Abstract
A zero-dynamics attack allows an attacker to input some control action that results in zero measurable output but a nonzero response of the internal states. This paper extends previous work on zero-dynamics attacks to nonlinear system dynamics. This is accomplished using invariant subspace techniques that identify the subspace on which zero dynamics exist. An iterative algorithm is presented to identify both this subspace and the resulting zero dynamics of the system. These methods are implemented on a model of a pressurizer in a nuclear power plant, which is a critical subsystem of pressurized water reactors that monitors and controls the system pressure and coolant inventory. The implementation analyzes all combinations of attackable signals, where the attackable signals are the set of all system inputs and outputs. From this analysis, there are eight unique combinations of attacked actuators and sensors that result in zero-dynamics attacks. These combinations are characterized by stability and damage time, where damage time is the time it takes to reach some undesirable state. The damage times range from half a day to sixteen days, depending on the number of signals the attacker has access to. These results demonstrate that the physics of the pressurizer system creates some vulnerabilities to zero-dynamics attacks. This work provides plant designers with tools to identify which subsystems are most susceptible to zero-dynamics attacks and might require additional defenses.
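The quantities the abstract names (output-nulling subspace, stability of the zero dynamics, damage time) can be checked on a linear discrete-time toy plant; this is an added example, not code or data from the paper. The matrices, the relative-degree-one assumption, the limit of 1.0, the extra sensor and all function names are constructed for illustration, whereas the paper's algorithm addresses nonlinear dynamics and the pressurizer model.

```python
# Constructed toy plant (assumption, not the paper's pressurizer model):
#   x[k+1] = A x[k] + B u[k],   y[k] = C x[k]
A = [[1.0, 1.0],
     [0.0, 1.0]]
B = [1.0, -0.1]
C = [1.0, 0.0]            # only x[0] is measured; x[1] is an internal state

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def matvec(M, v):
    return [dot(row, v) for row in M]

def output_nulling_input(x):
    """Input that forces y[k+1] = C(Ax + Bu) = 0.
    Valid only when CB != 0 (relative degree one, an assumption here)."""
    return -dot(C, matvec(A, x)) / dot(C, B)

def simulate(x0, steps, extra_sensor=None):
    """Evolve the plant on the output-nulling subspace ker(C).
    Returns states, measured outputs, and readings of an optional
    hypothetical second sensor (row vector applied to the state)."""
    x, xs, ys, zs = list(x0), [], [], []
    for _ in range(steps):
        xs.append(x)
        ys.append(dot(C, x))
        zs.append(dot(extra_sensor, x) if extra_sensor else None)
        u = output_nulling_input(x)
        x = [ax + b * u for ax, b in zip(matvec(A, x), B)]
    return xs, ys, zs

def damage_time(xs, index, limit):
    """First step at which |x[index]| exceeds limit, or None if it never does."""
    for k, x in enumerate(xs):
        if abs(x[index]) > limit:
            return k
    return None

if __name__ == "__main__":
    # Start inside ker(C) with a small deviation of the unmeasured state.
    xs, ys, zs = simulate([0.0, 0.01], 60, extra_sensor=[0.0, 1.0])
    print("max |y| on original sensor:", max(abs(y) for y in ys))
    print("damage time (steps) for |x[1]| > 1.0:", damage_time(xs, 1, 1.0))
    print("second sensor at step 10:", zs[10])
```

On this plant the zero dynamics reduce to x[1] growing by a factor of 1.1 per step, so they are unstable, while the hypothetical second sensor on x[1] shows the drift that the original output hides.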