Real-Time Controller Reconfiguration for Delay-Resilient Cyber-Physical Systems

Networks in cyber-physical systems (CPSs) form feedback control loops between physical systems in the real world and control software in the cyber world. Malicious behaviors on the networks can increase network delays by exhausting limited network resources and exploiting security vulnerabilities, thereby destabilizing CPSs; this is termed the network delay attack. In this paper, we focus on the problem of how to guarantee the stability of CPS under the network delay attack. We propose a real-time controller reconfiguration to ensure the resiliency of the physical systems against the network delay attack. Our controller reconfiguration consists of two algorithms, controller gain tuning and access point (AP) handover, which provide delay tolerance and attack avoidance, respectively. Depending on the network delays, the computing system adopts one of these two algorithms and mitigates the physical impacts of the network delay attack. We validate that the proposed controller reconfiguration can ensure the resiliency of CPS against the network delay attack by implementing a testbed with wireless networks.

realistic network on NCSs, where a sequence of delays in the stability region can destabilize NCSs. Furthermore, the stability analysis of [12] shows that the stability condition depends on the controller design in the computing systems and the sampling period of the physical systems. An empirical study in [13] showed the impact of network delay attacks over a wireless network for a realistic drone control system. The study [13] considered the network delay attack as consumption of limited network resources, implemented as an Internet control message protocol (ICMP) flooding attack that transmits large ICMP packets within a short time interval. The experimental results in [13] showed that network delays caused by the ICMP flooding attack incur time-outs of sensor measurement deliveries, resulting in the activation of fail-safe mode on the drone system.

Controller reconfiguration techniques make control systems robust against cyber attacks and system faults. However, most studies mainly focus on sensor and actuator faults, or simple communication failure. In [14], a fault-tolerant control mechanism for power systems is proposed against sensor measurement failure. The proposed control mechanism augments legitimate sensor measurements to provide state estimation when the observability of the control system is lost through sensor faults or communication errors. The authors in [15] propose a virtual actuator (VA) method with a reconfiguration block in the feedback control loop, which does not require modification of the original controller. In [15], the power system has redundant actuators, and the VA method redirects control signals to the redundant actuators when actuation faults are detected. Furthermore, the study in [16] extends the VA method of [15] to multi-input multi-output (MIMO) control systems. When a certain actuator suffers a failure, the VA method in [16] redistributes control input signals to the other available actuators, which is independent of the actuator redundancy in [15]. Both VA methods in [15] and [16] mitigate the physical effects of the actuator fault and show a better settling time than the case without the VA.

For network delay attacks, most conventional studies consider network delays as constant. A fuzzy control method is proposed in [17], which simultaneously considers physical states and communication delays to ensure the stability of the control systems. The proposed method divides communication latency into three sections and provides proper control input signals to mitigate the delay effect in the physical systems. The study [18] proposed a piece-wise constant control technique for recovering control performance against various cyber-physical attacks, including a constant network delay attack. The proposed control technique estimates the effect of cyber-physical attacks and generates control input signals to stabilize the physical systems under the attacks by solving a linear programming problem. In [19], a machine learning (ML)-based safety guaranteeing strategy was proposed for power grid systems under a constant delay attack. The proposed strategy consists of an ML-based safety checking algorithm and two attack mitigation methods: proportional-integral-derivative (PID) controller gain adjustment and load shedding. If the PID gain adjustment cannot stabilize the power grid system, the proposed strategy sheds the load of the system.
A robust controller design mechanism is proposed in [20] against network delays and model uncertainty for power systems. The authors in [20] show that the proposed controller stabilizes the power system under bounded time-varying delays. The study [21] proposed a sampling rate optimization to mitigate the delay effect of an NCS with massive physical systems. Furthermore, study [21] formulated a physical insta-

where x(k) ∈ R^n is the state of the physical system with dimension n; A ∈ R^(n×n) is the system matrix; B ∈ R^n is the input matrix; u(t) ∈ R is the control input signal. For the LTI system (1), we assume that the matrix pair (A, B) is controllable.
The feedback control in CPS is conducted by exchanging

be controlled in the discrete-time domain. We consider a full-state feedback control system with a single control input signal u(t) in the discrete-time domain with sampling period t_s. The sensors on the physical system periodically collect and transmit the physical state x(k) in every time step k. Then, the computing system calculates and returns the control input signal u(k). The discrete-time model of the feedback control system with zero-order hold is given as follows:

where A_d is the system matrix in the discrete-time domain; B_d is the input matrix in the discrete-time domain; K ∈ R^(1×n) is the controller gain in the computing system. We assume that the controller gain K is appropriately selected to place the poles of the closed-loop control system model (2), i.e., the poles of the matrix A_d − B_d K lie inside the unit circle [22].
To utilize the NCS model under time-varying network delay proposed in [12], we consider the network delays τ_net to be bounded between the minimum delay bound τ_min and the maximum delay bound τ_max. We denote the time instant t_k^j as follows:

From the time instant t_k^j, we rewrite the discrete-time NCS model (2) as follows:

augmented state vector with the physical state x(k) and the delayed control inputs. For more details on the matrices Ã(t_k) and B̃(t_k) in the state space of the ξ dynamics (4), see [12].
By over-approximation of the matrices Ã(t_k) and B̃(t_k) in [12], we present a set of these matrices as linear combinations as follows:

where K̃ = [K 0_(1,d)]. If a positive definite matrix P exists in the LMIs (6) for a given controller gain K, the NCS in (3) remains stable under the attack-induced delays τ_net < τ_max [12].
In this section, we propose a delay-aware controller reconfiguration under network delay attacks. We consider a DC motor position control system as an example of a physical system. Based on the analysis of the physical system for network delays, we describe the details of the controller reconfiguration with two algorithms: controller gain tuning and AP handover. The controller gain tuning algorithm makes physical systems delay-tolerant by enlarging the maximum allowable delay bound τ_max beyond the attack-induced delay τ_net, providing seamless control to the feedback control system. The AP handover algorithm replaces the controller with a new one by re-establishing the control loop of the physical system, thereby neutralizing the attack. Furthermore, we assume that the CPS has multiple wireless networks and computing systems to apply the AP handover in the proposed controller reconfiguration.
We consider the well-known DC motor position control system as a physical system [24]. The control objective is to regulate the angle of the DC motor to zero by adjusting the input voltage. We adopt the second-order LTI model of the DC motor position control system as follows:

where x(t) = [θ(t) θ̇(t)]^T is the state vector of the DC motor system; θ(t) is the motor angle; k_m is the back-electromotive force constant; k_g is the gear ratio; J_m is the motor inertia; J_l is the load inertia; R_m is the motor armature resistance. For the motor system in (7), our main focus is on the stability of the physical system. In addition, we do not consider limits on the control input signals and state variables, in order to show the state divergence of the physical system due to network delay attacks. For the networks, we assume that all state variables of the physical system (7) are aggregated in one packet and transmitted at once. Therefore, state variables sampled simultaneously at a certain time have the same network delay τ_net.
We analyze the maximum allowable delay bound of the DC motor position control system model (7) using the LMIs (6). Fig. 2 shows the stability region of the DC motor position control system analyzed using the LMIs (6). Here, we numerically evaluate the delay bound τ_max by changing the controller gain K = [k_1 k_2].

Fig. 2 shows that the delay bound of the physical system can be enhanced by tuning the controller gain K.
Here, we assume that the computing systems measure the network delays using a suitable method. As shown in Fig. 2, the computing system cannot guarantee the stability of the

mitigated by the enhanced maximum allowable delay bound τ_max obtained from the updated controller gain K.
The controller gain tuning algorithm has no network overhead from a change of the sampling period t_s or a temporary network disconnection for a network policy update. Therefore, the controller gain tuning algorithm can provide seamless network delay attack mitigation with a fixed sampling period t_s. It is worth noting that the controller gain tuning algorithm reduces the control performance of the physical systems because of the trade-off between control performance and delay tolerance, as shown in Fig. 2.
When the attack-induced delay τ_net is beyond the stability region, the controller gain tuning algorithm cannot ensure the stability of the physical systems. In this case, the controller gain selection problem (8) has no solution. Then, we execute the AP handover algorithm to replace the computing system with a new one to maintain the stability of the physical system. We assume that there are two computing systems and two APs, as shown in Fig. 3, where the physical system is connected to controller 1 through AP 1. When the attack-induced delay τ_net is beyond the stability region, computing system 1 tries to solve problem (8). However, no controller gain can stabilize the physical system under the attack-induced delay τ_net. Then, controller 1 requests an AP handover from the physical system. The physical system disconnects the original link with AP 1 and tries to access AP 2. Finally, the physical system configures a new feedback control loop to computing system 2. The network handover eliminates the attack-induced delay τ_net and thus neutralizes its physical impact. We define the network overhead as the duration from the time the physical emulator receives an AP handover command from computing system 1 to the time it receives the first control input signal from computing system 2. The AP handover mechanism has some network overhead that degrades the control performance. In the AP handover request procedure, the AP handover request packet suffers
In this section, we evaluate the resiliency of the proposed controller reconfiguration under the network delay attack. We implement a wireless NCS testbed, as shown in Fig. 4.
Then, we validate the control performance recovery of the physical system for controller gain tuning and AP handover.

RTT noise, we use the moving average (MA) as follows:

where RTT(k) is the network delay in time step k; RTT_MA(k) is the MA of the measured delays; W is the MA window size. From repeated trials of the RTT measurements in the testbed, we select the window size W as 3, which produced no false-positive alarms. The proposed controller determines the intensity of the attack-induced delay τ_net from RTT_MA(k) and selects the algorithm accordingly.
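As an added illustration (not code from the paper or its testbed), the following Python reproduces the decision logic described above on a constructed second-order plant: the current gain is kept while it tolerates the whole-step delay implied by the RTT moving average (W = 3), a more delay-tolerant gain is substituted when it does not, and an AP handover is requested when no candidate gain survives. The plant matrices, sampling period, candidate gains and RTT samples are constructed assumptions, and delay tolerance is checked by simulation rather than by the paper's LMIs (6) or optimization problem (8).

```python
"""Delay-aware reconfiguration decision for a 2-state sampled-data NCS."""
import math

TS = 0.01                                   # sampling period t_s [s] (constructed)
# Constructed 2nd-order plant (angle, angular rate), Euler-discretised with t_s.
A_D = [[1.0, TS], [0.0, 1.0 - 10.0 * TS]]  # A_d
B_D = [0.0, 100.0 * TS]                    # B_d

def tolerates_delay(K, d, steps=3000, x0=(1.0, 0.0)):
    """Simulate x(k+1) = A_d x(k) + B_d u(k-d) with u(k) = -K x(k) and report
    whether the state contracts. Numerical check by simulation, standing in
    for the paper's LMI-based delay bound (not the paper's own method)."""
    x = list(x0)
    pending = [0.0] * d                    # inputs in flight: u(k-d) .. u(k-1)
    peak_late = 0.0
    for k in range(steps):
        pending.append(-(K[0] * x[0] + K[1] * x[1]))   # u(k) enters the network
        u = pending.pop(0)                             # u(k-d) reaches the actuator
        x = [A_D[0][0] * x[0] + A_D[0][1] * x[1] + B_D[0] * u,
             A_D[1][0] * x[0] + A_D[1][1] * x[1] + B_D[1] * u]
        norm = math.hypot(x[0], x[1])
        if norm > 1e6:                     # clearly diverging
            return False
        if k >= steps // 2:
            peak_late = max(peak_late, norm)
    return peak_late < 1e-3                # decayed from ||x0|| = 1

def max_tolerated_delay(K, d_max=20):
    """Largest whole-step delay K survives (a delay bound tau_max in steps)."""
    best = -1
    for d in range(d_max + 1):
        if not tolerates_delay(K, d):
            break
        best = d
    return best

def rtt_moving_average(rtts, W=3):
    """RTT_MA(k): mean of the last W RTT samples (the paper uses W = 3)."""
    window = rtts[-W:]
    return sum(window) / len(window)

def reconfigure(rtts, gains, W=3):
    """Return ('keep', K), ('gain_tuning', K) or ('ap_handover', None).
    `gains` is ordered from the current (most aggressive) to the most tolerant;
    the measured delay is rounded up to whole sampling steps (conservative)."""
    d = math.ceil(round(rtt_moving_average(rtts, W) / TS, 6))
    for K in gains:
        if tolerates_delay(K, d):
            return ("keep" if K == gains[0] else "gain_tuning", K)
    return ("ap_handover", None)
```

With the constructed plant, the aggressive gain (20, 0.5) survives one step of delay while the gentler gain (5, 0.3) survives several, which is the performance-versus-tolerance trade-off the paper reads off Fig. 2.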
B. ATTACK SCENARIOS

We consider two types of ICMP flooding attacks to evaluate the recovery performance of controller gain tuning and AP handover.

However, there is no solution to the optimization problem (8) if the attack-induced delay τ_net is beyond the feasible stability region. Therefore, the controller gain tuning algorithm is insufficient to ensure the stability of the physical systems. In this case, computing system 1 sends an AP handover request packet to the physical system emulator. Then, the physical emulator disconnects from the existing wireless link through AP 1 and attempts to access AP 2. During the AP handover, the physical emulator holds the last control input signal u(k) until it receives a new control input signal from computing system 2. After the AP handover, computing system 2 conducts feedback control to recover the control performance of the physical emulator from the damage caused by the ICMP flooding attack.

First, we analyze the control performance recovery of CPS using the gain tuning algorithm when the attack-induced delay τ_net remains in the stability region. Fig. 5 shows the performance recovery of the DC motor system. The physical emulator runs for t_f = 25 s, and we launch the ICMP flooding attack at t_a = 5 s. Then, computing system 1 detects the network delay τ_net at t = 5.6 s. After the attack detection, the computing system immediately replaces the controller gain K with the gain derived from the optimization problem (8).
As shown in the red graph of Fig. 5, the DC motor angle diverges with oscillation under the attack-induced network delay τ_net that

We use the integrated absolute error (IAE) as a metric to evaluate the recovery performance [25], [27]. The IAE is defined as the integral of the absolute value of the error between the DC motor angle θ(t) and the reference angle θ_r(t). It is calculated as follows:

where t_a is the attack start time; t_f is the experiment time;

network overhead because the computing system only replaces the controller gain. Therefore, the controller gain tuning can provide better recovery performance than the AP handover when the attack-induced delay is in the feasible stability region.

If the network delay attack is very intensive, there is no solution to the optimization problem (8). Therefore, the controller gain tuning is insufficient to ensure the stability of the physical system. Fig. 7 shows the recovery failure of the controller gain tuning algorithm when the attack-induced delay is beyond the stability region. The attacker launches the ICMP flooding attack at t_a = 5 s, and the controller gain tuning is executed at t = 5.6 s. We use the replaced controller gain K selected in the first scenario.

Then, the DC motor angle is well regulated to zero.
In contrast to the controller gain tuning, the AP handover has a network overhead that degrades the recovery perfor-