Abstract
This chapter presents an overview of actuator attacks that exploit zero dynamics, and countermeasures against them. First, zero-dynamics attack is reintroduced based on a canonical representation called normal form. Then it is shown that the target dynamic system is at elevated risk if the associated zero dynamics is unstable. From there on, several questions are raised in series to ensure when the target system is immune to an attack of this kind. The first question is: Is the target system secure from zero-dynamics attack if it does not have any unstable zeros? An answer provided for this question is: No, the target system may still be at risk due to another attack surface emerging in the process of implementation. This is followed by a series of questions, and in the course of providing answers, variants of the classic zero-dynamics attack are presented, from which the vulnerability of the target system is explored in depth. In the end, countermeasures are proposed to render the attack ineffective. Because it is known that zero dynamics in continuous-time systems cannot be modified by feedback, the main idea of the countermeasure is to relocate any unstable zero to a stable region in the stage of digital implementation through modified digital samplers and holders. Adversaries can still attack actuators, but due to the relocated zeros, they are of little use in damaging the target system.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We use the notation \({O^1}\) and \({0_1}\) (of suitable size) as
$$ {O^1}= \begin{bmatrix} 0 &{} 1 &{} 0 &{} \cdots &{} 0 \\ 0 &{} 0 &{} 1 &{} \cdots &{} 0 \\ \vdots &{} \vdots &{} \vdots &{} \ddots &{} \vdots \\ 0 &{} 0 &{} 0 &{} \cdots &{} 1 \\ 0 &{} 0 &{} 0 &{} \cdots &{} 0 \end{bmatrix} \quad \text {and} \quad {0_1}= \begin{bmatrix} 0 \\ 0 \\ \vdots \\ 0 \\ 1 \end{bmatrix} . $$.
- 2.
As seen in (), the effect of the proposed attack is to replace the real zero dynamics (2.21c) with (2.21b) at time \(t_0\). This is an abrupt change, and so, unless \(z_{\mathsf {a}}(t_0)\) is close to \(x_z(t_0)\), some transient response may occur after \(t_0\) and the attack may be detected. To avoid this possibility, the attacker will carefully choose the time \(t_0\) such that the internal state \(x_z(t_0)\) is easily guessed, like the steady state at which \(z_{\mathsf {a}}(t_0)=0\) may suffice.
- 3.
The generalized hold and sampler have been actively studied in the 90s. For details, refer to [27].
- 4.
It is well-known that if (A, C) is observable, then \((A_{\mathsf d}, C_{\mathsf d})\) is observable for almost all sampling times \(T_s\).
- 5.
Note that \(\int _0^t e^{A(t-\tau )} B d\tau = \int _0^t e^{A\tau } B d\tau \).
- 6.
It is well-known that if (A, B) is controllable, then \((A_{\mathsf d}, B_{\mathsf d})\) is controllable for almost all sampling times \(T_s\).
- 7.
A similar strategy was presented in [17] where a multi-rate sampler is employed for attack detection. However, all samples \(y(iT_s/N + (k-1)T_s)\), \(i=1, \ldots , N\), are transmitted to the controller for attack detection.
- 8.
This subsection is a brief summary of the contribution of [9].
