Publications

(See also the personal webpage of our group members)

Group highlights

(For a full list of publications, see below, and see also the personal webpage of our group members)

Safety, Security and Privacy for Cyber-Physical Systems

This book presents an in-depth overview of recent work related to the safety, security, and privacy of cyber-physical systems (CPSs). It brings together contributions from leading researchers in networked control systems and closely related fields to discuss overarching aspects of safety, security, and privacy; characterization of attacks; and solutions to detecting and mitigating such attacks.
The book begins by providing an insightful taxonomy of problems, challenges and techniques related to safety, security, and privacy for CPSs. It then moves through a thorough discussion of various control-based solutions to these challenges, including cooperative fault-tolerant and resilient control and estimation, detection of attacks and security metrics, watermarking and encrypted control, privacy and a novel defense approach based on deception. The book concludes by discussing risk management and cyber-insurance challenges in CPSs, and by presenting the future outlook for this area of research as a whole.
Its wide-ranging collection of varied works in the emerging fields of security and privacy in networked control systems makes this book a benefit to both academic researchers and advanced practitioners interested in implementing diverse applications in the fields of IoT, cooperative autonomous vehicles and the smart cities of the future.

Riccardo M. G. Ferrari and André M. H. Teixeira (Eds)

Lecture Notes in Control and Information Sciences (LNCIS, volume 486), Springer International Publishing, (2021)

 

List of Publications

2022

  1. “Detection of Bias Injection Attacks on the Glucose Sensor in the Artificial Pancreas Under Meal Disturbances”.
    F. E. Tosun, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    American Control Conference, Atlanta, Georgia, USA, 2022
  2. “Sequential Detection of Replay Attacks with a Parsimonious Watermarking Policy”.
    A. Naha, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    American Control Conference, Atlanta, Georgia, USA, 2022
  3. “Risk-averse controller design against data injection attacks on actuators for uncertain control systems”.
    S. C. Anand and A. M. H. Teixeira.
    American Control Conference, Atlanta, Georgia, USA, 2022

2021

  1. “An Online Kullback-Leibler Divergence-Based Stealthy Attack against Cyber-Physical Systems”.
    Q. Zhang, K. Liu, A. M. H. Teixeira, Y. Li, S. Chai, and Y. Xia.
    IEEE Trans. Automatic Control (Provisionally Accepted as Technical Note), 2021
  2. “Risk Assessment of Stealthy Attacks on Uncertain Control Systems”.
    S. C. Anand, A. M. H. Teixeira, and A. Ahlén.
    IEEE Trans. Automatic Control (Submitted), 2021 [Online]. Available at: https://arxiv.org/abs/2106.07071
  3. “Bayesian network model to distinguish between intentional attacks and accidental technical failures: a case study of floodgates”.
    S. Chockalingam, W. Pieters, A. M. H. Teixeira, and P. van Gelder.
    Cybersecurity, vol. 4, no. 29, 2021
  4. “Design of multiplicative watermarking against covert attacks”.
    A. J. Gallo, S. C. Anand, A. M. H. Teixeira, and R. M. G. Ferrari.
    IEEE Conf. Decision and Control, Austin, Texas, USA, 2021
  5. “Stealthy Cyber-Attack Design Using Dynamic Programming”.
    S. C. Anand and A. M. H. Teixeira.
    IEEE Conf. Decision and Control, Austin, Texas, USA, 2021
  6. “Deception Attack Detection Using Reduced Watermarking”.
    A. Naha, A. M. H. Teixeira, A. Ahlén, and S. Dey.
    Eur. Control Conf., Rotterdam, The Netherlands, 2021
  7. “Introduction to the Book”.
    R. M. G. Ferrari and A. M. H. Teixeira.
    in Safety, Security and Privacy for Cyber-Physical Systems, R. M. G. Ferrari and A. M. H. Teixeira, Eds. Cham: Springer International Publishing, 2021, pp. 1–8
  8. “Security Metrics for Control Systems”.
    A. M. H. Teixeira.
    in Safety, Security and Privacy for Cyber-Physical Systems, R. M. G. Ferrari and A. M. H. Teixeira, Eds. Cham: Springer International Publishing, 2021, pp. 1–8
  9. “Detection of Cyber-Attacks: A Multiplicative Watermarking Scheme”.
    R. M. G. Ferrari and A. M. H. Teixeira.
    in Safety, Security and Privacy for Cyber-Physical Systems, R. M. G. Ferrari and A. M. H. Teixeira, Eds. Cham: Springer International Publishing, 2021, pp. 1–8
  10. “A Game-Theoretic Approach to Covert Communications in the Presence of Multiple Colluding Wardens”.
    A. Arghavani, A. Ahlén, A. Teixeira, and S. Dey.
    2021 IEEE Wireless Communications and Networking Conference (WCNC), 2021, pp. 1–7
  11. “Privatized Distributed Anomaly Detection for Large-Scale Nonlinear Uncertain Systems”.
    V. Rostampour, R. M. G. Ferrari, A. M. H. Teixeira, and T. Keviczky.
    IEEE Trans. Automatic Control, vol. 66, no. 11, pp. 5299–5313, 2021

