Without us realizing it, solutions for safety and security are present all around us. However, everyone has undoubtedly also experienced how inconvenient some safety and security measures can be. For example, think about security checks at the airport, the need to wear a bicycle helmet, or being asked to perform 2-factor authentication to log into an online account. Such inconveniences caused by safety and security measures can delay or even prevent their implementation, which is undesired. This reluctance to tolerate inconveniences for the sake of safety and security provides a challenge for engineers to find solutions with minimal impact on normal behaviour.

This challenge is especially pronounced in so-called cyber-physical systems (CPSs), in which digital automation is used to coordinate the actions of one or more physical systems. Examples of CPSs are airplanes, robotic arms or the power grid. Such CPSs have the combined advantages of the physical and cyber world, but are also subject to both threats to safety and security. In fact, the integration of physical and cyber parts in a CPS means that security issues can cause safety issues, and although less common safety issues can cause security issues.

Measures for safety and security of CPSs are categorized as prevention, resilience, and detection & accommodation. These different types of precautions can be used independently, but typically they need to be combined to provide adequate safety and security of a CPS. In this dissertation, three advances within safety and security of CPSs are presented which cover contributions on each of the different types of safety and security measures. Firstly, anomaly detection is addressed by extending existing sliding mode observer (SMO) based anomaly estimation methods with detection capability. To this end, two SMO based anomaly detectors are presented, which are applicable to a large class of SMOs. These detectors, by design, have no false alarms and allow for strong theoretical guarantees on detectability.

Secondly, a topology-switching coalitional control technique which integrates resilience, detection and accommodation is designed for safe control of a collaborative vehicle platoon (CVP) subjected to man-in-the-middle (MITM) cyber-attacks. Here resilience to undetected attacks is achieved by means of scenario-based model predictive control (MPC) and detected anomalies are accommodated by disabling the affected communication links. Lastly, a real-time implementation of encrypted control based on fully homomorphic encryption (FHE) is presented. FHE allows for manipulation of encrypted data, such that it can prevent confidentiality breaches during communication and computation.

Each contribution of this dissertation addresses a specific topic within safety and security of CPSs. By doing so, they demonstrate the potential of these methods to increase safety and security of CPSs while minimizing their impact on normal behaviour. This will promote the adaptation of safety and security measures and allows for safety and security throughout the continued progress in automation.@en

The Flight Control System (FCS) is one of the most important systems in all modern aircraft. For such systems it is required to have robust Fault Detection Isolation and Reconfiguration (FDIR) functionalities with high detection performance. In this work we specifically consider the Oscillatory Failure Cases (OFC), which, if not mitigated, can cause additional structural loads for which the aircraft is not designed. A Sliding Mode Observer (SMO) based detection method is proposed for fast and consistent detection of these OFC faults. A benchmark of a generic aircraft FCS equipped with OFC simulation capabilities, as well as the presented solution for detection, have previously been presented within a competition at the 2020 IFAC World Congress.

@en

This work presents a coalitional model predictive controller for collaborative vehicle platoons. The overall system is modeled as a string of locally controlled vehicles that can share data through a wireless communication network. The vehicles can dynamically form disjoint groups that coordinate their actions, i.e., the so-called coalitions. The control goals are keeping a desired reference distance between all vehicles while allowing for occasional switching of the communication topology. Likewise, the presented controller promotes a string-stable evolution of the platoon system. Numerical results are provided to illustrate the proposed approach.

@en

Interconnections in modern systems make them vulnerable to adversarial attackers both by corrupting communication channels and compromising entire subsystems. The field of secure state estimation (SSE) aims to provide correct state estimation even when an unknown part of the measurement signals is corrupted. In this letter, we propose a solution to a novel generalized SSE problem in which full subsystems can be compromised, corrupting both the actuation and measurement signals. For a full system with p measurements, the proposed sliding mode observer (SMO)-based solution allows for up to p attack channels which can be arbitrarily distributed amongst attacks on actuation and measurement signals. This is a much larger class of attacks than considered in the existing literature. The method is demonstrated on 10 interconnected mass-spring-damper subsystems.

