Summary:

In the paper False Data Injection Attacks in Control Systems by Yilin Mo and Bruno
Sinopoli presented how a control system can be effected by the injection of false data in to
the control system.
A system which is built in collaboration of computing elements for controlling the physical
entities is called Cyber Physical Systems. These systems are widely used in many application
areas like aerospace, energy etc. However, due to the availability of cheap source of
communication (for example: internet) the security of these systems brought into question.
The attacks on these systems can be categorized into Denial of Service Attacks and False
Data Injection Attacks. In Denial of Service Attacks the communication between the sub-
systems is prevented whereas in False Data Injection Attacks the payload values are modified
by compromising a subset of sensors. In this a paper the authors felt that the False data
injection attack are more subtler than Denial of Service attacks as they are principally
difficult to detect and not thoroughly being investigated .
Even though considering the robust control and estimation for the design of controllers which
can operate normally under the uncertain conditions where the source of the uncertainty is
said to be random. But under the careful design of attack sequence by the attacker where the
attacker can attack the control system without being identified by the estimator and failure
detector. Under this type attack strategy by a smart attacker the applicability of the failure
detection algorithm is brought into question.
The authors considered a physical system which is a linear time invariant dynamics of the
form x
k+1
=Ax
k
+Bu
k
+w
k
,where w is the process noise at time k.In order to monitor the system
a network of sensors is deployed ,were all the sensor readings are collected and forwarded to
the centralized estimator. The observation equation is given by y
k
=Cx
k
+v
k
,where y
k
is the
vector of sensor measurements made at time k and v is the measurement noise and these
noises are independent with each other and initial state x
0
.A kalman filter estimate the state
of the physical system from the observation y
k
. Kalman filter which is a commonly used
method to estimate the state variables of a dynamic system which is excited by random
disturbances and noises.so from the kalman filter the state estimate of the physical system
based on the observer equation y
k
is given by
x
^
k+1
=Ax
^
k
+Bu
k
+K[y
k+1
-C(Ax
^
k
+Bu
k
)],where is said to be Kalman gain which is of time
varying and it is said to be converge in few steps so we can assume that the kalman is
already in steady state.
A linear quadratic Gaussian controller is used to stabilize the system by minimizing the cost
function:
J=lim
T
min E (1/T) [ (x
k
T
Wx
k
+ u
k
T
Uu
k
)].
Where W, U are positive semi definite and the optimal controller of the above minimization
problem is a fixed gain controller which is of the form u
k
=-(B
T
SB+U)
-1
B
T
SAx
^
k
, where u
k
is
the optimal control input. The system is said to be stable Covariance of estimation error and
the cost function J are both bounded.
A failure detector computes the quantity g
k
=z
k
T
Pz
k
, where P is the covariance matrix of
residue z
k
. The failure detector will compare the g
k
with certain threshold so an alarm is
triggered when the quantity g
k
is greater than the threshold. The probability of alarm for the
failure detector be
k
=P (g
k
> threshold), where g
k
is said to be a continuous function of state
estimate, output and residue at the time k.
However we equip with failure detector with many other detectors that compute the function
of x
^
k
,y
k
,z
k
,then none of the detector equipped cannot be able to distinguish the healthy and
a partial compromised system if the vectors x
^
k
,y
k
,z
k
have the same statistical properties as
that of the healthy system.
In order to compromise a system, authors assume that the attacker should have the knowledge
of the following quantities:
1. Attacker knows the system model.
2.Attacker can control the sensor reading denoted as S
bad
,so that the observation equation is
given by y
k

=Cx
k

+v
k
+ y
k
a
,where is sensor selection matrix which represent binary value
value only if the sensor value represent the attacker sensor reading and y
k
a
is the corrupted
input from the attacker.
3. Attacker starts intrusion at time 0.
So based on the assumptions the new system dynamics represented as:
x
k+1
=Ax
k
+Bu
k
+w
k
,
y
k

=Cx
k

+v
k
+ y
k
a
,
x
^

k+1
=Ax
^

k
+Bu
k
+K [y
k+1
-C (Ax
^

k
+Bu
k
)] and
u
k
=-(B
T
SB+U)
-1
B
T
Sax
^

k
.
New probability of alarm is defined as
k
=P (g
k
> threshold)
x
k
, x
k
, u
k
, y
k
, z
k
, e
k
,
k
represent the difference between the partially
compromised and the healthy system.
The partially compromised system can be shown below.

The Authors given a definition for a successful attack that an attack sequence is successful if
the limit norm of x
k
is equal to infinity and norm of z
k
is less than equal to 1and also
provide the algebraic condition to identify the perfectly attackable system, if the system
matrix A has unstable eigen values and the corresponding eigen vector v satisfies:
1. Cv is equal to the column space of sensor selection matrix
2. v is the reachable state of the dynamic system e
k+1
= (A-KCA) e
k
-Ky
k+1
a
.
So using this algebraic condition an attacker can design an attack sequence based on eigen
decomposition of system matrix A and sensor selection matrix .however,the defender can
also use the same eigen decomposition on system matrix and can find out the unstable eigen
vector v.by computing Cv ,the nonzero elements in the Cv indicate the sensor readings by
which attacker can perform an successful attack on the system.so the defender can increase
the resilence of the system by installing some redundant sensors which measure the unstable
eigen vector v.
In this paper a numerical example is also provided in order to illustrate the effect of false data
injection on the cyber physical system. A vehicle is considered which is moving along x-axis
where the state space includes position and velocity of the vehicle which represent the
dynamics of the vehicle.

k+1
=
k
+u
k
+w
k,1
, x
k+1
= x
k
+(
k+1
+
k
)/2 +w
k,2

Two sensors where used for measuring position and velocity of the vehicle.
Y
k
= X
k
+ v
k
, where X
k
is the matrix represent velocity and position of the vehicle.
In this example the position sensor is compromised by the attacker i.e. the sensor selection
matrix is diag (0, 1) and the parameters on the system is given by Q=R=W=I
2
, U=1.
Since the [0 1] is an unstable eigenvector and in the span of sensor selection matrix and
reachable .by the algebraic condition mentioned above the system is said to be perfectly
attackable and the attack sequence is designed.
A graph is plotted which show the evolution of the X
k
and z
k
with respect to k.

From the above graph it is easy to observe that norm of the z
k
is always less than 1 and x
k

goes to infinity which represents the system is of perfectly attackable.
The future scope of this paper is by considering the Denial of Service Attacks and False Data
Injection Attacks and studies the effects of these together on the Control System.