(196d) Fighting Back Against Cyberattacks on Control Systems Under Lyapunov-Based Economic Model Predictive Control | AIChE

Authors 

Messina, D. - Presenter, Wayne State University
Durand, H., Wayne State University
Cyberattacks on cyber-physical systems (CPSs) may affect components of a control hierarchy, such as sensors and actuators. Detecting and fighting back against cyberattacks on different components poses different challenges, and these must be accounted for to avoid a potential loss of process control and damage to equipment and the surroundings. Previous work in our group included development of detection strategies using Lyapunov-based economic model predictive control (LEMPC) to flag cyberattacks on a system. Depending on the strategy, detection of an attack may guarantee process safety for some time after an attack occurs; however, the guarantees of safety in, for example, [1,2] end at the latest after attacks are detected. In [3], for example, it was assumed that cyberattacks could be detected and that back-up sensors could then be applied to regain safety. However, such a concept would require adequate redundancy and diagnosis. The means for achieving adequate diagnosis and for trying to reduce redundancy with the control-theoretic framework based on LEMPC [4], developed in our prior work for detecting cyberattacks, require further investigation.

In this talk, we will discuss ideas for extending our prior detection strategies, which integrate with LEMPC, to diagnosis and post-detection handling methods. Specifically, we will initially review results with regard to attempts to use distributed controllers for sensor attack diagnosis in [2]. We will also consider other ideas for attempting to diagnose attacks. For example, one of the detection strategies of our prior work relies on randomly modifying the LEMPC used for controlling the process such that it drives the closed-loop state toward a lower level set around some new steady state. This helps to reveal an attack if the Lyapunov function does not decrease. We will use an example of a continuous stirred tank reactor (CSTR) to evaluate whether the different terms of the time derivative of a Lyapunov function, and their degree of negativity, could aid with diagnosing attacks on actuators. We will also consider methods for updating the constraints of an LEMPC after an attack is detected and diagnosed that assume a variety of potential behavior from the attacker and seek to maintain safety regardless (or in as many potential situations as possible). We will discuss ways of formulating this problem, and the extent to which guarantees can be made.
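A minimal illustration of the Lyapunov-decrease check described above, added here and not taken from the authors' work: a toy scalar plant with a stabilizing feedback law stands in for the LEMPC and the CSTR, and every constant, function name and the zero-input actuator override is an assumption. It flags the first sampling period in which V fails to decrease and splits dV/dt into its drift and input terms to show which term deviates from what the commanded input should have produced.

```python
# Added illustration (not the authors' LEMPC): toy scalar plant
# dx/dt = A*x + B*u with V(x) = x^2. All constants are constructed.
A, B, K = 1.0, 1.0, 3.0      # unstable drift, input gain, feedback gain
DT, SUBSTEPS = 0.05, 50      # sampling period and Euler sub-steps per period
V_MIN = 1e-4                 # skip the check very close to the steady state


def V(x):
    return x * x


def step(x, u_applied):
    """Integrate the plant over one sampling period with a held input."""
    h = DT / SUBSTEPS
    for _ in range(SUBSTEPS):
        x += h * (A * x + B * u_applied)
    return x


def vdot_terms(x, u):
    """Split dV/dt = 2x(Ax + Bu) into its drift and input contributions."""
    return 2 * A * x * x, 2 * B * x * u


def run(x0, n_steps, attack_from=None, attack_input=0.0):
    """Simulate; return the first sampling index flagged and the residual there."""
    x = x0
    for k in range(n_steps):
        u_cmd = -K * x                                   # stabilizing command
        attacked = attack_from is not None and k >= attack_from
        u_applied = attack_input if attacked else u_cmd  # actuator may be overridden
        x_next = step(x, u_applied)
        if V(x) > V_MIN and V(x_next) >= V(x):           # Lyapunov decrease violated
            drift, expected_input = vdot_terms(x, u_cmd)
            observed_input = (V(x_next) - V(x)) / DT - drift
            return k, observed_input - expected_input    # residual in the input term
        x = x_next
    return None, 0.0
```

With trusted state measurements, a large positive residual means the input term was far less negative than the commanded input implies, which points at the actuator rather than at the plant's drift.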

After these preliminary studies in investigating ideas for using the LEMPC to "fight back" against the attacker through diagnosis and subsequently incorporating knowledge of the attack in the control action selection, we will consider the problem of how to obtain the original control-theoretic guarantees before detection. LEMPC is a control strategy which has been developed for the control of nonlinear systems. LEMPC is a particularly attractive control strategy due to its strong theoretical guarantees regarding stability and feasibility; however, there does not exist a standard method to develop all of the parameters of this controller needed for any process to meet these theoretical guarantees. In our prior work, we have discussed preliminary ideas for attempting to obtain these parameters, including a "best-case" analysis based on assuming certain values for the parameters and the absence of disturbances, and then solving for the largest possible sampling period that would meet the resulting constraints [2]. We also considered an optimization problem [5] that attempts to find parameters that cause the control-theoretic guarantees to be met at some points in the state-space. These initial results were investigated in the context of the standard LEMPC from [4]; however, the attempts to obtain the parameters may impact not only the practical implementation of LEMPC itself, but also control strategies based on LEMPC for applications such as cybersecurity. For the guarantees of safety related to the pre-detection period from our prior work to be obtained, theoretical conditions related to LEMPC must again be met in the design stage of the controller and during operation.

In this final part of the talk, we will extend the methods from [2,5] toward the development of a cyberattack detection strategy based on LEMPC, applied to a CSTR example, to characterize conditions under which the sufficient conditions for cyberattack detection, and for the safety guarantees related to the detection procedures, hold. We will discuss the limitations related to the practical implementation of such a strategy with regard to the design of a controller and the conditions under which detection can be guaranteed.

[1] Oyama, H., & Durand, H. (2020). Integrated cyberattack detection and resilient control strategies using Lyapunov-based economic model predictive control. AIChE Journal, 66(12), e17084.

[2] Oyama, H., et al. (2022). Lyapunov-based economic model predictive control for detecting and handling actuator and simultaneous sensor/actuator cyberattacks on process control systems. Frontiers in Chemical Engineering, 4, 810129.

[3] Wu, Z., Albalawi, F., Zhang, J., Zhang, Z., Durand, H., & Christofides, P. D. (2018). Detecting and handling cyber-attacks in model predictive control of chemical processes. Mathematics, 6(10), 173.

[4] Heidarinejad, M., Liu, J., & Christofides, P. D. (2012). Economic model predictive control of nonlinear process systems using Lyapunov techniques. AIChE Journal, 58(3), 855-870.

[5] Nieman, K., Messina, D., Wegener, M., & Durand, H. (2023). Cybersecurity and dynamic operation in practice: Equipment impacts and safety guarantees. Journal of Loss Prevention in the Process Industries, 81, 104898.