Joint Effects of Jamming Interference and Disturbance in Networked Control Systems

Joint Effects of Jamming Interference and Disturbance in
Networked Control Systems

Ahmet Cetinkaya, Hideaki Ishii, and Tomohisa Hayakawa Ahmet Cetinkaya and Hideaki Ishii are with the Department of Computer Science, Tokyo Insitute of Technology, Yokohama, 226-8502, Japan. ahmet@sc.dis.titech.ac.jp, ishii@c.titech.ac.jpTomohisa Hayakawa is with the Department of Systems and Control Engineering, Tokyo Institute of Technology, Tokyo 152-8552, Japan. hayakawa@sc.e.titech.ac.jpThis work was supported in part by the JST CREST Grant No. JPMJCR15K3 and by JSPS under Grant-in-Aid for Scientific Research Grant No. 15H04020.
Abstract

The problem of networked control under disturbance and jamming attacks is investigated. Specifically, the control input packets are assumed to be transmitted from the controller to a linear plant over an insecure wireless communication channel that faces jamming attacks. The likelihood of transmission failures on this channel depends on the power of the jamming interference signal emitted by an attacker. We show that jamming attacks and disturbance can jointly prevent stability even if the attacked system without disturbance is stable. We also show that stability under jamming and disturbance can be achieved if the average jamming interference power is restricted in a certain way. We provide a numerical example to illustrate our results.

I Introduction

Recently many industrial control systems have been incorporating information and communication technologies as key components. Especially the use of wireless communication channels and the Internet is increasing in networked control applications. These communication technologies provide efficiency in the transmission of measurement and control data, but they can create cyber-security issues in a system [1].

A networked control system may face various types of cyber attacks. For instance, an attacker who is knowledgeable about the system dynamics can disrupt control operation by injecting false data into the system or altering measurement and control data [2, 3]. Attackers with limited information can also cause cyber-security issues by means of denial-of-service (DoS) attacks to prevent communication over networks. For example, a jamming attacker can effectively prevent transmission of packets over wireless channels by emitting sufficiently strong interference signals, [4, 5]. Jamming attacks can cause performance issues and instability in wireless networked control systems.

The effect of jamming attacks and other Denial-of-Service attacks that cause transmission failures in control systems have recently been investigated in several works (see, e.g., [6, 7, 8, 9, 10, 11, 12, 13]). In these works, several attack models have been considered. For example, the models in [6, 7, 8, 9, 10] allow the timing of attack strategies to be arbitrary as long as the total attack duration and the frequency of attacks satisfy certain conditions. Furthermore, the works [11, 12, 13] consider physical jamming attack models based on wireless communication theory. In those physical models, the strength of jamming affects the likelihood of the occurrence of a transmission failure. Specifically, a transmission failure at a certain time is more likely, if the power of the jamming interference signal at that time is large. In [14], we used such a physical model and considered a networked stabilization problem for the case where the level of interference power used by the attacker at each time is not known. Our results in [14] indicate that stabilization can be achieved if the average interference power is bounded in the long run even if the power level can be very large at certain times.

Our goal in this paper is to extend our previous work [14] to analyze the combined effects of jamming attacks and disturbance on the dynamics. When disturbance is present, jamming attacks can become more dangerous, as the attacker may take advantage of the disturbance to cause instability even if the attacked system without disturbance is stable. Specifically, the attacker can cause the state norm to grow to arbitrarily large values, while keeping the jamming interference power below a threshold in the long run. We show in the paper that when jamming attacks are restricted so that the wireless channel is not subject to long consecutive emissions of high powered interference signals, then under certain conditions on the system dynamics, the first moment of the state stays bounded.

In this paper, first, we investigate the scenarios where the norm of the disturbance is bounded at each time by a fixed scalar. For such scenarios, the first moment of the state is bounded under attacks from an attacker with sufficiently small resources. Then we explore the more general case where the distribution of the disturbance norm may have infinite support. For this case, we obtain an inequality for the first moment of state that resembles those used for establishing noise-to-state stability in stochastic systems (e.g., [15, 16]). In particular, we obtain an upper bound of the first moment of the state by utilizing the second moment of the disturbance. In our analysis, a key role is played by a nondecreasing and concave function of the attacker’s interference power that upper-bounds the transmission failure probability. In addition, the use of the first moment of the state in the analysis facilitates the investigation of cross product terms that involve the disturbance and the indicator process for transmission failures through induced matrix norms.

