Lyapunov-Based Economic Model Predictive Control for Detecting and Handling Actuator and Simultaneous Sensor/Actuator Cyberattacks on Process Control Systems

Abstract

The controllers for a cyber-physical system may be impacted by sensor measurement cyberattacks, actuator signal cyberattacks, or both types of attacks. Prior work in our group has developed a theory for handling cyberattacks on process sensors. However, sensor and actuator cyberattacks have a different character from one another. Specifically, sensor measurement attacks prevent proper inputs from being applied to the process by manipulating the measurements that the controller receives, so that the control law plays a role in the impact of a given sensor measurement cyberattack on a process. In contrast, actuator signal attacks prevent proper inputs from being applied to a process by bypassing the control law to cause the actuators to apply undesirable control actions. Despite these differences, this manuscript shows that we can extend and combine strategies for handling sensor cyberattacks from our prior work to handle attacks on actuators and to handle cases where sensor and actuator attacks occur at the same time. These strategies for cyberattack-handling and detection are based on the Lyapunov-based economic model predictive control (LEMPC) and nonlinear systems theory. We first review our prior work on sensor measurement cyberattacks, providing several new insights regarding the methods. We then discuss how those methods can be extended to handle attacks on actuator signals and then how the strategies for handling sensor and actuator attacks individually can be combined to produce a strategy that is able to guarantee safety when attacks are not detected, even if both types of attacks are occurring at once. We also demonstrate that the other combinations of the sensor and actuator attack-handling strategies cannot achieve this same effect. Subsequently, we provide a mathematical characterization of the “discoverability” of cyberattacks that enables us to consider the various strategies for cyberattack detection presented in a more general context. We conclude by presenting a reactor example that showcases the aspects of designing LEMPC.

1 Introduction

Cyber-physical systems (CPSs) integrate various physical processes with computer and communication infrastructures, which allows enhanced process monitoring and control. Although CPSs open new avenues for advanced manufacturing (Davis et al., 2015) in terms of increased production efficiency, the quality of the production, and cost reduction, this integration also opens these systems to malicious cyberattacks that can exploit vulnerable communication channels between the different layers of the system. In addition to process and network cybersecurity concerns, data collection devices such as sensors and final control elements such as actuators (and signals to or from them) are also potential candidates that can be subject to cyberattacks (Tuptuk and Hailes, 2018). Sophisticated and malicious cyberattacks may affect industrial profits and even pose a threat to the safety of individuals working on site, which motivates attack-handling strategies that are geared toward providing safety assurances for autonomous systems.

There exist multiple points of susceptibility in a CPS framework ranging from communication networks and protocols to sensor measurement and control signal transmission, requiring the development of appropriate control and detection techniques to tackle such cybersecurity challenges (Pasqualetti et al., 2013). To better understand these concerns, vulnerability identification (Ani et al., 2017) has been studied by combining people, process, and technology perspectives. A process engineering-oriented overview of different attack events has been discussed in Setola et al. (2019) to illustrate the impacts on industrial control system platforms. In order to address concerns related to control components, resilient control designs based on state estimates have been proposed for detecting and preventing attacks in works such as Ding et al. (2020) and Cárdenas et al. (2011), wherein the latter cyberattack-resilient control frameworks compare state estimates based on models of the physical process and state measurements to detect cyberattacks. Ye and Luo (2019) address a scenario where actuator faults and cyberattacks on sensors or actuators occur simultaneously by using a control policy based on the Lyapunov theory and adaptation and Nussbaum-type functions.

Cybersecurity-related studies have also been carried out in the context of model-predictive control (MPC; Qin and Badgwell, 2003), an optimization-based control methodology that computes optimal control actions to a process. Specifically, for nonlinear systems, Durand (2018) investigated various MPC techniques with economics-based objective functions [known as economic model predictive controllers (EMPCs) (Ellis et al., 2014a; Rawlings et al., 2012)] when only false sensor measurements are considered. Chen et al. (2020) integrated a neural network-based attack detection approach initially proposed in Wu et al. (2018) with a two-fold control structure, in which the upper layer is a Lyapunov-based MPC designed to ensure closed-loop stability after attacks are flagged. A methodology that may be incorporated as a criterion for EMPC design has been proposed in Narasimhan et al. (2021), in which a control parameter screening based on a residual-based attack detection scheme classifies multiplicative sensor-controller attacks on a process as “detectable,” “undetectable,” and “potentially detectable” under certain conditions. In addition, a general description of “cyberattack discoverability” (i.e., a certain system’s capability to detect attacks) without a rigorous mathematical formalism has been addressed in Oyama et al. (2021).

Prior work in our group has explored the interaction between cyberattack detection strategies, MPC/EMPC design, and stability guarantees. In particular, our prior works have primarily focused on studying and developing control/detection mechanisms for scenarios in which either actuators or sensors are attacked (Oyama and Durand, 2020; Rangan et al., 2021; Oyama et al., 2021; Durand and Wegener, 2020). For example, Oyama and Durand (2020) proposed three cyberattack detection concepts that are integrated with the control framework Lyapunov-based EMPC (Heidarinejad et al., 2012a). Advancing this work, Rangan et al. (2021) and Oyama et al. (2021) proposed ways to consider cyberattack detection strategies and the challenges in cyberattack-handling for nonlinear processes whose dynamics change with time. In the present manuscript, we extend our prior work (which covered sensor measurement cyberattack-handling with control-theoretic guarantees and actuator cyberattack-handling without guarantees) to develop strategies for maintaining safety when actuator attacks are not detected (assuming that no attack occurs on the sensors). These strategies are inspired by the first detection concept in Oyama and Durand (2020) but with a modified implementation strategy to guarantee that even when an undetected actuator attack occurs, the state measurement and actual closed-loop state are maintained inside a safe region of operation throughout the next sampling period.

The primary challenge addressed by this work is the question of how to develop an LEMPC-based strategy for handling sensor and actuator cyberattacks occurring at once. The reason that this is a challenge is that some of the concepts discussed for handling sensor and actuator cyberattacks only work if the other (sensors or actuators) is not under an attack. A major contribution of the present manuscript, therefore, is elucidating which sensor and actuator attack-handling methods can be combined to provide safety in the presence of undetected attacks, even if both undetected sensor and actuator attacks are occurring at the same time. To cast this discussion in a broader framework, we also present a nonlinear systems definition of cyberattack “discoverability,” which provides fundamental insights into how attacks can fly under the radar of detection policies. Finally, we elucidate the properties of cyberattack-handling using LEMPC through simulation studies.

The manuscript is organized as follows: following some preliminaries that clarify the class of systems under consideration and the control design (LEMPC) from which the cyberattack detection and handling concepts presented in this work are derived, we review the sensor measurement cyberattack detection and handling policies from Oyama and Durand (2020), which form the basis for the development of the actuator signal cyberattack-handling and combined sensor/actuator cyberattack-handling policies subsequently developed. Subsequently, we propose strategies for detecting and handling cyberattacks on process actuators when the sensor measurements remain intact that are able to maintain safety even when actuator cyberattacks are undetected. We then utilize the insights and developments of the prior sections to clarify which sensor and actuator attack-handling policies can be combined to achieve safety in the presence of combined sensor and actuator cyberattacks. We demonstrate that there are combinations of methods that can guarantee safety in the presence of undetected attacks, even if these attacks occur on both sensors and actuators at the same time (though the other combinations of the discussed methods cannot achieve this). Further insights on the interactions between the detection strategies and control policies for nonlinear systems are presented via a fundamental nonlinear systems definition of discoverability. The work is concluded with a reactor study that probes the question of the practicality of the design of control systems that meet the theoretical guarantees for achieving cyberattack-resilience.

2 Preliminaries

2.1 Notation

The Euclidean norm of a vector is indicated by |⋅|, and the transpose of a vector x is denoted by x^T. A continuous function α: [0, a) → [0, ∞) is said to be of class if it is strictly increasing and α(0) = 0. Set subtraction is designated by x ∈ A/B ≔ {x ∈ Rⁿ : x ∈ A, x∉B}. Finally, a level set of a positive definite function V is denoted by Ω_ρ ≔ {x ∈ Rⁿ : V(x) ≤ ρ}.

2.2 Class of Systems

This work considers the following class of nonlinear systems:where x ∈ X ⊂ Rⁿ and w ∈ W ⊂ R^z (W≔{w ∈ R^z | |w| ≤ θ_w, θ_w > 0}) are the state and disturbance vectors, respectively. The input vector function u ∈ U ⊂ R^m, where U≔{u ∈ R^m| |u| ≤ u^max}. f is locally Lipschitz on X × U × W, and we consider that the “nominal” system of Eq. 1 (w ≡ 0) is stabilizable such that there exist an asymptotically stabilizing feedback control law h(x), a sufficiently smooth Lyapunov function V, and class functions α_i(⋅), i = 1, 2, 3, 4, where∀ x ∈ D ⊂ Rⁿ (D is an open neighborhood of the origin). We define Ω_ρ ⊂ D to be the stability region of the nominal closed-loop system under the controller h(x) and require that it be chosen such that x ∈ X, ∀x ∈ Ω_ρ. Furthermore, we consider that h(x) satisfies the following equation:for all , with L_h > 0, where is the i-th component of h.

Since f is locally Lipschitz and V(x) is a sufficiently smooth function, the following holds:∀x₁, x₂ ∈ Ω_ρ, u, u₁, u₂ ∈ U and w ∈ W, where , , L_u, and M_f are positive constants.

We also assume that there are M sets of measurements , i = 1, … , M, available at t_k as follows:where k_i is a vector-valued function, and v_i represents the measurement noise associated with the measurements y_i. We assume that the measurement noise is bounded (i.e., ) and that measurements of each y_i are continuously available. For each of the M sets of measurements, we assume that there exists a deterministic observer [e.g., a high-gain observer Ahrens and Khalil (2009)] described by the following dynamic equation:where z_i is the estimate of the process state from the i-th observer, i = 1, … , M, F_i is a vector-valued function, and ϵ_i > 0. When a controller h(z_i) with Eq. 7 is used to control the closed-loop system of Eq. 1, we consider that Assumption 1 and Assumption 2 below hold.

