
A Scalable Design Approach to Resilient Architectures for Interconnected Cyber-Physical Systems: Safety Guarantees under Multiple Attacks

Eman Badr, Abdullah Al Maruf

TL;DR

The paper tackles safety guarantees for interconnected CPS under actuator attacks by introducing a per-subsystem Criticality Index (CI) that aggregates linearly across subsystems. It derives a simple linear safety condition, $\sum_{i=1}^N \rho_i \, t(M(S_i)) + c \ge 0$, linking CI to architecture recovery times, and strengthens the bound with a segmentation-based SCI; both approaches are complemented by a Sum-of-Squares (SOS) computation of the indices and a cost-aware architecture assignment algorithm. The framework is demonstrated on a three-room temperature regulation case, showing that carefully chosen recovery times preserve safety across various attack orders, while highlighting trade-offs between margin $c$, segmentation granularity, and offline computation. Overall, the work enables scalable resilience planning for large interconnected CPS and informs the safe deployment of cyber-resilient architectures.
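As an added illustration (not code from the paper), the following Python script encodes the linear safety condition from the TL;DR in an assumed toy model: a scalar safety function $h$ starts at the margin $c$ and degrades at worst at rate $\rho_i$ while $S_i$ is compromised, so the worst-case margin over an attack cycle is $\sum_i \rho_i t_i + c$. It also shows the aggregation property the summary relies on: under this model the minimum margin is identical for the three Figure 1 attack patterns (simultaneous, sequential, 50% overlap), and the inequality can be solved for the largest admissible recovery time of one subsystem. The rates, recovery times and margin are constructed values, not the paper's case-study numbers.

```python
"""Linear safety condition for interconnected CPS under multiple attacks.

Added illustration, not the paper's code. Assumed toy model: a scalar safety
function h starts at the margin c on entering C \\ C_c and, while subsystem S_i
is compromised, degrades at worst at its criticality rate rho_i <= 0 (units of
h per second). Safety means h >= 0 throughout the attack cycle; S_i stays
compromised for its architecture's recovery time t_i = t(M(S_i)) in seconds.
"""


def linear_bound(rho, t, c):
    """Worst-case margin at the end of the cycle: sum_i rho_i * t_i + c."""
    return sum(r * ti for r, ti in zip(rho, t)) + c


def is_safe(rho, t, c):
    """The linear safety condition quoted in the TL;DR."""
    return linear_bound(rho, t, c) >= 0


def max_recovery_time(rho, t, c, k):
    """Largest t_k keeping the condition satisfied for fixed other t_i
    (the inequality solved for t_k; assumes rho_k < 0)."""
    others = sum(r * ti for i, (r, ti) in enumerate(zip(rho, t)) if i != k)
    return (c + others) / (-rho[k])


def worst_case_trajectory(rho, t, c, starts):
    """Exact piecewise-linear worst-case h for a schedule in which S_i is
    compromised on [starts[i], starts[i] + t[i]); returns (time, h) breakpoints."""
    events = sorted({0.0, *starts, *(s + ti for s, ti in zip(starts, t))})
    pts, h = [(events[0], c)], c
    for a, b in zip(events, events[1:]):
        # Every event interval is either fully inside a compromise window or disjoint.
        rate = sum(rho[i] for i, s in enumerate(starts) if s <= a and b <= s + t[i])
        h += rate * (b - a)
        pts.append((b, h))
    return pts


def min_margin(rho, t, c, starts):
    """Minimum of h over the cycle for the given attack schedule."""
    return min(h for _, h in worst_case_trajectory(rho, t, c, starts))


# Constructed values (not the paper's case study): three subsystems.
RHO = (-2.0, -1.5, -4.0)   # criticality indices rho_i, h-units per second
T = (0.10, 0.10, 0.05)     # recovery times t(M(S_i)) in seconds
C = 0.60                   # margin c of the core set C_c
# The three attack patterns of Figure 1: simultaneous, sequential, 50 % overlap.
SCHEDULES = {"simultaneous": (0.0, 0.0, 0.0), "sequential": (0.0, 0.10, 0.20),
             "overlap_50": (0.0, 0.05, 0.10)}
```

Every schedule ends at the same worst-case margin of `linear_bound(RHO, T, C)`, which is why the condition needs no enumeration of attack orders or overlaps.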

Abstract

Complex, interconnected cyber-physical systems (CPS) are increasingly prevalent in domains such as power systems. Cyber-resilient architectures have been proposed to recover compromised cyber components of CPS. Recent works have studied tuning the recovery times of such architectures to guarantee safety in single-system settings. Extending these designs to interconnected CPS is more challenging, since solutions must account for attacks on multiple subsystems that can occur in any order and potentially infinite possible temporal overlap. This paper aims to address the aforementioned challenge by developing a scalable framework to assign resilient architectures and to inform the tuning of their recovery times. Our approach introduces a scalar index that quantifies the impact of each subsystem on safety under compromised input. These indices aggregate linearly across subsystems, enabling scalable analysis under arbitrary attack orderings and temporal overlaps. We establish a linear inequality relating each subsystem's index and recovery time that guarantees safety and guides resilient architecture assignment. We also propose a segmentation-based approach to strengthen the previously derived conditions. We then present algorithms to compute the proposed indices and to find a cost-optimal architecture assignment with a safety guarantee. We validate the framework through a case study on temperature regulation in interconnected rooms under different attack scenarios.

Paper Structure

This paper contains 8 sections, 5 theorems, 19 equations, 6 figures, 1 table, 1 algorithm.

Key Result

Theorem 1

Consider an attack cycle $[t_0,\, t_f]$ where each subsystem is compromised at most once in the cycle. Assume $x(t_0) \in \mathcal{C}_c$ and the nominal policy satisfies Assumption 1. Suppose each subsystem $S_i$ employs a cyber-resilient architecture $M(S_i)$ according to the mapping $M$. Then the

Figures (6)

  • Figure 1: Illustration of three attack scenarios on an interconnected CPS with three subsystems: (a) all subsystems are compromised simultaneously, (b) each subsystem is attacked sequentially without overlap among the compromised subsystems, and (c) subsystems are attacked with 50% temporal overlap among the compromised subsystems. The red dashed arrows denote attack events, while the blue bars denote the duration of subsystem compromise until recovery. Recovery times are shown equal for simplicity but are not assumed equal in our analysis. Attacks may occur in different orders with infinitely many possible temporal overlaps among subsystems.
  • Figure 2: (a) Single criticality index $\rho_i$ representing worst-case degradation rate of the safety function over the set $\mathcal{C} \setminus \mathcal{C}_c$ for the subsystem $S_i$. (b) Segmented criticality indices $\rho_{ij}$, where the set $\mathcal{C} \setminus \mathcal{C}_c$ is divided into $K$ equal intervals of size $\Delta = c/K$.
  • Figure 3: Time evolution of average temperature for simultaneous attack. All the systems are compromised simultaneously after Phase 0, which corresponds to time $t=0.2$ seconds. At Phase 1 (or equivalently, Phase 2), $S_1$ and $S_2$ are recovered together, as both have the same recovery time; however, $S_3$ remains compromised. At Phase 3, $S_3$ is also recovered. At Phase 4, the system returns to the set $\mathcal{C}_c$. As we see, the system maintains safety within the attack cycle.
  • Figure 4: Time evolution of average temperature under sequential non-overlapping attacks. Subsystem $S_1$ is compromised after Phase 0 at $t = 0.2$. During Phase 1, $S_1$ is recovered, and $S_2$ is compromised immediately. At Phase 2, $S_2$ is recovered, followed by the immediate compromise of $S_3$. At Phase 3, $S_3$ is recovered. Finally, at Phase 4, the system returns to the set $\mathcal{C}_c$. Throughout the attack cycle, the system maintains safety.
  • Figure 5: Time evolution of average temperature under partially overlapping attacks with an overlap interval of $t_{\mathrm{ov}} = 0.0018$ s. Subsystem $S_1$ is compromised after Phase 0 at $t = 0.2$. During Phase 1, $S_1$ is recovered, and $S_2$ remains compromised. At Phase 2, $S_2$ is recovered and $S_3$ remains compromised. At Phase 3, $S_3$ is recovered. Finally, at Phase 4, the system returns to the set $\mathcal{C}_c$. Throughout the attack cycle, the system maintains safety.

Theorems & Definitions (11)

  • Definition 1
  • Theorem 1
  • proof
  • Theorem 2
  • proof
  • Definition 2
  • Theorem 3
  • proof
  • Theorem 4
  • Lemma 1