## Abstract

Increased automation has created an impetus to integrate infrastructure with wide-spread connectivity in order to improve efficiency, sustainability, autonomy, and security. Nonetheless, this reliance on connectivity and the inevitable complexity of such systems increase their vulnerability to physical faults or degradation and to external cyber-threats. Since the strategies to counteract faults and cyberattacks differ widely, it is vital not only to detect an anomaly but also to identify its nature. In this work, we propose a mathematical framework to distinguish between physical faults and cyberattacks using a sliding mode-based unknown input observer. Finally, we present simulation case studies that apply the proposed distinguishability metric and criterion. The simulation results show that the proposed framework successfully distinguishes between faults and cyberattacks.

## 1 Introduction

The growing need for efficiency, coordination, precision, and autonomy has led to the integration of cybernetic components with physical infrastructure through information and communication technologies (ICT). Such physical systems with embedded networks of sensors, actuators, and controllers are commonly described as cyber-physical systems (CPS). Currently, CPS have garnered considerable interest in areas such as the smart grid [1], manufacturing [2], mobility [3], and many others. Thus, for the reliable operation of these safety-critical systems, ensuring their safety and security against faults and cyberattacks has become obligatory.

### 1.1 Motivation.

The impact of faults and cyberattacks on CPS may be disparate [4]. On one hand, faults may arise due to natural degradation of system components or physical abuse. On the other hand, a cyberattack is specifically crafted by an adversary to drive the system toward unintended states while evading detection by the system administrator. The wide range of possibilities for physical faults and cyberattacks also makes it challenging to distinguish between them from system measurements. In particular, faults can be incipient or rapidly evolving, leading to runaway effects [5]. In contrast, some cyberattacks can be passive (such as eavesdropping attacks) or stealthy, or can deny services from the system altogether. Additionally, the adversary can design cyberattacks that mimic the behavior of faults in the system [6] or coordinate a series of multiple faults in the system [7]. More importantly, if faults and cyberattacks are misclassified, they may lead to incorrect remedial actions and cause severe disruptions.

### 1.2 Literature Review.

Even though detection and isolation of both faults and cyberattacks have been a field of active research over the last decade, efforts to distinguish between them have remained under-explored. In a distributed sensor network, hidden Markov models have been used to distinguish between faulty and malicious data [8]. On the other hand, in Ref. [6], cyberattacks that maliciously trip relays to disrupt power distribution have been distinguished from faults by observing the flow of fault current in the power grid. The first effort toward formalizing attack policies began with the introduction of an attack-space representation with respect to the adversary's system knowledge, disclosure, and disruption resources [4]. This work provides replay, zero-dynamics, and bias-injection attack policies, and also presents a stealthy bias-injection attack policy under incomplete system knowledge. Under a multi-agent scenario, Ref. [9] proposed an $H_\infty$ optimization-based observer design that distinguishes between in-domain faults and false-data injection attacks on the sensor measurements. The formulation considered in that work is restrictive in the sense that cyberattacks only affect pair-wise agents while faults affect all the agents in the system. In contrast, Ref. [10] uses both physical and cyber properties of a multi-agent system (specifically, the smart grid) to achieve the same. Additionally, data-driven strategies to distinguish between faults and cyberattacks have been pursued in the context of smart grids in Refs. [11,12] and for smart buildings in Refs. [13,14]. Finally, Ref. [15] utilized model-based detection strategies along with information-technology solutions to achieve the same.

### 1.3 Research Gap and Contribution.

The literature on fault diagnostics and cyber-security reveals that a mathematical framework for distinguishing faults from cyberattacks for linear systems has not been proposed, to the best of our knowledge. Thus, to address this gap, we use a sliding mode observer to estimate an anomalous input to the system and provide a criterion to distinguish whether the anomalous input is a fault or a cyberattack. Although estimation of anomalous inputs is often implemented by Luenberger unknown input observers [16], the linear output injection term therein often causes convergence issues. In contrast, the nonlinear switching laws of the designed sliding mode-based observer offer better accuracy and finite-time convergence.

### 1.4 Organization of the Paper.

The remainder of the paper is organized as follows: Sec. 2 describes the problem setup, Sec. 3 presents the distinguishability criterion, Sec. 4 shows the validation of our framework through simulation studies for faults and cyberattacks scenarios, and finally in Sec. 5 we present the concluding remarks and scope for future work.

*Notations:* The following notations have been used in this work: $I_n$ is an identity matrix of size $n$, $R(M)$ represents the range of matrix $M$, $B^\dagger$ represents the generalized inverse of matrix $B$, $\Vert \eta \Vert$ represents the Euclidean norm of the vector $\eta$, and $\Vert P\Vert_F$ represents the Frobenius norm of a matrix $P$.

## 2 Problem Setup

### 2.1 Cyber-Physical System Model.

Cyber-physical systems comprise six layers: physical layer, control layer, communication layer, network layer, supervisory layer, and management layer [17]. The physical layer here represents the physical plant, sensors, and actuators. The network and communication layers contain the ICT and provide interconnections between the physical layer, control layer, and supervisory-management layers. The control layer consists of the control module (CM), which contains controllers and state estimators. In contrast, the supervisory layer and management layer consist of the central management system and have the following roles: (i) to provide high-level supervisory management in terms of operating condition commands to the CM, (ii) to diagnose the integrity of the plant operation using a diagnostic filter (DF), and (iii) to distinguish between physical faults and cyberattacks utilizing a distinguisher module.

*Physical plant*. Let us consider the following linear time-invariant state space model for the physical plant $S$:

$$\dot{x}(t) = Ax(t) + Bu(t) + \eta(t), \qquad y(t) = Cx(t) + Du(t) \tag{1}$$

where $x \in \mathbb{R}^n$ is the state, $u \in \mathbb{R}^p$ is the control input, $y$ is the measured output, and $\eta \in \mathbb{R}^n$ is an unknown input capturing anomalies.

Notably, under a cyber-physical setting, the adversary is able to manipulate the actuation channel of the system to launch a cyberattack $\alpha \in \mathbb{R}^p$. Consequently, such a cyberattack on the actuation channel is modeled in the control-theoretic framework as an unknown input $\eta = B\alpha$, since the control command passes through the actuation distribution matrix [17]. On the other hand, if there is a fault $f \in \mathbb{R}^q$ in the system, then the unknown input is $\eta = Ef$, where $E \in \mathbb{R}^{n \times q}$ represents the fault distribution matrix. It is to be noted that such a distribution matrix $E$ can be reliably obtained using failure mode and effect analysis and strategies for uncertainty quantification [18]. We present the schematic of our problem framework in Fig. 1.

In the next section, we propose a sliding mode-based diagnostic filter that detects and estimates the unknown inputs defined in Eq. (1).

### 2.2 Sliding Mode-Based Diagnostic Filter.

#### Convergence of the sliding mode-based diagnostic filter

Consequently, after $t > T_{\max}$, Eq. (4) becomes

$$0 = \eta - L\,\frac{x - \hat{x}}{\Vert x - \hat{x} \Vert}$$

and yields the equivalent output error dynamics [19,20]. Subsequently, we can use this solution to obtain an estimate of the unknown input by passing the output error injection term through a low-pass filter $F(\cdot)$ [19,20]. To achieve the reaching law, the low-pass filter is chosen as

$$\dot{\hat{\eta}} = -\frac{1}{\tau}\hat{\eta} + \frac{1}{\tau}\,L\,\frac{y - \hat{y}}{\Vert y - \hat{y} \Vert}$$
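As a rough sketch (not the paper's implementation), the low-pass filter above can be discretized with a forward-Euler step. The gain $L$ and time constant $\tau$ reuse the Sec. 4 values, while the constant unit error direction `e` is a hypothetical stand-in for the sliding-mode output error:

```python
import numpy as np

def filter_step(eta_hat, e, L, tau, dt):
    """One Euler step of d(eta_hat)/dt = (-eta_hat + L e/||e||) / tau."""
    inj = L @ (e / np.linalg.norm(e))  # output error injection (switching) term
    return eta_hat + dt * (-eta_hat + inj) / tau

L = 50 * np.eye(2)           # observer gain used in Sec. 4
tau, dt = 0.1, 1e-3          # filter time constant and step size
e = np.array([0.6, 0.8])     # hypothetical (already unit-norm) error direction
eta_hat = np.zeros(2)
for _ in range(5000):        # 5 s of simulated time, ~50 time constants
    eta_hat = filter_step(eta_hat, e, L, tau, dt)
# eta_hat has converged to L e/||e||, the equivalent injection value
```

For a fixed error direction, the filter output settles exponentially (with time constant $\tau$) to the injection term, which is exactly the equivalent-output-error estimate of $\eta$.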

## 3 Distinguishability

Using the sliding mode-based DF from Proposition 1, we use the estimate of the unknown input $\eta(t)$ to distinguish between a cyberattack and a fault. Now, if $\eta$ is a cyberattack, then $\eta = B\alpha$, i.e., $R(B)$ represents the plausible set of cyberattacks. Similarly, $R(E)$ represents the plausible set of faults. Therefore, the question of distinguishability translates to identifying whether $\eta$ lies in $R(B)$ or $R(E)$. With this intent, we define the following *Distinguishability metric*.

### Distinguishability metric

For an unknown input $\eta \not\equiv 0$, we define a distinguishability metric

$$M(\eta) := \Vert P_B\,\eta \Vert_2 - \Vert P_E\,\eta \Vert_2 \tag{9}$$

In the above definition, $P_B := I_n - B(B^TB)^{-1}B^T$ and $P_E := I_n - E(E^TE)^{-1}E^T$; $\Vert P_B\,\eta \Vert_2$ denotes the minimum distance of $\eta(t)$ from $R(B)$, while $\Vert P_E\,\eta \Vert_2$ denotes the minimum distance of $\eta(t)$ from $R(E)$. Hence, $M$ quantifies how close $\eta$ is to the range space of $B$ relative to that of $E$. Evidently, a positive $M$ implies that the distance of $\eta$ to $R(B)$ is greater than its distance to $R(E)$. Similarly, a negative $M$ implies that $\eta$ is closer to $R(B)$. Thus, $M = 0$ for a non-zero $\eta$ implies that the unknown input is equidistant from $R(B)$ and $R(E)$.
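The metric and projectors above can be sketched in a few lines of numpy; the distribution matrices below are the ones later used in Sec. 4:

```python
import numpy as np

def projector(M):
    """I_n - M (M^T M)^{-1} M^T: orthogonal projector onto the complement of R(M)."""
    n = M.shape[0]
    return np.eye(n) - M @ np.linalg.inv(M.T @ M) @ M.T

def distinguishability(eta, B, E):
    """M(eta) = ||P_B eta||_2 - ||P_E eta||_2 as in Eq. (9)."""
    return (np.linalg.norm(projector(B) @ eta)
            - np.linalg.norm(projector(E) @ eta))

B = np.array([[3.0], [2.0]])   # actuation distribution matrix (Sec. 4)
E = np.array([[2.0], [5.0]])   # fault distribution matrix (Sec. 4)

# an input in R(B) gives M < 0; an input in R(E) gives M > 0
M_attack = distinguishability(B @ np.array([1.0]), B, E)  # negative
M_fault = distinguishability(E @ np.array([1.0]), B, E)   # positive
```

Note that $P_B$ annihilates any $\eta \in R(B)$ exactly, so for a pure attack the first norm vanishes and $M$ is strictly negative (and symmetrically for faults).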

For an arbitrarily accurate estimate of the distribution matrices $B, E$ and the unknown input $\eta$, only two scenarios are possible: either there exists an $\alpha$ such that $\eta - B\alpha \equiv 0$, or there exists an $f$ such that $\eta - Ef \equiv 0$. This would unambiguously prove that the unknown input $\eta$ is a cyberattack in the first case and a fault in the second. However, such assumptions are unrealistic owing to detector performance limitations and uncertainties in the system model and measurements. Hence, the metric in Eq. (9) is defined to quantify the degree of closeness of the unknown input $\eta$ to the space of plausible cyberattacks $R(B)$ and faults $R(E)$. Figure 2 shows the geometric interpretation of the distinguishability metric $M$.

### Distinguishability criterion

Consider the system in Eq. (1) with a non-zero unknown input $\eta(t)$ and the sliding mode-based DF from Eq. (3). Let us also assume that the DF satisfies the conditions provided in Proposition 1. Then the estimated unknown input from Eq. (7) is a cyberattack if $M(\hat{\eta}) < 0$ and is a fault if $M(\hat{\eta}) > 0$. Finally, if $M(\hat{\eta}) = 0$, the unknown input is *indistinguishable* as a fault or cyberattack.

The proof follows from Eq. (9).

### Fault-mimicking cyberattacks

A cyberattack will be indistinguishable from a fault if there exists an $\alpha^\star \in \mathbb{R}^p$ such that $\alpha^\star = B^\dagger E f$ for some $f \in \mathbb{R}^q$; such attacks are called fault-mimicking cyberattacks.

Constrained by the assumption of an uncertain CPS, Theorem 1 provides only a sufficient condition for distinguishability of attacks and faults. Hence, in Corollary 1, we show how the adversary can craft a fault-mimicking or fault-based cyberattack by leveraging the defender's limited system knowledge. Such attacks are often encountered in power-grid or IoT-enabled CPS, and Corollary 1 reflects a fundamental limitation of the proposed criterion. To further address the concerns for uncertain CPS, our next theorem introduces a practical guarantee for distinguishability.

### Guaranteed practical distinguishability

Consider a system with bounded uncertainty where $\hat{\eta} \to \eta + \epsilon$. If the estimation error $\Vert \epsilon \Vert_2$ is bounded by $M_\epsilon$, then the estimated unknown input $\hat{\eta}$ is a cyberattack if $M(\hat{\eta}) < -\Vert P_E \Vert_F\, M_\epsilon$ and is a fault if $M(\hat{\eta}) > \Vert P_B \Vert_F\, M_\epsilon$.

Let us consider the case of a cyberattack on an uncertain CPS, where Eq. (9) yields $M(\hat{\eta}) - \Vert P_B\,\epsilon \Vert_2 = -\Vert P_E(\eta + \epsilon)\Vert_2 < 0$. Similarly, for the faulty scenario we can show $M(\hat{\eta}) + \Vert P_E\,\epsilon \Vert_2 = \Vert P_B(\eta + \epsilon)\Vert_2 > 0$. Next, we apply the bound $\Vert P_B\,\epsilon \Vert_2 \le \Vert P_B \Vert_F\, M_\epsilon$ (and analogously for $P_E$) and remove the overlap between these inequalities to obtain the condition for guaranteed distinguishability.
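The thresholded decision rule of Theorem 2 can be sketched as follows. This is an illustrative classifier, not the paper's code; the error bound `M_eps` values passed in the usage lines are hypothetical:

```python
import numpy as np

B = np.array([[3.0], [2.0]])   # Sec. 4 actuation distribution matrix
E = np.array([[2.0], [5.0]])   # Sec. 4 fault distribution matrix
proj = lambda M: np.eye(M.shape[0]) - M @ np.linalg.inv(M.T @ M) @ M.T
PB, PE = proj(B), proj(E)

def classify(eta_hat, M_eps):
    """Theorem-2 rule: declare attack/fault only outside the uncertainty band."""
    M_val = np.linalg.norm(PB @ eta_hat) - np.linalg.norm(PE @ eta_hat)
    if M_val < -np.linalg.norm(PE, 'fro') * M_eps:
        return 'cyberattack'
    if M_val > np.linalg.norm(PB, 'fro') * M_eps:
        return 'fault'
    return 'indeterminate'

# usage: exact estimates are classified; a large error bound widens the
# indeterminate band until no guaranteed decision is possible
r1 = classify(B.flatten(), 0.0)    # input in R(B), no uncertainty
r2 = classify(E.flatten(), 0.0)    # input in R(E), no uncertainty
r3 = classify(B.flatten(), 10.0)   # same input, very loose error bound
```

The Frobenius-norm factors make the thresholds conservative: any estimate whose metric falls inside $[-\Vert P_E\Vert_F M_\epsilon,\ \Vert P_B\Vert_F M_\epsilon]$ is left undecided rather than risked on a misclassification.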

## 4 Simulation Results

In this section, we illustrate the proposed concepts using simulation studies. The system considered is given by $A = -10I_2$, $B = [3\;\; 2]^T$, $D = 0$, and $E = [2\;\; 5]^T$. The unknown input is $\eta = [\eta_1, \eta_2]^T$. For all the case studies in this section, a dynamic input profile is given as the input $u$ to the system in Eq. (1) (shown in Fig. 3). The observer gain for the sliding mode-based DF in Eq. (3) is chosen as $L = 50I_2$ and the filter gain as $\tau = 0.1$.

In this simulation study, we consider two cases: in case 1, the system is under a physical fault, while in case 2, the system is subjected to a cyberattack. The objective of this case study is to show how the unknown input estimated by the sliding mode-based DF can be successfully identified as either a fault or a cyberattack using the distinguishability metric and criterion proposed in Eq. (9) and Theorem 1. With this, let us look at the results of the two case studies.

### 4.1 Case 1: Fault.

For this case, the system is subjected to a fault of magnitude $f = 5(1 - \exp(-10^{-4}t))$, which manifests in the system as an unknown input $\eta = Ef$. Figure 4 shows that the sliding mode-based DF can estimate this unknown input while starting from arbitrary initial conditions (shown in the inset). The estimates of the two components of $\hat{\eta} = [\hat{\eta}_1, \hat{\eta}_2]^T$ match the true components of the unknown input $\eta = [\eta_1, \eta_2]^T$ (shown in Fig. 4).

The DF also estimates the system states $\hat{x}_1$ and $\hat{x}_2$, and these estimates closely match the true states $x_1$ and $x_2$. We observe in Fig. 5 that $M > 0$ in steady-state, indicating that the unknown input is a fault. We also note that the distinguishability metric is non-positive for the first 0.2 s (as shown in the inset of Fig. 5); however, this is due to the time needed by the DF to converge to the correct estimates of the states and unknown inputs.

### 4.2 Case 2: Cyberattack.

For this case study, we construct a cyberattack $\alpha$ that can drive the system states to the unintended states $[1, 1]$. Using the steady-state condition of the system equation (Eq. (1)), we obtain the attack policy $\alpha = -B^\dagger A[1, 1]^T - u$. From Fig. 6, it is evident that the sliding mode-based DF can faithfully estimate the two components of the unknown input $\eta = [\eta_1, \eta_2]^T = B\alpha$. The initial conditions for the unknown inputs are unspecified; hence, the estimates are initialized arbitrarily. However, the DF converges to the correct estimates in steady-state starting from these arbitrary initial conditions (as shown in the inset of Fig. 6). Subsequently, we calculate the distinguishability metric $M$ from Eq. (9) and plot it in Fig. 7. Since $M < 0$, we conclude from the distinguishability criterion that the unknown input $\eta$ is a cyberattack.
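The attack-policy construction and its classification can be sketched end to end. This is an illustrative check, not the paper's simulation; in particular, the constant `u` stands in for the steady-state value of the dynamic input profile of Fig. 3, which is not specified here:

```python
import numpy as np

A = -10 * np.eye(2)
B = np.array([[3.0], [2.0]])
E = np.array([[2.0], [5.0]])
u = np.array([1.0])                    # assumed steady-state input value

# attack policy of Sec. 4.2: alpha = -B^dagger A [1,1]^T - u
B_pinv = np.linalg.pinv(B)
alpha = -B_pinv @ A @ np.array([1.0, 1.0]) - u

# the attack enters the plant through the actuation channel: eta = B alpha
eta = (B @ alpha.reshape(1, 1)).flatten()

# evaluate the distinguishability metric of Eq. (9)
proj = lambda M: np.eye(M.shape[0]) - M @ np.linalg.inv(M.T @ M) @ M.T
M_val = (np.linalg.norm(proj(B) @ eta)
         - np.linalg.norm(proj(E) @ eta))
# M_val < 0: eta lies in R(B), so the criterion flags a cyberattack
```

Since $\eta = B\alpha$ lies in $R(B)$ by construction, $P_B\eta = 0$ and the metric is strictly negative regardless of the assumed value of `u`, matching the conclusion drawn from Fig. 7.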

## 5 Conclusion and Future Work

Distinguishing between the occurrence of faults and cyberattacks in a system is of utmost importance in order to provide appropriate mitigation strategies. In this work, we have proposed a mathematical framework for distinguishing between the two, utilizing a sliding mode-based DF. Using the estimate of the unknown input from the DF, we proposed a distinguishability metric and criterion to achieve our goal. Finally, we have conducted a set of simulation studies with both faults and cyberattacks to illustrate the validity of our proposed framework. In the future, we intend to extend this work to nonlinear systems and consider different attack types, such as denial-of-service and replay attacks, through both the control command and the sensor measurement channels.

## Conflict of Interest

There are no conflicts of interest.

## Data Availability Statement

The datasets generated and supporting the findings of this article are obtainable from the corresponding author upon reasonable request.