Publications

(See also the personal webpage of our group members)

Group Highlights

(For a full list of publications, see below, and see also the personal webpage of our group members)

Risk-Based Analysis and Design of Secure Control Systems

Networked Control Systems (NCSs) are integral to many critical infrastructures such as power grids, transportation, and production systems. The resilient operation of such NCS against cyber-attacks is essential for society, and risk management presents an effective framework for addressing these security challenges. The risk management framework encompasses two steps: risk assessment and risk mitigation. The risk assessment step aims to quantify the risk, whereas the risk mitigation step focuses on designing mitigation strategies. This thesis leverages the risk management framework to analyze and design NCSs that are resilient to cyber-attacks. In particular, this thesis aims to address the following research challenges. Firstly, we aim to assess the risk of attack scenarios that are realistic (risk assessment step). In particular, we consider adversaries and operators with different levels of knowledge about the NCS. For instance, an adversary or operator may possess complete knowledge of the system dynamics or have only partial knowledge with varying degrees of uncertainty. Hence, we describe a systematic approach to assess the risk considering the interplay between the knowledge levels of adversaries and operators. Secondly, we aim to design the NCS to minimize the risk of attacks (risk mitigation step). We explore three different strategies to minimize the risk: (a) controller/detector design, (b) security measure allocation, and (c) system architecture design. In the first strategy, we design the controller and detector gains to minimize the risk of attacks. Here, risk is characterized by the performance loss caused by stealthy attacks on the NCS. In the second strategy, we consider a distributed NCS where certain distributed devices can be secured from attacks by deploying secure sensors and actuators. Then, we aim to strategically determine the devices to secure and mitigate the risk of attacks effectively. 
Finally, inspired by digital watermarking, we explore the idea of introducing watermarks in NCS to detect attacks efficiently. Throughout the thesis, we provide various numerical examples to depict the efficacy of risk assessment and risk mitigation algorithms. We also provide numerous discussions and avenues for future research directions.

Sribalaji Coimbatore Anand

Doctoral Thesis, Uppsala University, (2024)

Security Allocation in Networked Control Systems

This thesis develops a framework for evaluating and improving the security of networked control systems in the face of cyber attacks. The considered security problem involves two strategic agents, namely a malicious adversary and a defender, pursuing their specific and conflicting goals. The defender aims to efficiently allocate defense resources with the purpose of detecting malicious activities. Meanwhile, the malicious adversary simultaneously conducts cyber attacks and remains stealthy to the defender. We tackle the security problem by proposing a game-theoretic framework and characterizing its main components: the payoff function, the action space, and the available information for each agent. Especially, the payoff function is characterized based on the output-to-output gain security metric that fully explores the worst-case attack impact. Then, we investigate the properties of the game and how to efficiently compute its equilibrium. Given the combinatorial nature of the defender actions, one important challenge is to alleviate the computational burden. To overcome this challenge, the thesis contributes several system- and graph-theoretic conditions that enable the defender to shrink the action space, efficiently allocating the defense resources. The effectiveness of the proposed framework is validated through numerical examples.

Anh Tung Nguyen

Licentiate Thesis, Uppsala University, (2023)

Safety, Security and Privacy for Cyber-Physical Systems

This book presents an in-depth overview of recent work related to the safety, security, and privacy of cyber-physical systems (CPSs). It brings together contributions from leading researchers in networked control systems and closely related fields to discuss overarching aspects of safety, security, and privacy; characterization of attacks; and solutions to detecting and mitigating such attacks.
The book begins by providing an insightful taxonomy of problems, challenges and techniques related to safety, security, and privacy for CPSs. It then moves through a thorough discussion of various control-based solutions to these challenges, including cooperative fault-tolerant and resilient control and estimation, detection of attacks and security metrics, watermarking and encrypted control, privacy and a novel defense approach based on deception. The book concludes by discussing risk management and cyber-insurance challenges in CPSs, and by presenting the future outlook for this area of research as a whole.
Its wide-ranging collection of varied works in the emerging fields of security and privacy in networked control systems makes this book a benefit to both academic researchers and advanced practitioners interested in implementing diverse applications in the fields of IoT, cooperative autonomous vehicles and the smart cities of the future.

Riccardo M. G. Ferrari and André M. H. Teixeira (Eds)

Lecture Notes in Control and Information Sciences (LNCIS, volume 486), Springer International Publishing, (2021)

 

List of Publications

Under Review

  1. “Kullback-Leibler Divergence-Based Observer Design Against Sensor Bias Injection Attacks”.
    F. E. Tosun, A. M. H. Teixeira, J. Dong, A. Ahlén, and S. Dey.
    IEEE Trans. Information Forensics and Security (Submitted)

    This paper considers observer-based anomaly detection of bias injection attacks (BIAs) on cyber-physical systems with linear dynamics and driven by Gaussian noise. Despite the perceived simplicity of this attack strategy, BIAs pose a significant risk to systems that have an integrator in their open-loop dynamics, as the residual generated by any linear observer will be identical under attack and normal operation at steady-state. Consequently, such attacks are detectable only for a limited duration during the transient phase. In this paper, we propose a principled way for designing a residual generation filter based on maximizing the Kullback-Leibler divergence (KLD) during the transients and steady-state. This approach significantly increases the signal-to-noise ratio against BIAs. The effectiveness of our method is demonstrated through numerical examples, comparing it to the Kalman filter and a robust multi-objective H−/H2 filter.
    @article{Tosun_TIFS2024,
      author = {Tosun, F. E. and Teixeira, A. M. H. and Dong, J. and Ahlén, A. and Dey, S.},
      journal = {IEEE Trans. Information Forensics and Security (Submitted)},
      number = {},
      pages = {},
      title = {Kullback-Leibler Divergence-Based Observer Design Against Sensor Bias Injection Attacks},
      volume = {},
      year = {},
      published = {0},
      tag = {10002}
    }

Published

2024

  1. “Security Allocation in Networked Control Systems under Stealthy Attacks”.
    A. T. Nguyen, A. M. H. Teixeira, and A. Medvedev.
    IEEE Trans. Control of Network Systems, 2024

    This paper considers the problem of security allocation in a networked control system under stealthy attacks in which the system is comprised of interconnected subsystems represented by vertices. A malicious adversary selects a single vertex on which to conduct a stealthy data injection attack to maximally disrupt the local performance while remaining undetected. On the other hand, a defender selects several vertices on which to allocate defense resources against the adversary. First, the objectives of the adversary and the defender with uncertain targets are formulated in probabilistic ways, resulting in an expected worst-case impact of stealthy attacks. Next, we provide a graph-theoretic necessary and sufficient condition under which the cost for the defender and the expected worst-case impact of stealthy attacks are bounded. This condition enables the defender to restrict the admissible actions to a subset of available vertex sets. Then, we cast the problem of security allocation in a Stackelberg game-theoretic framework. Finally, the contribution of this paper is highlighted by utilizing the proposed admissible actions of the defender in the context of large-scale networks. A numerical example of a 50-vertex networked control system is presented to validate the obtained results.
    @article{Tung_TCNS2024,
      author = {Nguyen, A. T. and Teixeira, A. M. H. and Medvedev, A.},
      journal = {IEEE Trans. Control of Network Systems},
      number = {},
      pages = {},
      title = {Security Allocation in Networked Control Systems under Stealthy Attacks},
      volume = {},
      doi = {10.1109/TCNS.2024.3462546},
      year = {2024},
      published = {1},
      tag = {10005}
    }
  2. “Centrality-based Security Allocation in Networked Control Systems”.
    A. T. Nguyen, A. Hertzberg, and A. M. H. Teixeira.
    The 19th International Conference on Critical Information Infrastructures Security (Accepted), 2024

    @inproceedings{Nguyen_CRITIS24,
      author = {Nguyen, A. T. and Hertzberg, A. and Teixeira, A. M. H.},
      title = {Centrality-based Security Allocation in Networked Control Systems},
      year = {2024},
      booktitle = {The 19th International Conference on Critical Information Infrastructures Security (Accepted)},
      published = {1},
      tag = {10005}
    }
  3. “Accelerating Fair Federated Learning: Adaptive Federated Adam”.
    L. Ju, T. Zhang, S. Toor, and A. Hellander.
    IEEE Transactions on Machine Learning in Communications and Networking (Accepted), 2024

    Federated learning is a distributed and privacy-preserving approach to train a statistical model collaboratively from decentralized data of different parties. However, when datasets of participants are not independent and identically distributed (non-IID), models trained by naive federated algorithms may be biased towards certain participants, and model performance across participants is non-uniform. This is known as the fairness problem in federated learning. In this paper, we formulate fairness-controlled federated learning as a dynamical multi-objective optimization problem to ensure fair performance across all participants. To solve the problem efficiently, we study the convergence and bias of Adam as the server optimizer in federated learning, and propose Adaptive Federated Adam (AdaFedAdam) to accelerate fair federated learning with alleviated bias. We validated the effectiveness, Pareto optimality and robustness of AdaFedAdam in numerical experiments and show that AdaFedAdam outperforms existing algorithms, providing better convergence and fairness properties of the federated scheme.
    @inproceedings{Ju2024,
      address = {},
      author = {Ju, L. and Zhang, T. and Toor, S. and Hellander, A.},
      booktitle = {IEEE Transactions on Machine Learning in Communications and Networking (Accepted)},
      title = {Accelerating Fair Federated Learning: Adaptive Federated Adam},
      published = {1},
      year = {2024},
      tag = {10003}
    }
  4. “Scalable metrics to quantify security of large-scale systems”.
    S. C. Anand, C. Grussler, and A. M. H. Teixeira.
    IEEE Conference on Decisions and Control (Accepted), 2024

    @inproceedings{Anand_CDC024,
      author = {Anand, S. C. and Grussler, C. and Teixeira, A. M. H.},
      title = {Scalable metrics to quantify security of large-scale systems},
      year = {2024},
      booktitle = {IEEE Conference on Decisions and Control (Accepted)},
      published = {1},
      tag = {10001}
    }
  5. “Event-triggered control of nonlinear systems under deception and Denial-of-Service attacks”.
    R. Seifullaev, A. M. H. Teixeira, and A. Ahlén.
    IEEE Conference on Decisions and Control (Accepted), 2024

    @inproceedings{Seifullaev_CDC024,
      author = {Seifullaev, R. and Teixeira, A. M. H. and Ahl\'{e}n, A.},
      booktitle = {IEEE Conference on Decisions and Control (Accepted)},
      title = {Event-triggered control of nonlinear systems under deception and Denial-of-Service attacks},
      year = {2024},
      published = {1},
      tag = {10004}
    }
  6. “Data-Driven Identification of Attack-free Sensors in Networked Control Systems”.
    S. C. Anand, M. S. Chong, and A. M. H. Teixeira.
    Poster presentation at the Symposium on Systems Theory in Data and Optimization (Accepted Extended Abstract), 2024

    @inproceedings{Anand_SysDo2024,
      author = {Anand, S. C. and Chong, M. S. and Teixeira, A. M. H.},
      title = {Data-Driven Identification of Attack-free Sensors in Networked Control Systems},
      year = {2024},
      booktitle = {Poster presentation at the Symposium on Systems Theory in Data and Optimization (Accepted Extended Abstract)},
      published = {1},
      tag = {}
    }
  7. “GNN-IDS: Graph Neural Network based Intrusion Detection System”.
    Z. Sun, A. M. H. Teixeira, and S. Toor.
    The International Conference on Availability, Reliability and Security (ARES), 2024

    Intrusion detection systems (IDSs) are widely used to identify anomalies in computer networks and raise alarms on intrusive behaviors. ML-based IDSs generally take network traces or host logs as input to extract patterns from individual samples, whereas the inter-dependencies of network are often not captured and learned, which may result in a large amount of uncertain predictions, false positives, and false negatives. To tackle the challenges in intrusion detection, we propose a graph neural network based intrusion detection system (GNN-IDS), which is data-driven and machine learning-empowered. In GNN-IDS, the attack graph and real-time measurements, representing the static and dynamic attributes of computer networks, respectively, are incorporated and associated to represent the complex computer networks. Graph neural networks are employed as the inference engine for intrusion detection. By learning network connectivity, graph neural networks can quantify the importance of neighboring nodes and node features to make more reliable predictions. Furthermore, by incorporating an attack graph, GNN-IDS could not only detect anomalies but also identify the malicious actions causing the anomalies. The experimental results on a use case network with two synthetic datasets (one generated from public IDS data) show that the proposed GNN-IDS achieves good performance. The results are analyzed from the aspects of uncertainty, explainability, and robustness.
    @inproceedings{Sun_ARES2024,
      author = {Sun, Z. and Teixeira, A. M. H. and Toor, S.},
      booktitle = {The International Conference on Availability, Reliability and Security (ARES)},
      title = {GNN-IDS: Graph Neural Network based Intrusion Detection System},
      year = {2024},
      published = {1}
    }
  8. “Stealthy Deactivation of Safety Filters”.
    D. Arnström and A. M. H. Teixeira.
    European Control Conference, 2024

    Safety filters ensure that only safe control actions are executed. We propose a simple and stealthy false-data injection attack for deactivating such safety filters; in particular, we focus on deactivating safety filters that are based on control barrier functions. The attack injects false sensor measurements to bias state estimates to the interior of a safety region, which makes the safety filter accept unsafe control actions. To detect such attacks, we also propose a detector that detects biases manufactured by the proposed attack policy, which complements conventional detectors when safety filters are used. The proposed attack policy and detector are illustrated on a double integrator example.
    @inproceedings{Arnstrom_ECC2024,
      author = {Arnstr\"{o}m, D. and Teixeira, A. M. H.},
      booktitle = {European Control Conference},
      title = {Stealthy Deactivation of Safety Filters},
      year = {2024},
      published = {1}
    }
  9. “Delay Attack and Detection in Feedback Linearized Control Systems”.
    T. Wigren and A. M. H. Teixeira.
    European Control Conference, 2024

    Delay injection attacks on nonlinear control systems may trigger instability mechanisms like finite escape time dynamics. The paper guards against such attacks by showing how a recursive algorithm for identification of nonlinear dynamics and delay can simultaneously provide parameter estimates for controller tuning and detection of delay injection in the feedback path. The attack methodology is illustrated using a simulated feedback linearized automotive cruise controller where the attack is disguised, but anyway rapidly detected.
    @inproceedings{Wigren_ECC2024,
      author = {Wigren, T. and Teixeira, A. M. H.},
      booktitle = {European Control Conference},
      title = {Delay Attack and Detection in Feedback Linearized Control Systems},
      year = {2024},
      published = {1},
      tag = {10004}
    }
  10. “Convergence in delayed recursive identification of nonlinear systems”.
    T. Wigren.
    European Control Conference, 2024

    Early detection of delay attacks on feedback control systems can be achieved by recursive identification of delay and dynamics. The paper contributes with an analysis of the convergence of a multiple-model based algorithm for joint recursive identification of fractional delay and continuous time nonlinear state space dynamics. It is proved that the true parameter vector is in the set of global convergence points, while reasons are given why a standard local stability analysis fails. A numerical example illustrates these results.
    @inproceedings{Wigren_ECC2025,
      author = {Wigren, T.},
      booktitle = {European Control Conference},
      title = {Convergence in delayed recursive identification of nonlinear systems},
      year = {2024},
      published = {1},
      tag = {10004}
    }
  11. “Kullback-Leibler Divergence-Based Detector Design Against Bias Injection Attacks in an Artificial Pancreas System”.
    F. E. Tosun, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    12th IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes, 2024