3 Economic Model Predictive Control

EMPC Ellis et al. (2014a) is an optimization-based control design for which the control actions are computed via the following optimization problem:where N is called the prediction horizon, and u(t) is a piecewise-constant input trajectory with N pieces, where each piece is held constant for a sampling period with time length Δ. The economics-based stage cost L_e of Eq. 8a is evaluated throughout the prediction horizon using the future predictions of the process state from the model of Eq. 8b (the nominal model of Eq. 1) initialized from the state measurement at t_k (Eq. 8c). The process constraints of Eq. 8d, Eq. 8e are state and input constraints, respectively. A receding or moving horizon implementation strategy is employed, i.e., the optimization problem is solved every Δ time units (at each sampling time t_k) such that the first of the N pieces of the input vector trajectory that is the optimal solution is applied to the process. The optimal solution at t_k is denoted by u∗(t_i|t_k), where i = k, … , k + N−1.

Additional constraints that can be added to the formulation in Eq. 8 to produce a formulation of EMPC that takes advantage of the Lyapunov-based controller h(⋅), called Lyapunov-based EMPC [LEMPC Heidarinejad et al. (2012a)], are as follows:where is a subset of the stability region that makes Ω_ρ forward invariant under the controller of Eqs 8–9.

4 Cyberattack Detection and Control Strategies Using LEMPC Under Single Attack-Type Scenarios: Sensor Attacks

The major goal of this work is to extend the strategies for LEMPC-based sensor measurement cyberattack detection and handling from Oyama and Durand (2020) to handle actuator attacks and simultaneous sensor measurement and actuator attacks. For the clarity of this discussion, we first review the three cyberattack detection mechanisms from Oyama and Durand (2020).

This section therefore considers a single attack-type scenario (i.e., only the sensor readings are impacted by attacks). The first control/detection strategy proposed in Oyama and Durand (2020) switches between a full-state feedback LEMPC and variations on that control design that are randomly generated over time to probe for cyberattacks by evaluating state trajectories for which it is theoretically known that a Lyapunov function must decrease between subsequent sampling times. The second control/detection strategy also uses full-state feedback LEMPC, but the detection is achieved by evaluating the state predictions based on the current and prior state measurements to flag an attack while maintaining the closed-loop state within a predefined safe region over one sampling period after an undetected attack is applied. The third control/detection strategy was developed using output feedback LEMPC, and the detection is attained by checking among multiple redundant state estimates to flag that an attack is happening when the state estimates do not agree while still ensuring closed-loop stability under sufficient conditions (which include the assumption that at least one of the estimators cannot be affected by the attack). In addition to reviewing the key features of this design, this section will provide several clarifications that were not provided in Oyama and Durand (2020) to enable us to build upon these methods in future sections.

4.1 Control/Detection Strategy 1-S Using LEMPC in the Presence of Sensor Attacks

The control/detection strategy 1-S, which corresponds to the first detection concept proposed in Oyama and Durand (2020), uses full-state feedback LEMPC as the baseline controller and randomly develops other LEMPC formulations with Eq. 9b always activated that are used in place of the baseline controller for short periods of time to potentially detect if an attack is occurring. We define specific times at which the switching between the baseline 1-LEMPC and the j-th LEMPC, j > 1, happens. Particularly, t_s,j is defined as the switching time at which the j-LEMPC is used to drive the closed-loop state to the randomly generated j-th steady-state, and t_e,j is the time at which the j-LEMPC switches back to operation under the 1-LEMPC.

The baseline 1-LEMPC is formulated as follows, which is used if t_e,j−1 ≤ t < t_s,j, j = 2, … , where t_e,1 = 0:where x₁(t_k) is used, with a slight abuse of the notation, to reflect the state measurement in a deviation variable form from the operating steady state. In addition, in the remainder of this work, f_i (i ≥ 1) represents the right-hand side of Eq. 1 when it is written in a deviation variable form from the i-th steady state. u_i represents the input vector in a deviation variable form from the steady-state input associated with the i-th steady state. X_i and U_i correspond to the state and input constraint sets in a deviation variable form from the i-th steady state. In addition, ρ_i and are associated with the i-th steady state. The addition of a subscript i to the functions in Eq. 2 (to form h_i, V_i, and α_j,i, j = 1, 2, 3, 4) or M_f also signifies association with the i-th steady state.

The j-th LEMPC, j > 1, which is used for t ∈ [t_s,j, t_e,j), is formulated as follows:where x_j(t_k) represents the state measurement in a deviation variable form from the j-th steady state.

The first theorem presented in Oyama and Durand (2020) and replicated below guarantees the closed-loop stability of the process of Eq. 1 under the LEMPCs of Eqs 10–11 under the implementation strategy described above in the absence of sensor cyberattacks. To follow this and the other theorems that will be presented in this work, the impacts of bounded measurement noise and disturbances on the process state trajectory are characterized in Proposition 1 below, and the bound on the value of the Lyapunov function at different points in the stability region is defined in Proposition 2.

4.2 Control/Detection Strategy 2-S Using LEMPC in the Presence of Sensor Attacks

The second theorem presented in Oyama and Durand (2020), which is replicated below, guarantees the closed-loop stability of the process of Eq. 1 under the 1-LEMPC of Eq. 10 under the implementation strategy described above before a sensor attack occurs and for at least one sampling period after the attack.

4.3 Control/Detection Strategy 3-S Using LEMPC in the Presence of Sensor Attacks

The Detection Strategy 3-S, which corresponds to the third detection concept proposed in Oyama and Durand (2020), utilizes multiple redundant state estimators (where we assume that not all of them are impacted by the false sensor measurements) integrated with an output feedback LEMPC and ensures that the closed-loop state is maintained in a safe region of operation for all the times that no attacks are detected. The output feedback LEMPC designed for this detection strategy receives a state estimate z₁ from one of the redundant state estimators (the estimator used to provide state estimates to the LEMPC will be denoted as the i = 1 estimator) at t_k, where the notation follows that of Eq. 10 with Eq. 10c replaced by (we will subsequently refer to this LEMPC as the output feedback LEMPC of Eq. 10).

Detection Strategy 3-S guarantees that any cyberattacks that would drive the closed-loop state out of will be detected before this occurs. It flags cyberattacks by evaluating the norm of the difference between state estimates. If this norm is above a threshold, which represents “normal” process behavior, the control system is recognized as under a potential sensor attack. To determine a threshold, Oyama and Durand (2020) designed the following bound:for all i ≠ j, i = 1, … , M, j = 1, … , M, as long as t ≥ t_q = max{t_b1, … , t_bM}. Therefore, abnormal behavior can be detected if if t_k > t_q (this avoids false detections).

The worst-case difference between the state estimate used by the output feedback LEMPC of Eq. 10 and the actual value of the process state under the implementation strategy above when an attack is not flagged is described in Proposition 3.

5 Cyberattack Detection and Control Strategies Using LEMPC Under Single Attack-Type Scenarios: Actuator Attacks

The methods described above from Oyama and Durand (2020) were developed for handling cyberattacks on process sensor measurements. In such a case, the actuators receive the signals that the controller calculated, but the signal that the controller calculated is not appropriate for the actual process state. This requires the methods to, in a sense, rely on the control actions to show that the sensor measurements are not correct. In contrast, when an attack occurs on the actuator signal, the controller no longer plays a role in which signal the actuators receive. This means that the sensor measurements must be used to show that the control actions are not correct. This difference raises the question of whether the three detection strategies of the prior section can handle actuator attacks or not. This section therefore seeks to address the question of whether it is trivial to utilize the sensor attack-handling techniques from Oyama and Durand (2020) for handling actuator attacks, or if there are further considerations.

We begin by considering the direct extension of all three methods, in which Detection Strategies 1-S, 2-S, and 3-S are utilized in a case where the sensor measurements are intact but the actuators are attacked. In this work, actuator output attacks will be considered to happen when 1) the code in the controller has been attacked and reformulated so that it no longer computes the control action according to an established control law; 2) the control action computed by a controller is replaced by a rogue control signal; or 3) a control action is received by the actuator but subsequently modified at the actuator itself.

When Detection Strategy 1-S is utilized but the actuators are attacked, then at random times, it is intended to utilize the j-LEMPC (however, because of the attack, the control actions from the j-LEMPC are not applied). For an actuator attacker to fly under the radar of the detection strategy, the attacker would need to force a net decrease in V_j along the measured state trajectory between the beginning and end of a sampling period and would need to ensure that the closed-loop state measurement does not leave at any point in the sampling period (according to the implementation strategy in Section 4.1). This restricts the set of inputs that an attacker can provide in place of those coming from the controller without being detected during a probing maneuver to those that ensure that the closed-loop state does not exit throughout the sampling period (ultimately maintaining the closed-loop state within a safe operating region if that region is a superset of ). Thus, during a probing maneuver, Detection Strategy 1-S, with the flagging of attacks both when V_j along the measurement trajectory does not decrease by the end of a sampling period and when the state measurement leaves at any point during a sampling period, provides greater protection from the impacts of attacks on safety when the actuators are attacked than when the sensors are attacked. Specifically, whereas there is no guarantee that an undetected sensor attack would not cause a safety issue when using Detection Strategy 1-S, when an actuator attack occurs instead, then over the sampling period during which a probing maneuver is undertaken, an actuator attacker is unable to cause a safety issue for the closed-loop system without being detected (because the sensor measurements are correct and would flag this problematic behavior before the attacker could cause the closed-loop state to leave a safe operating region). However, because the value of the Lyapunov function at the state measurements is only being checked at the beginning and end of the sampling period, it is possible that the actual closed-loop state could move out of over a sampling period when a rogue actuator output is applied, and furthermore that at such a point, the measurement may not show this due to the noise. Therefore, to handle the actuator attacks, it is necessary to add conservatism to the design of the safe operating region compared to , so that instead of maintaining the state measurements and closed-loop state within only, they are maintained in the supersets of it that prevent the closed-loop state from leaving a safe operating region in the presence of noise and problematic inputs before a sampling period is over. A method for devising such regions is shown in a later section in the context of a combined sensor and actuator attack-handling strategy that makes use of this methodology. If this conservatism is added, then if an actuator attack occurs in a sampling period during which a probing maneuver occurs but it is undetected, the closed-loop state is maintained within the safe operating region. When no probing maneuver is occurring, then if the Lyapunov function evaluated at the state measurement is increasing over a sampling period when the closed-loop state is outside of , it may be possible that an attack is occurring and that this could be flagged to attempt to catch the attack before the closed-loop state leaves ; however, as discussed in Section 4.3, in the presence of bounded measurement noise, it is possible that V_j may not monotonically decrease when evaluated using the state measurements so that care must be taken in flagging a temporary increase in V_j as a cyberattack to avoid characterizing measurement noise as an attack.

