parameters can be designed in a constant form without having to be generated online. An essential stealthiness condition is proposed for the first time and complements the existing ones. Two sufficient conditions for the existence of constant attack matrices are given in the form of theorems, where two methods for decoupling the unknown variables are particularly considered. A quadruple-tank process, an experimental platform for attack and defense, is developed to verify the theoretical results. The experiments indicate that the proposed attack strategy can fulfill both the attack performance and stealthiness conditions.

1. Introduction

As the core and driving force of information technology in the past four decades, computers, communication, and control have caused a huge change in human social life. In this context, the concept of cyber-physical systems (CPSs) is proposed and widely valued. The CPSs involve most of the important industries that affect people’s livelihoods, making it important to study their key technologies [1].

The high integration of computing, physical plants, and communication networks increases the flexibility, reliability, and productivity of CPSs. However, it also extends the information security issues from the network layer to the computational and physical layers, resulting in serious safety problems [2]. Since the Stuxnet event in 2010 [3], more and more security incidents involving CPSs have appeared in the limelight. For example, the Flame virus suffered by the oil industry in the Middle East in 2012 [4], the advanced persistent threat cyber-attacks on a German steel company in 2014 [5], the Triton attacks on Schneider Triconex security instruments in 2017 [6], and the Watering Hole attacks on a municipal water treatment company in America in 2021 [7] can be easily listed. To address the security threats to CPSs, researchers focus on both attack and defense strategies. These studies are categorized into four types: attack methods [8,9], prevention of attacks [10], resilient control [11,12], and detection of attacks [13,14].

To cope with the potential stealth attacks in cyber-physical multi-agent systems, Nozari et al. [10] investigate the differential privacy issue of average consistency. The authors suggest that the differential privacy of communication information and the average consistency of multi-agents is a trade-off between them. To achieve differential privacy and thus prevent potential attacks, the agent states cannot be weakly converged to the exact average of their initial values. Abhinav et al. [11] studied a trust-based cooperative control strategy to counteract dual-channel false data injection (FDI) attacks in direct current (DC) microgrids. Sun et al. [12] suggest that a higher level of resilience can be obtained by improving the event-trigger mechanism to cope with denial-of-service attacks in networked control systems. The above studies consider the prevention and response to a single type of attack. For multi-class ones, such as stealthy FDI attacks and integrity and availability attacks, refs. [13] and [14] are two typical examples. Zhang et al. and Liu et al. propose a summation-based and a mode division-based detector, respectively. These methods are proven to be effective in the detection of stealthy attacks including, Stuxnet-like attacks.

In terms of attack strategies, an attacker attempts to deviate the actual output of the CPS from the defender’s desired reference trajectory. The extent of the deviation is termed the attack performance. The greater the deviation, the better the attack performance. However, the attacker cannot compromise a physical plant without recklessness. If a stealthiness condition cannot be satisfied, the attack will be detected, leading to its failure. Therefore, stealthiness is a necessary condition, and attack performance is the attacker’s goal. Existing work focuses on FDI attacks with particular stealth performance metrics, such as stealthy attacks [15,16,17], covert attacks [18,19], zero-dynamics attacks [20], optimal stealthy attacks [21], perfect stealthy attacks [22], and unpredictable attacks [23]. These attack strategies have a common design idea, that is, maximizing the attack impacts of the physical plant while ensuring the attacks cannot be detected by some specific detectors.

The Chi-square (${\chi }^2$) detector is usually the object to be targeted when designing a stealthy FDI attack strategy. Mo et al. [24] propose a stealthy attack method in a linear CPS and analyze the relationship between the stability of the state matrix and the attackability of attack sequences. The authors also quantify the effects caused by the attacks in terms of the variation in the estimation error. In ref. [13], Ye et al. introduce two variable parameters $({\rho }_1,{\rho }_2)$ for the attack strategy in ref. [24] that can adjust the attack strength. After that, the authors further propose a self-generated approach in [8] for such kinds of attacks in refs. [13] and [24]. Since the ${\chi }^2$ detector only determines the anomalies of the state estimation residuals generated at the current detection instant, Mo et al. [25] present a method to construct a detector by measuring the difference of residuals in terms of Kullback-Leibler divergence (KLD). Li et al. [26] investigate a stealthy attack strategy acting in the actuator loop by solving an optimization problem to maximize the difference in residuals’ KLD before and after the attacks, under the constraint that the detection variable is lower than its threshold. Guo et al. [16] study a worst-case stealthy attack strategy in a remote state estimation scenario, where the KLD is chosen as the stealthiness metric. The authors present an innovation-based linear stealth attack, where the worst-case attack sequences are proved to obey a Gaussian distribution with a zero mean. In addition, the trade-off between the stealthiness of the attack and the impact on the system performance is discussed in [16]. Shang et al. [27] also investigate the worst-case stealthy attacks. The authors indicate the reasons for the method given in ref. [16] being a suboptimal solution and give an algorithm to obtain the optimal attack sequences without solving a semidefinite programming problem. Li et al. [21] present a stealthy attack strategy with an arbitrary mean Gaussian noise form, whose attack sequences are also obtained by solving an optimization problem.