    This paper considers constant bias injection attacks on the glucose sensor deployed in an artificial pancreas system that has an integrator. The main challenge with such apparently simple attacks is that, if the system is linear and has an integrator, they are only detectable for a limited duration. More formally, they are steady-state stealthy attacks. To address this issue, we propose a residual generation method to increase the detectability of these attacks based on the Kullback–Leibler divergence metric. Illustrative examples with numerical simulations are provided to demonstrate the effectiveness of the proposed method.
    @inproceedings{Tosun_SP024,
      author = {Tosun, F. E. and Teixeira, A. M. H. and Ahlén, A. and Dey, S.},
      booktitle = {12th IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes},
      title = {Kullback-Leibler Divergence-Based Detector Design Against Bias Injection Attacks in an Artificial Pancreas System},
      year = {2024},
      published = {1},
      tag = {10002}
    }
  12. “Quickest Detection of Bias Injection Attacks on the Glucose Sensor in the Artificial Pancreas Under Meal Disturbances”.
    F. E. Tosun, A. M. H. Teixeira, M. Abdalmoaty, A. Ahlén, and S. Dey.
    Journal of Process Control, vol. 153, no. 103162, 2024

    Modern glucose sensors deployed in closed-loop insulin delivery systems, so-called artificial pancreas, use wireless communication channels. While this allows a flexible system design, it also introduces vulnerability to cyberattacks. Timely detection and mitigation of attacks are imperative for device safety. However, large unknown meal disturbances are a crucial challenge in determining whether the sensor has been compromised or the sensor glucose trajectories are normal. We address this issue from a control-theoretic security perspective. In particular, a time-varying Kalman filter is employed to handle the sporadic meal intakes. The filter prediction error is then statistically evaluated to detect anomalies if present. We compare two state-of-the-art online anomaly detection algorithms, namely the χ^2 and CUSUM tests. We establish a robust optimal detection rule for unknown bias injections. Even if the optimality holds only for the restrictive case of constant bias injections, we show that the proposed model-based anomaly detection scheme is also effective for generic non-stealthy sensor deception attacks through numerical simulations.
    @article{Tosun_JPC2024,
      author = {Tosun, F. E. and Teixeira, A. M. H. and Abdalmoaty, M. and Ahl\'{e}n, A. and Dey, S.},
      journal = {Journal of Process Control},
      volume = {153},
      number = {103162},
      title = {Quickest Detection of Bias Injection Attacks on the Glucose Sensor in the Artificial Pancreas Under Meal Disturbances},
      year = {2024},
      doi = {10.1016/j.jprocont.2024.103162},
      published = {1},
      tag = {10002}
    }
  13. “Risk Assessment of Stealthy Attacks on Uncertain Control Systems”.
    S. C. Anand, A. M. H. Teixeira, and A. Ahlén.
    IEEE Trans. Automatic Control, vol. 69, no. 5, pp. 3214–3221, May 2024

    In this article, we address the problem of risk assessment of stealthy attacks on uncertain control systems. Considering data injection attacks that aim at maximizing impact while remaining undetected, we use the recently proposed output-to-output gain to characterize the risk associated with the impact of attacks under a limited system knowledge attacker. The risk is formulated using a well-established risk metric, namely the maximum expected loss. Under this setup, the risk assessment problem corresponds to an intractable infinite non-convex optimization problem. To address this limitation, we adopt the framework of scenario-based optimization to approximate the infinite non-convex optimization problem by a sampled non-convex optimization problem. Then, based on the framework of dissipative system theory and S-procedure, the sampled non-convex risk assessment problem is formulated as an equivalent convex semi-definite program. Additionally, we derive the necessary and sufficient conditions for the risk to be bounded. Finally, we illustrate the results through numerical simulation of a hydro-turbine power system.
    @article{Anand_TAC2024,
      author = {Anand, S. C. and Teixeira, A. M. H. and Ahl\'{e}n, A.},
      journal = {IEEE Trans. Automatic Control},
      number = {5},
      pages = {3214--3221},
      title = {Risk Assessment of Stealthy Attacks on Uncertain Control Systems},
      volume = {69},
      month = may,
      year = {2024},
      doi = {10.1109/TAC.2023.3318194},
      published = {1},
      tag = {10001}
    }

2023

  1. “Security Allocation in Networked Control Systems”.
    A. T. Nguyen.
    Licentiate thesis, Uppsala University, Uppsala, Sweden, 2023

    Sustained use of critical infrastructure, such as electrical power and water distribution networks, requires efficient management and control. Facilitated by the advancements in computational devices and non-proprietary communication technology, such as the Internet, the efficient operation of critical infrastructure relies on network decomposition into interconnected subsystems, thus forming networked control systems. However, the use of public and pervasive communication channels leaves these systems vulnerable to cyber attacks. Consequently, the critical infrastructure is put at risk of suffering operation disruption and even physical damage that would inflict financial costs as well as pose a hazard to human health. Therefore, security is crucial to the sustained efficient operation of critical infrastructure. This thesis develops a framework for evaluating and improving the security of networked control systems in the face of cyber attacks. The considered security problem involves two strategic agents, namely a malicious adversary and a defender, pursuing their specific and conflicting goals. The defender aims to efficiently allocate defense resources with the purpose of detecting malicious activities. Meanwhile, the malicious adversary simultaneously conducts cyber attacks and remains stealthy to the defender. We tackle the security problem by proposing a game-theoretic framework and characterizing its main components: the payoff function, the action space, and the available information for each agent. Especially, the payoff function is characterized based on the output-to-output gain security metric that fully explores the worst-case attack impact. Then, we investigate the properties of the game and how to efficiently compute its equilibrium. Given the combinatorial nature of the defender’s actions, one important challenge is to alleviate the computational burden. 
To overcome this challenge, the thesis contributes several system- and graph-theoretic conditions that enable the defender to shrink the action space, efficiently allocating the defense resources. The effectiveness of the proposed framework is validated through numerical examples.
    @phdthesis{Nguyen_Lic2023,
      author = {Nguyen, Anh Tung},
      title = {Security Allocation in Networked Control Systems},
      school = {Uppsala University},
      year = {2023},
      address = {Uppsala, Sweden},
      month = oct,
      type = {Licentiate thesis},
      tag = {10005}
    }
  2. “Privacy preserving average consensus through network augmentation”.
    G. Ramos, A. P. Aguiar, S. Kar, and S. Pequito.
    IEEE Trans. Automatic Control (Accepted), 2023

    @article{Ramos_TAC2024,
      author = {Ramos, G. and Aguiar, A. P. and Kar, Soummya and Pequito, S.},
      journal = {IEEE Trans. Automatic Control (Accepted)},
      title = {Privacy preserving average consensus through network augmentation},
      year = {2023},
      published = {1},
      tag = {10006}
    }
  3. “Designing communication networks for discrete-time consensus for performance and privacy guarantees”.
    G. Ramos and S. Pequito.
    Systems & Control Letters, vol. 180, p. 105608, 2023

    Discrete-time consensus plays a key role in multi-agent systems and distributed protocols. Unfortunately, due to the self-loop dynamics of the agents (an agent’s current state depends only on its own immediately previous state, i.e., one time-step in the past), they often lack privacy guarantees. Therefore, in this paper, we propose a novel design that consists of a network augmentation, where each agent uses the previous iteration values and the newly received ones to increase the privacy guarantees. To formally evaluate the privacy of a network of agents, we define the concept of privacy index, which intuitively measures the minimum number of agents that should work in coalition to recover all the initial states. Moreover, we aim to explore if there is a trade-off between privacy and accuracy (rate of convergence) or if we can increase both. We unveil that, with the proposed method, we can design networks with higher privacy index and faster convergence rates. Remarkably, we further ensure that the network always reaches consensus even when the original network does not. Finally, we illustrate the proposed method with examples and present networks that lead to higher privacy levels and, in the majority of the cases, to faster consensus rates.
    @article{Ramos_CSL2024,
      author = {Ramos, G. and Pequito, S.},
      journal = {Systems & Control Letters},
      volume = {180},
      pages = {105608},
      year = {2023},
      title = {Designing communication networks for discrete-time consensus for performance and privacy guarantees},
      doi = {10.1016/j.sysconle.2023.105608},
      published = {1},
      tag = {10006}
    }
  4. “Risk-based Security Measure Allocation Against Actuator Attacks”.
    S. C. Anand and A. M. H. Teixeira.
    IEEE Open Journal of Control Systems, vol. 2, pp. 297–309, 2023

    This article considers the problem of risk-optimal allocation of security measures when the actuators of an uncertain control system are under attack. We consider an adversary injecting false data into the actuator channels. The attack impact is characterized by the maximum performance loss caused by a stealthy adversary with bounded energy. Since the impact is a random variable, due to system uncertainty, we use Conditional Value-at-Risk (CVaR) to characterize the risk associated with the attack. We then consider the problem of allocating the security measures which minimize the risk. We assume that there are only a limited number of security measures available. Under this constraint, we observe that the allocation problem is a mixed-integer optimization problem. Thus we use relaxation techniques to approximate the security allocation problem into a Semi-Definite Program (SDP). We also compare our allocation method (i) across different risk measures: the worst-case measure, the average (nominal) measure, and (ii) across different search algorithms: the exhaustive and the greedy search algorithms. We depict the efficacy of our approach through numerical examples.
    @article{Anand_IEEEOJCSys2023,
      author = {Anand, S. C. and Teixeira, A. M. H.},
      journal = {IEEE Open Journal of Control Systems},
      number = {},
      pages = {297--309},
      title = {Risk-based Security Measure Allocation Against Actuator Attacks},
      volume = {2},
      year = {2023},
      doi = {10.1109/OJCSYS.2023.3305831},
      published = {1},
      tag = {10001}
    }
  5. “On the trade-offs between accuracy, privacy, and resilience in average consensus algorithms”.
    G. Ramos, A. M. H. Teixeira, and S. Pequito.
    IEEE Conference on Decisions and Control, 2023

    @inproceedings{Ramos_CDC2023,
      author = {Ramos, G. and Teixeira, A. M. H. and Pequito, S.},
      booktitle = {IEEE Conference on Decisions and Control},
      title = {On the trade-offs between accuracy, privacy, and resilience in average consensus algorithms},
      year = {2023},
      published = {1},
      tag = {10005},
      taga = {10006}
    }
  6. “Robust Sequential Detection of Non-stealthy Sensor Deception Attacks in an Artificial Pancreas System”.
    F. E. Tosun and A. M. H. Teixeira.
    IEEE Conference on Decisions and Control, 2023

    @inproceedings{Tosun_CDC2023,
      address = {},
      author = {Tosun, F. E. and Teixeira, A. M. H.},
      booktitle = {IEEE Conference on Decisions and Control},
      title = {Robust Sequential Detection of Non-stealthy Sensor Deception Attacks in an Artificial Pancreas System},
      year = {2023},
      published = {1},
      tag = {10002}
    }
  7. “Secure State Estimation with Asynchronous Measurements against Malicious Measurement-data and Time-stamp Manipulation”.
    Z. Li, A. T. Nguyen, A. M. H. Teixeira, Y. Mo, and K. H. Johansson.
    IEEE Conference on Decisions and Control, 2023

    This paper proposes a secure state estimation scheme with non-periodic asynchronous measurements for linear continuous-time systems under false data attacks on the measurement transmit channel. After sampling the output of the system, a sensor transmits the measurement information in a triple composed of sensor index, time-stamp, and measurement value to the fusion center via vulnerable communication channels. The malicious attacker can corrupt a subset of the sensors through (i) manipulating the time-stamp and measurement value; (ii) blocking transmitted measurement triples; or (iii) injecting fake measurement triples. To deal with such attacks, we propose the design of local estimators based on observability space decomposition, where each local estimator updates the local state and sends it to the fusion center after sampling a measurement. Whenever there is a local update, the fusion center combines all the local states and generates a secure state estimate by adopting the median operator. We prove that local estimators of benign sensors are unbiased with stable covariance. Moreover, the fused central estimation error has bounded expectation and covariance against at most p corrupted sensors as long as the system is 2p-sparse observable. The efficacy of the proposed scheme is demonstrated through an application on a benchmark example of the IEEE 14-bus system.
    @inproceedings{Li_CDC2023,
      address = {},
      author = {Li, Z. and Nguyen, A. T. and Teixeira, A. M. H. and Mo, Y. and Johansson, K. H.},
      booktitle = {IEEE Conference on Decisions and Control},
      title = {Secure State Estimation with Asynchronous Measurements against Malicious Measurement-data and Time-stamp Manipulation},
      year = {2023},
      published = {1},
      tag = {10005}
    }
  8. “Feedback Path Delay Attacks and Detection”.
    T. Wigren and A. M. H. Teixeira.
    IEEE Conference on Decisions and Control, 2023

    @inproceedings{Wigren_CDC2023,
      address = {},
      author = {Wigren, T. and Teixeira, A. M. H.},
      booktitle = {IEEE Conference on Decisions and Control},
      title = {Feedback Path Delay Attacks and Detection},
      year = {2023},
      published = {1},
      tag = {10004}
    }
  9. “Quickest Detection of Deception Attacks on Cyber-Physical Systems with a Parsimonious Watermarking Policy”.
    A. Naha, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    Automatica, vol. 155, p. 111147, 2023

    The addition of a physical watermarking signal to the control input increases the detection probability of data deception attacks at the expense of increased control cost. In this paper, we propose a parsimonious policy to reduce the average number of watermarking events when the attack is not present, which in turn reduces the control cost. We model the system as a stochastic optimal control problem and apply the dynamic programming to minimize the average detection delay (ADD) for fixed upper bounds on false alarm rate (FAR) and increased control cost. The optimal solution results in a two threshold policy on the posterior probability of attack, which is derived from the Shiryaev statistics for sequential change detection assuming the change point is a random variable with a geometric distribution. We derive approximate expressions of ADD and FAR applying the non-linear renewal theory. The relationship between the average number of watermarking added before the attack and the increase in control cost is also derived. We design the optimal watermarking that maximizes the Kullback-Leibler divergence for a fixed increase in the control cost. Simulation studies are performed to illustrate and validate the theoretical results.
    @article{Naha_AUTOMATICA2023,
      author = {Naha, A. and Teixeira, A. M. H. and Ahl\'{e}n, A. and Dey, S.},
      journal = {Automatica},
      number = {},
      pages = {111147},
      title = {Quickest Detection of Deception Attacks on Cyber-Physical Systems with a Parsimonious Watermarking Policy},
      volume = {155},
      year = {2023},
      doi = {10.1016/j.automatica.2023.111147},
    }
  10. “Probability Elicitation for Bayesian Networks to Distinguish between Intentional Attacks and Accidental Technical Failures”.
    S. Chockalingam, W. Pieters, A. M. H. Teixeira, and P. van Gelder.
    Journal of Information Security and Applications, vol. 75, p. 103497, 2023

