Attack-Resilient State Estimation with Intermittent Data Authentication

TL;DR

This paper investigates the resilience of state estimators in control systems against stealthy sensor attacks, analyzing conditions for perfect attackability and demonstrating that intermittent data authentication can prevent unbounded estimation errors.

Contribution

It introduces necessary and sufficient conditions for perfect attackability in linear systems and shows how intermittent data authentication enhances resilience against stealthy attacks.

Findings

Perfect attackability can occur even in stable plants.

Intermittent data authentication prevents unbounded estimation errors.

Cryptographic mechanisms can prevent perfect attackability but are costly.

Abstract

Network-based attacks on control systems may alter sensor data delivered to the controller, effectively causing degradation in control performance. As a result, having access to accurate state estimates, even in the presence of attacks on sensor measurements, is of critical importance. In this paper, we analyze performance of resilient state estimators (RSEs) when any subset of sensors may be compromised by a stealthy attacker. Specifically, we consider systems with the well-known l0-based RSE and two commonly used sound intrusion detectors (IDs). For linear time-invariant plants with bounded noise, we define the notion of perfect attackability (PA) when attacks may result in unbounded estimation errors while remaining undetected by the employed ID (i.e., stealthy). We derive necessary and sufficient PA conditions, showing that a system can be perfectly attackable even if the plant is stable. While PA can be prevented with the use the standard cryptographic mechanisms (e.g.,message authentication) that ensure data integrity under network-based attacks, their continuous use imposes significant communication and computational overhead. Consequently, we also study the impact that even intermittent use of data authentication has on RSE performance guarantees in the presence of stealthy attacks. We show that if messages from some of the sensors are even intermittently authenticated, stealthy attacks could not result in unbounded state estimation errors.