An improved version of Detection Strategy 1-S when there are actuator cyberattacks would only probe constantly for attacks (i.e., the implementation strategy would be the same as that in Section 4.1, except that the probing occurs at every sampling time, instead of at random sampling times; this implementation strategy assumes that the regions meeting the requirements in Step 2 in Section 4.1 can be found at every sampling time, although reviewing when this is possible in detail can be a subject of future work). In this case, since at every sampling time, the attacker would be constrained to choose inputs that cannot cause the state measurement to leave , the attacker can never perform an undetected attack that drives the closed-loop state out of a safe operating region before it is detected. This indicates that this modified version of Detection Strategy 1-S (referred to subsequently as Detection Strategy 1-A) is resilient to cyberattacks on actuators in the sense that it is able to prevent an undetected attack from causing safety issues. In light of the question of whether it is trivial to extend Detection Strategy 1-S to handle actuator attacks, we note that Detection Strategy 1-A, which performs continuous probing, is performed in a different manner than Detection Strategy 1-S. Specifically, random probing is used in Detection Strategy 1-S to attempt to surprise an attacker, because the element of surprise is a part of what that algorithm has to counter the fact that the sensor measurements are incorrect. In contrast, Detection Strategy 1-A does not need to have randomized or unpredictable probing; it inherits its closed-loop stability properties from the fact that its design forces the cyberattacker into a corner in terms of what inputs they can apply, even if they fully knew how Detection Strategy 1-A worked, without being detected. This indicates that there is not a 1-to-1 correspondence between how a sensor cyberattack should be handled and how an actuator cyberattack should be handled, with approximately the same strategy. Furthermore, for this strategy, we see a flip in its power between the sensor and actuator attack-handling cases in that Detection Strategy 1-S cannot guarantee safety when a falsified state measurement is provided to the j-LEMPC but can guarantee safety in the presence of an actuator attack during the sampling period after a probing maneuver is initiated if the state measurements are correct.

To further explore how the sensor attack-handling strategies from Oyama and Durand (2020) extend to actuator cyberattack handling, we next consider the use of Detection Strategy 2-S for actuator attacks. This detection strategy is based on state predictions. These predictions must be computed under some inputs, so it is first necessary to consider which inputs these are for the actuator attack extension. Several options for inputs that could be used in making the state predictions include an input computed by a redundant control system, an approximation of the expected control output (potentially obtained via fitting the data between state measurements and (non-attacked) controller outputs to a data-driven model), or a signal from the actuator if it is reflective of what was actually implemented. If an actuator signal reflective of the control action that was actually implemented is received and a redundant control system is available, these can be used to cross-check whether the actuator output is correct. This would rapidly catch an attack if the signals are not the same. However, if there is no fully redundant controller (e.g., if actuator signals are available but only an approximation of the expected control output is also available) or if there is a concern that the actuator signals may be spoofed (and there is either a redundant control system or an approximation of the expected control output also available), then state measurements can be used (in the spirit of Detection Strategy 2-S as described in Section 4.2) to attempt to handle attacks.

The motivation for considering this latter case in which state measurements and predictions are used to check whether an actuator attack is occurring is as follows: the difference between the redundant control system output or approximation of the control system output and the control output of the LEMPC that is expected to be used to control the process can be checked a priori, before the controller is put online. This will result in a known upper bound ϵ_u between control actions that might be computed by the LEMPC and those of the redundant or approximate controller (for the redundant controller, ϵ_u = 0) for a given state measurement. If the state measurements are intact, then the state measurements and predictions under the redundant or approximate controller can be compared to assess the accuracy of the input that was actually applied. The redundant or approximate controller can be used to estimate the input that should be applied to the process, and state predictions can be made using the nominal model of Eq. 1 to check whether the input that was actually applied to the system seems to be sufficiently similar to the input that was expected (in the sense that it causes the control action that was actually applied to maintain the state measurement in an expected operating region), as it would have under the control action in the absence of an actuator attack, and keeps the norm of the difference between the state prediction and measurement below a bound. Even if ϵ_u = 0, process disturbances and measurement noise could cause the state prediction at the end of a sampling period over which a control action is applied to not fully match the measurement; however, if the error between the prediction and measurement is larger than a bound ν_u that should hold under normal operation considering the noise, value of ϵ_u, and plant/model mismatch, this signifies that there is another source of error in the state predictions beyond what was anticipated, which can be expected to come from the input applied to the process deviating more significantly from what it should have been than was expected (i.e., an actuator attack is flagged). Because the state measurements are correct, the state predictions are always initiated from a reasonably accurate approximation of the closed-loop state; therefore, with sufficient conservatism in the design of and a constant monitoring of whether the state measurement leaves that region, the closed-loop state can be prevented from leaving a safe operating region within a sampling period before an attack is detected. We will call the resulting strategy Detection Strategy 2-A. A method for designing a sufficiently conservative control strategy is shown in a later section in the context of a combined sensor and actuator attack-handling strategy that makes use of this methodology. In contrast to Detection Strategy 2-S that can only ensure safe operation for at least one sampling period after a sensor attack is implemented, Detection Strategy 2-A, like Detection Strategy 1-A, can be made fully resilient to actuator cyberattacks in the sense that an undetected attack could not cause safety issues. As long as the actual and predicted inputs are sufficiently close in a norm sense (within ϵ_u of one another), and the disturbances and measurement noise are bounded, then the deviations between the actual and predicted input act as bounded plant/model mismatch (if no attack is detected) that an LEMPC can be designed to handle such that the actual state and predicted state trajectories can still be kept inside a safe region of operation under actuator attacks with the monitoring of whether the state measurement leaves . Once again, we see that the modifications to Detection Strategy 2-S, and casting it in a form applicable to actuator attacks rather than sensor attacks, significantly enhances the power of the strategy compared to what can be guaranteed with sensor attacks only.

So far, the extended versions of Detection Strategy 1-S and of 2-S to the actuator-handling case have been more powerful against actuator attacks than Detection Strategies 1-S and 2-S have been against sensor attacks. In contrast, attempting to utilize Detection Strategy 3-S, which enabled safety to be maintained for all times if a sensor measurement attack was undetected (and at least one redundant estimator was not), may result in a strategy that appears to be weaker in the face of actuator attacks. One of the assumptions of Detection Strategy 3-S in Section 4.3 is that an observer exists that satisfies the conditions in Assumption 1 and Assumption 2. High-gain observers can meet this assumption, and under sufficient conditions, they meet this assumption regardless of the actual value of the input (which was important for achieving the results in Theorem 3 as noted in Remark 3). However, this means that in the case that only the inputs are awry, the state estimates would still be intact because of the convergence assumption, such that they will not deviate from one another in the desired way and Detection Strategy 3-S could not be used as an effective detection strategy for actuator attacks with such estimators. Although a further investigation of whether other types of observer designs or assumptions could be more effective in designing an actuator attack-handling strategy based on Detection Strategy 3-S (to be referred to as Detection Strategy 3-A) could be pursued, these insights again indicate that there are fundamental differences between utilizing the detection strategies for actuator attack-handling compared to sensor attack-handling. The discussion throughout this section therefore seems to suggest that the integrated control and detection frameworks presented above have structures that make them more or less relevant to certain types of attacks and that also affect the extent to which they move toward flexible and lean frameworks with minimal redundancy for cyberattack detection, compared to relying on redundant systems. For example, Detection Strategy 3-S relies on redundant state estimators for detecting sensor attacks, but Detection Strategy 2-A relies on having a redundant controller for detecting actuator attacks. It is interesting in light of this that Detection Strategies 1-A and 1-S do not require redundant control laws but do require many different steady-states to be selected over time. We can also note that the strength of Detection Strategies 1-A and 2-A against actuator attacks above comes partially from the ability of the combined detection and control policies in those cases to set expectations for what the sensor signals should look like that, if not violated, indicate safe operation, and if violated, can flag an attack before safe operation is compromised. As will be discussed later, this has relevance to the notions of cyberattack discoverability in that to cause attacks to be discoverable, integrated detection and control need to be performed such that the control theory can set the expectations for detection to be different if there is an attack or impending safety issue from an attack compared to if not, to force attacks to show themselves. A part of the power of a theory-based control law like Detection Strategy 1-A or 2-A against actuator attacks is the ability to perform that expectation setting.

6 Motivation for Detection Strategies for Actuator and Sensor Attacks

The above sections addressed how LEMPC might be used for handling sensor attacks or actuator attacks individually. In this section, we utilize a process example to motivate further work on exploring how LEMPC might be used to handle both sensor and actuator attacks. Specifically, consider the nonlinear process model below, which consists of a continuous stirred tank reactor (CSTR) with a second-order, exothermic, irreversible reaction of the form A→B with the following dynamics:where the states are the reactant concentration of species A (C_A) and temperature in the reactor (T). The manipulated input is C_A0 (the reactant feed concentration of species A). The values of the parameters of the CSTR model (F, V, k₀, E, R_g, T₀, ρ_L, ΔH, and C_p) are taken from (Heidarinejad et al., 2012b). The vectors of deviation variables for the states and input from their operating steady-state values, , C_A0s = 4.0 kmol/m³, respectively, are and u₁ = C_A0−C_A0s. The process model represented by Eqs 40, 41 is numerically integrated using the explicit Euler method with the integration step of 10^–4 h. The stage cost, for which the time integral is desired to be maximized, is selected to be . The sampling period was set to Δ = 0.01 h, with the prediction horizon set to N = 10. The initial condition for the closed-loop state was 0.7 kmol/m³ below the steady-state value for C_A and 30 K below the steady-state value for T. The LEMPC simulations were performed using fmincon on a Lenovo model 80XN x64-based ideapad 320 with an Intel(R) Core(TM) i7-7500U CPU at 2.70 GHz, 2,904 Mhz, running Windows 10 Enterprise, in MATLAB R2016b. To ensure that the fmincon solver status was that it stated it had found a local minimum, a variety of initial guesses for the solver were made at a sampling time if it did not find a local minimum using the first guess.