    Both intentional attacks and accidental technical failures can lead to abnormal behaviour in components of industrial control systems. In our previous work, we developed a framework for constructing Bayesian Network (BN) models to enable operators to distinguish between those two classes, including knowledge elicitation to construct the directed acyclic graph of BN models. In this paper, we add a systematic method for knowledge elicitation to construct the Conditional Probability Tables (CPTs) of BN models, thereby completing a holistic framework to distinguish between attacks and technical failures. In order to elicit reliable probabilities from experts, we need to reduce the workload of experts in probability elicitation by reducing the number of conditional probabilities to elicit and facilitating individual probability entry. We utilise DeMorgan models to reduce the number of conditional probabilities to elicit as they are suitable for modelling opposing influences i.e., combinations of influences that promote and inhibit the child event. To facilitate individual probability entry, we use probability scales with numerical and verbal anchors. We demonstrate the proposed approach using an example from the water management domain.
    @article{Chockalingam_JISA2023,
      author = {Chockalingam, S. and Pieters, W. and Teixeira, A. M. H. and van Gelder, P.},
      journal = {Journal of Information Security and Applications},
      number = {},
      title = {Probability Elicitation for Bayesian Networks to Distinguish between Intentional Attacks and Accidental Technical Failures},
      year = {2023},
      doi = {10.1016/j.jisa.2023.103497},
      volume = {75},
      pages = {103497},
      issn = {2214-2126}
    }
  11. “Quickest Physical Watermarking-Based Detection of Measurement Replacement Attacks in Networked Control Systems”.
    A. Naha, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    European Journal of Control, vol. 71, p. 100804, 2023

    In this paper, we propose and analyze an attack detection scheme for securing the physical layer of a networked control system (NCS) with a wireless sensor network against attacks where the adversary replaces the true observations with stationary false data. An independent and identically distributed watermarking signal is added to the optimal linear quadratic Gaussian (LQG) control inputs, and a cumulative sum (CUSUM) test is carried out using the joint distribution of the innovation signal and the watermarking signal for quickest attack detection. We derive the expressions of the supremum of the average detection delay (SADD) for a multi-input and multi-output (MIMO) system under the optimal and sub-optimal CUSUM tests. The SADD is asymptotically inversely proportional to the expected Kullback-Leibler divergence (KLD) under certain conditions. The expressions for the MIMO case are simplified for multi-input and single-output systems and explored further to distil design insights. We provide insights into the design of an optimal watermarking signal to maximize KLD for a given fixed increase in LQG control cost when there is no attack. Furthermore, we investigate how the attacker and the control system designer can accomplish their respective objectives by changing the relative power of the attack signal and the watermarking signal. Simulations and numerical studies are carried out to validate the theoretical results.
    @article{Naha_EJC2023,
      author = {Naha, A. and Teixeira, A. M. H. and Ahl\'{e}n, A. and Dey, S.},
      journal = {European Journal of Control},
      number = {},
      pages = {100804},
      title = {Quickest Physical Watermarking-Based Detection of Measurement Replacement Attacks in Networked Control Systems},
      volume = {71},
      year = {2023},
      doi = {10.1016/j.ejcon.2023.100804}
    }
  12. “Privacy and Security in Network Controlled Systems via Dynamic Masking”.
    M. Abdalmoaty, S. C. Anand, and A. M. H. Teixeira.
    IFAC World Congress, 2023

    In this paper, we propose a new architecture to enhance the privacy and security of networked control systems against malicious adversaries. We consider an adversary which first learns the system dynamics (privacy) using system identification techniques, and then performs a data injection attack (security). In particular, we consider an adversary conducting zero-dynamics attacks (ZDA) which maximizes the performance cost of the system whilst staying undetected. However, using the proposed architecture, we show that it is possible to (i) introduce significant bias in the system estimates of the adversary: thus providing privacy of the system parameters, and (ii) efficiently detect attacks when the adversary performs a ZDA using the identified system: thus providing security. Through numerical simulations, we illustrate the efficacy of the proposed architecture.
    @inproceedings{AbdalmoatyIFAC2023,
      address = {},
      author = {Abdalmoaty, M. and Anand, S. C. and Teixeira, A. M. H.},
      booktitle = {IFAC World Congress},
      title = {Privacy and Security in Network Controlled Systems via Dynamic Masking},
      year = {2023},
      video = {https://youtu.be/uuz5ppriWLk},
      tag = {10006}
    }
  13. “Optimal Detector Placement in Networked Control Systems under Cyber-attacks with Applications to Power Networks”.
    A. T. Nguyen, S. C. Anand, A. M. H. Teixeira, and A. Medvedev.
    IFAC World Congress, 2023

    This paper proposes a game-theoretic method to address the problem of optimal detector placement in a networked control system under cyber-attacks. The networked control system is composed of interconnected agents where each agent is regulated by its local controller over unprotected communication, which leaves the system vulnerable to malicious cyber-attacks. To guarantee a given local performance, the defender optimally selects a single agent on which to place a detector at its local controller with the purpose of detecting cyber-attacks. On the other hand, an adversary optimally chooses a single agent on which to conduct a cyber-attack on its input with the aim of maximally worsening the local performance while remaining stealthy to the defender. First, we present a necessary and sufficient condition to ensure that the maximal attack impact on the local performance is bounded, which restricts the possible actions of the defender to a subset of available agents. Then, by considering the maximal attack impact on the local performance as a game payoff, we cast the problem of finding optimal actions of the defender and the adversary as a zero-sum game. Finally, with the possible action sets of the defender and the adversary, an algorithm is devoted to determining the Nash equilibria of the zero-sum game that yield the optimal detector placement. The proposed method is illustrated on an IEEE benchmark for power systems.
    @inproceedings{NguyenIFAC2023,
      address = {},
      author = {Nguyen, A. T. and Anand, S. C. and Teixeira, A. M. H. and Medvedev, A.},
      booktitle = {IFAC World Congress},
      title = {Optimal Detector Placement in Networked Control Systems under Cyber-attacks with Applications to Power Networks},
      tag = {10005},
      year = {2023},
    }
  14. “On-line Identification of Delay Attacks in Networked Servo Control”.
    T. Wigren and A. M. H. Teixeira.
    IFAC World Congress, 2023

    The paper discusses attacks on networked control loops by increased delay, and shows how existing round trip jitter may disguise such attacks. The attacker's objective need not be de-stabilization; the paper argues that making settling time requirements fail can be sufficient. To defend against such attacks, the paper proposes the use of joint recursive prediction error identification of the round trip delay and the networked closed loop dynamics. The proposed identification algorithm allows general defense, since it is designed for delayed nonlinear dynamics in state space form. Simulations show that the method is able to detect a delay attack on a printed circuit board component mounting servo loop, long before the attack reaches full effect.
    @inproceedings{WigrenIFAC2023,
      address = {},
      author = {Wigren, T. and Teixeira, A. M. H.},
      booktitle = {IFAC World Congress},
      title = {On-line Identification of Delay Attacks in Networked Servo Control},
      year = {2023},
      tag = {10004}
    }
  15. “An Online Kullback-Leibler Divergence-Based Stealthy Attack against Cyber-Physical Systems”.
    Q. Zhang, K. Liu, A. M. H. Teixeira, Y. Li, S. Chai, and Y. Xia.
    IEEE Trans. Automatic Control, vol. 68, no. 6, pp. 3672–3679, 2023

    This article investigates the design of online stealthy attacks with the aim of moving the system’s state to a desired target. Different from the design of offline attacks, which is only based on the system’s model, to design the online attack, the attacker also estimates the system’s state with the intercepted data at each instant and computes the optimal attack accordingly. To ensure stealthiness, the Kullback-Leibler divergence between the innovations with and without attacks at each instant should be smaller than a threshold. We show that the attacker should solve a convex optimization problem at each instant to compute the mean and covariance of the attack. The feasibility of the attack policy is also discussed. Furthermore, for the strictly stealthy case with zero threshold, the analytic expression of the unique optimal attack is given. Finally, a numerical example of the longitudinal flight control system is adopted to illustrate the effectiveness of the proposed attack.
    @article{Zhang_TAC2023,
      author = {Zhang, Q. and Liu, K. and Teixeira, A. M. H. and Li, Y. and Chai, S. and Xia, Y.},
      journal = {IEEE Trans. Automatic Control},
      number = {6},
      pages = {3672--3679},
      title = {An Online Kullback-Leibler Divergence-Based Stealthy Attack against Cyber-Physical Systems},
      volume = {68},
      year = {2023},
      doi = {10.1109/TAC.2022.3192201}
    }
  16. “Sequential detection of Replay attacks”.
    A. Naha, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    IEEE Trans. Automatic Control, vol. 68, no. 3, pp. 1941–1948, 2023

    One of the most studied forms of attacks on the cyber-physical systems is the replay attack. The statistical similarities of the replayed signal and the true observations make the replay attack difficult to detect. In this paper, we address the problem of replay attack detection by adding watermarking to the control inputs and then perform resilient detection using cumulative sum (CUSUM) test on the joint statistics of the innovation signal and the watermarking signal, whereas existing work considers only the marginal distribution of the innovation signal. We derive the expression of the Kullback-Leibler divergence (KLD) between the two joint distributions before and after the replay attack, which is, asymptotically, inversely proportional to the detection delay. We perform a structural analysis of the derived KLD expression and suggest a technique to improve the KLD for the systems with relative degree greater than one. A scheme to find the optimal watermarking signal variance for a fixed increase in the control cost to maximize the KLD under the CUSUM test is presented. We provide various numerical simulation results to support our theory. The proposed method is also compared with a state-of-the-art method based on the Neyman-Pearson detector, illustrating the smaller detection delay of the proposed sequential detector.
    @article{NahaTAC2022,
      author = {Naha, A. and Teixeira, A. M. H. and Ahl\'{e}n, A. and Dey, S.},
      journal = {IEEE Trans. Automatic Control},
      number = {3},
      pages = {1941--1948},
      title = {Sequential detection of Replay attacks},
      volume = {68},
      year = {2023},
      doi = {10.1109/TAC.2022.3174004}
    }

2022

  1. “A Zero-Sum Game Framework for Optimal Sensor Placement in Uncertain Networked Control Systems under Cyber-Attacks”.
    A. T. Nguyen, S. C. Anand, and A. M. H. Teixeira.
    IEEE Conference on Decision and Control (CDC), 2022

    This paper proposes a game-theoretic approach to address the problem of optimal sensor placement against an adversary in uncertain networked control systems. The problem is formulated as a zero-sum game with two players, namely a malicious adversary and a detector. Given a protected performance vertex, we consider a detector, with uncertain system knowledge, that selects another vertex on which to place a sensor and monitors its output with the aim of detecting the presence of the adversary. On the other hand, the adversary, also with uncertain system knowledge, chooses a single vertex and conducts a cyber-attack on its input. The purpose of the adversary is to drive the attack vertex as to maximally disrupt the protected performance vertex while remaining undetected by the detector. As our first contribution, the game payoff of the above-defined zero-sum game is formulated in terms of the Value-at-Risk of the adversary’s impact. However, this game payoff corresponds to an intractable optimization problem. To tackle the problem, we adopt the scenario approach to approximately compute the game payoff. Then, the optimal monitor selection is determined by analyzing the equilibrium of the zero-sum game. The proposed approach is illustrated via a numerical example of a 10-vertex networked control system.
    @inproceedings{NguyenCDC2022,
      address = {},
      author = {Nguyen, A. T. and Anand, S. C. and Teixeira, A. M. H.},
      booktitle = {IEEE Conference on Decision and Control (CDC)},
      title = {A Zero-Sum Game Framework for Optimal Sensor Placement in Uncertain Networked Control Systems under Cyber-Attacks},
      year = {2022},
      doi = {10.1109/CDC51059.2022.9992468},
      tag = {10005}
    }
  2. “Structural analyses of a parsimonious watermarking policy for data deception attack detection in networked control systems”.
    A. Naha, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    IEEE Conference on Decisions and Control (CDC), 2022

    In this paper, we perform structural analyses of a parsimonious watermarking policy, which minimizes the average detection delay (ADD) to detect data deception attacks on networked control systems (NCS) for a fixed upper bound on the false alarm rate (FAR). The addition of physical watermarking to the control input of a NCS increases the probability of attack detections with an increase in the control cost. Therefore, we formulate the problem of data deception attack detection for NCS with the facility to add physical watermarking as a stochastic optimal control problem. Then we solve the problem by applying dynamic programming value iterations and find a parsimonious watermarking policy that decides to add watermarking and detects attacks based on the estimated posterior probability of attack. We analyze the optimal policy structure and find that it can be a one, two or three threshold policy depending on a few parameter values. Simulation studies show that the optimal policy for a practical range of parameter values is a two-threshold policy on the posterior probability of attack. Derivation of a threshold-based policy from the structural analysis of the value iteration method reduces the computational complexity during the runtime implementation and offers better structural insights. Furthermore, such an analysis provides a guideline for selecting the parameter values to meet the design requirements.
    @inproceedings{NahaCDC2022,
      address = {},
      author = {Naha, A. and Teixeira, A. M. H. and Ahl\'{e}n, A. and Dey, S.},
      booktitle = {IEEE Conference on Decisions and Control (CDC)},
      title = {Structural analyses of a parsimonious watermarking policy
      for data deception attack detection in networked control systems},
      year = {2022},
      doi = {10.1109/CDC51059.2022.9993201}
    }
  3. “Risk assessment and optimal allocation of security measures under stealthy false data injection attacks”.
    S. C. Anand, A. M. H. Teixeira, and A. Ahlén.
    IEEE Conference on Control Technology and Applications (CCTA), 2022

    This paper firstly addresses the problem of risk assessment under false data injection attacks on uncertain control systems. We consider an adversary with complete system knowledge, injecting stealthy false data into an uncertain control system. We then use the Value-at-Risk to characterize the risk associated with the attack impact caused by the adversary. The worst-case attack impact is characterized by the recently proposed output-to-output gain. We observe that the risk assessment problem corresponds to an infinite non-convex robust optimization problem. To this end, we use dissipative system theory and the scenario approach to approximate the risk-assessment problem into a convex problem and also provide probabilistic certificates on approximation. Secondly, we consider the problem of security measure allocation. We consider an operator with a constraint on the security budget. Under this constraint, we propose an algorithm to optimally allocate the security measures using the calculated risk such that the resulting Value-at-Risk is minimized. Finally, we illustrate the results through a numerical example. The numerical example also illustrates that the security allocation using the Value-at-Risk, and the impact on the nominal system may have different outcomes: thereby depicting the benefit of using risk metrics.
    @inproceedings{AnandCCTA2022,
      address = {},
      author = {Anand, S. C. and Teixeira, A. M. H. and Ahl\'{e}n, A.},
      booktitle = {IEEE Conference on Control Technology and Applications (CCTA)},
      title = {Risk assessment and optimal allocation of security measures under stealthy false data injection attacks},
      year = {2022},
      tag = {10001},
      doi = {10.1109/CCTA49430.2022.9966025},
    }
  4. “A Single-Adversary-Single-Detector Zero-Sum Game in Networked Control Systems”.
    A. T. Nguyen, A. M. H. Teixeira, and A. Medvedev.
    IFAC Conference on Networked Systems (NecSys), 2022

