This article discusses various aspects of a course on cyber-physical systems (CPS) in the educational programs of defense organizations. CPS are engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components. The article also highlights various objectives of the CPS course. A central challenge to deploying resilient CPSs involves the appreciation for the multi-disciplinary challenges and the lack of a unified framework for CPS analysis, design and implementation. A significant part of the course focuses on a case study in industrial control of a Vinyl Acetate (VAc) chemical plant. The course described herein presents fundamental concepts within the rapidly expanding field of CPS and has been tailored to and is well received by U.S. Naval Academy Systems Engineering senior level engineering students. The U.S. Naval Academy thrust in cyber security studies includes a new major, Cyber Sciences, and construction of a new facility, Hopper Hall, to house the assembled multi-disciplinary teaching and research team.
In response to ever-present cyber threats, the U. S. Naval Academy thrust in cyber security studies includes a new major, Cyber Sciences, and construction of a new facility, Hopper Hall, to house the assembled multi-disciplinary teaching and research team. An essential component of this initiative is Cyber-Physical Systems (CPS) dependability and the security of critical infrastructure and mission-critical systems. To address this need, a new senior-level engineering undergraduate technical elective has been offered and has evolved over the past five years. Key concepts, design, content and teaching experiences are presented herein. Targeted primarily at Systems Engineering majors, this course builds on a foundation of linear control system design and embedded computer hardware/software integration to explore fundamental CPS concepts, attributes and risks. The course contains three primary themes: (1) fundamentals, including the evolution of CPS, including shipboard engineering plants, (2) a simulation-based case study of the dynamic interdependencies associated with cyber intrusions into a vinyl acetate industrial plant control challenge problem and (3) hands-on Controller Area Network (CAN) and CANopen real-time embedded control networks. The long-term objective is to provide an integrative teaching, learning and research environment for multidisciplinary advances targeting the unification of key CPS enabling technologies, including: (1) control theory, (2) computer science, (3) communications, (4) embedded systems and (5) cyber security. The discussion commences with an introduction to CPS concepts and a survey of CPS research needs.
Introduction to Cyber-Physical Systems
As defined by the National Science Foundation, “Cyber-physical systems (CPS) are engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components”. The President's Council of Advisors on Science and Technology assesses that cyber-physical systems “are now a national priority for Federal R&D. Improved methods are needed for the efficient development of these systems. These methods must assure high levels of reliability, safety, security, and usability”. The CPS “scientific and technological importance as well as its potential impact on grand challenges in a number of sectors critical to U.S. security and competitiveness” has been established, along with strategic challenges and driving sectors including: (1) Defense, (2) Energy, (3) Transportation, (4) Manufacturing, (5) Buildings and Infrastructure, and (6) Healthcare. Potentially catastrophic failures of highly vulnerable national infrastructure such as the terrestrial power grid and mission systems could have disastrous consequences.
The editorial by the Editor-in-Chief of the IEEE Transactions on Automatic Control special issue on CPS states that “The control of Cyber-Physical Systems presents enormous challenges and requires approaches drawn from Systems and Control, such as those in traditional control, hybrid control systems, discrete event systems, networked control, and also approaches drawn from Computer Science, such as abstraction and verification, Networks, and many other areas depending on the applications of interest. The large scale and heterogeneity of components in CPS introduce grand research challenges. Robustness, resilience, reliability, safety and security issues for changing and reconfiguring dynamical systems must be addressed and these are novel research areas of great importance. The integration of different technologies and scientific domains presents new and challenging fundamental problems underlying the theoretical foundations for this class of systems”.
Cyber-Physical Systems Research Needs
The Networking and Information Technology Research and Development (NITRD) program identifies the following research needs: “A new systems science is needed to provide unified foundations, models and tools, system capabilities, and architectures that enable innovation in highly dependable cyber-enabled engineered and natural systems. Better understanding of system complexity is also necessary in this research area to aid in improved management and decision support. Specific technical areas for emphasis include:
Unifying foundations for modeling, predicting, and controlling systems that exhibit combined cyber (logical/discrete/digital) and physical (continuous/analog) system behaviors
New approaches for supervisory control of systems that must interact on an ad hoc basis
Scientific and engineering principles, metrics, and standards that integrate the disciplines of real-time embedded systems, control, communications/networking, security, and human-machine interaction
Technology to close the design and productivity gap between modeling, programming, and runtime execution of cyber-physical systems
Principles for reasoning about and actively managing properties of complex, multiscale, real-time cyber-physical system interactions, including safety, security, reliability, and performance
Design methods and systems technology for autonomy, human interaction, and management of control authority
Open systems approaches for composition, integration, and coordination of cyber-physical Systems”.
At the heart of this effort is the search for effective and efficient mathematical formulations, methods and tools that bridge the semantic and temporal gaps between physical and cyber systems. More specifically, time is an essential attribute of the physics-based differential-equation modeling and control synthesis of dynamic systems, wherein time is critical to the correctness of the solution. However, in computer science and communications, discrete mathematical formalisms such as finite state machines predominate, wherein time is typically treated as a measure of responsiveness and is rarely associated with correctness. Embedded systems represent the preliminary fusion of control theory and computer engineering, wherein invariant time steps and bounded latencies enable the application of digital control theory. The emergence of CPS composed of complex computer architectures, operating systems, middleware, communications networks and protocols, and subject to cyber intrusions, requires new hybrid continuous-time and discrete-event-driven mathematical formalisms. The final essential ingredient is the incorporation of cyber security into CPS design, analysis, implementation and maintenance considerations, including: (1) threat modeling, (2) vulnerability analysis and (3) life-cycle cyber security risk management. The key differences between Information Technology (IT) and CPS security are highlighted by the comparison of key attributes in Figure 1.
Operability quantifies the ability to operate throughout specific scenarios including disruptive events. Observability and controllability can be defined from two perspectives:
Using linear control theory 
The aspiration of continuous situational awareness and control authority.
Cyber-Physical Course Objectives
The course is designed for a student population that is primarily composed of multi-disciplinary Systems Engineering majors who have taken:
A first year cyber security course
Second year C/C++ embedded computer hardware software integration and mechatronics courses
Third year courses in linear system analysis, modeling and control design including embedded hardware-in-the-loop experiments
Third year courses in electrical engineering and applications of cyber engineering.
Primary CPS learning objectives are:
Characterize their essential role in critical infrastructure and mission-critical systems
Characterize system and network vulnerabilities, resilience, and behavior under disruptive conditions
Investigate Supervisory Control and Data Acquisition (SCADA) systems and vulnerabilities
Analyze the dynamic interdependence, stability and performance of CPS feedback control systems
Analyze, instrument and quantify performance of Controller Area Network (CAN) based systems including CANopen application layer systems integration and device profiles.
Part 1 – Cyber-Physical Fundamentals
The course fundamentals begin with an assignment to extract key observations from the Peabody Award-winning 60 Minutes “Sabotaging the System” investigation, followed by a literature search to determine the defining attributes of Cyber-Physical Systems. Among a variety of opinions, arguably the best short answer comes from the NSF, which coined the phrase: “Cyber-physical systems (CPS) are engineered systems that are built from and depend upon the synergy of computational and physical components”. Perhaps the most notable variations center on whether the inclusion of networks is an essential or merely pervasive ingredient. An early laboratory small-group exercise has students reallocate engineering and damage control responsibilities for conventional naval vessels under Condition 1 (“battle stations”) to achieve the in-transition Navy crew size reductions of approximately 50%. The central focus of this exercise is to determine the necessary attributes of CPSs that are subjected to temporal and spatial bursts of disruptive events. These attributes lead to the following definitions:
Reliability: Duration or probability of failure-free performance; Mean Time Between Failures (MTBF) (MIL-STD-721C)
Availability: Probability a system is operable and committable for a specific mission (MIL-STD-721C)
Dependability: Ability to operate throughout a distribution of likely disruptive scenarios. In response to an ONR control challenge problem, design-oriented metrics for operability and dependability have been formulated and applied to early trade-space design studies for resilient systems.
A central challenge to deploying resilient CPSs involves the appreciation of the multi-disciplinary challenges and the lack of a unified framework for CPS analysis, design and implementation. At this point, students embark on a two-day in-class exercise to learn from Prof. Edward Lee's excellent recorded presentation, “Cyber-Physical Systems: A Rehash or A New Intellectual Challenge?”. Prof. Lee clearly distinguishes between the properties of mathematical models, such as linearity and determinism, and the properties of actual systems. This divergence between the idealized, nominal system and the actual behavior of CPSs leads to brittle systems with complex and subtle failure modes. Lee identifies four major challenges for CPSs:
Determinate CPS models
Open minds about languages and tools
A semantics of time
A discipline of “model engineering”.
Moving from idealized, nominal systems toward more resilient systems introduces two ways to deal with faults and failures:
Fault-masking systems, which hide faulty behavior, often through redundancy
Fault-recovery systems that incorporate special procedures, such as retrying a failed operation.
These ideas are explored through examples from computer networking, including token-passing rings such as the ANSI X3 family of Fiber Distributed Data Interface (FDDI) network specifications, which support both fault-masking and fault-recovery capabilities. Implementing counter-rotating rings provides redundant data paths for fault masking. Moreover, when links on both rings are disrupted, FDDI network nodes perform fault recovery by constructing a new ring that wraps around the failed segments. FDDI networks provide low-latency communication services with an upper bound specified by the token rotation time. However, token-passing rings such as FDDI have a serious vulnerability: any node or link state change causes the network to shut down and restart. The evolution of Ethernet from a linear bus to a switch-based star topology and the emergence of real-time Ethernet are investigated in various use cases, including industrial control and shipboard machinery control systems.
Part 2 – Cyber-Physical Case Study
A significant part of the course focuses on a case study in industrial control of a Vinyl Acetate (VAc) chemical plant. This chemical control challenge problem's “…process model contains 246 states, 26 manipulated variables, and 43 measurements. Parts of the model, e.g., the azeotropic distillation tower, are highly nonlinear.” The VAc chemical plant is shown pictorially in Figure 2.
As a preliminary investigation, an Internal Model Controller (IMC) is developed for a simplified input-output model of the unstable VAc polymerization reaction. This introduces IMC control, where the stable portion of the process plant is added as a feed-forward term to a conventional Proportional-Integral-Derivative (PID) controller. This exercise helps the students focus on the heart of this complex, dynamically interdependent chemical plant and appreciate the dynamics of a gaseous-phase exothermic process whose reaction rate rises exponentially with temperature.
This problem-based learning project seeks to craft a cyber intrusion that maximizes production degradation while avoiding detection by the plant operators. VAc process control studies provide 26 single-input-single-output control loops, giving a representative closed-loop control system model. The numerically stiff simulation model contains time constants that vary from tens of seconds to days. A MathWorks MATLAB Simulink simulation-based wrapper around the MATLAB and C simulation developed by the “Damn Vulnerable Chemical Plant” (DVCP) initiative provides a rich environment for simulating cyber intrusions. In particular, the Simulink interface provides facilities to:
Change control set points
Insert false sensor data
Insert false controller commands
Modify the feedback controllers.
Initial experiments, in which the process disturbances introduced in Table 1 were applied subject to the itemized constraints, were simulated as 12-hour scenarios.
These initial studies provided two interesting results:
Insight into the dynamic interdependencies within the VAc production process
Forensic investigations as to why three of the simulations crashed.
For example, the time histories associated with the third disturbance, loss of fresh HAc (Acetic Acid) feed stream, are shown in Figure 3. Note that the HAc tank level controller progressively requests increased HAc in feed. When the HAc tank is depleted after approximately 31.4 minutes, the simulation predicts a negative fluid level and is no longer mathematically valid. These observations reinforce Edward Lee's distinction between the behavior of mathematical models and real systems.
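The wrapper facilities listed above and the negative-level finding can be reproduced in miniature. The Python script below is an added example, not the course's Simulink wrapper or the DVCP code: it models a single feed tank with a PI level controller (tank area, downstream demand, valve capacity, gains and the residual threshold are all constructed values), exposes the set point, the controller gains, a loss-of-supply time and a false-sensor-bias time as hooks, stops with an "invalid" status the moment the model predicts a negative level, and runs a mass-balance residual check that flags sensor values inconsistent with the commanded feed.

```python
"""Tank-level control loop with intervention hooks and a validity guard.
Added example with constructed constants; not the course's Simulink wrapper
or the DVCP plant model."""

AREA = 1.0            # m^2, tank cross-section (constructed)
DEMAND = 0.5          # m^3/min, steady downstream draw from the tank (constructed)
VALVE_MAX = 2.0       # m^3/min, feed valve capacity (constructed)
DT = 0.1              # min, integration step
RESIDUAL_LIMIT = 0.1  # m, per-step mass-balance mismatch that raises an alarm


def simulate(duration=60.0, setpoint=1.0, kp=1.0, ki=0.1,
             supply_loss_at=None, sensor_bias_at=None, sensor_bias=0.3):
    """Run the loop and return the final state plus any residual alarms.

    Hooks (mirroring the kinds of facility the course wrapper exposes):
      setpoint / kp / ki   -> change the set point or modify the controller
      supply_loss_at (min) -> fresh feed is unavailable from this time on
      sensor_bias_at (min) -> the level sensor reports level + sensor_bias
    """
    n_steps = round(duration / DT)
    n_loss = None if supply_loss_at is None else round(supply_loss_at / DT)
    n_bias = None if sensor_bias_at is None else round(sensor_bias_at / DT)

    level = setpoint          # true liquid level, m
    integral = 0.0            # PI integrator state
    prev_reported = None      # previous sensor value, for the residual check
    prev_q_cmd = 0.0
    alarms = []               # times (min) at which the residual check fired

    for step in range(n_steps):
        t = step * DT
        # Sensor path: the controller only ever sees `reported`.
        reported = level
        if n_bias is not None and step >= n_bias:
            reported += sensor_bias

        # Mass-balance residual: the level change the last command should
        # have produced versus the change the sensor actually reported.
        if prev_reported is not None:
            predicted = prev_reported + (prev_q_cmd - DEMAND) / AREA * DT
            if abs(reported - predicted) > RESIDUAL_LIMIT:
                alarms.append(t)

        # PI controller acting on the reported level, with valve saturation.
        err = setpoint - reported
        integral += err * DT
        q_cmd = min(max(kp * err + ki * integral, 0.0), VALVE_MAX)

        # Physics: the valve delivers the command only while supply exists.
        q_actual = 0.0 if (n_loss is not None and step >= n_loss) else q_cmd
        level = level + (q_actual - DEMAND) / AREA * DT

        # Validity guard: a negative level means the model, not the tank, has
        # failed; stop rather than keep integrating a meaningless state.
        if level < 0.0:
            return {"status": "invalid_negative_level", "t_stop": t + DT,
                    "level": level, "reported": reported, "alarms": alarms}

        prev_reported, prev_q_cmd = reported, q_cmd

    return {"status": "ok", "t_stop": n_steps * DT,
            "level": level, "reported": reported, "alarms": alarms}


if __name__ == "__main__":
    for name, kwargs in [("nominal", {}),
                         ("loss of feed at 20 min", {"supply_loss_at": 20.0}),
                         ("sensor bias from 20 min", {"sensor_bias_at": 20.0})]:
        r = simulate(**kwargs)
        print(f"{name:26s} {r['status']:23s} t_stop={r['t_stop']:5.1f} "
              f"level={r['level']:7.3f} alarms={r['alarms']}")
```

In the loss-of-feed run the controller opens the valve further and further while the level falls at the full demand rate, and the guard stops the run shortly after 21 minutes instead of reporting a negative level as if it were a physical state. In the sensor-bias run the residual check fires exactly once, at the instant the bias appears, because a step in the reported level has no matching change in commanded feed; after that the biased sensor is self-consistent and the true level settles 0.3 m below the set point while the operator display shows the set point. The loss-of-feed run also trips the residual check once the wound-up command exceeds 1 m^3/min, since feed that was requested never shows up in the level.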
The VAc polymerization process is very sensitive to the concentration of oxygen. The upper plot of Figure 4 highlights the response to the injection of false O2 feed-rate commands, shown as a dashed line, compared with the controller's response: an initial proportional-gain action followed by integral-gain requests for an increased supply of O2. The lower plot of Figure 4 shows the rapid response in reactor exit flow rate. Note the overshoot in both the controller response and the exit flow rate once control authority is regained.
Eventually, a variety of simulated cyber-attacks were performed as summarized in Table 2.
Part 3 – Controller Area Networks
Controller Area Networks provide an appropriate “fieldbus” for implementing real-time embedded microcontroller systems for a wide range of applications including the transportation, manufacturing and energy sectors. As shown in Figure 5, CANopen is one of several application layers which build on CAN physical and data link layers.
CAN provides a low-latency, lightweight message delivery mechanism for small data packets in which the highest-priority message is granted first access to the data bus. All nodes remain bit-synchronized, allowing on-the-fly bus arbitration, error detection and message acknowledgement. CAN coverage begins with low-level topics including: data frame format, dominant and recessive bus state signaling, signal propagation, characteristic impedance, cable termination and cyclic redundancy checks. Graphics, animation and captured waveforms are used to reinforce these topics. Modern microcontrollers typically include a pair of CAN interfaces as part of their internal peripheral device suite.
Once the CAN low-level concepts are established, the CANopen application layer is added for hardware-in-the-loop experimentation. CANopen Magic from the Embedded Systems Academy is used for rapid prototyping, network system integration, network management and logging through a rich Graphical User Interface (GUI). The Microsoft Windows-based CANopen Magic computers are networked to pre-programmed Peak PCAN-MicroMod Evaluation Kits, shown in Figure 6.
The MicroMod device is pre-programmed to conform to the CAN in Automation CiA DS-401 generic I/O device profile. Therefore, once the students complete the physical connections and the accompanying MicroMod electronic data sheet is loaded, CANopen Magic is ready to manage, configure, interact with and control the MicroMod field device. Table 3 identifies the MicroMod DS-401 generic I/O functions, where Transmit Process Data Objects (TPDOs) are produced by the MicroMod and Receive Process Data Object (RPDO) commands are sent to the MicroMod.
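As an added example (not code from the course, CANopen Magic or the MicroMod firmware), the following Python reproduces three of the low-level mechanisms covered above in software: bit-wise arbitration on the 11-bit identifier, the CAN CRC-15 computed with the shift-register procedure from the CAN specification, and the split of a CANopen COB-ID into function code and node-id according to the predefined connection set. The identifiers and payload in the usage section are constructed.

```python
"""CAN/CANopen frame basics: bus arbitration, CRC-15 and COB-ID decoding.
Added example; not code from the course, CANopen Magic or the MicroMod."""

CRC15_POLY = 0x4599   # x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1
ID_BITS = 11          # standard (base) CAN identifier length


def arbitration_winner(ids):
    """Identifier that wins arbitration when these nodes start transmitting
    simultaneously. Bits go out MSB first; a dominant 0 overwrites a
    recessive 1, so a node that sends 1 and reads back 0 drops out. The
    survivor is the numerically lowest identifier."""
    contenders = list(ids)
    for bit in range(ID_BITS - 1, -1, -1):
        if any(not (i >> bit) & 1 for i in contenders):
            contenders = [i for i in contenders if not (i >> bit) & 1]
    if len(set(contenders)) != 1:
        raise ValueError("two nodes may not share an identifier")
    return contenders[0]


def can_crc15(bits):
    """CRC-15 over frame bits from SOF through the last data bit (before
    bit stuffing): register starts at 0, no final XOR, as in the CAN spec."""
    crc = 0
    for bit in bits:
        feedback = bit ^ ((crc >> 14) & 1)
        crc = (crc << 1) & 0x7FFF
        if feedback:
            crc ^= CRC15_POLY
    return crc


def int_to_bits(value, width):
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def frame_bits(can_id, data):
    """Bits of a standard data frame up to the CRC field: SOF, 11-bit ID,
    RTR, IDE, r0, 4-bit DLC and the data bytes, MSB first."""
    bits = [0]                       # SOF is dominant
    bits += int_to_bits(can_id, ID_BITS)
    bits += [0, 0, 0]                # RTR=0 (data frame), IDE=0 (standard), r0
    bits += int_to_bits(len(data), 4)
    for byte in data:
        bits += int_to_bits(byte, 8)
    return bits


# CANopen predefined connection set: COB-ID = function code (4 bits) << 7 | node-id.
FUNCTION_CODES = {0: "NMT", 2: "TIME", 3: "TPDO1", 4: "RPDO1", 5: "TPDO2",
                  6: "RPDO2", 7: "TPDO3", 8: "RPDO3", 9: "TPDO4", 10: "RPDO4",
                  11: "SDO_TX", 12: "SDO_RX", 14: "HEARTBEAT"}


def decode_cob_id(cob_id):
    """Return (service, node_id) for an 11-bit COB-ID."""
    fc, node = cob_id >> 7, cob_id & 0x7F
    if fc == 1:                      # 0x080 is SYNC, 0x081..0x0FF are EMCY
        return ("SYNC", 0) if node == 0 else ("EMCY", node)
    return FUNCTION_CODES.get(fc, "UNKNOWN"), node


if __name__ == "__main__":
    # Constructed contention: node 1's TPDO1, SYNC and node 2's heartbeat.
    print("arbitration winner:", hex(arbitration_winner([0x181, 0x080, 0x702])))
    bits = frame_bits(0x181, b"\x12\x34")          # constructed payload
    crc = can_crc15(bits)
    print(f"CRC-15 of TPDO1 frame: {crc:#06x}, receiver check ->",
          can_crc15(bits + int_to_bits(crc, 15)))
    for cob in (0x000, 0x080, 0x181, 0x201, 0x601, 0x702):
        print(f"{cob:#05x} -> {decode_cob_id(cob)}")
```

The receiver-side check works because the register value after processing the frame bits is the remainder of the frame polynomial times x^15 modulo the CRC polynomial; feeding the frame bits followed by that 15-bit remainder through the same register therefore leaves zero, which is what a CAN controller verifies before acknowledging a frame.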
Once the CANopen control networks are operational and the students have acclimated to the new concepts and the rich CANopen Magic GUI, DC motors are interfaced to the MicroMod devices through motor driver and velocity measurement electronics. Initially the CANopen Magic GUI is used to send open-loop PWM motor commands to the MicroMod and provide a graphical display of motor performance.
Next, the mbed device is programmed to automatically send PWM motor commands using the same message format as previously demonstrated in CANopen Magic. The laboratory apparatus is then ready for various Cyber-Physical Systems experiments, including:
mbed-in-the-middle attacks, where the mbed intercepts PWM commands from CANopen Magic and reverses the duty-cycle commands to the MicroMod and the motor speed messages from the MicroMod.
PI motor closed-loop control commanded and monitored by CANopen Magic.
Red-on-blue competitions between CANopen network managers and CAN intruders. A sample CANopen Magic PI motor closed-loop control GUI screenshot is included as Figure 8.
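For the blue side of the mbed-in-the-middle and red-on-blue exercises, a passive bus monitor that checks the timing and plausibility of periodic PDO traffic is a natural first defense: a PDO that the device transmits on a fixed event timer cannot legitimately show up twice in half a period, and a speed reading cannot legitimately jump by most of its range between consecutive samples. The Python below is an added example (not code from the course, CANopen Magic or the MicroMod); the COB-ID, the 100 ms period, the plausible-step limit and the logged frames are all constructed, and a real deployment would take the period from the device's PDO configuration.

```python
"""Passive monitor for periodic CANopen PDO traffic. Added example with a
constructed frame log; not code from the course, CANopen Magic or the MicroMod."""

# Expected transmit period (ms) of monitored TPDOs, keyed by COB-ID
# (constructed: node 1's TPDO1 carries the motor speed byte every 100 ms).
EXPECTED_PERIOD_MS = {0x181: 100}
# Largest plausible change of the speed byte between consecutive periods (constructed).
MAX_STEP = {0x181: 16}
EARLY_FRACTION = 0.5   # a frame arriving before half the period is suspicious


def monitor(frames, periods=EXPECTED_PERIOD_MS, max_step=MAX_STEP):
    """frames: iterable of (t_ms, cob_id, data: bytes) in bus order.
    Returns a list of (t_ms, cob_id, reason) findings. A flagged frame is
    not adopted as the new baseline, so the next genuine frame is judged
    against the last accepted one rather than against the intruder's."""
    last_t, last_val = {}, {}
    findings = []
    for t, cob_id, data in frames:
        period = periods.get(cob_id)
        if period is None or not data:
            continue                    # not a monitored periodic PDO
        value = data[0]
        reasons = []
        if cob_id in last_t and t - last_t[cob_id] < EARLY_FRACTION * period:
            reasons.append(f"early: {t - last_t[cob_id]} ms since last accepted frame")
        if cob_id in last_val and abs(value - last_val[cob_id]) > max_step[cob_id]:
            reasons.append(f"implausible jump: {last_val[cob_id]:#04x} -> {value:#04x}")
        if reasons:
            findings.extend((t, cob_id, r) for r in reasons)
        else:
            last_t[cob_id], last_val[cob_id] = t, value
    return findings


# Constructed log: steady motor speed reports plus one frame, at 240 ms, that
# carries a reversed speed value and breaks the 100 ms cadence.
SAMPLE_FRAMES = [
    (0,   0x181, b"\x40"),
    (100, 0x181, b"\x42"),
    (200, 0x181, b"\x44"),
    (240, 0x181, b"\xbb"),   # not from the MicroMod
    (300, 0x181, b"\x46"),
    (350, 0x201, b"\x80"),   # RPDO1 command to node 1; not period-monitored
    (400, 0x181, b"\x48"),
]


def run_sample():
    return monitor(SAMPLE_FRAMES)


if __name__ == "__main__":
    for t, cob_id, reason in run_sample():
        print(f"t={t:4d} ms  COB-ID {cob_id:#05x}  {reason}")
```

Both checks are deliberately simple and stateless beyond the last accepted frame, which is what makes them cheap enough to run on the same class of microcontroller used in the lab; a production monitor would learn each PDO's period from observed traffic during a clean baseline window instead of hard-coding it.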
The course described herein presents fundamental concepts within the rapidly expanding field of Cyber-Physical Systems and has been tailored to, and is well received by, U. S. Naval Academy Systems Engineering senior-level engineering students. For more information, contact the author at firstname.lastname@example.org.
The Cyber-Physical Systems research and pedagogical developments described herein were made possible through the long-term support of the Office of Naval Research and the U. S. Naval Academy. Former Assistant Research Professor Yonggon Lee assisted with the development of the CANopen hardware and software prototyping environment. The assistance of Joe Bradshaw and his Technical Support Division team is also gratefully acknowledged.