All the above stealthy attack strategies against the KLD detector are designed in the context of remote state estimation scenarios for autonomous systems. In terms of attack strategies for generally controlled CPSs, Bai et al. [28] study an attack method acting in the actuator loop against the KLD detector with strict-stealthiness as well as a defined $\epsilon$-stealthiness. Further, the solutions of optimal and suboptimal attack sequences are given for right-reversible and non-right-reversible systems, respectively. Furthermore, for the controlled CPSs, Ren et al. [9] investigate the stealthy KLD attacks operating in the sensor loop. The authors analyze the attack performance when the attack sequences satisfy the strict- and $\epsilon$-stealthiness, as well as give the optimal solutions for the attack strategies.

It can be seen from the above that the existing attack strategies focus on the statistical properties of the state estimation residual $z(k)$, and the attack sequences are in the form of time-varying additive signals generated online, whether for the ${\chi }^2$ or the KLD stealthiness. The residual $z(k)$ can be expressed as $z(k)=y(k)-C\widehat{x}(k)$, where $y(k)$ denotes the output of the physical plant received by the control layer, $\widehat{x}(k)$ stands for the estimation of the plant state $x(k)$, and $C$ refers to the output matrix of the physical plant. In practice, however, the process data supervision of CPSs is mainly dependent on the host PC’s configuration screen in the control layer. The unbiased statistical properties of $z(k)$ cannot enable the anomaly-free display of the compromised sensor data $y(k)$. See, for example, refs. [16,17]. This fact implies that the anomalies occurring in $y(k)$ can lead to an immediate exposure of the so-called stealthy attacks. Therefore, making the compromised $y(k)$ remain stealthy should be a necessary condition for all of the stealthy attacks, and it is obvious that the existing results ignore this critical issue. Moreover, the attack strategies with forms $y(k)=y_{\mathrm{p}}(k)+y_{\mathrm{a}}(k)$ and $u_{\mathrm{p}}(k)=u(k)+u_{\mathrm{a}}(k)$ depend on specific hardware and software environments to implement the real-time computation and data injection of the attack sequences in the sensor and actuator loops. These will undoubtedly increase the attack costs and the exposure risks. In the two formulas above, $y(k)$ and $u(k)$ denote the physical layer output received by the control layer and the control input to be sent to the physical layer, $y_{\mathrm{p}}(k)$ and $u_{\mathrm{p}}(k)$ represent the actual output and the received control input of the physical layer, respectively. The subscript “p” denotes “plant”. $y_{\mathrm{a}}(k)$ and $u_{\mathrm{a}}(k)$ refer to the attack signals injected by the attacker in the sensor and actuator loops, respectively, where the subscript “a” stands for “attack”.

Motivated by the above two concerns, this paper investigates a novel class of stealthy attack strategies with multiplicative constant attack matrix parameters. Two sufficient conditions for the existence of the attack matrices are given in the form of theorems. One of them is dominated by the stealthiness condition, and the other takes into account both attack performance and stealthiness. The contributions of this paper are as follows.

(1)

A novel attack model with multiplicative attack matrices is proposed, which models the cyber-attacks as changes in the parameters of the generalized system consisting of physical and network layers instead of tampering with process data as given in existing literature.

(2)

The proposed attack matrices can be designed in a constant form, which can avoid the online operation of the attack parameters, thus reducing the costs and exposure risks of the attacks.

(3)

A definition of essential stealthiness is presented as a complement for the existing ${\chi }^2$ and KLD stealthiness conditions. Two sufficient conditions are given for the existence of constant attack matrices satisfying the essential stealthiness.

(4)

An attack and defense experimental platform is developed for CPSs, in which the physical plant is chosen as the classic quadruple-tank process. The platform can provide some experimental guidelines for related research in the field of CPSs security. The evaluations of the suggested strategies are performed in the form of hardware-in-the-loop experiments instead of simulations only, as in the existing work.

The subsequent sections of this paper are organized as follows. Section 2 introduces the basic model information of the CPS under consideration. Section 3 presents an attack model, gives a definition of essential stealthiness, and then analyzes the basic properties of the attack matrices. In Section 4, the methods for designing attack matrices are given in two theorems as the main results of this paper. In Section 5, the CPS attack and defense experimental platform are detailed, and the experimental results are analyzed, followed by conclusions and future work in Section 6.

2. Problem Formulation and Preliminaries

Consider the typical CPS illustrated in Figure 1, which consists of three parts: the control layer, the network layer, and the physical layer. The controlled plant lies in the physical layer, and its mathematical model can be represented as a discrete-time linear time-invariant (LTI) stochastic system:

$$\left\{\begin{array}{l}{x}_{\mathrm{p}}(k+1)=A{x}_{\mathrm{p}}(k)+B{u}_{\mathrm{p}}(k)+w_{\mathrm{x}}(k),\hfill \\ y_{\mathrm{p}}(k)=C{x}_{\mathrm{p}}(k)+w_{\mathrm{y}}(k),\hfill \end{array}\right.$$

(1)

where $x_{\mathrm{p}}(k)\in {ℝ}^{n_{\mathrm{x}}}$, $u_{\mathrm{p}}(k)\in {ℝ}^{n_{\mathrm{u}}}$, and $y_{\mathrm{p}}(k)\in {ℝ}^{n_{\mathrm{y}}}$ denote the system state, control input, and measurement output, respectively. The subscript ‘p’ denotes ‘plant’. $A$, $B$, and $C$ are known model parameters, $w_{\mathrm{x}}(k)$ and $w_{\mathrm{y}}(k)$ are process and measurement noise, respectively.