2020

  1. “Using different taxonomies to formulate learning outcomes to innovate engineering curriculum towards PBL: perspectives from engineering educators”.
    K. Staffas, S. Knorn, A. O. P. de C. Guerra, D. Varagnolo, and A. M. H. Teixeira.
    in Educate for the future: PBL, Sustainability and Digitalisation 2020, Aalborg Universitetsforlag, 2020, pp. 310–320
  2. “Computer-Aided Curriculum Analysis and Design: Existing Challenges and Open Research Directions”.
    A. M. H. Teixeira, A. O. P. D. C. Guerra, S. Knorn, K. Staffas, and D. Varagnolo.
    2020 IEEE Frontiers in Education Conference (FIE), 2020, pp. 1–9
  3. “A Switching Multiplicative Watermarking Scheme for Detection of Stealthy Cyber-Attacks”.
    R. Ferrari and A. M. H. Teixeira.
    IEEE Trans. Automatic Control, vol. 66, no. 6, pp. 2558–2573, 2020
  4. “Actuator Security Indices Based on Perfect Undetectability: Computation, Robustness, and Sensor Placement”.
    J. Milosevic, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    IEEE Trans. Automatic Control, vol. 65, no. 9, pp. 3816–3831, 2020
  5. “Joint controller and detector design against data injection attacks on actuators”.
    S. C. Anand and A. M. H. Teixeira.
    IFAC World Congress, Berlin, Germany, 2020
  6. “Privacy-preserving Continuous Tumour Relapse Monitoring Using In-body Radio Signals”.
    S. Hylamia et al.
    IEEE Workshop on the Internet of Safe Things (SafeThings), San Francisco, CA, USA, 2020

2019

  1. “Effects of Jamming Attacks on a Control System With Energy Harvesting”.
    S. Knorn and A. M. H. Teixeira.
    IEEE Control Systems Letters, vol. 3, no. 4, pp. 829–834, 2019
  2. “Creating a quantitative basis for course and program development in higher education - a report from field tests”.
    E. Fjällström et al.
    7th Dev. Conf. for Swedish Eng. Education, Luleå, Sweden, 2019
  3. “Optimal stealthy attacks on actuators for strictly proper systems”.
    A. M. H. Teixeira.
    IEEE Conf. Decision and Control, Nice, France, 2019
  4. “A Tutorial Introduction to Security and Privacy for Cyber-Physical Systems”.
    M. S. Chong, H. Sandberg, and A. M. H. Teixeira.
    Eur. Control Conf., Naples, Italy, 2019
  5. “Data Injection Attacks against Feedforward Controllers”.
    A. M. H. Teixeira.
    Eur. Control Conf., Naples, Italy, 2019
  6. “On the Confidentiality of Linear Anomaly Detector States”.
    D. Umsonst, E. Nekouei, A. M. H. Teixeira, and H. Sandberg.
    American Control Conf., Philadelphia, PA, USA, 2019
  7. “Cyber Risk Analysis of Combined Data Attacks Against Power System State Estimation”.
    K. Pan, A. M. H. Teixeira, M. Cvetkovic, and P. Palensky.
    IEEE Trans. Smart Grid, vol. 10, no. 3, pp. 3044–3056, May 2019

    Understanding smart grid cyber attacks is key for developing appropriate protection and recovery measures. Advanced attacks pursue maximized impact at minimized costs and detectability. This paper conducts risk analysis of combined data integrity and availability attacks against the power system state estimation. We compare the combined attacks with pure integrity attacks - false data injection (FDI) attacks. A security index for vulnerability assessment to these two kinds of attacks is proposed and formulated as a mixed integer linear programming problem. We show that such combined attacks can succeed with fewer resources than FDI attacks. The combined attacks with limited knowledge of the system model also expose advantages in keeping stealth against the bad data detection. Finally, the risk of combined attacks to reliable system operation is evaluated using the results from vulnerability assessment and attack impact analysis. The findings in this paper are validated and supported by a detailed case study.

2018

  1. “Combining Bayesian Networks and Fishbone Diagrams to Distinguish between Intentional Attacks and Accidental Technical Failures”.
    S. Chockalingam, A. M. H. Teixeira, W. Pieters, N. Khakzad, and P. van Gelder.
    Proc. 5th Int. Work. Graph. Model. Secur., Oxford, UK, 2018

    Because of modern societies’ dependence on industrial control systems, adequate response to system failures is essential. In order to take appropriate measures, it is crucial for operators to be able to distinguish between intentional attacks and accidental technical failures. However, adequate decision support for this matter is lacking. In this paper, we use Bayesian Networks (BNs) to distinguish between intentional attacks and accidental technical failures, based on contributory factors and observations (or test results). To facilitate knowledge elicitation, we use extended fishbone diagrams for discussions with experts, and then translate those into the BN formalism. We demonstrate the methodology using an example in a case study from the water management domain.

  2. “Detection of Sensor Data Injection Attacks with Multiplicative Watermarking”.
    A. M. H. Teixeira and R. M. G. Ferrari.
    Eur. Control Conf., Cyprus, 2018
  3. “Differentially-Private Distributed Fault Diagnosis for Large-Scale Nonlinear Uncertain Systems”.
    V. Rostampour, R. Ferrari, A. M. H. Teixeira, and T. Keviczky.
    IFAC-PapersOnLine, vol. 51, no. 24, pp. 975–982, Jan. 2018

    Distributed fault diagnosis has been proposed as an effective technique for monitoring large scale, nonlinear and uncertain systems. It is based on the decomposition of the large scale system into a number of interconnected subsystems, each one monitored by a dedicated Local Fault Detector (LFD). Neighboring LFDs, in order to successfully account for subsystems interconnection, are thus required to communicate with each other some of the measurements from their subsystems. Anyway, such communication may expose private information of a given subsystem, such as its local input. To avoid this problem, we propose here to use differential privacy to pre-process data before transmission.

