A survey on the security of cyber-physical systems

Control Theory and Technology, 2016, Issue 1 (web page dated 2016-12-22 05:18)

Guangyu WU 1,2, Jian SUN 1,2 †, Jie CHEN 1,2

1. School of Automation, Beijing Institute of Technology, Beijing 100081, China;

2. Key Laboratory of Intelligent Control and Decision of Complex Systems, Beijing Institute of Technology, Beijing 100081, China

Received 30 November 2015; revised 30 December 2015; accepted 30 December 2015


Cyber-physical systems (CPSs) are integrations of computation, communication, control and physical processes. Typical examples where CPSs are deployed include smart grids, civil infrastructure, medical devices and manufacturing. Security is one of the most important issues that should be investigated in CPSs and hence has received much attention in recent years. This paper surveys recent results in this area and mainly focuses on three important categories: attack detection, attack design, and secure estimation and control. We also discuss several future research directions, including risk assessment, modeling of attacks and attack design, counter-attack strategy, and testbed and validation.

Security, cyber-physical systems, attack detection, secure estimation and control

1 Introduction

Cyber-physical systems can be generally characterized as complex networked control systems, which combine physical elements in the real world with computing elements in the cyber space. CPSs are becoming ubiquitous and are impacting all aspects of our lives. CPSs integrate physical processes, distributed sensors, actuators, and embedded computers over a communication network and are expected to exceed traditional embedded systems in various aspects such as efficiency, safety, reliability, robustness and adaptability. Nowadays, CPSs can be found in a growing number of areas such as chemical process control, building automation, emergency management, manufacturing and transportation.

However, CPSs face serious potential security threats and can be vulnerable to various cyber attacks without any signs of component failure. For instance, the communication channel of a control system could be vulnerable to a denial-of-service (DoS) attack, which leads to severe time delays and serious degradation of control performance. As the cyber world is connected to the real world through control networks, malicious cyber attacks can cause disruption to physical services and even create a national disaster if critical infrastructures are under attack. The Stuxnet worm demonstrated that industrial control systems are now at a higher risk of computer attacks. It is critical to ensure control system security, robustness, and safety in CPSs.

Traditional IT security methods can be adopted to protect the confidentiality, integrity and availability of data. Confidentiality ensures that data is known only to authorized parties and unknown to both outsiders and insiders. Integrity refers to ensuring that data is not changed during transmission over networks, and availability concerns the ability to access data in a timely manner. Security issues include removing or mitigating existing vulnerabilities, assessing whether the system is under attack or not, and retaining a secure and stable system state. However, traditional IT security approaches are only partial solutions for CPS security. For instance, channel encryption can prohibit access by some unauthorized users to some extent, but it may be useless against a malicious internal staff member or can be deciphered by a powerful intruder. Furthermore, some encryption methods may introduce additional time delay in the system, which is usually one of the sources of poor performance. In addition, traditional IT security approaches do not consider the interaction between physical devices and cyber attacks. In fact, an attacker can not only attack the cyber network but also directly attack the physical elements of CPSs. For instance, an attacker can use heaters and coolers to jam temperature sensors distributed in remote locations. Therefore, developing new methods on the basis of system and control theory to ensure the secure operation of CPSs is of significant importance in both theory and practice.

Security of CPSs is a challenging research field, full of open questions. Roughly speaking, existing CPS security methods are divided into two categories: one is from the perspective of information security and the other is from system and control theory. Information security methods are effective on the software layer of a computer control system, but they do not use the physical model of the CPS. Thus, information security methods fail to predict the physical response under attack and to provide countermeasures. Methods based on system and control theory can help physical systems deal with certain cyber attacks, for example through secure estimation, attack detection and resilient control.

In this paper, we attempt to survey some recent works on CPS security from the perspective of system and control and discuss several future research directions. The literature included in this paper is by no means complete. We apologize for missing any important references.

The remainder of this paper is organized as follows. In Section 2, we go over some papers that worked on attack detection in several detailed scenarios. In Section 3, we look at some works that focused on attack design. In Section 4, some works on secure algorithms for control and estimation under various attacks are discussed. Finally, some thoughts on CPS security are presented.

2 Attack detection

In general, a well-designed control system can resist external disturbances to a certain degree. Attacks on a control system can be considered as orderly disturbances carefully designed by the attacker. More specifically, the rules by which these disturbances are designed are unknown and may even change over time. Therefore, the assumptions made about disturbances in control theory may not hold in the presence of attacks.

Teixeira et al. [1] model the network with an undirected graph and propose a distributed scheme to detect and isolate attacks on network nodes and attacks on communication between the nodes. They model the attacks in terms of unknown disturbances in the node dynamics. Furthermore, they also discuss a possible solution to reduce the number of observer nodes while maintaining coverage of the entire network. They provide sufficient conditions for detection feasibility for a network running a consensus protocol and a necessary condition for a power network, respectively.

Sundaram et al. [2] consider the problem of stabilizing a plant with a network of resource-constrained wireless nodes. An intrusion detection system (IDS) is designed to observe the transmissions of certain nodes, use that information to recover the plant outputs and identify malicious behavior by any nodes. They also describe how to select a subset of nodes that need to be monitored if the connectivity of the network is sufficiently high. A procedure is provided for the IDS to extract an upper bound on the delay from the transmissions of these nodes and recover the plant outputs.

Esmalifalak et al. [3] characterize the relationship between performance loss, detection rate and the covariance of a Gaussian authentication input. They provide a procedure to optimally design an authentication control input capable of maximizing the detection rate while keeping a specified bound on the performance loss. They propose an approach to detect more general integrity attacks in the case where the process noise is not restricted to be Gaussian. They also apply the findings to a micro-grid with only one generator to analyze the effect of integrity attacks.

In [4], a low-complexity attacking strategy is designed to construct sparse false data injection attack vectors. Assuming that a small subset of measurements can be made immune against these attacks, the authors propose a low-complexity algorithm to identify key measurements. Finally, they propose a fast greedy algorithm with low complexity that facilitates the placement of secure phasor measurement units (PMUs).

Tang et al. [5] detect the presence of replay attacks on networked control systems where control signals are transmitted over an additive white Gaussian noise channel. Instead of injecting authentication noise into the control signal, they estimate the frequency response of the plant measurements at frequencies where the plant gain is high while the controller gain is not small. The filtered values of the spectrum differ depending on whether or not a replay attack is under way.

In [6], Mo et al. enumerate the feasibility conditions of replay attacks and propose countermeasures capable of exposing such attacks. The formulation is characterized by a Kalman filter, an LQG controller, and a failure detector. They use a noisy control authentication signal to improve the detection of integrity attacks on sensors. They characterize the relationships between performance loss, detection rate, and strength of the authentication signal so as to minimize the performance loss while guaranteeing a desired probability of detection. Three different sets of simulations show the optimization of the control signal.
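As an added illustration of the detection idea behind [6] (this is example code written for this page, not code from Mo et al. or from the survey), the following Python simulation uses a scalar plant with a steady-state Kalman filter, a chi-square detector on the innovation, and a zero-mean Gaussian authentication signal added to the control input. The plant parameters, noise variances, recording and attack timing, detector threshold and random seed are all constructed sample values. During a replay, the filter's one-step prediction includes the fresh authentication signal while the replayed measurements do not, so the normalized innovation grows; without the signal the replayed data passes the detector, and in honest operation the signal raises no extra alarms because the estimator knows the input it applied.

```python
import math
import random

# Constructed scalar plant: x[k+1] = A x[k] + B u[k] + w[k],  y[k] = C x[k] + v[k]
A, B, C = 1.0, 1.0, 1.0
Q, R = 0.01, 0.01         # process and measurement noise variances (sample values)
K_CTRL = 0.5              # state-feedback gain, u = -K_CTRL * x_hat (+ authentication signal)
CHI2_THRESHOLD = 6.635    # 99% quantile of chi-square with 1 degree of freedom


def steady_state_prediction_cov(a, c, q, r, iters=500):
    """Iterate the scalar Riccati recursion to the steady-state prediction covariance."""
    p = q
    for _ in range(iters):
        p_upd = p - p * c * c * p / (c * c * p + r)   # measurement update
        p = a * a * p_upd + q                         # time update
    return p


P_PRED = steady_state_prediction_cov(A, C, Q, R)
L_GAIN = P_PRED * C / (C * C * P_PRED + R)            # steady-state Kalman gain
INNOV_VAR = C * C * P_PRED + R                        # innovation variance with no attack


def simulate(seed, watermark_std, record_start=200, record_len=300, attack_start=600):
    """Run the closed loop; from attack_start on, the sensor channel delivers readings
    recorded earlier instead of live ones. Returns (mean normalized innovation before
    the attack, mean during the attack, alarm rate before, alarm rate during)."""
    rng = random.Random(seed)
    x, x_hat = 0.0, 0.0            # true state and one-step prediction
    recorded = []
    g_normal, g_attack = [], []
    for k in range(attack_start + record_len):
        y_true = C * x + rng.gauss(0.0, math.sqrt(R))
        if record_start <= k < record_start + record_len:
            recorded.append(y_true)                     # what a replay would capture
        attacked = k >= attack_start
        y = recorded[k - attack_start] if attacked else y_true
        # chi-square failure detector on the innovation
        innov = y - C * x_hat
        g = innov * innov / INNOV_VAR
        (g_attack if attacked else g_normal).append(g)
        x_upd = x_hat + L_GAIN * innov
        # LQG-style control plus the authentication (watermark) signal; the estimator
        # uses the same u, watermark included, so honest operation raises no extra alarms
        u = -K_CTRL * x_upd + rng.gauss(0.0, watermark_std)
        x = A * x + B * u + rng.gauss(0.0, math.sqrt(Q))
        x_hat = A * x_upd + B * u
    mean = lambda v: sum(v) / len(v)
    rate = lambda v: sum(1 for g in v if g > CHI2_THRESHOLD) / len(v)
    return mean(g_normal), mean(g_attack), rate(g_normal), rate(g_attack)


if __name__ == "__main__":
    for std in (0.0, 1.0):
        print("watermark std %.1f -> mean g (normal, replay) = %.2f, %.2f; "
              "alarm rate = %.3f, %.3f" % ((std,) + simulate(1, std)))
```

The normalized innovation has mean about 1 whenever the filter's model of the loop is right, which is exactly what a replay of a stationary closed loop preserves when the input is deterministic; the watermark breaks that invariance at the cost of a small control penalty, which is the trade-off [6] optimizes.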

Pasqualetti et al. [7] model stealthy attacks as unknown inputs affecting the system states and sensor measurements. They define the notions of detectability and identifiability of an attack. They characterize the fundamental limitations of a class of monitors, including static, dynamic, and active monitors. They design centralized and distributed attack detection and identification monitors.

Bishop et al. [8] propose a set-valued state estimation algorithm for all descriptor states and derive a guaranteed bound on the estimation error. They safeguard the state estimator in the presence of faults or attackers. They study false data attacks that may affect the nominal system or the sensor readings and provide a detection approach for the uncertain descriptor system under attack. The attack detector is guaranteed never to raise a false-positive alarm.

Esmalifalak et al. [9] assume the attacker is able to compromise measurements on a state estimator and consequently change the electricity price, but neither the attacker nor the defender is able to attack or defend all measurements. They model the competitive behavior between the attacker and the defender as a two-person zero-sum game in which the players compete to increase and decrease the injected false data, respectively. The two players are likely to attack and defend different measurements, and each tries to find the Nash equilibrium and maximize its profit. Simulations on the PJM 5-bus test system show the effectiveness of the attack on electricity prices in the real-time market.

Miao et al. [10] propose a zero-sum, finite-horizon, non-stationary stochastic game between an operator and an attacker to obtain a suboptimal switching control policy in the presence of replay attacks. A switching framework between cost-optimal (but non-secure) and secure (but cost-suboptimal) controllers is developed that minimizes the worst-case control performance and intrusion detection rate. They use a suboptimal value iteration algorithm, treating each iteration as a robust game, to obtain the optimal solution. This method can be applied to LTI plants with a finite number of finite-cost components under attack.

Mo et al. [11] assume the attacker has all information about the system states and sensor measurements and is able to manipulate the measurements partially. The binary random state detection problem is formulated as a minimax optimization of the worst-case probability, where the worst case refers to all possible manipulations available to the attacker. They also analyze the detector design problem for the cases where an attacker can manipulate at least half of the measurements and where an attacker can manipulate strictly less than half of the measurements.

Liu et al. [12] present a least-effort attack model and characterize the optimal set of compromised meters that causes the most significant deviation of the state estimation. They assume the attack matrix is sparse and formulate the false data detection problem as a low-rank matrix recovery and completion problem solved by mixed-norm convex optimization. The method of augmented Lagrange multipliers is applied to obtain optimality. They make the system more resilient by protecting critical sensors and develop a spatial-based and a temporal-based detection algorithm to identify false data injection attacks. The proposed detection algorithm is tested on both IEEE case studies and Polish networks.

In [13], the false data detection problem is formulated as a matrix separation problem. Attack vectors are sparse because attackers are either constrained to some specific measurement meters or limited in the resources required to compromise meters persistently. A nuclear norm minimization and a low-rank matrix factorization are presented to recover the electric power states as well as detect false data attacks in a power grid, even when the collected measurements are incomplete. The detection algorithm is tested on both IEEE case studies and Polish networks.

3 Attack design

A malicious attack could be carefully designed to covertly damage a healthy system. Since there are disturbances and measurement errors in control systems, detection mechanisms have to ensure that these normal errors do not cause false alarms. This gives attackers room to hide. From an attacker's point of view, constructing highly deceptive attack strategies usually faces a series of resource factors and security constraints.

If the attacker can only capture and forward real data packets, an effective attack method is to record some normal data and replay it to avoid being detected. This is called a replay attack. If an attacker modifies the real data by obtaining the communication key or capturing some network devices, it is called a data integrity attack. A DoS attack consumes cyber network bandwidth. As a result, target systems stop providing services, so that victim hosts are unable to respond to the requests of legitimate users.

Mo et al. [14] study the effect of false data injection attacks on state estimation carried over a sensor network for linear Gaussian systems. They consider how an attacker compromises a subset of sensors and injects fake readings into a state estimator without being detected by a failure detector. They formulate the attack problem as a constrained control problem and characterize the reachable region of such a problem. An ellipsoidal algorithm is provided to compute inner and outer approximations of this set.

Teixeira et al. [15] present a general methodology for synthesizing stealthy attacks in the case of both linear and nonlinear estimators. Specifically, they quantify trade-offs between model accuracy and possible attack impact for two different bad data detection strategies. They propose a framework to model attackers having only partial or corrupted knowledge of the real model and limited resources.

Xie et al. [16] show that financial misconduct may be induced by cyber attacks and formulate the optimal sensor injection problem as a convex optimization problem. They assume the attacker knows the target system model, the price model and the optimal states given by the market. They provide a heuristic algorithm for finding a profitable attack that leads to financial misconduct and illustrate the effect of false data injection attacks on the IEEE 14-bus system.

Kosut et al. [17] construct a strong attack policy that attacks a sufficient number of meters so that the network states become unobservable to the control center. They use a graph-theoretic approach to characterize the smallest set of attacked meters capable of causing network unobservability. For the weak attack policy, where the adversary can only attack a small number of meters, the trade-off between maximizing the estimation error and minimizing the detection probability is examined.

Rahman et al. [18] characterize the problem of implementing an FDIA (false data injection attack) with incomplete information about the admittances of transmission lines. They show how the impact of imperfect attacks on the power grid is affected by incomplete knowledge of grid parameters and attributes. From the attackers' viewpoint, they characterize perfect attacks with transmission-line admittance uncertainties and imperfect attacks with a probability distribution of the admittance values. They use a stochastic optimization scheme to maximize the minimum amount of error injected into the state estimation solutions. From the grid operators' viewpoint, they introduce a novel vulnerability measure in order to compare and rank different power grid topologies against FDIAs with limited information.

Pasqualetti et al. [19] model a cyber-physical system under attack as a descriptor system subject to unknown inputs affecting the states and the measurements. They define notions of detectability and identifiability of attacks and provide existence conditions for undetectable attacks. They prove that undetectable and unidentifiable attacks can be cast without knowledge of the monitoring signals or the system noise. They characterize undetectable attacks and fundamental monitoring limitations from both system-theoretic and graph-theoretic perspectives. They also design centralized and distributed monitors able to detect and identify every detectable and identifiable attack at low computational cost. Finally, they design novel cooperative attack strategies and demonstrate the effectiveness of the designed unidentifiable attacks against a simplified model of the Western North American power grid.

Zhang et al. [20] investigate a novel DoS jamming attack problem that maximizes the linear quadratic Gaussian control cost function under attacking energy constraints. They assume the attacker can only attack the communication channels a finite number of times. They then find that grouping the limited attacks together in every active period is optimal. They also propose optimal attack schedules to bypass the intrusion detection mechanism for the average-error case and the terminal-error case, respectively. Simulations are conducted to demonstrate the effectiveness of their results.

Coordinated cyber attacks on power meter readings can be undetectable to any bad data detection mechanism, which presents a serious threat to grid operations. Giani et al. [21] develop unobservable low-sparsity cyber attacks and offer countermeasures against arbitrary unobservable attacks. General sparse attacks can only compromise a modest number of meter readings. Next, they find unobservable attacks that compromise two power injection meters and an arbitrary number of power meters on lines. For the case where all lines are metered, canonical forms are derived for sparse unobservable attacks using graph-theoretic algorithms.

In [22], Zhang et al. consider a scenario where a sensor sends its data to a remote estimator. An attacker decides whether to jam the wireless channel at each sampling time once it has gained unauthorized access. They construct optimal DoS attack schedules to deteriorate the system performance indexes and maximize the trace of the expected average estimation error. To avoid the intrusion detection mechanism, they propose optimal attack schedules for the average-error case and the terminal-error case, respectively.

Yang et al. [23] study the optimal data injection attack strategy of finding the minimum number of manipulated meters needed to cause the maximum damage. As a result, a predetermined number of state variables are changed. They propose to find the optimal solution through matrix transformation. They then test the attack strategy on various IEEE standard bus systems. Finally, they propose a protection-based defense strategy to protect critical sensors and a detection-based defense strategy to accurately identify data injection attacks.

As detailed knowledge of system parameters is difficult to acquire in practice, Kim et al. [24] present a subspace method to construct the unobservable attack and provide its existence conditions under a partial-measurement model. They provide two data-driven attack strategies based on the subspace of the estimated system. The first strategy aims to attack the system states directly by hiding the attack vector. The second strategy aims to mislead the bad data detection mechanism into removing healthy data. They compare the performance of the attack methods using the IEEE 14-bus and IEEE 118-bus networks.

Hao et al. [25] propose an algorithm that can quickly generate highly sparse attack vectors in state estimation, both for random attacks that compromise arbitrary measurements and for targeted attacks that modify specified state variables. It is found that the system can be protected by making a certain subset of measurements immune to attacks. A fast greedy search method is also proposed to find a subset of measurements to be protected in order to defend against integrity attacks. A robust attack detection method based on robust principal component analysis is discussed to identify attacks even when only partial observations are collected.

4 Secure estimation and control

The goal of secure control is to restore system operation. When an attack occurs, the secure control mechanism detects it, identifies its type and performs the corresponding counter-strategy to reduce the performance loss of the CPS.

Amin et al. [26] consider a scenario in which sensor and control packets can be dropped by a resource-constrained attacker. They propose a security-constrained optimal control problem and use a causal feedback controller to minimize a given objective function subject to safety and power constraints. For the Bernoulli attack model, minimization of the objective function is equivalent to solving a semi-definite program.

Gupta et al. [27] consider a dynamic zero-sum game between the controller of a standard discrete-time LQG control system with state feedback and a jammer. The jammer launches DoS attacks on the communication channels between the controller and the plant, and its goal is to actively and optimally perturb the control process with a limited number of jamming actions. They compute the saddle-point equilibrium control using dynamic programming. The derived jamming strategy is that the jammer jams if and only if the plant state is larger than a time-varying threshold function at each decision step.

Zhu et al. [28] consider two types of attackers: a measurement jammer and a control jammer, whose strategies are highly correlated to the system operator's. They study the resilient control problem for a discrete-time linear system subject to state and input constraints, considering the cases where both types of jammers are present and where only the control jammer exists. A receding-horizon Stackelberg control law is proposed for the operator, and the closed-loop stability of the system is analyzed under correlated attacks. For the case where both types of jammers are present, they derive regional stability conditions for the closed-loop system. For the case where only the control jammer is present, they study the regional exponential stability of the closed-loop system.

In [29], the authors propose a hybrid model containing continuous-time dynamics that model the physical-layer plant, discrete-time dynamics that model the cyber layer, unanticipated events, and deterministic uncertainties that represent the known range of disturbances. The authors design resilient control for the cyber system and robust control for the physical system. Furthermore, they use a stochastic zero-sum game between a defender and an attacker to design a defense mechanism.

Pang et al. [30] integrate the data encryption standard algorithm, a message digest algorithm and a time stamp strategy to form a secure transmission mechanism between the controller and the plant. A secure networked predictive control system (SNPCS) is designed for data encryption and the detection of typical deception attacks. A recursive networked predictive control (RNPC) method is proposed to compensate for the adverse effects caused by deception attacks and network communication constraints, which are ultimately treated as the network round-trip time delay. A stability theorem for the closed-loop RNPC system is obtained using switched system theory.
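The transmission mechanism in [30] combines encryption, a message digest and a time stamp to detect the deception attacks defined in Section 3. The following Python example (added for this page; it is not the SNPCS code of Pang et al.) shows the integrity and freshness part of such a mechanism with standard-library primitives. It substitutes an HMAC-SHA256 tag for the digest-and-encryption combination (an assumption, chosen because the Python standard library provides it) and provides no confidentiality. The key, sequence numbers, clock values and control values are constructed sample values. The plant-side receiver rejects a modified packet (data integrity attack), a packet whose sequence number does not advance (replay attack), and a packet whose time stamp falls outside the freshness window.

```python
import hashlib
import hmac
import json
import time

# Constructed sample key; in practice provisioned out of band on controller and plant.
SHARED_KEY = b"controller-plant-shared-key-sample"
MAX_AGE_SECONDS = 2.0     # freshness window for the time stamp (sample value)


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_packet(seq, control_value, key=SHARED_KEY, now=None):
    """Controller side: serialize (sequence number, time stamp, control value) and tag it."""
    ts = time.time() if now is None else now
    body = json.dumps({"seq": seq, "ts": ts, "u": control_value}, sort_keys=True).encode()
    return {"body": body, "tag": _tag(key, body)}


class PlantReceiver:
    """Plant side: verify the tag first, then enforce sequence and time-stamp freshness."""

    def __init__(self, key=SHARED_KEY, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.last_seq = -1

    def accept(self, packet, now=None):
        now = time.time() if now is None else now
        # Constant-time comparison of the MAC before trusting any field of the body.
        if not hmac.compare_digest(_tag(self.key, packet["body"]), packet["tag"]):
            return (False, "bad MAC")
        msg = json.loads(packet["body"])
        if msg["seq"] <= self.last_seq:
            return (False, "replayed sequence")
        if abs(now - msg["ts"]) > self.max_age:
            return (False, "stale timestamp")
        self.last_seq = msg["seq"]           # advance only after every check passed
        return (True, msg["u"])


def demo():
    """Constructed exchange: one honest packet, its replay, a tampered copy of a
    second packet, that packet delivered late, and the same packet delivered on time."""
    rx = PlantReceiver()
    fresh = build_packet(1, 0.25, now=1000.0)
    p2 = build_packet(2, 0.3, now=1000.0)
    tampered = {"body": p2["body"].replace(b'"u": 0.3', b'"u": 9.9'), "tag": p2["tag"]}
    return {
        "fresh": rx.accept(fresh, now=1000.5),
        "replay": rx.accept(fresh, now=1001.0),
        "tampered": rx.accept(tampered, now=1000.5),
        "stale": rx.accept(p2, now=1005.0),
        "second": rx.accept(p2, now=1000.5),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The order of the checks matters: the MAC is verified before any field is parsed, so an attacker without the key cannot influence the sequence or clock logic, and the stored sequence number advances only after a packet has passed every check, so a rejected packet cannot lock out the legitimate one that follows it.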

In [31], Fawzi et al. extend their study and propose an estimation and control problem for a linear system under malicious attacks on some sensors and actuators. They first show that feedback control can make the system more resilient to sensor attacks through an appropriate choice of the feedback gain matrix. They then stabilize the plant using an output feedback control law despite attacks on sensors. Finally, they design an optimization-based decoder that recovers the sequence of states despite attacks on both sensors and actuators.

Foroush et al. [32] study an energy-constrained periodic jammer that imposes DoS attacks over the communication channel. A time-triggered strategy is introduced that is resilient to jamming attacks. A triggering time sequence is derived to determine when to update the control signal once the period of the jammer has been detected. This method is capable of counteracting the jammer and assuring asymptotic stability of the plant under a sufficient condition.

Kwon et al. [33] classify integrity attacks into three cases according to the attackers' capability: the attackers can only compromise the actuators, the attackers can only compromise the sensors, or the attackers can compromise both. A CPS is modeled as a stochastic linear system with a steady-state Kalman filter. The attacker performs stealthy deception attacks causing unbounded estimation errors. Based on existing hypothesis testing algorithms, they derive necessary and sufficient conditions under which deception attacks cause the state estimators to fail while bypassing the monitoring system. An unmanned aerial vehicle (UAV) navigation example is presented to analyze the effect of the optimal attack method. Such an analysis can give design criteria to improve the security of CPSs against malicious cyber attacks.

In [34], the authors propose a hybrid robust controller that contains multiple sub-controllers. Each sub-controller matches a specific type of cyber attack. The switching logic of the hybrid controller depends on the system's current state and past attack history. It computes the future worst-case performance of each sub-controller to determine which is best. The controller is able to verify the linear-quadratic performance and maintain stability. This is demonstrated by applying the hybrid controller to an unmanned aerial system (UAS).

Fawzi et al. [35] show that it is impossible to accurately reconstruct the system states if more than half of the sensors are attacked. They give a novel characterization of the maximum number of sensor attacks that can be corrected. They then propose an efficient algorithm to exactly recover the system states under the condition that the number of attacks is sufficiently small. Finally, a principle of separation between estimation and control is proposed. They also show that the attacked states can be reconstructed if one can design an output-feedback law that ensures stability despite attacks on sensors.

Mo et al. [36] assume the attacker has limited resources and can only manipulate part of the measurements. They design the optimal estimator by formulating a minimax optimization that minimizes the worst-case expected cost. It is shown that the optimal worst-case estimator should ignore all measurements if the attacker can manipulate at least half of the measurements. They also provide an explicit form of the optimal estimator when the attacker can manipulate less than half of the measurements.
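To make the "less than half" threshold of [35] and [36] concrete, the following Python example (added here; it is not code from Fawzi et al. or Mo et al.) implements a brute-force version of a combinatorial secure estimator for the simplest setting: a scalar quantity measured by n redundant sensors, of which at most q may report arbitrary values. It returns the estimate supported by the largest set of mutually consistent sensors and, following Mo et al., declines to estimate at all when 2q >= n, because an adversary could then make a fabricated value look as well supported as the true one. The readings, the noise tolerance and the bound q are constructed sample values; the dynamic, observability-based results of [35] reduce to this majority argument only in the static scalar case shown here.

```python
from itertools import combinations
from statistics import mean


def is_consistent(values, tol):
    """Honest sensors agree with each other up to the noise tolerance."""
    return max(values) - min(values) <= tol


def secure_estimate(readings, q, tol):
    """Estimate a scalar from n sensor readings of which at most q may be corrupted.

    Returns None when 2*q >= n: with that many corruptible sensors no estimator can
    distinguish the honest readings from a fabricated, equally large consistent set,
    so the measurements are ignored (the "at least half" result of [36]). Otherwise
    returns the mean of the largest subset of mutually consistent readings, searching
    from n down to n - q sensors. Any consistent subset of size >= n - q contains at
    least n - 2q >= 1 honest sensor, so its mean lies within 2*tol of the true value.
    """
    n = len(readings)
    if 2 * q >= n:
        return None
    for size in range(n, n - q - 1, -1):
        for subset in combinations(range(n), size):
            values = [readings[i] for i in subset]
            if is_consistent(values, tol):
                return mean(values)
    return None   # more than q sensors disagree: the design assumption was violated


def demo():
    """Constructed readings: the true value is 10.0, corrupted sensors report about 25."""
    tol = 0.1
    honest = [10.02, 9.97, 10.01]
    two_corrupt = honest + [25.00, 25.03]                  # 2 of 5 sensors corrupted
    three_corrupt = honest[:2] + [25.00, 25.03, 24.98]     # 3 of 5 sensors corrupted
    return {
        "q2_n5": secure_estimate(two_corrupt, 2, tol),       # honest majority wins
        "q3_n5": secure_estimate(two_corrupt, 3, tol),       # 2q >= n: refuse to estimate
        "bound_violated": secure_estimate(three_corrupt, 2, tol),  # fake majority wins
    }


if __name__ == "__main__":
    for case, estimate in demo().items():
        print(case, estimate)
```

The third case is the practical caveat: the guarantee holds only for the q assumed at design time. If more sensors are compromised than the bound allows, the estimator has no way to tell the fabricated consistent set from the honest one, which is why the bound must be chosen conservatively and the protected sensors of [12] and [23] matter.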

Zhu et al. [37] employ a distributed constrained formation control methodology for resilient control against replay attacks in a class of multi-agent systems in an operator-vehicle adversarial network. They show that the desired formation can be asymptotically achieved under a certain connectivity assumption. The algorithm shows an analogous resilience to denial-of-service attacks.

Amin et al. [38] study the security choices of identical plant-controller systems. Each plant is modeled by a discrete-time stochastic linear system. The equilibrium of a two-stage game gives the optimal security choices. They model the security decisions of individual systems as a non-cooperative two-stage game. In the first stage, each player decides whether or not to invest in security. In the second stage, players choose the optimal control to minimize the average operational cost, which comprises the plant operating cost and the security measure cost.

Zhu et al. [39] study a resilient control problem for linear systems subject to state and input constraints. They propose a variation of the receding-horizon control law against replay attacks on actuators and analyze the system performance degradation. A set of sufficient conditions is provided to ensure asymptotic and exponential stability. They characterize a class of competitive resource allocation problems for resilient control by using the relation between the infinite-horizon cost and the attacking horizons.

Djouadi et al. [40] assume the attacker has access to the system parameters and injects sensor signal attacks into observer-based linear quadratic controlled systems. The error signals between the states of the healthy system and the attacked system are quantified. The authors construct bounded optimal sensor and actuator attacks for finite- and infinite-horizon LQ control in terms of maximizing the LQ cost functions. They apply this method to a power generation network with distributed LQ controllers.

5 Discussion

Having summarized some recent works on CPS security, we would like to conclude this paper by elaborating some of our opinions on CPS security to guide future research.

1) Risk assessment: Ensuring CPS security is a dynamic procedure, as attackers may discover new vulnerabilities of CPSs and develop strategies to bypass current detection mechanisms. Assessing how a risk will impact CPS security provides an overall view of the CPS security status and a guide for designing mitigating methods. Traditional IT system risk assessment methods may be applicable to CPSs as they are quite mature. However, they cannot solve the problem completely since there are distinct differences between IT systems and CPSs. Qualitative and quantitative approaches to vulnerability assessment that sufficiently consider the characteristics of CPSs are urgently needed.

2) Modeling of attacks and attack design: Most existing studies do not take into account process noise and uncertainties in the system model parameters. They also assume that the state trajectory of the attacked system is completely determined and can be measured accurately [41]. These assumptions in the existing studies need to be reconsidered. How to model attacks under more practical assumptions is a problem worth exploring. In order to design a defense mechanism effectively, it is of great importance to study the attackers' intentions and behaviors. Knowing the impact of different types of attacks on system performance can provide theoretical guidance for attack detection and resilient control [42]. We should pay attention to the design of optimal attack strategies from the attacker's angle.

3) Counter-attack strategy: The design of effective countermeasures depends on the attacker's strategies and the system resources. An intelligent attacker may switch attack types and attack points at any time, using a combination of continuous attacks and intermittent attacks. Powerful attackers can even attack the information system and the physical system at the same time. Since the attack detection mechanism usually has a certain detection time, the attacker will also consider how to implement the most effective attack in a limited time, and change the attack points or attack types after being detected. A general protection process for a control system under external attack is as follows. First, the operator identifies the existence of attacks using the polluted data and sends alarm signals to the system. Then the detection mechanism identifies the attacked nodes and the attack types. The input and output data of the attacked system can be used to model the attacks. The control center starts the corresponding countermeasures to reduce the impact of the attack and recovers the system afterwards. However, even though the detection mechanism can detect the attacks successfully, this does not mean that it can accurately acquire the parameter information of the attacks. Like existing anti-virus software, we can design detection algorithms and countermeasures for all known attacks in advance to reduce the impact of attacks in limited time and minimize the damage to the system. In addition, how to reduce the cost of security mitigation and coordinate the different security measures of the information system and the physical system still needs further study.

4) Testbed and validation: With the development of approaches for CPS security, there is a need for a testbed on which the emerging theories, methods and techniques can be evaluated. The testbed should provide a practical, real-time environment for conducting attack-defense experiments.

Generally speaking, CPS security is a challenging topic and requires approaches coming from different fields such as hybrid systems, discrete event systems, networked control systems, and big data analysis.

[1] A. Teixeira, H. Sandberg, K. H. Johansson. Networked control systems under cyber attacks with applications to power networks. Proceedings of the American Control Conference, Maryland: IEEE, 2010: 3690-3696.

[2] S. Sundaram, M. Pajic, C. N. Hadjicostis, et al. The wireless control network: Monitoring for malicious behavior. IEEE Conference on Decision and Control, Atlanta: IEEE, 2010: 5979-5984.

[3] R. Chabukswar, Y. Mo, B. Sinopoli. Detecting integrity attacks on SCADA systems. Proceedings of the 18th IFAC World Congress, Milano: IEEE, 2014: 11239-11244.

[4] T. T. Kim, H. V. Poor. Strategic protection against data injection attacks on power grids. IEEE Transactions on Smart Grid, 2011, 2(2): 326-333.

[5] B. Tang, L. D. Alvergue, G. Gu. Secure networked control systems against replay attacks without injecting authentication noise. Proceedings of the American Control Conference, Montreal: IEEE, 2012: 60280-6036.

[6] Y. Mo, R. Chabukswar, B. Sinopoli. Detecting integrity attacks on SCADA systems. IEEE Transactions on Control Systems Technology, 2013, 22(4): 1396-1407.

[7] F. Pasqualetti, F. Dorfler, F. Bullo. Attack detection and identification in cyber-physical systems. IEEE Transactions on Automatic Control, 2013, 22(4): 1396-1407.

[8] A. N. Bishop, A. V. Savkin. Set-valued state estimation and attack detection for uncertain descriptor systems. IEEE Signal Processing Letters, 2015, 20(11): 1102-1105.

[9] M. Esmalifalak, G. Shi, Z. Han, et al. Bad data injection attack and defense in electricity market using game theory study. IEEE Transactions on Smart Grid, 2013, 4(1): 160-169.

[10] F. Miao, M. Pajic, G. J. Pappas. Stochastic game approach for replay attack detection. IEEE Conference on Decision and Control, Firenze: IEEE, 2013: 1854-1859.

[11] Y. Mo, J. P. Hespanha, B. Sinopoli. Resilient detection in the presence of integrity attacks. IEEE Transactions on Signal Processing, 2015, 62(1): 31-43.

[12] L. Liu, M. Esmalifalak, Z. Han. Detection of false data injection in power grid exploiting low rank and sparsity. IEEE Conference on Communications, Budapest: IEEE, 2014: 4461-4465.

[13] L. Liu, M. Esmalifalak, Q. Ding, et al. Detecting false data injection attacks on power grid by sparse optimization. IEEE Transactions on Smart Grid, 2014, 5(2): 612-621.

[14] Y. Mo, E. Garone, A. Casavola, et al. False data injection attacks against state estimation in wireless sensor networks. IEEE Conference on Decision and Control, Atlanta: IEEE, 2010: 5967-5972.

[15] A. Teixeira, S. Amin, H. Sandberg, et al. Cyber security analysis of state estimators in electric power systems. IEEE Conference on Decision and Control, Firenze: IEEE, 2013: 5991-5998.

[16] L. Xie, Y. Mo, B. Sinopoli. False data injection attacks in electricity markets. IEEE Conference on Smart Grid Communications, Maryland: IEEE, 2010: 226-231.

[17] O. Kosut, Y. Jia, R. J. Thomas, et al. Malicious data attacks on the smart grid. IEEE Transactions on Smart Grid, 2011, 2(4): 645-658.

[18] M. A. Rahman, H. Mohsenian-Rad. False data injection attacks with incomplete information against smart power grids. Global Communications Conference, Anaheim: IEEE, 2012: 3153-3158.

[19] F. Pasqualetti, F. Dorfler, F. Bullo. Cyber-physical security via geometric control: Distributed monitoring and malicious attacks. IEEE Conference on Decision and Control, Hawaii: IEEE, 2012: 1-8.

[20] H. Zhang, P. Cheng, L. Shi, et al. Optimal DoS attack policy against remote state estimation. IEEE Conference on Decision and Control, Firenze: IEEE, 2013: 5444-5449.

[21] A. Giani, E. Bitar, M. Garcia, et al. Smart grid data integrity attacks. IEEE Transactions on Smart Grid, 2013, 4(3): 1244-1253.

[22] H. Zhang, P. Cheng, L. Shi, et al. Optimal denial-of-service attack scheduling against linear quadratic Gaussian control. Proceedings of the American Control Conference, Portland: IEEE, 2014: 3996-4001.

[23] Q. Yang, J. Yang, W. Yu, et al. On false data-injection attacks against power system state estimation: Modeling and countermeasures. IEEE Transactions on Parallel and Distributed Systems, 2014, 25(3): 717-729.

[24] J. Kim, L. Tong, R. J. Thomas. Subspace methods for data attack on state estimation: A data driven approach. IEEE Transactions on Signal Processing, 2015, 63(5): 1102-1114.

[25] J. Hao, R. J. Piechocki, D. Kaleshi, et al. Sparse malicious false data injection attacks and defense mechanisms in smart grids. IEEE Transactions on Smart Grid, 2015, 11(5): 1198-1209.

[26] S. Amin, A. A. Cardenas, S. S. Sastry. Safe and secure networked control systems under denial-of-service attacks. International Conference on Hybrid Systems: Computation and Control, Stockholm: Springer, 2009: 31-45.

[27] F. Pasqualetti, F. Dorfler, F. Bullo. Cyber-physical security via geometric control: Distributed monitoring and malicious attacks. IEEE Conference on Decision and Control, Atlanta: IEEE, 2010: 1096-1101.

[28] M. Zhu, S. Martinez. Stackelberg-game analysis of correlated attacks in cyber-physical systems. Proceedings of the American Control Conference, San Francisco: IEEE, 2011: 4063-4068.

[29] Q. Zhu, T. Basar. Robust and resilient control design for cyber-physical systems with an application to power systems. IEEE Conference on Decision and Control and European Control Conference, Orlando: IEEE, 2011: 4066-4071.

[30] Z. Pang, G. Liu. Design and implementation of secure networked predictive control systems under deception attacks. IEEE Transactions on Control Systems Technology, 2012, 20(5): 1334-1342.

[31] H. Fawzi, P. Tabuada, S. Diggavi. Security for control systems under sensor and actuator attacks. IEEE Conference on Decision and Control, Hawaii: IEEE, 2012: 3412-3417.

[32] H. S. Foroush, S. Martinez. On event-triggered control of linear systems under periodic denial-of-service jamming attacks. IEEE Conference on Decision and Control, Hawaii: IEEE, 2012: 2551-2556.

[33] C. Kwon, W. Liu, I. Hwang. Security analysis for cyber-physical systems against stealthy deception attacks. Proceedings of the American Control Conference, Washington: IEEE, 2013: 3344-3349.

[34] C. Kwon, I. Hwang. Hybrid robust controller design: Cyber attack attenuation for cyber-physical systems. IEEE Conference on Decision and Control, Firenze: IEEE, 2013: 188-193.

[35] H. Fawzi, P. Tabuada, S. Diggavi. Secure estimation and control for cyber-physical systems under adversarial attacks. IEEE Transactions on Automatic Control, 2014, 59(6): 1454-1467.

[36] Y. Mo, B. Sinopoli. Secure estimation in the presence of integrity attacks. IEEE Transactions on Automatic Control, 2015, 60(4): 1145-1151.

[37] M. Zhu, S. Martinez. On distributed constrained formation control in operator-vehicle adversarial networks. Automatica, 2013, 49(12): 3571-3582.

[38] S. Amin, G. A. Schwartz, S. S. Sastry. Security of interdependent and identical networked control systems. Automatica, 2013, 49(1): 186-192.

[39] M. Zhu, S. Martinez. On the performance analysis of resilient networked control systems under replay attacks. IEEE Transactions on Automatic Control, 2014, 59(3): 804-808.

[40] S. M. Djouadi, A. M. Melin, E. M. Ferragut, et al. Finite energy and bounded attacks on control system sensor signals. Proceedings of the American Control Conference, Portland: IEEE, 2014: 3690-3696.

[41] Y. Mo, J. Hespanha, B. Sinopoli. Robust detection in the presence of integrity attacks. Proceedings of the American Control Conference, Montreal: IEEE, 2012: 3541-3546.

[42] C. Kwon, I. Hwang. Hybrid robust controller design: Cyber attack attenuation for cyber-physical systems. IEEE Conference on Decision and Control, Firenze: IEEE, 2013: 188-193.

DOI 10.1007/s11768-016-5123-9

†Corresponding author.

E-mail: sunjian@bit.edu.cn.

This work was supported in part by the Natural Science Foundation of China (Nos. 61321002, 61120106010, 61522303, U1509215), the Program for New Century Excellent Talents in University (No. NCET-13-0045), and the Beijing Higher Education Young Elite Teacher Project.

Guangyu WU received the B.Sc. and M.Sc. degrees from Xi'an University of Technology in 2010 and 2014, respectively. Currently, he is a Ph.D. candidate at the School of Automation, Beijing Institute of Technology. His research interests include security of CPSs and networked control systems. E-mail: mebest21@163.com.

Jian SUN received his Ph.D. degree from the Institute of Automation, Chinese Academy of Sciences in 2007. From April 2008 to October 2009, he was a visiting research fellow at the University of Glamorgan, U.K. He is currently a professor in the School of Automation, Beijing Institute of Technology. His current research interests include security of CPSs, networked control systems, time-delay systems, and robust control. E-mail: sunjian@bit.edu.cn.

Jie CHEN received the B.Sc., M.Sc. and Ph.D. degrees in Control Theory and Control Engineering from the Beijing Institute of Technology, Beijing, China, in 1986, 1993 and 2000, respectively. He is currently a professor with the School of Automation, Beijing Institute of Technology. His research interests cover complex system multi-objective optimization and decision, constrained nonlinear control, and optimization methods. E-mail: chenjie@bit.edu.cn.