@en

In this paper we present a hierarchical scheme to detect cyber-attacks in a hierarchical control architecture for large-scale interconnected systems (LSS). We consider the LSS as a network of physically coupled subsystems, equipped with a two-layer controller: on the local level, decentralized controllers guarantee overall stability and reference tracking; on the supervisory level, a centralized coordinator sets references for the local regulators. We present a scheme to detect attacks that occur at the local level, with malicious agents capable of affecting the local control. The detection scheme is computed at the supervisory level, requiring only limited exchange of data and model knowledge. We offer detailed theoretical analysis of the proposed scheme, highlighting its detection properties in terms of robustness, detectability and stealthiness conditions.@en

Fully Homomorphic Encryption (FHE) has made it possible to perform addition and multiplication operations on encrypted data. Using FHE in control thus has the advantage that control effort for a plant can be calculated remotely without ever decrypting the exchanged information. FHE in its current form is however not practically applicable for real-time control as its computational load is very high compared to traditional encryption methods. In this paper a reformulation of the Gentry FHE scheme is proposed and applied on an FPGA to solve this problem. It is shown that the resulting FHE scheme can be implemented for real-time stabilization of an inverted double pendulum using discrete time control.@en

Sliding Mode Observer (SMO) based methods have been extensively used for Fault Estimation (FE). However, the fault detection (FD) problem for these SMO based FE methods has not been completely solved. In this paper a robust threshold on the so-called Equivalent Output Injection (EOI) is presented which enables FD for systems with measurement noise and unmatched uncertainties. This threshold is applicable to a large class of existing SMO based FE methods, and its applicability can easily be verified. Theoretical guarantees on the detection performance of this threshold are provided, and further demonstrated via a simulation study.

@en

Road intersections are widely recognized as a lead cause for accidents and traffic delays. In a future scenario with a significant adoption of Cooperative Autonomous Vehicles, solutions based on fully automatic, signage-less Intersection Control would become viable. Such a solution, however, requires communication between vehicles and, possibly, the infrastructure over wireless networks. This increases the attack surface available to a malicious actor, which could lead to dangerous situations. In this paper, we address the safety of Intersection Control algorithms, and design a Sliding-Mode-Observer based solution capable of detecting and estimating false data injection attacks affecting vehicles’ communication. With respect to previous literature, a novel detection logic with improved detection performances is presented. Simulation results are provided to show the effectiveness of the proposed approach.@en

Platoons of autonomous vehicles are being investigated as a way to increase road capacity and fuel efficiency. Cooperative Adaptive Cruise Control (CACC) is an approach to achieve such platoons, in which vehicles collaborate using wireless communication. While this collaboration improves performance, it also makes the vehicles vulnerable to cyberattacks. In this paper the performance of a sliding mode observer (SMO) based approach to cyber-attack detection is analysed, considering simultaneous attacks on the communication and local sensors. To this end, the considered cyber-attacks are divided into three classes for which relevant theoretical properties are proven. Furthermore, the harm that attacks within each of these classes can do to the system while avoiding detection is analysed based on simulation examples.@en

In this paper a coalitional control and observation scheme is presented in which the coalitions are changed online by enabling and disabling communication links. Transitions between coalitions are made to best balance overall system performance and communication costs. Linear Matrix Inequalities are used to design the controller and observer, guaranteeing stability of the switching system. Simulation results for vehicle platoon control are presented to illustrate the proposed method.

@en

Platoons of autonomous vehicles are being investigated as a way to increase road capacity and fuel efficiency. Cooperative Adaptive Cruise Control (CACC) is one approach to controlling platoons longitudinal dynamics, which requires wireless communication between vehicles. In the present paper we use a sliding mode observer to detect and estimate cyber-attacks threatening such wireless communication. In particular we prove stability of the observer and robustness of the detection threshold in the case of event-triggered communication, following a realistic Vehicle-to-Vehicle network protocol.

@en