    This paper proposes a game-theoretic approach to address the problem of optimal sensor placement for detecting cyber-attacks in networked control systems. The problem is formulated as a zero-sum game with two players, namely a malicious adversary and a detector. Given a protected target vertex, the detector places a sensor at a single vertex to monitor the system and detect the presence of the adversary. On the other hand, the adversary selects a single vertex through which to conduct a cyber-attack that maximally disrupts the target vertex while remaining undetected by the detector. As our first contribution, for a given pair of attack and monitor vertices and a known target vertex, the game payoff function is defined as the output-to-output gain of the respective system. Then, the paper characterizes the set of feasible actions by the detector that ensures bounded values of the game payoff. Finally, an algebraic sufficient condition is proposed to examine whether a given vertex belongs to the set of feasible monitor vertices. The optimal sensor placement is then determined by computing the mixed-strategy Nash equilibrium of the zero-sum game through linear programming. The approach is illustrated via a numerical example of a 10-vertex networked control system with a given target vertex.
    @inproceedings{NguyenNecsys2022,
      address = {},
      author = {Nguyen, A. T. and Teixeira, A. M. H. and Medvedev, A.},
      booktitle = {IFAC Conference on Networked Systems (NecSys)},
      title = {A Single-Adversary-Single-Detector Zero-Sum Game in Networked Control Systems},
      year = {2022},
      doi = {10.1016/j.ifacol.2022.07.234},
      tag = {10005},
    }
  5. “Detection of Bias Injection Attacks on the Glucose Sensor in the Artificial Pancreas Under Meal Disturbances”.
    F. E. Tosun, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    American Control Conference, Atlanta, Georgia, USA, 2022

    The artificial pancreas is an emerging concept of closed-loop insulin delivery that aims to tightly regulate the blood glucose levels in patients with type 1 diabetes. This paper considers bias injection attacks on the glucose sensor deployed in an artificial pancreas. Modern glucose sensors transmit measurements through wireless communication that are vulnerable to cyber-attacks, which must be timely detected and mitigated. To this end, we propose a model-based anomaly detection scheme using a Kalman filter and a χ² test. One key challenge is to distinguish cyber-attacks from large unknown disturbances arising from meal intake. This challenge is addressed by an online meal estimator, and a novel time-varying detection threshold. More precisely, we show that the ordinary least squares is the optimal unbiased estimator of the meal size under certain modelling assumptions. Moreover, we derive a novel time-varying threshold for the χ² detector to avoid false alarms during meal ingestion. The results are validated by means of numerical simulations.
    @inproceedings{Tosun_ACC2022,
      address = {Atlanta, Georgia, USA},
      author = {Tosun, F. E. and Teixeira, A. M. H. and Ahl\'{e}n, A. and Dey, S.},
      booktitle = {American Control Conference},
      title = {Detection of Bias Injection Attacks on the Glucose Sensor in the Artificial Pancreas Under Meal Disturbances},
      year = {2022},
      doi = {10.23919/ACC53348.2022.9867556},
      tag = {10002},
    }
  6. “Sequential Detection of Replay Attacks with a Parsimonious Watermarking Policy”.
    A. Naha, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    American Control Conference, Atlanta, Georgia, USA, 2022

    In this paper, we have proposed a technique for Bayesian sequential detection of replay attacks on networked control systems with a constraint on the average number of watermarking (ANW) events used during normal system operations. Such a constraint limits the increase in the control cost due to watermarking. To determine the optimal sequence regarding the addition or otherwise of watermarking signals, first, we formulate an infinite horizon stochastic optimal control problem with a termination state. Then applying the value iteration approach, we find an optimal policy that minimizes the average detection delay (ADD) for fixed upper bounds on the false alarm rate (FAR) and ANW. The optimal policy turns out to be a two thresholds policy on the posterior probability of attack. We derive approximate expressions of ADD and FAR as functions of the two derived thresholds and a few other parameters. A simulation study on a single-input single-output system illustrates that the proposed method improves the control cost considerably at the expense of small increases in ADD. We also perform simulation studies to validate the derived theoretical results.
    @inproceedings{Naha_ACC2022,
      address = {Atlanta, Georgia, USA},
      author = {Naha, A. and Teixeira, A. M. H. and Ahl\'{e}n, A. and Dey, S.},
      booktitle = {American Control Conference},
      title = {Sequential Detection of Replay Attacks with a Parsimonious Watermarking Policy},
      year = {2022},
      doi = {10.23919/ACC53348.2022.9867703},
    }
  7. “Risk-averse controller design against data injection attacks on actuators for uncertain control systems”.
    S. C. Anand and A. M. H. Teixeira.
    American Control Conference, Atlanta, Georgia, USA, 2022

    In this paper, we consider the optimal controller design problem against data injection attacks on actuators for an uncertain control system. We consider attacks that aim at maximizing the attack impact while remaining stealthy in the finite horizon. To this end, we use the Conditional Value-at-Risk to characterize the risk associated with the impact of attacks. The worst-case attack impact is characterized using the recently proposed output-to-output ℓ₂-gain (OOG). We formulate the design problem and observe that it is non-convex and hard to solve. Using the framework of scenario-based optimization and a convex proxy for the OOG, we propose a convex optimization problem that approximately solves the design problem with probabilistic certificates. Finally, we illustrate the results through a numerical example.
    @inproceedings{Anand_ACC2022,
      address = {Atlanta, Georgia, USA},
      author = {Anand, S. C. and Teixeira, A. M. H.},
      booktitle = {American Control Conference},
      title = {Risk-averse controller design against data injection attacks on actuators for uncertain control systems},
      year = {2022},
      doi = {10.23919/ACC53348.2022.9867257},
      tag = {10001},
    }
  8. “Scalable federated machine learning with FEDn”.
    M. Ekmefjord et al.
    Symposium on Cluster, Cloud and Internet Computing, Taormina, Italy, 2022

    Federated machine learning promises to overcome the input privacy challenge in machine learning. By iteratively updating a model on private clients and aggregating these local model updates into a global federated model, private data is incorporated in the federated model without needing to share and expose that data. Several open software projects for federated learning have appeared. Most of them focus on supporting flexible experimentation with different model aggregation schemes and with different privacy-enhancing technologies. However, there is a lack of open frameworks that focus on critical distributed computing aspects of the problem such as scalability and resilience. It is a big step to take for a data scientist to go from an experimental sandbox to testing their federated schemes at scale in real-world geographically distributed settings. To bridge this gap we have designed and developed a production-grade hierarchical federated learning framework, FEDn. The framework is specifically designed to make it easy to go from local development in pseudo-distributed mode to horizontally scalable distributed deployments. FEDn both aims to be production grade for industrial applications and a flexible research tool to explore real-world performance of novel federated algorithms and the framework has been used in a number of industrial and academic R&D projects. In this paper we present the architecture and implementation of FEDn. We demonstrate the framework’s scalability and efficiency in evaluations based on two case-studies representative for a cross-silo and a cross-device use-case respectively.
    @inproceedings{Ekmefjord_CCGrid2022,
      address = {Taormina, Italy},
      author = {Ekmefjord, M. and Ait-Mlouk, A. and Alawadi, S. and Åkesson, M. and Singh, P. and Spjuth, O. and Toor, S. and Hellander, A.},
      booktitle = {Symposium on Cluster, Cloud and Internet Computing},
      title = {Scalable federated machine learning with FEDn},
      year = {2022},
      doi = {10.1109/CCGrid54584.2022.00065},
      tag = {10003},
    }

2021

  1. “Bayesian network model to distinguish between intentional attacks and accidental technical failures: a case study of floodgates”.
    S. Chockalingam, W. Pieters, A. M. H. Teixeira, and P. van Gelder.
    Cybersecurity, vol. 4, no. 29, 2021

    @article{Chockalingam_2021,
      author = {Chockalingam, S. and Pieters, W. and Teixeira, A. M. H. and van Gelder, P.},
      journal = {Cybersecurity},
      number = {29},
      pages = {},
      title = {Bayesian network model to distinguish between intentional attacks and accidental technical failures: a case study of floodgates},
      volume = {4},
      year = {2021}
    }
  2. “Design of multiplicative watermarking against covert attacks”.
    A. J. Gallo, S. C. Anand, A. M. H. Teixeira, and R. M. G. Ferrari.
    IEEE Conf. Decision and Control, Austin, Texas, USA, 2021

    @inproceedings{Gallo_CDC2021,
      address = {Austin, Texas, USA},
      author = {Gallo, A. J. and Anand, S. C. and Teixeira, A. M. H. and Ferrari, R. M. G.},
      booktitle = {IEEE Conf. Decision and Control},
      title = {Design of multiplicative watermarking against covert attacks},
      year = {2021},
      doi = {10.1109/CDC45484.2021.9683075}
    }
  3. “Stealthy Cyber-Attack Design Using Dynamic Programming”.
    S. C. Anand and A. M. H. Teixeira.
    IEEE Conf. Decision and Control, Austin, Texas, USA, 2021

    @inproceedings{Anand_CDC2021,
      address = {Austin, Texas, USA},
      author = {Anand, S. C. and Teixeira, A. M. H.},
      booktitle = {IEEE Conf. Decision and Control},
      title = {Stealthy Cyber-Attack Design Using Dynamic Programming},
      year = {2021},
      doi = {10.1109/CDC45484.2021.9683451},
    }
  4. “Deception Attack Detection Using Reduced Watermarking”.
    A. Naha, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    Eur. Control Conf., Rotterdam, The Netherlands, 2021

    BIB
    @inproceedings{Naha_ECC2021,
      address = {Rotterdam, The Netherlands},
      author = {Naha, A. and Teixeira, A. M. H. and Ahl\'{e}n, A. and Dey, S.},
      booktitle = {Eur. Control Conf.},
      title = {Deception Attack Detection Using Reduced Watermarking},
      year = {2021},
      doi = {10.23919/ECC54610.2021.9654843}
    }
  5. “Introduction to the Book”.
    R. M. G. Ferrari and A. M. H. Teixeira.
    in Safety, Security and Privacy for Cyber-Physical Systems, R. M. G. Ferrari and A. M. H. Teixeira, Eds. Cham: Springer International Publishing, 2021, pp. 1–8

    BIB
    @incollection{FerrariTeixeira_Springer2021,
      author = {Ferrari, Riccardo M. G. and Teixeira, Andr{\'e} M. H.},
      editor = {Ferrari, Riccardo M.G. and Teixeira, Andr{\'e} M. H.},
      title = {Introduction to the Book},
      booktitle = {Safety, Security and Privacy for Cyber-Physical Systems},
      year = {2021},
      publisher = {Springer International Publishing},
      address = {Cham},
      pages = {1--8},
      isbn = {978-3-030-65048-3},
      doi = {10.1007/978-3-030-65048-3_1}
    }
  6. “Security Metrics for Control Systems”.
    A. M. H. Teixeira.
    in Safety, Security and Privacy for Cyber-Physical Systems, R. M. G. Ferrari and A. M. H. Teixeira, Eds. Cham: Springer International Publishing, 2021, pp. 1–8

    BIB
    @incollection{Teixeira_Springer2021,
      author = {Teixeira, Andr{\'e} M. H.},
      editor = {Ferrari, Riccardo M.G. and Teixeira, Andr{\'e} M. H.},
      title = {Security Metrics for Control Systems},
      booktitle = {Safety, Security and Privacy for Cyber-Physical Systems},
      year = {2021},
      publisher = {Springer International Publishing},
      address = {Cham},
      pages = {1--8},
      isbn = {978-3-030-65048-3},
      doi = {10.1007/978-3-030-65048-3_6},
      tag = {10001}
    }
  7. “Detection of Cyber-Attacks: A Multiplicative Watermarking Scheme”.
    R. M. G. Ferrari and A. M. H. Teixeira.
    in Safety, Security and Privacy for Cyber-Physical Systems, R. M. G. Ferrari and A. M. H. Teixeira, Eds. Cham: Springer International Publishing, 2021, pp. 1–8

    BIB
    @incollection{Ferrari_Springer2021,
      author = {Ferrari, Riccardo M. G. and Teixeira, Andr{\'e} M. H.},
      editor = {Ferrari, Riccardo M.G. and Teixeira, Andr{\'e} M. H.},
      title = {Detection of Cyber-Attacks: A Multiplicative Watermarking Scheme},
      booktitle = {Safety, Security and Privacy for Cyber-Physical Systems},
      year = {2021},
      publisher = {Springer International Publishing},
      address = {Cham},
      pages = {1--8},
      isbn = {978-3-030-65048-3},
      doi = {10.1007/978-3-030-65048-3_9}
    }
  8. “A Game-Theoretic Approach to Covert Communications in the Presence of Multiple Colluding Wardens”.
    A. Arghavani, A. Ahlén, A. Teixeira, and S. Dey.
    2021 IEEE Wireless Communications and Networking Conference (WCNC), 2021, pp. 1–7

    BIB
    @inproceedings{Arghavani_WCNC2021,
      title = {A {{Game}}-Theoretic {{Approach}} to {{Covert Communications}} in the {{Presence}} of {{Multiple Colluding Wardens}}},
      booktitle = {2021 {{IEEE Wireless Communications}} and {{Networking Conference}} ({{WCNC}})},
      author = {Arghavani, Abbas and Ahl{\'e}n, Anders and Teixeira, Andr{\'e} and Dey, Subhrakanti},
      year = {2021},
      month = mar,
      pages = {1--7},
      issn = {1558-2612},
      doi = {10.1109/WCNC49053.2021.9417312},
      copyright = {All rights reserved},
      keywords = {communications,Computational modeling,Conferences,game-theory,Games,Linear programming,Nash equilibrium,Numerical simulation,Rayleigh channels,security}
    }
  9. “An Evaluation of Container Security Vulnerability Detection Tools”.
    O. Javed and S. Toor.
    Cloud and Big Data Computing, 2021

    BIB
    @inproceedings{javed_CBDC2021,
      title = {An Evaluation of Container Security Vulnerability Detection Tools},
      booktitle = {Cloud and Big Data Computing},
      author = {Javed, O. and Toor, S.},
      year = {2021},
      doi = {10.1145/3481646.3481661},
      abstract = {Container is a lightweight virtualization technology which packages an application, its dependencies and an operating system (OS) to run as an isolated unit. However, the pressing concern with the use of containers is its susceptibility to security attacks. Consequently, a number of container scanning tools are available for detecting container security vulnerabilities. Therefore, in this experience report, we investigate the quality of existing container scanning tools by considering two metrics that reflect coverage and accuracy. We analyze popular public container images hosted on DockerHub using different container scanning tools (i.e., Clair, Anchore, and Microscanner). Our findings show that existing container scanning tools do not detect application package vulnerabilities. Furthermore, we find that existing tools do not have high accuracy.},
    }
  10. “Privatized Distributed Anomaly Detection for Large-Scale Nonlinear Uncertain Systems”.
    V. Rostampour, R. M. G. Ferrari, A. M. H. Teixeira, and T. Keviczky.
    IEEE Trans. Automatic Control, vol. 66, no. 11, pp. 5299–5313, 2021