  4. “Security measure allocation for industrial control systems: Exploiting systematic search techniques and submodularity”.
    J. Milošević, A. M. H. Teixeira, T. Tanaka, K. H. Johansson, and H. Sandberg.
    Int. J. Robust Nonlinear Control, no. 11, pp. 4278–4302, 2018

2017

  1. “Bayesian network models in cyber security: A systematic review”.
    S. Chockalingam, W. Pieters, A. M. H. Teixeira, and P. van Gelder.
    in Secur. IT Syst. Nord. 2017. Lect. Notes Comput. Sci., vol. 10674 LNCS, H. Lipmaa, A. Mitrokotsa, and R. Matulevičius, Eds. Springer, Cham, 2017, pp. 105–122

    Bayesian Networks (BNs) are an increasingly popular modelling technique in cyber security especially due to their capability to overcome data limitations. This is also exemplified by the growth of BN models development in cyber security. However, a comprehensive comparison and analysis of these models is missing. In this paper, we conduct a systematic review of the scientific literature and identify 17 standard BN models in cyber security. We analyse these models based on 8 different criteria and identify important patterns in the use of these models. A key outcome is that standard BNs are noticeably used for problems especially associated with malicious insiders. This study points out the core range of problems that were tackled using standard BN models in cyber security, and illuminates key research gaps.

  2. “Co-simulation for Cyber Security Analysis: Data Attacks against Energy Management System”.
    K. Pan, A. M. H. Teixeira, C. López, and P. Palensky.
    IEEE Int. Conf. Smart Grid Commun., Dresden, Germany, 2017, pp. 253–258

    It is challenging to assess the vulnerability of a cyber-physical power system to data attacks from an integral perspective. In order to support vulnerability assessment except analytic analysis, suitable platform for security tests needs to be developed. In this paper we analyze the cyber security of energy management system (EMS) against data attacks. First we extend our analytic framework that characterizes data attacks as optimization problems with the objectives specified as security metrics and constraints corresponding to the communication network properties. Second, we build a platform in the form of co-simulation - coupling the power system simulator DIgSILENT PowerFactory with communication network simulator OMNeT++, and Matlab for EMS applications (state estimation, optimal power flow). Then the framework is used to conduct attack simulations on the co-simulation based platform for a power grid test case. The results indicate how vulnerable of EMS to data attacks and how co-simulation can help assess vulnerability.

  3. “Data attacks on power system state estimation: Limited adversarial knowledge vs. limited attack resources”.
    K. Pan, A. M. H. Teixeira, M. Cvetkovic, and P. Palensky.
    IECON 2017 - 43rd Annu. Conf. IEEE Ind. Electron. Soc., Beijing, China, 2017, pp. 4313–4318

    © 2017 IEEE. It has shown that with perfect knowledge of the system model and the capability to manipulate a certain number of measurements, the false data injection (FDI) attacks, as a class of data integrity attacks, can coordinate measurements corruption to keep stealth against the bad data detection schemes. However, a more realistic attack is essentially an attack with limited adversarial knowledge of the system model and limited attack resources due to various reasons. In this paper, we generalize the data attacks that they can be pure FDI attacks or combined with availability attacks (e.g., DoS attacks) and analyze the attacks with limited adversarial knowledge or limited attack resources. The attack impact is evaluated by the proposed metrics and the detection probability of attacks is calculated using the distribution property of data with or without attacks. The analysis is supported with results from a power system use case. The results show how important the knowledge is to the attacker and which measurements are more vulnerable to attacks with limited resources.

  4. “Detection and Isolation of Replay Attacks through Sensor Watermarking”.
    R. M. G. Ferrari and A. M. H. Teixeira.
    IFAC-PapersOnLine, vol. 50, no. 1, pp. 7363–7368, Jul. 2017

    This paper addresses the detection and isolation of replay attacks on sensor measurements. As opposed to previously proposed additive watermarking, we propose a multiplicative watermarking scheme, where each sensor’s output is separately watermarked by being fed to a SISO watermark generator. Additionally, a set of equalizing filters is placed at the controller’s side, which reconstructs the original output signals from the received watermarked data. We show that the proposed scheme has several advantages over existing approaches: it has no detrimental effects on the closed-loop performance in the absence of attacks; it can be designed in a modular fashion, independently of the design of the controller and anomaly detector; it facilitates the detection of replay attacks and the isolation of the time at which the replayed data was recorded. These properties are discussed in detail and the results are illustrated through a numerical example.

  5. “Detection and isolation of routing attacks through sensor watermarking”.
    R. M. G. Ferrari and A. M. H. Teixeira.
    Proc. Am. Control Conf., Seattle, WA, USA, 2017, pp. 5436–5442

    © 2017 American Automatic Control Council (AACC). In networked control systems, leveraging the peculiarities of the cyber-physical domains and their interactions may lead to novel detection and defense mechanisms against malicious cyber-attacks. In this paper, we propose a multiplicative sensor watermarking scheme, where each sensor’s output is separately watermarked by a Single Input Single Output (SISO) filter. Hence, such scheme does not require communication between multiple sensors, but can still lead to detection and isolation of malicious cyber-attacks. In particular, we analyze the benefits of the proposed watermarking scheme for two attack scenarios: The physical sensor re-routing attack and the cyber measurement re-routing one. For each attack scenario, detectability and isolability properties are analyzed with and without the proposed watermarking scheme and we show how the watermarking scheme can be leveraged to detect cyber sensor routing attacks. In order to detect compromised sensors, we design an observer-based detector with a robust adaptive threshold. Additionally, we identify the sensors involved in the re-routing attacks by means of a tailored Recursive Least Squares parameter estimation algorithm. The results are illustrated through a numerical example.