References
Back, J., Shim, H.: Adding robustness to nominal output-feedback controllers for uncertain nonlinear systems: a nonlinear version of disturbance observer. Automatica 44(10), 2528–2537 (2008)
Back, J., Shim, H.: Reduced-order implementation of disturbance observers for robust tracking of non-linear systems. IET Control Theory Appl. 8(17), 1940–1948 (2014)
Freudenberg, J.S., Middleton, R.H., Braslavsky, J.H.: Robustness of zero shifting via generalized sampled-data hold functions. IEEE Trans. Autom. Control 42(12), 1681–1692 (1997)
Giles, M.: Triton is the world’s most murderous malware, and it’s spreading. MIT Technology Review, March 5 (2019)
Hitz, B.E., Anderson, B.D.O.: Discrete positive-real functions and their application to system stability. Proc. IEE 116(1), 153–155 (1969)
Hoehn, A., Zhang, P.: Detection of covert attacks and zero dynamics attacks in cyber-physical systems. In: Proceedings of American Control Conference, pp. 302–307 (2016)
Jeon, H., Aum, S., Shim, H., Eun, Y.: Resilient state estimation for control systems using multiple observers and median operation. Math. Probl. Eng. 2016, 3750264 (2016)
Khalil, H.K.: Nonlinear Control. Pearson Higher Ed (2014)
Kim, D., Ryu, K., Back, J.: Zero assignment via generalized sampler: a countermeasure against zero-dynamics attack. submitted
Kim, D., Ryu, K., Back, J.: Security enhancement of sampled-data systems: zero assignment via generalized sampler. In: Proceedings of IFAC World Congress (2020)
Kim, J., Back, J., Park, G., Lee, C., Shim, H., Voulgaris, P.G.: Neutralizing zero dynamics attack on sampled-data systems via generalized holds. Automatica 113 (2020)
Kim, J., Park, G., Shim, H., Eun, Y.: Masking attack for sampled-data systems via input redundancy. IET Control Theory Appl. 13(14), 2300–2308 (2019)
Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)
Lee, R.M., Assante, M.J., Conway, T.: Analysis of the cyber attack on the Ukrainian power grid. SANS Industrial Control Systems, Washington, DC. USA, Technical Report (2016)
Lee, C., Shim, H., Eun, Y.: On redundant observability: from security index to attack detection and resilient state estimation. IEEE Trans. Autom. Control 64(2), 775–782 (2019)
Lee, J.G., Kim, J., Shim, H.: Fully distributed resilient state estimation based on distributed median solver. IEEE Trans. Autom. Control 65(9), 3935–3942 (2020)
Naghnaeian, M., Hirzallah, N.H., Voulgaris, P.G.: Security via multirate control in cyber-physical systems. Syst. Control Lett. 124, 12–18 (2019)
Park, G., Lee, C., Shim, H.: On stealthiness of zero-dynamics attacks against uncertain nonlinear systems: a case study with quadruple-tank process. In: Proceedings of International Symposium on Mathematical Theory of Networks and Systems (MTNS), pp. 10–17 (2018)
Park, G., Lee, C., Shim, H., Eun, Y., Johansson, K.H.: Stealthy adversaries against uncertain cyber-physical systems: threat of robust zero-dynamics attack. IEEE Trans. Autom. Control 64(12), 4907–4919 (2019)
Park, G., Shim, H., Lee, C., Eun, Y., Johansson, K.H.: When adversary encounters uncertain cyber-physical systems: Robust zero-dynamics attack with disclosure resources. In: Proceedings of IEEE 55th Conference on Decision and Control, pp. 5085–5090 (2016)
Shane, S., Sanger, D.E.: Drone crash in Iran reveals secret US surveillance effort. The New York Times, December 8 (2011)
Shieh, L.S., Wang, W.M., Bain, J., Sunkel, J.W.: Design of lifted dual-rate digital controllers for X-38 vehicle. J. Guid. Control Dyn. 23(4), 629–639 (2000)
Shim, H., Park, G., Joo, Y., Back, J., Jo, N.H.: Yet another tutorial of disturbance observer: robust stabilization and recovery of nominal performance. Control Theory Technol. 14(3), 237–249 (2016)
Slay, J., Miller, M.: Lessons learned from the Maroochy water breach. Crit. Infrastruct. Prot. 253, 73–82 (2007)
Sussmann, H., Kokotovic, P.: The peaking phenomenon and the global stabilization of nonlinear systems. IEEE Trans. Autom. Control 36(4), 424–440 (1991)
Teixeira, A., Shames, I., Sandberg, H., Johansson, K.H.: Revealing stealthy attacks in control systems. In: Proceedings of 50th Annual Allerton Conference on Communication, Control, and Computing, pp. 1806–1813 (2012)
Yuz, J.I., Goodwin, G.C.: Sampled-Data Models for Linear and Nonlinear Systems. Springer (2014)
Acknowledgements
The authors are grateful to Hyuntae Kim at Seoul National University for his idea of Remark 2. This work was supported by Institute for Information & communications Technology Promotion grant funded by MSIT, the Korean government (2014-0-00065, Resilient Cyber-Physical Systems Research).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Shim, H., Back, J., Eun, Y., Park, G., Kim, J. (2022). Zero-Dynamics Attack, Variations, and Countermeasures. In: Ishii, H., Zhu, Q. (eds) Security and Resilience of Control Systems. Lecture Notes in Control and Information Sciences, vol 489. Springer, Cham. https://doi.org/10.1007/978-3-030-83236-0_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-83236-0_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-83235-3
Online ISBN: 978-3-030-83236-0
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)