Abstract

Increased automation has created an impetus to integrate infrastructure with wide-spread connectivity in order to improve efficiency, sustainability, autonomy, and security. Nonetheless, this reliance on connectivity and the inevitability of complexity in this system increase the vulnerabilities to physical faults or degradation and external cyber-threats. However, strategies to counteract faults and cyberattacks would be widely different and thus it is vital to not only detect but also to identify the nature of the anomaly that is present in these systems. In this work, we propose a mathematical framework to distinguish between physical faults and cyberattack using a sliding mode based unknown input observer. Finally, we present simulation case studies to distinguish between physical faults and cyberattacks using the proposed distinguishability metric and criterion. The simulation results show that the proposed framework successfully distinguishes between faults and cyberattacks.

Graphical Abstract Figure

1 Introduction

The growing need for efficiency, coordination, precision, and autonomy has led to the integration of cybernetic components with physical infrastructure through information and communication technologies (ICT). Such physical systems with embedded networks of sensors, actuators, controllers are commonly described as cyber-physical systems (CPS). Currently, such CPS has garnered a lot of interest in the areas of smart grid [1], manufacturing [2], mobility [3], and many others. Thus, for reliable operation of these safety-critical systems, ensuring safety and security of these systems against faults and cyberattacks has become obligatory.

1.1 Motivation.

The impact of faults and cyberattacks on CPS may be disparate [4]. On one hand, faults may arise due to natural degradation of system components or physical abuse. On the other hand, a cyberattack is specifically crafted by an adversary to drive the system toward unintended states while evading detection by the system administrator. The wide range of possibilities for physical faults and cyberattacks also makes it challenging to distinguish between them from system measurements. Particularly, faults can be incipient or rapidly evolving, leading to runaway effects [5]. In contrast, some cyberattacks can be passive (such as eavesdropping attack) or stealthy or can deny services from the system altogether. Additionally, the adversary can also design cyberattacks such that they mimic the behavior of faults in systems [6] or coordinate a series of multiple faults in the systems [7]. More importantly, if faults and cyberattacks are wrongly classified, they may lead to incorrect remedial actions and cause severe disruptions.

1.2 Literature Review.

Even though detection and isolation of both faults and cyberattacks have been a field of active research over the last decade, efforts to distinguish them have remained under-explored. In a distributed sensor network, hidden Markov models have been used to distinguish between faulty and malicious data [8]. On the other hand, in Ref. [6], cyberattacks that maliciously trip relays to disrupt power distribution have been distinguished from faults by observing the flow of fault current in the power grid. The first effort toward formalizing attack policies began with the introduction of an attack-space representation with respect to adversary's system knowledge, disclosure, and disruption resources [4]. This work provides replay, zero-dynamics, and bias-injection attack policies. They also present stealthy bias-injection attack policy under incomplete system knowledge. Under a multi-agent scenario, Ref. [9] proposed an H optimization-based observer design that distinguishes between in-domain faults and false-data injection attacks to the sensor measurement. The formulation considered in this work is restrictive in the sense that cyberattacks only affect pair-wise agents while the faults affect all the agents in the system. In contrast, Ref. [10] uses both physical and cyber properties of a multi-agent system (specifically smart grid) in order to achieve the same. Additionally, data-driven strategies to distinguish between faults and cyberattacks have been tackled in the context of smart grids in Refs. [11,12] and for smart buildings in Refs. [13,14]. Finally, Ref. [15] utilized both model-based detection strategies along with information technology solutions to achieve the same.

1.3 Research Gap and Contribution.

The literature in fault diagnostics and cyber-security reveals that a mathematical framework for distinguishing faults and cyberattacks for linear systems has not been proposed, to the best of our knowledge. Thus, to address this gap we use a sliding mode observer to estimate an anomalous input to the system and provide a criterion to distinguish whether the anomalous input is a fault or a cyberattack. Although estimation of anomalous input is often implemented by Luenberger unknown input observers [16], the linear output injection term often causes issues of convergence therein. In contrast, the nonlinear switching laws of the designed sliding mode-based observer offer better accuracy and finite-time convergence.

1.4 Organization of the Paper.

The remainder of the paper is organized as follows: Sec. 2 describes the problem setup, Sec. 3 presents the distinguishability criterion, Sec. 4 shows the validation of our framework through simulation studies for faults and cyberattacks scenarios, and finally in Sec. 5 we present the concluding remarks and scope for future work.

Notations: The following notations have been used in this work: $I_n$ is an identity matrix of size $n$, $R(M)$ represents the range of matrix $M$, $B^{\dagger}$ represents the generalized inverse of matrix $B$, $\|\eta\|$ represents the Euclidean norm of the vector $\eta$, and $\|P\|_F$ represents the Frobenius norm of a matrix $P$.

2 Problem Setup

2.1 Cyber-Physical System Model.

Cyber-physical systems comprise six layers: physical layer, control layer, communication layer, network layer, supervisory layer, and management layer [17]. The physical layer here represents the physical plant, sensors, and actuators. The network and communication layers contain the ICT and provide interconnections between the physical layer, control layer, and supervisory-management layers. Now, the control layer consists of the control module (CM) which contains controllers and state estimators. In contrast, the supervisory layer and management layer consist of the central management system and have the following role: (i) to provide high-level supervisory management in terms of operating condition commands to the CM, (ii) to diagnose the integrity of the plant operation using a diagnostic filter (DF), and (iii) to distinguish between physical faults and cyberattacks utilizing a distinguisher module.

Physical plant. Subsequently, let us consider the following linear time-invariant state space model for the physical plant S:
$$S: \dot{x} = Ax + Bu + \eta, \quad y = x \tag{1}$$
where $x \in \mathbb{R}^n$ represents the states of the system; $u \in \mathbb{R}^p$ represents the control input obtained from CM; $A \in \mathbb{R}^{n \times n}$ represents the state matrix; $B \in \mathbb{R}^{n \times p}$ is the actuation distribution matrix; $\eta(t) \in \mathbb{R}^n$ represents any unknown input. In this work, we have assumed full state feedback and thus the measurement $y = x$. Our goal in this work is to focus on isolating cyberattack and faults on system actuation only, since it directly affects the system states. This isolation is crucial as cyberattacks on actuation cannot be bypassed, while corrupted sensors can be avoided by implementing sensor redundancies.

Notably, under a cyber-physical setting, the adversary is able to manipulate the actuation channel of the system to launch a cyberattack $\alpha \in \mathbb{R}^p$. Consequently, such cyberattack on the actuation channel is modeled in the control-theoretic framework as an unknown input $\eta = B\alpha$, since the control command passes through the actuation distribution matrix [17]. On the other hand, if there is a fault $f \in \mathbb{R}^{\tilde{q}}$ in the system, then the unknown input $\eta = Ef$, where $E \in \mathbb{R}^{n \times \tilde{q}}$ represents the fault distribution matrix. It is to be noted that such distribution matrix $E$ can be reliably obtained using failure mode and effect analysis and strategies for uncertainty quantification [18]. We present the schematic of our problem framework in Fig. 1.

Fig. 1
The schematic diagram of the problem framework
Assumption 1
In this framework, we assume that these unknown inputs are injected to the system either as cyberattacks or faults but never both simultaneously, since model-based detection-isolation schemes are unable to handle such scenarios due to the inherent ill-posedness of estimating unknown inputs to the system dynamics or measurement. Even though some work on multi-agent systems have considered simultaneous cyberattacks and faults (largely limited to the connection topology), for general CPS systems only transient faults and cyberattacks have been considered simultaneously [9]. Moreover, this assumption ensures that the injected cyberattack is not covert, which can evade detection [4]. We also assume here that the unknown input is bounded such that
$$\|\eta(t)\| < M < \infty, \quad \forall t \tag{2}$$

In the next section, we propose a sliding mode-based diagnostic filter that detects and estimates unknown inputs defined in Eqn. (1).

2.2 Sliding Mode-Based Diagnostic Filter.

In this formulation, the objective of the sliding mode-based DF is to detect and estimate unknown inputs (such as cyberattacks and faults) to the system. The structure of the filter considered here is based on measurement feedback from the system [19,20] and the unknown input η is estimated using an equivalent output error injection term. Let us first present the structure of the sliding mode-based DF as
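$$\mathrm{DF}: \dot{\hat{x}} = A\hat{x} + Bu + L\frac{y - \hat{y}}{\|y - \hat{y}\|}, \quad \hat{y} = \hat{x} \tag{3}$$
where $L \in \mathbb{R}^{n \times n}$ is the filter gain. Next, let us now define the error state as $e := x - \hat{x}$. The error dynamics is then
$$\dot{e} = Ae + \eta - L(x - \hat{x})/\|x - \hat{x}\| \tag{4}$$
For $0 < \tau < 1$, the switching hyperplane and reaching law for the sliding mode-based DF (3) are, respectively,
$$S = \{e \in \mathbb{R}^n : e = 0\}, \quad \tau\dot{S} = e + (\tau - 1)\,\mathrm{sgn}(e) \tag{5}$$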

Convergence of the sliding mode-based diagnostic filter

Proposition 1
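Consider the system given by Eq. (1) and the sliding mode-based DF given by Eq. (3). If there exist positive definite matrices $P \in \mathbb{R}^{n \times n}$ and $Q \in \mathbb{R}^{n \times n}$, and a constant $\gamma > 0$ such that
$$A^TP + PA \le -Q, \quad \text{and} \quad \gamma > \|P\|_F M \tag{6}$$
where $M$ is obtained from Eq. (2) and we choose filter gain $L$ such that $L = \gamma P^{-1}$, then the estimate for the bounded unknown input vector $\eta$ is given by
$$\hat{\eta} = F\big(L(x - \hat{x})/\|x - \hat{x}\|\big) \tag{7}$$
where $F(\cdot)$ is a low-pass filter function and $\eta \approx \hat{\eta}$ in finite time.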
Proof
Let us define a Lyapunov functional $V(e) = e^TPe$, where $P$ is determined by Eq. (6). Taking the time derivative of $V(e)$ and using Eq. (4), we obtain $\dot{V} = e^T(A^TP + PA)e + 2e^TP\eta - 2e^TPL(e/\|e\|)$. With filter gain $L = \gamma P^{-1}$ and using Eq. (6), we obtain
$$\dot{V} \le -e^TQe + 2\|e\|\|P\|_F M - 2\gamma\|e\| \tag{8}$$
Since $-e^TQe < 0$ due to positive definiteness of $Q$, we can write Eq. (8) as $\dot{V} \le 2\|e\|\|P\|_F M - 2\gamma\|e\|$. Considering the fact that $\gamma > \|P\|_F M$, we can write $\dot{V} \le -2\beta^{+}\|e\|$ where $\beta^{+} = (-\|P\|_F M + \gamma) > 0$. From this, and considering Vλmin(P)e2eV/λmin(P), we can further write V˙βV where β=2β+λmin(P)>0. This implies that $e \to 0$ as $t \to T_{\max}$, where $T_{\max} < \infty$ is a finite time [20].

Consequently, after $t > T_{\max}$, Eq. (4) becomes $0 = \eta - L(x - \hat{x})/\|x - \hat{x}\|$, and yields the equivalent output error dynamics [19,20]. Subsequently, we can use this solution to obtain an estimate of the unknown input by passing the output error injection term through a low-pass filter $F(\cdot)$ [19,20]. To achieve the reaching law, the low-pass filter is chosen as $\dot{\hat{\eta}} = -(1/\tau)\hat{\eta} + (1/\tau)\big(L((y - \hat{y})/\|y - \hat{y}\|)\big)$.

3 Distinguishability

Using the sliding mode-based DF from Proposition 1, we use the estimation of the unknown input η(t) for distinguishing between cyberattack and fault. Now, if η is a cyberattack, then η=Bα, i.e., R(B) represents the plausible set of cyberattacks. Similarly, R(E) represents the plausible set of faults. Therefore, the question of distinguishability translates to identifying if η lies in R(B) or R(E). With this intent, we define the following Distinguishability metric.

Distinguishability metric

Definition 1
For an unknown input η ≢ 0, we define a distinguishability metric
$$M(\eta) := \|P_B\eta\|_2 - \|P_E\eta\|_2 \tag{9}$$

In the above definition, $P_B := (I_n - B(B^TB)^{-1}B^T)$, $P_E := (I_n - E(E^TE)^{-1}E^T)$, $\|P_B\eta\|_2$ denotes the minimum distance of $\eta(t)$ from $R(B)$, while $\|P_E\eta\|_2$ denotes the minimum distance of $\eta(t)$ from $R(E)$. Hence, $M$ represents how much closer or further $\eta$ is to the range space of $B$ or $E$. Evidently, positive $M$ implies that the distance of $\eta$ to $R(B)$ is more than the distance of $\eta$ to $R(E)$. Similarly, if $M$ is negative, it implies $\eta$ is closer to $R(B)$. Thus, $M = 0$ for a non-zero $\eta$ implies that the unknown input is equidistant from both $R(B)$ and $R(E)$.

Remark 1

For an arbitrarily accurate estimation of the distribution matrices $B$, $E$, and the unknown input $\eta$, we will have only two scenarios. Either there exists an $\alpha$ such that $\eta - B\alpha \approx 0$, or an $f$ such that $\eta - Ef \approx 0$. This would have unambiguously proven that the unknown input $\eta$ is in fact a cyberattack in the first case and a fault for the second. However, such assumptions are unrealistic for detector performance and due to uncertainties in system model and measurements. Hence, the metric Eq. (9) is defined to obtain the degree of closeness of the unknown input $\eta$ to the space of plausible cyberattacks $R(B)$ and faults $R(E)$. Figure 2 shows the geometric interpretation of the distinguishability metric $M$.

Distinguishability criterion

Theorem 1

Consider the system Eq. (1) with non-zero unknown input $\eta(t)$ and the sliding mode-based DF from Eq. (3). Let us also assume that the DF satisfies conditions provided in Proposition 1. Then this estimated unknown input Eq. (7) is a cyberattack if $M(\hat{\eta}) < 0$ and is a fault if $M(\hat{\eta}) > 0$. Inversely, if $M(\hat{\eta}) = 0$, unknown inputs are indistinguishable as a fault or cyberattack.

Proof

The proof follows from Eq. (9).

Fault-mimicking cyberattacks

Corollary 1

A cyberattack will be indistinguishable from a fault if there exists an $\alpha \in \mathbb{R}^p$ such that $\alpha = B^{\dagger}Ef$ for some $f \in \mathbb{R}^{\tilde{p}}$, and such attacks are called fault-mimicking cyberattacks.

Remark 2

Constrained by the assumption of an uncertain CPS, Theorem 1 provides only a sufficient condition for distinguishability of attacks and faults. Hence, in Corollary 1, we present how the adversary can craft a fault-mimicking or fault-based cyberattack by leveraging this limited system knowledge of the defender. Generally, such attacks are often encountered in power grid or IoT-enabled CPS and Corollary 1 reflects the fundamental limitation of the proposed criteria. To further address the concerns for uncertain CPS, our next theorem introduces a practical guarantee for distinguishability.

Guaranteed practical distinguishability

Theorem 2

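Consider a system with bounded uncertainty where $\hat{\eta} \approx \eta + \varepsilon$. If the error in estimation $\|\varepsilon\|_2$ is bounded by $M_\varepsilon$, then the estimated unknown input $\hat{\eta}$ is a cyberattack if $M(\hat{\eta}) < -\|P_E\|_F M_\varepsilon$ and is a fault if $M(\hat{\eta}) > \|P_B\|_F M_\varepsilon$.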

Proof

Let us consider the case of cyberattack for uncertain CPS, where Eq. (9) yields $M(\hat{\eta}) - \|P_B\varepsilon\|_2 = -\|P_E(\eta + \varepsilon)\|_2 < 0$. Similarly for faulty scenario, we can show $M(\hat{\eta}) + \|P_E\varepsilon\|_2 > 0$. Next, we apply the condition of bounded uncertainty on $\varepsilon$ and remove the overlap between these inequalities to obtain the condition of guaranteed distinguishability.

Fig. 2
Realization of distinguishability metric M using the distance from (a) fault space and (b) attack space

4 Simulation Results

In this section, we illustrate the proposed concepts using simulation studies. The system considered is given as: A=10BTI2,B=[32]T, D=0,andE=[25]T. The unknown input is $\eta = [\eta_1, \eta_2]^T$. For all the case studies in this section, a dynamic input profile is given as input $u$ to the system Eq. (1) (shown in Fig. 3). The observer gain for the sliding mode-based DF Eq. (3) is chosen to be $L = 50I_2$ and the filter gain as $\tau = 0.1$.

Fig. 3
Dynamic input signal u to the system Eq. (1)

In this simulation study, we consider two cases. For case 1, the system is under a physical fault. While for case 2, the system is subjected to a cyberattack. The objective of this case study is to show how the unknown input estimated by the sliding mode-based DF can be successfully identified as either fault or cyberattack using the distinguishability metric and criterion proposed in Eq. (9) and Theorem 1. With this, let us look at the results of the two case studies.

4.1 Case 1: Fault.

For this case, the system is subject to a fault of magnitude f=5(1exp(104t)) and it is manifested to the system as an unknown input $\eta = Ef$. Figure 4 shows that the sliding mode-based DF can estimate this unknown input while starting from arbitrary initial conditions (shown in inset). The estimates of the two components of $\hat{\eta} = [\hat{\eta}_1, \hat{\eta}_2]^T$ match with the true components of the unknown input $\eta = [\eta_1, \eta_2]^T$ (shown in Fig. 4).

Fig. 4
Fault estimated by sliding mode-based DF

The DF also estimates the states of system $\hat{x}_1$ and $\hat{x}_2$, and these estimates match significantly with the true states $x_1$ and $x_2$. We observe in Fig. 5 that $M > 0$ in steady-state, indicating that the unknown input is a fault. We also note here that the distinguishability metric is non-positive for the first 0.2 s (as shown in the inset of Fig. 5). However, this is due to the time needed by the DF in order to converge to the correct estimates of the states and unknown inputs to the system.

Fig. 5
Positive distinguishability metric M denotes the estimated unknown input as fault

4.2 Case 2: Cyberattack.

For this case study, we construct a cyberattack $\alpha$ that can drive the system states to some unintended states $[1,1]$. Using steady-state condition of the system equation (Eq. (1)), we obtain the attack policy to be $\alpha = -B^{\dagger}A[1,1]^T - u$. From Fig. 6, it is evident that the sliding mode-based DF can faithfully estimate the two components of the unknown input $\eta = [\eta_1, \eta_2]^T = B\alpha$. The initial conditions for the unknown inputs are unspecified. Hence, the estimates are initialized arbitrarily. However, the DF converges to correct estimates in the steady-state starting from the arbitrary initial conditions (as shown in the inset of Fig. 6). Subsequently, we calculate the distinguishability metric $M$ from Eq. (9) and plot in Fig. 7. Since $M < 0$, we can conclude from the distinguishability criterion that the unknown input $\eta$ is a cyberattack.

Fig. 6
Cyberattack estimated by sliding mode-based DF
Fig. 7
Negative distinguishability metric M denotes the estimated unknown input as cyberattack
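
The detection chain of Secs. 2.2 and 3 (diagnostic filter of Eq. (3), low-pass estimate of Eq. (7), metric of Eq. (9), and the decision rules of Theorems 1 and 2) can be exercised end to end with the sketch below, which is an added example and not the authors' simulation code. The plant matrices, the sinusoidal input $u$, the constant magnitudes $f = \alpha = 5$, the bound $M_\varepsilon = 1$, and the forward-Euler step are all constructed assumptions chosen so that $P = I_2$ and $\gamma = 50$ satisfy Eq. (6).

```python
import math

# Constructed 2-state plant (illustrative values, not the paper's simulation data).
A = [[-10.0, 0.0], [0.0, -10.0]]
B = [3.0, 2.0]                      # actuation distribution matrix (one actuator)
E = [2.0, 5.0]                      # fault distribution matrix (one fault mode)
GAMMA, TAU, DT = 50.0, 0.1, 1e-4    # filter gain L = GAMMA*I, low-pass constant, Euler step

def complement_projector(b):
    """P = I - b (b^T b)^{-1} b^T, the projector onto the orthogonal complement of R(b)."""
    bb = sum(v * v for v in b)
    return [[(1.0 if i == j else 0.0) - b[i] * b[j] / bb for j in range(2)] for i in range(2)]

def matvec(m, v):
    return [m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1]]

def norm(v):
    return math.sqrt(sum(c * c for c in v))

def fro(m):
    return math.sqrt(sum(c * c for row in m for c in row))

P_B, P_E = complement_projector(B), complement_projector(E)

def metric(eta):
    """Eq. (9): distance of eta from R(B) minus its distance from R(E)."""
    return norm(matvec(P_B, eta)) - norm(matvec(P_E, eta))

def classify(m, m_eps=0.0):
    """Theorem 1 when m_eps == 0; Theorem 2 margins for an estimation error bound m_eps."""
    if m < -fro(P_E) * m_eps:
        return "cyberattack"
    if m > fro(P_B) * m_eps:
        return "fault"
    return "indistinguishable"

def estimate_unknown_input(eta_of_t, t_end=1.0):
    """Euler simulation of plant (1), diagnostic filter (3) and the low-pass filter behind Eq. (7)."""
    x, xh, eta_hat = [1.0, -1.0], [0.0, 0.0], [0.0, 0.0]   # arbitrary initial conditions
    for k in range(int(t_end / DT)):
        t = k * DT
        u = math.sin(2.0 * math.pi * t)                    # assumed control input profile
        eta = eta_of_t(t)
        e = [x[0] - xh[0], x[1] - xh[1]]                   # y - y_hat, with y = x
        n = norm(e)
        # Output error injection L (y - y_hat)/||y - y_hat||; zero if the error is exactly zero.
        v = [GAMMA * c / n for c in e] if n > 0.0 else [0.0, 0.0]
        ax, axh = matvec(A, x), matvec(A, xh)
        x = [x[i] + DT * (ax[i] + B[i] * u + eta[i]) for i in range(2)]
        xh = [xh[i] + DT * (axh[i] + B[i] * u + v[i]) for i in range(2)]
        eta_hat = [eta_hat[i] + DT / TAU * (v[i] - eta_hat[i]) for i in range(2)]
    return eta_hat

def run_case(kind):
    """kind='fault' injects eta = E*f; kind='attack' injects eta = B*alpha (f = alpha = 5)."""
    d = E if kind == "fault" else B
    eta_hat = estimate_unknown_input(lambda t: [5.0 * d[0], 5.0 * d[1]])
    m = metric(eta_hat)
    return m, classify(m, m_eps=1.0)

if __name__ == "__main__":
    for kind in ("fault", "attack"):
        m, label = run_case(kind)
        print(f"{kind:6s} injected -> M = {m:+.2f}, classified as {label}")
```

With these constructed values the exact metric is $55/\sqrt{13} \approx 15.25$ for the fault and $-55/\sqrt{29} \approx -10.21$ for the attack; the simulated estimates differ from these only by the chattering ripple left after the low-pass filter.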

5 Conclusion and Future Work

Distinguishing between the occurrence of faults and cyberattacks in a system is of utmost importance in order to provide appropriate mitigation strategies. In this work, we have proposed a mathematical framework for distinguishing between the two, utilizing a sliding mode-based DF. Using the estimate of the unknown input from DF, we proposed a distinguishability metric and criterion in order to achieve our goal. Finally, we have conducted a set of simulation studies with both faults and cyberattacks to illustrate the validity of our proposed framework. In the future, we intend to extend this work to nonlinear systems and consider different attack types such as denial-of-service, replay attacks, etc., through both control command and sensor measurement.

Conflict of Interest

There are no conflicts of interest.

Data Availability Statement

The datasets generated and supporting the findings of this article are obtainable from the corresponding author upon reasonable request.

References

1. He, H., and Yan, J., 2016, “Cyber-Physical Attacks and Defences in the Smart Grid: A Survey,” IET Cyber-Phys. Syst.: Theory Appl., 1(1), pp. 13–27.
2. Zheng, P., Sang, Z., Zhong, R. Y., Liu, Y., Liu, C., Mubarok, K., Yu, S., and Xu, X., 2018, “Smart Manufacturing Systems for Industry 4.0: Conceptual Framework, Scenarios, and Future Perspectives,” Front. Mech. Eng., 13(2), pp. 137–150.
3. Rawat, D. B., Bajracharya, C., and Yan, G., 2015, “Towards Intelligent Transportation Cyber-Physical Systems: Real-Time Computing and Communications Perspectives,” SoutheastCon 2015, Fort Lauderdale, FL, Apr. 9–12, IEEE, pp. 1–6.
4. Teixeira, A., Shames, I., Sandberg, H., and Johansson, K. H., 2015, “A Secure Control Framework for Resource-Limited Adversaries,” Automatica, 51, pp. 135–148.
5. Safaeipour, H., Forouzanfar, M., and Casavola, A., 2021, “A Survey and Classification of Incipient Fault Diagnosis Approaches,” J. Process Control., 97, pp. 1–16.
6. Rahman, M. S., Pota, H. R., and Hossain, M. J., 2014, “Cyber Vulnerabilities on Agent-Based Smart Grid Protection System,” 2014 IEEE PES General Meeting Conference & Exposition, IEEE, pp. 1–5.
7. Slay, J., and Miller, M., 2007, “Lessons Learned From the Maroochy Water Breach,” International Conference on Critical Infrastructure Protection, Springer, pp. 73–82.
8. Basile, C., Gupta, M., Kalbarczyk, Z., and Iyer, R. K., 2006, “An Approach for Detecting and Distinguishing Errors Versus Attacks in Sensor Networks,” International Conference on Dependable Systems and Networks (DSN'06), IEEE, pp. 473–484.
9. Li, Y., Fang, H., and Chen, J., 2019, “Anomaly Detection and Identification for Multiagent Systems Subjected to Physical Faults and Cyber Attacks,” IEEE Trans. Ind. Electron., 67(11), pp. 9724–9733.
10. Rahman, M. S., Mahmud, M. A., Oo, A. M. T., and Pota, H. R., 2016, “Multi-agent Approach for Enhancing Security of Protection Schemes in Cyber-Physical Energy Systems,” IEEE Trans. Ind. Inform., 13(2), pp. 436–447.
11. Patil, A., Kamuni, V., Sheikh, A., Wagh, S., and Singh, N., 2019, “A Machine Learning Approach to Distinguish Faults and Cyberattacks in Smart Buildings,” 2019 9th International Conference on Power and Energy Systems (ICPES), Perth, Australia, Dec. 10–12, IEEE, pp. 1–6.
12. Farajzadeh-Zanjani, M., Hallaji, E., Razavi-Far, R., Saif, M., and Parvania, M., 2021, “Adversarial Semi-Supervised Learning for Diagnosing Faults and Attacks in Power Grids,” IEEE Trans. Smart Grid, 12(4), pp. 3468–3478.
13. Anwar, A., Mahmood, A. N., and Shah, Z., 2015, “A Data-Driven Approach to Distinguish Cyber-Attacks From Physical Faults in a Smart Grid,” Proceedings of the 24th ACM International on Conference on Information and Knowledge Management, Melbourne Australia, Oct. 18–23, pp. 1811–1814.
14. Tertytchny, G., Nicolaou, N., and Michael, M. K., 2020, “Classifying Network Abnormalities Into Faults and Attacks in IoT-Based Cyber Physical Systems Using Machine Learning,” Microprocess. Microsyst., 77, p. 103121.
15. Bernieri, G., Miciolino, E. E., Pascucci, F., and Setola, R., 2017, “Monitoring System Reaction in Cyber-Physical Testbed Under Cyber-Attacks,” Comput. Electr. Eng., 59, pp. 86–98.
16. Chen, J., and Patton, R. J., 2012, Robust Model-Based Fault Diagnosis for Dynamic Systems, Vol. 3, Springer Science & Business Media, Berlin, Germany.
17. Zhu, Q., Rieger, C., and Başar, T., 2011, “A Hierarchical Security Architecture for Cyber-Physical Systems,” 2011 4th International Symposium on Resilient Control Systems, Boise, ID, Aug. 9–11, IEEE, pp. 15–20.
18. Spreafico, C., Russo, D., and Rizzi, C., 2017, “A State-of-the-Art Review of FMEA/FMECA Including Patents,” Comput. Sci. Rev., 25, pp. 19–28.
19. Edwards, C., Spurgeon, S. K., and Patton, R. J., 2000, “Sliding Mode Observers for Fault Detection and Isolation,” Automatica, 36(4), pp. 541–553.
20. Utkin, V., Guldner, J., and Shi, J., 2017, Sliding Mode Control in Electro-Mechanical Systems, CRC Press, Boca Raton, FL.