On the Stability of Cyber-Physical Control Systems with Sensor Multiplicative Attacks

To understand the impact of cyber-attacks on sensors in control systems, we present a stability analysis of a wide range of systems in this paper. Based on Lyapunov stability analysis, we formulate an optimization problem with constraints in the form of a set of linear matrix inequalities to find conservative bounds of stability related to the attacks, which can be analyzed simultaneously or one at a time. When considering the attacks one at a time, with the proposed formulation, we can find the most vulnerable output in the system, which can help the designer (i.e., the defender) to understand how to make the system more secure in case of multiplicative attacks on sensors. We show the effectiveness of our analysis with simulations based on the three tanks benchmark system.


I. INTRODUCTION
CYBER-PHYSICAL control systems are control systems of physical systems in which sensors, actuators, and controllers work on a network through a communication infrastructure. These systems have advantages such as reduced system wiring, low installation and maintenance costs, and increased flexibility and adaptation capability [1]. Cyber-attacks on control systems have received attention from both the information technology community and, most recently, the control community, given that once the attacker accomplishes the goal of hacking the network, the system needs to be able to react (or, at least, that is what is expected). In fact, from the control systems community, there are some very recent surveys in cyber-physical systems (CPS) security [2]-[5].
Cyber-attack detection is a subject that has received great interest recently, from two points of view: i) information security; and ii) secure control (see [2], [3], [6] and related references therein). The information security point of view focuses on IT-related aspects, such as access control, authentication, and message integrity. From the point of view of secure control methods, the focus lies on the physical part of the CPSs and uses control systems techniques. Some strategies in this field include Bayesian detection with binary hypothesis, weighted least squares approaches, $\chi^2$-detectors based on Kalman filters, and quasi-fault detection and isolation (FDI) techniques.
Those detection strategies deal with two main kinds of attacks: denial of service (DoS), and false data injection, or deception, attacks. Many efforts have been made towards the detection of deception attacks such as cover, replay, and zero-dynamics attacks [7]. Also, very closely related to detection, there have been many works showing the design of optimal stealthy deception attacks that exploit the weakness of systems. It is commonly accepted that cybersecurity techniques are more mature than secure control, but an interesting approach to explore is the simultaneous use of tools from the two above-mentioned approaches, e.g., a better security strategy could include encryption as well as a mitigation mechanism.
Over the last few years, the problem of secure state estimation, i.e., the capability of reconstructing the state even when the CPS of interest is under deception attacks, has gained considerable attention [8]-[10]. These works assume that there is an unknown but bounded number of false-data injections on the output sensors. In these works, the authors give a characterization of the maximum number of attacks that can be detected and corrected in order to reconstruct the state of the system. In [8] the authors also give the conditions under which the state cannot be reconstructed. For this work, the authors assume that the set of attacked nodes remains unchanged over time, i.e., the set of measurements and/or control inputs under attack is time-invariant. This last assumption is relaxed in [10], where the set of attacked nodes can change over time. The practical implementation of these approaches is reinforced in [10] with the inclusion of a Kalman filter. The aforementioned works show that the state reconstruction can be done successfully although a number of sensors are under attack. A recent survey on this subject is presented in [11].
VOLUME 4, 2021
Some features are examined for securing industrial control systems. In [12] and the references therein, the authors show that controllability, observability and operability are the most important features to analyze the security of an industrial control system. However, stability analysis is very critical in the evaluation of the safety of a control system. Some attacks could be focused on modifying the control system behavior, up to the point of making the system unstable. Stability is perhaps the most important property of control systems, since it allows the system to have a desired performance regarding robustness, resilience, and security. However, the stability implications of cyber-attacks have not received as much attention as expected for such an important characteristic. Most of the efforts have been directed to power systems applications, e.g., works dealing with transient stability [13], or attack effects in isolated power systems [14]. Something more general has been done related to stability implications of denial of service (DoS) attacks, and some other attack types in [7]. Mainly, the synthesis of new resilient controllers based on a series of techniques guarantees stability as part of the process, but not many authors have been interested in what happens to legacy cyber-physical control systems under attacks. However, in a recent work [15], the authors define some metrics to quantify the cyber-resilience level based on the design, structure, stability, and performance under the attack of a given CPS. The metrics provide reference points to evaluate whether the system is better prepared or not to face the adversaries. Therefore, it is possible to quantify the ability to recover from an adversary using its mathematical model based on actuator saturation.
The evaluation of the security in an industrial control system includes vulnerability analysis to false data injection attacks, identification of potential attacks, and the development of mechanisms that increase the difficulty of launching such an attack and that reduce and limit its effects [16].

Some recent work on the design of resilient controllers includes careful stability analysis together with the respective design of the control law. In [17] the stochastic finite-time stability criteria for a networked closed-loop control system is analyzed with the utilization of a mode-dependent piecewise Lyapunov-Krasovskii functional. There, a finite-time control law is presented while special attention is put on guaranteeing that, for a given fixed-time period, the system trajectories are expected to avoid exceeding a given physical threshold. Another networked control strategy is investigated in [18]. In this work, the Lyapunov and convex optimization theories are utilized to develop a class of discrete-time Takagi-Sugeno fuzzy networked singularly perturbed systems via an observer-based technique. An attack-resilient adaptive control law for networked control systems is explored in [19]. The control law in this work focuses on a design that ensures the stability and boundedness of the Markovian jumped systems with time-varying and time-invariant attacks. Additive and multiplicative attacks on both sensors and actuators are considered in this work. A common feature is to include stability analysis within the design technique [17]-[19]. However, to the best of our knowledge, no works are focused on finding controller vulnerabilities produced by attacks on sensors in control systems, and hence, quantification of the vulnerability level of sensors in an industrial control system facing false data injection attacks is an interesting gap that we investigate in this work.

In the present work, we consider two kinds of false data injection attacks on sensors of legacy cyber-physical control systems: i) additive attacks, which could be considered as external inputs; and ii) multiplicative attacks, which could be modeled as changes on the constant gain of the sensors. The effect of these two types of attacks on the stability of tracking closed-loop control systems is then analyzed and the vulnerability level of each sensor is quantified. We also use the attack detection, isolation, and mitigation mechanisms described in [20] to see if the considered attacks can be mitigated, finding that once the attacker succeeds in making the system unstable, secure state estimation and, therefore, the mitigation of the sensor attack cannot be achieved. We use some tools from robust control theory to formulate two equivalent optimization problems with LMI constraints, which allow us to find a conservative limit on the gain of each sensor of the system to determine which of the system outputs is more vulnerable to multiplicative attacks. Hence, the contribution of our work is twofold: i) we propose the formulation of an optimization problem to find bounds on multiplicative attacks on sensors that guarantee the system remains stable even if a sensor attack is acting on the control system; and ii) the stability analysis formulation gives comparative information on the vulnerability levels of existing sensors in a control system, which allows the definition of more demanding attacks to test mitigation mechanisms of attacks on sensors.
The paper is organized as follows. Section II shows the general setup of an already functional closed-loop control system, which might be subject to cyber-attacks. Section III shows the system model including attacks on sensors, and whether or not those attacks affect the system dynamics. Section IV shows the classic Lyapunov approach for the stability of discrete-time systems and, then, we show the condition for which we can find bounds on the attacks acting on the system with the purpose of making it unstable. In Section V, the three tanks benchmark system is used to show the effects of the attacks on system stability and its mitigation, when possible. Finally, in Section VI we draw some conclusions.

II. EXISTING SYSTEM SETUP
We consider a physical system that works with a digital controller in a closed-loop manner through a network, i.e., an existing cyber-physical control system, as the one depicted in Figure 1. The controller allows the system to maintain a specific behavior, where normally the system is able to follow a reference input and to maintain specific characteristics in the transient response. Since the real system is considered to be, in general, nonlinear, it has a behavior modeled as where $x(t) \in \mathbb{R}^n$, $u(t) \in \mathbb{R}^m$, and $y(t) \in \mathbb{R}^p$ are the system state, input, and output, respectively. The vector functions $f(\cdot)$ and $g(\cdot)$ are, in general, nonlinear functions that relate the system state and inputs with the state dynamics and the system outputs, respectively. Since the closed-loop system works with a digital controller, we consider that the controller is designed with the more straightforward approximation, i.e., a discrete-time linear approximation of the system, which can be expressed as where $x[k] \in \mathbb{R}^n$, $\tilde{u}[k] \in \mathbb{R}^m$, and $y[k] \in \mathbb{R}^p$ are the discrete-time system state, input, and output, respectively. Notice that the system input is not $u[k]$ but $\tilde{u}[k]$, which represents $u[k]$ after passing through the network. $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times m}$ and $C \in \mathbb{R}^{p \times n}$ are the dynamic, input, and output matrices of the system. This kind of system model defined by (2) can be obtained either by discretizing the linearization of the system around an equilibrium point or by learning the discrete-time model from input-output data, using an adequate sampling time, $T_s$, according to the closed-loop system dynamical behavior [21].
The controller that works with the system is considered to be a tracking control with state feedback, i.e., a servo system [22], represented as where $y_r[k] \in \mathbb{R}^p$ is the system reference input (the one the system is desired to follow), $\tilde{y}$  is obtained as a linear combination of the states, through the state feedback gain $K_S \in \mathbb{R}^{m \times n}$, and a linear combination of the error integral, through the integral gain $K_I \in \mathbb{R}^{m \times p}$.
As usual, we assume that not all the system states are available for implementing the part of the controller related to state feedback. In order to estimate system states, we use a full-order current observer [21], [23], with the following dynamics $x$ where $x[k]$ is the predicted estimate based on a model prediction from the previous time estimate, which is corrected by the measurement of the output becoming $x[k]$, and $L \in \mathbb{R}^{n \times p}$ is the observer gain that guarantees $A - LCA$ is Hurwitz, when $(A, CA)$ is observable.
Since the system and the controller are coupled by a network, the control signal received by the system is not $u[k]$ but $\tilde{u}[k]$, and the output signal received by the controller is not $y$ and $\tilde{y}$ The Kronecker delta function $\delta[\tau_k - i]$ is used to represent the random communication delays and stochastic data missing. The time delay $\tau_k$ is a random variable considered to be an integer multiple of the sampling time, $T_s$, introduced to describe the possibility of data missing as well as the size of the delay at time instant $k$.

summation, and $\tilde{u}[k] = 0$, the case where data is lost in the transmission through the network [24]. It should be emphasized that the system, controller, and observer described in this section are supposed to be properly designed and fully functional, because our focus is on the definition of the attacks and the analysis of their impact in terms of stability.

III. ATTACKED SYSTEM
Let us consider an attack on the system like the one depicted in Figure 2, with two different possibilities of false data injection attacks on sensors [7]: an additive one and a multiplicative one, in order to study the stability of the attacked system and to conclude regarding which one would be more harmful.

A. ADDITIVE ATTACK
We first consider the closed-loop system working with a controller and an observer, described by where $a[k] \in \mathbb{R}^p$ represents external attack signals in each of the outputs, and $F_a \in \mathbb{R}^{p \times p}$ is a matrix that indicates how the attack signals affect each output. Let us assume that the network has no perceptible effects on the signals whatsoever, that is $\tilde{u}$ . Therefore, the state equation for the control loop can be obtained from the system defined by (7a) with the control law in (7f)-(7g) and the attacked output in (7c), defining an extended state vector composed of the state variables and the integrator variables. That is Notice that the dynamic matrix of the equation has no terms related to the attack. In fact, the attack signal acts as an external input. Therefore, it is clear that this kind of attack does not affect the stability of the control loop, since the dynamic matrix remains the same as when there is no attack considered. Let us consider the state equation of the observer loop that can be obtained from the system defined in (7a), with the observer in (7d)-(7e) and the attacked output in (7c). It can be written as Notice, again, that the dynamic matrix of the equation has no terms related to the attack and it acts as an external input. That is, $a[k]$ does not affect the stability of the observer loop.
We can conclude from the prior analysis that additive attacks, where the attack signal is external, do not affect the stability of either the control or the observer loop and, therefore, do not affect the overall system stability.

B. MULTIPLICATIVE ATTACK
Let us consider the closed-loop control system of the previous section, disturbed with a sensor attack proportional to the state vector. That is, the same set in (7a)-(7g), but instead of (7c), we have $\tilde{y}$ where $\tilde{y}_a[k] \in \mathbb{R}^p$ represents a multiplicative attack on the output signal of a tracking feedback control system, modifying its value in a proportion determined by $C_a$ (after passing through the network). The structure for $C_m$ corresponds to considering each output associated with a single measured state variable. That is, let us consider sensor gains $k_i$, for $i = 1, 2, \dots, p$, for a system with $p$ outputs, each of them related to an output. Then, without loss of generality, we consider that the sensors are related to the first $p$ state variables (which can be easily arranged with an order modification of the state variables, through a basic transformation). Therefore, the structure for $C_m$ can be written as $C_a$ can be considered to have in some time window a similar structure. That is where $\alpha_i$ is the constant value that represents the attack on the $i$th output. Notice that for stability analysis purposes all $\alpha_i$ could be different from zero. In this case, the stability ranges will be more restrictive than considering only some of them different from zero, or even just one of them different from zero. With the previous structure for $C_{ai}$, it is easy to see that the attack on the $i$th output consists in modifying the measurement by the $i$th sensor in a proportional fashion. That is $\tilde{y}$ Now, let us show how this kind of attack affects the stability of the control and observer loops. In order to do that, we consider, as in the previous case, that the network has no perceptible effects on the signals whatsoever, i.e., $\tilde{u}$ For the control loop, the state equation can be obtained in the same way as we have obtained (8), but with the attack described as in (10).
Then, the state equation for the control loop can be written as (12) Notice that, unlike the additive case, the value of $C_a$ affects the dynamic matrix of the system and, therefore, the stability of the control loop.
For the observer loop, the state equation can be obtained as we have obtained (9), but with the attack described as in (10). Then, the state equation for the observer loop can be written as $x$ where, again, the value of $C_a$ affects the system dynamic matrix and the stability of the observer loop. After analyzing the stability effects of additive and multiplicative attacks, we can conclude that an attack as an external input does not affect system stability, whereas an attack proportional to the state may destabilize the system. Then, some questions arise in order to find ways of increasing system safety, such as: what are the attack values the system can handle? Or, what is the most vulnerable state? In the next section we propose a method to answer those questions.

IV. STABILITY ANALYSIS
In the previous section, we have shown that additive attacks do not affect the system stability, since the attack values do not affect the dynamic matrix of either the control or the observer loop. Also, we have shown that multiplicative attacks do modify the dynamic matrix of both the control and the observer loops and, therefore, can modify the stability of the closed-loop system. In this section, we use Lyapunov's second method for discrete-time systems and, with a parameterization of the attack, we come up with a way of finding conservative bounds on the attack values to guarantee closed-loop asymptotic stability of the system.

A. QUADRATIC LYAPUNOV STABILITY FOR DISCRETE-TIME SYSTEMS
We start with a very well-known result that establishes the conditions for the existence of a Lyapunov function for a discrete-time system, associated with the system state, and the asymptotic stability of the equilibrium point, shown in Theorem 1 [22]. Theorem 1. Consider a system of the form Then, the equilibrium state $x^* = 0$ is asymptotically stable in the large and $V(x)$ is a Lyapunov function.
Let us consider the following Lyapunov function candidate, where $P$ is a positive definite and symmetric Hermitian matrix. Then For asymptotic stability we require that $\Delta V(x[k]) < 0$. Therefore, For this equation to be satisfied, we need to solve the following linear matrix inequality (LMI)

B. QUADRATIC LYAPUNOV STABILITY FOR THE ATTACKED SYSTEM
We need to check the stability of both the dynamic matrix of the discrete-time closed-loop system and that of the observer.
In order to do that, we use Lyapunov theory, which for this kind of system establishes that the LMI in (16) should be satisfied. For the tracking feedback closed-loop system, from (12) we can see that and, for the observer, from (13) we can identify each of them designed to be stable for $C_a = 0$. Before introducing the main result of this work, let us introduce a lemma that will help to prove our result [25]. Lemma 1. Let $S$ and $Z$ be $q \times q$ symmetric positive-semidefinite matrices and $Y$ a $q \times q$ symmetric negative-semidefinite matrix. Suppose further that for all $w \neq 0 \in \mathbb{R}^q$. Then $\varepsilon^2 S + \varepsilon Y + Z < 0$, for some $\varepsilon > 0$.
Theorem 2 (General Stability). Let us assume that the system is described by where $\bar{A} = \bar{A}_n + \Delta\bar{A}$ and the matrix $\Delta\bar{A}$ is decomposed as a bounded norm uncertainty, i.e., $F$ represents the real unknown parameters, in this case the attacks, that satisfies $F^\top F \le 1$ and, $D$ and $E$ represent how the unknown values affect $\bar{A}$. The equilibrium state of the system in (18) is stable if and only if there exist a symmetric positive definite matrix $P$ and positive scalars $\alpha > 0$ and $\varepsilon > 0$ such that or, equivalently, if and only if there exist a symmetric positive definite matrix $P$ and positive scalars $\beta > 0$ and $\varepsilon > 0$ such that $\max \beta$
By hypothesis, we will consider $\bar{A}$ as a matrix with a bounded nominal uncertainty, that is, $\bar{A} = \bar{A}_n + \Delta\bar{A}$; this representation is the more general one. For the controller loop, we will have that we must have with For the observer loop, we will have that with Then, By (19), this corresponds to which can also be written in quadratic form as for all $X \neq 0$. Since we know that $F^\top F \le 1$, we can write whose left-hand side is negative. Then, squaring on both sides of the inequality, we have In order to rewrite the right-hand side of (27), we express $X = \begin{bmatrix} x^\top & y^\top \end{bmatrix}^\top$, obtaining

Using the triangle inequality, we have

which can be rewritten as which implies that the right-hand side is the maximum value that we are looking for. Therefore, we can rewrite (27) as Using Lemma 1, Adding up the matrices, we have which needs to be solved for $\varepsilon$, $\gamma$ and $P$ and, therefore, it is not an LMI. Finally, applying the Schur complement to each of the principal diagonal elements and defining $\alpha^{-1} = \varepsilon\gamma^2$, the problem of finding the upper limit for the attack so that the complete closed-loop system (controller together with observer) remains stable can be formulated as (20). If we only apply the Schur complement to the term $-P + \varepsilon^{-1} P D D^\top P$ in (32), the problem can be formulated as (21), with $\beta = \varepsilon\gamma^2$.
Notice that the previous result can be applied not only to systems with controllers as the ones defined in (3), but also to controllers in state-space representation. Therefore, the formulation proposed can be used with a wide range of systems.
Now, how can we use the results obtained in this section? Solving (20) or, equivalently, (21) for one attack at a time, we can find the most vulnerable variable of the system and, depending on the stability range of the attack value in such output, we can decide if it is necessary to reinforce the safety characteristics of the system. That is, if an attacker could easily destabilize the system, some actions are needed, like using some kind of encryption for the data. Also, this result could give us information about the hardest combination of attacks the system could handle before going unstable, and the most restrictive stability range derived from such a situation. In the following section we illustrate particularly the first situation.
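
The per-sensor analysis described above, as an added example (it is not the paper's code and not the Matlab listing the paper refers to): for each sensor it finds the largest constant multiplicative attack $\alpha_i$ that keeps a closed loop stable, then ranks the sensors by vulnerability. The plant, the gain K and the static output feedback are constructed assumptions, and each fixed $\alpha_i$ is tested with the Lyapunov equation behind Theorem 1, so the limits are exact for constant attacks rather than the conservative bounds of Theorem 2.

```python
"""Added example: per-sensor stability limits under multiplicative attacks.

All matrices are constructed (not the paper's model); static output feedback
u[k] = -K y_a[k] stands in for the paper's servo controller and observer.
"""
# Constructed plant: states 1 and 2 are measured and both feed state 3.
A = [[0.9, 0.0, 0.0],
     [0.0, 0.8, 0.0],
     [0.1, 0.2, 0.7]]
B = [[1.0, 0.0], [0.0, 1.0], [0.0, 0.0]]
K = [[1.2, 0.1], [0.0, 0.7]]      # assumed output-feedback gain
SENSOR_GAINS = [1.0, 1.0]         # k_i, the diagonal of C_m

def matmul(X, Y):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*Y)] for row in X]

def closed_loop(alphas):
    """A - B K (C_m + C_a) with C_a = [diag(alpha_i) 0]. An additive attack
    F_a a[k] only adds the input term -B K F_a a[k]; it never enters here."""
    n, p = len(A), len(SENSOR_GAINS)
    c_att = [[SENSOR_GAINS[i] + alphas[i] if i == j else 0.0 for j in range(n)]
             for i in range(p)]
    bkc = matmul(matmul(B, K), c_att)
    return [[A[i][j] - bkc[i][j] for j in range(n)] for i in range(n)]

def solve_lyapunov(Ab):
    """Solve Ab^T P Ab - P = -I for P; None if the linear system is singular."""
    n = len(Ab)
    size = n * n
    # Row (i, j) holds the coefficient of each P[k][l], then the right-hand side.
    M = [[Ab[k][i] * Ab[l][j] - (1.0 if (i, j) == (k, l) else 0.0)
          for k in range(n) for l in range(n)] + [-1.0 if i == j else 0.0]
         for i in range(n) for j in range(n)]
    for col in range(size):                  # Gauss-Jordan with partial pivoting
        piv = max(range(col, size), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-12:
            return None
        M[col], M[piv] = M[piv], M[col]
        for r in range(size):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    p_vec = [M[r][size] / M[r][r] for r in range(size)]
    return [p_vec[i * n:(i + 1) * n] for i in range(n)]

def is_positive_definite(P):
    """Cholesky attempt on the symmetric part of P."""
    n = len(P)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = 0.5 * (P[i][j] + P[j][i]) - sum(L[i][k] * L[j][k] for k in range(j))
            if i != j:
                L[i][j] = s / L[j][j]
            elif s <= 0.0:
                return False
            else:
                L[i][j] = s ** 0.5
    return True

def is_stable(Ab):
    """Theorem 1 test: asymptotically stable iff the Lyapunov solution P > 0."""
    P = solve_lyapunov(Ab)
    return P is not None and is_positive_definite(P)

def stability_limit(sensor, step=0.1, alpha_max=5.0, tol=1e-6):
    """Smallest positive alpha on one sensor that loses stability (inf if none
    up to alpha_max). Coarse scan, then bisection; shrink step if in doubt."""
    def stable_at(alpha):
        alphas = [0.0] * len(SENSOR_GAINS)
        alphas[sensor] = alpha
        return is_stable(closed_loop(alphas))
    grid = [k * step for k in range(int(round(alpha_max / step)) + 1)]
    hi = next((a for a in grid[1:] if not stable_at(a)), None)
    if hi is None:
        return float("inf")
    lo = hi - step
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if stable_at(mid) else (lo, mid)
    return 0.5 * (lo + hi)

def most_vulnerable_sensor():
    """Index of the sensor with the smallest limit, plus all limits."""
    limits = [stability_limit(i) for i in range(len(SENSOR_GAINS))]
    return limits.index(min(limits)), limits

if __name__ == "__main__":
    idx, limits = most_vulnerable_sensor()
    for i, lim in enumerate(limits):
        print(f"sensor {i + 1}: stable for 0 <= alpha < {lim:.4f}")
    print(f"most vulnerable output: sensor {idx + 1}")
```

For these constructed matrices the closed-loop eigenvalues can be read off by hand, which gives limits of 0.7/1.2 for sensor 1 and 1.8/0.7 - 1 for sensor 2, so sensor 1 is the more vulnerable output.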

V. NUMERICAL RESULTS
In order to see the implications on the closed-loop system stability of the false data injection attacks considered in Section III, we are going to simulate additive and multiplicative attacks on the original system, and on the system with a mitigation mechanism similar to the ones proposed in [27] and [20], in order to verify the severity of the attacks.
Let us consider the three tanks benchmark system [28]. The system modeling, parameters, operation point, and linearized model are the same as the ones utilized in [20], and for the reader's convenience are included next. The nonlinear dynamics of this system are obtained using first principles, which are based on the use of physical laws to describe the dynamic evolution of a system. In this specific case, a balance of mass is used to obtain the differential equations that are the model of the system [28], given by where the parameter description and values are shown in Table 1, and The schematic diagram of the system is shown in Fig. 3. The goal of this control system is to track the liquid level of two tanks ($L_1(t)$ and $L_2(t)$) in accordance with the two setpoints. For this case, we consider the system has three coupled tanks, with a level sensor for tanks 1 and 2 (i.e., two outputs), and two valves to regulate the intake flow in tanks 1 and 2 (i.e., two inputs). However, the state variables are the levels of the three tanks (i.e., there is no measurement in one of the three tanks).
The operation point of the system is obtained fixing the nominal intake flow as $u_1 = 3.5 \times 10^{-5}\ \mathrm{m^3/s}$ and $u_2 = 3.75 \times 10^{-5}\ \mathrm{m^3/s}$. Therefore, the operation point for the state variables of the system would be $h_1 = 0.4$ m, $h_2 = 0.2$ m, and $h_3 = 0.3$ m.
In order to use the stability analysis, a linear discrete-time model for the system is required. This linear model is obtained using input-output data. The data is used to estimate a discrete-time incremental linear state-space model, which is an approximation of the physical nonlinear system near the operation point. The discrete-time state-space model (2) is obtained using a sampling time $T_s = 1$ s as in [29], together with subspace identification techniques [30] and a similarity transformation. Therefore, the parameters of the model are given by The proposed control for this system given in [29] is a discrete-time controller as in (7f)-(7g), and feedback gains given by In order to implement the control law, we design a full order current observer as in (7d) The behavior of the closed-loop system is shown in Figure 4.
In order to show some interesting numerical results, we found through simulation that the stability limit for multiplicative attacks on output 1 is 0.553, whereas for output 2 it is 0.735. Since the behavior when attacking each output is quite similar, we will show attacks on output 2 (since the range of attacks is a little larger), to illustrate the effect of the attacks and how to use the results presented in this work.

Notice the attack signal is not random. What we have done is to sweep over a range of attack values that would cause a big impact on the system, for both the additive and multiplicative attacks. The selection of the attack signal is done taking into account the effect that this signal can cause on the system. Additive attacks are effectively external inputs whereas multiplicative attacks are changes in the model output matrix of the system.

A. ADDITIVE ATTACKS
where $f_{s1}$ and $f_{s2}$ are functions to soften the initial and final portions of the attacks, as and $t_1 = 900$ s and $t_2 = 1300$ s are the initial and final times of the attack, $f_i$ is the function that shapes the $i$th attack itself, in this case a pulse (between $t_1$ and $t_2$) of amplitude $a$, see Figure 5 for an example of attack signals with $a = -0.05$. In Figure 6 we can see the effect of the attacks defined by (35) for different values of $a$. There, we can notice that, no matter the sign or the magnitude of the additive attack, the shape of the attack effect on the outputs is the same and it never compromises system stability, as it was shown in the analysis in Subsection III-A. Also, it is important to mention that there can be attack magnitudes that will take the variables out of their feasible values, and that can cause malfunction of the closed-loop system. However, that is not an implication related to stability.

B. MULTIPLICATIVE ATTACKS
In this case, for $k$ when there is no attack, $C_a = 0$. Notice that we do not consider attacks that last the complete simulation time. That is, for the sake of comparison, we will see the implications of having a multiplicative attack on output 2 during the same time interval as the additive attack, that is, between $t_1$ and $t_2$. Now, we are going to use Theorem 2 to find the stability value interval for $b$. We have to analyze two systems to find such an interval, the controller loop and the observer loop.
Let us first consider the controller loop, with $\bar{A}_n$ as in (23) and $C_a$ defined as in (24) and parameterized as in (19). That is,

Therefore, solving (21), we find that $b \le 0.7871$. For solving (21), we use the Matlab® Robust Control Toolbox, as in the following code.

Notice that Anb = $\bar{A}_n$ defined as in (23) and a = $\beta$ from (21). Now, considering the observer loop, with $\bar{A}_n$ as in (25) and $C_a$ defined as in (26) and parameterized as in (19), we have where the notation $A(2,:)$ represents the second row of $A$, and $L(:,2)$ represents the second column of $L$. Solving (21) we find that $b \le 0.5189$. Therefore, given the separation principle [22], [23], we can guarantee the stability of the system if both loops (controller and observer) are stable. That is, the system is going to be stable for attacks with $b \le 0.5189$. Equivalent results were found solving (20). Notice that, as we mentioned before, using simulation, we find $b = 0.735$ for a critically stable system; a higher value than the one obtained solving (21), as expected, since the values obtained from that approach are more restrictive. Notice that we could do the same analysis for the stability of the system with attacks on output 1, modifying accordingly $C_a$ and $\Delta\bar{A}$ for both the controller and the observer loop. Solving (21), for the controller loop, we find that the system is stable for attacks up to 0.7909, and, for the observer loop, the system becomes unstable for attacks greater than 0.4989; and we could conclude that attacks on output 1 greater than 0.4989 will make the system unstable. Notice that, as we mentioned before, using simulation, we find the attack value for a critically stable system as 0.553, a less restrictive value than the one found solving (21). However, it is worth mentioning that the stability limits found solving either (20) or (21), even though being more restrictive, are consistent with the stability limits found by simulation. That is, we can find the most vulnerable output to multiplicative attacks solving (20) or (21), for the controller and the observer loops, for each output at a time, in a more efficient way than finding it through simulation (which is very time consuming).
In Figure 7 we can see the effect of the attacks defined in (10) for different values of b, where we can notice different system behavior depending on the sign and magnitude of the attack. For instance, for negative attacks, the larger the attack the larger the response peak time and the overshoot remains approximately the same. On the other hand, for positive attacks, the larger the attack magnitude the larger the overshoot up to achieving an unstable system (see Figure 10).

The former was expected, and it can be explained from the fact that, as we mentioned before, the $C_a$ matrix becomes part of the augmented dynamic matrix of the system $\bar{A}$; therefore, changes in $C_a$ move the system poles, modifying the system transient response. Now, in order to see how severe these attacks might be, we decide to mitigate them, if possible.

C. MITIGATION PROCESS
The mitigation process used here is similar to the one proposed in [27] and [31], using a bank of unknown input observers (UIOs), and reconfiguring the control signal as in [20]. Below, we describe how to design the UIOs and how to reconstruct the outputs without the effect of the attack.
The $j$th UIO is designed for a system with a state description as where vector signal $d_j[k] \in \mathbb{R}$ are disturbances, that in this case represent the effect of the sensor attacks in the state variables, considered different for each UIO; the matrix $E_j \in \mathbb{R}^{n \times 1}$ represents how the disturbances affect the system. Then, the $j$th UIO is described using the following state-space equation where $z_j[k] \in \mathbb{R}^n$ is the dynamic (first) approximation of the estimated state vector, $x_j[k] \in \mathbb{R}^n$ is the estimated state vector, which corresponds to the UIO that does not use the information of the $j$th output for the estimation process, i.e., $y_a^j[k]$ is the output vector $y_a[k]$ where the $j$th component is eliminated. $F_j \in \mathbb{R}^{n \times n}$, $T_j \in \mathbb{R}^{n \times n}$, $K_j \in \mathbb{R}^{n \times (p-1)}$ and $H_j \in \mathbb{R}^{n \times (p-1)}$ are design matrices such that the estimated state of the UIO, $x_j[k]$, converges to $x[k]$ without the attack effect, i.e., $F_a = 0$, for additive attacks, or $F_a = 0$, for multiplicative attacks. The $j$th UIO described by (40).
The design of the j th UIO consists in holding the following equivalences if that is possible, the estimation error will converge to zero and the UIO will estimate the system state. Attack detection and isolation processes are done as in [20]. Once the attack is detected, the attacked sensor signal is recalculated asỹ whereỹ j r [k] is the reconstruction of y[k] without the effect of the attack, where a j [k] is a binary signal that indicates whether or not there is an attack on the j th sensor, and where C j m is the j th row of the C m matrix,x j [k] is a state estimation insensitive to disturbances on j th sensor andx i [k] is a state estimation sensitive to disturbances on all but the i th sensor.
For the case of the three tanks benchmark system, we start with the design of the UIO bank. For UIO1 we have in order to decouple the influence of sensor 1 in the system state, to be able to estimate the state only with sensor 2 information. After the decoupling transformation is done on the system, the resulting transformed system turns out to have only one observable mode. Therefore, only one of the closed-loop UIO1 modes can be located, and we chose to locate it at $p_d = 0.001$. Given that the non-observable modes of the UIO are located at 0.9957 and 0.9707, the closed-loop poles of UIO1 will be located at 0.9957, 0.9707 and 0.0010.
Doing something similar for UIO2, we have Similar to the case of UIO1, after performing the decoupling transformation, we found again only one observable mode for the resulting system. That mode will be located at $p_d = 0.001$. The remaining non-observable modes are located at 0.9667 and 0.9890; since they are inside the unit circle (they are stable), the UIO can be designed. The modes of UIO2 will be located at 0.9667, 0.9890 and 0.0010.
Attack detection and isolation processes are done as mentioned in the previous section. Figures 8 and 9 show the result of mitigating the attack effects shown in Figures 6 and 7. There, we can see that the attack effect on the system has been reduced. Interestingly enough, for the mitigation of both kinds of attacks we get a sort of pulse response in both sensors; for positive multiplicative attacks we can notice longer oscillations (since the attack directly affects system stability). Also, we can notice that the effect on the non-attacked sensor is shorter than on the attacked one, whereas for the additive attacks the mitigated effect lasts almost the same in both sensors, and only the magnitude of the overshoot depends on the magnitude of the attack.
Finally, we show in Figure 10 an attack with magnitude bigger than the stability limit (specifically $b = 0.8$), where we can see classic unstable behavior for the attacked system without mitigation, with increasing oscillations until the system collapses. Notice that, in this case, the mitigation of the attack slightly diminishes the oscillation amplitude, allowing the system to work for a little bit longer, but it ends up collapsing. In any case, we can see that both kinds of attacks can be mitigated, but in the case of multiplicative attacks the mitigation is only possible when the attack magnitude is inside the range that allows the system to keep stability.

All program codes to easily replicate the above numerical results are included as supplementary material of this paper.

VI. CONCLUSIONS
In this paper, we show that multiplicative attacks, which are very simple, can directly affect the system stability. We use an LMI formulation to calculate a conservative value for the stability bounds. In this sense, we have utilized tools from robust control to quantify the maximum attack on each sensor before the system becomes unstable and collapses. If we use the stability bounds of the attack on one output at a time, we can find which output is more vulnerable to attacks, allowing the engineer in charge of the system to decide whether or not a sensor needs redundancy to enhance its resilience to cyber-attacks. Although the method produces conservative values for the maximum attack on each sensor, this result is novel and useful because it allows us to compare the vulnerability of each sensor with that of the other ones in the system. Also, in the simulations, we have shown that this kind of attack can be mitigated with previous approaches introduced in the literature, but once the attack is big enough to make the system unstable, the system cannot be recovered and the attack cannot be mitigated.
The proposed stability analysis can be used for attacks affecting the system simultaneously, at different times, and in as many outputs as desired. As expected, the more aggressive the scenario, the more restrictive the bounds to be found. Also, when analyzing simultaneous attacks, the information about the vulnerability of each output, which we have emphasized in the numerical results shown, becomes unclear.
Future work can be addressed on different fronts. The results presented in this work can be extended into the case in which measurement noise is included or, perhaps, to include nonlinear models. Also, it is important to design strategies to defend the most vulnerable system outputs, to avoid the attacker having access to sensor information and being able to perform multiplicative attacks.

APPENDIX A PROOF OF LEMMA 1
Proof of Lemma 1. Let us start by noticing that (17) holds for all $w$ and that the unit ball in $\mathbb{R}^q$ is compact. Since the left side of (17) is continuous in $w$, we can write $0 < \eta_1 \triangleq \min\{ (w^\top Y w)^2 - 4\, w^\top S w \, w^\top Z w : \|w\| = 1 \}$.