The Lyapunov-based stability constraints in Eqs 9a, 9b were designed using a quadratic Lyapunov function V₁ = x^TPx, where P = [110.11 0; 0 0.12]. The Lyapunov-based controller utilized was a proportional controller of the form (Heidarinejad et al., 2012b) subject to input constraints (|u₁| ≤ 3.5 kmol/m³). The stability region was set to ρ₁ = 440 (i.e., ) and . The LEMPC receives full-state feedback, which is sent to the LEMPC at synchronous time instants t_k. The controller receives a state measurement subject to bounded measurement noise, and the process is subject to bounded disturbances. Specifically, the noise is represented by a standard normal distribution with mean zero, standard deviations of 0.0001 kmol/m³ and 0.001 K, and bounds of 0.00001 kmol/m³ and 0.0005 K for the concentration of the reactant and reactor temperatures, respectively. In addition, disturbances were added to the right-hand side of the differential equations describing the rates of change of C_A and T with zero mean and standard deviations of 0.05 kmol/m³ h and 2 K/h, and bounds of 0.005 kmol/m³ h and 1 K/h, respectively. Normally distributed random numbers were implemented using the randn function in MATLAB, with a seed of 10 to the random number generator rng.

We first seek to gain insight into the differences between single attack-type cases and simultaneous sensor and actuator attacks. To gain these insights, we will use the strategies inspired by the detection strategies discussed above, but not meeting the theoretical conditions, so that these are not guaranteed to have resilience against any types of attacks (some discussion of moving toward getting theoretical parameters for LEMPC, which elucidates that obtaining the parameters that guarantee cyberattack-resilience for LEMPC formulations in practice should be a subject of future work, will be provided later in this work). Despite the fact that there are no guarantees that any of the strategies used in this example that attempt to detect attacks will do so with the parameters selected, this example still provides a number of fundamental insights into the different characteristics of single attack types compared to simultaneous sensor and actuator attacks, providing motivation for the next results in this work. We also consider that the attack detection mechanisms are put online at the same time as the cyberattack occurs (0.4 h) so that we do not consider that they would have flagged, for example, the changes in the sensor measurements under a sensor measurement attack between the times prior to 0.4 and 0.4 h.

The case studies to be undertaken in moving toward understanding the differences between single and multiple attack-type scenarios involve an LEMPC where the constraint of Eq. 9b is enforced at the sampling time, followed by the constraints of the form of Eq. 9a enforced at the end of all sampling periods. The first study involves an attack monitoring strategy that involves checking whether the closed-loop state is overall driven toward the origin over a sampling period (if it is not, a possibility of an attack will be flagged). We implement attacks at 0.4 h; sensor attacks are implemented such that the measurement received by the sensor at 0.4 h would be faulty, and an actuator attack would be implemented by replacing the input computed for the time period between 0.4 and 0.41 h with an alternative input. When no attack occurs in the sampling period following 0.4 h of operation, the Lyapunov function evaluated at the actual state and at the state measurement decreases over the subsequent sampling period, as shown in Figures 1, 2.

FIGURE 1

FIGURE 2

If instead we consider the case where only a rogue actuator output with the form u = 0.5 kmol/m³ is provided to the process for a sampling period after 0.4 h of operation, Figures 1, 2 show that the Lyapunov function profile increases over one sampling period after the attack policy is applied, when the Lyapunov function is evaluated for both the actual state and the measured state, and thus, this single attack event would be flagged by the selected monitoring methodology. Consider now the case where only a false state measurement for reactant concentration, with the form x₁ + 0.5 kmol/m³, is continuously provided to the controller after 0.4 h of operation. This false sensor measurement causes the Lyapunov function value to decrease along the measurement trajectory, as can be seen in Figure 2, showing that this attack would not be detected by the strategy. However, it also decreases along the actual closed-loop state trajectory in this case (Figure 1) so that no safety issues would occur in this sampling period. This is thus a case when individual attacks would either be flagged over the subsequent sampling period or would not drive the closed-loop state toward the boundary of the safe operating region over that sampling period. Due to the large (order-of-magnitude) difference in the value of V₁ evaluated along the measured state trajectory between the case that the sensor attack is applied and that no attack occurs, as shown in Figure 1, it could be argued that this type of attack could be flagged by the steep jump in V₁ between the times prior to the sensor attack that occurs at 0.4 and 0.4 h. However, because we assumed that the method for checking V₁ was not put online until 0.4 h, we assume that it does not have a record of the prior value of V₁ so that we can focus on the trends in this single sampling period after the attacks.

We now consider two scenarios involving the combinations of sensor and actuator attacks. First, we combine the two attacks just described (i.e., false measurements are continuously provided to the controller and detection policies, which have the form x₁ + 0.5 kmol/m³, and rogue actuator outputs with the form u = 0.5 kmol/m³ are provided directly to the actuators to replace any inputs computed by the controller). This attack is applied to the process after 0.4 h of operation and subsequently referred to as the “baseline” combined actuator and sensor attack because it is a straightforward extension of the two separate attack policies. In this case, the value of V₁ increases along the measurement trajectory and also increases for the actual closed-loop state so that this attack would be flagged by the proposed policy. In some sense, the addition of the actuator attack made the fact that the system was under some type of attack “more visible” to this detection policy than in the sensor attack-only case (although the individual sensor attack was not causing the closed-loop state to move toward the boundary of the safe operating region so that the lack of detection of an attack in that case would not be considered problematic).

We next consider an alternative combined sensor and actuator attack policy, which we will refer to as a “stealthy” policy. In this case, the attacker provides the exact state trajectory to the detection device that would have been obtained if there was no attack, while at the same time falsifying the inputs to the process. In the case that this same false actuator trajectory was applied to the process and the sensor readings were accurate, we considered that it could be flagged. With the falsified sensor readings occurring at the same time, however, the attack is both undetected and driving the closed-loop state closer to the boundary of the safe operating region over a sampling period. From this, it can be seen that a major challenge arising from combining the attacks is that actuator attack detection policies based on state measurements may fail when attacks are combined, so that the state measurements may imply that the process is operating normally when problematic inputs are being applied.

This raises the question of whether there are alternative detection policies that might flag combined attacks, including those of the stealthy type just described that was “missed” by the detection policy described above where an overall decrease in the Lyapunov function value for the measured state across a sampling period was considered. For example, some of the detection methods described in the prior sections are able to flag actuator attacks before safety issues occur, whereas others flag sensor attacks. This suggests that detection strategies with different strengths might be combined into two-part detection strategies that involve multiple detection methods. To explore the concept of combining multiple methods of attempting to detect attacks (where again this example does not meet theoretical conditions required for resilience and is meant instead to showcase concepts underlying simultaneous attack mechanisms), we consider designing a state estimator for the process to use to compare state estimates against full-state feedback. If the difference between the state estimates and state measurements is larger than a threshold considered to represent abnormal behavior, we will flag that an attack might be occurring. In addition, we will monitor the decrease in the Lyapunov function evaluated along the trajectory of the state measurement over time, and flag a potential attack if it is noticeably increasing across a sampling period.

To implement such a strategy, we must first design a state estimator. We will use the high-gain observer from (Heidarinejad et al., 2012b) with respect to a transformed system state obtained via input–output linearization. This estimator (which is redundant because full-state feedback is available) will be used to estimate the reactant concentration of species A from continuously available temperature measurements. The observer equation using the set of new coordinates is as follows:where is the state estimate vector in the new coordinate Khalil (2002), y is the output measurement, A = [0 1; 0 0], C = [1 0], and L = [100 10,000]^T. To obtain the state estimate of the system z, the inverse transformation is applied.

The next step in designing the detection strategy is to decide on a threshold for the norm of the difference between the state estimate and the state feedback. As a rough attempt to design one that avoids flagging measurement noise and process disturbances as attacks, the data from attack-free scenarios are gathered by simulating the process under different initial conditions and inputs within the input bounds. Particularly, we simulate attack-free events with an end time of 0.4 h of operation for initial conditions in the following discretization: x₁ ranges from −1.5 to 3 kmol/m³ in the increments of 0.1 kmol/m³, with x₂ ranging from −50 to 50 K in the increments of 5 K. When these initial conditions are within the stability region, the initial value of the state estimate is found in the transformed coordinates based on the assumption that the initial condition holds. Then, inputs must be generated to apply to the process with noise and disturbances. To explore what the threshold on the difference between the state measurement and estimate might be after 0.4 h to set a threshold to use when the state estimation-based attack detection strategy comes online at that time, we try several different input policies. One is to try h₁(x) at every integration step; if this is done, then the maximum value of the norm of the difference between the state estimate and state measurement at 0.4 h among the scenarios tested is 0.026. If instead a random input policy is used (i.e., at every integration step, a new value of u is generated with mean zero and standard deviation of 2, and bounds on the input of −3.5 and 3.5 kmol/m³), then the maximum value of the difference between the state estimate and state measurement at 0.4 h among the scenarios tested is 0.122. If instead the random inputs are applied in sample-and-hold with a sampling period of length 0.01 h, the maximum value of the difference between the state estimate and state measurement at 0.4 h is 0.885. If the norm of the error between the state estimate and state measurement is checked at 1 h instead of 0.4 h in the three cases above, the results are 0.003, 0.107, and 0.923, respectively. Though a limited data set was used in these simulations and the theoretical principles of high-gain observer convergence were not reviewed in developing this threshold, 0.923 was selected for the cyberattack detection strategy based on the simulations that had been performed. One could also set the threshold by performing simulations for 0.4 h for a number of different initial states, specifically operated under the LEMPC, instead of the alternative policies above. Changing the threshold in the following discussion could have an impact on attack detection, although there would still be fundamental differences between single attack-type scenarios and simultaneous attack-type scenarios as discussed below.

We next consider the application of the same form of the baseline attacks as described in the prior example occurring at once, i.e., false measurements are continuously provided to the controller, which have the form x₁ + 0.5 kmol/m³, and rogue actuator outputs with the form u = 0.5 kmol/m³ are provided to the process at 0.4 h of operation. In this combined attack scenario, the norm of the difference between the (falsified) state measurement and the state estimate at 0.4 h is 0.5016, and at 0.41 h is 0.5233, demonstrating that if the threshold is set to a larger number such as 0.923, the state estimate-based detection mechanism does not flag this attack at 0.4 or 0.41 h. Figure 3 plots the closed-loop state trajectory against the state estimate trajectory over one sampling period after 0.4 h of operation, showing the closeness of the trajectories in that time period despite the sensor and actuator attacks at 0.4 h. In fact, if this system is simulated with an actuator attack only, then the difference in the state estimate and state measurement at 0.41 h (the time at which the effects of the actuator attack could first be observed in the process data) is 0.05, showing that with the selected threshold for flagging an attack based on the difference between the state estimate and measurement, the actuator attack only would not be flagged at 0.41 h (despite that there is a net increase in the Lyapunov function value along the measured state trajectory in this case because that is not being checked with only the state estimate-based detection strategy). Considering that the threshold was set based on non-attacked measurements and many different input policies for the threshold set, it is reasonable to expect that an attack would not be flagged if only the input was to change.