  6. “Distributed sensor and actuator reconfiguration for fault-tolerant networked control systems”.
    A. M. H. Teixeira, J. Araujo, H. Sandberg, and K. H. Johansson.
    IEEE Trans. Control Netw. Syst., pp. 1–12, 2017

    In this paper, we address the problem of distributed reconfiguration of networked control systems upon the removal of misbehaving sensors and actuators. In particular, we consider systems with redundant sensors and actuators cooperating to recover from faults. Reconfiguration is performed while minimizing a steady-state estimation error covariance and a quadratic control cost. A model-matching condition is imposed on the reconfiguration scheme. It is shown that the reconfiguration and its underlying computation can be distributed. Using an average dwell-time approach, the stability of the distributed reconfiguration scheme under finite-time termination is analyzed. The approach is illustrated in a numerical example.

  7. “Estimation With Strategic Sensors”.
    F. Farokhi, A. M. H. Teixeira, and C. Langbort.
    IEEE Trans. Automat. Contr., vol. 62, no. 2, pp. 724–739, Feb. 2017

    © 1963-2012 IEEE. We introduce a model of estimation in the presence of strategic, self-interested sensors. We employ a game-theoretic setup to model the interaction between the sensors and the receiver. The cost function of the receiver is equal to the estimation error variance while the cost function of the sensor contains an extra term which is determined by its private information. We start by the single sensor case in which the receiver has access to a noisy but honest side information in addition to the message transmitted by a strategic sensor. We study both static and dynamic estimation problems. For both these problems, we characterize a family of equilibria in which the sensor and the receiver employ simple strategies. Interestingly, for the dynamic estimation problem, we find an equilibrium for which the strategic sensor uses a memory-less policy. We generalize the static estimation setup to multiple sensors with synchronous communication structure (i.e., all the sensors transmit their messages simultaneously). We prove the maybe surprising fact that, for the constructed equilibrium in affine strategies, the estimation quality degrades as the number of sensors increases. However, if the sensors are herding (i.e., copying each other policies), the quality of the receiver’s estimation improves as the number of sensors increases. Finally, we consider the asynchronous communication structure (i.e., the sensors transmit their messages sequentially).

  8. “Integrated Safety and Security Risk Assessment Methods: A Survey of Key Characteristics and Applications”.
    S. Chockalingam, D. Hadziosmanovic, W. Pieters, A. M. H. Teixeira, and P. van Gelder.
    in Crit. Inf. Infrastructures Secur. CRITIS 2016. Lect. Notes Comput. Sci., G. Havarneanu, R. Setola, H. Nassopoulos, and S. Wolthusen, Eds. Springer, Cham, 2017, pp. 50–62

    Over the last years, we have seen several security incidents that compromised system safety, of which some caused physical harm to people. Meanwhile, various risk assessment methods have been developed that integrate safety and security, and these could help to address the corresponding threats by implementing suitable risk treatment plans. However, an overarching overview of these methods, systematizing the characteristics of such methods, is missing. In this paper, we conduct a systematic literature review, and identify 7 integrated safety and security risk assessment methods. We analyze these methods based on 5 different criteria, and identify key characteristics and applications. A key outcome is the distinction between sequential and non-sequential integration of safety and security, related to the order in which safety and security risks are assessed. This study provides a basis for developing more effective integrated safety and security risk assessment methods in the future.

  9. “Voltage Control in Distributed Generation under Measurement Falsification Attacks”.
    M. Ma, A. M. H. Teixeira, J. van den Berg, and P. Palensky.
    IFAC-PapersOnLine, vol. 50, no. 1, pp. 8379–8384, Jul. 2017

    Low-voltage distribution grids experience a rising penetration of inverter-based, distributed generation. In order to not only contribute to but also solve voltage problems, these inverters are increasingly asked to participate in intelligent grid controls. Communicating inverters implement distributed voltage droop controls. The impact of cyber-attacks to the stability of such distributed grid controls is poorly researched and therefore addressed in this article. We characterize the potential impact of several attack scenarios by employing the positivity and diagonal dominance properties. In particular, we discuss measurement falsification scenarios where the attacker corrupts voltage measurement data received by the voltage droop controllers. Analytical, control-theoretic methods for assessing the impact on system stability and voltage magnitude are presented and validated via simulation.

2016

  1. “Combined data integrity and availability attacks on state estimation in cyber-physical power grids”.
    K. Pan, A. M. H. Teixeira, M. Cvetkovic, and P. Palensky.
    IEEE Int. Conf. Smart Grid Commun., Sydney, Australia, 2016, pp. 271–277

    © 2016 IEEE. This paper introduces combined data integrity and availability attacks to expand the attack scenarios against power system state estimation. The goal of the adversary, who uses the combined attack, is to perturb the state estimates while remaining hidden from the observer. We propose security metrics that quantify vulnerability of power grids to combined data attacks under single and multi-path routing communication models. In order to evaluate the proposed security metrics, we formulate them as mixed integer linear programming (MILP) problems. The relation between the security metrics of combined data attacks and pure data integrity attacks is analyzed, based on which we show that, when data availability and data integrity attacks have the same cost, the two metrics coincide. When data availability attacks have a lower cost than data integrity attacks, we show that a combined data attack could be executed with less attack resources compared to pure data integrity attacks. Furthermore, it is shown that combined data attacks would bypass integrity-focused mitigation schemes. These conclusions are supported by the results obtained on a power system model with and without a communication model with single or multi-path routing.

