Skip to main content

Observation-assisted heuristic synthesis of covert attackers against unknown supervisors


In this work, we address the problem of synthesis of covert attackers in the setup where the model of the plant is available, but the model of the supervisor is unknown, to the adversary. To compensate the lack of knowledge on the supervisor, we assume that the adversary has recorded a (prefix-closed) finite set of observations of the runs of the closed-loop system, which can be used for assisting the synthesis. We present a heuristic algorithm for the synthesis of covert damage-reachable attackers, based on the model of the plant and the (finite) set of observations, by a transformation into solving an instance of the partial-observation supervisor synthesis problem. The heuristic algorithm developed in this paper may allow the adversary to synthesize covert attackers without having to know the model of the supervisor, which could be hard to obtain in practice. For simplicity, we shall only consider covert attackers that are able to carry out sensor replacement attacks and actuator disablement attacks. The effectiveness of our approach is illustrated on a water tank example adapted from the literature.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14


  1. From the adversary’s point of view, any supervisor that is consistent with the given set of observations may have been deployed.

  2. It is worth mentioning that sensor replacement attacks can help achieve both of the damage-infliction goal and the covertness goal; actuator disablement attack can help achieve the covertness goal.

  3. As usual, we also view the partial transition function \(\delta : Q \times {{{\varSigma }}} \rightarrow Q\) as a relation \(\delta \subseteq Q \times {{{\varSigma }}} \times Q\).

  4. For example, if σΣ1Σ2 and δ1(q1,σ) is undefined, we treat δ(q,σ) as undefined. This convention is adopted throughout the work.

  5. If \({{{\varSigma }}}={{{\varSigma }}}^{\prime }\), then we have \(UR_{G, \varnothing }(q_{0})\), which is by definition equal to {q0}.

  6. We here remark that actuator disablement attacks cannot cause the covertness to be broken, following (Lin et al. 2020). Indeed, the supervisor is not sure whether some event σΣc,A has been disabled by an attacker, even if disabling σ may result in deadlock, as the supervisor is never sure whether: 1) deadlock has occurred due to actuator attack, or 2) σ will possibly fire soon (according to the internal mechanism of the plant), without an explicit timing mechanism.

  7. Recall that qbad is the goal state for the attacker.

  8. Since the control constraint is \(({{{\varSigma }}}_{a, A} \cup {{{\varSigma }}}_{s, A}^{\#}, {{{\varSigma }}}_{o} \cup {{{\varSigma }}}_{s, A}^{\#})\) (see Section 3.3), the normality property based synthesis approach effectively only allows the attacker to control those events in \(({{{\varSigma }}}_{a, A} \cap {{{\varSigma }}}_{o}) \cup {{{\varSigma }}}_{s, A}^{\#}\).


  • Bergeron A (1993) A unified approach to control problems in discrete event processes. RAIRO-Theoret Inform Appl 27(6):555–573

    MathSciNet  Article  Google Scholar 

  • Carvalho LK, Wu YC, Kwong R, Lafortune S (2016) Detection and prevention of actuator enablement attacks in supervisory control systems. Int Workshop Discrete Event Syst 298–305

  • Carvalho LK, Wu YC, Kwong R, Lafortune S (2018) Detection and mitigation of classes of attacks in supervisory control systems. Automatica 97:121–133

    MathSciNet  Article  Google Scholar 

  • Cassandras C, Lafortune S (1999) Introduction to discrete event systems. Kluwer, Boston

    Book  Google Scholar 

  • Feng L, Wonham WM (2006) Tct: a computation tool for supervisory control synthesis. Workshop Discrete Event Syst 388–389

  • Hopcroft JE, Ullman JD, theory Introduction to automata (1979) Languages, and computation. Addison-Wesley, Reading, Massachusetts

    Google Scholar 

  • Khoumsi A (2019) Sensor and actuator attacks of cyber-physical systems: a study based on supervisory control of discrete event systems. Conf Syst Control 176–182

  • Lima PM, Alves MVS, Carvalho LK, Moreira MV (2017) Security against network attacks in supervisory control systems. IFAC 50(1):12333–12338

    Google Scholar 

  • Lima PM, Carvalho LK, Moreira MV (2018) Detectable and undetectable network attack security of cyber-physical systems. IFAC 51(7):179–185

    Google Scholar 

  • Lin L (2015) Towards decentralized and parameterized supervisor synthesis, Ph.D thesis, School of Electrical and Electronic Engineering, Nanyang Technological Unversity. [Online] Available:

  • Lin L, Su R (2020) Bounded synthesis of resilient supervisors. IEEE Transactions on Automatic Control under review

  • Lin L, Su R (2020) Synthesis of covert actuator and sensor attackers as supervisor synthesis. Workshop on Discrete Event Systems 1–6

