Security index based on perfectly undetectable attacks: Graph-theoretic conditions-Supplementary Material

Abstract The notion of security index quantifies the least effort involved in conducting perfectly undetectable attacks. Thus, the security index enables a systems operator to assess the vulnerability of a component, informs sensor placement strategies, and helps in deciding the feasibility of secure estimators and fault detectors. In this paper, we investigate the (possible) variation in this index as a consequence of variation in the system parameters. To this end, we adopt a structured systems approach, typically represented by a directed graph, with the edges of the said graph being in one-to-one correspondence with the system parameters. We first show that the security index is generic. That is, for almost all choices of edge weights, the security index of a component remains the same. We refer to such an index as the generic security index. Secondly, we derive graph-theoretic conditions (and based on those an algorithm) for computing the generic security index. Third, we provide graph-theoretic conditions for computing lower (resp. upper) bounds on the values that the security index of a component can take for all nonzero choices of the edge weights of the directed graph. Finally, we provide a brute force search method for calculating the said bounds.

1. Example 1 (contd.)

1.1. Generic index

With respect to the example in Figure ??, $I = \{u_1, u_2, a_{y_2}, u_3\}$. Consider the vertex set $I_a = \{u_2, a_{y_2}\}$. Since the vertices $u_2$, $a_{y_2}$ and $x_2$ are connected to $x_2$ and/or $y_2$, and to no other vertices in the right vertex set of $H^\times$, the maximum size of a matching in $H^\times$ is 6; see, for instance, Figures ?? and ??. Observe that the matching in Figure ?? does not cover $a_{y_2}$, and, hence, $\delta_s(a_{y_2}) = 2$. Similarly, for vertex $u_2$, it can be observed from Figure ?? that there exists a maximum matching that does not cover $u_2$, and, hence, $\delta_s(u_2) = 2$. To compute $\delta_s(u_1)$ (resp. $\delta_s(u_3)$), consider the vertex set $I = \{u_1, u_2, u_3, a_{y_1}\}$. Note that the associated bipartite graph is the same as $H^\times$; see Figure ??. It can be easily verified that the size of a maximum matching in $H^\times$ equals 8, while the size of a maximum matching in $H^\times - u_1$ (resp. $H^\times - u_3$) equals 7. This implies that every maximum matching in $H^\times$ covers $u_1$ (resp. $u_3$). Hence, since condition (i) in Theorem 3 is satisfied for $p = |I|$, it follows from Remark 1 that $\delta_s(u_1) = +\infty$ (resp. $\delta_s(u_3) = +\infty$).
This paper was not presented at any IFAC meeting. Corresponding author: Sebin Gracy. This work was supported in part by the Swedish Civil Contingencies Agency (project CERCES), and the Swedish Research Council (project 2016-00861).

Bounds on the security index
Recall that $I = \{a_{y_2}, u_1, u_2, u_3\}$. For a given vertex $i_1$ and a given $p$, a set $I_a$ that satisfies both a) $|I_a| = p$, and b) $i_1 \in I_a$ will be referred to as a candidate set. Consider vertex $u_1$. Note that for $p = 1$, there is only one candidate set, namely $I_a^1 = \{u_1\}$. Figure ?? exhibits a uniquely restricted matching of size 6 in the associated bipartite graph $H^\times$. Thus, the condition in item (ii) in Corollary 2 is satisfied, and therefore, for all nonzero choices of edge weights of the graph in Figure ??, $\delta(u_2) \geq 2$. Next, we check for $p = 2$. Observe that there are three candidate sets, say $I_a^2$, $I_a^3$ and $I_a^4$, where $I_a^2 = \{u_1, u_2\}$, $I_a^3 = \{a_{y_2}, u_1\}$, and $I_a^4 = \{u_1, u_3\}$. The bipartite graph $H$ (resp. $H^\times$) corresponding to set $I_a^2$ is as depicted in Figure ?? (resp. Figure ??), with the edges highlighted in red forming a uniquely restricted matching, $M_{I_a^2}$ (resp. $M_{I_a^2}^\times$), of size 6 (resp. 7). Observe that in $H$ the vertices $x_4$ and $x_5$ are connected to both $x_5$ and $y_4$, and to no other vertices. Therefore, by definition of a uniquely restricted matching, any uniquely restricted matching in $H$ can cover $x_4$ or $x_5$ but not both. Thus, the maximum size of a uniquely restricted matching in $H$ equals 6. Since vertex $u_1$ is involved in every maximum uniquely restricted matching in $H$, it follows that the maximum size of a uniquely restricted matching in $H - u_1$ is less than 6. Observe that since $M_{I_a^2}^\times$ does not involve the edge $(x_5, x_5)$, it follows that $M_{I_a^2}^\times \cap E_{\mathrm{loop}} = \emptyset$. Since $M_{I_a^2}^\times$ covers every vertex in the left vertex set of $H^\times$, it follows that any matching in $H^\times - u_1$ will have size smaller than 7. Thus, with respect to set $I_a^2$, conditions (i) and (ii) in Theorem 5 are satisfied. Next, we consider the set $I_a^3$. The bipartite graph $H$ (resp. $H^\times$) corresponding to set $I_a^3$ is as depicted in Figure ?? (resp. Figure ??), with the edges highlighted in red forming a uniquely restricted matching, $M_{I_a^3}$ (resp. $M_{I_a^3}^\times$), of size 5 (resp. 7). Indeed, the maximum size of a uniquely restricted matching in $H$ is 5, since, a) as previously discussed, either $x_4$ or $x_5$, but not both, can be covered by a uniquely restricted matching in $H$, and b) since $a_{y_2}$ and $x_2$ are connected to, and only to, $y_2$, by definition of a matching, a matching can cover either $a_{y_2}$ or $x_2$, but not both. Since $u_1$ is covered by every maximum uniquely restricted matching in $H$, it follows that the maximum size of a uniquely restricted matching in $H - u_1$ is less than 5. By reasoning analogous to that for matching ), of size 6 (resp. 7). By reasoning similar to that for sets $I_a^2$ and $I_a^3$, it can be seen that, with respect to set $I_a^4$ also, the conditions in Theorem 5 are satisfied. Therefore, by Theorem 5, for all nonzero choices of edge weights, $\delta(u_1) \geq 3$. We increment $p$, i.e., we check for $p = 3$. Observe that there are three candidate sets, say $I_a^5$, $I_a^6$ and $I_a^7$, where in the concerned bipartite graphs. Hence, the conditions of Theorem 5 are met, and therefore, for all nonzero choices of edge weights, $\delta(u_1) \geq 4$. Finally, we check for $p = 4$, in which case there is only one candidate set, namely ) is also a maximum uniquely restricted matching, and that removal of $u_1$ reduces the maximum size of a uniquely restricted matching, thus satisfying the conditions in Theorem 5. Since the conditions of Theorem 5 are met for $p = 4$ (i.e., $p = |I|$), it follows from Remark 1 that, for all nonzero choices of edge weights, $\delta(u_1) = +\infty$.
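The matching arguments used in Example 1, both for the generic index (a maximum matching that leaves a vertex uncovered, or every maximum matching covering it, decided by comparing the maximum matching size with and without the vertex) and for the bounds (uniquely restricted matchings, the $E_{\mathrm{loop}}$ condition, and the enumeration of candidate sets), can be run mechanically on a small graph. The Python block below is an added example, not code from the paper. The bipartite graph SAMPLE_H in it is constructed for this illustration and is not the paper's $H$ or $H^\times$, nor is it derived from structured matrices (that construction is in the main manuscript); it only copies two local patterns described in the text: $x_4$ and $x_5$ adjacent to exactly $\{x_5, y_4\}$ (so at most one of them can be in a uniquely restricted matching), and $a_{y_2}$ and $x_2$ adjacent only to $y_2$. The primed right-hand names and the function names are this example's own conventions.

```python
# Added example (not from the paper). SAMPLE_H is a constructed toy bipartite
# graph, not the paper's H or H^x: left vertices map to their right-hand
# neighbours; primed names are right-hand copies of state vertices, so an edge
# (x_i, x_i') plays the role of a loop edge in E_loop.
from itertools import combinations

SAMPLE_H = {
    "u1":  ("x1'",),
    "x1":  ("x1'", "x2'"),
    "ay2": ("y2",),          # ay2 and x2 both see only y2
    "x2":  ("y2",),
    "x4":  ("x5'", "y4"),    # x4 and x5 both see exactly {x5', y4}
    "x5":  ("x5'", "y4"),
}


def max_matching(adj, removed=frozenset()):
    """Maximum matching by augmenting paths (Kuhn's algorithm). Vertices in
    `removed` (left or right) are deleted, which is how H - v is formed."""
    match_right = {}

    def augment(u, seen):
        for v in adj[u]:
            if v in removed or v in seen:
                continue
            seen.add(v)
            if v not in match_right or augment(match_right[v], seen):
                match_right[v] = u
                return True
        return False

    for u in adj:
        if u not in removed:
            augment(u, set())
    return {u: v for v, u in match_right.items()}


def covered_by_every_max_matching(adj, v, matcher=max_matching):
    """True iff every maximum matching (of the kind `matcher` finds) covers v:
    deleting v lowers the maximum size exactly when no maximum matching avoids
    v (the text's |M(H^x)| = 8 versus |M(H^x - u1)| = 7 argument)."""
    return len(matcher(adj)) > len(matcher(adj, frozenset({v})))


def is_uniquely_restricted(adj, matching):
    """M is uniquely restricted iff the subgraph induced by V(M) has M as its
    only perfect matching (no M-alternating cycle). Brute force: count that
    subgraph's perfect matchings, stopping once a second one is found."""
    left = list(matching)
    right = set(matching.values())

    def count(i, used):
        if i == len(left):
            return 1
        total = 0
        for v in adj[left[i]]:
            if v in right and v not in used:
                total += count(i + 1, used | {v})
                if total > 1:
                    return total
        return total

    return count(0, frozenset()) == 1


def max_uniquely_restricted(adj, removed=frozenset()):
    """Largest uniquely restricted matching by exhaustive search over edge
    subsets, largest size first (brute force, fine for example-sized graphs)."""
    edges = [(u, v) for u in adj if u not in removed
             for v in adj[u] if v not in removed]
    for k in range(len(max_matching(adj, removed)), 0, -1):
        for subset in combinations(edges, k):
            if len({u for u, _ in subset}) < k or len({v for _, v in subset}) < k:
                continue              # shared endpoint: not a matching
            m = dict(subset)
            if is_uniquely_restricted(adj, m):
                return m
    return {}


def uses_loop_edge(matching):
    """True iff the matching contains an edge (x_i, x_i'), i.e. meets E_loop."""
    return any(v == u + "'" for u, v in matching.items())


def candidate_sets(components, i1, p):
    """All sets I_a with |I_a| = p and i1 in I_a, as enumerated in the bound search."""
    others = sorted(c for c in components if c != i1)
    return [frozenset((i1, *rest)) for rest in combinations(others, p - 1)]


if __name__ == "__main__":
    print("maximum matching size:", len(max_matching(SAMPLE_H)))
    print("u1 in every maximum matching:", covered_by_every_max_matching(SAMPLE_H, "u1"))
    print("ay2 in every maximum matching:", covered_by_every_max_matching(SAMPLE_H, "ay2"))
    m = max_uniquely_restricted(SAMPLE_H)
    print("max uniquely restricted matching:", m, "| avoids E_loop:", not uses_loop_edge(m))
    print("u1 in every max uniquely restricted matching:",
          covered_by_every_max_matching(SAMPLE_H, "u1", max_uniquely_restricted))
    print("candidate sets for u1, p = 2:", candidate_sets({"ay2", "u1", "u2", "u3"}, "u1", 2))
```

On SAMPLE_H the maximum matching has size 5 and every maximum matching covers u1 but not ay2, so u1 would behave like the $+\infty$ case and ay2 like the finite case of the generic index; the maximum uniquely restricted matching has size 4, because matching both x4 and x5 creates an alternating 4-cycle, and it drops to 3 once u1 is deleted. The same two functions, applied to the graphs $H$ and $H^\times$ of an actual system, give the quantities compared in Theorem 5; constructing those graphs is outside this example.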

Practical and Illustrative Examples
We consider two examples in this section. The purpose of the first example is to illustrate our theoretical findings in a more realistic setting, whereas the objective of the second example is to illustrate the effectiveness of Algorithm 1 on a non-trivial system. Graphical representations of the examples in this section are omitted in the interest of space.

Example 2: Water tanks
We consider the three-tank system from (?) shown in Figure ??. The plant states $x_1$-$x_3$ are the levels in the three tanks. These levels are regulated using two actuators: Pump 1 ($P_1$) and Pump 2 ($P_2$). The measurements corresponding to the water levels in Tank 2 and Tank 3 are available. Our goal is to study how vulnerable each of the actuators is to attack by an adversary. To this end, so as to better account for the uncertainty in the physical parameters, we take recourse to the structured systems representation. The structural system matrices are given by:

Considering these matrices, we can construct the corresponding graph $G$. Observe that in this case, $N = 3$, $M = 2$ and $P = 2$, where $N$, $M$ and $P$ are as defined in the main manuscript. We assume that while both sensors are secured, the actuators are vulnerable to attack. Hence, the set of components that the attacker can compromise is given by $I = \{u_1, u_2\}$. We first compute the generic security index $\delta_s$ for the actuators $u_1$ and $u_2$. Using Algorithm 1, we obtain $\delta_s(u_1) = +\infty$ and $\delta_s(u_2) = +\infty$. In words, perfectly undetectable attacks targeting $u_1$ or $u_2$ do not exist for almost all realizations of the system parameters, so this system is robust with respect to perfectly undetectable attacks. Indeed, we can see that by attacking $P_1$, the attacker changes the level in Tank 1. This results in changes in the levels in Tanks 2 and 3. Hence, even if the attacker also compromises $P_2$, he/she cannot simultaneously keep the levels in Tanks 2 and 3 at the same values as prior to the attack. Hence, any attack gets detected either through the first or the second sensor.

Observe that although $\delta_s(u_1) = +\infty$ and $\delta_s(u_2) = +\infty$, there might be non-zero choices of the free parameters of the matrices $W$, $B_a$ and $C$ for which $\delta(u_1)$ (resp. $\delta(u_2)$) is small. Hence, we seek to compute bounds on $\delta(u_1)$ (resp. $\delta(u_2)$) that hold for all non-zero choices of the free parameters in $W$, $B_a$ and $C$. To this end, we construct the bipartite graphs $H$ and $H^\times$ associated with this system (see Section 2.3 of the main manuscript). With respect to component $u_1$ (resp. $u_2$), it can be seen that, for $p = 2$ (i.e., $p = |I|$), condition (i) in Corollary 2 is satisfied. Hence, for all non-zero choices of the free parameters of $W$, $B_a$ and $C$, $\delta(u_1) = +\infty$ (resp. $\delta(u_2) = +\infty$). Note that, unlike in Example 1, in this example we appealed to the graphical condition in Corollary 2 for computing the bounds on $\delta(u_1)$ (resp. $\delta(u_2)$). Since the condition in Corollary 2 can be checked in polynomial time for each candidate set, this example exhibits a scenario in which deterministic guarantees of security may be obtained in a shorter time.

Example 3: Generic Security index for risk assessment
Consider a control system used for regulating the temperatures within five identical areas (?) (see Figure ??). Each area is modelled with the states $x_i = [T_{a_i}\; T_{w_i}\; P_i]^T$, where $T_{a_i}$ is the temperature of the $i$-th area, $T_{w_i}$ is the temperature of the $i$-th evaporator's lumped coil wall, and $P_i$ is the refrigerant's pressure after leaving the $i$-th evaporator. These states are regulated through the control actions $u_i = [\omega_{f_i}\; a_{v_i}]^T$, where $\omega_{f_i}$ is the speed of the $i$-th evaporator's fan, and $a_{v_i}$ is the control action that changes the fluid resistance of the $i$-th Electronic Expansion Valve (EEV). The compressor is modelled with a single state $x_c = P_C$, where $P_C$ is the refrigerant pressure after leaving the compressor. The pressure $P_C$ is regulated through the control action $u_c = \omega_K$, where $\omega_K$ is the speed of the compressor. We assume that: 1) the states in Area 1 and Area 2 are not measured; 2) the states in Area 3 and Area 4 are measured by one sensor; and 3) the states in Area 5 are measured by two sensors.

To evaluate the security level of the evaporators and EEVs, we computed the structured index $\delta_s$ of these components using Algorithm 1 (see Table ??). We point out that this computation took 239.2 seconds, which shows that, for moderate-sized systems, the generic security index can be computed reasonably quickly using Algorithm 1.

It is immediate that the most vulnerable components in the system are Evaporator 1 and Evaporator 2. This is in line with the physics of the system: by manipulating Evaporator 1, the attacker affects the temperatures $T_{w_1}$ and $T_{a_1}$. Since these states are not measured, the attacker can compromise only Evaporator 1 while remaining perfectly undetectable in almost any realization of the system. The same explanation holds for Evaporator 2. The most protected actuators are the EEVs. The reason for this can also be found in the physics of the system. Namely, besides the states within its own area, every EEV affects the states in all other areas. Hence, conducting a perfectly undetectable attack against an EEV requires more compromised components. Moreover, it turns out that all EEVs have the same security index. Hence, although the states in Area 1 and Area 2 are not measured, EEV 1 and EEV 2 are protected by the physical coupling present in the system.

Figure 2: (a): bipartite graph $H^\times$ corresponding to set $I_a = \{a_{y_2}, u_2\}$, with edges in red forming a matching of size 6, but not covering $a_{y_2}$; (b): bipartite graph $H^\times$ corresponding to set $I_a = \{a_{y_2}, u_2\}$, with edges in red forming a matching of size 5, but not covering $u_2$; and (c): with respect to Example 1, graph $\hat{G}$. The edges in red denote the extra edges added to $G$, while the edges in black are the same as those in $G$.

${}^\times \cap E_{\mathrm{loop}} = \emptyset$, and b) any matching (and therefore any uniquely restricted matching) in $H^\times - u_1$ will have size smaller than 7. Next, we check for set $I_a^4$. The bipartite graph $H$ (resp. $H^\times$) corresponding to set $I_a^4$ is as depicted in Figure ?? (resp. Figure ??), with the edges highlighted in red forming a uniquely restricted matching, $M_{I_a^4}$ (resp. $M_{I_a^4}^\times$

Figure 3: For vertex $u_1$ (a): with $p = 1$, bipartite graph $H^\times$, with edges in red highlighting a uniquely restricted matching of size 6; (b): with $p = 2$, bipartite graph $H$ corresponding to set $I_a^2$, with edges in red forming a uniquely restricted matching of size 6; (c): with $p = 2$, bipartite graph $H^\times$ corresponding to set $I_a^2$, with edges in red forming a uniquely restricted matching of size 7. (c): bipartite graph $H$, with edges in red forming a uniquely restricted matching of size 6; (d): with $p = 2$, for set $I_a^3$, bipartite graph $H$, with edges in red forming a uniquely restricted matching of size 5.

Figure 4: For vertex $u_1$ (a): with $p = 2$, bipartite graph $H^\times$ corresponding to set $I_a^3$, with edges in red forming a uniquely restricted matching of size 7; (b): with $p = 2$, bipartite graph $H$ corresponding to set $I_a^4$, with edges in red forming a uniquely restricted matching of size 6; (c): with $p = 2$, bipartite graph $H^\times$ corresponding to set $I_a^4$, with edges in red forming a uniquely restricted matching of size 7; (d): with $p = 3$, bipartite graph $H$ corresponding to set $I_a^5$, with edges in red forming a uniquely restricted matching of size 7.

Figure 5:

Figure 6: For vertex $u_1$ (a): with $p = 3$, bipartite graph $H^\times$ corresponding to set $I_a^7$, with edges in red forming a uniquely restricted matching of size 7. (b): with $p = 4$, bipartite graph $H$, with edges in red forming a uniquely restricted matching of size 7. (c): bipartite graph $H^\times$, with edges in red forming a uniquely restricted matching of size 8.

Figure 8: System used in simulations.

The bipartite graph $H$ (resp. $H^\times$) corresponding to set $I_a^8$ is as depicted in Figure ?? (resp. Figure ??), with the edges highlighted in red forming a uniquely restricted matching, $M_{I_a^8}$

Table 1: Generic security index of the actuators for the system shown in Figure ??.