Assume that the inherent controller of the CPS is employed in the control layer and has a form of dynamic output feedback:

$$\left\{\begin{array}{l}{x}_{\mathrm{c}}(k+1)=A_{\mathrm{c}}{x}_{\mathrm{c}}(k)+B_{\mathrm{c}}{y}_{\mathrm{e}}(k)+E_{\mathrm{c}}{y}_{\mathrm{r}0},\hfill \\ u(k)=C_{\mathrm{c}}{x}_{\mathrm{c}}(k)+D_{\mathrm{c}}{y}_{\mathrm{e}}(k)+F_{\mathrm{c}}{y}_{\mathrm{r}0},\hfill \end{array}\right.$$

(2)

where $x_{\mathrm{c}}(k)$ is the controller’s state, $A_{\mathrm{c}}, B_{\mathrm{c}}, ..., F_{\mathrm{c}}$ are the known controller parameters, where the subscript ‘c’ means ‘controller’. $y_{\mathrm{e}}(k):=y(k)-y_{\mathrm{r}}(k)$ denotes the output error in the control layer, $y_{\mathrm{r}}(k)\in {ℝ}^{n_{\mathrm{y}}}$ and $y_{\mathrm{r}0}$ denote the output reference trajectory and the desired output stabilized value, respectively.

The output reference $y_{\mathrm{r}}(k)$ is given by

$$\left\{\begin{array}{l}{x}_{\mathrm{r}}(k+1)=A_{\mathrm{r}}^{\prime }{x}_{\mathrm{r}}^{\prime }(k)+B_{\mathrm{r}}^{\prime }{x}_{\mathrm{r}0}^{\prime },\hfill \\ y_{\mathrm{r}}(k)=C_{\mathrm{r}}^{\prime }{x}_{\mathrm{r}}^{\prime }(k).\hfill \end{array}\right.$$

(3)

$y(k)$ in $y_{\mathrm{e}}(k)$ and $u(k)$ in Equation (2) denote the physical layer output received in the control layer and the control input that is to be sent to the physical layer, respectively; see Figure 1. Note that the studied CPS is a tracking control system, and that in practice the desired output reference is not always at the modeling equilibrium point of the physical plant. Without loss of generality, we assume that the desired output stabilized value satisfies $y_{\mathrm{r}0}\ne 0$.

Attacks on CPSs may either occur in the physical layer or in the network layer. See, for example, refs. [1] and [29]. Since the attack sequences acting in the former can always be equivalently represented by the attack signals in the latter, Figure 1 simply gives the general form of the attack acting in the network layer. In particular, equations $u(k)=u_{\mathrm{p}}(k)$ and $y(k)=y_{\mathrm{p}}(k)$ hold under the assumption of an ideal communication network when the CPS is not under attack [20].

3. Modeling the Attacks

The attacker attempts to drive the state of the actual physical plant into the insecure regions by tampering with $y_{\mathrm{p}}(k)$ and $u(k)$ which are exposed to the communication network while satisfying the predefined stealthiness conditions. In this respect, existing stealthy attack strategies are mostly based on the two-channel FDI attack model [30] to implement the attack parameters design:

$$\left\{\begin{array}{c}{u}_{\mathrm{p}}(k)=u(k)+u_{\mathrm{a}}(k),\\ y(k)=y_{\mathrm{p}}(k)+y_{\mathrm{a}}(k),\end{array}\right.$$

(4)

where $u_{\mathrm{a}}(k)$ and $y_{\mathrm{a}}(k)$ are the attack sequences to be determined.

Notice that the attack sequences are usually time-varying to satisfy the stealthiness condition. This implies that the attack strategies with the form of Equation (4) in practice need to rely on some hardware and software settings to enable the real-time computation and data injection of the attack parameters. The necessary computing environments and the frequent interaction of network data increase the costs of attacks and their exposure risks. To this end, a new attack model is considered below.

According to the assumption of the desired output steady state $y_{\mathrm{r}0}\ne 0$ in the previous section, the physical layer process data satisfying $u_{\mathrm{p}}(k)\ne 0$ and $y_{\mathrm{p}}(k)\ne 0$. Then a novel attack model can be formulated as

$$\left\{\begin{array}{l}{u}_{\mathrm{p}}(k)={\mathcal{A}}_{\mathrm{a}}(k) u(k),\hfill \\ y(k)={\mathcal{A}}_{\mathrm{s}}(k) y_{\mathrm{p}}(k),\hfill \end{array}\right.$$

(5)

where ${\mathcal{A}}_{\mathrm{a}}(k)$ and ${\mathcal{A}}_{\mathrm{s}}(k)$ are the multiplicative attack matrices in the actuator and sensor loops, respectively.

Compared with the FDI model (4), the advantage of Equation (5) is that ${\mathcal{A}}_{\mathrm{a}}(k)$ and ${\mathcal{A}}_{\mathrm{s}}(k)$ can be designed as constant matrices ${\mathcal{A}}_{\mathrm{a}}$ and ${\mathcal{A}}_{\mathrm{s}}$ to avoid the online computational requirements of the existing attack parameters. At the same time, the numerical degrees of freedom for the two matrices can satisfy the stealthy attack design. The attack strategies in the form of ${\mathcal{A}}_{\mathrm{a}}$ and ${\mathcal{A}}_{\mathrm{s}}$ will be detailed in the next section. Before that, we begin with the analysis of the basic properties of the attack matrices in Equation (5).

Definition 1.