  2. “Cyber-Physical-Security Framework for Building Energy Management System”.
    K. Paridari et al.
    ACM/IEEE 7th Int. Conf. Cyber-Physical Syst. ICCPS, Vienna, Austria, 2016

    © 2016 IEEE. Energy management systems (EMS) are used to control energy usage in buildings and campuses, by employing technologies such as supervisory control and data acquisition (SCADA) and building management systems (BMS), in order to provide reliable energy supply and maximise user comfort while minimising energy usage. Historically, EMS systems were installed when potential security threats were only physical. Nowadays, EMS systems are connected to the building network and as a result directly to the outside world. This extends the attack surface to potential sophisticated cyber-attacks, which adversely impact EMS operation, resulting in service interruption and downstream financial implications. Currently, the security systems that detect attacks operate independently to those which deploy resiliency policies and use very basic methods. We propose a novel EMS cyber-physical-security framework that executes a resilient policy whenever an attack is detected using security analytics. In this framework, both the resilient policy and the security analytics are driven by EMS data, where the physical correlations between the data-points are identified to detect outliers and then the control loop is closed using an estimated value in place of the outlier. The framework has been tested using a reduced order model of a real EMS site.

  3. “Cybersecurity as a Politikum”.
    L. Fichtner, W. Pieters, and A. Teixeira.
    Proc. 2016 New Secur. Paradig. Work. NSPW, Granby, CO, USA, 2016, vol. 26-29-Sept, pp. 36–48

    © 2016 ACM. In the cybersecurity community it is common to think of security as a design feature for systems and infrastructures that may be difficult to balance with other requirements. What is less studied is how security requirements come about, for which reasons, and what their influence is on the actions the system facilitates. Security is for example often used as an argument for or against granting access rights that are of importance to stakeholders, such as in the discussion on counterterrorism and privacy. This paper argues that the ongoing politicization of security issues calls for a paradigm to study cybersecurity as a Politikum: a matter of political concern, embedded in existing and future infrastructures. We summarize literature which inspired this paper and explain the role of security arguments for infrastructure governance. Then we outline the new paradigm and its core concepts and contribution, including the notion of framing. Finally, we present discourse analysis and infrastructure ethnography as research methods and discuss cases in which discourses (may) shape infrastructures, in particular smart cities.

  4. “Fault Detection and Diagnosis for Compliance Monitoring in International Supply Chains”.
    Y. Wang et al.
    22nd Am. Conf. Inf. Syst., San Diego, CA, USA, 2016

    Currently international supply chains are facing risks concerning faults in compliance, such as altering shipping documentations, fictitious inventory, and inter-company manipulations. In this paper a method to detect and diagnose fault scenarios regarding customs compliance in supply chains is proposed. This method forms part of a general approach called model-based auditing, which is based on a normative meta-model of the movement of money and goods or services. The modeling framework is proposed on compliance monitoring of supply chains with focus on information systems and compliance reporting tools. The innovation lies in the application and mapping of modeling techniques from dynamical systems engineering to business process analysis for audit and supervision purposes. Specifically, the application domain is where money, goods as well as information are transferred between international supply chain partners. A case study of a leading company in electronics manufacturing applying the model is analyzed.

  5. “From control system security indices to attack identifiability”.
    H. Sandberg and A. M. H. Teixeira.
    2016 Sci. Secur. Cyber-Physical Syst. Work., Vienna, Austria, 2016, pp. 1–6

    © 2016 IEEE. In this paper, we investigate detectability and identifiability of attacks on linear dynamical systems that are subjected to external disturbances. We generalize a concept for a security index, which was previously introduced for static systems. The index exactly quantifies the resources necessary for targeted attacks to be undetectable and unidentifiable in the presence of disturbances. This information is useful for both risk assessment and for the design of anomaly detectors. Finally, we show how techniques from the fault detection literature can be used to decouple disturbances and to identify attacks, under certain sparsity constraints.

  6. “The ADMM Algorithm for Distributed Quadratic Problems: Parameter Selection and Constraint Preconditioning”.
    A. Teixeira, E. Ghadimi, I. Shames, H. Sandberg, and M. Johansson.
    IEEE Trans. Signal Process., vol. 64, no. 2, pp. 290–305, Jan. 2016

    © 2015 IEEE. This paper presents optimal parameter selection and preconditioning of the alternating direction method of multipliers (ADMM) algorithm for a class of distributed quadratic problems, which can be formulated as equality-constrained quadratic programming problems. The parameter selection focuses on the ADMM step-size and relaxation parameter, while the preconditioning corresponds to selecting the edge weights of the underlying communication graph. We optimize these parameters to yield the smallest convergence factor of the iterates. Explicit expressions are derived for the step-size and relaxation parameter, as well as for the corresponding convergence factor. Numerical simulations justify our results and highlight the benefits of optimal parameter selection and preconditioning for the ADMM algorithm.

2015

  1. “A secure control framework for resource-limited adversaries”.
    A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson.
    Automatica, vol. 51, no. 1, pp. 135–148, 2015

    Cyber-secure networked control is modeled, analyzed, and experimentally illustrated in this paper. An attack space defined by the adversary’s model knowledge, disclosure, and disruption resources is introduced. Adversaries constrained by these resources are modeled for a networked control system architecture. It is shown that attack scenarios corresponding to denial-of-service, replay, zero-dynamics, and bias injection attacks on linear time-invariant systems can be analyzed using this framework. Furthermore, the attack policy for each scenario is described and the attack’s impact is characterized using the concept of safe sets. An experimental setup based on a quadruple-tank process controlled over a wireless network is used to illustrate the attack scenarios, their consequences, and potential counter-measures.

