{"title":"Attack concealment for cyber-physical systems using a mechanism borrowing from differential privacy.","authors":"Jie Zhang, Yifan Dong, Li Yin, Zhiwu Li","doi":"10.1016/j.isatra.2025.07.054","DOIUrl":null,"url":null,"abstract":"A cyber-physical system in general consists of a physical process intertwined with computational elements supported by a communication network, sensors, and actuators, making such a system vulnerable to external attacks. This work, from the viewpoint of an attacker, considers cyberattack protection (concealment) of cyber-physical systems in the framework of discrete event systems modeled by finite automata such that the system operator cannot detect the attacks. In particular, different types of attacks (referred to as attack dictionaries) are applied to a cyber-physical system, potentially resulting in the corruption or alteration of the generated observations. By observing the output of the attacked system, the system operator may detect which specific attack dictionary has been imposed or utilized through state estimation. To prevent the attacks launched by an attacker from being detected, a mechanism, called state sequence differential privacy, is introduced to the observer of the attacked system. Suppose that two observations exist, where one of them allows for the detection of an attack type, while the other is randomly generated. A differential privacy mechanism is designed to disguise these two observations, ensuring that its modified output (exposed to the system operator) has an approximate probability with the two input observations. As a result, the attack dictionary cannot be detected by the system operator, even if the employed differential privacy mechanism is public. Finally, a case study is presented on the attack protection for a nuclear power facility, with a specific focus on the cyberattack incident at the Natanz nuclear power plant in Iran.","PeriodicalId":94059,"journal":{"name":"ISA transactions","volume":" ","pages":""},"PeriodicalIF":6.5000,"publicationDate":"2025-08-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ISA transactions","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1016/j.isatra.2025.07.054","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}