Vulnerability Analysis of Cyber-Physical Systems Represented as Sampled-Data Systems and Defense Techniques Against Undetectable Attacks

Abstract

Dissertation (Ph.D.) -- Seoul National University Graduate School: College of Engineering, Department of Electrical and Computer Engineering, 2020. 8. Hyungbo Shim (심형보).

The rapid evolution of communication networks and computation speed has led to the emergence of cyber-physical systems, in which traditional physical plants are controlled remotely using digital controllers. Unfortunately, the separation between the plant and the controller by network communication gives external adversaries a new chance to intrude into control systems, which are closely connected to human life and social infrastructure. For this reason, among the various issues of cyber-physical systems, security problems have gained particular attention from control engineers these days. This dissertation presents new theoretical vulnerabilities that are undetectable by the conventional anomaly detector and that arise from the mixture of continuous- and discrete-time components in cyber-physical systems, and it addresses countermeasures against such vulnerabilities. The specific subjects dealt with in the dissertation are as follows.

1) Zero dynamics attacks can be lethal to cyber-physical systems because they can be harmful to physical plants and impossible to detect. Fortunately, if the given continuous-time physical system is minimum phase, the attack is not so effective even if it cannot be detected. However, the situation can become unfavorable if one uses digital control by sampling the sensor measurement and using a zero-order hold for actuation, because of the 'sampling zeros.' When the continuous-time system has a relative degree greater than two and the sampling period is small, the sampled-data system must have unstable zeros, so that the cyber-physical system becomes vulnerable to the 'sampling zero dynamics attack.' In this dissertation, we present an idea to neutralize the zero dynamics attack for single-input and single-output sampled-data systems by shifting the unstable discrete-time zeros into stable ones.
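
An added example (not code from the dissertation): a check of where zero-order-hold sampling places the discrete-time zeros of the simplest relative-degree-r plant, the integrator chain 1/s^r. The plant choice and all function names are assumptions of this example; the roots are found with a Durand-Kerner iteration so that only the standard library is needed.

```python
# Added example: zeros of the zero-order-hold (ZOH) model of the plant 1/s^r.
from math import comb, factorial

def zoh_numerator(r, T=1.0):
    """Numerator (highest power first) of the ZOH pulse transfer function of 1/s^r.
    The denominator is (z - 1)^r; h[k] is the output at t = kT for a unit input
    held over the first sampling period only."""
    h = [0.0] + [((k * T) ** r - ((k - 1) * T) ** r) / factorial(r)
                 for k in range(1, r + 1)]
    a = [(-1) ** i * comb(r, i) for i in range(r + 1)]  # coefficients of (z - 1)^r
    # Multiply (z - 1)^r by sum_k h[k] z^-k and keep the polynomial part.
    return [sum(a[i] * h[j - i] for i in range(j)) for j in range(1, r + 1)]

def poly_roots(coeffs, iters=500):
    """All roots of a polynomial (highest power first) by Durand-Kerner iteration."""
    c = [x / coeffs[0] for x in coeffs]          # make the polynomial monic
    n = len(c) - 1
    z = [(0.4 + 0.9j) ** k for k in range(n)]    # standard distinct starting points
    for _ in range(iters):
        for i in range(n):
            p = sum(ck * z[i] ** (n - k) for k, ck in enumerate(c))
            q = 1
            for j in range(n):
                if j != i:
                    q *= z[i] - z[j]
            z[i] -= p / q
    return z

def sampling_zeros(r, T=1.0):
    """Discrete-time zeros of the sampled model of 1/s^r (there are r - 1 of them)."""
    return poly_roots(zoh_numerator(r, T))

def unstable_zeros(r, T=1.0, tol=1e-6):
    """Zeros strictly outside the unit circle (tol keeps a zero at -1 out)."""
    return [z for z in sampling_zeros(r, T) if abs(z) > 1 + tol]

if __name__ == "__main__":
    for r in range(1, 6):
        zs = sorted(sampling_zeros(r), key=abs)
        print(r, [round(z.real, 4) for z in zs], "unstable:", len(unstable_zeros(r)))
```

For r = 3 the zeros are -2 ± √3 regardless of T, so one of them lies outside the unit circle even though the continuous-time plant has no zeros at all.
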
The zero-shifting idea is realized by employing the so-called 'generalized hold,' which replaces the standard zero-order hold. It is shown that, under mild assumptions, a generalized hold exists which places the discrete-time zeros at desired positions. Furthermore, we formulate the design problem as an optimization problem whose performance index is related to the inter-sample behavior of the physical plant, and propose an optimal gain which alleviates the performance degradation caused by the generalized hold as much as possible. To verify the theoretical results, we apply the proposed strategy to a DC/DC converter with an electrical circuit.

2) The zero dynamics attack has usually been studied as a type of actuator attack, but it can also harm the physical plant through the sensor network. Specifically, when the system monitors abnormal behavior of the plant using an anomaly detector (fault detector), one can generate a zero dynamics attack on the sensor network that deceives the anomaly detector, by regarding the output of the plant and the residual of the anomaly detector as the new input and output of a target system. This sensor attack is not so effective when the plant is stable, even though the attack is still undetectable. Noting this point, we propose to reexamine the generalized hold as a countermeasure against the undetectable sensor attack. That is, using the fact that output feedback passing through the generalized hold can stabilize unstable systems when an appropriate hold function is selected, we show that the plant can be made safe from the undetectable sensor attack. Furthermore, to relieve the performance degradation caused by the generalized hold feedback, we employ a discrete-time linear quadratic regulator minimizing a continuous-time cost function.

3) In the sampled-data framework, most anomaly detectors monitor the plant's output only at discrete time instants.
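Consequently, abnormal behavior between sampling instants cannot be detected if the output behaves normally at every sampling instant. This implies that if an actuator attack drives the plant's state to pass through the kernel of the output matrix at each sensing time, then the attack compromises the system while remaining stealthy. This type of attack is always constructible when the sampled-data system has an input redundancy, i.e., the number of inputs being larger than that of outputs and/or the sampling rate of the actuators being higher than that of the sensors. Simulation results for the X-38 vehicle and other numerical examples illustrate that this new attack strategy may result in disastrous consequences.

With the rapid advances in the computation speed of digital devices and in network transmission speed, cyber-physical systems have begun to appear, in which classical control systems are controlled remotely over a network. Because the controller is separated from the controlled plant, such cyber-physical systems are exposed to the potential risk of being attacked by malicious external attack signals, and because they are closely tied to social infrastructure such as the supervisory control and data acquisition (SCADA) of power plants, the need for research on their security is being emphasized. Starting from the fact that a cyber-physical system consists of a continuous-time physical plant and a digital controller, this dissertation represents it as a sampled-data system discretized by a zero-order hold and a sampler, analyzes the theoretical vulnerabilities to cyber attacks that can arise from the combination of continuous time and discrete time, and presents solutions to them. Specifically, the dissertation covers the following three topics.

First, the dissertation shows that the zero dynamics attack, which is undetectable when injected through the input network using information on the unstable zeros of the system, is also possible using the sampling zeros that arise in sampled-data systems. Then, based on the fact that all discrete-time zeros of the discrete-time system can be assigned to the stable region when a generalized hold is used instead of the zero-order hold, it proposes replacing the zero-order hold with a generalized hold as a fundamental countermeasure against the zero dynamics attack. In addition, to minimize the performance degradation that occurs when the generalized hold is used, it presents a method of designing the generalized hold as a convex optimization problem.

Second, it shows that an undetectable sensor attack is possible using the zero dynamics of a system whose input is the output sensor network of the discrete-time system and whose output is the residual of the fault detector, and as a solution it proposes nullifying the effect of the attack by adding a feedback loop, using a generalized hold, from the discrete-time output to the continuous-time input.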
Also, to minimize the control performance degradation caused by this feedback loop, it proposes using a discrete-time optimal control technique that minimizes a continuous-time cost function.

Finally, when a multi-input multi-output (MIMO) sampled-data system in which the operating periods of the zero-order hold and the sampler are not the same is represented as a lifted system, and the inputs are redundant relative to the outputs, it finds a sufficient condition under which an undetectable attack through the input network is possible and proposes a design method that uses this condition to generate the attack signal.

1 Introduction
    1.1 Overview of Security Issues on Cyber-Physical Systems
    1.2 Contributions and Outline of Dissertation
    1.3 Preliminary: Characterization of detectable and undetectable attacks
2 Use of Generalized Hold in Sampled-data Systems to Counteract Zero Dynamics Attack
    2.1 Zero Dynamics Attack with Normal Form
        2.1.1 Continuous-time Linear Systems
        2.1.2 Sampled-data Linear Systems
        2.1.3 Simulation Result: Zero Dynamics Attack on Sampling Zeros
        2.1.4 Existing Countermeasures Against Zero Dynamics Attack
    2.2 Optimal Generalized Hold Function to Neutralize Zero Dynamics Attack
        2.2.1 Shifting discrete-time zeros by generalized hold
        2.2.2 Design of optimal generalized hold function with security guaranteed
        2.2.3 Simulation Results: Effect of Optimal Generalized Hold
    2.3 Illustrative Example for Closed-loop System
    2.4 Experiment: DC/DC Converter with Electrical Circuit
        2.4.1 Simulation Results
        2.4.2 Experiment Results
    2.5 Study on the Effect of Generalized Hold on Intrinsic Zeros of Nonlinear Systems under Fast Sampling
3 Use of Generalized Hold Feedback in Sampled-data Systems to Counteract Zero-dynamics Sensor Attack
    3.1 Undetectable Sensor Attack and its lethality
        3.1.1 Construction of Zero Dynamics Sensor Attack
        3.1.2 Simulation Results: Magnetic Levitation of a Steel Ball
    3.2 Strategy to Neutralize Zero Dynamics Sensor Attack and Relieve Performance Degradation
        3.2.1 Employing the generalized hold feedback to neutralize zero dynamics sensor attack
        3.2.2 Simulation Results: Effectiveness of the Generalized Hold
        3.2.3 DLQR under Consideration of Inter-sample Behavior
        3.2.4 Simulation Results: Effectiveness of DLQR with Continuous-time Performance Index
4 Masking Attack for Sampled-data System via Input Redundancy
    4.1 Problem Formulation
    4.2 Design of Masking Attack with Zero-stealthy and Disruptive Properties
        4.2.1 Clustering the Time Frame
        4.2.2 Conditions for Masking Attack Design
        4.2.3 Off-line Construction of Attack Signal
        4.2.4 Practical Stealthiness of Masking Attack with R \in R
    4.3 Simulation Results
        4.3.1 Numerical Example: R = 1 with δ = 0
        4.3.2 X-38 Vehicle: R = 4 with δ = 0
        4.3.3 Numerical Example: R = 0.4 with δ = 0.75
5 Conclusion of Dissertation
BIBLIOGRAPHY
Abstract in Korean

Docto
