**1. Introduction**

Cyber-physical systems (CPS) are the integration of the cyber-world of computing and communications with the physical world. In many systems, control of a physical plant is integrated with a wireless communication network, for example, transportation networks, electric power networks, integrated biological systems, industrial automation systems, and economic systems [1, 2]. Since CPSs use open computation and communication platform architectures, they are vulnerable to adversarial physical faults or cyber-attacks. Faults and cyber-attacks are referred to as *attacks* throughout this chapter.

Recent real-world cyber-attacks, including multiple power blackouts in Brazil [3] and the Stuxnet attack [4] in 2010, showed the importance of providing security to CPSs. Identification and modeling processes such as those in [5, 6], which are based on data, can be seriously affected by corrupted data. As a result, information security techniques [7] may not be sufficient for protecting systems from sophisticated cyber-attacks. It is suggested in [8] that information security mechanisms have to be complemented by specially designed resilient control systems. Controlling CPS with sensors and actuators that are hijacked/corrupted remotely or physically by the attackers is a challenge. The use of novel control/observation algorithms is proposed in this chapter for recovering CPS performance online if an attacker penetrates the information security mechanisms.

Cyber security of CPS must provide three main security goals: *availability*, *confidentiality*, and *integrity* [7]. This means that the CPS is to be accessible and usable upon demand, the information has to be kept secret from unauthorized users, and the trustworthiness of data has to be guaranteed. Lack of availability, confidentiality, and integrity yields denial of service, disclosure, and deception, respectively. A specific kind of deception attack called a *replay attack* has been investigated when the system model is unknown to the attackers but they have access to all the sensors [9, 10]. *Replay attacks* are carried out by "hijacking" the sensors, recording the readings for a certain time, and repeating such readings while injecting them together with an exogenous signal into the system's sensors. It is shown that these attacks can be detected by injecting a random signal, unknown to the attacker, into the system. In the case when the system's dynamic model is known to the attacker, another kind of deception attack, called a *cover attack*, has been studied in [11], and the proposed algorithm allows cancelling out the effect of this attack on the system dynamics. In systems with unstable modes, false data injection attacks are applied to make some unstable modes unobservable [12]. Denial of service attacks assault data availability by blocking information flows between different components of the CPS. The attacker can jam the communication channels, modify devices and prevent them from sending data, violate the routing protocols, etc. [13]. In a stealth attack, the attacker modifies some sensor readings by physically tampering with the individual meters or by getting access to some communication channels [14, 15]. As a result, detection and isolation of cyber-attacks in CPSs has received immense attention [16]. However, how to ensure the CPS can continue functioning properly if a cyber-attack has happened is another serious problem that should be investigated; therefore, the focus of this chapter is on resilient control of CPS.

In [17], new adaptive control architectures that can foil malicious sensor and actuator attacks are developed without reconstructing the attacks, by means of feedback control only. A sparse recovery algorithm is applied to reconstruct online the cyber-attacks in [18]. Sliding mode control, with its advantages of quick response and strong robustness, is one of the best approaches to control CPS [19–22]. In [23], a finite-time convergent higher-order sliding mode (HOSM) observer, based on a HOSM differentiator and a sparse recovery algorithm, is used to reconstruct online the cyber-attack in a nonlinear system. Detection and observation of a scalar attack by a sliding mode observer (SMO) has been accomplished for a linearized differential-algebraic model of an electric power network when plant and sensor attacks do not occur simultaneously [24]. Cyber-attacks against phasor measurement unit (PMU) networks are considered in [25], where a risk mitigation technique determines whether a certain PMU should be kept connected to the network or removed. In [26] a sliding mode-based observation algorithm is used to reconstruct the attacks asymptotically. This reconstruction is approximate only, since pseudo-inverse techniques are used.

*Secure State Estimation and Attack Reconstruction in Cyber-Physical Systems: Sliding Mode… DOI: http://dx.doi.org/10.5772/intechopen.88669*

In this chapter, CPSs controlled by a control input subject to sensor attacks and state/plant attacks are considered. The corrupted measurements propagate the attack signals to the CPS through the control signals, causing CPS performance degradation. The main challenge that is addressed in the chapter is online exact reconstruction of the sensor and state attacks with an application to an electric power network. The contribution of this chapter is:

• Novel fixed and adaptive-gain SMO for the linearized/linear CPS under attack are proposed for the online reconstruction of sensor attacks. The *time-varying* attacks are reconstructed via the proposed SMO that includes a newly designed dynamic filter. Note that the well-known SMO proposed in [27] reconstructs the slow-varying perturbations only.

• A super twisting SMO is applied to reconstruct the state/plant time-varying attacks of the linearized/linear CPS under attack.

• For online state/plant attack reconstruction in *nonlinear* CPS under attack, a higher-order sliding mode disturbance observer [28] is used.

• An algorithm that uses sliding mode differentiation techniques [29] in concert with the finite-time convergent observer for the sparse signal recovery is applied to online reconstruction of time-varying attack in nonlinear CPS under attack when we have limited measurements and more possible sources of attack [30].

**2. Motivation example: electric power network under attack**

In a real-world power network, only a small group of generator rotor angles and rates is directly measured, and typical attacks aim at injecting disturbance signals that mainly affect the sensorless generators [24].

The small-signal version of the classic structure-preserving power network model is adopted to describe the dynamics of a power network. Consider a connected power network consisting of $n_1$ generators $\{g_1, \ldots, g_{n_1}\}$ and $n_2$ load buses $\{b_{n_1+1}, \ldots, b_{n_1+n_2}\}$. The interconnection structure of the power network is encoded by a connected susceptance-weighted graph $G$. The vertices of $G$ are the generators $g_i$ and the buses $b_i$. The edges of $G$ are the transmission lines $\{b_i, b_j\}$ and the connections $\{g_i, b_i\}$ weighted by their susceptance values. The Laplacian associated with the susceptance-weighted graph is the symmetric susceptance matrix $L^{\theta} \in \mathbb{R}^{(n_1+n_2)\times(n_1+n_2)}$ defined by $L^{\theta} = \begin{bmatrix} L^{\theta}_{g,g} & L^{\theta}_{g,l} \\ L^{\theta}_{l,g} & L^{\theta}_{l,l} \end{bmatrix}$ [8].

The CPS that motivates the results presented in this work is the US Western Electricity Coordinating Council (WECC) power system [8] under attack with three generators and six buses, whose electrical schematic is presented in **Figure 1**. The mathematical model of the power network in **Figure 1** under sensor stealth attack and deception attack can be represented as the following descriptor equations that consist of differential and algebraic equations [8]:
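The replay-attack defence summarized in the introduction (inject a random signal, unknown to the attacker, and check that the sensor readings still respond to it) can be made concrete with a short simulation. This is an added example, not code from the chapter or from [9, 10]: the scalar plant, its parameters, the correlation test and all function names are assumptions chosen for illustration, and the exogenous signal an attacker may add on top of the replayed readings is left out.

```python
import random

def simulate(n_steps, replay_from=None, a=0.8, sigma_u=1.0, sigma_n=0.1, seed=7):
    """Scalar plant x[k+1] = a*x[k] + du[k] + w[k], sensor y[k] = x[k] + v[k].

    du[k] is the secret random signal (watermark) added to the input.
    From step `replay_from` on, the reported reading is a recording of the
    sensor taken from step 0, i.e. a replay of old, genuine data.
    """
    rng = random.Random(seed)  # fixed seed: constructed, repeatable data
    x, true_y, reported, watermark = 0.0, [], [], []
    for k in range(n_steps):
        y = x + rng.gauss(0.0, sigma_n)           # genuine sensor reading
        true_y.append(y)
        replayed = replay_from is not None and k >= replay_from
        reported.append(true_y[k - replay_from] if replayed else y)
        du = rng.gauss(0.0, sigma_u)              # known only to the defender
        watermark.append(du)
        x = a * x + du + rng.gauss(0.0, sigma_n)  # plant update
    return watermark, reported

def watermark_score(watermark, reported, start, end, sigma_u=1.0):
    """Normalised correlation of du[k] with the next reported reading.

    Live sensors give about 1 because y[k+1] contains du[k]; replayed
    readings were recorded before du[k] existed, so the score is about 0.
    """
    acc = sum(watermark[k] * reported[k + 1] for k in range(start, end))
    return acc / ((end - start) * sigma_u ** 2)

def detect_replay(watermark, reported, window=1000, threshold=0.5):
    """Return (window_start, score, alarm) for each full window."""
    results = []
    for start in range(0, len(reported) - window, window):
        score = watermark_score(watermark, reported, start, start + window)
        results.append((start, round(score, 3), score < threshold))
    return results

if __name__ == "__main__":
    for label, attack_at in (("no attack", None), ("replay from k=2000", 2000)):
        wm, rep = simulate(4001, replay_from=attack_at)
        print(label, detect_replay(wm, rep))
```

The replayed readings are statistically indistinguishable from genuine ones on their own; only the missing correlation with the current watermark exposes them, which is why the injected signal has to stay unknown to the attacker.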