(Essential stealthiness of attacks.) For a CPS consisting of Equations (1)–(3) and the compromised communication network, an attack is said to satisfy the essential stealthiness with parameter $\gamma >0$, if its attack sequences make

$${‖y_{\mathrm{e}}(k)‖}^2<{\gamma }^2{‖\omega (k)‖}^2$$

(6)

holds, where $y_{\mathrm{e}}(k)$ refers to the output tracking error shown in the control layer, and $\omega (k)$ denotes the augmented disturbance in the closed-loop CPS affected by the attack sequences.

Under Definition 1, the attack matrices of a stealth attack strategy with the form of Equation (5) should fulfill the following proposition.

Proposition 1.

(Non-singular properties of attack matrices.) For a CPS consisting of Equations (1)–(3) and the compromised network, a necessary condition for any attack strategy represented by Equation (5) to satisfy the essential stealthiness is that the attack matrices ${\mathcal{A}}_{\mathrm{a}}(k)$ and ${\mathcal{A}}_{\mathrm{s}}(k)$ are full rank.

Proof of Proposition 1.

Consider the contrapositive of Proposition 1. When ${\mathcal{A}}_{\mathrm{a}}(k)$ and ${\mathcal{A}}_{\mathrm{s}}(k)$ have at least one set of dissatisfied ranks, the output controllability of the generalized system consisting of Equations (1) and (5) is not guaranteed. Then, for any desired trajectory $y_{\mathrm{r}}(k)$ and generalized system output $y(k)$, we have the tracking error $y_{\mathrm{e}}(k)\cancel{\to }0$. At this point, the considered attack strategy does not satisfy the essential stealthiness. The proposition is proved. □

Remark 1.

The essential stealthiness condition given in Definition 1 is a complement to the existing ones defined based on the ${\chi }^2$ and the KLD detectors. The declared Equation (6) is founded on the fact that the operating data in the control layer should not be significantly abnormal when any attack is performed on the CPS; otherwise, it can be intuitively detected by the defender, making it difficult to achieve the intended attack purpose. The condition above is an essential requirement for a successful attack strategy and is therefore referred to as the essential stealthiness.

Attack performance refers to the extent of deviation that the actual output of the physical plant causes from the defender’s desired reference trajectory. It can be defined as $\kappa :=‖{\overline{y}}_{\mathrm{p}}-y_{\mathrm{r}0}‖$, where ${\overline{y}}_{\mathrm{p}}$ denotes the steady-state value of $y_{\mathrm{p}}(k)$ in Equation (1). In particular, if the attack matrices are constant, $\kappa$ can be expressed as $\kappa =‖{\mathcal{A}}_{\mathrm{s}}^{-1}{\overline{y}}_e+$ $({\mathcal{A}}_{\mathrm{s}}^{-1}-I)y_{\mathrm{r}0}‖$, where ${\overline{y}}_e$ denotes the steady-state value of $y_{\mathrm{e}}(k)$ in Equation (6). For attacks with essential stealthiness, ${\overline{y}}_e$ has a small value, and thus the attack performance $\kappa$ is mainly determined by the attack matrix ${\mathcal{A}}_{\mathrm{s}}$ based on the assumption of $y_{\mathrm{r}0}\ne 0$ in Equations (2) and (3).

4. Attack Matrices Design for Stealthy Attacks

Consider the attack model Equation (5) with its constant matrices ${\mathcal{A}}_{\mathrm{a}}$ and ${\mathcal{A}}_{\mathrm{s}}$. This section gives two sufficient conditions for the existence of these matrices satisfying the essential stealthiness in a theoretical form. In particular, attackers aim to design the two matrices such that the compromised CPS fulfills both of the following two conditions. First, the physical plant state $x_{\mathrm{p}}(k)$ deviates from its operation and causes the actual tracking error of the physical layer satisfying $\kappa =‖{\overline{y}}_{\mathrm{p}}-y_{\mathrm{r}0}‖\ne 0$. Second, the attack sequences meet the essential stealthiness with parameter $\gamma >0$, i.e., Equation (6) holds.

For condition one, the attacker considers an auxiliary perturbation signal $d$ on $x_{\mathrm{p}}(k)$. It can be represented as

$$d+{\widehat{x}}_{\mathrm{p}}(0)=0,$$

(7)

where ${\widehat{x}}_{\mathrm{p}}(0)$ denotes the attacker’s estimation of $x_{\mathrm{p}}(k)$ before the attacks are initiated, i.e., in the instant $k=0$. For the sake of exposition, we define the instant $k\in (-\infty , 0]$, similar to ref. [25], as the regular operation stage of the CPS and assume that the intended attack strategy is launched from the instant $k=1$.

Define $x(k):=x_{\mathrm{p}}(k)+d$ and rewrite Equation (1) as

$$\left\{\begin{array}{l}x(k+1)=Ax(k)+B{u}_{\mathrm{p}}(k)+A_{\mathrm{d}}d+w_{\mathrm{x}}(k),\hfill \\ y_{\mathrm{p}}(k)=Cx(k)-Cd+w_{\mathrm{y}}(k),\hfill \end{array}\right.$$

(8)

where $A_{\mathrm{d}}:=I-A$. The physical plant model (from $u_{\mathrm{p}}(k)$ to $y_{\mathrm{p}}(k)$) in the attackers’ perspective is obtained.

Remark 2.

Notice that the closed-loop CPS without attack is stable and satisfies a definite static-error-free tracking control performance, i.e., $y(0)=y_{\mathrm{p}}(0)\to y_{\mathrm{r}0}$ holds. Hence, we have $\mathrm{E}\left[x(0)\right]$ $=0$ when Equation (7) holds. It means that the auxiliary perturbation $d$ gives Equation (8) a zero initial state in the statistical sense. This condition is easily neglected in the subsequent derivations.