FIGURE 3

For the baseline combined sensor and actuator case, Figure 4 shows that the Lyapunov function increases over the sampling period after 0.4 h along the measurement trajectory. Therefore, like the case where only the Lyapunov function was checked to attempt to flag this baseline combined attack, the baseline combined sensor and actuator attack can be detected here as well between 0.4 and 0.41 h. Though the attack occurs and is flagged, the closed-loop state was still kept inside the stability region over the sampling period that the attacks were applied, as indicated in Figure 5.

FIGURE 4

FIGURE 5

If the stealthy combined sensor and actuator attack from the prior section is applied, the Lyapunov function value along the closed-loop state trajectory is again increasing, but again, it is decreasing along the estimated trajectory between 0.4 and 0.41 h. However, if this simulation is run longer, then the attack is eventually detected via the deviation of the state estimates from the state measurements exceeding the 0.923 threshold, at 0.45 h. In the case that only the Lyapunov function value along the measured state trajectories is checked until 0.45 h, no attack is yet detected, as the Lyapunov function value continues to decrease from 0.4 to 0.45 h along the measured state trajectory. These examples indicate the complexities of having combined sensor and actuator attacks, and also showcase that different detection policies may be better suited for detecting the combined attacks than others. This motivates a further study of the techniques and theory for handling the combined attacks, which is the subject of the next section.

7 Integrated Cyberattack Detection and Control Strategies Using LEMPC Under Multiple Attack Type Scenarios

The detection concepts described in the prior sections (and summarized in Table 1) have been developed to handle only single attack-type scenarios (i.e., either false sensor measurements or rogue actuator signals). However, to make a CPS resilient against different types of cyberattacks, the closed-loop system must be capable of detecting and mitigating scenarios where multiple types of attacks may happen simultaneously. As in the prior sections, detection approaches that not only enable the detection of attacks but that also prevent safety breaches when an attack is undetected are most attractive. This section extends the discussion of the prior sections to ask whether the detection strategies from Oyama and Durand (2020) that were developed for sensor cyberattack-handling and extended to actuator cyberattack-handling above can be used in handling simultaneous sensor and actuator attacks on the control systems.

We first note that based on the discussion in Section 5, we do not expect only a single method previously described (Detection Strategies 1-S, 2-S, 3-S, 1-A, 2-A, or 3-A) to be capable of handling both sensor and actuator cyberattacks occurring simultaneously. Instead, to handle the possibility that both types of attacks may occur, we expect that we may need to combine these strategies. However, care must be taken to select and design integrated control/detection strategies such that cyberattack detection and handling are guaranteed even when sensors and/or actuators are under attack. This is because the two types of attacks can interact with one another to degrade the performance of some of the attack detection/handling strategies that work for single attack types as suggested in the example of the prior section. For example, as noted in Section 5, in general, sensor measurement cyberattack-handling strategies may make use of correct actuator outputs in identifying attacks, and actuator attack-handling strategies may make use of “correct” (except for the sensor noise) sensor measurements in identifying attacks. If the actuators are no longer providing a correct output, it is then not a given that a sensor measurement cyberattack-handling strategy can continue to be successful, and if the sensors are attacked, it is not a given that an actuator cyberattack-handling strategy can continue to be successful. In this section, we analyze how the various methods in this work perform when these interactions between the sensor and actuator attacks may serve to degrade performance of strategies that worked successfully for only one attack type.

The above discussion highlights that to handle both the sensor and actuator attacks, a combination strategy cannot be based on sensor measurements alone. In the following sections, we detail how the combination strategies using Detection Strategies 3-S and 1-A, and 3-S and 2-A, can be made resilient against simultaneous sensor and actuator attacks in the sense that, as long as at least one state estimate is not impacted by a false sensor measurement attack, the closed-loop state is always maintained within a safe operating region if attacks are undetected, even if both attack types occur at once. We note that the assumptions that the detectors are intact (e.g., that at least one estimator is not impacted by false sensor measurements or that a state prediction error-based metric is evaluated against its threshold) implies that other information technology (IT)-based defenses at the plant are successful, indicating that the role of these strategies at this stage of development is not in replacing IT-based defenses but in providing extra layers of protection if there are concerns that the attacks could reach the controller itself (while leaving some sensor measurements and detectors uncompromised).

7.1 Simultaneous Sensor and Actuator Attack-Handling via Detection Strategies 3-S and 1-A: Formulation and Implementation

In the spirit of the individual strategies Detection Strategy 3-S and Detection Strategy 1-A, a combined policy (to be termed Detection Strategy 1/3) can be developed that uses redundant state estimates to check for sensor attacks (assuming that at least one of the estimates is not impacted by any attack), and also uses different LEMPCs at every sampling time that are designed around different steady-states but contained within a subset of a safe operating region (the subsets are called ). Under sufficient conditions (which will be clarified in the next section), both the closed-loop state and state estimate are maintained in for all time for the process without attacks or with undetected attacks. The notation to be used for the LEMPC for Detection Strategy 1/3 has the form in Eq. 11 with Eq. 11c replaced by (in this subsection, we will refer to this LEMPC as the i-th output feedback LEMPC of Eq. 11. The output feedback LEMPC design of Eq. 11 receives a state estimate z_1,i at t_k. In the following, i will be used as a subscript for some of the previously introduced notation to reflect that the quantity is defined for the system in deviation variable form from the i-th steady state.

7.1.1 Simultaneous Sensor and Actuator Attack-Handling via Detection Strategies 3-S and 1-A: Stability and Feasibility Analysis

In this section, we prove recursive feasibility and safety of the process of Eq. 1 under the LEMPC formulations of the output feedback LEMPCs of Eq. 11 whenever no sensor or actuator attacks are detected according to the implementation strategy in Section 7.1 in the presence of bounded measurement noise. The theorem below characterizes the safety guarantees (defined as maintaining the closed-loop state in ) of the process of Eq. 1 for all time under the implementation strategy of Section 7.1 when no sensor and actuator cyberattacks are detected.

7.2 Simultaneous Sensor and Actuator Attack-Handling via Detection Strategies 3-S and 2-A: Formulation and Implementation

Following the idea of pairing single detection strategies above, another integrated framework, named Detection Strategy 2/3, can be developed that uses redundant state estimates to check for sensor attacks (again assuming that at least one of the estimates is not impacted by any attack) and relies on the difference between a state prediction based on the last available state estimate (obtained using an expected control action computed by either a fully redundant controller or an approximation of the controller output for a given state estimate) and a state estimate being less than a bound. The premise of checking the difference between the state estimate and the state prediction is that the state prediction should not be able to deviate too much from a (converged) state estimate (i.e., it approximates the actual process state to within a bound as in Assumption 2 after a sufficient period of time has passed since initialization of the state estimates) if there are no sensor or actuator attacks, and that therefore, seeing the estimate and prediction deviate by more than an expected amount is indicative of an attack.

If the actual state is inside a subset of the stability region Ω_ρ, then under sufficient conditions (which will be clarified in the next section), both the closed-loop state and state estimate are maintained in a safe operating region for all time for the process without attacks or with undetected attacks. The notation to be used for the LEMPC for Detection Strategy 2/3 follows that of Eq. 10 with Eq. 10c replaced by (we will subsequently refer to this LEMPC as the output feedback LEMPC of Eq. 10. In this control formulation, the output feedback LEMPC design of Eq. 10 receives a state estimate z_j (j = 1, … , M) from one of the redundant state estimators (the estimator used to provide state estimates to the proposed LEMPC that controls the process will be denoted as the j = 1 estimator) at t_k.

To present the implementation strategy and subsequent proof in the next section that Detection Strategy 2/3 can be made cyberattack resilient in the sense that it can guarantee safety whenever no sensor or actuator attacks are flagged by this combined detection framework, it is necessary to determine the detection threshold for the difference between the state estimate and state prediction. Unlike in the case where a bound on the difference between state predictions and state measurements was derived for Detection Strategy 2-S for sensor attacks, we here need to set up mechanisms for detecting whether an actuator and/or sensor attack occurs. While state estimates are available to aid in detecting sensor attacks, a part of the mechanism for detecting whether actuator attacks occur is the use of a fully redundant controller (for which the input computed by the output feedback LEMPC of Eq. 10 is equivalent to the input computed by the redundant controller used in cross-checking the controller outputs) or the fast approximation of the control outputs (for which the input computed by the LEMPC would differ, within a bound, from the input computed by the algorithm used in cross-checking the controller outputs) for a given state measurement. The definition below defines the notation that will be used in this section to represent the actual state trajectory under the control input computed by the LEMPC and the state prediction obtained from the nominal (w ≡ 0) process model of Eq. 1 under the potentially approximate input used for cross-checking the control outputs.

7.2.1 Simultaneous Sensor and Actuator Attack-Handling via Detection Strategies 3-S and 2-A: Stability and Feasibility Analysis

In this section, we prove recursive feasibility and stability of the process of Eq. 1 under the proposed output feedback LEMPC of Eq. 10 whenever no sensor or actuator attacks are detected according to the implementation strategy in Section 7.2 in the presence of bounded plant/model mismatch, controller cross-check error, and measurement noise. The following theorem characterizes the safety guarantees of the process of Eq. 1 for all time under the implementation strategy of Section 7.2 when sensor and actuator cyberattacks are not detected. As for Detection Strategy 1/3, because the actuator cyberattacks would not be detected according to the implementation strategy in Section 7.2 until a sampling period after they had occurred (since they are being detected by their action on the state estimates, which would not be obvious until they have had a chance to impact the closed-loop state), it is necessary to define supersets and of Ω_ρ, but which are contained in , to set the size of Ω_ρ with respect to to ensure that Ω_ρ is defined in a sufficiently conservative fashion such that even if the closed-loop state is driven out of Ω_ρ, the closed-loop state will still always be in and the state estimate will go out of Ω_ρ before the actual closed-loop state leaves .