  2. “Cyber-Secure and Resilient Architectures for Industrial Control Systems”.
    A. Teixeira, F. Kupzog, H. Sandberg, and K. H. Johansson.
    in Smart Grid Secur. Innov. Solut. a Mod. Grid, Florian Skopik and Paul Smith, Ed. Elsevier Science Publishing Co Inc, 2015, pp. 149–183

    In this chapter, we survey cyber security solutions for control and monitoring systems that are used to manage the Smart Grid. We start with a short review of the history and use of Industrial Control Systems (ICSs) and Supervisory Control and Data Acquisition (SCADA) systems, and how cyber security in control systems has recently become a major concern, in the wake of the Stuxnet and other recently discovered malware. We follow up with surveying information technology and control-centric security tools that can be used to improve the resilience of industrial control systems. Feedback control loops are core components in the Smart Grid, as they enable the maximal utilization of the physical infrastructure and its resources. As the number of control loops in the Smart Grid increases, the cyber security challenges faced by ICSs become increasingly important within the Smart Grid’s context. To highlight such novel challenges, we give an overview of the envisioned control loops in future Smart Grids, and discuss the potential impact of cyber threats targeting critical Smart Grid functionalities. As a case study, false-data injection attacks on power transmission networks are considered. The level of resilience to such attacks is assessed through a control-centric risk assessment methodology, which is also used for allocating the deployment of more modern and secure equipment. The chapter ends with a discussion of future research challenges in the area.

  3. “Optimal parameter selection for the Alternating Direction Method of Multipliers (ADMM): Quadratic problems”.
    E. Ghadimi, A. Teixeira, I. Shames, and M. Johansson.
    IEEE Trans. Automat. Contr., vol. 60, no. 3, pp. 644–658, Mar. 2015

    The alternating direction method of multipliers (ADMM) has emerged as a powerful technique for large-scale structured optimization. Despite many recent results on the convergence properties of ADMM, a quantitative characterization of the impact of the algorithm parameters on the convergence times of the method is still lacking. In this paper we find the optimal algorithm parameters that minimize the convergence factor of the ADMM iterates in the context of l2-regularized minimization and constrained quadratic programming. Numerical examples show that our parameter selection rules significantly outperform existing alternatives in the literature.

  4. “Secure Control Systems: A Quantitative Risk Management Approach”.
    A. Teixeira, K. Sou, H. Sandberg, and K. Johansson.
    IEEE Control Syst. Mag., vol. 35, no. 1, pp. 24–45, 2015
  5. “Strategic stealthy attacks: The output-to-output ℓ2-gain”.
    A. Teixeira, H. Sandberg, and K. H. Johansson.
    Proc. IEEE Conf. Decis. Control, Osaka, Japan, 2015, vol. 54th IEEE, pp. 2582–2587

    © 2015 IEEE. In this paper, we characterize and analyze the set of strategic stealthy false-data injection attacks on discrete-time linear systems. In particular, the threat scenarios tackled in the paper consider adversaries that aim at deteriorating the system’s performance by maximizing the corresponding quadratic cost function, while remaining stealthy with respect to anomaly detectors. As opposed to other work in the literature, the effect of the adversary’s actions on the anomaly detector’s output is not constrained to be zero at all times. Moreover, scenarios where the adversary has uncertain model knowledge are also addressed. The set of strategic attack policies is formulated as a non-convex constrained optimization problem, leading to a sensitivity metric denoted as the output-to-output ℓ2-gain. Using the framework of dissipative systems, the output-to-output gain is computed through an equivalent convex optimization problem. Additionally, we derive necessary and sufficient conditions for the output-to-output gain to be unbounded, with and without model uncertainties, which are tightly related to the invariant zeros of the system.

  6. “The ADMM algorithm for distributed averaging: Convergence rates and optimal parameter selection”.
    E. Ghadimi, A. Teixeira, M. G. Rabbat, and M. Johansson.
    Asilomar Conf. Signals, Syst. Comput., Pacific Grove, CA, USA, 2015, vol. 2015-April

    © 2014 IEEE. We derive the optimal step-size and over-relaxation parameter that minimizes the convergence time of two ADMM-based algorithms for distributed averaging. Our study shows that the convergence times for given step-size and over-relaxation parameters depend on the spectral properties of the normalized Laplacian of the underlying communication graph. Motivated by this, we optimize the edge-weights of the communication graph to improve the convergence speed even further. The performance of the ADMM algorithms with our parameter selection is compared with alternatives from the literature in extensive numerical simulations on random graphs.

  7. “Voltage control for interconnected microgrids under adversarial actions”.
    A. Teixeira, K. Paridari, H. Sandberg, and K. H. Johansson.
    2015 IEEE 20th Conf. Emerg. Technol. Fact. Autom., Luxembourg, 2015, pp. 1–8

    © 2015 IEEE. In this paper, we study the impact of adversarial actions on voltage control schemes in interconnected microgrids. Each microgrid is abstracted as a power inverter that can be controlled to regulate its voltage magnitude and phase-angle independently. Moreover, each power inverter is modeled as a single integrator, whose input is given by a voltage droop-control policy that is computed based on voltage magnitude and reactive power injection measurements. Under mild assumptions, we then establish important properties of the nominal linearized closed-loop system, such as stability, positivity, and diagonal dominance. These properties play an important role when characterizing the potential impact of different attack scenarios. In particular, we discuss two attack scenarios where the adversary corrupts measurement data and reference signals received by the voltage droop controllers. The potential impact of instances of each scenario is analyzed using control-theoretic tools, which may be used to develop methodologies for identifying high-risk attack scenarios, as is illustrated by numerical examples.

2014

  1. “Toward Cyber-Secure and Resilient Networked Control Systems”.
    A. M. H. Teixeira.
    PhD thesis, KTH Royal Institute of Technology, Stockholm, Sweden, 2014
  2. “A down-sampled controller to reduce network usage with guaranteed closed-loop performance”.
    J. Araújo, A. Teixeira, E. Henriksson, and K. H. Johansson.
    IEEE Conf. Decis. Control, Los Angeles, CA, USA, 2014, no. February, pp. 6849–6856

    © 2014 IEEE. We propose and evaluate a down-sampled controller which reduces the network usage while providing a guaranteed desired linear quadratic control performance. This method is based on fast and slow sampling intervals, as the closed-system benefits by being brought quickly to steady-state conditions while behaving satisfactorily when being actuated at a slow rate once at those conditions. This mechanism is shown to provide large savings with respect to network usage when compared to traditional periodic time-triggered control and other aperiodic controllers proposed in the literature.