    BIB
    @article{Rostampour_TAC2020,
      author = {Rostampour, V. and Ferrari, R. M.G. and Teixeira, A. M. H. and Keviczky, T.},
      journal = {IEEE Trans. Automatic Control},
      number = {11},
      pages = {5299--5313},
      title = {Privatized Distributed Anomaly Detection for Large-Scale Nonlinear Uncertain Systems},
      volume = {66},
      year = {2021},
      doi = {10.1109/TAC.2020.3040251}
    }

2020

  1. “A Switching Multiplicative Watermarking Scheme for Detection of Stealthy Cyber-Attacks”.
    R. Ferrari and A. M. H. Teixeira.
    IEEE Trans. Automatic Control, vol. 66, no. 6, pp. 2558–2573, 2020

    BIB
    @article{Ferrari_TAC2020,
      author = {Ferrari, R. and Teixeira, A. M. H.},
      journal = {IEEE Trans. Automatic Control},
      number = {6},
      pages = {2558--2573},
      title = {A Switching Multiplicative Watermarking Scheme for Detection of Stealthy Cyber-Attacks},
      volume = {66},
      year = {2020}
    }
  2. “Actuator Security Indices Based on Perfect Undetectability: Computation, Robustness, and Sensor Placement”.
    J. Milosevic, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    IEEE Trans. Automatic Control, vol. 65, no. 9, pp. 3816–3831, 2020

    BIB
    @article{Milosevic_TAC2020,
      author = {Milosevic, J. and Teixeira, A. M. H. and Sandberg, H. and Johansson, K. H.},
      doi = {10.1109/TAC.2020.2981392},
      journal = {IEEE Trans. Automatic Control},
      number = {9},
      pages = {3816--3831},
      title = {Actuator Security Indices Based on Perfect Undetectability: Computation, Robustness, and Sensor Placement},
      volume = {65},
      year = {2020}
    }
  3. “Joint controller and detector design against data injection attacks on actuators”.
    S. C. Anand and A. M. H. Teixeira.
    IFAC World Congress, Berlin, Germany, 2020

    BIB
    @inproceedings{Anand_2020,
      address = {Berlin, Germany},
      author = {Anand, S. C. and Teixeira, A. M. H.},
      booktitle = {IFAC World Congress},
      title = {Joint controller and detector design against data injection attacks on actuators},
      year = {2020}
    }
  4. “Privacy-preserving Continuous Tumour Relapse Monitoring Using In-body Radio Signals”.
    S. Hylamia et al.
    IEEE Workshop on the Internet of Safe Things (SafeThings), San Francisco, CA, USA, 2020

    BIB
    @inproceedings{Hylamia_2020,
      address = {San Francisco, CA, USA},
      author = {Hylamia, S. and Yan, W. and Teixeira, A. M. H. and Asan, N. B. and Perez, M. and Augustine, R. and Voigt, T.},
      booktitle = {IEEE Workshop on the Internet of Safe Things (SafeThings)},
      title = {Privacy-preserving Continuous Tumour Relapse Monitoring Using In-body Radio Signals},
      year = {2020}
    }

2019

  1. “Effects of Jamming Attacks on a Control System With Energy Harvesting”.
    S. Knorn and A. M. H. Teixeira.
    IEEE Control Systems Letters, vol. 3, no. 4, pp. 829–834, 2019

    BIB
    @article{Knorn_CSL2019,
      author = {Knorn, S. and Teixeira, A. M. H.},
      journal = {IEEE Control Systems Letters},
      number = {4},
      pages = {829--834},
      title = {Effects of Jamming Attacks on a Control System With Energy Harvesting},
      volume = {3},
      year = {2019}
    }
  2. “Optimal stealthy attacks on actuators for strictly proper systems”.
    A. M. H. Teixeira.
    IEEE Conf. Decision and Control, Nice, France, 2019

    BIB
    @inproceedings{Teixeira_CDC2019,
      address = {Nice, France},
      author = {Teixeira, A. M. H.},
      booktitle = {IEEE Conf. Decision and Control},
      title = {Optimal stealthy attacks on actuators for strictly proper systems},
      year = {2019}
    }
  3. “A Tutorial Introduction to Security and Privacy for Cyber-Physical Systems”.
    M. S. Chong, H. Sandberg, and A. M. H. Teixeira.
    Eur. Control Conf., Naples, Italy, 2019

    BIB
    @inproceedings{Chong_ECC2019,
      address = {Naples, Italy},
      author = {Chong, M. S. and Sandberg, H. and Teixeira, A. M. H.},
      booktitle = {Eur. Control Conf.},
      title = {A Tutorial Introduction to Security and Privacy for Cyber-Physical Systems},
      year = {2019}
    }
  4. “Data Injection Attacks against Feedforward Controllers”.
    A. M. H. Teixeira.
    Eur. Control Conf., Naples, Italy, 2019

    BIB
    @inproceedings{Teixeira_ECC2019,
      address = {Naples, Italy},
      author = {Teixeira, A. M. H.},
      booktitle = {Eur. Control Conf.},
      title = {Data Injection Attacks against Feedforward Controllers},
      year = {2019}
    }
  5. “On the Confidentiality of Linear Anomaly Detector States”.
    D. Umsonst, E. Nekouei, A. M. H. Teixeira, and H. Sandberg.
    American Control Conf., Philadelphia, PA, USA, 2019

    BIB
    @inproceedings{Umsonst_ACC2019,
      address = {Philadelphia, PA, USA},
      author = {Umsonst, D. and Nekouei, E. and Teixeira, A. M. H. and Sandberg, H.},
      booktitle = {American Control Conf.},
      title = {On the Confidentiality of Linear Anomaly Detector States},
      year = {2019}
    }
  6. “Cyber Risk Analysis of Combined Data Attacks Against Power System State Estimation”.
    K. Pan, A. M. H. Teixeira, M. Cvetkovic, and P. Palensky.
    IEEE Trans. Smart Grid, vol. 10, no. 3, pp. 3044–3056, May 2019

    ABS BIB
    Understanding smart grid cyber attacks is key for developing appropriate protection and recovery measures. Advanced attacks pursue maximized impact at minimized costs and detectability. This paper conducts risk analysis of combined data integrity and availability attacks against the power system state estimation. We compare the combined attacks with pure integrity attacks - false data injection (FDI) attacks. A security index for vulnerability assessment to these two kinds of attacks is proposed and formulated as a mixed integer linear programming problem. We show that such combined attacks can succeed with fewer resources than FDI attacks. The combined attacks with limited knowledge of the system model also expose advantages in keeping stealth against the bad data detection. Finally, the risk of combined attacks to reliable system operation is evaluated using the results from vulnerability assessment and attack impact analysis. The findings in this paper are validated and supported by a detailed case study.
    @article{Pan2018,
      archiveprefix = {arXiv},
      author = {Pan, Kaikai and Teixeira, Andre M. H. and Cvetkovic, Milos and Palensky, Peter},
      doi = {10.1109/TSG.2018.2817387},
      eprint = {1708.08349},
      issn = {19493053},
      journal = {IEEE Trans. Smart Grid},
      keywords = {Combined integrity and availability attack,Indexes,Network topology,Power systems,Security,State estimation,Transmission line matrix methods,Transmission line measurements,false data injection,power system state estimation.,risk analysis},
      pages = {3044--3056},
      volume = {10},
      number = {3},
      title = {Cyber Risk Analysis of Combined Data Attacks Against Power System State Estimation},
      year = {2019},
      month = may
    }

2018

  1. “Combining Bayesian Networks and Fishbone Diagrams to Distinguish between Intentional Attacks and Accidental Technical Failures”.
    S. Chockalingam, A. M. H. Teixeira, W. Pieters, N. Khakzad, and P. van Gelder.
    Proc. 5th Int. Work. Graph. Model. Secur., Oxford, UK, 2018

    ABS BIB
    Because of modern societies’ dependence on industrial control systems, adequate response to system failures is essential. In order to take appropriate measures, it is crucial for operators to be able to distinguish between intentional attacks and accidental technical failures. However, adequate decision support for this matter is lacking. In this paper, we use Bayesian Networks (BNs) to distinguish between intentional attacks and accidental technical failures, based on contributory factors and observations (or test results). To facilitate knowledge elicitation, we use extended fishbone diagrams for discussions with experts, and then translate those into the BN formalism. We demonstrate the methodology using an example in a case study from the water management domain.
    @inproceedings{Chockalingam2018,
      address = {Oxford, UK},
      author = {Chockalingam, Sabarathinam and Teixeira, Andr{\'{e}} M. H. and Pieters, Wolter and Khakzad, Nima and van Gelder, Pieter},
      booktitle = {Proc. 5th Int. Work. Graph. Model. Secur.},
      title = {Combining Bayesian Networks and Fishbone Diagrams to Distinguish between Intentional Attacks and Accidental Technical Failures},
      year = {2018}
    }
  2. “Detection of Sensor Data Injection Attacks with Multiplicative Watermarking”.
    A. M. H. Teixeira and R. M. G. Ferrari.
    Eur. Control Conf., Cyprus, 2018

    BIB
    @inproceedings{Teixeira2018,
      address = {Cyprus},
      author = {Teixeira, A. M. H. and Ferrari, R. M. G.},
      booktitle = {Eur. Control Conf.},
      title = {Detection of Sensor Data Injection Attacks with Multiplicative Watermarking},
      year = {2018}
    }
  3. “Differentially-Private Distributed Fault Diagnosis for Large-Scale Nonlinear Uncertain Systems”.
    V. Rostampour, R. Ferrari, A. M. H. Teixeira, and T. Keviczky.
    IFAC-PapersOnLine, vol. 51, no. 24, pp. 975–982, Jan. 2018

    ABS BIB
    Distributed fault diagnosis has been proposed as an effective technique for monitoring large scale, nonlinear and uncertain systems. It is based on the decomposition of the large scale system into a number of interconnected subsystems, each one monitored by a dedicated Local Fault Detector (LFD). Neighboring LFDs, in order to successfully account for subsystems interconnection, are thus required to communicate with each other some of the measurements from their subsystems. Anyway, such communication may expose private information of a given subsystem, such as its local input. To avoid this problem, we propose here to use differential privacy to pre-process data before transmission.
    @article{Rostampour2018,
      author = {Rostampour, Vahab and Ferrari, Riccardo and Teixeira, Andr{\'{e}} M H and Keviczky, Tam{\'{a}}s},
      doi = {10.1016/J.IFACOL.2018.09.703},
      issn = {2405-8963},
      journal = {IFAC-PapersOnLine},
      month = jan,
      number = {24},
      pages = {975--982},
      title = {Differentially-Private Distributed Fault Diagnosis for Large-Scale Nonlinear Uncertain Systems},
      volume = {51},
      year = {2018}
    }
  4. “Security measure allocation for industrial control systems: Exploiting systematic search techniques and submodularity”.
    J. Milošević, A. M. H. Teixeira, T. Tanaka, K. H. Johansson, and H. Sandberg.
    Int. J. Robust Nonlinear Control, no. 11, pp. 4278–4302, 2018

    BIB
    @article{Jezdimir2018,
      author = {Milo{\v{s}}evi{\'{c}}, Jezdimir and Teixeira, Andr{\'{e}} M. H. and Tanaka, Takashi and Johansson, Karl H. and Sandberg, Henrik},
      doi = {10.1002/rnc.4375},
      journal = {Int. J. Robust Nonlinear Control},
      vol = {30},
      number = {11},
      pages = {4278--4302},
      title = {Security measure allocation for industrial control systems: Exploiting systematic search techniques and submodularity},
      year = {2018}
    }
  5. “Secure Cloud Connectivity for Scientific Applications”.
    L. Osmani et al.
    IEEE Transactions on Services Computing, 2018

    ABS BIB
    Cloud computing improves utilization and flexibility in allocating computing resources while reducing the infrastructural costs. However, in many cases cloud technology is still proprietary and tainted by security issues rooted in the multi-user and hybrid cloud environment. A lack of secure connectivity in a hybrid cloud environment hinders the adaptation of clouds by scientific communities that require scaling-out of the local infrastructure using publicly available resources for large-scale experiments. In this article, we present a case study of the DII-HEP secure cloud infrastructure and propose an approach to securely scale-out a private cloud deployment to public clouds in order to support hybrid cloud scenarios. A challenge in such scenarios is that cloud vendors may offer varying and possibly incompatible ways to isolate and interconnect virtual machines located in different cloud networks. Our approach is tenant driven in the sense that the tenant provides its connectivity mechanism. We provide a qualitative and quantitative analysis of a number of alternatives to solve this problem. We have chosen one of the standardized alternatives, Host Identity Protocol, for further experimentation in a production system because it supports legacy applications in a topologically-independent and secure way.
    @article{OsmaniTSC2018,
      author = {Osmani, L. and Toor, S. and Komu, N. and Kortelainen, M. and Lindén, T. and White, J. and Khan, R. and Eerola, P. and Tarkoma, S.},
      journal = {IEEE Transactions on Services Computing},
      number = {},
      pages = {},
      title = {Secure Cloud Connectivity for Scientific Applications},
      volume = {},
      year = {2018},
      doi = {10.1109/TSC.2015.2469292}
    }

2017

  1. “Bayesian network models in cyber security: A systematic review”.
    S. Chockalingam, W. Pieters, A. M. H. Teixeira, and P. van Gelder.
    in Secur. IT Syst. Nord. 2017. Lect. Notes Comput. Sci., vol. 10674 LNCS, H. Lipmaa, A. Mitrokotsa, and R. Matulevičius, Eds. Springer, Cham, 2017, pp. 105–122

    ABS BIB
    Bayesian Networks (BNs) are an increasingly popular modelling technique in cyber security especially due to their capability to overcome data limitations. This is also exemplified by the growth of BN models development in cyber security. However, a comprehensive comparison and analysis of these models is missing. In this paper, we conduct a systematic review of the scientific literature and identify 17 standard BN models in cyber security. We analyse these models based on 8 different criteria and identify important patterns in the use of these models. A key outcome is that standard BNs are noticeably used for problems especially associated with malicious insiders. This study points out the core range of problems that were tackled using standard BN models in cyber security, and illuminates key research gaps.
    @incollection{Chockalingam2017a,
      author = {Chockalingam, Sabarathinam and Pieters, Wolter and Teixeira, Andr{\'{e}} M. H. and van Gelder, Pieter},
      booktitle = {Secur. IT Syst. Nord. 2017. Lect. Notes Comput. Sci.},
      doi = {10.1007/978-3-319-70290-2_7},
      editor = {Lipmaa, Helger and Mitrokotsa, Aikaterini and Matulevi{\v{c}}ius, Raimundas},
      isbn = {9783319702896},
      issn = {16113349},
      keywords = {Bayesian attack graph,Bayesian network,Cyber security,Information security,Insider threat},
      pages = {105--122},
      publisher = {Springer, Cham},
      title = {Bayesian network models in cyber security: A systematic review},
      volume = {10674 LNCS},
      year = {2017}
    }
  2. “Co-simulation for Cyber Security Analysis: Data Attacks against Energy Management System”.
    K. Pan, A. M. H. Teixeira, C. López, and P. Palensky.
    IEEE Int. Conf. Smart Grid Commun., Dresden, Germany, 2017, pp. 253–258

