Abstract

Cyber-Physical Systems (CPS) are smart co-engineered interacting networks of physical and computational components. They refer to a large class of technologies and infrastructure in almost all life aspects including, for example, smart grids, autonomous vehicles, Internet of Things (IoT), advanced medical devices, and water supply systems. The development of CPS aims to improve the capabilities of traditional engineering systems by introducing advanced computational capacity and communications among system entities. On the other hand, the adoption of such technologies introduces a threat and exposes the system to cyber-attacks. Given the unique properties of CPSs, i.e. physically interacting with its environment, malicious parties might be interested in exploiting the physical properties of the system in the form of a cyber-physical attack. In a large class of CPSs, the physical systems are controlled using a feedback control loop. In this thesis, we investigate, from many angles, how CPSs' control systems can be prone to cyber-physical attacks and how to defend them against such attacks using arguments drawn from control theory.

In our first contribution, by considering Smart Grid applications, we address the problem of designing a Denial of Service (DoS)-resilient controller for recovering the system's transient stability robustly. We propose a Model Predictive Control (MPC) controller based on the set-theoretic (ST) arguments, which is capable of dealing with both model uncertainties, actuator limitations, and DoS. Unlike traditional MPC solutions, the proposed controller has the capability of moving most of the required computations into an offline phase. The online phase requires the solution of a quadratic programming problem, which can be efficiently solved in real-time. Then, stemming from the same ST based MPC controller idea, we propose a novel physical watermarking technique for the active detection of replay attacks in CPSs. The proposed strategy exploits the ST-MPC paradigm to design control inputs that, whenever needed, can be safely and continuously applied to the system for an apriori known number of steps. Such a control scheme enables the design of a physical watermarked control signal. We prove that, in the attack-free case, the generators' transient stability is achieved for all admissible watermarking signals and that the closed-loop system enjoys uniformly ultimately bounded stability.

In our second contribution, we address the attacker's ability to collect useful information about the control system in the reconnaissance phase of a cyber-physical attack. By using existing system identification tools, an attacker who has access to the control loop can identify the dynamics of the underlying control system. We develop a decoy-based moving target defense mechanism by leveraging an auxiliary set of virtual state-based decoy systems. Simulation results show that the provided solution degrades the attacker's ability to identify the underlying state-space model of the considered system from the intercepted control inputs and sensor measurements. It also does not impose any penalty on the control performance of the underlying system.

Finally, in our third contribution, we introduce a covert channel technique, enabling a compromised networked controller to leak information to an eavesdropper who has access to the measurement channel. We show that this can be achieved without establishing any additional explicit communication channels by properly altering the control logic and exploiting robust reachability arguments. A dual-mode receding horizon MPC strategy is used as an illustrative example to show how such an undetectable covert channel can be established.