Analysis and Design
of Networked Control
Systems under Attack
Yuan Yuan
Hongjiu Yang
Lei Guo
Fuchun Sun
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2019 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
Version Date: 20180825
International Standard Book Number-13: 978-1-138-61275-4 (Hardback)
This book contains information obtained from authentic and highly regarded sources. Reasonable
efforts have been made to publish reliable data and information, but the author and publisher cannot
assume responsibility for the validity of all materials or the consequences of their use. The authors and
publishers have attempted to trace the copyright holders of all material reproduced in this publication
and apologize to copyright holders if permission to publish in this form has not been obtained. If any
copyright material has not been acknowledged please write and let us know so we may rectify in any
future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced,
transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or
hereafter invented, including photocopying, microfilming, and recording, or in any information
storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access
www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc.
(CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization
that provides licenses and registration for a variety of users. For organizations that have been granted
a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and
are used only for identification and explanation without intent to infringe.
Library of Congress Cataloging-in-Publication Data
Names: Yuan, Yuan (Systems engineer), author. | Yang, Hongjiu, author. | Guo,
Lei, author. | Sun, Fuchun, 1964- author.
Title: Analysis and design of networked control systems under attacks / by
Yuan Yuan, Hongjiu Yang, Lei Guo and Fuchun Sun.
Description: First edition. | Boca Raton, FL : CRC Press/Taylor & Francis
Group, [2019] | Includes bibliographical references and index.
Identifiers: LCCN 2018023408| ISBN 9781138612754 (hardback : acid-free
paper) | ISBN 9780429443503 (e-book)
Subjects: LCSH: Supervisory control systems--Security measures. | Automatic
control--Security measures.
Classification: LCC TJ222 .Y83 2019 | DDC 629.8/9--dc23
LC record available at https://lccn.loc.gov/2018023408
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Network security affects and changes the world and life
Game theory deals with network attack effectively
For researchers devoted to optimal controller
Contents
Preface
Symbols and Acronyms
1 Introduction
1.1 Background
1.2 Form of Attacks in NCSs
1.3 Problem Studied in This Book
1.3.1 Attacks in Networked Control Systems
1.3.2 Resilient Control of WNCSs
1.3.3 Application of Resilient Control to Power System
1.3.4 Coupled Design of CPS under Attacks
Part I The Attacks in Networked Control Systems
2 A Unified Game Approach for NCSs under DoS Attacks
2.1 Introduction
2.2 Problem Formulation
2.2.1 The Model of NCS Subject to DoS Attack
2.2.2 MTOC and CTOC Design
2.2.3 Impact Metrics
2.2.4 Defense and Attack Strategy Design
2.3 MTOC and CTOC Control Strategies
2.3.1 Finite Time Horizon Case
2.3.2 Infinite Time Horizon Case
2.4 Defense and Attack Strategies
2.4.1 Development of Defense Strategies
2.4.2 Development of Attack Strategies
2.5 Numerical Simulation
2.5.1 Building Model Description
2.5.2 Strategy Design
2.5.3 Robust Study
2.5.4 Comparative Study
2.5.5 Experiment Verification
2.6 Conclusion
3 Optimal Control for NCSs with Disturbances
3.1 Introduction
3.2 Problem Formulations
3.3 Optimal Controller Design in the Delta Domain
3.3.1 Finite-Time Horizon Case
3.3.2 Infinite-Time Horizon Case
3.4 Robustness Analysis of ε-Optimum
3.4.1 Finite-Time Horizon Case
3.4.2 Infinite-Time Horizon Case
3.5 Illustrative Examples
3.5.1 Numerical Simulation
3.5.2 Experimental Verification
3.6 Conclusion
4 Resilient NPC for NCSs against DoS Attack
4.1 Introduction
4.2 Problem Formulation and Preliminaries
4.2.1 Optimal DoS Attack Scheme
4.2.2 The Domain of Attraction
4.3 Main Results
4.3.1 Least Attack Steps
4.3.2 Design of Kalman Filter
4.3.3 Defense Strategy
4.3.4 Algorithms of Attacks and Defenses
4.4 Numerical Example
4.5 Conclusion
Part II Resilient Control of WNCSs
5 A Hierarchical Game Approach to Secure WNCSs
5.1 Introduction
5.2 Problem Setup
5.2.1 Transmit Model with SINR
5.2.2 Control Model under Disturbance
5.3 Main Results
5.3.1 Strategy Design for G1
5.3.2 Strategy Design for G2
5.3.3 Coupled Design for the WNCS
5.4 Simulation Example
5.5 Conclusion
6 A Bayesian Game Approach to Secure WNCSs
6.1 Introduction
6.2 Problem Formulation
6.2.1 WNCS Framework
6.2.2 Wireless Communication Channel
6.2.3 Bayesian Stackelberg Game Equilibrium
6.3 Main Results
6.3.1 Best Responses for Cyber-Layer Game
6.3.2 Optimal Controller Design
6.3.3 Coupled Design
6.4 Numerical Example
6.5 Conclusion
Part III Application of Resilient Control to Power System
7 Quantifying the Impact of Attacks on NCSs
7.1 Introduction
7.2 Problem Formulation
7.3 Main Results
7.3.1 Multitasking Optimal Control Strategy
7.3.2 Robustness Analysis of ε-NE
7.4 Numerical Examples
7.5 Conclusion
8 Resilient Control of CPS against Intelligent Attacker
8.1 Introduction
8.2 Problem Setting
8.2.1 Hierarchical Model for RCS
8.2.2 Design Objective
8.3 Main Contents
8.3.1 Stackelberg Configuration Strategy for G1
8.3.2 Stackelberg Control Strategy for G2
8.3.3 Coupled Design of RCS
8.4 Numerical Case
8.4.1 Dynamic Model
8.4.2 Simulation Results
8.4.3 Discussions
8.5 Conclusion
9 Multitasking Optimal Control of NCSs
9.1 Introduction
9.2 Problem Formulation
9.2.1 Delta-Domain Model of NCS
9.2.2 Design Objective for Multitasking NCS
9.3 Main Results
9.3.1 Design of the Control Strategy
9.3.2 Robustness of ε-NE
9.4 Numerical Simulation
9.5 Conclusion
Part IV Coupled Design of CPS under Attacks
10 Coupled Design of IDS and CPS under DoS Attacks
10.1 Introduction
10.2 Problem Formulation
10.2.1 Structure of RCS
10.2.2 The Game
10.2.3 Design Objective
10.3 Main Content
10.3.1 NE Configuration Strategy for G1
10.3.2 NE Control Strategy for G2
10.3.3 Coupled Design Problem
10.4 Numerical Simulation
10.4.1 Dynamic Model
10.4.2 Simulation Results
10.5 Conclusion and Future Work
11 Attack-Tolerant Control for Nonlinear NCSs
11.1 Introduction
11.2 Problem Statement and Preliminaries
11.2.1 Control Model
11.2.2 Attack Model
11.3 Iterative ADP Algorithm
11.3.1 Formula Derived for Iterative ADP Algorithm
11.3.2 Properties of Iterative ADP Algorithm
11.4 Realization of Iterative ADP Algorithm by Neural Networks
11.5 Numerical Example
11.6 Conclusion
12 Coupled Design of CPS under DoS Attacks
12.1 Introduction
12.2 Resilient and H∞ Optimal Control
12.2.1 Attacks on ICS
12.2.2 System Framework
12.2.3 Optimal Defense Mechanism
12.2.4 H∞ Optimal Control
12.2.5 Coupled Design
12.3 Numerical Simulation
12.4 Conclusion
13 Attack-Tolerant Control under DoS Attacks
13.1 Introduction
13.2 Preliminaries
13.3 Problem Statement
13.4 Optimal Strategy Design
13.4.1 Optimal Defense Policy
13.4.2 H∞ Optimal Control
13.4.3 Joint Optimal Policy Design
13.5 Numerical Simulation
13.6 Conclusion
References
Index
Preface
With the rapid development of network and control technologies, the combination of communication networks and control systems has become an inevitable trend. Recent years have witnessed the widespread application of Networked Control Systems (NCSs) in critical infrastructures such as power systems, chemical industries, manufacturing, water supply, and natural gas industries. Signals of control systems are transmitted via public networks, which increases the flexibility, interoperability and resource sharing of a control system. However, the introduced networks also bring some challenges to NCSs. A control system is no longer isolated once its control and measurement signals are transmitted over public networks, which largely increases the probability of attack. Since control systems connect the information world and the physical world, any successful attack on NCSs will lead to significant loss of property or even human lives.
At present, the design and analysis of NCSs under cyber attacks is a cross-disciplinary field with a large number of original, serious problems and challenges to explore. Inserting a communication network into a feedback loop breaks the integrity of the control system and raises many challenging issues, such as time delays, packet dropouts, packet disorder, communication limitations, and network attacks. Controller design for NCSs should take these issues into account. Many original problems still need to be addressed in NCSs. Therefore, the analysis and design of NCSs under attack is of great importance.
Chapter 1 provides the motivation for the research, its history, and an overview of recent developments in NCSs under attack.
The rest of the book consists of four parts:
Part I: The attacks in networked control systems are introduced. In Chapter 2, two types of optimal control strategies, multiple-tasking and central-tasking optimal control subject to DoS attacks, are developed in the delta domain using game-theoretic tools. Strategy design is provided for both finite and infinite time horizon cost-to-go functions. In Chapter 3, ε-optimal control for NCSs with disturbances is presented. In Chapter 4, a defence strategy based on networked predictive control is proposed for a system with actuator saturation.
Part II: Some resilient control strategies are provided for wireless NCSs. In Chapter 5, a two-player zero-sum Markov game scheme is established for wireless NCSs and an H∞ optimal controller is designed by solving the minmax problem in the delta domain. In Chapter 6, a Bayesian Stackelberg game is used to design an H∞ minmax resilient controller.
Part III: Resilient control strategies are applied in power systems. In Chapter 7, an upper bound on the epsilon level under a novel attack model is provided explicitly to quantify the impact of attacks on NCSs. In Chapter 8, the interaction of intelligent denial-of-service attackers and Intrusion Detection Systems (IDSs) is modeled as a static infinite Stackelberg game, and some algorithms are given to find a joint optimal defense strategy. In Chapter 9, a multitasking optimal control problem is solved for NCSs with packet dropouts and time delays.
Part IV: Coupled design of cyber-physical systems under attacks is investigated in further depth. In Chapter 10, a game-in-game structure for the coupled design of resilient control systems is proposed to develop defense strategies. In Chapter 11, an iterative adaptive dynamic programming algorithm is derived for NCSs with actuator saturation. In Chapter 12, a cross-layer design is proposed for NCSs based on the IDS configuration policy at the cyber layer and the controller at the physical layer. In Chapter 13, a coupled design methodology is proposed to achieve joint optimality.
We would like to thank some of our colleagues who, through collaboration
on the topics of this book, motivated and helped us in many ways. First of all,
we would like to extend our sincere gratitude to Min Shi, for her instructive
advice and useful suggestions on our book. We are deeply grateful to Peng
Zhang for help in completion of this book. Also, we are greatly indebted to
Huanhuan Yuan, for her valuable instructions and suggestions on our book as
well as her careful writing of the manuscript. Meanwhile, high tribute shall be
paid to Hao Xu and Ying Li, who have instructed and helped us a lot. And
last but not least, our special thanks go to our families; without their sacrifice,
encouragement and support, this book would not have been completed.
Haidian District, Beijing, China, Yuan Yuan
Haigang District, Qinhuangdao, China, Hongjiu Yang
Haidian District, Beijing, China, Lei Guo
Haidian District, Beijing, China, Fuchun Sun
July 2017
Symbols and Acronyms
$T_s$    sampling period
$\mathbb{R}^n$    n-dimensional real Euclidean space
$\mathbb{R}^{n \times m}$    space of n × m real matrices
$I$    identity matrix
$A$    system matrix
$A^{-1}$    inverse of matrix A
$A^T$    transpose of matrix A
$A \geq 0$    symmetric positive semi-definite
$A > 0$    symmetric positive definite
$A \leq 0$    symmetric negative semi-definite
$A < 0$    symmetric negative definite
min    minimum
max    maximum
DoS    denial-of-service
NCS    networked control system
WNCSs    wireless networked control systems
CPSs    cyber-physical systems
SINR    signal-to-interference-plus-noise ratio
IDSs    intrusion detection systems
NPC    networked predictive control
NE    Nash Equilibrium
LMIs    linear matrix inequalities
$l_2[0, \infty)$    the space of square integrable vectors
$\{M_i\}_{i=1}^{r}$    a series of matrices $M_1, M_2, \cdots, M_r$
$\det(A)$    determinant of matrix A
$\mathrm{rank}(A)$    rank of matrix A
$0_{n \times m}$    zero matrix of dimension n × m
$\lambda(A)$    eigenvalue of matrix A
$\lambda_{\min}(A)$    minimum eigenvalue of matrix A
$\lambda_{\max}(A)$    maximum eigenvalue of matrix A
$\mathrm{sign}(x)$    sign of x
$|x|$    absolute value (or modulus) of x
$\|x\|$    Euclidean norm
$\|P\|$    induced norm $\sup_{\|x\|=1} \|Px\|$
$\forall$    for all
$\in$    belongs to
$\rightarrow$    tend to, or mapping to (case sensitive)
$\otimes$    matrix Kronecker product
$\sum$    sum
$E\{\cdot\}$    mathematical expectation operator
$G_1$    Cyber layer security game
$G_2$    Physical layer game
$P_{ai}$    Player i of $G_1$, $i \in \{1, 2\}$
$P_{bj}$    Player j of $G_2$, $j \in \{1, 2\}$
$J_{a1}$    Cost function for Player $P_{a1}$ in $G_1$
$J_{a2}$    Cost function for Player $P_{a2}$ in $G_1$
$J_b$    Cost function in $G_2$
$u_a^i$    Strategy vector for $P_{ai}$ in $G_1$
$u_k$    Strategy vector for $P_{b1}$ at k in $G_2$
$w_k$    Strategy vector for $P_{b2}$ at k in $G_2$
Chapter 1
Introduction
1.1 Background
In recent years, networks have received considerable attention with the rapid development of network technologies, and combining networks with control systems has become an inevitable trend. At present, NCSs are widely applied in strategic and significant infrastructure fields such as electrical power systems, the chemical industry, the manufacturing industry, natural gas systems, etc. [54, 183]. Equipped with networks, control systems gain many advantages in mobility and flexibility. However, the introduced networks also bring new challenges to control systems. Although transmitting control commands or measurement signals via public networks reduces costs, the inherent closedness of control systems is inevitably broken. Traditional control systems adopted dedicated signal transmission protocols. At present, standard transmission protocols and commercial operating systems are used in control systems, which seriously increases their exposure to attack. Since control systems have high requirements for real-time operation and availability, many control systems ignore or even deliberately reduce security protection. From the perspective of the external environment, attack means and techniques are developing steadily. Attacks aimed at industrial control systems are now emerging in an endless stream [194, 141]. Recent examples include the following:
• In 2010, the first nuclear power station in Iran was attacked by Stuxnet, a malicious computer worm targeting industrial computer systems. The nuclear program of Iran was seriously delayed by the Stuxnet attack [72].
• In April 2016, a nuclear power plant in Germany was attacked by the “Conficker” and “W32.Ramnit” viruses, which were discovered in the plant’s Block B IT networks that handled the fuel handling system.
• In November 2016, San Francisco’s Municipal Railway was hacked, which made the railway fare system unavailable.
• In December 2016, Ukraine Electric Grid was attacked simultaneously at three regional power firms, which led to an electricity blackout for 225,000 Ukrainian power customers. Before the attacks, the adversaries spent six months on reconnaissance; then they broke into the utility’s networks via a phishing attack.
Among the aforementioned control system security events, Stuxnet specifically targets industrial control systems by infecting Programmable Logic Controllers (PLCs). According to statistics, at least 60% of personal computers have been infected with Stuxnet. Moreover, Stuxnet has given rise to many similar viruses such as Duqu, Flame, and so on [134]. Figure 1.1 shows the number of security events in industrial control systems, as reported by the Industrial Control Systems Cyber Emergency Response Team.
Figure 1.1 Numbers on security events in industrial control systems.
Figure 1.1 shows that security events in industrial control systems are increasing year after year. Because industrial control systems play key roles in national infrastructure, the poor security of control systems seriously threatens public life. Therefore, many countries have taken steps to enhance the security of industrial control systems. In America, the Department of Energy has established the national Supervisory Control And Data Acquisition (SCADA) test bed program and a 10-year outline for the protection of industrial control systems [30]. Oak Ridge National Laboratory, Edward National Laboratory, and some other universities have together investigated the security of control systems. In 2012, Japan also established a center for industrial control systems for the purpose of enhancing the network security of key infrastructures. In 2013, the European Union Agency for Network and Information Security published a white paper on industrial control system network security. IEEE Transactions on Cybernetics, IEEE Transactions on Automatic Control, and IEEE Transactions on Industrial Informatics have held special issues on industrial control system security. At present, industrial control system security has received significant attention around the world.
In the following, we present some typical examples of control systems that
are vulnerable to network attacks.
An Unmanned Aerial Vehicle (UAV) communication and control system is shown in Figure 1.2. It consists of the UAV, a navigation satellite, a mobile ground control station, a ground control station, and so on, with communication links among these components. Network adversaries are able to attack the communication links to affect UAV control. For example, in the “RQ-170 Sentinel Event” of the United States, an unmanned aerial vehicle was captured because the navigation communication networks were attacked. In addition, since UAVs can communicate with each other, if one unmanned aerial vehicle is attacked, the other UAVs will also be affected.
Figure 1.2 Network attack UAV control system.
Figure 1.3 is a SCADA system architecture diagram that generally includes data acquisition equipment and control terminal equipment, which are also named the slave computer and the host computer, respectively. The slave computer usually consists of Remote Terminal Cells (RTCs) and PLCs. The typical host computer system comprises a workstation, data server, web server, SCADA server, and so on. Due to the wide deployment of SCADA systems, it is easy for adversaries to get access to them. Adversaries are capable of directly attacking actuators or sensors in the slave computer, attacking the networks between the slave computer and the host computer, or even invading the interior of the host computer. For example, the adversary modifies the value displayed on man-machine interfaces, which makes the operator unaware of attacks.
Figure 1.3 SCADA system architecture diagram under attack.
Summarizing the above discussion, it is of great urgency and necessity to
develop the research on the security of NCSs.
1.2 Form of Attacks in NCSs
This section presents potential forms of attack in NCSs; some typical forms
are described in detail in the following.
• Attacks against physical objects [107]: Attacks against physical objects are
a kind of attack form which is directed against physical structures such
as controllers, actuators, sensors, or plants. The attack model of attacks
against physical objects is shown as follows.
Figure 1.4 Attacks against physical objects.
• Integrity attacks [98]: In integrity attacks, attackers intentionally modify
control commands or measurement data to compromise the NCSs. The
NCSs then operate wrongly because they have obtained wrong external
information. Moreover, the integrity attack can be further
subdivided into deception attack, cover attack, replay attack, and data
injection attack [188]. Among these, deception attacks mainly compromise the
NCSs by way of fault detection and isolation systems. In a fault detection
and isolation system, filtering algorithms are usually used to calculate
an estimated value of the sensor measurement. If the difference between the
measured value and the estimated value is larger than a given threshold value,
then the fault detection and isolation system will trigger an alarm.
Deception attacks aim to interfere with the control or measurement processes
of the NCSs without triggering an alarm. The attack model of integrity
attacks is shown in Figure 1.5.
Figure 1.5 Deception attack.
• Availability attacks [21, 170, 61]: Availability attacks are also called
denial-of-service (DoS)/jamming attacks, which aim at preventing the control
command or sensor measurement from being sent to intended users by
interfering with communication channels. When DoS attacks interfere with the
transmission channels of NCSs, additional time delays and packet dropout
are caused. Note that current NCSs have high requirements for real-time
properties. Any additional time delay or packet dropout will have a
serious impact on the performance of NCSs, and may even lead to instability
of the NCSs. The attack model of DoS attacks is shown in Figure 1.6.
Figure 1.6 DoS attack.
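The threshold test described under integrity attacks, as an added example that is not from the book: a scalar plant with a fixed-gain filter, run on constructed data to show which sensor offsets raise an alarm and how far an offset below the alarm margin shifts the estimate. The plant pole, filter gain, noise bounds, threshold and offset sizes are all assumed values.

```python
import random

A = 0.9           # assumed plant pole: x[k+1] = A*x[k] + w[k]
GAIN = 0.5        # assumed fixed filter gain (stands in for a Kalman gain)
W_MAX = 0.02      # assumed bound on process noise w
V_MAX = 0.05      # assumed bound on measurement noise v
THRESHOLD = 0.2   # alarm when |measured - estimated| exceeds this value


def run_detector(bias, steps=200, seed=1):
    """Run the filter and the threshold test over a constructed trajectory.

    bias(k) is the offset added to the sensor reading at step k.
    Returns (alarm_steps, mean of x_hat - x over the second half of the run).
    """
    rng = random.Random(seed)
    x = x_hat = 1.0
    alarms, offsets = [], []
    for k in range(steps):
        x = A * x + rng.uniform(-W_MAX, W_MAX)         # true state
        y = x + rng.uniform(-V_MAX, V_MAX) + bias(k)   # reported measurement
        y_est = A * x_hat                              # estimated measurement
        residual = y - y_est
        if abs(residual) > THRESHOLD:
            alarms.append(k)
        x_hat = y_est + GAIN * residual                # filter update
        if k >= steps // 2:
            offsets.append(x_hat - x)
    return alarms, sum(offsets) / len(offsets)


def nominal(k):
    return 0.0


def abrupt_bias(k):
    # Constructed case: large step in the reading from k = 50.
    return 1.0 if k >= 50 else 0.0


def small_bias(k):
    # Constructed case: offset smaller than the detector's margin.
    return 0.05 if k >= 50 else 0.0


if __name__ == "__main__":
    cases = [("nominal", nominal), ("abrupt", abrupt_bias), ("small", small_bias)]
    for name, fn in cases:
        alarms, offset = run_detector(fn)
        print(f"{name:8s} alarms={len(alarms):3d} first={alarms[:1]} "
              f"estimate offset={offset:+.4f}")
```

With these values the nominal residual never exceeds about 0.13, so the threshold leaves a margin of roughly 0.07. An offset inside that margin passes unflagged and settles as an estimate error of `GAIN * offset / (1 - A * (1 - GAIN))`.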
1.3 Problem Studied in This Book
1.3.1 Attacks in Networked Control Systems
In 1998, G. C. Walsh put forward the concept of NCSs for the first time at
the University of Maryland. Since then, modeling problems for NCSs, such as
time delays, packet dropout, data confusion and other issues, have been
studied deeply. In particular, the inherently limited bandwidth of communication
channels has led to a number of network-induced phenomena, which are worth
investigating. Note that packet dropout and communication
delays have attracted much attention because they are considered
to be two of the main causes of the performance degradation or even instability
of the NCSs [156, 53].
Compared with traditional point-to-point systems, NCSs have many advantages,
such as lower expenses, higher flexibility, and better resource sharing;
please refer to [78, 142, 142, 101, 20], and the references therein.
Nevertheless, the ever-increasing popularity of communication networks also
brings new challenges. Exposure to public networks renders control systems
targets of potential cyber attacks. As control systems connect the information
world and the real world, cyber attacks on them can lead to serious incidents,
which has been verified during the past decade [105, 62]. By targeting
different components of control systems, attackers can launch various types of
attacks. Most of these control-system-oriented attacks can be categorized as
deception attacks and DoS attacks, which compromise data integrity and data
availability, respectively. The deception attack is launched by directly
modifying the control or measurement signal, and it is further categorized as
cover attacks [122], data injection attacks [73], stealthy attacks [31] and
replay attacks [98]. DoS attacks, or jamming attacks, are launched by corrupting
the communication channels of NCSs. DoS attacks usually lead to congestion
in communication networks, causing time delays and packet dropout. It is
worth mentioning that DoS attacks, which compromise data availability,
are critical because all control systems operate in real time. For
example, control systems using deadline corrective control may be driven to
instability under DoS attacks [171]. Unlike deception attacks, DoS attacks
require little prior knowledge of control systems and are also easy to apply.
Hence, DoS attacks have been listed as the most financially expensive
security incidents [90]. Thus, securing NCSs under DoS attacks raises major
concerns. In [7], a class of DoS attack models has been considered to find
an optimal causal feedback controller by minimizing a given objective
function subject to safety and power constraints. When NCSs with multitasking
and central-tasking structures suffer DoS attacks, optimal control strategies
have been presented by game theory in the delta domain [173]. In [84], a game
theoretic approach has been utilized to analyze a Nash equilibrium problem
between sensors and attackers. Considering a Markov modulated DoS attack
strategy, attackers stochastically jam control packets in NCSs with a hidden
Markov model [18]. When an energy-constrained attacker jams a network
channel, DoS attack schedules are provided to degrade system performance
in an optimal attack pattern [177]. Though various attack schemes have been
researched, optimal DoS attack schemes that are dangerous to NCSs have not
been studied in depth yet. Moreover, it is very interesting to analyze optimal
attack schemes because of the serious harm they do to NCSs. Actually, there
have been a number of works addressing the problem of resilient control under
DoS attacks [171, 170, 7, 79].
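How much packet loss a loop can tolerate before the instability mentioned above sets in can be worked out for a simple case. The following added example is not from the book. It assumes a scalar plant x[k+1] = a·x[k] + b·u[k], state feedback u = −K·x, independent losses with a fixed probability, zero input when a packet is lost, and a safety bound on |x|; all function names and numbers are illustrative.

```python
import random


def ms_factor(a, b, k_gain, p_drop):
    """Per-step growth factor of E[x^2] when the control packet is lost with
    probability p_drop and a lost packet means u = 0 (assumed strategy).
    The loop is mean-square stable if and only if the factor is below 1."""
    closed = a - b * k_gain
    return (1.0 - p_drop) * closed ** 2 + p_drop * a ** 2


def max_tolerable_dropout(a, b, k_gain):
    """Supremum of loss probabilities for which ms_factor stays below 1."""
    closed_sq = (a - b * k_gain) ** 2
    if closed_sq >= 1.0:
        return 0.0      # not stable even with a perfect channel
    if a * a <= 1.0:
        return 1.0      # the plant does not grow on its own
    return (1.0 - closed_sq) / (a * a - closed_sq)


def max_safe_outage(a, x0, x_max):
    """Longest run of consecutive lost packets that keeps |x| <= x_max,
    starting from x0 with zero input during the outage (None: unbounded)."""
    if abs(a) <= 1.0 or x0 == 0.0:
        return None
    n, x = 0, abs(x0)
    while x * abs(a) <= x_max:
        x *= abs(a)
        n += 1
    return n


def simulate_peak(a, b, k_gain, p_drop, x0, steps=50, seed=7):
    """Largest |x| seen on one constructed run with random packet loss."""
    rng = random.Random(seed)
    x, peak = x0, abs(x0)
    for _ in range(steps):
        lost = rng.random() < p_drop
        u = 0.0 if lost else -k_gain * x
        x = a * x + b * u
        peak = max(peak, abs(x))
    return peak


if __name__ == "__main__":
    a, b, k_gain = 1.2, 1.0, 1.0     # constructed unstable plant and gain
    print("critical loss rate:", round(max_tolerable_dropout(a, b, k_gain), 4))
    for p in (0.2, 0.5, 0.8):
        print(p, round(ms_factor(a, b, k_gain, p), 3),
              round(simulate_peak(a, b, k_gain, p, 0.1), 3))
    print("outage tolerated within |x| <= 1:", max_safe_outage(a, 0.1, 1.0))
```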
As far as we know, most of these works can be categorized as attack
tolerant resilient control methods and attack compensation resilient control
methods. For the first category, the resilient control strategies can tolerate a
certain level of negative effects caused by DoS attacks. To be specific, resilient
control strategies are developed such that NCSs remain within the safety zone
in spite of DoS attack induced time delays or packet dropout. For example,
a semi-definite programming method has been used to minimize the objective
function subject to power and safety constraints in [7]. Stability conditions
of an event trigger system under DoS attacks have been exploited in [79]. A
model predictive resilient control method has been proposed in [188], where
predictive values are used if a DoS attack occurs. For the second category,
resilient control methods are employed to compensate for the control
performance degradation caused by DoS attacks. In [171, 170, 193], IDSs have been
deployed in the cyber layer, which can defend against DoS attacks and improve
the performance of the underlying control systems. Data-sending strategies to
counteract the negative influence of DoS attacks have been developed in [83]. From
the aforementioned works, it is concluded that game theory, employed
intensively in resilient control, is a powerful tool for characterizing cooperation
and conflict among agents. Furthermore, some works investigate Networked
Predictive Control (NPC) schemes to cope with DoS attacks on NCSs
[35]. NPC schemes have been used to compensate for random delays and
consecutive packet dropout [104, 165, 35]. Based on a switched system approach,
stability analysis of NPC systems has been established via an average dwell
time technique in [182]. The NPC scheme has been utilized well on NCSs
under deception attacks [103]. Unfortunately, optimal control using NPC
approaches has not been adequately investigated for the security issues of NCSs
yet.
In practice, all real-time NCSs operate in the presence of disturbances
caused by a number of factors [45], including the fluctuation of communica-
tion environment [167], channel fading [148], quantization effects [133], load
variation [38], friction [186], and measurement noises [168]. Therefore, the
study on NCSs with external disturbances is of great importance from both
theoretical and engineering points of view [46, 139, 164]. So far, a number of
advanced control approaches have been developed to deal with the optimal
control problem on NCSs. It is worth mentioning that the disturbances acting
on the underlying dynamics will impact on the optimum of cost functions.
Nevertheless, it has been implicitly assumed that no disturbance exists or all
the disturbances are fully estimated and compensated in most literature con-
cerning the optimal control of NCSs. It is shown that the influence of the
disturbances on the optimum is largely neglected [126, 151, 136].
Summarizing the above results, we arrive at the conclusion that several
challenges still remain despite all the reported work on securing NCSs.
One such challenge is to develop optimal control strategies subject to DoS
attacks in the delta domain and provide optimal defense and attack strategies for
the designed NCSs. The second challenging problem is how to quantify the
influences of disturbances and packet dropout using the concept of ε-level, which
are equally important for the NCSs. Another challenge is to find a defense
strategy based on NPC to cope with DoS attacks under optimal schemes.
1.3.2 Resilient Control of WNCSs
In recent years, Wireless Networked Control Systems (WNCSs) have seen
great development in both theory and practice. In WNCSs, the
sensor and actuator communicate with the controller through wireless
networks. Compared with traditional NCSs, WNCSs have considerable advantages,
such as reduced wiring, greater flexibility, and low installation and
maintenance cost. However, wireless networks are more vulnerable than wired
networks, which may be caused by changing weather, multi-path propagation,
Doppler shift, networked attacks, and so on. Accounting for dynamic wireless
networks that result in poor communication performance is vital in the
design of WNCSs [28]. Additionally, utilizing the inherent “openness”
of WNCSs, malicious attackers can destroy communication communities and
control systems [155]. Thus, a number of works focusing on the security
of WNCSs have appeared; see [84, 177, 154, 81], and the references therein.
Some advanced results have been presented on the security problem of NCSs
in recent years. In [127], attack scenarios have been modeled and analyzed
according to a three-dimensional resources framework. In [102], two-channel
false data injection attacks against the output tracking problem of NCSs have
been researched. To detect integrity attacks, the probability of detection has
been optimized by conceding system performance [98].
Specifically for WNCSs, security issues for remote state estimation
communicating over wireless channels have been studied in [84, 81], and Markov game
theoretic approaches have been used to obtain the optimal attack and defense
strategies with an energy-constrained sensor and attacker. Multiple power
levels have then been made available to the sensor and attacker in the remote
state estimation system, and the mixed Nash equilibrium strategies have been
obtained under the framework of a Signal-to-Interference-plus-Noise Ratio
(SINR)-based game [84]. In [173], the closed-loop system performance
degradation caused by DoS attacks has been compensated by an inverse game
pricing method. The optimal
attack and defense strategies have been obtained by modeling the attacker and
defender as a Stackelberg game [173]. It makes practical sense to investigate
SINR-based attack schemes for enhancing the resilience of closed-loop WNCSs.
To analyze jamming attacks on cyber-layers of WNCSs, game theory which
acts as a powerful tool has been employed to model interactions between le-
gitimate users and malicious jammers [22]. A stochastic game framework for
anti-jamming defense design is proposed with time-varying spectrum environ-
ment in a cognitive radio network [135]. In [117], a Bayesian jamming game
between a legitimate transmitter and a smart jammer is discussed when there
exists incomplete information for every network user. In [147], a power control
strategy of a legitimate user against a smart jammer under power constraints
is handled as a Stackelberg game with observation errors. The jammer, which
acts as a follower, chooses a jamming power according to an observed on-