To satisfy the stealthiness conditions, the attacker introduces the following control layer output reference model

$$\left\{\begin{array}{l}{x}_{\mathrm{r}}(k+1)=A_{\mathrm{r}}{x}_{\mathrm{r}}(k)+B_{\mathrm{r}}{x}_{\mathrm{r}0},\hfill \\ y_{\mathrm{r}}(k)=C_{\mathrm{r}}{x}_{\mathrm{r}}(k).\hfill \end{array}\right.$$

(9)

This model has the same structure as the inherent output reference Equation (3) of the CPS, but $A_{\mathrm{r}}$, $B_{\mathrm{r}}$, and $C_{\mathrm{r}}$ are determined by the attacker with $x_{\mathrm{r}}(0)=0$. $x_{\mathrm{r}0}$ needs to satisfy $C_{\mathrm{r}}{(I-A_{\mathrm{r}})}^{-1}{B}_{\mathrm{r}}{x}_{\mathrm{r}0}=y_{\mathrm{r}0}$ to ensure that the steady output of Equation (9) is equal to $y_{\mathrm{r}0}$. Here, $y_{\mathrm{r}0}\ne 0$ denotes the desired output of the CPS before the instant of attack initiation (i.e., $k=0$), and $y_{\mathrm{r}0}$ is constant around the attacks.

The following lemmas are introduced before giving our theorems. In the derivations of theoretical results based on the Lyapunov stability theory, the coupling of pending variables will lead to the corresponding matrices without the form of linear matrix inequalities. The following Lemma 1 is an important result of eliminating coupling terms, which will be used in the proof of Theorem 1.

Lemma 1.

[31] For matrices $T$, $S$, $M$, $N$ with appropriate dimensions, and a non-zero scalar $\beta$, the inequality $T+S^{\top }{M}^{\top }+MS<0$ holds if the following inequality is true.

$$\left[\begin{array}{cc}T& \ast \\ \beta M^{\top }+NS& -\beta N-\beta N^{\top }\end{array}\right]<0.$$

(10)

The Schur’s lemma can combine matrix polynomials into a global matrix for convenience in subsequent derivation, but this process will introduce matrix inverse terms. The following Lemma 2 is used to perform the reduction in the nonlinear matrix inverse terms, after the main matrix is left and right multiplied a full rank square matrix.

Lemma 2.

[32] For matrices $X$, $Y$, and $J>0$ with appropriate dimensions, the following inequality is true.

$$XY+Y^{\top }{X}^{\top }\le XJ{X}^{\top }+Y^{\top }{J}^{-1}Y.$$

(11)

Similar to Lemma 1, Lemma 3 below also deals with the coupling of the pending terms. Lemma 1 is more concise. However, Lemma 3 is a necessary and sufficient condition. It introduces an extra matrix $F$ that can increase the degrees of freedom in solving linear matrix inequalities under some circumstances. Lemma 3 will be used in the subsequent derivation of Theorem 2.

Lemma 3.

[33] For matrices $F$, $S$, $M$, $N$, $T$ with appropriate dimensions, and a non-zero scalar $\beta$, the following two inequalities are equivalent.

$$\left[\begin{array}{cc}T+FS+S^{\top }{F}^{\top }& \ast \\ \beta M^{\top }-\beta F^{\top }+NS& -\beta N-\beta N^{\top }\end{array}\right]<0,$$

(12)

$$T+S^{\top }{M}^{\top }+MS<0.$$

(13)

Theorem 1.

For the CPS given by Equations (1)–(3), if there exist matrices $U$, $V$, $G$, $G_i$, $P_i=P_i^{\top }>0$, $i=1, \dots , 4$, and a scalar $\beta >0$, such that

$$\left[\begin{array}{cc}{T}_1& \ast \\ T_2& T_3\end{array}\right]<0,$$

(14)

holds, the attack determined by $\left({\mathcal{A}}_{\mathrm{a}}, {\mathcal{A}}_{\mathrm{s}}, d, \gamma \right)$ satisfies the essential stealthiness with parameter $\gamma$, i.e., the Equation (6) holds.

Remark 3.

In the literature related to stealthy attacks, it is typically assumed that the attackers have the complete model information of the CPS. See, for example, refs. [9,16,17]. For the attacker, a dynamic model with the closed-loop CPS information along with the attack parameters is employed in Theorem 1 (see Equation (A5) in Appendix A). This enables the attack matrices design can be turned into an $H_{\infty }$ control problem. An unstable physical plant state can easily lead to significant anomalies in the sensor measurements and causes the attack to be detected by the defender. The attacker has to take into account that the physical layer state should be driven to a new steady state, regardless of whether this steady state is technologically safe.

Remark 4.

When the augmented system is stable from the attacker’s perspective, one has ${\mathcal{A}}_{\mathrm{s}}{y}_{\mathrm{p}}(k)\to y_{\mathrm{r}0}$, i.e., a new desired output ${y^{\prime }}_{\mathrm{r}0}=$ ${\mathcal{A}}_{\mathrm{s}}^{-1}{y}_{\mathrm{r}0}$ holds. Therefore, the physical sense of the sensor attack matrix ${\mathcal{A}}_{\mathrm{s}}$ can be reinterpreted. The injected ${\mathcal{A}}_{\mathrm{s}}$ can indirectly tamper with the desired steady output of the physical plant (from $y_{\mathrm{r}0}$ to ${y^{\prime }}_{\mathrm{r}0}$), making it possible for the attacker to manipulate the actual output of the physical system by simulating the sensor dead zone faults.

