Research on co-design of dual security control and communication for nonlinear CPS with actuator fault and FDI attacks

In this study, a co-design method of dual security control and communication is investigated for a nonlinear cyber-physical system (CPS) with an actuator fault and false data injection (FDI) attacks. First, under a discrete event-triggered communication scheme (DETCS), and considering the different effects of an actuator fault and of FDI attacks on a double-end network, a dual security control strategy with active fault-tolerance and active-passive attack-tolerance is proposed. It accommodates an actuator fault, actively compensates an actuator FDI attack, and passively resists a sensor FDI attack, thereby establishing a new dual security control framework with both fault-tolerance and attack-tolerance. Moreover, the Takagi-Sugeno (T-S) fuzzy model of the nonlinear CPS is established under this framework. Second, by constructing an appropriate Lyapunov-Krasovskii functional and introducing time-delay theory and the affine Bessel-Legendre inequality, less conservative design methods are obtained for a robust augmented observer that estimates the state, the FDI attacks, and the fault, and for a dual security controller. Finally, a classical quadruple-tank model is used to show the validity and feasibility of the proposed method.


Introduction
A cyber-physical system (CPS) is a complex system that tightly integrates cyber and physical components; it realizes real-time perception and control through computation, communication, and control. 1,2 Because it is widely applied in intelligent transportation, smart cities, micro-grids, and other fields, CPS has gained increasing interest and become a prominent research topic. 3 Generally, a CPS is exposed to risk and can lose stability for the following reasons: (1) The system must be accessed and controlled remotely through an open network, which makes cyber attacks easy and increases the risk of system information being destroyed, tampered with, or blocked. 4,5 (2) The actuator, as the core physical component of a CPS, is highly prone to faults because it must operate for a long time in a relatively harsh environment. 6 Therefore, it is significant to study security control for a CPS under the dual threats of cyber attacks and physical faults. 7,8 In practice, most controlled plants are nonlinear. Modeling a nonlinear system is difficult because of its complexity and particularity and the demand for high system performance; the Takagi-Sugeno (T-S) fuzzy model is an effective approach to this problem. 9 Its basic idea is to decompose a nonlinear system into a weighted combination of local linear subsystems using IF-THEN rules, and then to apply linear system theory for modeling, analysis, and synthesis. Because of its simple modeling process, it has achieved remarkable results. [10][11][12]

the most representative trigger scheme. In Lu and Yang, 31 a new security observer based on the DETCS was designed to estimate the state and the attack. In Li et al., 32 the security consensus problem was considered for multi-agent systems, and an event-triggered control scheme with state dependence was used to update the control input signal.
In Gao et al., 33 an event-triggered dynamic output feedback control problem was studied for a discrete Markov jump system, and a dual event-triggered scheme was implemented asynchronously at the sensor node and the controller node. The above studies were based on the DETCS, which can effectively save network resources. However, few results exist on the co-design of dual security control and communication for a nonlinear CPS. This is another motivation of this study.
Based on previous investigations, in this study, we aim to co-design dual security control and communication for a nonlinear CPS under the DETCS. The main contributions are summarized as follows: (1) A new dual security control strategy with active fault-tolerance and active-passive attack-tolerance is proposed, in which an actuator fault and an actuator FDI attack are compensated actively and a sensor FDI attack is defended passively. Furthermore, a dual security control framework is built, which lays the foundation to realize dual security control for an actual CPS with FDI attacks on the dual-end network and an actuator fault. (2) A robust augmented observer is obtained to accurately estimate the system state, FDI attacks, and actuator fault in real time using the augmented matrix method.

(3) A new T-S fuzzy model of a closed-loop nonlinear CPS is established under the DETCS, which integrates a trigger condition, FDI attacks, and an actuator fault. Subsequently, a co-design method of dual security control and communication with reduced data transmission is established to achieve a balance between dual security control and communication resources. (4) In the derivation of the robust augmented observer and the dual security controller, an appropriate Lyapunov-Krasovskii functional is constructed and the affine Bessel-Legendre inequality is introduced, thereby reducing the conservatism of the design. An engineering case study of a quadruple tank shows that the theoretical strategies of this study can effectively resist the adverse effects of FDI attacks and an actuator fault and maintain system stability while saving communication resources.
The remainder of this paper is organized as follows. The problem formulation is presented in Section 2. In Section 3, the design of the robust observer is described. The co-design of dual security control and communication is presented in Section 4. Section 5 discusses the simulation experiments, and the conclusion is presented in Section 6.

Framework of dual security control
Based on the DETCS, a new dual security framework with an actuator fault and FDI attacks on a double-end network is established, as shown in Figure 1.
As shown in Figure 1, the system consists of five parts: a controlled plant, an intelligent sensing unit, a control unit, an execution unit, and a communication network. In this study, an actuator fault and FDI attacks on the actuator and sensor sides are considered simultaneously.
The intelligent sensing unit includes a sensor, samplers, an augmented observer, and an event generator. Among them, the sensor and sampler 1 are used to observe the system output and conduct the sampling at equal periods, and the augmented observer is used to observe the system state, FDI attacks, and an actuator fault. The estimated results are sampled by sampler 2 at equal periods. The event generator is used to determine whether the current sampling value meets the trigger condition. If it does, the sampling value is transmitted to the control unit through the sensor network; otherwise it is discarded. Evidently, the filtered data are transmitted non-uniformly, and the transmission period is longer than the sampling period h; therefore, the network resources can be saved.
The control unit computes the control quantity with active fault-tolerance and active-passive attack-tolerance from the received data, after which the control data are transmitted to the execution unit. The control action is therefore also updated in a non-uniform periodic manner.
The execution unit includes a zero-order holder (ZOH) and an actuator. The ZOH holds the data in a non-uniform periodic manner, and it transmits the result to the actuator, which acts on the controlled plant.
Assumption 1: Sampling is conducted with equal period $h$; the intelligent sensing unit is clock-driven, and the corresponding sampling sequence is $\{i_k\}$, $k = 0, 1, 2, \cdots$. Both the control and execution units are event-driven. The release period of the filtered data by the event generator is denoted as $h_k$, and the corresponding release sequence is $\{t_k\}$, $k = 0, 1, 2, \cdots$.
Assumption 2: FDI attacks are detectable and separable from physical faults.

System description
As shown in Figure 1, the plant is continuous, whereas the intelligent sensing and control units operate on digital quantities; therefore, the system is a typical sampled-data system. Considering a class of nonlinear controlled plants, the following state equation of the fuzzy system is obtained by adopting the T-S fuzzy model:

where $\xi_i(\theta(t)) = \alpha_i(\theta(t)) / \sum_{i=1}^{N} \alpha_i(\theta(t))$, $\xi_i(\theta(t))$ represents the normalized weight of each fuzzy rule,

and $M_{ij}(\theta_j(t))$ is the membership grade of $\theta_j(t)$ in $M_{ij}$. It is assumed that $\alpha_i(\theta(t)) \ge 0$ ($i = 1, 2, \cdots, N$) and $\sum_{i=1}^{N} \alpha_i(\theta(t)) > 0$; therefore $\xi_i(\theta(t)) \ge 0$ and

and $E_{vi}$ are known matrices with appropriate dimensions. $x(t) \in \mathbb{R}^n$ is the system state, $u(t) \in \mathbb{R}^{n_u}$ is the control input (not including the actuator FDI attack), $w(t) \in \mathbb{R}^{n_w}$ is the disturbance, $y(i_k) \in \mathbb{R}^m$ is the sampled output at instant $i_k$, $v(i_k) \in \mathbb{R}^{n_v}$ is the measurement noise, and $a_a(t) \in \mathbb{R}^{n_{ca}}$ and $a_s(i_k) \in \mathbb{R}^{n_{sc}}$ are the FDI attacks on the double-end network, called the actuator FDI attack and the sensor FDI attack, respectively. $\{i_1, i_2, \cdots, i_k, \cdots\}$ is the sampling time sequence and $f(t) \in \mathbb{R}^{n_f}$ is a time-varying actuator fault. The derivatives of $f(t)$ and $a_a(t)$ are norm-bounded, that is, there exist constants $f_1$ and $a_1$ such that $\|\dot f(t)\| \le f_1$ and $\|\dot a_a(t)\| \le a_1$.
Remark 1: In real systems, an actuator fault occurs in a physical device, whereas an FDI attack comes from the information network. Although they differ essentially in source, generation mechanism, and effect, both an actuator fault and an FDI attack eventually degrade the system performance or even destabilize the system.

Remark 2:
The actuator FDI attack alters the control actions applied to the system, whereas the sensor FDI attack modifies the sensor measurements. They are modeled in equation (1) according to their different injection points and effects. 34,35 To detect and estimate the FDI attacks and the system state online, the system state $x(t)$, the actuator FDI attack $a_a(t)$, and the sensor FDI attack $a_s(t)$ are augmented into a new state $\eta(t)$. Thus, the following augmented state equation is obtained:

where

Trigger condition of DETCS
In this study, we adopt the typical DETCS in Peng and Yang 28 to determine whether the current sampling value needs to be transmitted.
where $\sigma \in [0, 1)$ is a predefined event-trigger parameter related to the expected system performance, and $\Phi$ is a symmetric positive definite matrix to be designed.
The release error used by the event generator is defined as $e(i_k) = \hat x(i_k) - \hat x(t_k)$, where $\hat x(i_k)$ is the state estimate produced by the observer at the current sampling instant and $\hat x(t_k)$ is the latest released state estimate, that is, the estimate that met the trigger condition in equation (3) at the last release instant and was transmitted through the network.

Analysis of correlated delay interval
From the above analysis, the observer estimates are produced with a constant sampling period, whereas the fault-tolerant/attack-tolerant control is updated with a non-uniform period. Therefore, both are treated as sampled-data systems and handled with time-delay theory. 36,37 The delay analysis is similar to that in Li et al., 38 and is not elaborated here.
The time-delay function is defined as

where $h$ is the sampling period.
The upper and lower bounds of the time-delay function can be described as follows:

where $h_{k\max}$ is the maximum transmission period released by the event generator, and $\tau_0$ is the upper bound of $\tau(t_k + (d_k + 1)h)$.
Design of robust $H_\infty$ observer for estimation of state, FDI attacks, and actuator fault

Augmented error system
Time-delay theory is adopted to analyze the sampling characteristics of the system output within one sampling period; the discrete sampled output is held through the ZOH, 39 and the measurement output can be obtained as follows:

The following observer is constructed to observe the system state, the FDI attacks, and the actuator fault:

The following are defined:

The error system can be obtained as follows:

Thus, the augmented error system in the system state, the FDI attacks, and the actuator fault is as follows:

where

Remark 3: Using the augmented matrix method, an augmented observer is obtained in equation (7), which observes the system state, the FDI attacks on the double-end network, and the actuator fault in real time.

Design of robust $H_\infty$ observer
Theorem 1: Consider the error system in equation (9). For given positive constants $h_1$ and $\gamma_1$, if there exist a symmetric positive definite matrix $P$ and matrices $X$, $Y_j$ of appropriate dimensions such that the following conditions hold:

$< 0$ (13)

then the error system in equation (9) is asymptotically stable and satisfies the $H_\infty$ performance index in equation (14). The augmented state observer gain matrix $L_j$ and the fault estimation gain matrix $F_j$ are obtained as

where

Proof: To show that the error system in equation (9) is asymptotically stable, we first consider $w(t) = 0$, $v(i_k) = 0$, and construct the Lyapunov-Krasovskii functional as follows:

where $\upsilon_1(t) = e(t) - e(i_k)$ and $P = P^T > 0$, $Q = Q^T > 0$, $R = R^T > 0$, $S = S^T > 0$. Differentiating along the trajectory of the system in equation (9), we obtain

The integral term $-\int_{t-\tau_1(t)}^{t} \dot e^T(s) R \dot e(s)\,ds$ can be bounded by the affine Bessel-Legendre inequality with reduced conservatism, 40 that is,

where

Substituting the inequality in equation (17),

If $\Sigma_{11} + (h_1 - \tau_1(t))\Sigma_{12} + \tau_1(t)\Sigma_{13} < 0$, then $\dot V_1(t) < 0$; therefore, the error system in equation (9) is asymptotically stable. According to the linear convex combination lemma in Park et al., 41 the necessary and sufficient conditions for $\Sigma_{11} + (h_1 - \tau_1(t))\Sigma_{12} + \tau_1(t)\Sigma_{13} < 0$ are

Under zero initial conditions, when $w(t) \neq 0$, $v(i_k) \neq 0$, consider the following $H_\infty$ performance index function:

We define

Furthermore, the following equation can be obtained:

where

It follows from the linear convex combination lemma that $J_1 < 0$ is equivalent to

Because the inequalities in equations (18) and (21) are nonlinear, let $R = \nu_1 P$, $S = \nu_2 P$, $Q = \nu_3 P$, $Y_j = P L_j$; thus, the nonlinear matrix inequalities are converted into linear matrix inequalities by applying the Schur complement lemma, and the inequalities in equations (10)-(13) can be solved with the linear matrix inequality (LMI) toolbox.
Among them, the parameters $L_j$ and $F_j$ are obtained from $L_j = P^{-1} Y_j$. Integrating equation (19) from $0$ to $+\infty$ shows that

holds. Consequently, the $H_\infty$ performance index is verified.

Remark 4:
When dealing with the integral term, the affine Bessel-Legendre inequality is used in this paper, which reduces the conservatism of the final result and enlarges the feasible solution space, resulting in improved system performance and a stronger defense against the actuator fault and the FDI attacks.

Co-design of robust $H_\infty$ dual security control and communication
The control input is updated according to the following equation:

where $t \in [t_k, t_{k+1})$ and $\{t_1, t_2, \cdots, t_k, \cdots\}$ is the sequence of release instants of the event generator. $\hat x(t_k)$, $\hat f(t_k)$, and $\hat a_a(t_k)$ are the estimates of the system state, the actuator fault, and the actuator FDI attack, respectively, produced by the observer. $K_j \in \mathbb{R}^{n_u \times n}$ is the controller gain matrix to be designed. $B_j^+ \in \mathbb{R}^{n_u \times n}$ is the fault adjustment matrix, and it satisfies

Remark 5: For the actuator fault, an active fault-tolerant control strategy is adopted. For the FDI attacks on the double-end network, different countermeasures are adopted according to where they are injected. Specifically, the actuator FDI attack is defended by active compensation, and the sensor FDI attack is defended passively, that is, rejected robustly by the dynamic output feedback control. The combination of active and passive defense is called active-passive attack-tolerant control.

Substituting the control input in equation (22) into the controlled plant model in equation (1), the closed-loop nonlinear CPS model with the actuator fault and the FDI attacks is obtained as follows:

Furthermore, equation (23) can be written as follows:

Remark 6: Theorem 1 ensures that the estimation errors $e_x(t - \tau_2(t))$, $e_f(t - \tau_2(t))$, and $e_{a_a}(t - \tau_2(t))$ of the system state, the actuator fault, and the actuator FDI attack converge asymptotically, whereas $\tau_2(t) E_{fi} \dot f(t)$ and $\tau_2(t) B_i \dot a_a(t)$ are norm-bounded; therefore, they can be treated as external disturbances. In addition, the sensor FDI attack is regarded as a special type of disturbance to be tolerated passively in a robust manner.

Remark 7:
In the design of the controller, we consider the dual security control for the actuator fault and the FDI attacks, and it is insensitive to various types of disturbances. In fact, it is a robust controller with active fault-tolerance and active-passive attack-tolerance; therefore, it can be referred to as a dual security controller.

Design goals
Under the DETCS, for the nonlinear CPS with the actuator fault and the FDI attacks, the co-design goals for fault-tolerance, attack-tolerance, and communication are as follows: (1) In the absence of attacks and disturbances, the security control gain $K_j$ and the event-trigger matrix $\Phi$ are obtained cooperatively such that the closed-loop nonlinear CPS in equation (24) is asymptotically stable; (2) In the presence of FDI attacks and disturbances, under zero initial conditions and with $e_x(t_k) \neq 0$, $e_f(t_k) \neq 0$, $e_{a_a}(t_k) \neq 0$, $w(t) \neq 0$, the system satisfies

where $\gamma_2$ is the disturbance suppression parameter and $\|\cdot\|_2$ is the $L_2[0, \infty)$ norm; (3) The nonlinear CPS realizes dual security control while the amount of transmitted data is significantly reduced, saving network resources, so that a trade-off is achieved between security control performance and communication resource utilization.

Design of dual security controller
Theorem 2: Under the DETCS, for given positive constants $h_2$, $\gamma_2$, $\nu_1$, $\nu_2$, $\nu_3$, $\mu_1, \cdots, \mu_6$ and a trigger parameter $\sigma \in [0, 1)$, consider the system in equation (24) with the time-varying actuator fault $f(t)$ and the FDI attacks $a_a(t)$, $a_s(i_k)$. If there exist a symmetric positive definite matrix $P'$ and matrices $X'$, $K_1$, $Q_2$, $Q_4$, $Q_6$, $Q'_2$, $Q'_4$, $Q'_6$ of appropriate dimensions such that the following conditions hold:

$< 0$ (25)

$< 0$ (26)

then the system in equation (24) is asymptotically stable and meets the $H_\infty$ performance index in equation (30). The dual security controller gain $K_j = (P' B_i)^+ K_{1j}$ and the event-trigger matrix $\Phi$ are obtained cooperatively.

Remark 8:
In the proofs of Theorems 1 and 2, the affine Bessel-Legendre inequality with reduced conservativeness is adopted. Thus, the designed robust observer and the dual security controller can estimate the system state, actuator fault, and FDI attacks accurately. Moreover, it has the dual security control capabilities of fault-tolerance and attack-tolerance, and more importantly, it can enhance the performance of the nonlinear CPS.

Simulation experiment and results
To demonstrate the feasibility and effectiveness of the proposed method, we adopt the classical quadruple-tank model described in Johansson. 42 In the simulation, $x_i$ ($i = 1, 2, 3, 4$) represents the water level variation of the $i$th tank and $y_i$ denotes the measured variation. The tanks are supplied by two pumps, and $u_1$ and $u_2$ are the voltages applied to them. The disturbance $w(t)$ and the noise $v(i_k)$ are independent white noise processes distributed as $N(0.1, 0.01)$. The initial state is $x(0) = [4\ 4\ 2\ 2]^T$, and the sampling period is $h = 0.1$ s.
The fuzzy membership functions are taken as $M_1(x_4) = \sin^2 x_4$, $M_2(x_4) = \cos^2 x_4$, $M_3(x_4) = \sin^2 x_4$, $M_4(x_4) = \cos^2 x_4$, and the nonlinear system is expressed as a T-S fuzzy system with four rules.
Suppose that the fault occurs in the first channel; the time-varying fault of the system is then
$$f(t) = \begin{cases} 0, & t \le 100 \\ 2 + 2\sin\big(0.01\pi(t - 100)\big), & 100 < t \le 800 \end{cases}$$
For the actuator FDI attack, we assume that its first channel is identically zero and that the second channel satisfies
$$a_a(t) = \begin{cases} 0, & t \le 100 \\ 1 + \sin\big(0.01\pi(t - 100)\big), & 100 < t \le 800 \end{cases}$$
For the sensor FDI attack, we assume that each channel satisfies
$$a_s(t) = \begin{cases} 0, & t \le 100 \\ 1 + \sin\big(0.01\pi(t - 100)\big), & 100 < t \le 800 \end{cases}$$
To observe the above fault and FDI attacks more clearly, the estimates and the corresponding estimation errors of the fault, the actuator FDI attack, and the sensor FDI attack are shown in Figures 2 to 9.
It can be seen from Figures 2 to 9 that the estimation errors of the fault, the actuator FDI attack, the sensor FDI attack, and the state fluctuate more strongly at 100 s, when the FDI attacks and the actuator fault are applied; for the remaining time they stay within the normal range. The fault estimation error does not exceed $\pm 0.05$, and the estimation error of the actuator FDI attack does not exceed $\pm 0.1$. The estimation error of the sensor FDI attack fluctuates within $\pm 0.02$, and the state estimation error fluctuates within $\pm 0.01$. These results show that the robust observer designed with the proposed method estimates the state, the FDI attacks, and the actuator fault promptly and accurately.

Analysis of impact of event-trigger parameters on CPS security and communication resource
To further analyze the influence of the trigger parameter on CPS security and communication resources, the data transmission amount and the system security state under different trigger parameters are listed in Table 1, where $n$ is the data transmission amount, $\bar n$ is the data transmission rate, and $\bar h$ is the average transmission period. It can be seen that as the trigger parameter $\delta$ (denoted $\sigma$ in the trigger condition) increases, the data transmission amount $n$ decreases and the average transmission period $\bar h$ increases; however, the system becomes unstable when $\delta = 0.0012$. Therefore, although increasing $\delta$ reduces the amount of transmitted data and saves network resources, it does so at the expense of system security. It is thus important to choose an appropriate trigger parameter $\delta$ to balance system security against network resources. In this study, $\delta = 0.001$ is selected on the basis of this trade-off.

Comparison of different control methods
In the following, the active-passive attack-tolerance method proposed in this paper is compared with the passive attack-tolerance method in Li et al. 38 (which tolerates the FDI attacks on the double-end network passively and the actuator fault actively). The output responses under the two methods are presented in Figure 10(a) and (b), and the data transmission amounts are listed in Table 2.
The system output in Figure 10(a) remains stable after 400 s, whereas that in Figure 10(b) diverges after 500 s, which indicates that the method proposed in this paper defends against FDI attacks more effectively than that of Li et al. 38 Table 2 shows that the amount of transmitted data is smaller with the method proposed in this paper than with the other methods, so the proposed method is also more effective in saving network communication resources.
The reason is that the method in Li et al. 38 regards the FDI attacks on the double-end network as special disturbances and suppresses them passively in a robust manner. The control strategy proposed in this paper is different: a targeted active compensation is applied to the actuator FDI attack according to its estimate, and the passive attack-tolerance method is used only for the sensor FDI attack. Therefore, under a severe FDI attack, the proposed method outperforms the other method in both defense capability and the saving of communication resources.
Compared with the PTTCS, under which all 8000 samples are transmitted, the DETCS transmits only 652 samples in Table 2, a transmission rate of 8.15% and an average transmission period of $\bar h = 1.227$ s. This result further shows that the method proposed in this paper not only ensures good performance but also effectively saves network communication resources, achieving a trade-off between dual security control and communication resources.
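The following Python block is an added illustration, not code from the paper or its quadruple-tank simulation. It implements an event generator with a DETCS-style trigger of the kind described under "Trigger condition of DETCS" (equation (3) is not reproduced above, so the inequality $e^T \Phi e > \sigma\, \hat x^T \Phi \hat x$ is an assumption in the standard form of Peng and Yang), computes the transmission amount, rate, and average period used in Tables 1 and 2, and contrasts the passive and the active handling of an actuator FDI attack described in Remark 5. The plant (a discretised double integrator), the gain $K$, the choice $\Phi = I$, and the attack estimate (the true attack delayed by one sample, standing in for the augmented observer) are all assumptions chosen for illustration; the attack signal itself is the paper's $1 + \sin(0.01\pi(t - 100))$.

```python
"""Added illustration (not the paper's code): a DETCS-style event generator,
the transmission statistics of Tables 1 and 2, and active compensation of an
actuator FDI attack on a constructed two-state plant.  The plant, the gain K,
Phi = I and the attack estimate (assumed exact but one sample late) are
assumptions made for this example."""
import math

H = 0.1  # sampling period h in seconds, as in the paper's simulation


def quad(v, m):
    """v^T m v for a short vector v and a square matrix m given as nested lists."""
    n = len(v)
    return sum(v[i] * m[i][j] * v[j] for i in range(n) for j in range(n))


def triggered(x_now, x_last, sigma, phi):
    """Assumed form of the DETCS condition (after Peng and Yang): release the
    current sample when e^T Phi e > sigma * x_now^T Phi x_now, where
    e = x_now - x_last is the gap between the current and the last released estimate."""
    e = [a - b for a, b in zip(x_now, x_last)]
    return quad(e, phi) > sigma * quad(x_now, phi)


def transmission_stats(n_sent, n_samples, h):
    """Quantities of Tables 1 and 2: amount n, rate n/N and average period N*h/n."""
    return {"n": n_sent, "rate": n_sent / n_samples,
            "avg_period": n_samples * h / n_sent}


def actuator_attack(t, onset=100.0):
    """The paper's actuator FDI signal on the attacked channel."""
    return 0.0 if t <= onset else 1.0 + math.sin(0.01 * math.pi * (t - onset))


def simulate(sigma, compensate, steps=8000, onset=100.0):
    """Closed loop x+ = A x + B (u + a_a) for an assumed discretised double
    integrator with u = K x(t_k) computed from the last released sample, which
    the ZOH holds between events.  With compensate=True the controller subtracts
    the attack estimate (assumed: the true a_a delayed by one sample) before the
    input leaves the control unit; otherwise the attack is only tolerated
    passively by the stabilising feedback."""
    A = [[1.0, H], [0.0, 1.0]]
    B = [H * H / 2.0, H]
    K = [-1.0, -1.5]                 # assumed gain; |eig(A + B K)| = 0.925
    phi = [[1.0, 0.0], [0.0, 1.0]]   # assumed trigger weight Phi = I
    x = [1.0, 0.0]
    x_last = list(x)                 # the first sample is always released
    n_sent = 1
    a_hat = 0.0                      # attack estimate available to the controller
    worst = 0.0
    for k in range(steps):
        t = k * H
        if k > 0 and triggered(x, x_last, sigma, phi):
            x_last = list(x)         # event: send this sample over the network
            n_sent += 1
        u = K[0] * x_last[0] + K[1] * x_last[1]
        if compensate:
            u -= a_hat               # active compensation of the actuator attack
        v = u + actuator_attack(t, onset)   # what the actuator really applies
        x = [A[0][0] * x[0] + A[0][1] * x[1] + B[0] * v,
             A[1][0] * x[0] + A[1][1] * x[1] + B[1] * v]
        a_hat = actuator_attack(t, onset)   # estimate becomes available next step
        if t > onset:
            worst = max(worst, abs(x[0]))
    stats = transmission_stats(n_sent, steps, H)
    stats["max_deviation_after_onset"] = worst
    return stats


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate(0.001, mode)
        print("compensate=%s: sent %d of 8000 (%.2f%%), avg period %.3f s, "
              "max |x1| after attack %.4f"
              % (mode, r["n"], 100 * r["rate"], r["avg_period"],
                 r["max_deviation_after_onset"]))
```

Running the block prints, for the paper's trigger parameter 0.001, the number of released samples out of 8000, the rate and the average period, and the largest level deviation after the attack begins: the compensated run leaves only the one-sample estimation lag and the attack's per-step increments in the loop, whereas the passive run lets the full attack reach the plant. `transmission_stats(652, 8000, 0.1)` reproduces the 8.15% and 1.227 s quoted from Table 2.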

Conclusion
Based on the DETCS, this study investigated a co-design method of dual security control and communication for a nonlinear CPS with an actuator fault and FDI attacks. First, a dual security control framework with active fault-tolerance and active-passive attack-tolerance was built, and a T-S fuzzy model of the closed-loop CPS was established, integrating the trigger condition, the actuator fault, and the FDI attacks. Second, by introducing an appropriate Lyapunov-Krasovskii functional, time-delay theory, the affine Bessel-Legendre inequality, and LMI techniques, a robust observer for estimating the state, the FDI attacks, and the fault, as well as a dual security controller with active fault-tolerance and active-passive attack-tolerance, were obtained. This achieved the co-design goal of dual security control and communication. Finally, a simulation of a quadruple tank was conducted. It showed that the proposed method estimates the system state, the actuator fault, and the FDI attacks promptly and accurately, tolerates the fault actively and the FDI attacks actively-passively, and at the same time saves network communication resources effectively. The results can also provide a theoretical basis for the dual security design of a nonlinear CPS in practical engineering. In particular, when a system is subject to FDI attacks and an actuator fault simultaneously, the active-passive attack-tolerance strategy is expected to be an effective defense. However, this study deals with the FDI attack at the sensor end passively, and the defense capability of passive attack-tolerance is limited. Therefore, how to establish a more effective strategy that actively deals with FDI attacks on both ends of the network and further improves the CPS security defense capability will be investigated in future work.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.