8 Cyberattack Discoverability for Nonlinear Systems

The above sections reviewed a variety of cyberattack-handling mechanisms that rely on specific detection strategies designed in tandem with the controllers. None of those strategies, in the manner discussed, detects every attack, but some ensure that safety is maintained when the attacks are not detected. This raises the question of when detection mechanisms can detect attacks and when they cannot. This section is devoted to a discussion of these points. In Oyama et al. (2021), we first presented the notions of cyberattack discoverability for nonlinear systems in a discussionary sense (i.e., a stealthy attack is fundamentally “dynamics-based” or a “process-aware policy” and could fly under the radar of any reasonable detection method; on the other hand, a “non-stealthy” attack can be viewed as the one in which the attack policy is not within the bounds of a detection threshold and could promptly be flagged as a cyberattack using a reasonable detection method). In this section, we present the mathematical characterizations of nonlinear systems cyberattack discoverability that allow us to cast the various attack detection and handling strategies explored in this work in a unified framework and to more deeply understand the principles by which they succeed or do not succeed in attack detection.

We begin by developing a nonlinear systems definition of cyberattack discoverability as follows:

9 Probing the Practicality of LEMPC-Based Cyberattack-Resilient Control Design

The results above suggest that if controllers can be designed to satisfy the theoretical requirements discussed in the prior sections, there would be benefits to using them from a cybersecurity perspective. However, an important question that arises from these studies is how easy it might be to design controllers satisfying the theoretical requirements (and if it would be practical at all) and what the answer to this question suggests about how the future work in cyberattack-resilient LEMPC should continue. In our prior work (Oyama et al. 2021), a number of simulations of a sensor measurement cyberattack-handling LEMPC that can also account for the changes in the process dynamics were performed. The results indicated that checking that the parameters of the control law and detection strategy (such as thresholds used in the detection policy or ρ_e) prevent cyberattacks from being successful can be challenging if it is performed using only a limited number of simulations. This suggests that either a significant number of simulations may be needed to design cyberattack-resilient LEMPCs (which would be expected to be a challenging way to design these controllers due to the interactions between the various parameters and could also still potentially leave system vulnerabilities if the simulations are not able to fully cover every possible issue), or a method for obtaining the parameters of the LEMPCs that meet the theory would be needed.

In this section, we seek to provide some initial insights into obtaining parameters for an LEMPC that meet the theory. To make progress on this, we remove some of the complexity of the problem by focusing on how to obtain the theoretical parameters not of the more specialized LEMPCs for cyberattack-resilient control discussed in this work, but instead for the original LEMPC developed in Heidarinejad et al. (2012a). This discussion is used to motivate future work in seeking to extend the initial results presented here on obtaining LEMPC parameters to more comprehensive methods for obtaining these parameters that could then be scaled to the cyberattack-resilient forms of LEMPC to eliminate the vulnerabilities.

9.1 LEMPC: Meeting Theoretical Requirements in Control Design

Before moving to a study working toward obtaining LEMPC parameters for a CSTR example, we first discuss a number of preliminaries regarding this topic. First, since this section will focus on the standard LEMPC of Eqs 8, 9, instead of its cyberattack-resilient form, we consider Proposition 2 (where in the remainder of this section; we will neglect the subscript i for the simplicity of notation) and the following proposition and theorem.

9.1.1 Obtaining Control-Theoretic Parameters for LEMPC Applied to a CSTR

In this section, we provide a brute force-type method for exploring the parameters of an LEMPC that might be more aligned with the theory than assumed values. The brute force-type approach does not ensure that all of the parameters meet the theory, but it provides many insights into the shortcomings of this initial approach for attempting to obtain the parameters to motivate further studies on this topic and potential challenges with the parameters that might be obtained.

We consider the nonlinear process model of Eqs 40, 41. The manipulated inputs are C_A0 (the reactant feed concentration of species A) and Q (the heat rate input), with the bounds of 0.5 ≤ C_A0 ≤ 7.5 kmol/m³ and –5.0 × 10⁵ ≤ Q ≤ 5.0 × 10⁵ kJ/h. The values of the parameters of the CSTR model are presented in Table 2. An open-loop asymptotically stable steady-state occurs at C_As = 1.2 kmol/m³ and T_s = 438.2 K, where the subscript s indicates the steady-state values. In the control formulation, the state and input vectors are represented using deviation variables as x^T = [C_A−C_AsT−T_s] and u^T = [C_A0–C_A0sQ–Q_s], respectively.

According to Theorem 6, the first step in finding the control-theoretic parameters for LEMPC is to find a controller h(x) satisfying Eq. 2 so that Ω_ρ, V, and h in the LEMPC of Eqs 8, 9 can be defined. In general, it may be challenging to find the functions α₁, α₂, α₃, α₄, and h(x) satisfying the requirements of Eq. 2. The input-affine form of Eqs 40, 41 allows Sontag’s formula (Lin and Sontag 1991) to be used for h(x) (assuming kmol/m³ and that Sontag’s formula is then used only for ) with a guaranteed decrease on V(x), and an attempt to use a quadratic form of V as x^TPx with a positive definite P makes it possible to find some α₁ and α₂ satisfying Eq. 2a (if that selection of V turns out to be successful; notably, however, the fact that these functions satisfy some of the equations does not mean that they will make it possible or straightforward to satisfy the others). The manner in which we proceed here is as follows: initially, we select a quadratic form of V with P = [2,000 −10; −10 3]. For a symmetric P, λ_min(P)x^Tx ≤ x^TPx ≤ λ_max(P)x^Tx, where λ_min(P) and λ_max(P) represent the minimum and maximum eigenvalues of P, respectively. This indicates that for a symmetric P utilized for V = x^TPx, α₁(|x|) can be set to λ_min(P)|x|², and α₂(|x|) can be set to λ_max(P)|x|². For the given P, λ_min(P) and λ_max(P) can be found using MATLAB’s eig function to be 2.95 and 2,000.05, respectively. From this, we will set a₁ = 2.9 and a₂ = 2001, where α₁(|x|) = a₁|x|² and α₂(|x|) = a₂|x|².

The next function that we would like to obtain is α₃. According to Eq. 2b, α₃(|x|) should be a class function that provides an upper bound to along the closed-loop state trajectories at all points in the stability region. While it would be ideal in general to find such a function analytically, we perform an approximate check numerically here using kmol/m³ and given by Sontag’s formula (Lin and Sontag 1991). Notably, as soon as simulations are introduced to check that theoretical conditions are true, the potential for vulnerabilities in the design (in the sense that the safety results may not hold) opens up. The more points that are checked within the stability region to ensure that the chosen α₃ satisfies Eq. 2b within that region, the greater the expectation one might have that it does everywhere (although an expectation is not a proof), but simulations are not as rigorous of a check as an analytic check. However, it may not always be possible to perform the checks analytically. Still, this is a part of the methodology that will need further improvements for designing safe systems under LEMPC and ultimately building to a cyberattack-resilient LEMPC design.

The first thing that we will check is that is negative throughout the stability region that we plan to use so that we have reason to check if there is a negative definite upper-bounding function on as required by Eq. 2b. Specifically, initially, a check was made that was negative throughout Ω_ρ under the proposed h(x) (saturated at the input bounds) for ρ = 1,800, by discretizing the state-space in the increments of 0.01 kmol/m³ in C_A from 0 to 4 kmol/m³, and in the increments of 1 K in T from 340 to 560 K. Since was negative at the points tested, we suggest the function α₃(|x|) = a₃|x|², with a₃ originally set to 100, and then, throughout the stability region, check whether is less than the negative of this function. If it is not (implying that a₃ is too large), a₃ is changed to be equal to at the point where was not less than or equal to −α₃(|x|). This results in a₃ = 0.008 22; setting a₃ = 0.008 ensures that the inequality in Eq. 2b is satisfied at the points tested for this choice of α₃(|x|). Notably, a₃ is rounded down to obtain a suitable parameter, whereas the other parameters discussed below will be rounded up from the values returned by MATLAB because a₃ appears in a term that reflects a worst case when it is smaller, whereas the others appear in the terms that reflect the worst cases when they are larger.

The next function to be obtained is α₄(|x|). We again here guess a form for α₄(|x|) and then check whether Eq. 2c is satisfied at the points in the discretized stability region. Specifically, assuming that α₄(|x|) = a₄|x|², we set a₄ initially to −100 and then update it to be whenever . This gives that a₄ = 8,156.72 would work throughout the stability region with ρ = 1,800. We will choose a₄ = 8,160.

Next, the value of M_f is determined to satisfy Eq. 5. In this case, it is necessary to discretize not only the state-space within the stability region but also the input space and disturbance space. Furthermore, the upper bound on the magnitude of the disturbances will play a role in determining not only M_f but also whether the conditions of Proposition 2 and Proposition 6 and Theorem 6 are satisfied for the controller parameters. Again, the larger the value of ρ, the larger the value of M_f. To obtain M_f in this simulation, the state-space was discretized in the manner described above, and, in addition, the range of C_A0 was discretized in the units of 0.5 kmol/m³, while the range of Q was discretized in the units of 10⁵ kJ/h. Furthermore, the disturbances used for this process had disturbance bounds of 2 kmol/m³ h and 5 K/h for the disturbances added to the right-hand sides of Eqs 40, 41, respectively. The disturbance space was therefore considered to go from −2 to 2 kmol/m³ h in the units of 0.1 kmol/m³ h for the disturbances added to the right-hand side of Eq. 40 in deviation form and from −5 to 5 K/h in the increments of 0.5 K/h for the disturbances added to the right-hand side of Eq. 41 in deviation form. M_f was originally set to 0, but then, it was changed to at any of the discretized points where |f(x, u, w)| was greater than the stored value of M_f. This results in a value of M_f within the stability region ρ = 1,800 of 4,465.75. The selected value for this simulation is 4,466.

L_x and L_w are the Lipschitz constants for f, as shown in Eq. 4a. To obtain these, first, L_x and L_w are obtained on their own by discretizing the state, input, and disturbance spaces, and finding the values that work when only the state is changed (for L_x) or when only the disturbances are changed (for L_w). Subsequently, it is checked that the resulting L_x and L_w satisfy Eq. 4a for the points in the discretized state-space. However, using the brute force method in this paper of checking many points (an aspect of this strategy that would scale poorly and therefore pose limitations for larger processes), the computation time can become many hours if the same discretization is used as was used above. Therefore, to obtain values for L_x and L_w more quickly, the discretization was made coarser; however, it should be understood that this also means that these parameter values (like the others above with other discretizations) are not necessarily the values that would be obtained with a finer discretization and therefore still leave the potential for safety vulnerabilities if the controller parameters are designed with these imperfect values of L_x and L_w. This also provides an insight into the challenges of using strategies like this for the safety-critical design of controllers, such as for the cyberattack-resilience extension.