In practice, attackers usually consider driving the output of the actual physical plant to a particular level while satisfying the essential stealthiness. The following theorem gives an implementation of this practical attack strategy.

Theorem 2.

Consider a CPS given by Equations (1)–(3). For a given attack target ${y^{\prime }}_{\mathrm{r}0}\ne 0$ for physical plant output $y_{\mathrm{p}}(k)$ and a stealthiness parameter $\tilde{\gamma }=y_{\mathrm{e}}^{\mathrm{th}}{‖\omega (k)‖}^{-1}$ with $k>0$, where $y_{\mathrm{e}}^{\mathrm{th}}=\sup (‖y_{\mathrm{e}}(k^{\prime })‖)$, $k^{\prime }\in \left(-\infty ,0\right]$, if there exist matrices $F$, $\tilde{U}$, $\tilde{V}$, ${\tilde{G}}_i$, ${\tilde{P}}_i={\tilde{P}}_i^{\top }>0$, $i=1,\dots ,4$, and a scalar $\tilde{\beta }>0$, such that

$$\left[\begin{array}{cc}{\tilde{T}}_1& \ast \\ {\tilde{T}}_2& {\tilde{T}}_3\end{array}\right]<0,$$

(15)

holds, the attack determined by $\left({\mathcal{A}}_{\mathrm{a}}, {\mathcal{A}}_{\mathrm{s}}, d, \tilde{\gamma }\right)$ satisfies the essential stealthiness with parameter $\tilde{\gamma }$, where ${\tilde{T}}_1$,${\tilde{T}}_2$, and ${\tilde{T}}_3$are denoted as

$${\tilde{T}}_1=T_1^{\prime }+FS+S^{\top }{F}^{\top },$$

(16)

$${\tilde{T}}_2=T_2^{\prime }-\tilde{\beta }{F}^{\top },$$

(17)

$${\tilde{T}}_3=-\tilde{\beta } \mathrm{diag}\{\tilde{U}+{\tilde{U}}^{\top },\tilde{U}+{\tilde{U}}^{\top }\},$$

(18)

$T_1^{\prime }$and$T_2^{\prime }$have the same structure as$T_1$and$T_2$in Equation (14), respectively, except for the different symbolic representations of$\tilde{V}$,${\tilde{G}}_i$, and${\tilde{P}}_i$. ${\mathcal{A}}_{\mathrm{a}}$and${\mathcal{A}}_{\mathrm{s}}$can be obtained by${\mathcal{A}}_{\mathrm{a}}=$${\tilde{U}}^{-1}\tilde{V}$and${\mathcal{A}}_{\mathrm{s}}=\mathrm{diag}\left\{y_{\mathrm{r}0}(1)/{y^{\prime }}_{\mathrm{r}0}(1), \dots ,y_{\mathrm{r}0}(n_{\mathrm{y}})/{y^{\prime }}_{\mathrm{r}0}(n_{\mathrm{y}})\right\}$, respectively.

Proof of Theorem 2.

The proof can be followed by Lemma 3 and Theorem 1, so it is omitted here. □

Remark 5.

Different from Theorem 1, here the sensor attack matrix${\mathcal{A}}_{\mathrm{s}}$is a predefined diagonal matrix based on the attack target${y^{\prime }}_{\mathrm{r}0}$. Since the full-rank square matrix satisfying$y_{\mathrm{r}0}={\mathcal{A}}_{\mathrm{s}}{y^{\prime }}_{\mathrm{r}0}$is not unique, the predefined diagonal form reduces the degree of freedom for the results. Therefore, in the derivation of the decoupling terms, Theorem 2 considers the inequalities given by Lemma 3. The conservation of the result is reduced by introducing the new pending matrix$F$.

5. Hardware Experiments and Results Analysis

In this section, a CPS attack and defense experiment platform is developed by employing the classic quadruple-tank process as the physical plant. Furthermore, the effectiveness of the proposed attack strategy is verified and analyzed in a hardware-in-the-loop (HIL) experiment.

5.1. Configuration of the CPS Experiment Platform

The developed experimental platform is shown in Figure 2. The plant consists of four components: a quadruple-tank process (QTP) [34], a defender’s industrial PC (IPC) equipped with a data acquisition board, an attacker’s PC, and the private Ethernet communication network.

The QTP is a representative type of coupled system in the process industry, where the controlled outputs are the liquid levels of the two lower tanks ($h_1$ and $h_2$), and the inputs are the control voltages acting on the two pump drive units ($v_1$ and $v_2$). The modeling method of the QTP can be referred to in refs. [14,34], and the model parameters of our experimental platform are

$$A=\left[\begin{array}{cccc}0.9918& 0& 0.0036& 0\\ 0& 0.9918& 0& 0.0038\\ 0& 0& 0.9963& 0\\ 0& 0& 0& 0.9961\end{array}\right], B=\left[\begin{array}{cc}0.0354& 0\\ 0& 0.0374\\ 0& 0.0115\\ 0.0122& 0\end{array}\right], C=\left[\begin{array}{cccc}1& 0& 0& 0\\ 0& 1& 0& 0\end{array}\right],$$

where the sampling period is $T_{\mathrm{s}}=0.1 \mathrm{s}$, and the equilibrium point is selected as ${\overline{h}}_1=19.2 \mathrm{cm}$, ${\overline{h}}_2=19.5 \mathrm{cm}$, ${\overline{h}}_3=11.2 \mathrm{cm}$, ${\overline{h}}_4=10.1 \mathrm{cm}$, ${\overline{v}}_1=6.1 \mathrm{V}$, ${\overline{v}}_2=6.3 \mathrm{V}$.