  3. “Distributed Coordination of Household Electricity Consumption”.
    M. Juelsgaard, A. Teixeira, M. Johansson, R. Wisniewski, and J. D. Bendtsen.
    IEEE Multi-conference Syst. Control, Antibes, France, 2014

    © 2014 IEEE. This work presents a distributed framework for coordination of flexible electricity consumption for a number of households in the distribution grid. Coordination is conducted with the purpose of minimizing a trade-off between individual concerns about discomfort and electricity cost, on the one hand, and joint concerns about grid losses and voltage variations on the other. Our contribution is to demonstrate how distributed coordination of both active and reactive consumption may be conducted, when consumers are jointly coupled by grid losses and voltage variations. We further illustrate the benefit of including consumption coordination for grid operation, and how different types of consumption present different benefits.

  4. “Distributed Fault Detection and Isolation Resilient to Network Model Uncertainties”.
    A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson.
    IEEE Trans. Cybern., vol. 44, no. 11, pp. 2024–2037, 2014
  5. “Gaussian cheap talk game with quadratic cost functions: When herding between strategic senders is a virtue”.
    F. Farokhi, A. M. H. Teixeira, and C. Langbort.
    Am. Control Conf., Portland, OR, USA, 2014, pp. 2267–2272
  6. “Security of smart distribution grids: Data integrity attacks on integrated volt/VAR control and countermeasures”.
    A. Teixeira, G. Dán, H. Sandberg, R. Berthier, R. B. Bobba, and A. Valdes.
    Am. Control Conf., Portland, OR, USA, 2014, pp. 4372–4378

2013

  1. “Distributed actuator reconfiguration in networked control systems”.
    A. Teixeira, J. Araújo, H. Sandberg, and K. H. Johansson.
    4th IFAC Work. Distrib. Estim. Control Networked Syst., Koblenz, Germany, 2013
  2. “Optimal scaling of the ADMM algorithm for distributed quadratic programming”.
    A. Teixeira, E. Ghadimi, I. Shames, H. Sandberg, and M. Johansson.
    Proc. IEEE Conf. Decis. Control, Florence, Italy, 2013, pp. 6868–6873

    This paper addresses the optimal scaling of the ADMM method for distributed quadratic programming. Scaled ADMM iterations are first derived for generic equality-constrained quadratic problems and then applied to a class of distributed quadratic problems. In this setting, the scaling corresponds to the step-size and the edge-weights of the underlying communication graph. We optimize the convergence factor of the algorithm with respect to the step-size and graph edge-weights. Explicit analytical expressions for the optimal convergence factor and the optimal step-size are derived. Numerical simulations illustrate our results.

  3. “Quantifying Cyber-Security for Networked Control Systems”.
    A. Teixeira, K. C. Sou, H. Sandberg, and K. H. Johansson.
    in Control Cyber-Physical Syst., no. 449, D. C. Tarraf, Ed. Springer International Publishing, 2013, pp. 123–142

2012

  1. “Agents Misbehaving in a Network: a Vice or a Virtue?”.
    I. Shames, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    IEEE Netw. Mag., vol. 26, no. 3, pp. 35–40, 2012

    Misbehaviors among the agents in a network might be intentional or unintentional; they might cause a system-wide failure, or they might improve the performance or even enable us to achieve an objective. In this article we consider examples of these possible scenarios. First, we argue the necessity of monitoring the agents in a network to detect if they are misbehaving or not and outline a distributed method in which each agent monitors its neighbors for any sign of misbehavior. Later, we focus on solving the problem of distributed leader selection via forcing the agents to temporarily misbehave, and introduce an algorithm that enables the agents in a network to select their leader without any interference from the outside of the network. © 2012 IEEE.

  2. “Attack models and scenarios for networked control systems”.
    A. Teixeira, D. Pérez, H. Sandberg, and K. H. Johansson.
    Proc. 1st Int. Conf. High Confid. Networked Syst. - HiCoNS ’12, Beijing, China, 2012, pp. 55–64

    Cyber-secure networked control is modeled, analyzed, and experimentally illustrated in this paper. An attack space defined by the adversary’s system knowledge, disclosure, and disruption resources is introduced. Adversaries constrained by these resources are modeled for a networked control system architecture. It is shown that attack scenarios corresponding to replay, zero dynamics, and bias injection attacks can be analyzed using this framework. An experimental setup based on a quadruple-tank process controlled over a wireless network is used to illustrate the attack scenarios, their consequences, and potential counter-measures.

  3. “Cyber-security of SCADA systems”.
    G. Andersson et al.
    IEEE PES Innov. Smart Grid Technol., Washington, DC, USA, 2012, pp. 1–2
  4. “Distributed Fault Detection and Isolation with Imprecise Network Models”.
    I. Shames, A. Teixeira, H. Sandberg, and K. H. Johansson.
    Am. Control Conf., Montreal, Canada, 2012
  5. “Fault Detection and Mitigation in Kirchhoff Networks”.
    I. Shames, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    IEEE Signal Process. Lett., vol. 19, no. 11, pp. 749–752, Nov. 2012
  6. “On the Optimal Step-Size Selection for the Alternating Direction Method of Multipliers”.
    E. Ghadimi, A. Teixeira, I. Shames, and M. Johansson.
    3rd IFAC Work. Distrib. Estim. Control Networked Syst. NecSys, Santa Barbara, CA, USA, 2012, vol. 45, no. 26

    The alternating direction method of multipliers is a powerful technique for structured large-scale optimization that has recently found applications in a variety of fields including networked optimization, estimation, compressed sensing and multi-agent systems. While applications of this technique have received a lot of attention, there is a lack of theoretical support for how to set the algorithm parameters, and its step-size is typically tuned experimentally. In this paper we consider three different formulations of the algorithm and present explicit expressions for the step-size that minimizes the convergence rate. We also compare our method with one of the existing step-size selection techniques for consensus applications. © 2012 IFAC.

