1. Introduction
A cyber-physical system typically consists of a physical process with sensors that report the process’s status to a controller, which then sends commands or control signals to actuators to keep the system in its desired states. Cyber-physical systems encompass a broad class of contemporary computer-integrated systems, including the infrastructures of human society [1]. Recent years have witnessed a suite of studies that tackle cyber-security issues in discrete-event systems [2,3,4,5,6,7]. Much attention has focused on attacks on sensors and actuators at the supervisory layer of cyber-physical control systems. In a networked environment, it is assumed that sensors and actuators can be compromised by an external attacker (typically assumed to be malicious) who may alter the sensor readings provided to a supervisor or the control actions sent to actuators. A thorough overview of cyber attacks and defences for the supervisory control of cyber-physical systems can be found in Refs. [8,9,10,11,12,13].
This paper addresses the problem of creating an attack-resilient cyber-physical system under sensor deception attacks. We assume that a cyber-physical system is modelled as a discrete-event system, with sensor outputs that belong to a finite set of (observable) events, and vulnerable sensor readings that could be tampered with by a hostile attacker seeking to damage the system. For example, an automated teller machine (ATM) is vulnerable to sensor deception attacks, in which an attacker tampers with a sensor to report false information about the amount of cash in the machine. This can cause the ATM to stop dispensing cash, leading to customer frustration and lost revenue for the bank. An attack-resilient design usually considers the envelope of the worst-case attack scenario and then synthesizes a supervisor such that the system operates safely, even in the presence of an attack.
Two main strategies have been proposed in the literature to avoid the failure of a supervisory control system under attack. The first strategy is limited to attacks that can be detected or diagnosed, called risky or non-stealthy attacks. It usually incorporates intruder detection modules (IDMs) into an existing supervisor that is assumed to be well-developed for pre-defined control specifications. In this context, security is typically represented in the same way as diagnosability [14,15,16], where the attack is modelled as a faulty behaviour and system resilience as fault tolerance [17]. This strategy exploits fault-diagnosis tools to check the existence of a supervisor that is capable of performing the predefined control actions adequately under worst-case attack scenarios, including sensor attacks [18,19], actuator attacks [20], and combined sensor and actuator attacks [21,22,23].
The mechanism captured by the first strategy is not sufficient to protect a cyber-physical system from cyber-attacks: unlike the passive faults addressed by diagnostic methods, the attacker is often strategic and may need to be modelled as a separate supervisor acting on the system. For example, Liu et al. [24] show that fault-detection algorithms in power grids can be bypassed by an adversary that sends false data consistent with plausible power grid configurations.
The second strategy is based on the synthesis of a supervisor that is resilient to a specific attacker, called a non-risky or smart attacker, which only conducts an attack if it either remains undetected afterwards or achieves certain system damage [25]. Several studies in the literature have investigated the problem of robust supervisor synthesis in the presence of non-risky attackers on sensors [2,26,27,28,29,30], on actuators [31,32,33], and on both [5,34,35]. Some works further restrict the attacker by considering a deterministic one [36]. In this context, determinism and covertness limit the attacker’s capability: no risk can be taken and few choices are available, making it harder to attack a system successfully.
In this work, however, we model an attacker as a nondeterministic finite-state transducer to account for a broad range of actions on a specific set of compromised sensors. In addition, we consider a possibly risky attacker that may send the supervisor strings inconsistent with the plant’s behaviour. We propose a defence strategy that overcomes the limitations of intruder detection modules and robust supervisor synthesis approaches: a run-time insertion function placed at the output of the system and a filter integrated into the existing supervisor. The insertion function and the filter cooperate to confuse the attacker and recover the original language generated by the plant in order to achieve the control goal. Keeping the current supervisor thus avoids both starting over with a new supervisor synthesis and changing the standard definitions of observability and controllability to account for the impact of attacks on the system.
To the best of our knowledge, this is the first work that aims to develop attack-resilient cyber-physical systems using the notion of an insertion function. The major contributions of this paper are stated as follows:
In our problem formulation, we consider a worst-case attack scenario, in which a possibly risky attacker with a nondeterministic attack function performs a broad range of attack actions, such as insertion, deletion, and replacement attacks;
We propose a novel defence mechanism based on an insertion function, modelled as a finite-state transducer, whose main idea is to safeguard the system’s compromised behaviour by exploiting the safe channels;
Given an insertion function, we provide an algorithm to construct a nondeterministic finite-state transducer, called a supervisor filter, that recovers the original language by handling the altered language received from the attacker. The insertion function and the supervisor filter cooperate to control the system and confuse the intruder without confusing the supervisor.
The remainder of this paper is organized as follows. In Section 2, we briefly recall basic notions related to finite-state automata and finite-state transducers. In Section 3, we present and identify the main attributes of the sensor deception attack problem. In Section 4, we illustrate how finite-state transducers are used in attack modelling. The defence strategy using the insertion function and the supervisor filter is provided in Section 5. Section 6 presents a case study on vehicle location. Finally, we conclude the paper in Section 7.
2. Preliminaries
In this section, we provide an overview of a transition system represented as a finite-state automaton (FSA), specifically a deterministic finite-state automaton (DFA). A DFA is defined as a five-tuple G = (Q, Σ, δ, q_0, Q_m), where Q is a finite set of states, Σ is the set of events or alphabet, δ: Q × Σ → Q is the deterministic transition function, q_0 ∈ Q is the initial state, and Q_m ⊆ Q is the set of final or marked states. We denote by δ(q, e)! a defined transition in G, indicating that event e ∈ Σ is active (or feasible) at state q ∈ Q. Transition function δ can be naturally extended to δ: Q × Σ* → Q by defining δ(q, ε) = q and δ(q, se) = δ(δ(q, s), e) for q ∈ Q, s ∈ Σ*, e ∈ Σ, where ε is the empty string. Similarly, the transition function can also be extended to sets of states, δ: 2^Q × Σ* → 2^Q.
The behaviour of automaton G, represented by its generated language and denoted by L(G), is formally defined as L(G) = {s ∈ Σ* : δ(q_0, s)!}. We define by Γ(q) = {e ∈ Σ : δ(q, e)!} the set of active events at state q and by Γ(Q′) the set of active events at the subset of states Q′ ⊆ Q, i.e., Γ(Q′) = ∪_{q ∈ Q′} Γ(q).
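For concreteness, the automaton notions above can be sketched in a few lines of Python; the class name and the dictionary-based encoding of the transition function are illustrative choices, not notation from the paper.

```python
# Minimal sketch of a DFA G = (Q, Sigma, delta, q0, Qm) with the
# extended transition function and the active-event set Gamma(q).

class DFA:
    def __init__(self, states, alphabet, delta, q0, marked):
        self.states = states        # Q
        self.alphabet = alphabet    # Sigma
        self.delta = delta          # dict: (state, event) -> state
        self.q0 = q0                # initial state
        self.marked = marked        # Qm (final/marked states)

    def step(self, q, s):
        """Extended transition function delta(q, s) for a string s;
        returns None if some transition along s is undefined."""
        for e in s:
            if (q, e) not in self.delta:
                return None
            q = self.delta[(q, e)]
        return q

    def active(self, q):
        """Gamma(q): the set of events feasible at state q."""
        return {e for e in self.alphabet if (q, e) in self.delta}

    def generates(self, s):
        """s belongs to L(G) iff delta(q0, s) is defined."""
        return self.step(self.q0, s) is not None
```

For instance, a two-state plant with transitions (0, a) → 1 and (1, b) → 0 generates the string aba but not the string b.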
A relation R between two sets I and O is a set of ordered pairs (i, o), where i ∈ I and o ∈ O, denoted as R ⊆ I × O. Given i ∈ I, the set of all o such that (i, o) ∈ R is defined as R(i) = {o ∈ O : (i, o) ∈ R}. If |R(i)| ≤ 1 for any i ∈ I, the relation is a partial function. Additionally, for a subset I′ ⊆ I, we define R(I′) = ∪_{i ∈ I′} R(i), which is a function 2^I → 2^O. The inversion of a relation R is defined as R⁻¹ = {(o, i) : (i, o) ∈ R}. Finally, the composition of two relations R_1 ⊆ I × M and R_2 ⊆ M × O is defined as R_2 ∘ R_1 = {(i, o) : ∃m ∈ M such that (i, m) ∈ R_1 and (m, o) ∈ R_2}.
Compared with a finite state automaton, a finite-state transducer (FST) augments a transition with an output label in addition to the input label. In this sense, an FST is a finite-state automaton with two memory tapes: an input tape and an output tape, which maps between two sets of symbols. In plain words, an FSA defines a formal language by accepting a particular set of strings, while an FST defines a relation between sets of strings.
Definition 1. A finite state transducer is a six-tuple T = (Q, I, O, δ, q_0, Q_m), where Q is the set of states, I is a finite set of inputs, O is a finite set of outputs, δ: Q × (I ∪ {ε}) × (O ∪ {ε}) → 2^Q is the (partial) transition function, q_0 ∈ Q is the initial state, and Q_m ⊆ Q is a finite set of final states.
Let T be a finite transducer. The input and output languages of T are represented by L_i(T) ⊆ I* and L_o(T) ⊆ O*, respectively. A transition of T is denoted q −i/o→ q′; we say that q −s/t→ q′ is a path from q to q′ labelled with s/t.
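As an illustration of Definition 1, the sketch below runs a small input-deterministic FST given as a transition table; the encoding (with None standing for an ε output) is an assumption made for this example, and the rewrite rules mirror the a→x, b→y mapping used in Example 1 below.

```python
# Run an input-deterministic FST on a word. The machine is encoded as
# rules: dict (state, input_symbol) -> (next_state, output_symbol),
# where an output of None stands for the empty word epsilon.

def run_fst(rules, q0, finals, word):
    q, out = q0, []
    for sym in word:
        if (q, sym) not in rules:
            return None              # word not in the input language
        q, o = rules[(q, sym)]
        if o is not None:
            out.append(o)
    return out if q in finals else None
```

With the one-state table {(0, "a"): (0, "x"), (0, "b"): (0, "y")}, the input word aba is mapped to the output word xyx.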
Example 1. We consider the plant T in Figure 1, where , , , , and . We have . FST T replaces the input symbol a with x and b with y; for instance, . The transducer performs the following mapping:

3. Problem Formulation
3.1. Assumptions and General Setup
As outlined in supervisory control theory, which originated in Ramadge and Wonham’s work on discrete-event systems [37], we examine a networked supervisory control system as depicted in Figure 2. It is assumed that the system, referred to as “plant” G, has a collection of sensors that may be susceptible to vulnerabilities. The behaviour of G is controlled by a “supervisor” S that enforces a safety property on G.
Communication between the supervisor and the plant, and vice versa, occurs through various channels. Sensor channels are used to communicate information collected by sensors from the plant to the supervisor, while supervisory control channels are used to transfer control actions, such as enabling and disabling the controllable events (actuators), from the supervisor to the plant.
The controlled behaviour is represented by a new discrete event system (DES) denoted by S/G, with closed-loop language L(S/G) ⊆ L(G), i.e., the closed behaviour of G under the supervision of S. The language L(G) represents the uncontrolled system behaviour, as it includes all possible executions of G.
In addition to the plant and the supervisor, we consider the existence of an attacker A who can perform man-in-the-middle attacks by intercepting the communication channels between the system’s sensors and the supervisor, as shown in Figure 3. We assume that the attacker has access to a subset of the observable events Σ_o, representing vulnerable sensors, denoted by Σ_v ⊆ Σ_o. It also has the capacity to alter some of the sensor readings in these communication channels by injecting false events and removing or replacing authentic ones. Suppose that G has a set of damaging states that could cause physical damage to the plant. The goal of A is to mislead the supervisor and steer G towards a critical state. In this paper, we assume that the supervisor S issues a new control command when the system starts and each time it observes an event e ∈ Σ_o. Otherwise, the plant G executes the previous control command, and the supervisor S waits for the next observable event to issue a new one. Similarly, the attacker acts in response to observing a new event e ∈ Σ_o that is executed by G. It is also assumed that the attacker observes the same observable events as S. If the attacker is not present or does not carry out attacks, the system structure is simplified to a basic supervisory control setup.
3.2. System Description
We consider a partially observed system that is consistent with standard supervisory control, in which the output symbol for each event is deterministically generated using the natural projection function.
Plant: The plant is abstracted as a partially-observed deterministic finite state automaton G = (Q, Σ, δ, q_0, Q_m), where Σ = Σ_o ∪ Σ_uo with Σ_o and Σ_uo being the disjoint sets of observable and unobservable events, respectively. The limited sensing capability of G is illustrated by the natural projection P: Σ* → Σ_o*, which is recursively defined as follows: P(ε) = ε, and for s ∈ Σ*, σ ∈ Σ, P(sσ) = P(s)σ if σ ∈ Σ_o and P(sσ) = P(s) otherwise.
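The recursive definition of the natural projection translates directly into code; this is a sketch with illustrative names, operating on words represented as lists of event labels.

```python
# Natural projection P: Sigma* -> Sigma_o*, erasing unobservable
# events: P(eps) = eps; P(s.sigma) = P(s).sigma if sigma is
# observable, and P(s.sigma) = P(s) otherwise.

def project(word, observable):
    if not word:
        return []                   # base case: P(epsilon) = epsilon
    *s, sigma = word
    tail = [sigma] if sigma in observable else []
    return project(s, observable) + tail
```

For example, projecting the word a u b with Σ_o = {a, b} yields a b, since the unobservable event u is erased.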
In addition, the restricted actuation capability of G is represented by partitioning the event set into Σ = Σ_c ∪ Σ_uc, where Σ_c and Σ_uc are the sets of controllable and uncontrollable events, respectively. The plant G sends an observable event to the supervisor S whenever an observable transition takes place.
Supervisor: Formally, a supervisor S under partial observation of plant G is a function S: P(L(G)) → Γ, where Γ ⊆ 2^Σ is the set of admissible control decisions. The admissibility of a control decision ensures that uncontrollable events are never disabled. Note that, for all γ ∈ Γ, we have Σ_uc ⊆ γ.
Without loss of generality, we assume that S is realized by a finite state automaton S = (Q_S, Σ, δ_S, q_{0,S}), known as the supervisor realization, that satisfies the following controllability and observability constraints:
(controllability) δ_S(q, σ)! for any state q ∈ Q_S and any uncontrollable event σ ∈ Σ_uc;
(observability) for any state q ∈ Q_S and any unobservable event σ ∈ Σ_uo, δ_S(q, σ)! implies δ_S(q, σ) = q.
Note that a partial-observation supervisor’s realization catches the current set of enabled events in its active event set; specifically, enabled unobservable events are represented by self-loops at the current state of S.
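The two realization constraints can be checked mechanically on a candidate supervisor automaton. The sketch below assumes the transition function is given as a dictionary; it merely restates the conditions above and is not an algorithm from the paper.

```python
# Check the two constraints on a supervisor realization whose
# transition function is delta: dict (state, event) -> state.

def is_controllable(delta, states, uncontrollable):
    """Controllability: every uncontrollable event is defined
    (i.e., enabled) at every state of the supervisor."""
    return all((q, e) in delta for q in states for e in uncontrollable)

def is_observation_consistent(delta, unobservable):
    """Observability: an enabled unobservable event must be a
    self-loop, so the supervisor state does not change on it."""
    return all(delta[(q, e)] == q
               for (q, e) in delta if e in unobservable)
```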
Attacker: The attacker can alter (i.e., delete, insert, or replace) some sensor readings by performing attacks on compromised sensors. We denote by Σ_v ⊆ Σ_o the set of compromised events. Let ch_k denote a sensor channel. To keep things simple, we shall refer to a sensor as compromised if its reading is delivered to the supervisor through an attacked channel ch_k. In practice, the set of compromised events Σ_v is the disjoint union of the observable events that are delivered through the compromised sensor channels, indexed by I. This can be represented as Σ_v = ∪_{k ∈ I} Σ_{ch_k}, where Σ_{ch_k} is the set of observable events delivered through channel ch_k. We denote by Σ_s = Σ_o \ Σ_v the set of safe events that are transmitted through protected channels. An attacker is formally defined as a nondeterministic edit function. Compared with the deterministic model in Ref. [27], the nondeterministic model provides different attack options: when the nondeterministic edit function is implemented, its outcome is selected from a set of possible outcomes.
Definition 2. Let G be a plant with a set of compromised events Σ_v. An attacker is recursively defined by an attack function satisfying

Example 2. Consider the networked feedback control structure whose communication network is depicted in Figure 4. Let G be the automaton model of the plant shown in Figure 5a, where , , , , and . According to Figure 4, the occurrences of events in are transmitted through observation channel and the occurrences of events in are transmitted through observation channel . The supervisor shown in Figure 5b guarantees that state 6 is unreachable in the supervised system by satisfying the admissible language , i.e., .

4. Sensor Attack Modelling Using FSTs
In the field of security, flawed assumptions in the model can provide the simplest means for an attacker to bypass any security measures. As such, we opt to represent sensor attack capabilities through the use of a (partial) finite-state transducer. Finite-state transducers can capture a broad range of attacks, such as insertion, deletion, or replacement attacks. We take advantage of FSTs’ nondeterminism to capture all potential attack behaviours, because assuming a specific (e.g., deterministic) attack mapping may be too restrictive. As a result, FST models may be considered an overestimation of the actual attack activities and thus implement the worst-case scenario.
One of the most fundamental attack strategies for this problem is the all-out attack strategy. This strategy encompasses any other attacks that utilize the same set of compromised events. In this model, the attacker can attack at any opportunity. The main focus of an intrusion detection problem is the attacker’s strategy over a set of compromised events. Specifically, we design an effective intrusion detection module (IDM) based on a given attack strategy, such as a bounded or replacement strategy. The efficacy of the IDM is directly tied to the type of attack strategy employed. Since an all-out attack encompasses all other techniques, an IDM that can effectively counter an all-out attack will also be effective against any other strategy.
Example 3. As depicted in Figure 6, finite-state transducers can encode different attack strategies. The (nondeterministic) deletion attack is shown in Figure 6a: when an event e fires, the attacker may either delete it or leave it unchanged. The (nondeterministic) injection attack is represented in Figure 6b, indicating that a finite number of events from Σ_v can be inserted before or after received events. A replacement attack is illustrated by the FST in Figure 6c, where an event from Σ_v can be replaced by any event from Σ_v. Finally, the all-out attack is modelled by the FST in Figure 6d. This strategy includes the deletion, insertion, and replacement attack strategies over the same set of compromised events. If no prior knowledge about the attack method is available, we presume that the adversary is using an all-out attack approach.

The transducer that results from exchanging the input and output alphabets and the input and output labels of each transition of T is referred to as the inverse of T, denoted by T⁻¹.
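To make the all-out strategy concrete, the sketch below enumerates the edit options the attacker has for a single received event. For simplicity it omits the unbounded insertion of extra compromised events before or after the event, so it is an under-approximation used purely for illustration; all names are ours.

```python
# Edit options of an all-out attacker on one received event: leave it
# unchanged, and, if the event is compromised, delete it or replace it
# by any compromised event. Each option is a tuple of output events.

def attack_options(event, compromised):
    opts = {(event,)}               # pass the event through unchanged
    if event in compromised:
        opts.add(())                # deletion
        for e in compromised:
            opts.add((e,))          # replacement
    return opts
```

A safe event (one outside the compromised set) admits only the identity option, reflecting that the attacker cannot touch protected channels.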
Remark 1. An FST is a powerful modelling tool for attack manipulations. In particular, it allows the inversion of an attack, A⁻¹, as well as the composition of multiple attacks, A_2 ∘ A_1.
Corollary 1. , , and hold.
Proposition 1. An attacker that uses the all-out attack strategy can always reverse its attack action, i.e., .
Proof. We have . Based on Corollary 1, . □
The observable events sent by plant G are subject to nondeterministic revisions by the attacker A before they are received by the supervisor S, i.e., A may choose different attack actions for the same observation input.
Model of the Plant under Sensor Channel Attacks
Definition 3. Given two FSTs T_1 and T_2 with O_1 = I_2, the sequential composition of T_1 and T_2, denoted by T_2 ∘ T_1, is defined as , where

We remark that, in order to compose two FSTs, the output alphabet of T_1 must match the input alphabet of T_2. The sequential composition is obtained by merging the transitions where the output of T_1 is used as the input of T_2. Transitions of T_1 with output ε (and transitions of T_2 with input ε) are retained, since they can be triggered without affecting the other transducer. Other transitions are discarded.
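Viewed as relations, sequential composition simply pipes the output of the first transducer into the second. The sketch below realises this for functional (single-valued) transducers, sidestepping the product construction of Definition 3; the helper `rewriter` is an illustrative stand-in for a one-state FST.

```python
# Sequential composition of two functional transducers realised by
# function composition: (T2 o T1)(w) = T2(T1(w)).

def rewriter(mapping):
    """A one-state transducer: rewrite each symbol found in mapping,
    pass every other symbol through unchanged."""
    def run(word):
        return [mapping.get(sym, sym) for sym in word]
    return run

def compose(t1, t2):
    """Sequential composition T2 o T1 as a function on words."""
    return lambda word: t2(t1(word))
```

For instance, composing a rewriter that maps a to x with one that maps x to z sends the word a b to z b.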
Example 4. Consider the networked control system of Example 2, where the sensor channel is attacked, i.e., . The all-out attack strategy over the set of compromised events is encoded by the FST A shown in Figure 7a. Based on Definition 3, the sequential composition of G and A is shown in Figure 7b. Notice that the unobservable event e is associated with ε as the output in FST G; this is expected, since the projection function masks it from the supervisor. The FST captures the possible event changes made by A that are covert to the supervisor S, i.e., .

5. Defence Mechanism
To guarantee safety, we employ a security mechanism known as an insertion function, which is commonly used to enforce opacity [38,39]. The insertion function, as depicted in Figure 8, acts as an interface between the system and external observers: it receives the system’s output behaviour, adds fictitious events when necessary, and then releases the modified output. The set of permissible events to be added is a subset of the observable events. We assume that the attacker is unable to distinguish between an added event and its authentic counterpart in Σ_o.
5.1. Insertion Function
Given a finite state automaton G, an insertion function is defined as a deterministic function that outputs an inserted event based on the current state and the current observed event. Such an insertion function is represented by an input-deterministic finite state transducer, referred to as an insertion transducer. It has the same structure as G but is characterized by a different transition function.
Based on the work of Wu et al. [40], an insertion function has to be admissible. The admissibility property requires that the insertion function be defined for every observable event the plant can generate. This property is crucial, since it ensures that the system’s behaviour cannot be tampered with or hindered.
Definition 4. Given G, an insertion function is admissible if it inserts (possibly ε) on every observable event from G, i.e., .
Accordingly, the admissibility property prevents the insertion function from blocking the controlled system after receiving an unexpected event from the plant. The safety property is an output property indicating that the output behaviour after insertion must include at least one safe event.
The projection over the set of safe events, P_s: Σ_o* → Σ_s*, is recursively defined as follows: P_s(ε) = ε, and for w ∈ Σ_o*, σ ∈ Σ_o, P_s(wσ) = P_s(w)σ if σ ∈ Σ_s and P_s(wσ) = P_s(w) otherwise.
Definition 5. Given G, a set of safe events Σ_s and a set of compromised events Σ_v, an insertion function f_I is safe if, for each received compromised event, the output word includes at least one safe event; that is, for each q ∈ Q and σ ∈ Σ_v, P_s(f_I(q, σ)) ≠ ε holds.
Deterministic safe-event insertion is an output property indicating that, at a given state q ∈ Q, safe events are deterministically inserted.
Definition 6. Given G, a set of safe events Σ_s and a set of compromised events Σ_v, an insertion function is safe-output-deterministic if for each q ∈ Q there do not exist such that .
5.2. Supervisor Filter Design
In this subsection, we propose a new structure derived from the insertion transducer, called the supervisor filter, whose role is to recover the original language generated by the plant by processing the input events produced by the insertion function and the attacker. The construction of such a module is given in Algorithm 1.
Algorithm 1 Construction of the supervisor filter F
Input: A finite state transducer (the insertion transducer).
Output: Supervisor filter F.
Step 1. Compute the inversion of the insertion transducer.
Step 2. Project the input language over Σ_o: for each transition , do .
Step 3. Remove the inputs possibly inserted by the attacker: for each and , do: if is not defined, then .
return F
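One plausible reading of Algorithm 1 is sketched below, assuming the insertion transducer is given as a dictionary mapping (state, received event) to (next state, emitted word). The exact label sets and the condition tested in Step 3 are abstracted in the paper, so this is an illustration under our own assumptions, not the authors' implementation.

```python
# Sketch of Algorithm 1: build the supervisor filter F from an
# insertion transducer given as rules (q, event) -> (q', out_word).

def build_filter(insertion_rules, observable, compromised):
    # Step 1: inversion -- swap the input and output labels.
    inv = {}
    for (q, event), (q2, out_word) in insertion_rules.items():
        inv[(q, tuple(out_word))] = (q2, event)
    # Step 2: project each (now input) label over the observable events.
    proj = {}
    for (q, label), (q2, event) in inv.items():
        obs = tuple(s for s in label if s in observable)
        proj[(q, obs)] = (q2, event)
    # Step 3: drop inputs the attacker itself could have produced,
    # i.e. labels made up entirely of compromised events.
    return {(q, lab): tgt for (q, lab), tgt in proj.items()
            if not all(s in compromised for s in lab)}
```

Under this reading, a transition that inserts a safe event s before a compromised event a is inverted into a filter transition consuming s a and re-emitting the original a, while labels the attacker could fabricate on its own are discarded.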
Example 5. Consider again the plant G shown in Figure 5a, where and are transmitted through sensor channel . Its supervisor is depicted in Figure 5b, which guarantees that the damaging state is unreachable. As shown in Figure 7c, the all-out attacker can mislead the supervisor to generate a sequence of control patterns that allows the plant to reach the damaging state . To prevent this, we propose the insertion transducer encoded in Figure 9a and the associated filter F presented in Figure 9b.

Proposition 2. .
Proof. It suffices to show that the language passing to the supervisor is exactly . By construction, we have , and . Based on Definition 4, we have , and then . □
With the filter and the insertion function in place, the sensor attack A does not influence controllability. Specifically, the filter recovers all the original outputs of the plant, under which the supervisor achieves the control goal. This result differs from the majority of previous studies [3,18,23,36], since the insertion function and the integrated filter, which are modelled by FSTs instead of automata, have more power in safely countering the attacker’s actions by exploiting the safe part of the plant. The supervisor’s control commands depend on the filter’s output language, which coincides with the plant’s projected language P(L(G)), instead of the corrupted observations received from the attacker.
5.3. A Comparative Analysis of the Proposed Method with Existing Methods
In this subsection, we compare the proposed defence mechanism with state-of-the-art approaches based on the provided table, which considers the model type, attack types, strategy, methodologies, advantages, and disadvantages of each method (
Table 1).
Comparing the proposed method with existing ones, we observe that the proposed method provides robustness against sensor attacks and focuses on a secure control strategy. However, it has exponential computational complexity, a disadvantage shared by several other methods, such as those in Refs. [3,6,18,42]. In contrast, the methods in Refs. [21,23,41] disable all controllable events once an attack is detected, which may lead to unnecessary loss of resources. Furthermore, the method in Ref. [43] is limited by its reliance on known attack structures, potentially leaving the system vulnerable to novel or unknown attacks. This work, along with those in Refs. [3,6,18,42], focuses on secure control strategies that maintain system safety even under attack. This proactive approach helps ensure the stability and integrity of the system, despite the exponential computational complexity.
6. Case Study: Non-Exposure of Vehicle Location
Let us consider a scenario where a vehicle travels on a public road and the vehicle’s location should be kept confidential, as shown in Figure 10. The vehicle is equipped with Global Positioning System (GPS) sensors that provide its location, which is used by the vehicle’s control system to navigate safely. However, an attacker may try to compromise the sensors to extract the vehicle’s location, which could be used for malicious purposes such as tracking or theft. The automaton G associated with our model is shown in Figure 11a, where and are transmitted through compromised GPS sensor channels. Its supervisor is depicted in Figure 11b, which guarantees that the damaging state is unreachable. The all-out attacker can mislead the supervisor to generate a sequence of control patterns that allows the plant to reach the damaging state. To prevent this, we propose the insertion transducer encoded in Figure 12a and the associated filter F presented in Figure 12b.
We can use the proposed defence mechanism, based on an insertion function and a supervisor filter, to protect the vehicle’s location. The system’s plant is modelled as a finite state automaton (FSA). The set of events includes the GPS sensor readings, which provide the vehicle’s directions.
The insertion function is defined as a deterministic function that takes as input the current state and the current sensor reading and outputs a modified sensor reading. For example, we can define f_I(q, x) = y, where q is the current state, x is the original sensor reading, and y is the modified sensor reading. The insertion function can insert a fictitious location that deviates from the actual location to confuse the attacker. The set of allowed events to be inserted includes all possible sensor readings.
To ensure safety, we design the insertion function to be admissible, i.e., it should insert an event on every observable event from G. We also ensure that the insertion function is safe, which means that for each received compromised event (e.g., GPS sensor reading), the output word includes at least one safe event.
The supervisor filter F is constructed by taking the inverse of the insertion function and removing the inputs that the attacker possibly inserts. This filter allows the supervisor to recover the original language generated by the plant, which is used to navigate and avoid damaging states.
7. Conclusions and Future Work
In this paper, we consider the problem of sensor deception attacks in a closed-loop control system, where the plant is abstracted as a discrete event system controlled by a supervisor through sensors and actuators. We propose a novel defence mechanism based on an insertion function that safeguards the system’s compromised behaviour by exploiting the safe channels. The proposed approach offers two significant advantages. First, by utilizing nondeterministic finite-state transducers, we account for a worst-case attack scenario and effectively capture a broad range of attacks, such as insertion, deletion, or replacement attacks. This ensures a robust defence against various types of attacks. Second, the proposed approach integrates a filter for post-attack language recovery while keeping the existing supervisor intact, rather than synthesizing a new supervisor. The insertion function and the filter cooperate to control the system and confuse the intruder without confusing the supervisor.
This work opens several avenues for future investigations. First, we are interested in extending the proposed method to the scope of DESs under actuator attacks. Second, we plan to synthesize an optimal insertion function that safeguards the system with the minimal use of safe channels. Finally, we intend to develop an algorithm for directly synthesizing the insertion function.