    ABS BIB
    It is challenging to assess the vulnerability of a cyber-physical power system to data attacks from an integral perspective. In order to support vulnerability assessment except analytic analysis, suitable platform for security tests needs to be developed. In this paper we analyze the cyber security of energy management system (EMS) against data attacks. First we extend our analytic framework that characterizes data attacks as optimization problems with the objectives specified as security metrics and constraints corresponding to the communication network properties. Second, we build a platform in the form of co-simulation - coupling the power system simulator DIgSILENT PowerFactory with communication network simulator OMNeT++, and Matlab for EMS applications (state estimation, optimal power flow). Then the framework is used to conduct attack simulations on the co-simulation based platform for a power grid test case. The results indicate how vulnerable of EMS to data attacks and how co-simulation can help assess vulnerability.
    @inproceedings{Pan2017,
      address = {Dresden, Germany},
      archiveprefix = {arXiv},
      author = {Pan, Kaikai and Teixeira, Andr{\'{e}} M. H. and L{\'{o}}pez, Claudio and Palensky, Peter},
      booktitle = {IEEE Int. Conf. Smart Grid Commun.},
      doi = {10.1109/SmartGridComm.2017.8340668},
      eprint = {1708.08322},
      isbn = {9781538640555},
      pages = {253--258},
      title = {Co-simulation for Cyber Security Analysis: Data Attacks against Energy Management System},
      year = {2017}
    }
  3. “Data attacks on power system state estimation: Limited adversarial knowledge vs. limited attack resources”.
    K. Pan, A. M. H. Teixeira, M. Cvetkovic, and P. Palensky.
    IECON 2017 - 43rd Annu. Conf. IEEE Ind. Electron. Soc., Beijing, China, 2017, pp. 4313–4318

    ABS BIB
    © 2017 IEEE. It has shown that with perfect knowledge of the system model and the capability to manipulate a certain number of measurements, the false data injection (FDI) attacks, as a class of data integrity attacks, can coordinate measurements corruption to keep stealth against the bad data detection schemes. However, a more realistic attack is essentially an attack with limited adversarial knowledge of the system model and limited attack resources due to various reasons. In this paper, we generalize the data attacks that they can be pure FDI attacks or combined with availability attacks (e.g., DoS attacks) and analyze the attacks with limited adversarial knowledge or limited attack resources. The attack impact is evaluated by the proposed metrics and the detection probability of attacks is calculated using the distribution property of data with or without attacks. The analysis is supported with results from a power system use case. The results show how important the knowledge is to the attacker and which measurements are more vulnerable to attacks with limited resources.
    @inproceedings{Pan2017a,
      address = {Beijing, China},
      author = {Pan, Kaikai and Teixeira, Andre M. H. and Cvetkovic, Milos and Palensky, Peter},
      booktitle = {IECON 2017 - 43rd Annu. Conf. IEEE Ind. Electron. Soc.},
      doi = {10.1109/IECON.2017.8216741},
      isbn = {978-1-5386-1127-2},
      month = oct,
      pages = {4313--4318},
      title = {Data attacks on power system state estimation: Limited adversarial knowledge vs. limited attack resources},
      year = {2017}
    }
  4. “Detection and Isolation of Replay Attacks through Sensor Watermarking”.
    R. M. G. Ferrari and A. M. H. Teixeira.
    IFAC-PapersOnLine, vol. 50, no. 1, pp. 7363–7368, Jul. 2017

    ABS BIB
    This paper addresses the detection and isolation of replay attacks on sensor measurements. As opposed to previously proposed additive watermarking, we propose a multiplicative watermarking scheme, where each sensor’s output is separately watermarked by being fed to a SISO watermark generator. Additionally, a set of equalizing filters is placed at the controller’s side, which reconstructs the original output signals from the received watermarked data. We show that the proposed scheme has several advantages over existing approaches: it has no detrimental effects on the closed-loop performance in the absence of attacks; it can be designed in a modular fashion, independently of the design of the controller and anomaly detector; it facilitates the detection of replay attacks and the isolation of the time at which the replayed data was recorded. These properties are discussed in detail and the results are illustrated through a numerical example.
    @article{Ferrari_IFAC_2017,
      author = {Ferrari, Riccardo M.G. and Teixeira, Andr{\'{e}} M. H.},
      doi = {10.1016/j.ifacol.2017.08.1502},
      issn = {24058963},
      journal = {IFAC-PapersOnLine},
      month = jul,
      number = {1},
      pages = {7363--7368},
      title = {Detection and Isolation of Replay Attacks through Sensor Watermarking},
      volume = {50},
      year = {2017}
    }
  5. “Detection and isolation of routing attacks through sensor watermarking”.
    R. M. G. Ferrari and A. M. H. Teixeira.
    Proc. Am. Control Conf., Seattle, WA, USA, 2017, pp. 5436–5442

    ABS BIB
    © 2017 American Automatic Control Council (AACC). In networked control systems, leveraging the peculiarities of the cyber-physical domains and their interactions may lead to novel detection and defense mechanisms against malicious cyber-attacks. In this paper, we propose a multiplicative sensor watermarking scheme, where each sensor’s output is separately watermarked by a Single Input Single Output (SISO) filter. Hence, such scheme does not require communication between multiple sensors, but can still lead to detection and isolation of malicious cyber-attacks. In particular, we analyze the benefits of the proposed watermarking scheme for two attack scenarios: The physical sensor re-routing attack and the cyber measurement re-routing one. For each attack scenario, detectability and isolability properties are analyzed with and without the proposed watermarking scheme and we show how the watermarking scheme can be leveraged to detect cyber sensor routing attacks. In order to detect compromised sensors, we design an observer-based detector with a robust adaptive threshold. Additionally, we identify the sensors involved in the re-routing attacks by means of a tailored Recursive Least Squares parameter estimation algorithm. The results are illustrated through a numerical example.
    @inproceedings{Ferrari2017,
      address = {Seattle, WA, USA},
      author = {Ferrari, Riccardo M.G. and Teixeira, Andre M. H.},
      booktitle = {Proc. Am. Control Conf.},
      doi = {10.23919/ACC.2017.7963800},
      isbn = {9781509059928},
      issn = {07431619},
      month = may,
      pages = {5436--5442},
      title = {Detection and isolation of routing attacks through sensor watermarking},
      year = {2017}
    }
  6. “Distributed sensor and actuator reconfiguration for fault-tolerant networked control systems”.
    A. M. H. Teixeira, J. Araujo, H. Sandberg, and K. H. Johansson.
    IEEE Trans. Control Netw. Syst., pp. 1–12, 2017

    ABS BIB
    In this paper, we address the problem of distributed reconfiguration of networked control systems upon the removal of misbehaving sensors and actuators. In particular, we consider systems with redundant sensors and actuators cooperating to recover from faults. Reconfiguration is performed while minimizing a steady-state estimation error covariance and a quadratic control cost. A model-matching condition is imposed on the reconfiguration scheme. It is shown that the reconfiguration and its underlying computation can be distributed. Using an average dwell-time approach, the stability of the distributed reconfiguration scheme under finite-time termination is analyzed. The approach is illustrated in a numerical example.
    @article{Teixeira_TCNS_2017,
      author = {Teixeira, Andre M. H. and Araujo, Jose and Sandberg, Henrik and Johansson, Karl H.},
      doi = {10.1109/TCNS.2017.2732158},
      issn = {2325-5870},
      journal = {IEEE Trans. Control Netw. Syst.},
      keywords = {Actuators,Computational modeling,Estimation error,Networked control systems,Redundancy},
      pages = {1--12},
      title = {Distributed sensor and actuator reconfiguration for fault-tolerant networked control systems},
      year = {2017}
    }
  7. “Estimation With Strategic Sensors”.
    F. Farokhi, A. M. H. Teixeira, and C. Langbort.
    IEEE Trans. Automat. Contr., vol. 62, no. 2, pp. 724–739, Feb. 2017

    ABS BIB
    © 1963-2012 IEEE. We introduce a model of estimation in the presence of strategic, self-interested sensors. We employ a game-theoretic setup to model the interaction between the sensors and the receiver. The cost function of the receiver is equal to the estimation error variance while the cost function of the sensor contains an extra term which is determined by its private information. We start by the single sensor case in which the receiver has access to a noisy but honest side information in addition to the message transmitted by a strategic sensor. We study both static and dynamic estimation problems. For both these problems, we characterize a family of equilibria in which the sensor and the receiver employ simple strategies. Interestingly, for the dynamic estimation problem, we find an equilibrium for which the strategic sensor uses a memory-less policy. We generalize the static estimation setup to multiple sensors with synchronous communication structure (i.e., all the sensors transmit their messages simultaneously). We prove the maybe surprising fact that, for the constructed equilibrium in affine strategies, the estimation quality degrades as the number of sensors increases. However, if the sensors are herding (i.e., copying each other policies), the quality of the receiver’s estimation improves as the number of sensors increases. Finally, we consider the asynchronous communication structure (i.e., the sensors transmit their messages sequentially).
    @article{Farokhi2017,
      author = {Farokhi, Farhad and Teixeira, Andre M. H. and Langbort, Cedric},
      doi = {10.1109/TAC.2016.2571779},
      issn = {0018-9286},
      journal = {IEEE Trans. Automat. Contr.},
      keywords = {Estimation,Kalman filtering,game theory,strategic sensors},
      month = feb,
      number = {2},
      pages = {724--739},
      title = {Estimation With Strategic Sensors},
      volume = {62},
      year = {2017}
    }
  8. “Integrated Safety and Security Risk Assessment Methods: A Survey of Key Characteristics and Applications”.
    S. Chockalingam, D. Hadziosmanovic, W. Pieters, A. M. H. Teixeira, and P. van Gelder.
    in Crit. Inf. Infrastructures Secur. CRITIS 2016. Lect. Notes Comput. Sci., G. Havarneanu, R. Setola, H. Nassopoulos, and S. Wolthusen, Eds. Springer, Cham, 2017, pp. 50–62

    ABS BIB
    Over the last years, we have seen several security incidents that compromised system safety, of which some caused physical harm to people. Meanwhile, various risk assessment methods have been developed that integrate safety and security, and these could help to address the corresponding threats by implementing suitable risk treatment plans. However, an overarching overview of these methods, systematizing the characteristics of such methods, is missing. In this paper, we conduct a systematic literature review, and identify 7 integrated safety and security risk assessment methods. We analyze these methods based on 5 different criteria, and identify key characteristics and applications. A key outcome is the distinction between sequential and non-sequential integration of safety and security, related to the order in which safety and security risks are assessed. This study provides a basis for developing more effective integrated safety and security risk assessment methods in the future.
    @incollection{Chockalingam2017,
      archiveprefix = {arXiv},
      author = {Chockalingam, Sabarathinam and Hadziosmanovic, Dina and Pieters, Wolter and Teixeira, Andre M. H. and van Gelder, Pieter},
      booktitle = {Crit. Inf. Infrastructures Secur. CRITIS 2016. Lect. Notes Comput. Sci.},
      doi = {10.1007/978-3-319-71368-7_5},
      editor = {Havarneanu, G. and Setola, R. and Nassopoulos, H. and Wolthusen, S.},
      eprint = {1707.02140},
      isbn = {9783319713670},
      issn = {16113349},
      keywords = {Integrated safety and security risk assessment,Risk analysis,Risk evaluation,Risk identification,Safety risk assessment,Security risk assessment},
      month = oct,
      pages = {50--62},
      publisher = {Springer, Cham},
      title = {Integrated Safety and Security Risk Assessment Methods: A Survey of Key Characteristics and Applications},
      year = {2017}
    }
  9. “Voltage Control in Distributed Generation under Measurement Falsification Attacks”.
    M. Ma, A. M. H. Teixeira, J. van den Berg, and P. Palensky.
    IFAC-PapersOnLine, vol. 50, no. 1, pp. 8379–8384, Jul. 2017

    Low-voltage distribution grids experience a rising penetration of inverter-based, distributed generation. In order to not only contribute to but also solve voltage problems, these inverters are increasingly asked to participate in intelligent grid controls. Communicating inverters implement distributed voltage droop controls. The impact of cyber-attacks to the stability of such distributed grid controls is poorly researched and therefore addressed in this article. We characterize the potential impact of several attack scenarios by employing the positivity and diagonal dominance properties. In particular, we discuss measurement falsification scenarios where the attacker corrupts voltage measurement data received by the voltage droop controllers. Analytical, control-theoretic methods for assessing the impact on system stability and voltage magnitude are presented and validated via simulation.
    @article{Ma2017,
      author = {Ma, Mingxiao and Teixeira, Andr{\'{e}} M. H. and van den Berg, Jan and Palensky, Peter},
      doi = {10.1016/j.ifacol.2017.08.1562},
      issn = {24058963},
      journal = {IFAC-PapersOnLine},
      keywords = {Cyber security,distribution network,risk assessment,stability,voltage control},
      month = jul,
      number = {1},
      pages = {8379--8384},
      title = {Voltage Control in Distributed Generation under Measurement Falsification Attacks},
      volume = {50},
      year = {2017}
    }

2016

  1. “Combined data integrity and availability attacks on state estimation in cyber-physical power grids”.
    K. Pan, A. M. H. Teixeira, M. Cvetkovic, and P. Palensky.
    IEEE Int. Conf. Smart Grid Commun., Sydney, Australia, 2016, pp. 271–277

    © 2016 IEEE. This paper introduces combined data integrity and availability attacks to expand the attack scenarios against power system state estimation. The goal of the adversary, who uses the combined attack, is to perturb the state estimates while remaining hidden from the observer. We propose security metrics that quantify vulnerability of power grids to combined data attacks under single and multi-path routing communication models. In order to evaluate the proposed security metrics, we formulate them as mixed integer linear programming (MILP) problems. The relation between the security metrics of combined data attacks and pure data integrity attacks is analyzed, based on which we show that, when data availability and data integrity attacks have the same cost, the two metrics coincide. When data availability attacks have a lower cost than data integrity attacks, we show that a combined data attack could be executed with less attack resources compared to pure data integrity attacks. Furthermore, it is shown that combined data attacks would bypass integrity-focused mitigation schemes. These conclusions are supported by the results obtained on a power system model with and without a communication model with single or multi-path routing.
    @inproceedings{Pan2016,
      address = {Sydney, Australia},
      author = {Pan, Kaikai and Teixeira, Andre M H and Cvetkovic, Milos and Palensky, Peter},
      booktitle = {IEEE Int. Conf. Smart Grid Commun.},
      doi = {10.1109/SmartGridComm.2016.7778773},
      isbn = {978-1-5090-4075-9},
      month = nov,
      pages = {271--277},
      title = {Combined data integrity and availability attacks on state estimation in cyber-physical power grids},
      year = {2016}
    }
  2. “Cyber-Physical-Security Framework for Building Energy Management System”.
    K. Paridari et al.
    ACM/IEEE 7th Int. Conf. Cyber-Physical Syst. ICCPS, Vienna, Austria, 2016

