Detecting and Isolating Attacks of Deception in Networked Control Systems

This paper investigates a category of cyber-attacks on control systems, which regulate processes of a single plant while sharing a communication network. The design of these attacks aims to deceive conventional fault detectors that test locally generated residuals for inconsistent statistics. The authors propose a network-wide attack detector and isolator that collects information from other neighborhoods subject to availability of locality and network resources. Their method relies on estimating the output of a process, whose regulator may be under attack, from measurements gathered at other processes connected to the one under examination through links existing at the physical layer. Next, a notional consensus network coalesces all of these estimates into information that is independent of possibly deceptive sensory data at the suspect locality. The thesis of this paper is that residuals generated from far-flung estimates will reveal an anomaly (even if the statistics of local residuals are consistent). A necessary condition is the existence of an observable subsystem within the physical network of interconnected processes. The authors employ graph theory techniques to identify the subsystem and optimize its observability.