Networked Control Systems (NCSs) have been implemented in several different industries. Integration with advanced communication networks and computing techniques enhances the efficiency of industrial control systems. Despite the advantages that NCSs bring to industry, they remain at risk from a spectrum of physical and cyber-attacks. In this paper, we elaborate on the security vulnerabilities of NCSs and examine how these vulnerabilities may be exploited when attacks occur. A general model of an NCS designed with three different controllers, i.e., a proportional-integral-derivative (PID) controller, Model Predictive Control (MPC) and an Emotional Learning Controller (ELC), is studied. Three different types of attacks are then applied to evaluate the system performance. For the case study, a networked pacemaker system using the Zeeman nonlinear heart model (ZHM) as the plant is combined with the above-mentioned controllers to test the system performance under attack. The results show that with the Emotional Learning Controller (ELC), the pacemaker is able to track the ECG signal with high fidelity even under different attack scenarios.

Control systems have many applications in industry. The recent revolution in system design based on networked control systems (NCSs) has created security issues in industry, which has been an important challenge for many researchers. Security of NCSs plays an important role in the protection of industrial and critical infrastructure. For example, the energy and power, transportation, water and wastewater, and healthcare and public health sectors face a high probability of attacks. Although security schemes for control systems have been developed in the past several years, there are still many acknowledged cyber-attacks. Some recent specific events further confirm that attacks have happened in control systems in different industries [

Most conventional methods in control system design assume that the system operates in a normal condition without any attacks involved. In this case, any interference, delay, or attack on any part of a control system, such as sensors and communication links, can drive the system away from the required performance or, even worse, into an unstable mode.

Many researchers have studied control systems under attacks. A class of False Data Injection (FDI) attacks bypassing the bad data detection in Supervisory Control and Data Acquisition (SCADA) systems was proposed by [

The rest of this paper is organized as follows: Section 2 illustrates three different types of attacks to NCSs. Section 3 provides the needed information for the proposed case study. Section 4 presents the results of the numerical simulation conducted in this study. Finally, in Section 5, the conclusion and remarks are presented.

Here a generalized model for an NCS under attack is shown in

This system is described concisely as an output feedback system having the form:

$$
\dot{x} = f(t, x, u), \qquad y = g(x) \tag{1}
$$

and

$$
u = h(y) \tag{2}
$$

where x is the plant state vector; y is the information communicated with the controller about the plant state; u is the control vector; f is a function describing the plant behavior; g describes the plant output and the communication methodology used, and h is a description of the controller.

An attack on the NCS involves altering any component of the system. A general attack can be described by a function that alters any of the components of the system

$$
(\tilde{f}, \tilde{g}, \tilde{h}, \tilde{x}, \tilde{y}, \tilde{u}, \tilde{t}) = \Lambda(f, g, h, x, y, u, t) \tag{3}
$$

where $(\tilde{f}, \tilde{g}, \tilde{h}, \tilde{x}, \tilde{y}, \tilde{u}, \tilde{t})$ are the corrupted functions and information that result from an attack Λ.

The three most probable attacks on NCSs, especially on Networked Power Control Systems (NPCS), are given below:

a) Denial of Service (DoS)

This attack seeks to sabotage an NCS by overwhelming its communication and computational resources in order to prevent it from working [

attack can disconnect service or data from the plant to the controller, from the controller to the plant, or both at the same time. In our general model of attacks, this attack can be described as follows:

$$
\tilde{y} = \begin{cases} y & \text{otherwise} \\ \alpha & \text{attack} \end{cases} \tag{4}
$$

where α can be zero, or some random value.

b) Fault Analysis Attack

This class of attack injects faults into a device performing some computation. These faults can be caused by changing the environmental conditions, the injection of a laser beam at an appropriate frequency [

$$
\tilde{y} = \begin{cases} y & \text{otherwise} \\ z & \text{attack} \end{cases} \tag{5}
$$

where z is an input signal designed by the attacker for the purpose of either misleading the control system, causing systems inefficiencies, or sabotaging it.

c) Time-Delay Switched Attack (TDS)

The Time Delay Switched Attack (TDS) on NCSs was proposed by Sargolzaei et al., who have shown that this type of attack can destabilize NCSs [

$$
\tilde{y} = \begin{cases} y & \text{otherwise} \\ y(t - \tau) & \text{attack} \end{cases} \tag{6}
$$

or as an attack on the clocking and synchronization mechanisms in NCSs

$$
\tilde{t} = \begin{cases} t & \text{otherwise} \\ t - \tau & \text{attack} \end{cases} \tag{7}
$$

where τ is a random variable time-delay that is always less than time t.
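The three measurement-channel models (4) to (6) can be exercised on sampled data to see what the controller actually receives. The Python sketch below is an added example, not code from the paper; the 1 ms sampling period, the sine test signal, the noise amplitude and the option name `inject` for model (5) are assumptions, while the attack interval 1.4 s to 1.45 s and τ = 0.01 s are the values the paper reports for its simulations.

```python
import math
import random

def attacked_measurement(y, dt, attack, t_s, t_f, tau=0.0, alpha=0.0, z=None):
    """Return the corrupted samples y~ for one attack window [t_s, t_f].

    y is the true plant output sampled every dt seconds. Outside the window
    y~ = y (the "otherwise" branch); inside it follows (4), (5) or (6).
    """
    k_s, k_f, lag = round(t_s / dt), round(t_f / dt), round(tau / dt)
    out = list(y)
    for k in range(max(k_s, 0), min(k_f, len(y) - 1) + 1):
        if attack == "dos":        # (4): y~ = alpha (zero or a random value)
            out[k] = alpha
        elif attack == "inject":   # (5): y~ = z, a signal chosen by the attacker
            out[k] = z[k]
        elif attack == "tds":      # (6): y~ = y(t - tau), a stale sample
            out[k] = y[max(k - lag, 0)]
        else:
            raise ValueError(f"unknown attack model: {attack!r}")
    return out

def peak_error(r, y_tilde):
    """Largest |e(t)| = |r(t) - y~(t)| that the controller would act on."""
    return max(abs(rk - yk) for rk, yk in zip(r, y_tilde))

def demo():
    # Constructed data: a 1 Hz sine stands in for the measured state, and the
    # reference equals it, so any non-zero error is caused by the attack alone.
    dt, n = 0.001, 2000                      # assumed 1 ms sampling, 2 s run
    y = [math.sin(2 * math.pi * k * dt) for k in range(n)]
    rng = random.Random(0)                   # fixed seed, repeatable noise
    z = [yk + rng.uniform(-0.05, 0.05) for yk in y]   # assumed noise size
    window = dict(t_s=1.4, t_f=1.45)         # interval used in the simulation
    return {
        "dos": peak_error(y, attacked_measurement(y, dt, "dos", **window)),
        "inject": peak_error(y, attacked_measurement(y, dt, "inject", z=z, **window)),
        "tds": peak_error(y, attacked_measurement(y, dt, "tds", tau=0.01, **window)),
    }

if __name__ == "__main__":
    for name, err in demo().items():
        print(f"{name:7s} peak |e| = {err:.4f}")
```

Because the reference equals the true signal in this constructed run, each reported value is the spurious tracking error that the attack alone feeds to the controller.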

To evaluate the performance of the different controllers on pacemakers under DoS, FDI and TDS attacks, we need a mathematical model for the heartbeat. There is much research in the area of heart signals and pacemakers [

The 2^{nd}-order heartbeat model is selected for the case study in this paper [

$$
\begin{bmatrix} \dot{x}_1(t) \\ \dot{x}_2(t) \end{bmatrix} = \begin{bmatrix} -\dfrac{1}{\varepsilon}\left\{ x_1^3(t) - T x_1(t) + x_2(t) \right\} \\ \left( x_1(t) - x_d \right) + (x_d - x_s)\, u(t) \end{bmatrix} \tag{8}
$$

where x_{1} and x_{2} indicate the length of a muscle fiber and the state related to electrochemical activities, respectively; x_{d} indicates a typical muscle fiber length when the heart is in the systolic state; x_{s} is an additional parameter representing a typical fiber length; ε is a small positive constant; T represents tension in the muscle fiber; and u(t) is the cardiac pacemaker control that leads the heart into the diastolic and the systolic states. The parameters adopted are described in the table below [

Parameter | x_{d} | T | ε | x_{s} |
---|---|---|---|---|
Value | 1.024 | 1 | 0.2 | −1.38 |

Three different controllers are adopted to compare their performance. The optimal state feedback controller, the PID controller, and the ELCPID are given below:

$$
u(t) = -K \tilde{x}_2(t) \tag{9}
$$

$$
u(t) = K_p e(t) + K_D \dot{e}(t) + K_I \int_0^t e(t) \tag{10}
$$

$$
u(t) = (G_A - G_{OC})\, \mathrm{IS} \tag{11}
$$

Here $\tilde{x}_2(t)$ represents any one of the possible attack signals described in Equations (5) to (7). The error signal is defined as $e(t) = r(t) - \tilde{x}_2(t)$. In the representation of ELCPID, $\mathrm{IS}$ can be a PID controller, and the controller parameters $G_A$ and $G_{OC}$ can be calculated as described in [

Now we will discuss the stability of the 2^{nd}-order nonlinear model given in (8). First, we consider the cardiac pacemaker control signal to be in the form of 0 and 1, which indicates on-off control. If the control signal of the pacemaker, u(t), is zero when T = 1, ε = 0.2, and x_{d} = 0, then the equilibrium point at (0, 0) is not stable. This can be calculated by solving the following equation

$$
\dot{x} = \begin{bmatrix} -\dfrac{1}{\varepsilon}\left( x_1^3 - T x_1 + x_2 \right) \\ x_1 - x_d \end{bmatrix} = \begin{bmatrix} -5\left( x_1^3 - x_1 + x_2 \right) \\ x_1 \end{bmatrix} = 0 \tag{12}
$$

It can be shown that the equilibrium point for the system described in (12) is not stable. This conclusion can be confirmed by analyzing the stability of the equilibrium point using the Lyapunov indirect stability theorem. To do this, we calculate the Jacobian matrix A of (12) at the origin

$$
A = \begin{bmatrix} \dfrac{\partial \dot{x}_1}{\partial x_1} & \dfrac{\partial \dot{x}_1}{\partial x_2} \\ \dfrac{\partial \dot{x}_2}{\partial x_1} & \dfrac{\partial \dot{x}_2}{\partial x_2} \end{bmatrix} = \begin{bmatrix} -\dfrac{1}{\varepsilon}\left( 3x_1^2 - T \right) & -\dfrac{1}{\varepsilon} \\ 1 & 0 \end{bmatrix} \tag{13}
$$

The eigenvalues of A are

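$$
\begin{bmatrix} \lambda_1 \\ \lambda_2 \end{bmatrix} = \begin{bmatrix} \dfrac{1}{2\varepsilon}\left\{ -\left( 3x_1^2 - T \right) + \sqrt{\left( 3x_1^2 - T \right)^2 - 4\varepsilon} \right\} \\ \dfrac{1}{2\varepsilon}\left\{ -\left( 3x_1^2 - T \right) - \sqrt{\left( 3x_1^2 - T \right)^2 - 4\varepsilon} \right\} \end{bmatrix} \tag{14}
$$

At the equilibrium point (0, 0), we obtain

$$
\begin{bmatrix} \lambda_1 \\ \lambda_2 \end{bmatrix} = \begin{bmatrix} \dfrac{1}{2\varepsilon}\left\{ T + \sqrt{T^2 - 4\varepsilon} \right\} \\ \dfrac{1}{2\varepsilon}\left\{ T - \sqrt{T^2 - 4\varepsilon} \right\} \end{bmatrix} = \begin{bmatrix} \dfrac{1}{0.4}\left\{ 1 + \sqrt{0.2} \right\} \\ \dfrac{1}{0.4}\left\{ 1 - \sqrt{0.2} \right\} \end{bmatrix}
$$

i.e., both eigenvalues are positive when T = 1 and ε = 0.2, which indicates that the system is not stable at the origin.

However, the system described in (12) is stable if the condition $3x_1^2 - T > 0$ is satisfied. This condition is met if the value of $x_d$ is set to 1.024, based on the literature [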
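The linearization in (13) and the eigenvalues in (14) can be checked numerically. The Python sketch below is an added example, not code from the paper: it differentiates the vector field of (8) by central differences and compares the result with (14) at the origin and at the equilibrium for x_d = 1.024; the function names and the step size h are assumptions.

```python
import cmath

def heart_field(x1, x2, u=0.0, T=1.0, eps=0.2, xd=0.0, xs=-1.38):
    """Right-hand side of model (8); with u = 0 it reduces to (12)."""
    dx1 = -(x1**3 - T * x1 + x2) / eps
    dx2 = (x1 - xd) + (xd - xs) * u
    return dx1, dx2

def jacobian(x1, x2, h=1e-6, **params):
    """Central-difference Jacobian of heart_field, independent of (13)."""
    cols = []
    for d1, d2 in ((h, 0.0), (0.0, h)):
        fp = heart_field(x1 + d1, x2 + d2, **params)
        fm = heart_field(x1 - d1, x2 - d2, **params)
        cols.append([(p - m) / (2 * h) for p, m in zip(fp, fm)])
    # cols[j][i] = d(f_i)/d(x_j); transpose to the usual row layout
    return [[cols[0][0], cols[1][0]], [cols[0][1], cols[1][1]]]

def eigenvalues(A):
    """Eigenvalues of a 2x2 matrix from its trace and determinant."""
    tr = A[0][0] + A[1][1]
    det = A[0][0] * A[1][1] - A[0][1] * A[1][0]
    root = cmath.sqrt(tr * tr - 4 * det)
    return (tr + root) / 2, (tr - root) / 2

def closed_form(x1, T=1.0, eps=0.2):
    """Eigenvalues as written in (14)."""
    a = 3 * x1**2 - T
    root = cmath.sqrt(a * a - 4 * eps)
    return (-a + root) / (2 * eps), (-a - root) / (2 * eps)

def equilibrium(xd, T=1.0):
    """Equilibrium of (12): x1 = xd and x2 = T*xd - xd**3."""
    return xd, T * xd - xd**3

def is_stable(x1, x2, **params):
    """Lyapunov indirect test: every eigenvalue has a negative real part."""
    return all(lam.real < 0 for lam in eigenvalues(jacobian(x1, x2, **params)))

if __name__ == "__main__":
    for xd in (0.0, 1.024):
        x1, x2 = equilibrium(xd)
        print(xd, eigenvalues(jacobian(x1, x2, xd=xd)), is_stable(x1, x2, xd=xd))
```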

Now, we consider the system described in (8) with u(t) = 1, x_{d} = 1.024, x_{s} = −1.3804, T = 1, and ε = 0.2. With these parameter values we move the heart to the systolic state (

process by injecting attacks to the sensory and/or control signal.

Also the controllability and the observability are assumed for the heartbeat model based on literature [

The above mentioned 2^{nd}-order heartbeat model using the Emotional Learning PI Control (ELPIC) technique has been simulated first to test whether this model can adequately represent the mechanism of heartbeat in the ECG signal generation.

Three different attacks, the TDS attack, the DoS attack and the FDI attack, are applied to the heartbeat model with different controllers. The controllers evaluated are the ELPIC, the classical PI, and the MPC adopted in MATLAB. To compare the performance of these three controllers under the above-mentioned attacks, we apply the attacks to the model with different controllers in the time interval between t_{s} = 1.4 sec and t_{f} = 1.45 sec and check the corresponding responses. In the simulation, a time delay of τ = 0.01 sec is adopted in the TDS attack, and small random variables were injected into the model to simulate the FDI attack.

The results are shown in Figures 5-7. In all of the figures, the ECG signal and the signals from different controllers, ELPIC, MPC and PID, are represented by solid line, dashed line, dotted line and dash-dot line, respectively. The figures clearly show that the responses of the model with ELPIC closely match the referenced ECG signal when the model is under any of these attacks. The responses of the model with the classical PI controller and the MPC are significantly off. Although ELPIC is less powerful in tracking the highly nonlinear referenced ECG signal, it is more robust under the TDS, DoS and FDI attacks.

Controller | TDS attack | DoS attack | FDI attack |
---|---|---|---|
MPC | 0.0068 | 0.0742 | 0.0756 |
PID | 0.0074 | 0.1118 | 0.0750 |
ELPIC | 0.00029 | 0.0057 | 0.0207 |

In this paper, we have described a general model of NCSs under attack and reviewed the mathematical model of some possible attacks. Through simulations we have shown the impacts of those attacks on the performance of a networked pacemaker. The simulation results also show that the ELPIC method provides much better performance than that of the PID and the MPC when the system is under DoS, TDS and FDI attacks.

Sargolzaei, A., Yen, K., Abdelghani, M., Abbaspour, A. and Sargolzaei, S. (2017) Generalized Attack Model for Networked Control Systems, Evaluation of Control Methods. Intelligent Control and Automation, 8, 164-174. http://dx.doi.org/10.4236/ica.2017.83013