    © 2016 IEEE. Energy management systems (EMS) are used to control energy usage in buildings and campuses, by employing technologies such as supervisory control and data acquisition (SCADA) and building management systems (BMS), in order to provide reliable energy supply and maximise user comfort while minimising energy usage. Historically, EMS systems were installed when potential security threats were only physical. Nowadays, EMS systems are connected to the building network and as a result directly to the outside world. This extends the attack surface to potential sophisticated cyber-attacks, which adversely impact EMS operation, resulting in service interruption and downstream financial implications. Currently, the security systems that detect attacks operate independently to those which deploy resiliency policies and use very basic methods. We propose a novel EMS cyber-physical-security framework that executes a resilient policy whenever an attack is detected using security analytics. In this framework, both the resilient policy and the security analytics are driven by EMS data, where the physical correlations between the data-points are identified to detect outliers and then the control loop is closed using an estimated value in place of the outlier. The framework has been tested using a reduced order model of a real EMS site.
    @inproceedings{Paridari2016a,
      address = {Vienna, Austria},
      author = {Paridari, K. and Mady, A.E.-D. and {La Porta}, S. and Chabukswar, R. and Blanco, J. and Teixeira, A. M. H. and Sandberg, H. and Boubekeur, M.},
      booktitle = {ACM/IEEE 7th Int. Conf. Cyber-Physical Syst. ICCPS},
      doi = {10.1109/ICCPS.2016.7479072},
      isbn = {9781509017720},
      keywords = {Cyber-physical-security,energy management system,resilient control,security analytics,virtual sensor},
      title = {Cyber-Physical-Security Framework for Building Energy Management System},
      year = {2016}
    }
  3. “Cybersecurity as a Politikum”.
    L. Fichtner, W. Pieters, and A. Teixeira.
    Proc. 2016 New Secur. Paradig. Work. NSPW, Granby, CO, USA, 2016, vol. 26-29-Sept, pp. 36–48

    © 2016 ACM. In the cybersecurity community it is common to think of security as a design feature for systems and infrastructures that may be difficult to balance with other requirements. What is less studied is how security requirements come about, for which reasons, and what their influence is on the actions the system facilitates. Security is for example often used as an argument for or against granting access rights that are of importance to stakeholders, such as in the discussion on counterterrorism and privacy. This paper argues that the ongoing politicization of security issues calls for a paradigm to study cybersecurity as a Politikum: a matter of political concern, embedded in existing and future infrastructures. We summarize literature which inspired this paper and explain the role of security arguments for infrastructure governance. Then we outline the new paradigm and its core concepts and contribution, including the notion of framing. Finally, we present discourse analysis and infrastructure ethnography as research methods and discuss cases in which discourses (may) shape infrastructures, in particular smart cities.
    @inproceedings{Fichtner2016,
      address = {Granby, CO, USA},
      author = {Fichtner, Laura and Pieters, Wolter and Teixeira, Andr{\'{e}}},
      booktitle = {Proc. 2016 New Secur. Paradig. Work. NSPW},
      doi = {10.1145/3011883.3011887},
      isbn = {9781450348133},
      keywords = {Discourse analysis,Framing,Infrastructure ethnography,Securitization,Security arguments,Security politics,Threat models},
      pages = {36--48},
      title = {Cybersecurity as a Politikum},
      volume = {26-29-Sept},
      year = {2016}
    }
  4. “Fault Detection and Diagnosis for Compliance Monitoring in International Supply Chains”.
    Y. Wang et al.
    22nd Am. Conf. Inf. Syst., San Diego, CA, USA, 2016

    Currently international supply chains are facing risks concerning faults in compliance, such as altering shipping documentations, fictitious inventory, and inter-company manipulations. In this paper a method to detect and diagnose fault scenarios regarding customs compliance in supply chains is proposed. This method forms part of a general approach called model-based auditing, which is based on a normative meta-model of the movement of money and goods or services. The modeling framework is proposed on compliance monitoring of supply chains with focus on information systems and compliance reporting tools. The innovation lies in the application and mapping of modeling techniques from dynamical systems engineering to business process analysis for audit and supervision purposes. Specifically, the application domain is where money, goods as well as information are transferred between international supply chain partners. A case study of a leading company in electronics manufacturing applying the model is analyzed.
    @inproceedings{Wang2016,
      address = {San Diego, CA, USA},
      author = {Wang, Yuxin and Teixeira, Andr{\'{e}} A.H. and Tian, Yifu and Hulstijn, Joris and Tan, Yao-Hua Y.-H. and Teixeira, Andr{\'{e}} A.H. and Hulstijn, Joris and Tan, Yao-Hua Y.-H.},
      booktitle = {22nd Am. Conf. Inf. Syst.},
      month = aug,
      title = {Fault Detection and Diagnosis for Compliance Monitoring in International Supply Chains},
      year = {2016}
    }
  5. “From control system security indices to attack identifiability”.
    H. Sandberg and A. M. H. Teixeira.
    2016 Sci. Secur. Cyber-Physical Syst. Work., Vienna, Austria, 2016, pp. 1–6

    © 2016 IEEE. In this paper, we investigate detectability and identifiability of attacks on linear dynamical systems that are subjected to external disturbances. We generalize a concept for a security index, which was previously introduced for static systems. The index exactly quantifies the resources necessary for targeted attacks to be undetectable and unidentifiable in the presence of disturbances. This information is useful for both risk assessment and for the design of anomaly detectors. Finally, we show how techniques from the fault detection literature can be used to decouple disturbances and to identify attacks, under certain sparsity constraints.
    @inproceedings{Sandberg2016,
      address = {Vienna, Austria},
      author = {Sandberg, Henrik and Teixeira, Andre M.H. A.M.H.},
      booktitle = {2016 Sci. Secur. Cyber-Physical Syst. Work.},
      doi = {10.1109/SOSCYPS.2016.7580001},
      isbn = {978-1-5090-4304-0},
      month = apr,
      pages = {1--6},
      title = {From control system security indices to attack identifiability},
      year = {2016}
    }

2015

  1. “A secure control framework for resource-limited adversaries”.
    A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson.
    Automatica, vol. 51, no. 1, pp. 135–148, 2015

    Cyber-secure networked control is modeled, analyzed, and experimentally illustrated in this paper. An attack space defined by the adversary’s model knowledge, disclosure, and disruption resources is introduced. Adversaries constrained by these resources are modeled for a networked control system architecture. It is shown that attack scenarios corresponding to denial-of-service, replay, zero-dynamics, and bias injection attacks on linear time-invariant systems can be analyzed using this framework. Furthermore, the attack policy for each scenario is described and the attack’s impact is characterized using the concept of safe sets. An experimental setup based on a quadruple-tank process controlled over a wireless network is used to illustrate the attack scenarios, their consequences, and potential counter-measures.
    @article{Teixeira_Automatica2015,
      archiveprefix = {arXiv},
      author = {Teixeira, Andr{\'{e}} and Shames, Iman and Sandberg, Henrik and Johansson, Karl Henrik},
      doi = {10.1016/j.automatica.2014.10.067},
      eprint = {1212.0226},
      isbn = {0005-1098},
      issn = {00051098},
      journal = {Automatica},
      keywords = {Attack space,Cyber-physical systems,Secure control systems,System security},
      number = {1},
      pages = {135--148},
      title = {A secure control framework for resource-limited adversaries},
      volume = {51},
      year = {2015}
    }
  2. “Cyber-Secure and Resilient Architectures for Industrial Control Systems”.
    A. Teixeira, F. Kupzog, H. Sandberg, and K. H. Johansson.
    in Smart Grid Secur. Innov. Solut. a Mod. Grid, Florian Skopik and Paul Smith, Ed. Elsevier Science Publishing Co Inc, 2015, pp. 149–183

    In this chapter, we survey cyber security solutions for control and monitoring systems that are used to manage the Smart Grid. We start with a short review of the history and use of Industrial Control Systems (ICSs) and Supervisory Control and Data Acquisition (SCADA) systems, and how cyber security in control systems has recently become a major concern, in the wake of the Stuxnet and other recently discovered malware. We follow up with surveying information technology and control-centric security tools that can be used to improve the resilience of industrial control systems. Feedback control loops are core components in the Smart Grid, as they enable the maximal utilization of the physical infrastructure and its resources. As the number of control loops in the Smart Grid increases, the cyber security challenges faced by ICSs become increasingly important within the Smart Grid’s context. To highlight such novel challenges, we give an overview of the envisioned control loops in future Smart Grids, and discuss the potential impact of cyber threats targeting critical Smart Grid functionalities. As a case study, false-data injection attacks on power transmission networks are considered. The level of resilience to such attacks is assessed through a control-centric risk assessment methodology, which is also used for allocating the deployment of more modern and secure equipment. The chapter ends with a discussion of future research challenges in the area.
    @incollection{Teixeira_BC2015,
      author = {Teixeira, Andr{\'{e}} and Kupzog, Friederich and Sandberg, Henrik and Johansson, Karl H.},
      booktitle = {Smart Grid Secur. Innov. Solut. a Mod. Grid},
      doi = {10.1016/B978-0-12-802122-4.00006-7},
      editor = {{Florian Skopik and Paul Smith}},
      isbn = {9780128023549},
      keywords = {Industrial Control Systems,Resilient Control,Risk Assessment,Security},
      pages = {149--183},
      publisher = {Elsevier Science Publishing Co Inc},
      title = {Cyber-Secure and Resilient Architectures for Industrial Control Systems},
      year = {2015}
    }
  3. “Secure Control Systems: A Quantitative Risk Management Approach”.
    A. Teixeira, K. Sou, H. Sandberg, and K. Johansson.
    IEEE Control Syst. Mag., vol. 35, no. 1, pp. 24–45, 2015

    @article{Teixeira_CSM_2015,
      author = {Teixeira, A and Sou, K and Sandberg, H and Johansson, K},
      doi = {10.1109/MCS.2014.2364709},
      journal = {IEEE Control Syst. Mag.},
      keywords = {Communication networks;Computer crime;Computer sec},
      number = {1},
      pages = {24--45},
      title = {Secure Control Systems: A Quantitative Risk Management Approach},
      volume = {35},
      year = {2015}
    }
  4. “Strategic stealthy attacks: The output-to-output ℓ2-gain”.
    A. Teixeira, H. Sandberg, and K. H. Johansson.
    Proc. IEEE Conf. Decis. Control, Osaka, Japan, 2015, vol. 54rd IEEE, pp. 2582–2587

    © 2015 IEEE. In this paper, we characterize and analyze the set of strategic stealthy false-data injection attacks on discrete-time linear systems. In particular, the threat scenarios tackled in the paper consider adversaries that aim at deteriorating the system’s performance by maximizing the corresponding quadratic cost function, while remaining stealthy with respect to anomaly detectors. As opposed to other work in the literature, the effect of the adversary’s actions on the anomaly detector’s output is not constrained to be zero at all times. Moreover, scenarios where the adversary has uncertain model knowledge are also addressed. The set of strategic attack policies is formulated as a non-convex constrained optimization problem, leading to a sensitivity metric denoted as the output-to-output ℓ2-gain. Using the framework of dissipative systems, the output-to-output gain is computed through an equivalent convex optimization problem. Additionally, we derive necessary and sufficient conditions for the output-to-output gain to be unbounded, with and without model uncertainties, which are tightly related to the invariant zeros of the system.
    @inproceedings{Teixeira_CDC2015,
      address = {Osaka, Japan},
      author = {Teixeira, Andre and Sandberg, Henrik and Johansson, Karl H.},
      booktitle = {Proc. IEEE Conf. Decis. Control},
      doi = {10.1109/CDC.2015.7402605},
      isbn = {9781479978861},
      issn = {07431546},
      pages = {2582--2587},
      title = {Strategic stealthy attacks: The output-to-output ℓ2-gain},
      volume = {54rd IEEE},
      year = {2015}
    }
  5. “Voltage control for interconnected microgrids under adversarial actions”.
    A. Teixeira, K. Paridari, H. Sandberg, and K. H. Johansson.
    2015 IEEE 20th Conf. Emerg. Technol. Fact. Autom., Luxembourg, 2015, pp. 1–8

    © 2015 IEEE. In this paper, we study the impact of adversarial actions on voltage control schemes in interconnected microgrids. Each microgrid is abstracted as a power inverter that can be controlled to regulate its voltage magnitude and phase-angle independently. Moreover, each power inverter is modeled as a single integrator, whose input is given by a voltage droop-control policy that is computed based on voltage magnitude and reactive power injection measurements. Under mild assumptions, we then establish important properties of the nominal linearized closed-loop system, such as stability, positivity, and diagonal dominance. These properties play an important role when characterizing the potential impact of different attack scenarios. In particular, we discuss two attack scenarios where the adversary corrupts measurement data and reference signals received by the voltage droop controllers. The potential impact of instances of each scenario is analyzed using control-theoretic tools, which may be used to develop methodologies for identifying high-risk attack scenarios, as is illustrated by numerical examples.
    @inproceedings{Teixeira_ETFA2015,
      address = {Luxembourg},
      author = {Teixeira, Andre and Paridari, Kaveh and Sandberg, Henrik and Johansson, K.H. Karl H.},
      booktitle = {2015 IEEE 20th Conf. Emerg. Technol. Fact. Autom.},
      doi = {10.1109/ETFA.2015.7301476},
      isbn = {978-1-4673-7929-8},
      issn = {1946-0740},
      keywords = {Inverters,Microgrids,Power system dynamics,Power system stability,Stability analysis,Voltage control,Voltage measurement},
      month = sep,
      pages = {1--8},
      title = {Voltage control for interconnected microgrids under adversarial actions},
      year = {2015}
    }

2014

  1. “A down-sampled controller to reduce network usage with guaranteed closed-loop performance”.
    J. Araújo, A. Teixeira, E. Henriksson, and K. H. Johansson.
    IEEE Conf. Decis. Control, Los Angeles, CA, USA, 2014, no. February, pp. 6849–6856

    © 2014 IEEE. We propose and evaluate a down-sampled controller which reduces the network usage while providing a guaranteed desired linear quadratic control performance. This method is based on fast and slow sampling intervals, as the closed-system benefits by being brought quickly to steady-state conditions while behaving satisfactorily when being actuated at a slow rate once at those conditions. This mechanism is shown to provide large savings with respect to network usage when compared to traditional periodic time-triggered control and other aperiodic controllers proposed in the literature.
    @inproceedings{Araujo_CDC2014,
      address = {Los Angeles, CA, USA},
      author = {Ara{\'{u}}jo, Jos{\'{e}} and Teixeira, Andre and Henriksson, Erik and Johansson, Karl H.},
      booktitle = {IEEE Conf. Decis. Control},
      doi = {10.1109/CDC.2014.7040465},
      isbn = {9781467360883},
      issn = {07431546},
      number = {February},
      pages = {6849--6856},
      title = {A down-sampled controller to reduce network usage with guaranteed closed-loop performance},
      year = {2014}
    }
  2. “Distributed Fault Detection and Isolation Resilient to Network Model Uncertainties”.
    A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson.
    IEEE Trans. Cybern., vol. 44, no. 11, pp. 2024–2037, 2014