As the hardware component of the control layer in CPS, the defender’s IPC is connected to the QTP through a data acquisition board and a wiring terminal board. The detailed hardware configuration of the platform is given in

Table 1. Hardware configuration of the experimental system.

Components	Attribute	Description
Water Tanks	Quantity	4
	Material	Acrylic
	Depth	350 mm
	Inner Diameter	44 mm
Pumps	Quantity	2
	Type	Diaphragm
	Rated Voltage	24 V DC
	Load Current	0.8–1.5 A DC
	Rated Flow	2.2 L/min
	Head	10 m
Drivers	Quantity	2
	Model Number	HEYO-24V916PWM
	Control Voltage	0–10 V DC
	Output Voltage	0–24 V DC
	Static Current	0.01 A
Sensors	Quantity	2
	Model Number	XGZP6887
	Range	0–5 kPa
	Output Voltage	0.5–4.5 V DC
	Accuracy	1.5 %Span
	Compensation Temperature	0–60 °C
Data Acquisition Board	Producer	Advantech
	Model Number	PCI-1710U
	Input/Output Type	Analog
	Input Quantity	16
	Output Quantity	2
	Sampling Rate	Max. 100 kHz
	Accuracy	16 bit
	Others	Digital I/O & Counters
Wiring Terminal Board	Producer	Advantech
	Model Number	ADAM-3968
	General	68-pin/DIN-rail Mounting

for readers to replicate. Specifically, the controlled plant is composed of four cylindrical tanks in acrylic and six hoses in silicone. The two pumps and their drivers in Table 1 are the actuator part of the physical plant. They change the water flow in the hose in response to the received control signal. Two gas pressure sensors with model number HEYO-24V916PWM are chosen for real-time liquid level measurement. The readers can easily see such sensors in a blood pressure meter. The data acquisition board and the wiring terminal board are used together to transfer the collected liquid level signals to Simulink in real-time, while the latter’s control signals are processed by digital-to-analog conversion and then the control voltage can be output to the pump drivers.

The software components are based on the Real-Time Windows Target environment of the Matlab/Simulink to realize the HIL control of the QTP, as shown in Figure 3. The parameters of the employed dynamic output feedback controller (2) are

$$\begin{array}{c}{A}_{\mathrm{c}}=\left[\begin{array}{cccc}0.4701& -0.1972& 0.2548& 0.2608\\ -0.2046& 0.3359& -0.3612& 0.3587\\ 0.0736& -0.2557& 0.3799& -0.1067\\ 0.1093& 0.3661& 0.1772& 0.9371\end{array}\right],B_{\mathrm{c}}=\left[\begin{array}{cc}0.0867& -0.0240\\ 0.1465& -0.0121\\ -0.1462& -0.0217\\ -0.0416& -0.0614\end{array}\right],C_{\mathrm{c}}={\left[\begin{array}{cc}-0.3921& -0.0333\\ -0.1629& -0.1501\\ 0.1740& 0.2754\\ 0.0628& 0.0092\end{array}\right]}^{\top },\\ E_{\mathrm{c}}=\left[\begin{array}{cc}-0.0295& -0.2416\\ 2.9535& -0.6866\\ -0.6632& -0.1423\\ 5.1465& -0.7280\end{array}\right],D_{\mathrm{c}}=\left[\begin{array}{cc}-0.6333& 0.0003\\ 0.0015& -0.5508\end{array}\right],F_{\mathrm{c}}=\left[\begin{array}{cc}0.2442& -0.2035\\ -0.0082& 0.1244\end{array}\right].\end{array}$$

The desired steady state output in the control layer is preset to be $y_{\mathrm{r}0}={\left[3, 5\right]}^{\top }$ (indicating the actual levels 22.2 cm and 24.5 cm) and remains constant during the attacks.

The attacker uses the user datagram protocol (UDP) to tamper with the process data of the CPS through the private communication network to achieve the attack goal. Another typical protocol is the transmission control protocol (TCP), and a platform based on this protocol can be found in ref. [15]. To reduce the hardware investment, the input and output signal acquisition part of the physical layer of the experimental platform is designed on the IPC, while its software is separated from the controller. This idea is consistent with the basic principle of CPS and is able to meet the demand for attack data injection.