Using a discretization of the input range of 1 kmol/m³ in C_A0, of 10⁵ kJ/h in Q, of 0.1 kmol/m³ in C_A, of 1 K in T, and of 1 kmol/m³ h for the disturbance added to the right-hand side of Eq. 40 in a deviation form and of 1 K/h for the disturbance added to the right-hand side of Eq. 41 in a deviation form, and then only looking at points in the stability region, the value of L_x was initialized at −1 and then reset to |f(x, u, w)− f(x′, u, w)|/|x−x′| whenever |f(x, u, w)−f(x′, u, w)| > L_x|x−x′| among the points checked. This resulted in a value of L_x = 3,008.66 being selected. A similar procedure for L_w gave L_w = 1.00. Then, a code that checks that Eq. 4a is satisfied at the points in the discretization with L_x = 3,009 and L_w = 1.1 was utilized, and the points in the discretization satisfied it.

Subsequently, it is necessary to calculate and . Using a similar strategy to that used in computing L_x and L_w, with the same discretization of the state, input, and disturbance spaces and only looking at points within the stability region, and setting the initial value of to −1 but updating it to whenever among the points checked, the value results. Following a similar procedure for , the value results. Subsequently, it is checked that Eq. 4b is satisfied at the points checked with and .

The final parameter to obtain is M_v in Eq. 16. This is obtained in a similar spirit to the methods above. Specifically, the range of C_A is discretized in the units of 0.01 kmol/m³, while the range of T is discretized in the units of 1 K. M_v was originally set to 0. The points in this discretization in the stability region are examined. Subsequently, M_v is set to if . The value of M_v after this algorithm was run was still 0. Therefore, M_v was set to 10^–5.

The set of parameters obtained via these methods that is used in the first simulation is shown in Table 3. We note that many of these parameters were obtained within a given Ω_ρ, where if that region shrinks, it is possible that some values may change. To select the values of , Δ, ρ_s, ϵ_w, and ρ_min that satisfy the conditions of Proposition 2 and Proposition 6 and Theorem 6, we consider formulating the following optimization problem:

In Eq. 86, represents ϵ_w/Δ, so that the value of ϵ_w can be obtained from after Eq. 86 is solved. The objective function of Eq. 86 was selected as to attempt to maximize the size of the region in which process economics is optimized under the constraint of Eq. 9a. Equation 86b was implemented as , and Eq. 86c was implemented as , in accordance with Eqs 16, 81b, 82, 83. Eq. 86d was developed due to the fact that the closed-loop state may enter under the operation of the LEMPC of Eqs 8, 9 with the constraint of Eq. 9b activated, where then:for t ∈ [t_k, t_k+1), according to Eq. 18 in Heidarinejad et al. (2012a). In a worst case, −α₃(|x(t_k)|) is close to zero near the origin, so that it can be neglected. From the requirement of Eq. 85, when . Substituting ρ_s and from Eq. 87 gives Eq. 86d. Equation 86e comes from the requirement that . The bounds on the decision variables were set based on expectations of the values of the parameters and theoretical requirements. For example, because and ρ_min > 0, , and ρ > 0 Eqs 86f, 86h, 86j were set (if the parameters , ρ_s, or ρ_min were to equal zero in the result of Eq. 86, then our conclusion would be that the algorithm did not work properly). Δ should be positive (leading to the lower bound of 0 in Eqs 86g, where again if Δ = 0, it would be considered that the result is problematic), and we expected it to be relatively small given the conditions of Proposition 2 and Proposition 6 and Theorem 6, so that an upper bound on Δ of 5 was selected in Eq. 86g, but this could be adjusted to be higher if desired. Finally, due to a lack of knowledge of what value should take besides that it should be positive, a large upper bound was provided to this parameter in Eq. 86i, with a lower bound enforcing that the parameter be positive. The lower bound of 10^–5 was selected to prevent the parameter from decreasing all the way to zero, as it should be positive, but this lower bound could be adjusted. This optimization problem was solved in MATLAB using fmincon. From the initial guess , Δ = 10^–12, ρ_s = 1, , and ρ_min = 1, fmincon returned that the solution had converged to an infeasible point. To better understand the reason for the infeasibility and how to overcome it, the constraints can be analyzed one by one with the parameters shown in Table 3. Several of the constraints are shown in Table 4.

Our first task is to analyze what values of the decision variables might satisfy these constraints, particularly those of interest in applying LEMPC (e.g., larger sampling periods and values of ). Considering first Eq. 86b in Table 4, we note that the value of Δ would need to be small due to the exponential terms in which Δ appears (for example, Δ of 10^–5 h would enable Eq. 86b to be satisfied with at an example value in its allowable range (from Eq. 86f) of 1,000). However, moving to Eq. 86c in Table 4, we see that problems arise. First, we note that even if takes its smallest value according to Eq. 86i, if Δ = 10^–5 h, then ρ_s would need to be at least 9, 957, 459, 550, which is not less than ρ and is therefore not allowable. However, even if Δ was 0 (which is asymptotically the smallest value it could reach) and was 10^–5, the term containing the noise bound θ_w would still cause the requirement on ρ_s to be that it be at least 5, 051, 116, 305, which again is much larger than ρ and therefore not allowable. This provides an indication that for the parameters of the LEMPC to provide guarantees for the selected values of ρ, V, h, α₁(⋅), α₂(⋅), α₃(⋅), and α₄(⋅), the value of θ_w needs to be small. In the following discussion, we will consider that it is 0 (no disturbances/plant-model mismatch).

If θ_w = 0, then values of , ρ_min = 11, ρ_s = 10, Δ = 10^–15 h, and satisfy the requirements of Eqs 86b–86j. However, this small sampling period would likely pose significant implementation challenges, particularly due to the need to execute an optimization problem every 10^–15 h, and then it could also be challenging to simulate with these parameters (e.g., it could take a long time to simulate any substantial time length if 10^–15 h was explicitly used as the time period). The problem with the sampling period size in this case is not only due to ρ_s being small; even if ρ_s was set to its maximum possible value of ρ = 1,800 from Eq. 86h in this case, was set to its minimum value, and θ_w was set to 0, then Eq. 86c still indicates that Δ would need to be no more than 3.66 × 10^–12 h. This motivates the question of what might happen to Δ if ρ was made smaller to affect some of the parameters in Table 3.

To investigate this, we can redo the procedure above for a different value of ρ that is smaller, to analyze the effects on the parameters of Table 3 and also on the feasible space of Eq. 86. Selecting ρ = 200 (i.e., ρ is about an order of magnitude smaller than above) and neglecting disturbances, we note that a₁ and a₂ are fixed by P for the selected form of V, α₁(⋅), and α₂(⋅), so that if these are still “large” in the resulting problem, V, α₁(⋅), or α₂(⋅) would need to change to make an impact on these. Though ρ is smaller here, we do not update the discretization of the stability region used, as the values that are obtained from the above procedure provide a best case (i.e., additional points in the stability region can only make a₃ smaller, making it harder to find a larger Δ meeting Eq. 86c, and cannot make a₄, M_f, L_x, L_w, , , and M_v smaller, which can also make it harder to find a larger Δ meeting Eq. 86c). Therefore, we attempt to obtain a sense of whether changing the size of ρ allows Δ to be significantly larger than in the case with ρ = 1,800 with the coarser discretization.

The new parameters from the above procedure with ρ = 200 are shown in Table 5. With these updated parameters, Eq. 86 gives a solution this time, specifically the solution in Table 6. The value of is maximized by driving it to its upper bound (since should be less than ρ, a constraint could be added in the future versions of this problem with a form similar to that in Eq. 86e but replacing ρ_min with and ρ_e with ρ, to enforce that is a strict subset of Ω_ρ). The value of Δ in Table 6 is still incredibly small for process simulation. To check whether this is a fundamental limit of the parameters in Table 5 or a function of the maximization of in Eq. 86, we can perform an analysis of the maximum possible value of Δ in Eq. 86c. For the parameters in Table 5, if ρ_s was its maximum possible value of ρ = 200 in Eq. 86c and was its minimum possible value of 10^–5, then Δ in this equation would still need to be no larger than 2.245 × 10^–10 h (again, a very small number).

The maximum possible value of Δ from this procedure from the case with ρ = 200 is about 2 orders of magnitude smaller than the maximum possible value of Δ for the case with ρ = 1,800; this begs the question of whether a further reduction of ρ may improve the situation (we also note that the discretization could play a role in this, which was not further explored in the preliminary analyses of this study). We could consider ρ = 20 for which the parameters obtained via the method above and Eq. 86 are provided in Tables 7, 8. In this case, although a₃ is increased compared to Table 5 (at least among the points in the discretization used), ρ is smaller so that the maximum possible value of ρ_s is smaller and therefore the negative term in Eq. 86c does not become as large as would be desired to raise Δ. In this case, the maximum possible value of Δ from the procedure described is 3.82 × 10^–10 h, which again is very small.

We see then that for the discretizations checked, decreasing the size of the stability region did not put the magnitude of Δ in a reasonable range for the selected for h, V, and α_i, i = 1, 2, 3, 4. This gives a greater insight into Remark 12, which indicated that it is necessary to select h and V such that reasonable parameters can be obtained. Future work could explore other functions h, V, and α_i, i = 1, 2, 3, 4 for this process to see whether there exists any that could result in more reasonable values of Δ or not. The results of this section also shed light on what changes could aid in making Δ larger (for example, it is seen above that a major reason why Δ is so small in each simulation is because a₃ is small compared to a₂ in each case and ρ_s is limited in magnitude by ρ, causing the only negative term in Eq. 86c to be small, and then since the terms that multiply Δ are large for the given shape of Ω_ρ, Δ must be small in each case to prevent the positive term containing Δ from overwhelming the negative term containing ρ_s and preventing from being positive as required by Eq. 86i). Although these results have not focused directly on the cybersecurity of control systems, they give some indication of the challenges that would be faced in working toward developing the control parameters of a cyberattack-resilient LEMPC meeting the theory in this work. They indicate that meeting the theory requires better strategies than that used in this section for preventing vulnerabilities.