    @article{Teixeira_Cyb_2014,
      author = {Teixeira, A and Shames, I and Sandberg, H and Johansson, K H},
      doi = {10.1109/TCYB.2014.2350335},
      journal = {IEEE Trans. Cybern.},
      number = {11},
      pages = {2024--2037},
      title = {Distributed Fault Detection and Isolation Resilient to Network Model Uncertainties},
      volume = {44},
      year = {2014}
    }
  3. “Gaussian cheap talk game with quadratic cost functions: When herding between strategic senders is a virtue”.
    F. Farokhi, A. M. H. Teixeira, and C. Langbort.
    Am. Control Conf., Portland, OR, USA, 2014, pp. 2267–2272

    @inproceedings{Farokhi_ACC2014,
      address = {Portland, OR, USA},
      author = {Farokhi, F and Teixeira, A M H and Langbort, C},
      booktitle = {Am. Control Conf.},
      doi = {10.1109/ACC.2014.6859123},
      month = jun,
      pages = {2267--2272},
      title = {Gaussian cheap talk game with quadratic cost functions: When herding between strategic senders is a virtue},
      year = {2014}
    }
  4. “Security of smart distribution grids: Data integrity attacks on integrated volt/VAR control and countermeasures”.
    A. Teixeira, G. Dán, H. Sandberg, R. Berthier, R. B. Bobba, and A. Valdes.
    Am. Control Conf., Portland, OR, USA, 2014, pp. 4372–4378

    @inproceedings{Teixeira_ACC2014,
      address = {Portland, OR, USA},
      author = {Teixeira, A and D{\'{a}}n, G and Sandberg, H and Berthier, R and Bobba, R B and Valdes, A},
      booktitle = {Am. Control Conf.},
      doi = {10.1109/ACC.2014.6859265},
      month = jun,
      pages = {4372--4378},
      title = {Security of smart distribution grids: Data integrity attacks on integrated volt/{VAR} control and countermeasures},
      year = {2014}
    }
  5. “Toward Cyber-Secure and Resilient Networked Control Systems”.
    A. M. H. Teixeira.
    PhD thesis, KTH Royal Institute of Technology, Stockholm, Sweden, 2014

    @phdthesis{Teixeira_PhD2014,
      author = {Teixeira, Andr\'{e} M. H.},
      title = {Toward Cyber-Secure and Resilient Networked Control Systems},
      school = {KTH Royal Institute of Technology},
      year = {2014},
      address = {Stockholm, Sweden},
      month = nov
    }

2013

  1. “Distributed actuator reconfiguration in networked control systems”.
    A. Teixeira, J. Araújo, H. Sandberg, and K. H. Johansson.
    4th IFAC Work. Distrib. Estim. Control Networked Syst., Koblenz, Germany, 2013

    @inproceedings{teixeirarecon13,
      address = {Koblenz, Germany},
      author = {Teixeira, A and Ara{\'{u}}jo, J and Sandberg, H and Johansson, K H},
      booktitle = {4th {IFAC} Work. Distrib. Estim. Control Networked Syst.},
      month = sep,
      title = {Distributed actuator reconfiguration in networked control systems},
      year = {2013}
    }
  2. “Quantifying Cyber-Security for Networked Control Systems”.
    A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson.
    in Control Cyber-Physical Syst., no. 449, D. C. Tarraf, Ed. Springer International Publishing, 2013, pp. 123–142

    @incollection{Teixeira_Springer2013,
      author = {Teixeira, A and Sou, K C and Sandberg, H and Johansson, K H},
      booktitle = {Control Cyber-Physical Syst.},
      editor = {Tarraf, Danielle C},
      number = {449},
      pages = {123--142},
      publisher = {Springer International Publishing},
      series = {Lecture Notes in Control and Information Sciences},
      title = {Quantifying Cyber-Security for Networked Control Systems},
      year = {2013}
    }

2012

  1. “Agents Misbehaving in a Network: a Vice or a Virtue?”.
    I. Shames, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    IEEE Netw. Mag., vol. 26, no. 3, pp. 35–40, 2012

    Misbehaviors among the agents in a network might be intentional or unintentional, they might cause a system-wide failure or they might improve the performance or even enable us to achieve an objective. In this article we consider examples of these possible scenarios. First, we argue the necessity of monitoring the agents in a network to detect if they are misbehaving or not and outline a distributed method in which each agent monitors its neighbors for any sign of misbehavior. Later, we focus on solving the problem of distributed leader selection via forcing the agents to temporarily misbehave, and introduce an algorithm that enables the agents in a network to select their leader without any interference from the outside of the network. © 2012 IEEE.
    @article{Shames_NM2012,
      author = {Shames, I. and Teixeira, A.M.H. and Sandberg, H. and Johansson, K.H. H},
      doi = {10.1109/MNET.2012.6201214},
      issn = {08908044},
      journal = {{IEEE} Netw. Mag.},
      number = {3},
      pages = {35--40},
      title = {Agents Misbehaving in a Network: a Vice or a Virtue?},
      volume = {26},
      year = {2012}
    }
  2. “Attack models and scenarios for networked control systems”.
    A. Teixeira, D. Pérez, H. Sandberg, and K. H. Johansson.
    Proc. 1st Int. Conf. High Confid. Networked Syst. - HiCoNS ’12, Beijing, China, 2012, pp. 55–64

    Cyber-secure networked control is modeled, analyzed, and experimentally illustrated in this paper. An attack space defined by the adversary’s system knowledge, disclosure, and disruption resources is introduced. Adversaries constrained by these resources are modeled for a networked control system architecture. It is shown that attack scenarios corresponding to replay, zero dynamics, and bias injection attacks can be analyzed using this framework. An experimental setup based on a quadruple-tank process controlled over a wireless network is used to illustrate the attack scenarios, their consequences, and potential counter-measures.
    @inproceedings{kn:Teixeira_HICONS2012,
      address = {Beijing, China},
      author = {Teixeira, Andr{\'{e}} and P{\'{e}}rez, Daniel and Sandberg, Henrik and Johansson, Karl Henrik},
      booktitle = {Proc. 1st Int. Conf. High Confid. Networked Syst. - HiCoNS '12},
      doi = {10.1145/2185505.2185515},
      isbn = {9781450312639},
      issn = {00375675},
      pages = {55--64},
      title = {Attack models and scenarios for networked control systems},
      year = {2012}
    }
  3. “Cyber-security of SCADA systems”.
    G. Andersson et al.
    IEEE PES Innov. Smart Grid Technol., Washington, DC, USA, 2012, pp. 1–2

    @inproceedings{Andersson_2012,
      address = {Washington, DC, USA},
      author = {Andersson, G and Esfahani, P M and Vrakopoulou, M and Margellos, K and Lygeros, J and Teixeira, A and Dan, G and Sandberg, H and Johansson, K H},
      booktitle = {IEEE PES Innov. Smart Grid Technol.},
      doi = {10.1109/ISGT.2012.6175543},
      pages = {1--2},
      title = {Cyber-security of SCADA systems},
      year = {2012}
    }
  4. “Distributed Fault Detection and Isolation with Imprecise Network Models”.
    I. Shames, A. Teixeira, H. Sandberg, and K. H. Johansson.
    Am. Control Conf., Montreal, Canada, 2012

    @inproceedings{kn:Shames2012_ACC,
      address = {Montreal, Canada},
      author = {Shames, I and Teixeira, A and Sandberg, H and Johansson, K H},
      booktitle = {Am. Control Conf.},
      month = jun,
      title = {Distributed Fault Detection and Isolation with Imprecise Network Models},
      year = {2012}
    }
  5. “Fault Detection and Mitigation in Kirchhoff Networks”.
    I. Shames, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    IEEE Signal Process. Lett., vol. 19, no. 11, pp. 749–752, Nov. 2012

    @article{Shames_SPL2012,
      author = {Shames, I and Teixeira, A M H and Sandberg, H and Johansson, K H},
      doi = {10.1109/LSP.2012.2217328},
      journal = {{IEEE} Signal Process. Lett.},
      month = nov,
      number = {11},
      pages = {749--752},
      title = {Fault Detection and Mitigation in Kirchhoff Networks},
      volume = {19},
      year = {2012}
    }
  6. “Optimal power flow: closing the loop over corrupted data”.
    A. Teixeira, H. Sandberg, G. Dán, and K. H. Johansson.
    Am. Control Conf., Montreal, Canada, 2012

    @inproceedings{kn:Teixeira_ACC2012,
      address = {Montreal, Canada},
      author = {Teixeira, A and Sandberg, H and D{\'{a}}n, G and Johansson, K H},
      booktitle = {Am. Control Conf.},
      title = {Optimal power flow: closing the loop over corrupted data},
      year = {2012}
    }
  7. “Revealing Stealthy Attacks in Control Systems”.
    A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson.
    50th Annu. Allert. Conf. Commun. Control. Comput., Monticello, IL, USA, 2012

    In this paper the problem of revealing stealthy data-injection attacks on control systems is addressed. In particular we consider the scenario where the attacker performs zero-dynamics attacks on the system. First, we characterize and analyze the stealthiness properties of these attacks for linear time-invariant systems. Then we tackle the problem of detecting such attacks by modifying the system’s structure. Our results provide necessary and sufficient conditions that the modifications should satisfy in order to detect the zero-dynamics attacks. The results and proposed detection methods are illustrated through numerical examples. © 2012 IEEE.
    @inproceedings{Teixeira_Allerton2012,
      address = {Monticello, IL, USA},
      author = {Teixeira, A. and Shames, I. and Sandberg, H. and Johansson, K.H. H},
      booktitle = {50th Annu. Allert. Conf. Commun. Control. Comput.},
      doi = {10.1109/Allerton.2012.6483441},
      isbn = {9781467345385},
      title = {Revealing Stealthy Attacks in Control Systems},
      year = {2012}
    }

2011

  1. “Cyber security study of a SCADA energy management system: stealthy deception attacks on the state estimator”.
    A. Teixeira, G. Dán, H. Sandberg, and K. H. Johansson.
    18th IFAC World Congr., Milano, Italy, 2011

    @inproceedings{kn:Teixeira2011,
      address = {Milano, Italy},
      author = {Teixeira, A and D{\'{a}}n, G and Sandberg, H and Johansson, K H},
      booktitle = {18th {IFAC} World Congr.},
      title = {Cyber security study of a {SCADA} energy management system: stealthy deception attacks on the state estimator},
      year = {2011}
    }
  2. “Distributed Fault Detection for Interconnected Second-Order Systems”.
    I. Shames, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    Automatica, vol. 47, no. 12, pp. 2757–2764, 2011

    In this paper, the existence of unknown input observers for networks of interconnected second-order linear time-invariant systems is studied. Two classes of distributed control systems of large practical relevance are considered. It is proved that for these systems, one can construct a bank of unknown input observers, and use them to detect and isolate faults in the network. The result presents a distributed implementation. In particular, by exploiting the system structure, this work provides further insight into the design of UIO for networked systems. Moreover, the importance of certain network measurements is shown. Infeasibility results with respect to available measurements and faults are also provided, as well as methods to remove faulty agents from the network. Applications to power networks and robotic formations are presented. It is shown how the developed methodology applies to a power network described by the swing equation with a faulty bus. For a multi-robot system, it is illustrated how a faulty robot can be detected and removed. © 2011 Elsevier Ltd. All rights reserved.
    @article{Shamesetal-automatica-11,
      author = {Shames, I. and Teixeira, A.M.H. and Sandberg, H. and Johansson, K.H.},
      doi = {10.1016/j.automatica.2011.09.011},
      issn = {00051098},
      journal = {Automatica},
      keywords = {Distributed algorithm,Distributed detection,Fault detection and isolation},
      number = {12},
      pages = {2757--2764},
      title = {Distributed Fault Detection for Interconnected Second-Order Systems},
      volume = {47},
      year = {2011}
    }

2010

  1. “Cyber Security Analysis of State Estimators in Electric Power Systems”.
    A. Teixeira, S. Amin, H. Sandberg, K. H. Johansson, and S. S. Sastry.
    49th IEEE Conf. Decis. Control, Atlanta, GA, USA, 2010

    In this paper, we analyze the cyber security of state estimators in Supervisory Control and Data Acquisition (SCADA) systems operating in power grids. Safe and reliable operation of these critical infrastructure systems is a major concern in our society. In current state estimation algorithms there are bad data detection (BDD) schemes to detect random outliers in the measurement data. Such schemes are based on high measurement redundancy. Although such methods may detect a set of very basic cyber attacks, they may fail in the presence of a more intelligent attacker. We explore the latter by considering scenarios where deception attacks are performed, sending false information to the control center. Similar attacks have been studied before for linear state estimators, assuming the attacker has perfect model knowledge. Here we instead assume the attacker only possesses a perturbed model. Such a model may correspond to a partial model of the true system, or even an outdated model. We characterize the attacker by a set of objectives, and propose policies to synthesize stealthy deception attacks, both in the case of linear and nonlinear estimators. We show that the more accurate the model the attacker has access to, the larger the deception attack he can perform undetected. Specifically, we quantify trade-offs between model accuracy and possible attack impact for different BDD schemes. The developed tools can be used to further strengthen and protect the critical state-estimation component in SCADA systems. © 2010 IEEE.
    @inproceedings{kn:Teixeira10,
      address = {Atlanta, GA, USA},
      author = {Teixeira, A. and Amin, S. and Sandberg, H. and Johansson, K.H. H and Sastry, S.S. S},
      booktitle = {49th {IEEE} Conf. Decis. Control},
      doi = {10.1109/CDC.2010.5717318},
      isbn = {9781424477456},
      issn = {01912216},
      month = dec,
      title = {Cyber Security Analysis of State Estimators in Electric Power Systems},
      year = {2010}
    }
  2. “Distributed Fault Detection for Interconnected Second-Order Systems with Applications to Power Networks”.
    I. Shames, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    First Work. Secur. Control Syst. CPSWeek, Stockholm, Sweden, 2010

    @inproceedings{Shamesetal_SCS_10,
      address = {Stockholm, Sweden},
      author = {Shames, I and Teixeira, A M H and Sandberg, H and Johansson, K H},
      booktitle = {First Work. Secur. Control Syst. CPSWeek},
      month = apr,
      title = {Distributed Fault Detection for Interconnected Second-Order Systems with Applications to Power Networks},
      year = {2010}
    }
  3. “Networked control systems under cyber attacks with applications to power networks”.
    A. Teixeira, H. Sandberg, and K. H. Johansson.
    Am. Control Conf., Baltimore, MD, 2010, pp. 3690–3696

    @inproceedings{Teixeira_ACC2010,
      address = {Baltimore, MD},
      author = {Teixeira, Andre and Sandberg, H and Johansson, K H},
      booktitle = {Am. Control Conf.},
      doi = {10.1109/ACC.2010.5530638},
      isbn = {978-1-4244-7427-1},
      month = jun,
      pages = {3690--3696},
      title = {Networked control systems under cyber attacks with applications to power networks},
      year = {2010}
    }
  4. “On security indices for state estimators in power networks”.
    H. Sandberg, A. Teixeira, and K. H. Johansson.
    First Work. Secur. Control Syst. CPSWeek, Stockholm, Sweden, 2010

    @inproceedings{kn:Sandberg10,
      address = {Stockholm, Sweden},
      author = {Sandberg, H and Teixeira, A and Johansson, K H},
      booktitle = {First Work. Secur. Control Syst. CPSWeek},
      month = apr,
      title = {On security indices for state estimators in power networks},
      year = {2010}
    }