  7. “Optimal power flow: closing the loop over corrupted data”.
    A. Teixeira, H. Sandberg, G. Dán, and K. H. Johansson.
    Am. Control Conf., Montreal, Canada, 2012
  8. “Revealing Stealthy Attacks in Control Systems”.
    A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson.
    50th Annu. Allert. Conf. Commun. Control. Comput., Monticello, IL, USA, 2012

    In this paper the problem of revealing stealthy data-injection attacks on control systems is addressed. In particular we consider the scenario where the attacker performs zero-dynamics attacks on the system. First, we characterize and analyze the stealthiness properties of these attacks for linear time-invariant systems. Then we tackle the problem of detecting such attacks by modifying the system’s structure. Our results provide necessary and sufficient conditions that the modifications should satisfy in order to detect the zero-dynamics attacks. The results and proposed detection methods are illustrated through numerical examples. © 2012 IEEE.

2011

  1. “Cyber security study of a SCADA energy management system: stealthy deception attacks on the state estimator”.
    A. Teixeira, G. Dán, H. Sandberg, and K. H. Johansson.
    18th IFAC World Congr., Milano, Italy, 2011
  2. “Distributed Fault Detection for Interconnected Second-Order Systems”.
    I. Shames, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    Automatica, vol. 47, no. 12, pp. 2757–2764, 2011

    In this paper, the existence of unknown input observers for networks of interconnected second-order linear time invariant systems is studied. Two classes of distributed control systems of large practical relevance are considered. It is proved that for these systems, one can construct a bank of unknown input observers, and use them to detect and isolate faults in the network. The result presents a distributed implementation. In particular, by exploiting the system structure, this work provides further insight into the design of UIO for networked systems. Moreover, the importance of certain network measurements is shown. Infeasibility results with respect to available measurements and faults are also provided, as well as methods to remove faulty agents from the network. Applications to power networks and robotic formations are presented. It is shown how the developed methodology applies to a power network described by the swing equation with a faulty bus. For a multi-robot system, it is illustrated how a faulty robot can be detected and removed. © 2011 Elsevier Ltd. All rights reserved.

  3. “Dynamical system decomposition using dissipation inequalities”.
    J. Anderson, A. Teixeira, H. Sandberg, and A. Papachristodoulou.
    50th IEEE Conf. Decis. Control Eur. Control Conf., Orlando, FL, USA, 2011, pp. 211–216
  4. “Toward an Indoor Testbed for Mobile Networked Control Systems”.
    M. Larsson et al.
    First Work. Res. Dev. Educ. Unmanned Aer. Syst., Seville, Spain, 2011

2010

  1. “Cyber Security Analysis of State Estimators in Electric Power Systems”.
    A. Teixeira, S. Amin, H. Sandberg, K. H. Johansson, and S. S. Sastry.
    49th IEEE Conf. Decis. Control, Atlanta, GA, USA, 2010

    In this paper, we analyze the cyber security of state estimators in Supervisory Control and Data Acquisition (SCADA) systems operating in power grids. Safe and reliable operation of these critical infrastructure systems is a major concern in our society. In current state estimation algorithms there are bad data detection (BDD) schemes to detect random outliers in the measurement data. Such schemes are based on high measurement redundancy. Although such methods may detect a set of very basic cyber attacks, they may fail in the presence of a more intelligent attacker. We explore the latter by considering scenarios where deception attacks are performed, sending false information to the control center. Similar attacks have been studied before for linear state estimators, assuming the attacker has perfect model knowledge. Here we instead assume the attacker only possesses a perturbed model. Such a model may correspond to a partial model of the true system, or even an out-dated model. We characterize the attacker by a set of objectives, and propose policies to synthesize stealthy deception attacks, both in the case of linear and nonlinear estimators. We show that the more accurate the model the attacker has access to, the larger the deception attack he can perform undetected. Specifically, we quantify trade-offs between model accuracy and possible attack impact for different BDD schemes. The developed tools can be used to further strengthen and protect the critical state-estimation component in SCADA systems. © 2010 IEEE.

  2. “Distributed Fault Detection for Interconnected Second-Order Systems with Applications to Power Networks”.
    I. Shames, A. M. H. Teixeira, H. Sandberg, and K. H. Johansson.
    First Work. Secur. Control Syst. CPSWeek, Stockholm, Sweden, 2010
  3. “Distributed Leader Selection without Direct Inter-Agent Communication”.
    I. Shames, A. Teixeira, H. Sandberg, and K. H. Johansson.
    2nd IFAC Work. Distrib. Estim. Control Networked Syst. NecSys, Annecy, France, 2010
  4. “Networked control systems under cyber attacks with applications to power networks”.
    A. Teixeira, H. Sandberg, and K. H. Johansson.
    Am. Control Conf., Baltimore, MD, 2010, pp. 3690–3696
  5. “On security indices for state estimators in power networks”.
    H. Sandberg, A. Teixeira, and K. H. Johansson.
    First Work. Secur. Control Syst. CPSWeek, Stockholm, Sweden, 2010