5.2. Experimental Results and Analysis

The attacker sets the attack target value of $y_{\mathrm{p}}(k)$ as ${y^{\prime }}_{\mathrm{r}0}={\left[6, 8.3\right]}^{\top }$, which corresponds to the actual levels 25.2 cm and 27.8 cm. The sensor attack matrix can be determined according to Theorem 2 as follows:

$${\mathcal{A}}_{\mathrm{s}}=\left[\begin{array}{cc}0.5& 0\\ 0& 0.6\end{array}\right].$$

(19)

In addition, the stealthiness parameter is set to $\gamma =0.0162$, and the auxiliary perturbation $d$ is:

$$d={\left[\begin{array}{cccc}-3.00& -5.00& -3.26& -0.96\end{array}\right]}^{\top }.$$

(20)

The parameters in the output reference (9) are set as follows:

$$A_{\mathrm{r}}=\mathrm{diag}\left\{0.25, 0.5\right\}, B_{\mathrm{r}}=C_{\mathrm{r}}=I, x_{\mathrm{r}0}={\left[\begin{array}{cc}2.25& 2.5\end{array}\right]}^{\top }.$$

(21)

A feasible actuator attack matrix ${\mathcal{A}}_{\mathrm{a}}$ is obtained according to Theorem 2 as follows:

$${\mathcal{A}}_{\mathrm{a}}=\left[\begin{array}{cc}1.127& 0.667\\ 0.206& 0.893\end{array}\right].$$

(22)

The total running time of the experiment is set to $1000 \mathrm{s}$. The attacker implements the attack strategy with parameters (19) and (22) from the 750th second to the end. The experiment results are shown in Figure 4, Figure 5 and Figure 6. To emphasize the attack process, these figures omit the first 500 s of irrelevant data.

Figure 4 shows the variation curves of the actual output $y_{\mathrm{p}}(k)$ in the physical layer for the CPS. It can be seen that the physical system operates in a static-error-free tracking mode before the attack is launched. Once the attack starts, the two liquid levels deviate from the previous output reference ${\left[3, 5\right]}^{\top }$, and then stabilize at the attacker’s targets 6 cm and 8.3 cm, respectively. Thus, the attack performance can be obtained as

$$\kappa =‖{\left[6, 8.3\right]}^{\top }-{\left[3, 5\right]}^{\top }‖=4.46 .$$

(23)

The facts indicate that the attacker achieves the desired attack effect.

It should be noted that the actual outputs of the physical plant under attack have larger steady-state errors compared with those not under attack. This is because the injection of the sensor attack matrix ${\mathcal{A}}_{\mathrm{s}}$ indirectly tampers with the input gains $B_{\mathrm{c}}$ and $D_{\mathrm{c}}$ in CPS’s inherent controller Equation (2), resulting in a change in the dynamic relationship between the nominal output $u(k)$ and input $y_{\mathrm{e}}(k)$ in the control layer. Moreover, the actuator attack matrix ${\mathcal{A}}_{\mathrm{a}}$ can be considered as the tampering of the control gain for the physical plant in Equation (1), that is, $B$ is altered to $B{\mathcal{A}}_{\mathrm{a}}$. Almost all existing studies treat the attack process as the operating data being compromised. It is important to analyze both the attack and defense issues of CPSs from the perspective of model parameters under attack because the attack model essentially raises open questions.

In addition, Figure 5 and Figure 6 give the curves displayed in the control layer before and after the attacks. They present the output $y(k)$, tracking error $‖y_{\mathrm{e}}(k)‖$ (the norm form of $y_{\mathrm{e}}(k)$), and the implicit metrics of tracking control performance $\gamma ‖\omega (k)‖$ in the defender’s perspective. It can be seen that although the actual output of the physical plant deviates from the predefined reference when the CPS is subjected to attacks (as shown in Figure 4), the received data in the control layer are not significantly abnormal and only present a phenomenon similar to a short-time exogenous perturbation. From the perspective of the process data received in the control layer, the Equation (6) holds after a limited tuning time (about $29.1 \mathrm{s}$), which indicates that the designed attack matrices satisfy the desired stealthiness.

5.3. Discussions and Limitations

As we can see from the experiments in Section 5.2, the attacker can simply obtain the attack matrices in constant form by solving the linear matrix inequalities offline in a one-time process. Thanks to the constant form of the attack matrices, the attacker can, in practice, diagonalize the attack matrices and then implement the attack by adjusting the gain knobs of the sensors and actuators in the physical layer. This physical attack does not require any data injection in the communication network and is strictly stealthy for most anomaly detectors based on network traffic monitoring. In addition, the phenomenon, such as the short-time exogenous perturbation that appears in Figure 6, is essentially caused by the change in the potential desired trajectory due to the sensor attack matrix. This phenomenon can be weakened when the attacker tries to target the stepped desired trajectory as the attack goal.

It is important to note that the proposed attack strategies also have some limitations. On the one hand, we assume that the attacker has complete information on the CPS model. This assumption is common in the research of stealth attacks (e.g., in ref. [9,16,17]), but it is worth being concerned to weaken this assumption in order to further improve the practical value of the attack programs. This paper does not make a breakthrough in this regard. On the other hand, the two proposed theorems assume that the attacker tries to drive the output of the physical plant to an unsafe constant value. This linearized attack goal remains somewhat homogeneous due to the constraints of the stealthiness conditions. More flexible forms of attack targets should be considered in the future.

6. Conclusions and Future Work

In this paper, we studied a class of stealthy attack strategies in the form of multiplicative matrices against CPSs. Two theorems are given for designing attacks with constant matrices. The model of multiplicative attack matrices is proposed for the first time. The attack strategies based on this model transform the attack parameter designs into controller design issues, which may raise a new research trend in the field of stealthy attack strategies. Moreover, a CPS attack and defense experimental platform is developed. The platform has the characteristics of low cost and high openness, which promotes the practicalization of stealthy attack research.

In the future, our research will be extended to stealthy attack methods under the unknown model information. The emphasis should be on data-driven multiplicative stealthy attacks. In addition, the relationship between the proposed stealthiness conditions with the existing ${\chi }^2$ and KLD ones should also be investigated.