The growing prevalence and severity of cyberattacks targeting process control systems (PCSs) have underscored the urgent need for strategies that not only detect these attacks but also isolate the compromised PCS components and mitigate their impact [1, 2]. A growing body of research has focused on designing cyberattack isolation schemes that use model-based observers to monitor system behavior. These observers estimate system outputs and analyze the residuals (the differences between measured and estimated outputs) for anomalous behavior indicative of cyberattacks, which is then used to isolate the attacks (e.g., [3, 4, 5]).
A critical yet often overlooked factor influencing the effectiveness of these schemes is the underlying control structure, which defines the selected manipulated inputs and measured outputs. In previous work, we uncovered this linkage between the underlying control structure and the ability to isolate cyberattacks [6]. Specifically, we formulated a screening methodology that considered cyberattack isolation an additional criterion when selecting control system structures. A key outcome of the screening methodology is the determination of control structures that enable guaranteed cyberattack isolation. However, these ideal structures may conflict with other key design goals, such as closed-loop performance, robustness to disturbances, and implementation feasibility [7, 8]. Additionally, some structures may rely on measurements that are not continuously available, such as sensors that require manual monitoring and data entry, or on costly analytical instruments like gas chromatographs, which are expensive to maintain and operate continuously. Consequently, such structures may not be favorable or feasible for sustained use under normal (attack-free) operating conditions.
These challenges underscore the need for alternative operational strategies that enhance cyberattack isolation without compromising other essential design criteria. In this work, we explore two such strategies. We consider a generalized class of false data injection attacks (FDIAs) targeting controller-actuator communication links and employ an unknown input observer (UIO)-based attack isolation scheme. The first approach involves actively reconfiguring the control structure by selectively removing specific manipulated inputs for cyberattack isolation—holding their values constant rather than allowing the controller to adjust them. If the process remains controllable, we show that this input removal can isolate specific attacks by allowing unknown input observers (UIOs) to be constructed that were previously infeasible. Second, we explore augmenting the isolation scheme with additional measurements from supplementary sensors. These may include sensors installed for redundancy or quality assurance purposes, but not connected to the control network. While not viable for real-time control, such sensors can still be accessed intermittently—through manual readings or lab results—to support attack isolation schemes. We demonstrate the effectiveness of these strategies using a chemical process and show that both approaches significantly enhance attack isolation performance compared to existing static designs.
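An added illustration, not code from the paper: it checks the standard necessary UIO existence condition rank(CE) = rank(E) for a bank of observers, each decoupled from every active actuator channel but one, before and after each of the two strategies. The rank condition, the observer-bank arrangement, the premise that an input held constant is no longer an attack channel, and the matrices A, B, C are assumptions or constructed values; detectability of the decoupled system is not checked.

```python
from fractions import Fraction

def rank(M):
    """Exact rank via Gaussian elimination on Fractions (no float tolerance)."""
    M = [[Fraction(x) for x in row] for row in M]
    r = 0
    for c in range(len(M[0]) if M else 0):
        p = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        for i in range(r + 1, len(M)):
            f = M[i][c] / M[r][c]
            M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
    return r

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def cols(B, idx):
    return [[row[j] for j in idx] for row in B]

def controllable(A, B):
    """Kalman test: rank [B, AB, ..., A^(n-1)B] == n."""
    n, blocks, P = len(A), [], B
    for _ in range(n):
        blocks.append(P)
        P = matmul(A, P)
    return rank([sum((blk[i] for blk in blocks), []) for i in range(n)]) == n

def isolable(C, B, active):
    """Active inputs j whose UIO (decoupled from every other active input)
    passes the necessary rank test rank(C E) == rank(E)."""
    out = []
    for j in active:
        E = cols(B, [k for k in active if k != j])  # attack channels to decouple
        if rank(matmul(C, E)) == rank(E):
            out.append(j)
    return out

# Constructed 3-state cascade with three actuators and two networked sensors.
A = [[-1, 0, 0], [1, -2, 0], [0, 1, -3]]
B = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
C = [[1, 0, 0], [0, 1, 0]]
C_AUG = C + [[0, 0, 1]]  # assumed off-network sensor on the third state

baseline = isolable(C, B, [0, 1, 2])         # full control structure
reduced = isolable(C, B, [0, 1])             # input 2 held constant
still_ok = controllable(A, cols(B, [0, 1]))  # controllability after removal
augmented = isolable(C_AUG, B, [0, 1, 2])    # supplementary measurement added
```

In this constructed case the full structure passes the rank test only for input 2; holding input 2 constant makes the observers for inputs 0 and 1 feasible while the process stays controllable, and the extra measurement makes all three feasible without removing any input.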
References
[1] T. Alladi, V. Chamola, and S. Zeadally, “Industrial control systems: Cyberattack trends and countermeasures,” Computer Communications, vol. 155, pp. 1–8, 2020.
[2] S. Parker, Z. Wu, and P. D. Christofides, “Cybersecurity in process control, operations, and supply chain,” Computers & Chemical Engineering, p. 108169, 2023.
[3] M. Kordestani and M. Saif, “Observer-based attack detection and mitigation for cyber-physical systems: A review,” IEEE Systems, Man, and Cybernetics Magazine, vol. 7, pp. 35–60, 2021.
[4] X. Wang, X. Luo, M. Zhang, Z. Jiang, and X. Guan, “Detection and isolation of false data injection attacks in smart grid via unknown input interval observer,” IEEE Internet of Things Journal, vol. 7, pp. 3214–3229, 2020.
[5] L. N. Lemma, S.-H. Kim, and H.-L. Choi, “An unknown-input-observer based approach for cyber attack detection in formation flying UAVs,” in Proceedings of AIAA Infotech@Aerospace Conference, San Diego, CA, Jan 2016. doi: 10.2514/6.2016-0916.
[6] A. Gajjar, M. J. Ellis, and N. H. El-Farra, “Cyberattack-aware control structure screening for controller-actuator false data injection attack isolation,” in Proceedings of the American Control Conference, Denver, CO, USA, July 2025, In Press.
[7] S. Skogestad, Control structure selection. Springer, 2021, pp. 381–394.
[8] A. Khaki-Sedigh and B. Moaveni, Control Configuration Selection of Nonlinear Multivariable Plants. Springer, 2009.