The paper is organized as follows. We explain the wireless networked control problem under jamming attacks in Section II. In Section III, we first discuss the stability of the system without disturbance, then we explain the joint effects of jamming interference and disturbance, and moreover, we provide an analysis for the system with disturbance. We present a numerical example in Section IV, and finally we conclude the paper in Section V.

The notation used in the paper is fairly standard. Specifically, and respectively denote the set of positive and nonnegative integers. Moreover, denotes the Euclidean norm. The notations (resp., ) denote the minimum (resp., maximum) eigenvalue of the Hermitian matrix . We use and respectively denote the probability and the expectation on a probability space .

Ii Networked Control Under Jamming Attacks

In this paper, we consider the networked control problem of a discrete-time linear plant with a static state feedback controller. As illustrated in Fig. 1, a wireless communication channel is used for transmission of control input packets from the controller to the plant. This channel is assumed to be subject to transmission failures at certain times due to interference caused by the jamming signal of an attacker.

Figure 1: Operation of networked control system under jamming attacks

In the networked control operation, at each time step , the controller computes a control input using the state information and attempts to transmit it on the wireless channel. If the transmission is successful, then the transmitted control input is applied at the plant side. If, on the other hand, there is a transmission failure, then the control input at the plant side is set to . In this setting, the dynamics of the plant is given by

(1)

where is the state, is the control input that is attempted to be transmitted by the controller to the plant at time , is the disturbance vector, and represents the transmission status (with indicating failure and indicating success). Moreover, is the unstable system matrix and is the input matrix.

In this paper, the likelihood of a transmission failure at time depends on the power of the jamming interference signal at that time. If the interference power is large, then it is more likely that there is a transmission failure. In particular, with denoting the jamming interference power at time , the transmission failure indicator in (1) is given by

(2)

where, is a Borel-measurable, nondecreasing function, and are independent random variables that are distributed uniformly in . Furthermore and are assumed to be mutually independent processes. Notice that for a fixed scalar , represents the conditional probability of a transmission failure given that the jamming interference power is set to . In particular, (2) implies

Observe that, if is large so that is close to , then it becomes more likely that , and hence by (2), a transmission failure is likely to occur. Note also that transmission failures at different times are conditionally independent given the interference powers at those times. Namely, for every , ,

The characterization in (2) enables us to describe security and reliability properties of different wireless channel models by utilizing different functions. For instance, to describe the additive white Gaussian noise channel with quadrature amplitude modulation scheme considered in the work [13], can be selected as

(3)

where , and are constants associated respectively with the transmission power and the power of the channel noise, and is a constant associated with the parameters of the communication protocol. Notice that the term in (3) corresponds to Signal to Interference plus Noise Ratio (SINR), which is an indicator of the quality of a wireless channel [17]. Even if there is no attack at time (i.e., ), there may still be a transmission failure due to channel noise , since .

We remark that the case where the interference power is constant (i.e., , , for some fixed deterministic scalar ) corresponds to Bernoulli-type packet losses (see [18, 19, 20]) with packet loss probability . In this paper, we follow the problem setting in our previous work [14] and explore the scenarios where the attacker can jam the network with different interference powers at different times.

Iii Analysis of Networked Stabilization

In this section, we investigate the networked stabilization of the plant (1) through a state-feedback controller, where the control input transmitted by the controller is given by

(4)

where denotes the feedback gain, and is used for describing malicious or nonmalicious disturbances on the control input. Notice that the effects of state-measurement noise can also be represented through the process . Specifically, if the state measurement is noisy, then the control input is given by , where is the measured state and represents the measurement noise. This situation is represented through (4) by setting .

With , the closed-loop networked control system (1), (4) becomes

(5)

In what follows, we first investigate the stability of (5) in the disturbance-free case (, ). Then we discuss how a strategic jamming attacker can take advantage of the disturbance to prevent stabilization. Finally, we obtain conditions of stability under disturbance.

