**2. Motivation example: electric power network under attack**

In a real-world power network, only a small group of generator rotor angles and rates is directly measured, and typical attacks aim at injecting disturbance signals that mainly affect the sensorless generators [24].

The small-signal version of the classic structure-preserving power network model is adopted to describe the dynamics of a power network. Consider a connected power network consisting of $n_1$ generators $\{g_1, \ldots, g_{n_1}\}$ and $n_2$ load buses $\{b_{n_1+1}, \ldots, b_{n_1+n_2}\}$. The interconnection structure of the power network is encoded by a connected susceptance-weighted graph $G$. The vertices of $G$ are the generators $g_i$ and the buses $b_i$. The edges of $G$ are the transmission lines $(b_i, b_j)$ and the connections $(g_i, b_i)$ weighted by their susceptance values. The Laplacian associated with the susceptance-weighted graph is the symmetric susceptance matrix

$$L^{\theta} \in \mathbb{R}^{(n_1+n_2)\times(n_1+n_2)} \text{ defined by } L^{\theta} = \begin{bmatrix} L^{\theta}_{g,g} & L^{\theta}_{g,l} \\ L^{\theta}_{l,g} & L^{\theta}_{l,l} \end{bmatrix} \text{ [8]}.$$

The CPS that motivates the results presented in this work is the US Western Electricity Coordinating Council (WECC) power system [8] under attack with three generators and six buses, whose electrical schematic is presented in **Figure 1**. The mathematical model of the power network in **Figure 1** under sensor stealth attack and deception attack can be represented as the following descriptor equations that consist of differential and algebraic equations [8]:

Recent real-world cyber-attacks, including multiple power blackouts in Brazil [3] and the Stuxnet attack [4] in 2010, showed the importance of providing security to CPSs. Identification and modeling processes such as [5, 6], which are based on data, can be seriously affected by corrupted data. As a result, information security techniques [7] may not be sufficient for protecting systems from sophisticated cyberattacks. It is suggested in [8] that information security mechanisms have to be complemented by specially designed resilient control systems. Controlling CPS with sensors and actuators that are hijacked/corrupted remotely or physically by the attackers is a challenge. The use of novel control/observation algorithms is proposed in this chapter for recovering CPS performance online if an attacker penetrates the information security mechanisms.

Cyber security of CPS must provide three main security goals: *availability*, *confidentiality*, and *integrity* [7]. This means that the CPS is to be accessible and usable upon demand, the information has to be kept secret from unauthorized users, and the trustworthiness of data has to be guaranteed. Lack of availability, confidentiality, and integrity yields denial of service, disclosure, and deception, respectively. A specific kind of deception attack called a *replay attack* has been investigated when the system model is unknown to the attackers but they have access to all the sensors [9, 10]. *Replay attacks* are carried out by "hijacking" the sensors, recording the readings for a certain time, and repeating such readings while injecting them together with an exogenous signal into the system's sensors. It is shown that these attacks can be detected by injecting a random signal, unknown to the attacker, into the system. In the case when the system's dynamic model is known to the attacker, another kind of deception attack, called a *cover attack*, has been studied in [11], and the proposed algorithm allows cancelling out the effect of this attack on the system dynamics. In systems with unstable modes, false data injection attacks are applied to make some unstable modes unobservable [12]. Denial of service attacks assault data availability through blocking information flows between different components of the CPS. The attacker can jam the communication channels, modify devices and prevent them from sending data, violate the routing protocols, etc. [13]. In a stealth attack, the attacker modifies some sensor readings by physically tampering with the individual meters or by getting access to some communication channels [14, 15]. As a result, detection and isolation of cyberattacks in CPSs has received immense attention [16]. However, how to ensure the CPS can continue functioning properly if a cyber-attack has happened is another serious problem that should be investigated; therefore, the focus of this chapter is on resilient control of CPS.

In [17], new adaptive control architectures that can foil malicious sensor and actuator attacks are developed without reconstructing the attacks, by means of feedback control only. A sparse recovery algorithm is applied to reconstruct online the cyber-attacks in [18]. Sliding mode control with advantages of quick response and strong robustness is one of the best approaches to control CPS [19–22]. In [23], a finite-time convergent higher-order sliding mode (HOSM) observer, based on a HOSM differentiator and a sparse recovery algorithm, is used to reconstruct online the cyber-attack in a nonlinear system. Detection and observation of a scalar attack by a sliding mode observer (SMO) has been accomplished for a linearized differential-algebraic model of an electric power network when plant and sensor attacks do not occur simultaneously [24]. Cyber-attacks against phasor measurement unit (PMU) networks are considered in [25], where a risk mitigation technique determines whether a certain PMU should be kept connected to the network or removed. In [26] a sliding mode-based observation algorithm is used to

*Control Theory in Engineering*

**Figure 1.** *The WECC power system [8].*

$$
\begin{bmatrix} I & 0 & 0 \\ 0 & M_g & 0 \\ 0 & 0 & 0 \end{bmatrix} \begin{bmatrix} \dot{\delta} \\ \dot{\omega} \\ \dot{\theta} \end{bmatrix} = - \begin{bmatrix} 0 & -I & 0 \\ L^{\theta}_{g,g} & E_g & L^{\theta}_{g,l} \\ L^{\theta}_{l,g} & 0 & L^{\theta}_{l,l} \end{bmatrix} \begin{bmatrix} \delta \\ \omega \\ \theta \end{bmatrix} + \underbrace{\begin{bmatrix} 0 \\ B_{\omega} \\ B_{\theta} \end{bmatrix}}_{B} d_x + \underbrace{\begin{bmatrix} 0 \\ P_{\omega} \\ P_{\theta} \end{bmatrix}}_{P}, \quad y = Cx + D d_y \tag{1}
$$

where the state vector $x = [\delta^T \ \omega^T \ \theta^T]^T$ includes the vector of rotor angles $\delta \in \mathbb{R}^3$, the vector of generator speed deviations from synchronicity $\omega \in \mathbb{R}^3$, as well as the vector of voltage angles at the buses $\theta \in \mathbb{R}^6$. The vector $y \in \mathbb{R}^p$ is the measurement vector, $d_x \in \mathbb{R}^{m_1}$ is the *deception* attack corrupting the states, and $d_y \in \mathbb{R}^{m-m_1}$ is the *stealth* attack vector spoofing the measurements. Note that the states of the plant are under attack even if they are attacked not directly but via propagation.


*Secure State Estimation and Attack Reconstruction in Cyber-Physical Systems: Sliding Mode…*

*DOI: http://dx.doi.org/10.5772/intechopen.88669*


The measurement corruption attacks act through an output control feedback. The matrices $E_g, M_g \in \mathbb{R}^{3\times 3}$ are diagonal matrices whose nonzero entries consist of the damping coefficients and the normalized inertias of the generators, respectively:

$$M_g = \begin{bmatrix} 0.125 & 0 & 0 \\ 0 & 0.034 & 0 \\ 0 & 0 & 0.016 \end{bmatrix}, \quad E_g = \begin{bmatrix} 0.125 & 0 & 0 \\ 0 & 0.068 & 0 \\ 0 & 0 & 0.048 \end{bmatrix} \tag{2}$$

The inputs $P_{\omega}$ and $P_{\theta}$ are due to *known* changes in the mechanical input power to the generators and real power demands at the loads. The matrices $B \in \mathbb{R}^{12\times m_1}$ and $D \in \mathbb{R}^{p\times(m-m_1)}$ are the attack distribution matrices, and $C \in \mathbb{R}^{p\times 12}$ is the output gain matrix. The matrix $L^{\theta} \in \mathbb{R}^{9\times 9}$, with blocks $L^{\theta}_{g,g} \in \mathbb{R}^{3\times 3}$, $L^{\theta}_{g,l} \in \mathbb{R}^{3\times 6}$, $L^{\theta}_{l,g} \in \mathbb{R}^{6\times 3}$, $L^{\theta}_{l,l} \in \mathbb{R}^{6\times 6}$, is given by


$$L^{\theta} = \begin{bmatrix}
0.058 & 0 & 0 & -0.058 & 0 & 0 & 0 & 0 & 0 \\
0 & 0.063 & 0 & 0 & -0.063 & 0 & 0 & 0 & 0 \\
0 & 0 & 0.059 & 0 & 0 & -0.059 & 0 & 0 & 0 \\
-0.058 & 0 & 0 & 0.265 & 0 & 0 & -0.085 & -0.092 & 0 \\
0 & -0.063 & 0 & 0 & 0.296 & 0 & -0.161 & 0 & -0.072 \\
0 & 0 & -0.059 & 0 & 0 & 0.330 & 0 & -0.170 & -0.101 \\
0 & 0 & 0 & -0.085 & -0.161 & 0 & 0.246 & 0 & 0 \\
0 & 0 & 0 & -0.092 & 0 & -0.170 & 0 & 0.262 & 0 \\
0 & 0 & 0 & 0 & -0.072 & -0.101 & 0 & 0 & 0.173
\end{bmatrix} \tag{3}$$

**Figure 2.** *Comparing corrupted sensor measurements ($\omega_1, \omega_2, \omega_3$ under attack) and sensor measurements when there is no attack.*

**Figure 3.** *Comparing corrupted states ($\delta_1, \delta_2, \delta_3$ under attack) and states when there is no attack.*

Note that $\omega_i \to 0 \ \forall i = 1, 2, 3$ in the case of nominal performance of the studied network. Consider the case when the outputs of the system, which are the measurement sensors $\omega_1, \omega_2, \omega_3$, are corrupted by the following *stealth* attacks:

$$d_1 = -\omega_1 + 2\sin(\pi t), \quad d_2 = -\omega_2 + \cos(0.5\pi t), \quad d_3 = -\omega_3 + \sin(\pi t) \tag{4}$$

The system (1) was simulated with and without the above attacks. Based on the simulation results shown in **Figures 2** and **3**, the stealth attack in (4) yields inappropriate degradation of the power network performance.

This motivates why online reconstruction of the attacks, followed by cleanup of the measurements prior to using them in the control signal, is of prime importance for retaining the performance of the power network (as will be shown in Section 6, where the proposed SMO is applied to achieve this goal). The case study of the power network (1) will be further discussed in detail in Section 6.
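The degradation described above can be reproduced numerically. The following Python code is an added example, not code from the chapter: it eliminates the bus angles $\theta$ from Eq. (1), simulates the three generators with the values of Eqs. (2) and (3), and applies the stealth attack of Eq. (4) to the speed sensors. Assumptions made here and not stated in the text: $C$ selects $\omega$, $D = I$, $P_{\theta} = 0$, no plant attack, a hypothetical output feedback $P_{\omega} = -0.1\,y$, and a constructed initial state.

```python
import math

# Inertias, damping coefficients and susceptance Laplacian copied from Eqs. (2)-(3).
MG = [0.125, 0.034, 0.016]
EG = [0.125, 0.068, 0.048]
LAP = [
    [0.058, 0, 0, -0.058, 0, 0, 0, 0, 0],
    [0, 0.063, 0, 0, -0.063, 0, 0, 0, 0],
    [0, 0, 0.059, 0, 0, -0.059, 0, 0, 0],
    [-0.058, 0, 0, 0.265, 0, 0, -0.085, -0.092, 0],
    [0, -0.063, 0, 0, 0.296, 0, -0.161, 0, -0.072],
    [0, 0, -0.059, 0, 0, 0.330, 0, -0.170, -0.101],
    [0, 0, 0, -0.085, -0.161, 0, 0.246, 0, 0],
    [0, 0, 0, -0.092, 0, -0.170, 0, 0.262, 0],
    [0, 0, 0, 0, -0.072, -0.101, 0, 0, 0.173],
]

def solve(a, b):
    """Solve a X = b (b may have several columns) by Gauss-Jordan elimination."""
    n = len(a)
    aug = [list(map(float, a[i])) + list(map(float, b[i])) for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))  # partial pivoting
        aug[c], aug[p] = aug[p], aug[c]
        piv = aug[c][c]
        aug[c] = [v / piv for v in aug[c]]
        for r in range(n):
            if r != c:
                f = aug[r][c]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def reduced_stiffness():
    """Eliminate theta with the algebraic rows of Eq. (1): K = Lgg - Lgl Lll^-1 Llg."""
    lgg, lgl = [r[:3] for r in LAP[:3]], [r[3:] for r in LAP[:3]]
    llg, lll = [r[:3] for r in LAP[3:]], [r[3:] for r in LAP[3:]]
    x = solve(lll, llg)
    return [[lgg[i][j] - sum(lgl[i][k] * x[k][j] for k in range(6))
             for j in range(3)] for i in range(3)]

def injected(t):
    """Signals that replace omega_1..omega_3 in the sensor readings under Eq. (4)."""
    return [2 * math.sin(math.pi * t), math.cos(0.5 * math.pi * t), math.sin(math.pi * t)]

def simulate(attack, gain=0.1, t_end=20.0, dt=1e-3):
    """Forward-Euler run; returns (peak |omega| over the last 5 s, peak |y - omega|)."""
    k = reduced_stiffness()
    delta, omega = [0.1, -0.05, 0.02], [0.0, 0.0, 0.0]  # constructed initial state
    tail_peak = sensor_gap = 0.0
    for step in range(int(t_end / dt)):
        t = step * dt
        d = [s - w for s, w in zip(injected(t), omega)] if attack else [0.0] * 3
        y = [w + di for w, di in zip(omega, d)]  # y = omega + d_y (assumed C, D = I)
        sensor_gap = max(sensor_gap, max(abs(a - b) for a, b in zip(y, omega)))
        if t >= t_end - 5.0:
            tail_peak = max(tail_peak, max(abs(w) for w in omega))
        accel = [(-sum(k[i][j] * delta[j] for j in range(3)) - EG[i] * omega[i]
                  - gain * y[i]) / MG[i] for i in range(3)]  # P_omega = -gain*y (assumed)
        delta = [a + dt * w for a, w in zip(delta, omega)]
        omega = [w + dt * a for w, a in zip(omega, accel)]
    return tail_peak, sensor_gap
```

Under these assumptions `simulate(False)` keeps the sensor readings equal to the true speeds while the speed deviations decay, whereas `simulate(True)` makes every reading equal to the injected waveform of Eq. (4), so the feedback loop keeps forcing the generators and $\omega$ no longer settles.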

**3. Cyber-physical system dynamics**

Consider the following completely observable and asymptotically stable system

$$\begin{aligned} \dot{\boldsymbol{x}} &= \boldsymbol{f}(\boldsymbol{x}) + \boldsymbol{B}(\boldsymbol{x})\boldsymbol{d}(t) \\ \boldsymbol{y} &= \mathbf{C}(\boldsymbol{x}) + \boldsymbol{D}\boldsymbol{d}(t) \end{aligned} \tag{5}$$

where $x \in \mathbb{R}^n$ is the state vector, $f(x) \in \mathbb{R}^n$ is a smooth vector field, $d(t) \in \mathbb{R}^m$ denotes the attack/fault vector which is additive and matched to the control signal, $y \in \mathbb{R}^p$ is the measurement vector, $p \geq m$, $C(x) \in \mathbb{R}^p$ is the output smooth vector field, $B(x) \in \mathbb{R}^{n\times m}$ and $D \in \mathbb{R}^{p\times m}$ denote the attack/fault distribution matrices. For notational convenience, and without affecting generality, the input distribution matrices can be partitioned as

$$B(x) = [B_1(x) \quad \mathbf{0}_1], \quad D = [\mathbf{0}_2 \quad D_1] \tag{6}$$

where $B_1(x) \in \mathbb{R}^{n\times m_1}$, $D_1 \in \mathbb{R}^{p\times(m-m_1)}$, $\mathbf{0}_1 \in \mathbb{R}^{n\times(m-m_1)}$, $\mathbf{0}_2 \in \mathbb{R}^{p\times m_1}$, and $m_1 \leq m$.

**Assumption (A1):** $B_1(x)$, $D_1$ are of full rank.

The attack/fault vector is partitioned accordingly as

$$d = \begin{bmatrix} d_x \\ d_y \end{bmatrix} \quad \text{where} \quad d_x \in \mathbb{R}^{m_1} \ \text{and} \ d_y \in \mathbb{R}^{m-m_1} \tag{7}$$

Therefore, Eq. (5) can be rewritten as

$$\begin{aligned} \dot{x} &= f(x) + B_1(x) d_x(t) \\ y &= C(x) + D_1 d_y(t) \end{aligned} \tag{8}$$

where $d_x(t)$, $d_y(t)$ represent the state and the sensor attack vectors, respectively. Different attack strategies are shown in **Table 1** and discussed in Section 1.

Since $p \geq m - m_1$, the system (8) can be partitioned using a nonsingular transformation $M \in \mathbb{R}^{p\times p}$

$$y = M\overline{y} \tag{9}$$

selected so that

$$M^{-1}D_1 = \begin{bmatrix} \mathbf{0}_{(p-(m-m_1))\times(m-m_1)} \\ \overline{D}_{1_{(m-m_1)\times(m-m_1)}} \end{bmatrix} \tag{10}$$

Taking into account (10), system (8) is reduced to

$$\begin{aligned} \dot{x} &= f(x) + B_1(x) d_x(t) \\ \overline{y}_1 &= C_1(x), \quad \overline{y}_2 = C_2(x) + \overline{D}_1 d_y(t) \end{aligned} \tag{11}$$

where $\overline{y}_1 \in \mathbb{R}^{p_1}$ with $p_1 = p - (m - m_1)$ and $\overline{y}_2 \in \mathbb{R}^{p_2}$ where $p_2 = m - m_1$. Note that the state attack vector $d_x(t)$ is additive and matched to the control input that is embedded in system Eq. (11) already.

**Table 1.** *Cyber-attack strategies.*

**Assumption (A2):** Attacks are detectable, i.e., the invariant zeros of Eq. (11) are stable.

**4. Problem formulation**

The problem is to protect the closed loop system (11) from the sensor attack $d_y \in \mathbb{R}^{m-m_1}$ and state/plant attack $d_x(t) \in \mathbb{R}^{m_1}$ by means of designing fixed-gain and adaptive-gain SMOs that allow: (a) reconstructing online the sensor attack $d_y$, the state/plant attack $d_x(t)$, and the plant states $x$ so that

$$\hat{d}_x(t) \to d_x(t), \quad \hat{d}_y(t) \to d_y(t), \quad \hat{x} \to x \tag{12}$$

as time increases and (b) "cleanup" of the plant and sensors so that the dynamics of the CPS under attack (11) approach, as time increases,

$$\dot{x}_{clean} = f(\hat{x}) + B_1(\hat{x})\left(d_x(t) - \hat{d}_x(t)\right), \quad y_{clean} = y - D_1\hat{d}_y = C(\hat{x}) + D_1\left(d_y(t) - \hat{d}_y(t)\right). \tag{13}$$

Note that Eq. (13) represents the compensated CPS that converges to the CPS without attack as time increases.

In this chapter, for the *linearized* case of the system in Eq. (5), two SMOs for state estimation and attack reconstruction are discussed. Two other SMO strategies for the nonlinear system (5) are also proposed and investigated.

**5. Results: secure state estimation**

**5.1 Attack reconstruction in linear system via filtering by adaptive sliding mode observer**

Consider the linearized system in Eq. (5) with $C(x) = Cx$ and $B(x) = B$

$$\dot{x} = Ax + Bd(t), \quad y = Cx + Dd(t) \tag{14}$$

*5.1.1 System's transformation*

Considering system Eq. (14) and assuming assumption (A1) holds, then as shown in [29] there exists a matrix $N \in \mathbb{R}^{(n-p)\times n}$ such that the square matrix

$$T_c = \begin{bmatrix} N \\ C \end{bmatrix} \tag{15}$$

is nonsingular and the change of coordinates $x \mapsto T_c x$ creates, without loss of generality, a new state-space representation $(A', B', C', D)$ where

$$A' = T_c A T_c^{-1}, \quad B' = T_c B, \quad C' = C T_c^{-1} = \begin{bmatrix} \mathbf{0}_{p\times(n-p)} & I_{p\times p} \end{bmatrix} \tag{16}$$

After the linear change of coordinates, the CPS Eq. (14) is rewritten as
