Secure State Estimation and Attack Reconstruction in Cyber-Physical Systems: Sliding Mode Observer Approach

A cyber-physical system (CPS) is a tight coupling of computational resources, network communication, and physical processes. Such systems are composed of a set of networked components, including sensors, actuators, control processing units, and communication agents that instrument the physical world to make it smarter. However, cyber components are also the source of new, unprecedented vulnerabilities to malicious attacks. In order to protect a CPS from attacks, three security levels of protection, detection, and identification are considered. In this chapter, we will discuss the identification level, i.e., secure state estimation and attack reconstruction of CPS with corrupted states and measurements. Considering different attack plans that may assault the states, sensors, or both of them, different online attack reconstruction approaches are discussed. Fixed-gain and adaptive-gain finite-time convergent observation algorithms, specifically sliding mode observers, are applied to the online reconstruction of sensor and state attacks. Next, the corrupted measurements and states are to be cleaned up online in order to stop the attack propagation to the CPS via the control signal. The proposed methodologies are applied to an electric power network, whose states and sensors are under attack. Simulation results illustrate the efficacy of the proposed observers.


Introduction
Cyber-physical systems (CPS) are the integration of the cyber-world of computing and communications with the physical world. In many systems, control of a physical plant is integrated with a wireless communication network, for example, transportation networks, electric power networks, integrated biological systems, industrial automation systems, and economic systems [1,2]. Since CPSs use open computation and communication platform architectures, they are vulnerable to adversarial physical faults or cyber-attacks. Faults and cyber-attacks are referred to as attacks throughout this chapter. reconstruct the attacks asymptotically. This reconstruction is approximate only, since pseudo-inverse techniques are used.
In this chapter, CPSs controlled by a control input subject to sensor attacks and state/plant attacks are considered. The corrupted measurements propagate the attack signals to the CPS through the control signals, causing CPS performance degradation. The main challenge that is addressed in the chapter is online exact reconstruction of the sensor and state attacks with an application to an electric power network. The contributions of this chapter are:
• Novel fixed-gain and adaptive-gain SMOs for the linearized/linear CPS under attack are proposed for the online reconstruction of sensor attacks. The time-varying attacks are reconstructed via the proposed SMO that includes a newly designed dynamic filter. Note that the well-known SMO proposed in [27] reconstructs the slow-varying perturbations only.
• A super twisting SMO is applied to reconstruct the state/plant time-varying attacks of the linearized/linear CPS under attack.
• For online state/plant attack reconstruction in nonlinear CPS under attack, a higher-order sliding mode disturbance observer [28] is used.
• An algorithm that uses sliding mode differentiation techniques [29] in concert with the finite-time convergent observer for sparse signal recovery is applied to online reconstruction of time-varying attacks in a nonlinear CPS under attack when there are limited measurements and more possible sources of attack [30].

Motivation example: electric power network under attack
In a real-world power network, only a small group of generator rotor angles and rates is directly measured, and typical attacks aim at injecting disturbance signals that mainly affect the sensorless generators [24].
The small-signal version of the classic structure-preserving power network model is adopted to describe the dynamics of a power network. Consider a connected power network consisting of $n_1$ generators $\{g_1, \dots, g_{n_1}\}$ and $n_2$ load buses $\{b_{n_1+1}, \dots, b_{n_1+n_2}\}$. The interconnection structure of the power network is encoded by a connected susceptance-weighted graph $G$. The vertices of $G$ are the generators $g_i$ and the buses $b_i$. The edges of $G$ are the transmission lines $\{b_i, b_j\}$ and the connections $\{g_i, b_i\}$ weighted by their susceptance values. The Laplacian associated with the susceptance-weighted graph is the symmetric susceptance matrix
The CPS that motivates the results presented in this work is the US Western Electricity Coordinating Council (WECC) power system [8] under attack with three generators and six buses, whose electrical schematic is presented in Figure 1. The mathematical model of the power network in Figure 1 under sensor stealth attack and deception attack can be represented as the following descriptor equations that consist of differential and algebraic equations [8]:
The measurement corruption attacks through an output control feedback. The matrices $E_g, M_g \in \mathbb{R}^{3 \times 3}$ are diagonal whose nonzero entries consist of the damping coefficients and the normalized inertias of the generators, respectively:
The inputs $P_\omega$ and $P_\theta$ are due to known changes in the mechanical input power to the generators and real power demands at the loads. The matrices $B \in \mathbb{R}^{12 \times m_1}$ and $D \in \mathbb{R}^{p \times (m - m_1)}$ are the attack distribution matrices, and $C \in \mathbb{R}^{p \times 12}$ is the output gain
Figure 1. The WECC power system [8].
Note that $\omega_i \to 0 \ \forall i = 1, 2, 3$ in the case of nominal performance of the studied network. Consider the case when the outputs of the system, which are the measurement sensors $\omega_1, \omega_2, \omega_3$, are corrupted by the following stealth attacks.
The system (1) was simulated with and without the above attacks. Based on the simulation results shown in Figures 2 and 3, the stealth attack in (4) yields inappropriate degradation of the power network performance.
This motivates why online reconstruction of the attacks, followed by cleanup of the measurements prior to using them in the control signal, is of prime importance for retaining the performance of the power network (as will be shown in Section VI, where the proposed SMO is applied to achieve this goal). The case study of the power network (1) will be further discussed in detail in Section 6.

Cyber-physical system dynamics
Consider the following completely observable and asymptotically stable system
where $x \in \mathbb{R}^n$ is the state vector, $f(x) \in \mathbb{R}^n$ is a smooth vector field, $d(t) \in \mathbb{R}^m$ denotes the attack/fault vector which is additive and matched to the control signal, $y \in \mathbb{R}^p$ is the measurement vector, $p \ge m$, $C(x) \in \mathbb{R}^p$ is the output smooth vector field, $B(x) \in \mathbb{R}^{n \times m}$ and $D \in \mathbb{R}^{p \times m}$ denote the attack/fault distribution matrices. For notational convenience, and without affecting generality, the input distribution matrices can be partitioned as
Assumption (A1): $B_1(x)$, $D_1$ are of full rank. The attack/fault vector is partitioned accordingly as
Therefore, Eq. (5) can be rewritten as
where $d_x(t)$, $d_y(t)$ represent the state and the sensor attack vectors, respectively. Different attack strategies are shown in Table 1 and discussed in Section 1.
Since $p \ge m - m_1$, the system (8) can be partitioned using a nonsingular transformation $M \in \mathbb{R}^{p \times p}$
$y = My$ (9)
selected so that
Taking into account (10), system (8) is reduced to
where
The problem is to protect the closed loop system (11) from the sensor attack $d_y \in \mathbb{R}^{m - m_1}$ and state/plant attack $d_x(t) \in \mathbb{R}^{m_1}$ by means of designing fixed-gain and adaptive-gain SMOs that allow:
(a) reconstructing online the sensor attack $d_y$, the state/plant attack $d_x(t)$, and the plant states $x$ so that as time increases and.
(b) "cleanup" of the plant and sensors so that the dynamics of the CPS under attack (11) approaches, : (13) as time increases, to.
Note that Eq. (13) represents the compensated CPS that converges to CPS without attack as time increases.

Results: secure state estimation
In this chapter, for the linearized case of the system in Eq. (5), two SMOs for state estimation and attack reconstruction are discussed. Two other SMO strategies for nonlinear system (5) are also proposed and investigated.

Attack reconstruction in linear system via filtering by adaptive sliding mode observer
Consider the linearized system in Eq.

System's transformation
Considering system Eq. (14) and assuming assumption (A1) holds, then as shown in [29] there exists a matrix $N \in \mathbb{R}^{(n-p) \times n}$ such that the square matrix
is nonsingular and the change of coordinates $x \mapsto T_c x$ creates, without loss of generality, a new state-space representation
After the linear change of coordinates, the CPS Eq. (14) is rewritten as
is observable [31]. Defining a further change of coordinates
× p is the design matrix, then the system Eq. (17) can be rewritten as
is observable, there exist choices of the matrix $L$ so that the matrix $\tilde{A}_{11}$
The attack $d(t)$ and its derivative are norm bounded, i.e.,
Since $p > m$, there exists a nonsingular scaling matrix $Q \in \mathbb{R}^{p \times p}$ such that
where $D_2 \in \mathbb{R}^{m \times m}$ is nonsingular. Define $y$ as the scaling of the measured outputs $y$ according to $y = Q y$. Partition the output of the CPS into unpolluted measurements $y_1 \in \mathbb{R}^{p-m}$ and polluted measurements $y_2 \in \mathbb{R}^m$ as
Scale state component $x_2$ and define $x_2 = Q x_2$. Then Eq. (18) can be rewritten as
where
Consequently the system in Eq. (21) can be written in partitioned form as
where $A_{11}$ is Hurwitz and the virtual measurement $y_1$ presents the protected measurements and $y_2$ shows the attacked/corrupted measurements.

Attack observation
An SMO is proposed to reconstruct the attack in order to clean up the measurements and states and to allow the use of clean measurements in the control signal.
Define a (sliding mode) observer for the system Eq. (22) as
is conformal with the partition of $x$ in Eq. (22). In Eq. (23), $\upsilon$ is a nonlinear injection signal that depends on $(y_2 - z_{22})$ and is used to induce a sliding motion in the estimation error space, and and $A^s_{33} \in \mathbb{R}^{m \times m}$ are user-selected Hurwitz matrices, while $A^s_{33}$ is symmetric negative definite. The injection signal $\upsilon \in \mathbb{R}^m$ is defined as
where scalar gain $\rho$ will be defined in the sequel, and $\eta$ is a positive design scalar.
and by direct substitution from Eqs. (22) and (23) that
The idea is to force a sliding motion on
The first main result, based on the SMO with the fixed-gain injection term, is formulated in the following theorem.
Then, as soon as the sliding mode is established in finite time in Eq. (27) on the sliding surface Eq. (28) by means of the injection term Eq.
where $\upsilon_{eq}$ is the equivalent injection term [31] and a close approximation of $\upsilon_{eq}$ can be obtained in real time by low-pass filtering of the switching signal Eq. (25) [29]. Replacing $\upsilon_{eq}$ by this approximation in Eq. (30) gives
Proof of Theorem 1 is omitted for brevity.
Remark 1: The SMO (31) is a dynamic filter that allows reconstructing the time-varying attack $d(t)$. This filter is the main novel feature of the proposed observer.

Adaptive-gain attack observer design
In Eq. (29), it was assumed that the perturbation term $\varphi$ is locally norm-bounded and $\rho > 0$ in Eq. (25) is known. In many practical cases, the bound on the attacks is unknown, and the gain of the sliding mode injection term Eq. (25) in the fixed-gain observer in Eq. (23) can be overestimated. The gain overestimation could increase chattering that is difficult to attenuate.
The constant gain $\rho > 0$ can be replaced by an adaptive gain $\rho(t)$ by applying the dual layer nested adaptive sliding mode observation algorithm [32], i.e.,
A sufficient condition to ensure sliding on $e_{y_2} = 0$ in finite time is
An error signal is defined as
where the scalars $0 < \alpha < 1$, $\varepsilon > 0$. The adaptation dynamics of $\rho(t)$ in Eq. (32) is defined as [32].
where the time-varying scalar $r(t) > 0$ satisfies an adaptive scheme. It is assumed that $r(t)$ has the structure
where $\ell_0$ is a fixed positive scalar. The evolution of $\ell(t)$ is chosen to satisfy an adaptive law [32]:
where $\gamma > 0$, $\sigma_0 > 0$ are design scalars. The second main result is summarized in Theorem 2:
Theorem 2: Consider the system in Eq. (27) and and assume that $|a(t)| < a_0$, $|\dot{a}(t)| < a_1$, where $a_0$ and $a_1$ are finite but unknown. An SMO is designed as in Eq. (23) with the adaptive injection term in Eqs. (32)-(37). If $\varepsilon > 0$ in (34) is chosen to satisfy
for any given $\sigma_0$, $q > 1$, and $0 < \alpha < 1$, then the injection term (32) exploiting the dual layer adaptive scheme given by Eqs.

State estimation and attack reconstruction in linear systems by using super twisting SMO
Consider the completely observable linearized system Eq. (11) with where

Assumption (A5):
The number of uncorrupted/protected measurements is equal to or larger than the number of state/plant attacks, i.e., $p_1 = p - (m - m_1) \ge m_1$. The system Eq. (40) is assumed to have an input-output vector relative degree $r = \{r_1, r_2, \dots, r_{p_1}\}$, where relative degree $r_i$ for $i = 1, 2, \dots, p_1$ is defined as follows:
Without loss of generality, it is assumed that $r_1 \le \dots \le r_{p_1}$.
where integers $1 \le r_{\alpha_i} \le r_i$ are such that $\operatorname{rank}(C_a B) = \operatorname{rank}(B)$ and $r_{\alpha_i}$ are chosen such that $\sum_{i=1}^{p_1} r_{\alpha_i}$ is minimal. The following SMO [33] is used to estimate the states of system Eq. (40):

Attack observation
where the matrices of appropriate dimensions $G_l$ and $G_n$ are to be designed, and $\upsilon_c(\cdot)$ is an injection vector
where $\rho > 0$ is larger than the upper bound of unknown input $d(t)$. The definition of the symmetric positive definite matrix $P$ can be found in [33]. The auxiliary output $y_a$ is defined by
where the constituent signals in Eq. (45) are given from the continuous second-order sliding mode observer as
for $1 \le i \le p_1$, with
The scalar function $E_i$ is defined as
and the continuous injection term $\nu(\cdot)$ is given by the super twisting algorithm [34]:
Theorem 3: Assuming the assumptions (A5) and (A6) hold for system Eq. (40), then state/plant attacks are reconstructed as follows:
Proof: Defining the state estimation error as $e = x - \hat{x}$ and the augmented output estimation error $e_y = C_a x - y$ with $e_y = \left(e_1^1, \dots, e_1^{r_{\alpha_i}-1}, \dots, e_{p_1}^1, \dots, e_{p_1}^{r_{\alpha_i}-1}\right)$, then it follows that
By choosing suitable gains $\lambda_s$ and $\beta_s$ in the output injections Eq. (49), then.
for all $t > T$ [33]. Then, the error dynamics Eq. (52) is rewritten as
Since $\operatorname{rank}(C_a B_1) = \operatorname{rank}(B_1)$ and by assumption the invariant zeros of the triple $(A, B, C_a)$ lie in the left half plane, based on the design methodologies in [35],
It follows that $e = 0$ is an asymptotically stable equilibrium point of Eq. (52) and dynamics are independent of $d_x(t)$ once a sliding motion on the sliding manifold $s = C_a e = 0$ has been attained. During the sliding mode
where $(\upsilon_c)_{eq}$ is the equivalent output error injection required to maintain the system on the sliding manifold. Since $C_a B_1$ is full rank, the attack reconstruction is obtained as (50). According to (A1), $D_1$ is full rank; then sensor attacks in Eq. (40) are reconstructed
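The two ways of reading an attack off an injection signal, low-pass filtering a discontinuous fixed-gain injection and using the continuous super twisting injection directly, can be compared on a scalar plant. The following Python code is an added example, not code from the chapter: it assumes a plant $\dot{x} = -x + d_x(t)$ with a protected measurement $y = x$, a constructed attack signal, the scalar injection $\rho\,\mathrm{sign}(e)$ with a first-order filter, and the standard form of the super twisting term; the gains, filter constant and step size are assumed values.

```python
import math

def attack(t):
    """Constructed plant attack d_x(t): switched on at t = 1 s, with |d'| <= 1."""
    return 0.5 * math.sin(2.0 * (t - 1.0)) if t >= 1.0 else 0.0

def sign(v):
    return (v > 0) - (v < 0)

def simulate(t_end=6.0, dt=2e-4, rho=2.0, tau_f=0.05, k1=3.0, k2=3.0):
    """Return the worst reconstruction errors over t >= 3 s as
    (low-pass filtered sign injection, super twisting injection)."""
    x = 0.2          # assumed plant dx/dt = -x + d_x(t), protected output y = x
    z1 = z2 = 0.0    # the two observer states, started with an estimation error
    nu_f = 0.0       # filtered switching signal, approximates the equivalent injection
    w = 0.0          # integral part of the super twisting term
    worst_filtered = worst_st = 0.0
    for k in range(int(round(t_end / dt))):
        t = k * dt
        d, y = attack(t), x
        # Observer 1: discontinuous fixed-gain injection, rho must exceed |d_x|.
        nu1 = rho * sign(y - z1)
        nu_f += dt / tau_f * (nu1 - nu_f)
        # Observer 2: continuous super twisting injection, k2 must exceed |d_x'|.
        e2 = y - z2
        nu2 = k1 * math.sqrt(abs(e2)) * sign(e2) + w
        w += dt * k2 * sign(e2)
        if t >= 3.0:
            worst_filtered = max(worst_filtered, abs(nu_f - d))
            worst_st = max(worst_st, abs(nu2 - d))
        # Forward Euler step of the plant and of both observers dz/dt = -y + nu.
        x += dt * (-x + d)
        z1 += dt * (-y + nu1)
        z2 += dt * (-y + nu2)
    return worst_filtered, worst_st

if __name__ == "__main__":
    filtered, st = simulate()
    print(f"worst |d_hat - d_x| for t >= 3 s: "
          f"filtered sign injection {filtered:.4f}, super twisting {st:.4f}")
```

The filtered estimate carries the phase lag of the filter plus switching ripple, while the super twisting injection tracks the time-varying attack to within the discretization error; raising `rho` beyond what the attack bound requires enlarges the ripple, which is the chattering cost of gain overestimation.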

The state and disturbance observer for nonlinear systems using higher-order sliding mode differentiator
Consider the locally stable system Eq. (11) where $y_1$ and $B_1(x)$ are smooth vector fields defined on an open $\Omega \subset \mathbb{R}^n$. According to (A5), we consider $p_1 = m_1$ here. The following properties introduced by Isidori [36] are assumed for $x \in \Omega$. Assumption (A7): The system in Eq. (11) is assumed to have vector relative

Assumption (A8):
The following Lie derivative matrix is of full rank.
With an involutive distribution $\Gamma$ as defined in (A9), it is always possible to identify the variables $\eta_{r+1}(x), \dots, \eta_n(x)$ which satisfy
Assumption (A10): The norm-bounded solution of the internal dynamics $\dot{\gamma} = g(\delta, \gamma)$ is assumed to be locally asymptotically stable [29]. If assumption (A9) is satisfied, then it is always possible to find $n - r$ functions $\eta_{r+1}(x), \dots, \eta_n(x)$ such that
is a local diffeomorphism in a neighborhood of any point $x \in \Omega \subset \Omega \subset \mathbb{R}^n$, i.e.,
In order to estimate the derivatives $\delta_{ij}(t)$ $\forall i = 1, \dots, m_1$, $\forall j = 1, \dots, r_i$ of the output $y_i$ in finite time, higher-order sliding mode differentiators [28] are used here for $i = 1, \dots, m_1$. By construction,
Therefore, the following exact estimates are available in finite time:
Next, integrate Eq. (60) with $\delta$ replaced by $\hat{\delta}$; estimate of internal dynamics is
and with some initial condition from the stability domain of the internal dynamics, an asymptotic estimate $\hat{\gamma}$ can be obtained locally
Therefore, the asymptotic estimate for the mapping (63) is identified as
Since the finite-time exact estimates $\hat{\dot{\delta}}_{i r_i}$ of $\dot{\delta}_{i r_i}$, $\forall i = 1, \dots, m_1$ are available via the higher-order sliding mode differentiator, and using the estimates $\hat{\delta}$, $\hat{\gamma}$ for $\delta$, $\gamma$, an asymptotic estimate $\hat{d}(t)$ of disturbance $d(t)$ in Eq. (11) is identified as [28]. (72)
Finally, $\hat{x}(t)$ and $\hat{d}(t)$ are obtained from Eqs. (71) and (72).

Remark 3:
The convergence $\hat{d} \to d$ can be achieved only locally and as time increases due to the local asymptotic stability of the norm-bounded solution of the internal dynamics $\dot{\gamma} = g(\delta, \gamma)$. However, convergence will be achieved in finite time if the total relative degree $r = n$ and no internal dynamics exist.
Considering Eq. (11) and that $D_1$ is full rank, the sensor attack can be reconstructed as

Attack reconstruction in nonlinear system by sparse recovery algorithm
In some applications, there are a limited number of measurements, $p$, and more sources of attack, $m$. Previously, we investigated the cases where $p > m$. Now, consider system (5) with more attacks than measurements, $m > p$.
Notice that a more general format of (5) is considered here where matrix $D$ is a function of $x$ as well.
Assumption (A11): Assume that the attack vector $d(t)$ is sparse, meaning that numerous attacks are possible, but the attacks are not coordinated, and only few nonzero attacks happen at the same time.

Sparse recovering algorithm
The problem of recovering an unknown input signal from measurements is well known as a left invertibility problem, as seen in several works [30,37], but this problem was only treated in the case where the number of measurements is equal to or greater than the number of unknown inputs. The left invertibility problem in the case of fewer measurements than unknown inputs has no solution or, more exactly, has an infinity of solutions.
In particular, the objective of exact recovery under sparse assumptions, denoted for the sake of simplicity as "sparse recovery" (SR), is to find a concise representation of a signal using a few atoms from some specified (over-complete) dictionary,
where $s \in \mathbb{R}^N$ are the unknown inputs with no more than $j$ nonzero entries, $\xi \in \mathbb{R}^M$ are the measurements, $\varepsilon_0$ is a measurement noise, and $\Phi \in \mathbb{R}^{M \times N}$ is the dictionary where $M \ll N$.
Definition 1: The Restricted Isometry Property (RIP) condition of $j$-order with constant $\varsigma_j \in (0, 1)$ ($\varsigma_j$ is as small as possible for computational reasons) of the matrix $\Phi$ yields
for any $j$-sparse signal $s$. Considering $\Gamma$ as the index set of nonzero elements of $s$, then Eq. (75) is equivalent to [23]:
where $\Phi_\Gamma$ is the sub-matrix of $\Phi$ with active nodes. The problem of SR is often cast as an optimization problem that minimizes a cost function constructed by leveraging the observation error term and the sparsity inducing term [37], i.e.,
In Eq. (77) the original sparsity term is the quasi norm $|s|_0$; but as long as the RIP conditions hold, it can be replaced by $\Theta(s) = \|s\|_1 \triangleq \sum_i |s_i|$. Note that $\lambda > 0$ in Eq. (77) is the balancing parameter and $s^*$ is the critical point, i.e., the solution of Eq. (74). Typically, for sparse vectors $s$ with $j$-sparsity, where $j$ must be equal to or smaller than $\frac{M-1}{2}$ [37], the solution to the SR problem is unique and coincides with the critical point of Eq. (74) provided that the RIP condition for $\Phi$ with order $2j$ is verified. In other words, in order to guarantee the existence of a unique solution to the optimization problem Eq. (74), $\Phi$ should satisfy the restricted isometry property [37].
Under the sparse assumption of $s$ and the fulfillment of the $j$-RIP condition of the matrix $\Phi$, the estimation algorithm proposed in [37] is
where $v \in \mathbb{R}^N$ is the state vector, $\hat{s}(t)$ represents the estimate of the sparse signal $s$ of (74), and $\mu > 0$ is a time-constant determined by the physical properties of the implementing system. $(\cdot)$ is a continuous soft thresholding function:
where $\lambda > 0$ is chosen with respect to the noise and the minimum absolute value of the nonzero terms.
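The recovery dynamics can be exercised on the dimensions of the case study (three corrupted measurements, six possible attack sources, one active at a time). This Python code is an added example, not the chapter's own: it assumes the standard locally competitive form $\mu \dot{v} = \Phi^T \xi - v - (\Phi^T \Phi - I)\hat{s}$, $\hat{s} = T_\lambda(v)$ with soft threshold $T_\lambda$, which may differ in detail from the algorithm of [37], and the dictionary `D_OMEGA`, the attack amplitudes, $\lambda$, $\mu$ and the Euler step are constructed values.

```python
import math

def soft_threshold(v, lam):
    """Continuous soft thresholding: zero inside [-lam, lam], shrunk by lam outside."""
    return math.copysign(max(abs(v) - lam, 0.0), v)

def lca_recover(Phi, xi, lam=0.05, mu=1.0, dt=0.05, tol=1e-12, max_steps=200000):
    """Integrate mu*dv/dt = Phi^T xi - v - (Phi^T Phi - I) a, a = soft_threshold(v),
    by forward Euler until v stops moving; returns the sparse estimate a."""
    M, N = len(Phi), len(Phi[0])
    b = [sum(Phi[r][i] * xi[r] for r in range(M)) for i in range(N)]
    # Lateral inhibition weights Phi^T Phi - I (zero diagonal for unit-norm columns).
    W = [[sum(Phi[r][i] * Phi[r][j] for r in range(M)) - (1.0 if i == j else 0.0)
          for j in range(N)] for i in range(N)]
    v = [0.0] * N
    for _ in range(max_steps):
        a = [soft_threshold(x, lam) for x in v]
        dv = [(dt / mu) * (b[i] - v[i] - sum(W[i][j] * a[j] for j in range(N)))
              for i in range(N)]
        v = [v[i] + dv[i] for i in range(N)]
        if max(abs(x) for x in dv) < tol:
            break
    return [soft_threshold(x, lam) for x in v]

R = 1.0 / math.sqrt(2.0)
# Constructed 3x6 sensor attack distribution matrix with unit-norm columns:
# six attack sources map onto three corrupted speed measurements.
D_OMEGA = [[1.0, 0.0, 0.0, R, 0.0, R],
           [0.0, 1.0, 0.0, R, R, 0.0],
           [0.0, 0.0, 1.0, 0.0, R, R]]

def residual(D, d_y):
    """Measurement residual xi = D d_y, i.e. corrupted output minus state estimate."""
    return [sum(row[j] * d_y[j] for j in range(len(d_y))) for row in D]

def active_channels(d_hat):
    """Indices of the attack sources the estimate declares nonzero."""
    return [i for i, x in enumerate(d_hat) if x != 0.0]

if __name__ == "__main__":
    # Two constructed snapshots, each with a single active attack source.
    for d_y in ([0, 0, 0, 0.8, 0, 0], [0, 0, -0.6, 0, 0, 0]):
        d_hat = lca_recover(D_OMEGA, residual(D_OMEGA, d_y))
        print(active_channels(d_hat), [round(x, 3) for x in d_hat])
```

The recovered amplitude is smaller in magnitude than the injected one by `lam`, the bias of soft thresholding, so the identified channel is exact while the amplitude needs the threshold added back.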

Attack reconstruction
The measured output under attack $y$ of the system Eq. (5) is fed to the input of the low-pass filter that facilitates filtering out the possible measurement noise
Remark 4: The derivatives $\dot{\Upsilon}_{1 r_1}, \dots, \dot{\Upsilon}_{p r_p}$ are computed exactly in finite time using higher-order sliding mode differentiators [28] discussed in Eqs. (65) and (66).

Case study
Consider the mathematical models (1)-(4) of the US Western Electricity Coordinating Council (WECC) power system [8] with three generators and six buses (Figure 1) when the sensors of the generator speed deviations from synchronicity are under stealth attack and plant is under deception attack.

Simulation setup
a. The three sensors of rotor angles, $\delta \in \mathbb{R}^3$, are assumed protected from attack, but the three sensors of the generator speed deviations from synchronicity, $\omega \in \mathbb{R}^3$, are assumed to be attacked.
b. The $B_{1\omega} = I_3$, $B_{1\theta} = 0_{6 \times 3}$, $D_\delta = 0_{3 \times 6}$ are given, and then Eq. (88) is reduced to
In the first step of attack reconstruction, $d_x(t)$ is estimated by using protected measurements $y_1$ and the SMO described in Section 5.2. It is easy to verify that
where $C_{\delta i}$ is the $i$th row of $C_\delta$. The states of the system, $\hat{\delta}$, $\hat{\omega}$, and plant attacks $\hat{d}_x(t)$ are reconstructed using Eqs. (43) and (50). Then, $\hat{\omega}$ is used in Eq. (89) to find
$D_\omega d_y(t) = y_2 - \hat{\omega}$ (91)
There are six sources $d_{y1}, \dots, d_{y6}$ attacking three measurements $\omega_1, \omega_2, \omega_3$, and at any time, just one out of six attack signals is nonzero. The SR algorithm in Section 5.2 is applied to find $\hat{d}_y(t)$. The following attacks are considered for simulation.
Deception attacks $d_{x1}$, $d_{x2}$, and $d_{x3}$ are reconstructed very accurately as shown in Figures 4-6. The only nonzero sensor attack is detected and accurately estimated by using the SR algorithm as shown in Figure 7. In Figure 8a and 8b, the corrupted system outputs (which are system states in our case) are compared to the "cleaned" outputs that are computed by subtracting the estimated attacks from the corrupted sensors and actuators and to the system outputs when the system is not under attack.

Conclusion
Critical infrastructures such as the power grid, water resources, etc. are large interconnected cyber-physical systems whose reliable operation depends critically on their cyber substructure. In this chapter, cyber-physical systems whose sensors and/or states are under attack or experiencing faults are investigated. The sensor and state/plant attacks are reconstructed online by using fixed-gain and adaptive-gain sliding mode observers. As soon as the attacks are reconstructed, corrupted measurements and states are cleaned from attacks, and the control signal that uses cleaned measurements provides cyber-physical system performance close to the one without attack. The effectiveness of the proposed approach is shown by simulation results of a real electrical power network with sensors under stealth attack and states under deception attacks.