Generalized Attack Model for Networked Control Systems, Evaluation of Control Methods

Networked Control Systems (NCSs) have been implemented in several different industries. The integration with advanced communication networks and computing techniques allows the efficiency of industrial control systems to be enhanced. Despite all the advantages that NCSs bring to industry, they remain at risk from a spectrum of physical and cyber-attacks. In this paper, we elaborate on security vulnerabilities of NCSs, and examine how these vulnerabilities may be exploited when attacks occur. A general model of an NCS designed with three different controllers, i.e., proportional-integral-derivative (PID) controllers, Model Predictive Control (MPC) and the Emotional Learning Controller (ELC), is studied. Then three different types of attacks are applied to evaluate the system performance. For the case study, a networked pacemaker system using the Zeeman nonlinear heart model (ZHM) as the plant is combined with the above-mentioned controllers to test the system performance when under attack. The results show that with the Emotional Learning Controller (ELC), the pacemaker is able to track the ECG signal with high fidelity even under different attack scenarios.


Introduction
Control systems have many applications in industry. The new wave of system designs using the strategy of networked control systems (NCSs) has created security issues in industry, which has been an important challenge for many researchers. Security of NCSs plays an important role in the protection of industrial and critical infrastructure. For example, the energy and power, transportation, water and wastewater, and healthcare and public health sectors are some industries facing a high probability of attacks. Although security schemes for control systems have been developed in the past several years, there are still many acknowledged cyber-attacks. Some recent specific events further confirm that attacks have happened in control systems in different industries [1]. Therefore, in recent years, security of NCSs has been at center stage for researchers, engineers, and governmental entities because exploited security risks could cause catastrophic consequences [2].
Most conventional methods in control system design assume that the system operates in a normal condition without any attacks involved. In this case, any interference, delay, or attack on any part of a control system, such as sensors and communication links, can drive the system away from the required performance or, even worse, into an unstable mode.

Many researchers have studied control systems under attacks. A class of False Data Injection (FDI) attacks bypassing the bad data detection in Supervisory Control and Data Acquisition (SCADA) systems was proposed in [3]. In [4], adversaries launched FDI attacks against state estimates of power systems, knowing only a perturbed model of the power system. Y. Mo et al. studied FDI attacks on a control system equipped with a Kalman filter [3]. Fault attacks have also been a critical concern in the aviation industry, where a small attack or fault can damage the system itself and cost human lives [5]. Abbaspour et al. introduced a neural network (NN) fault detection design for the detection of abrupt faults in the actuators and sensors of control systems. They used an extended Kalman filter to improve the NN's ability to detect faults [6]. A neural observer approach for the detection of FDI attacks is introduced in [7]. In [8], the smallest set of adversary-controlled meters needed to perform an unobservable attack was identified. Recently, Amin et al. considered Denial of Service (DoS) attacks on the communication channels over which the measurements telemetered by remote terminal units (RTUs) were sent to the control center of power systems [9]. They demonstrated that an adversary could make power systems unstable by properly designing DoS attack sequences. Liu et al. considered how a switched-DoS attack on a smart grid could affect the dynamic performance of its power systems [10]. The Viking project [11] considered cyber-attacks on Load Frequency Control (LFC), one of the few automatic control loops in power systems. They analyzed the impacts of cyber-attacks on the control centers of power systems by using reachability methods. However, they only considered attacks on the control centers, which are usually harder to attack than the communication channels in the sensing loop of a power system. In the area of biomedical devices, security has become increasingly critical because the development trend of these devices will connect them to other entities through both wired and wireless channels. It is therefore important to consider medical device security issues [12].
The rest of this paper is organized as follows: Section 2 illustrates three different types of attacks on NCSs. Section 3 provides the information needed for the proposed case study. Section 4 presents the results of the numerical simulation conducted in this study. Finally, in Section 5, the conclusion and remarks are presented.

Types of Attacks on NCSs
Here a generalized model of an NCS under attack is shown in Figure 1.
This system is described concisely as an output feedback system having the form: where x is the plant state vector; y is the information communicated to the controller about the plant state; u is the control vector; f is a function describing the plant behavior; g describes the plant output and the communication methodology used; and h is a description of the controller.
An attack on the NCS involves altering any component of the system. A general attack can be described by a function that alters any of the components of the system.

a) Denial of Service (DoS) Attack
A DoS attack can disconnect service or data from the plant to the controller, from the controller to the plant, or both at the same time. In our general model of attacks, this attack can be described as follows, where α can be zero or some random value.

b) Fault Analysis Attack
This class of attack injects faults into a device performing some computation.
These faults can be caused by changing the environmental conditions, the injection of a laser beam at an appropriate frequency [14], or the injection of data packets that collide with legitimate packets [15]. The work of Yuan and Liu et al. has shown the load redistribution attack [16] [17] [18], which is a false data injection attack that modifies selected information in a Supervisory Control and Data Acquisition (SCADA) power system. This attack is especially dangerous because it can manipulate the estimation of system power flow. Depending on whether the attack is short-term or long-term, it can damage the security-constrained economic dispatch (SCED) price estimation [17].
This attack can be modeled as follows, where z is an input signal designed by the attacker for the purpose of either misleading the control system, causing system inefficiencies, or sabotaging it. In [19], the authors applied a time-delay switched (TDS) attack (item c below) to a networked nonlinear heartbeat system and proposed a controller that is more robust to TDS attacks. In [20], a TDS attack was used to introduce time delays in the dynamics of power systems. TDS attacks can cause devastating consequences on smart grids if no prevention measures are considered in the design of these power systems.
TDS attacks can be modeled as a delay of the output signals telemetered to the controller, or as an attack on the clocking and synchronization mechanisms in NCSs, where τ is a random time delay that is always less than the time t.
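As an added illustration, not code from the paper, the three attack models above (DoS y_a = α·y with α zero or random, FDI y_a = y + z, TDS y_a(t) = y(t − τ)) applied to the measurement stream sent from plant to controller, with the MSE over the attack slot computed as in Table 2. The ECG-like test signal, the 1.4 to 1.45 s window, the sampling period and the injected z(t) are constructed here and are assumptions.

```python
"""Attack models on the telemetered output y(t) of an NCS, following the text:
DoS: y_a = alpha*y (alpha = 0 or random); FDI: y_a = y + z(t); TDS: y_a(t) = y(t - tau)."""
import math
import random

def attacked_output(samples, dt, kind, t_s, t_f, alpha=0.0, z=None, tau=0.0, seed=0):
    """Return a copy of `samples` (y sampled every dt seconds) with the attack applied
    only while t_s <= t <= t_f. The window is compared on sample indices to avoid float drift."""
    rng = random.Random(seed)
    k_s, k_f, d = round(t_s / dt), round(t_f / dt), round(tau / dt)
    out = []
    for k, y in enumerate(samples):
        if not (k_s <= k <= k_f):
            out.append(y)                        # outside the window the channel is clean
        elif kind == "dos":
            out.append(alpha * y)                # alpha = 0: the measurement never arrives
        elif kind == "fdi":
            inj = z(k * dt) if z else rng.uniform(-0.05, 0.05)  # attacker-designed z(t)
            out.append(y + inj)
        elif kind == "tds":
            out.append(samples[max(0, k - d)])   # controller sees a tau-old sample (tau < t)
        else:
            raise ValueError(f"unknown attack kind: {kind}")
    return out

def window_mse(a, b, dt, t_s, t_f):
    """Mean squared error between two sampled signals over [t_s, t_f], as in Table 2."""
    k_s, k_f = round(t_s / dt), round(t_f / dt)
    errs = [(x - y) ** 2 for x, y in zip(a[k_s:k_f + 1], b[k_s:k_f + 1])]
    return sum(errs) / len(errs)

DT = 0.01
# Constructed stand-in for the reference ECG: a 1.2 Hz (72 bpm) sinusoid sampled over 2 s.
ECG_REF = [math.sin(2 * math.pi * 1.2 * k * DT) for k in range(200)]

if __name__ == "__main__":
    for kind, kw in (("dos", {"alpha": 0.0}), ("fdi", {}), ("tds", {"tau": 0.01})):
        y_a = attacked_output(ECG_REF, DT, kind, 1.4, 1.45, **kw)
        print(f"{kind}: MSE over 1.4-1.5 s = {window_mse(y_a, ECG_REF, DT, 1.4, 1.5):.5f}")
```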

Case Study
To evaluate the effectiveness of different controllers for pacemakers under DoS, FDI and TDS attacks, we need a mathematical model for the heartbeat. There is a large body of research on heart signals and pacemakers [21] [22], which shows the importance of this area.
The 2nd-order heartbeat model is selected for the case study in this paper [19].
The model is described as follows, where x_1 and x_2 indicate the length of a muscle fiber and the state related to electrochemical activity, respectively; x_d indicates a typical muscle fiber length when the heart is in the systolic state; x_s is an additional parameter representing a typical fiber length; ε is a small positive constant; T represents the tension in the muscle fiber; and u(t) is the cardiac pacemaker control that leads the heart into the diastolic and systolic states. The parameters adopted are described in Table 1 [19].
Three different controllers are adopted to compare their performance. The optimal state feedback controller, the PID controller, and the ELCPID are given below.
Here x(t) represents any one of the possible attack signals described in Equations (5) to (7). The error signal is defined as e(t) = r(t) − x_2(t). In the representation of ELCPID, SI can be a PID controller, and the controller parameters G_A and G_OC can be calculated as described in [19] [23].

Stability Analysis of the Nonlinear Heartbeat Model
Now we discuss the stability of the 2nd-order nonlinear model given in (8). First, we consider the cardiac pacemaker control signal to take the values 0 and 1, which indicates on-off control. If the control signal of the pacemaker, u(t), is zero when T = 1, ε = 0.2, and x_d = 0, then the equilibrium point (0, 0) is not stable. This can be shown by solving for the equilibrium of the system: the equilibrium point of the system described in (12) is not stable. This conclusion can be confirmed by analyzing the stability of the equilibrium point using the Lyapunov indirect stability theorem. To do this, we calculate the Jacobian matrix A of (12) at the origin and its eigenvalues. At the equilibrium point (0, 0), both eigenvalues are positive when T = 1 and ε = 0.2, which indicates that the system is not stable at the origin. However, the system described in (12) is stable if x_d is replaced by 1.024, based on the literature [24]. For x_d = 1.024 and T = 1, the equilibrium point is stable at (1.024, −0.0497), as shown in Figure 2, which is the phase portrait with the new value of x_d. All the trajectories, regardless of their initial values, go to the diastolic equilibrium point shown by the cube. Since the equilibrium point is stable, the system stays at this point unless there is an external excitation that forces the system to a new equilibrium point. Now, we consider the system described in (8) with u(t) = 1, x_d = 1.024, x_s = −1.3804, T = 1, and ε = 0.2. With these parameter values we move the heart to the systolic state (Figure 3). Based on this study, the control signal directs the heart from the diastolic to the systolic state, and adversaries can disrupt this process by injecting attacks into the sensory and/or control signal. Also, controllability and observability are assumed for the heartbeat model based on the literature [24].
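An added worked check of the stability analysis above, not the paper's code: it builds the Jacobian, applies the Lyapunov indirect method at the origin and at x_1 = 1.024, and integrates the model to show trajectories settling at the diastolic and systolic equilibria. The model form used is the standard Zeeman second-order heart model from the cited literature [19] [24], ε·ẋ_1 = −(x_1³ − T·x_1 + x_2) and ẋ_2 = x_1 − x_d + (x_d − x_s)·u, which is an assumption here since the equation itself is not reproduced on this page; with the page's parameter values it yields the page's equilibrium (1.024, −0.0497).

```python
"""Stability check of the 2nd-order heartbeat model with the page's parameters.
Model form (assumed, standard Zeeman model from the cited literature [19], [24]):
    eps * dx1/dt = -(x1**3 - T*x1 + x2)
          dx2/dt = x1 - x_d + (x_d - x_s) * u(t)
Pure Python; the 2x2 eigenvalues come from the characteristic polynomial."""
import math

T, EPS, X_D, X_S = 1.0, 0.2, 1.024, -1.3804   # parameter values stated on the page

def f(x1, x2, u, x_d=X_D):
    """Right-hand side of the heartbeat model for pacemaker input u (0 or 1)."""
    return -(x1**3 - T*x1 + x2) / EPS, x1 - x_d + (x_d - X_S) * u

def jacobian(x1):
    """Jacobian A of the model; only the (1,1) entry depends on the state."""
    return [[(T - 3*x1**2) / EPS, -1.0 / EPS], [1.0, 0.0]]

def eigenvalues(A):
    """Eigenvalues of a 2x2 matrix from its trace and determinant."""
    tr = A[0][0] + A[1][1]
    det = A[0][0]*A[1][1] - A[0][1]*A[1][0]
    disc = tr*tr - 4*det
    root = math.sqrt(abs(disc))
    if disc >= 0:
        return [(tr - root) / 2, (tr + root) / 2]
    return [complex(tr / 2, -root / 2), complex(tr / 2, root / 2)]

def is_stable(x1):
    """Lyapunov indirect method: stable if every eigenvalue has a negative real part."""
    return all(ev.real < 0 for ev in eigenvalues(jacobian(x1)))

def simulate(x1, x2, u, x_d=X_D, dt=1e-3, t_end=20.0):
    """RK4 integration from (x1, x2) with constant pacemaker input u; returns the final state."""
    for _ in range(int(round(t_end / dt))):
        k1 = f(x1, x2, u, x_d)
        k2 = f(x1 + dt/2*k1[0], x2 + dt/2*k1[1], u, x_d)
        k3 = f(x1 + dt/2*k2[0], x2 + dt/2*k2[1], u, x_d)
        k4 = f(x1 + dt*k3[0], x2 + dt*k3[1], u, x_d)
        x1 += dt/6 * (k1[0] + 2*k2[0] + 2*k3[0] + k4[0])
        x2 += dt/6 * (k1[1] + 2*k2[1] + 2*k3[1] + k4[1])
    return x1, x2

if __name__ == "__main__":
    print("origin (x_d = 0):", eigenvalues(jacobian(0.0)), "stable" if is_stable(0.0) else "unstable")
    print("x_1 = 1.024:", eigenvalues(jacobian(X_D)), "stable" if is_stable(X_D) else "unstable")
    print("diastole, u = 0, from (0.5, 0.5):", simulate(0.5, 0.5, u=0))
    print("systole,  u = 1, from (0.5, 0.5):", simulate(0.5, 0.5, u=1, t_end=40.0))
```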

Simulations and Results
The above-mentioned 2nd-order heartbeat model using the Emotional Learning PI Control (ELPIC) technique was simulated first to test whether this model can adequately represent the mechanism of heartbeat in ECG signal generation. Figure 4 shows that the output from the model with the ELPIC controller accurately matches the measurement. In the figure, the dashed line shows the output of the model controlled by the ELPIC technique and the solid line indicates the patient's ECG signal, which serves as the reference signal [25].
More details about the ELPIC technique can be found in [19].
Three different attacks, the TDS attack, the DoS attack and the FDI attack, are applied to the heartbeat model with different controllers. The controllers evaluated are the ELPIC, the classical PI, and the MPC adopted in MATLAB. To compare the performance of these three controllers under the above-mentioned attacks, we apply the attacks to the model with the different controllers in the time interval between t_s = 1.4 sec and t_f = 1.45 sec and check the corresponding responses. In the simulation, a time delay of τ = 0.01 sec is adopted in the TDS attack, and small random variables were injected into the model to simulate the FDI attack.
The results are shown in Figures 5-7. In all of the figures, the ECG signal and the responses of the model with the different controllers are shown. The responses of the model with the classical PI controller and the MPC are significantly off. Although ELPIC is less powerful in tracking the highly nonlinear reference ECG signal, it is more robust under the TDS, DoS and FDI attacks.
Table 2 shows the mean squared error (MSE) between the system's output and the reference ECG signal for the time slot from 1.4 seconds to 1.5 seconds, during which the system is under attack. The results verify our visual findings.

Conclusion
In this paper, we have described a general model of NCSs under attack and reviewed the mathematical models of some possible attacks. Through simulations, we have shown the impacts of those attacks on the performance of a networked pacemaker. The simulation results also show that the ELPIC method provides much better performance than the PID and the MPC when the system is under DoS, TDS and FDI attacks.

c) Time-Delay Switched Attack (TDS)
The time-delay switched (TDS) attack on NCSs was proposed by Sargolzaei et al., who showed that this type of attack can destabilize NCSs [2].

Figure 2. Phase portrait of the heartbeat model in the diastolic state; the black cube shows the equilibrium point.

Figure 3. Phase portrait of the heart model in the systolic state; the cube denotes the equilibrium point.

Figure 4. Simulation result of ECG tracking for the 2nd-order heartbeat model based on the ELPIC pacemaker signal.

Table 2. Mean squared error for controllers under attacks.
The figures clearly show that the responses of the model with ELPIC closely matched the reference ECG signal when the model is under any of these attacks.