Iii-a Stabilization in the Disturbance-Free Case

For the case without disturbance (, ), our previous work [14] shows that stabilization can be achieved if the long run average jamming interference power is bounded by a sufficiently small scalar. In particular, the jamming characterization in [14] allows the interference power to arbitrarily change at each time as long as it satisfies the following assumption.

Assumption III.1

There exist scalars and such that

(6)

Here, is an asymptotic upper-bound on the average interference power (i.e., ). Notice that if in (2) is a concave function, then can be utilized in the stability analysis as an upper bound on the long run average number of transmission failures. On the other hand, if is not concave, then a concave function that upper-bounds can be used for the same purpose. To this end, we utilized in [14] a continuous, nondecreasing, and concave function such that

(7)

As discussed in [14], satisfying (7) always exists. Moreover, it is shown in [14] that

(8)

In other words, the average number of transmission failures is upper bounded in the long run by . The inequality (8) was used in [14] for establishing stability of the closed-loop system (5) in the case without disturbance. The analysis in [14] indicates that if is sufficiently small, then the closed-loop system is asymptotically stable almost surely, implying .

In addition to almost sure asymptotic stability, moment stability of the networked control system can also be analyzed under Assumption III.1. In particular, the following result provides a condition under which the first-moment of the state () converges to zero at a geometric rate. In presentation of this result, we utilize induced matrix norms (see Section 5.6 in [21]). Specifically, for a given matrix , let denote the induced matrix norm defined by , where on the right-hand side denotes a vector norm on .

Proposition III.1

Consider the closed-loop networked control system (1), (4) for the case where , . Suppose that the attacker’s interference power process satisfies Assumption III.1. Assume

(9)

Then the closed-loop system (1), (4) is first-moment geometrically stable, that is, there exist and such that

(10)
{proof}

See appendix.

In Proposition III.1, the scalar represents the rate of convergence of the first moment, and it depends on as well as the scalars and , which are associated with the closed-loop and the open-loop dynamics. In particular, is a linear function of the left-hand side of (9). As a result, if the bound on the long run average jamming interference power is small, then is also small, indicating faster convergence of the first-moment. We note that geometric convergence of the first-moment also implies that the state converges to the origin almost surely (i.e., ).

Iii-B Joint Effect of Jamming Interference and Disturbance

So far we investigated the stability of the closed-loop networked control system (1), (4) for the case without disturbance. Proposition III.1 indicates that if in Assumption III.1 is sufficiently small, then stability can be achieved. We now look at the case with disturbance. We observe that in this case, jamming attacks can become considerably more dangerous. Even if the disturbance is very small and the attacker has very limited jamming resources, there still exist attack strategies that can destabilize the system while satisfying Assumption III.1 with very small . We illustrate this idea in the following example.

Example III.1

Consider a scalar networked control system (1), (4) with , , , and constant disturbance , . Suppose that the conditional probability of transmission failures is a strictly increasing function (e.g., given by (3)). For this networked control system setup, an attacker can wait for a sufficiently long duration and then attack for a duration with a sufficiently large interference power so that the state norm grows to large values but the average interference power does not go above . In particular, for any , , , and , the attack strategy

(11)

with , , guarantees that Assumption III.1 is satisfied and the state exceeds the value with probability larger than at time , i.e., To show this, first we define the event by

This is the event that all packet transmissions during fail. By (11), we have . Now, since , , and , we obtain . Therefore,

Furthermore, the attack strategy (11) satisfies Assumption III.1 with , because , and thus, .

The attack strategy (11) can make the state grow arbitrarily large even if the upper bound of the average interference power is very small. This attack strategy is effective, because even if the attacker initially waits for a long duration without attacking, the state never reaches a small neighborhood of zero due to the disturbance. Hence, after waiting for a while, the attacker can consecutively attack with high interference powers to cause many transmission failures and make the state norm grow to large values due to lack of control. This is further illustrated in Section IV.

Iii-C Stabilization Under Jamming Interference and Bounded Disturbance

To ensure stability under both disturbance and jamming, the attacks need to be restricted in a way that high jamming interference powers at consecutive times are not allowed. To this end, we consider the following assumption.