10 Conclusion

This work extended the control/detection strategies developed in Oyama and Durand (2020) to handle actuator attacks and cases where actuator and sensor attacks can occur simultaneously. For the event where multiple attacks are considered, several integrated control/detection frameworks that pair the detection strategies designed for single attack-type events were investigated. It was demonstrated that certain combinations of the detection strategies can be ineffective to flag both types of cyberattacks evaluated in this work, while others create a cyberattack-resilient structure that enables the detection of individual or simultaneous sensor and actuator attack types while ensuring safe operation even if undetected attacks occur. In particular, the pairing of Detection Strategies 1-A and 3-S and the pairing of Detection Strategies 2-A and 3-S were shown to be resilient against both types of cyberattacks. The major benefits of these methods are that multiple attack scenarios can be discovered, which adds a layer of protection, and closed-loop stability is guaranteed if an attack policy is not flagged by these two-piece structures. Finally, to characterize the fundamental nature of sensor and actuator attacks, we mathematically defined the concept of cyberattack discoverability in the context of process control and stealthy attack policies, which may provide insights for future detection strategy development. The potential practical challenges with designing LEMPCs meeting theoretical conditions, a precursor study for getting the parameters of cyberattack-resilient LEMPCs, elucidated some of the potential challenges with obtaining the parameters meeting the theory that could be addressed in future work.

References

• 1

  AhrensJ. H.KhalilH. K. (2009). High-gain Observers in the Presence of Measurement Noise: A Switched-Gain Approach. Automatica45, 936–943. 10.1016/j.automatica.2008.11.012

  • CrossRef
  • Google Scholar

• 2

  AniU. P. D.HeH.TiwariA. (2017). Review of Cybersecurity Issues in Industrial Critical Infrastructure: Manufacturing in Perspective. J. Cyber Security Technol.1, 32–74. 10.1080/23742917.2016.1252211

  • CrossRef
  • Google Scholar

• 3

  BemporadA.MorariM.DuaV.PistikopoulosE. N. (2002). The Explicit Linear Quadratic Regulator for Constrained Systems. Automatica38, 3–20. 10.1016/s0005-1098(01)00174-1

  • CrossRef
  • Google Scholar

• 4

  BruntonS. L.ProctorJ. L.KutzJ. N. (2016). Discovering Governing Equations from Data by Sparse Identification of Nonlinear Dynamical Systems. Proc. Natl. Acad. Sci. USA113, 3932–3937. 10.1073/pnas.1517384113

  • CrossRef
  • Google Scholar

• 5

  CárdenasA. A.AminS.LinZ.-S.HuangY.-L.HuangC.-Y.SastryS. (2011). “Attacks against Process Control Systems: Risk Assessment, Detection, and Response,” in Proceedings of the ACM Asia Conference on Computer & Communications Security, Hong Kong, China.

  • Google Scholar

• 6

  ChenS.WuZ.ChristofidesP. D. (2020). A Cyber-Secure Control-Detector Architecture for Nonlinear Processes. AIChE J.66, e16907. 10.1002/aic.16907

  • CrossRef
  • Google Scholar

• 7

  DavisJ.EdgarT.GraybillR.KorambathP.SchottB.SwinkD.et al (2015). Smart Manufacturing. Annu. Rev. Chem. Biomol. Eng.6, 141–160. 10.1146/annurev-chembioeng-061114-123255

  • CrossRef
  • Google Scholar

• 8

  DingD.HanQ.-L.GeX.WangJ. (2020). Secure State Estimation and Control of Cyber-Physical Systems: A Survey. IEEE Trans. Syst. Man, Cybernetics: Syst.51, 176–190.

  • Google Scholar

• 9

  DurandH. (2018). A Nonlinear Systems Framework for Cyberattack Prevention for Chemical Process Control Systems. Mathematics6, 44. 10.3390/math6090169

  • CrossRef
  • Google Scholar

• 10

  DurandH.MessinaD. (2020). “Enhancing Practical Tractability of Lyapunov-Based Economic Model Predictive Control,” in Proceedings of the American Control Conference, Denver, Colorado, 2018–2023. 10.23919/acc45564.2020.9147880

  • CrossRef
  • Google Scholar

• 11

  DurandH.WegenerM. (2020). Mitigating Safety Concerns and Profit/production Losses for Chemical Process Control Systems under Cyberattacks via Design/control Methods. Mathematics8, 499. 10.3390/math8040499

  • CrossRef
  • Google Scholar

• 12

  EllisM.DurandH.ChristofidesP. D. (2014a). A Tutorial Review of Economic Model Predictive Control Methods. J. Process Control.24, 1156–1178. 10.1016/j.jprocont.2014.03.010

  • CrossRef
  • Google Scholar

• 13

  EllisM.ZhangJ.LiuJ.ChristofidesP. D. (2014b). Robust Moving Horizon Estimation Based Output Feedback Economic Model Predictive Control. Syst. Control. Lett.68, 101–109. 10.1016/j.sysconle.2014.03.003

  • CrossRef
  • Google Scholar

• 14

  GriffithD. W. (2018). “Advances in Nonlinear Model Predictive Control for Large-Scale Chemical Process Systems,”. Ph.D. thesis (Pittsburgh, Pennsylvania: Carnegie Mellon University).

  • Google Scholar

• 15

  HeidarinejadM.LiuJ.ChristofidesP. D. (2012a). Economic Model Predictive Control of Nonlinear Process Systems Using Lyapunov Techniques. AIChE J.58, 855–870. 10.1002/aic.12672

  • CrossRef
  • Google Scholar

• 16

  HeidarinejadM.LiuJ.ChristofidesP. D. (2012b). State-estimation-based Economic Model Predictive Control of Nonlinear Systems. Syst. Control. Lett.61, 926–935. 10.1016/j.sysconle.2012.06.007

  • CrossRef
  • Google Scholar

• 17

  KhalilH. K. (2002). Nonlinear Systems. Third edn. Upper Saddle River, New Jersey: Prentice-Hall.

  • Google Scholar

• 18

  LaoL.EllisM.DurandH.ChristofidesP. D. (2015). Real-time Preventive Sensor Maintenance Using Robust Moving Horizon Estimation and Economic Model Predictive Control. AIChE J.61, 3374–3389. 10.1002/aic.14960

  • CrossRef
  • Google Scholar

• 19

  LinY.SontagE. D. (1991). A Universal Formula for Stabilization with Bounded Controls. Syst. Control. Lett.16, 393–397. 10.1016/0167-6911(91)90111-q

  • CrossRef
  • Google Scholar

• 20

  MhaskarP.LiuJ.ChristofidesP. D. (2012). Fault-tolerant Process Control: Methods and Applications. Berlin, Germany: Springer Science & Business Media.

  • Google Scholar

• 21

  Muñoz de la PeñaD.ChristofidesP. D. (2008). Lyapunov-based Model Predictive Control of Nonlinear Systems Subject to Data Losses. IEEE Trans. Automat. Contr.53, 2076–2089. 10.1109/tac.2008.929401

  • CrossRef
  • Google Scholar

• 22

  NarasimhanS.El-FarraN. H.EllisM. J. (2021). Detectability-based Controller Design Screening for Processes under Multiplicative Cyberattacks. AIChE J.68, e17430. 10.1002/aic.17430

  • CrossRef
  • Google Scholar

• 23

  OyamaH.DurandH. (2020). Integrated Cyberattack Detection and Resilient Control Strategies Using Lyapunov-Based Economic Model Predictive Control. AIChE J.66, e17084. 10.1002/aic.17084

  • CrossRef
  • Google Scholar

• 24

  OyamaH.RanganK. K.DurandH. (2021). Handling of Stealthy Sensor and Actuator Cyberattacks on Evolving Nonlinear Process Systems. J. Adv. Manufacturing Process.3, e10099. 10.1002/amp2.10099

  • CrossRef
  • Google Scholar

• 25

  PapachristodoulouA.PrajnaS. (2002). “On the Construction of Lyapunov Functions Using the Sum of Squares Decomposition,” in Proceedings of the IEEE Conference on Decision and Control (Las Vegas, Nevada: IEEE), Vol. 3, 3482–3487.

  • Google Scholar

• 26

  PasqualettiF.DörflerF.BulloF. (2013). Attack Detection and Identification in Cyber-Physical Systems. IEEE Trans. Automat. Contr.58, 2715–2729. 10.1109/tac.2013.2266831

  • CrossRef
  • Google Scholar

• 27

  QinS. J.BadgwellT. A. (2003). A Survey of Industrial Model Predictive Control Technology. Control. Eng. Pract.11, 733–764. 10.1016/s0967-0661(02)00186-7

  • CrossRef
  • Google Scholar

• 28

  RanganK. K.OyamaH.DurandH. (2021). Integrated Cyberattack Detection and Handling for Nonlinear Systems with Evolving Process Dynamics under Lyapunov-Based Economic Model Predictive Control. Chem. Eng. Res. Des.170, 147–179. 10.1016/j.cherd.2021.03.024

  • CrossRef
  • Google Scholar

• 29

  RawlingsJ. B.AngeliD.BatesC. N. (2012). “Fundamentals of Economic Model Predictive Control,” in Proceedings of the IEEE Conference on Decision and Control, Maui, Hawaii, 3851–3861. 10.1109/cdc.2012.6425822

  • CrossRef
  • Google Scholar

• 30

  SetolaR.FaramondiL.SalzanoE.CozzaniV. (2019). An Overview of Cyber Attack to Industrial Control System. Chem. Eng. Trans.77, 907–912.

  • Google Scholar

• 31

  TuptukN.HailesS. (2018). Security of Smart Manufacturing Systems. J. Manufacturing Syst.47, 93–106. 10.1016/j.jmsy.2018.04.007

  • CrossRef
  • Google Scholar

• 32

  WuZ.AlbalawiF.ZhangJ.ZhangZ.DurandH.ChristofidesP. D. (2018). Detecting and Handling Cyber-Attacks in Model Predictive Control of Chemical Processes. Mathematics6, 22. 10.3390/math6100173

  • CrossRef
  • Google Scholar

• 33

  YeD.LuoS. (2019). A Co-design Methodology for Cyber-Physical Systems under Actuator Fault and Cyber Attack. J. Franklin Inst.356, 1856–1879. 10.1016/j.jfranklin.2019.01.009

  • CrossRef
  • Google Scholar