  • Lin L, Su R (2021) Synthesis of covert actuator and sensor attackers. Automatica, vol 130:109714

    MathSciNet  Article  Google Scholar 

  • Lin L, Thuijsman S, Zhu Y, Ware S, Su R, Reniers M (2019) Synthesis of successful actuator attackers on supervisors. American Control Conf 5614–5619

  • Lin L, Zhu Y, Su R (2019) Towards bounded synthesis of resilient supervisors. Conf Dec Control 7659–7664

  • Lin L, Zhu Y, Su R (2020) Synthesis of covert actuator attackers for free, Discrete Event Dynamic Systems:Theory and Applications,

  • Lin L, Zhu Y, Tai R, Ware S, Su R (2020) Networked supervisor synthesis against lossy channels with bounded network delays as non-networked synthesis, Automatica under review

  • Lin L, Tai R, Zhu Y, Su R (2021) Heuristic synthesis of covert attackers against unknown supervisors. Conference on Decision and Control accepted

  • Malik R, Akesson K, Flordal H, Fabian M (2017) Supremica–an efficient tool for large-scale discrete event systems. IFAC-PapersOnLine 50:5794–5799

    Article  Google Scholar 

  • Meira-Goes R, Marchand H (2019) S. Lafortune Towards resilient supervisors against sensor deception attacks. Conf Dec Control 5144–5149

  • Meira-Goes R, Kang E, Kwong R, Lafortune S (2017) Stealthy deception attacks for cyber-physical systems. Conf Decision Control 4224–4230

  • Meira-Goes R, Kang E, Kwong R, Lafortune S (2020) Synthesis of sensor deception attacks at the supervisory layer of cyber–physical systems. Automatica 121:109172

    MathSciNet  Article  Google Scholar 

  • Mohajerani S, Meira-Goes R, Lafortune S (2020) Efficient synthesis of sensor deception attacks using observation equivalence-based abstraction. Workshop Discrete Event Syst 28–34

  • Su R (2018) Supervisor synthesis to thwart cyber-attack with bounded sensor reading alterations. Automatica 94:35–44

    MathSciNet  Article  Google Scholar 

  • Su R (2020) On decidability of existence of nonblocking supervisors resilient to smart sensor attacks. arXiv:2009.02626v1

  • SuSyNA (2011) Supervisor synthesis for non-deterministic automata. [Online]. Available:

  • Wakaiki M, Tabuada P, Hespanha JP (2019) Supervisory control of discrete-event systems under attacks. Dynamic Games Appl 9:965–983

    MathSciNet  Article  Google Scholar 

  • Wang Y, Pajic M (2019) Supervisory control of discrete event systems in the presence of sensor and actuator attacks. Conf Decision Control 5350–5355

  • Wang Y, Pajic M (2019) Attack-resilient supervisory control with intermittently secure communication. Conf Dec Control 2015–2020

  • Wang D, Lin L, Li Z, Wonham WM (2018) State-based control of discrete-event systems under partial observation. IEEE Access 6(1):42084–42093

    Article  Google Scholar 

  • Wonham WM, Cai K (2018) Supervisory control of discrete-event systems, Monograph Series Communications and Control Engineering. Springer, Berlin

    Google Scholar 

  • Yin X, Lafortune S (2016) Synthesis of maximally permissive supervisors for partially observed discrete event systems. IEEE Trans Autom Control 61 (5):1239–1254

    MathSciNet  Article  Google Scholar 

  • Zhu Y, Lin L, Su R (2019) Supervisor obfuscation against actuator enablement attack. Europ Control Conf 1760–1765

  • Zhu Y, Lin L, Ware S, Su R (2019) Supervisor synthesis for networked discrete event systems with communication delays and lossy events. Conf Decision Control 6730–6735

Download references


The research of the project was supported by Ministry of Education, Singapore, under grant AcRF TIER 1-2018-T1-001-245 (RG 91/18) and supported by the funding from Singapore National Research Foundation via Delta-NTU Corporate Lab Program (DELTA-NTU CORP LAB-SMA-RP2 SU RONG M4061925.043). We would like to thank the anonymous reviewers for comments that help us improve the quality of the paper.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Liyong Lin.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article belongs to the Topical Collection: Topical Collection on Cybersecurity Guest Editors: Rong Su and Carlos Basilio

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Lin, L., Tai, R., Zhu, Y. et al. Observation-assisted heuristic synthesis of covert attackers against unknown supervisors. Discrete Event Dyn Syst (2022).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI:


  • Cyber-physical systems
  • Discrete-event systems
  • Covert attack
  • Partial-observation
  • Supervisor synthesis
  • Unknown model