Assumption III.2

There exist scalars , such that

(12)

for all with .

Notice that (12) implies (6) (with and ), but the converse is not true. Assumption III.2 is thus more restrictive than Assumption III.1. In particular, under Assumption III.2, the attacker can attack with a jamming interference power consecutively for at most time steps. As a result, under Assumption III.2, the destabilizing attacks discussed in Example III.1 are avoided.

Assumption III.2 is related to other characterizations that describe malicious attacks in the literature. In particular, in the continuous-time deterministic denial-of-service attack characterization of [6], the number of attacks in a given time frame as well as the total duration of those attacks are bounded by certain ratios of the length of that time frame. Under that characterization, the maximum possible length of a continuous attack duration is bounded, which enables analysis of input-to-state stability under disturbance. The restriction on jamming through Assumption III.2 is similar, since long consecutive emissions of high powered interference signals are not allowed. We note, however, that Assumption III.2 allows the scenario where the channel is attacked at all times if the attacker’s interference power for certain times is small. Notice that emission of interference signals in jamming attacks require energy [5, 4]. In this respect, Assumption III.2 can describe the constraints of an attacker with limited energy resources.

In this section, we investigate the networked control system (5) under bounded disturbance. The analysis is then extended in Section III-D to the case where the disturbance has finite second moments but its norm may not be bounded by a fixed scalar.

In this paper, we consider scenarios where the norm of the disturbance does not approach zero, and hence the state or its moments may not converge to the origin. Therefore, instead of exploring asymptotic stability, our goal here is to obtain conditions under which the first moment of the state stays bounded. To this end, let

and moreover, for every with let

For the closed-loop system (5), we have

Therefore, for any induced norm , it follows from the triangle inequality and the submultiplicativity property of the induced norm that

Here, we have , . Hence, by letting

(13)

we obtain for ,

(14)

By using (14), we can also obtain an upper-bound of the Euclidean norm of the state. Specifically, by Corollary 5.4.5 of [21], there exist and such that

(15)

Therefore, it follows from (14) that

(16)

Notice here that the particular values of and depend on the choice of the vector norm that induces the matrix norm used in (13). For example, in the case of Euclidean norm, (16) holds with . On the other hand, if in (13) is induced by the vector norm with a positive definite matrix , then (16) holds with and .

We utilize (16) to provide bounds on the first moment of the state. First, in the following result, we consider the case where the disturbance is bounded and the jamming attacks satisfy Assumption III.2.

Theorem III.2

Consider the closed-loop networked control system (5). Suppose that the attacker’s interference power process satisfies Assumption III.2. Furthermore, suppose that there exists such that

(17)

If

(18)

then there exist , , and such that

(19)

The proof of Theorem III.2 is given later in the paper.

Theorem III.2 shows that if jamming attacks satisfy Assumption III.2 with a sufficiently small such that (18) holds, then the first moment of the state stays bounded. Furthermore, the upper bound given in (19) is geometrically decreasing towards the constant , where is an upper bound on the Euclidean norm of disturbance vector . Notice that the condition (18) of Theorem III.2 and the condition (9) utilized in the disturbance-free case in Proposition III.1 are in the same form, but they use different scalars and due to the difference of the jamming interference characterizations in Assumptions III.1 and III.2. We remark that for jamming attacks that satisfy both assumptions, we necessarily have .

As we establish in the proof of Theorem III.2, the parameters of the first moment upper bound in (19) depend on the attack parameters and . In particular, the values of and are large, if and take large values. Moreover, the scalar is directly related to the term on the left-hand side of (18). If this term is close to zero , then is close to zero, which indicates faster convergence of the bound in (19) towards the constant .

In the case where the transmission failure indicator process is a Bernoulli process or a Markov chain, the stability analysis can rely on the probability of failures and conditional failure probabilities , , (see [20, 22]). We remark that in our case, precise information of such probability terms is not available due to the uncertainty in the generation of attacks. Specifically, the interference power at a given time is part of attacker’s strategy and cannot be known with certainty. As a result, the transmission failure probability at that time is also uncertain and cannot be used in the analysis.

A crucial role in our analysis is played by the following lemma, where we investigate the products of affine functions that involve the transmission failure indicator and we obtain upper bounds for the expected values of those products. As we show later in the proof of Theorem III.2, such upper bounds allow us to conduct stability analysis without relying on transmission failure probabilities for each time step. Notice that the scalar from Assumption III.2 and the concave function satisfying (7) are essential in the derivation of these bounds.

Lemma III.3

Suppose that the attacker’s interference power process satisfies Assumption III.2. Then for every , that satisfy

(20)

there exist scalars and such that

(21)

for with .

{proof}

For the case where , (21) holds for any and . In the following, we consider the case where . First, by Lemma 2 of [14],

(22)

Next, by (22), , and , , we get

(23)

where . We note that is nondecreasing, concave, and continuous, because also possesses those properties and .

Our goal is to obtain an upper-bound for the term in (23). To this end, we first show

(24)

We note that (24) holds if for some . Now, consider the case where for all . For this case, we have

(25)

Here, is a concave function, since it is the composition of a nondecreasing concave function and a concave function (see Section 3.2.4 in [23]). Therefore, by (25),

(26)

which implies (24). The attacker’s interference power process satisfies (12) in Assumption III.2, and hence, , almost surely. Thus, noting that is a nondecreasing function, by (24), we obtain , almost surely. Consequently, we have

(27)

Now, it follows from (20) that . Therefore, by the continuity of , there exists such that . As a result, for sufficiently large values of , we have .

Let be a positive integer such that

(28)

Furthermore, let

(29)

It follows from (27) that

(30)

for all such that . If , then (21) holds, by (30). If, on the other hand, , then by using , , we obtain

(31)

for all such that . Letting

(32)

we obtain (21), by (30) and (31).

Lemma III.3 shows that under Assumption III.2, with , satisfying (20), converges to zero at a geometric rate. By using this lemma, we obtain the following result.

Lemma III.4

Suppose that the attacker’s interference power process satisfies Assumption III.2. Then for every , that satisfy (20), there exists a scalar such that

(33)

for

{proof}

Since (20) holds, it follows from Lemma III.3 that , where and are scalars that depend on and . Letting

(34)

we obtain

which completes the proof.

In Lemmas III.3 and III.4, we obtained the upper-bounding inequalities (21) and (33) concerning the transmission failure indicator process . In our proof of Theorem III.2 given below, we utilize these inequalities.

Proof of Theorem III.2: By (16) and (17),

almost surely, and hence, for ,

(35)

Next, we apply Lemma III.3 and III.4 to obtain upper-bounds for the expectation terms on the right-hand side of (35). First, since , (18) implies . Thus, we have and . By letting and , (18) implies (20). Therefore, by Lemmas III.3 and III.4, we have and , where , , and are scalars that depend on and . Hence, with

(36)

the inequality (19) follows from (35).

Remark III.5

By using (36) together with (29), (32), and (34), we can obtain the values of , , and as

(37)
(38)
(39)

where is a positive integer that satisfies

and moreover, are scalars that satisfy (15). Notice that the attacker with large resources can cause the state norm to grow to large values. This is also indicated in the upper bound for the first moment of the state given in (19). In particular, if in Assumption III.2 is large, then is large, which makes large, since is an increasing function of . Furthermore, since

we observe that is large for large values of and . On the other hand, for large values of , is close to . If the upper bound of average interference powers is large, then the term in (19) converges slowly, since for large , is close to .

Iii-D Stabilization Under Jamming Interference and Disturbance with Finite Second Moment

In Theorem III.2, we considered the case where the Euclidean norm of the disturbance is bounded at each time almost surely by a scalar . Next, we investigate the scenarios where the disturbance may not be bounded by such a scalar. Our goal is to obtain a relation between the state and the disturbance similar to those used for establishing noise-to-state stability in stochastic systems (see, e.g., [15, 16]). Specifically, in the following result, we provide an upper bound for the first moment of the state by utilizing the second moment of the disturbance.

Theorem III.6

Consider the closed-loop networked control system (5). Suppose that the attacker’s interference power process satisfies Assumption III.2. Furthermore, suppose , . If

(40)

then there exist , , and such that