Published in: IEEE Conference on Decision and Control 2019
Authors: Jongsoo Ha and Hyungbo Shim
DOI: 10.1109/CDC40024.2019.9029726
Abstract: Zero dynamics attacks are known to be lethal in the sense that they are stealthy in principle and are not detected from output measurements. Therefore, instead of detecting the zero dynamics attacks, an idea to mitigate the effect of the zero dynamics attack has been proposed recently, which is to enforce the zeros to become stable by changing the zero-order hold to a generalized hold in the sampled data framework. Once all the zeros become stable, then even if the zero dynamics attack is engaged, its effect on the plant is negligible. However, it was observed that the amplitude of the generalized hold becomes unrealistically large in some cases, which leads to a large input to the physical plant. This paper studies this phenomenon at a deeper level and figures out that changing the intrinsic zeros requires an excessively large amplitude of the generalized hold while changing the sampling zeros can be done with a reasonable amplitude.

This work is a continued effort of CDSL to improve discretization methods of cyber-physical systems (CPSs) and its application to assign zeros of the systems. For our previous works, see http://dx.doi.org/10.1109/CDC.2017.8263842. This post only sketch the main ideas of the paper. For more technical details, I refer to the paper and the presentation material at the bottom.

Motivation: unstable zeros of sampled data systems

Sampled data systems, being a part of CPS, are composed of physical plants and discretization devices such as hold and sampler. Especially, zero-order hold (ZOH) has been widely used in industry and academic areas because of the simplicity of the hold function.

On the other hand, ZOH equivalent models are known to have a disadvantage. Actually, the ZOH models are easy to have unstable zeros (under the specific circumstance), even though the original plant is minimum phase, which may cause issues regarding controller design or security of CPSs. This tendency is described in the following example.

The sampled data system employing the zero-order hold

1. Example: zeros of a ZOH equivalent model

The continuous-time plant has the transfer function, given by

$$G_p \left( s\right) = \frac{s+4}{\left(s+1 \right)^3 }.$$

When $T=0.01$ , the ZOH equivalent model $G$ has the zeros at $z^i=0.9608$ and $z^s=-1.0033$ , and it is expressed as $$G(z) = \frac{T^2(z-z^i)g(z-z^s)}{\left(z-e^{-T}\right)^3}, ~\lim_{T\to0}g=0.5.$$

I emphasize that the stable zero $z^i$ , referred to as the intrinsic zero, is approximated as $e^{-4T}$ , whereas the unstable one is called the sampling zero which converges to $-1$ as $T\to0$ . Accordingly, we can say that the sampled data system somewhat preserves the properties of the physical plants depending on the sampling process.

The one who is interested in more details may read the following papers:

Zeros of sampled systems
K. J. Åström, P. Hagander, and J. Sternby
Automatica, vol. 20, no. 1, pp. 31-38, 1984
https://doi.org/10.1016/0005-1098(84)90062-1

Sampling zero란 무엇인가?
심형보
ICROS, 2019
https://post.cdsl.kr/archives/2606

2. Improving the discretization process

In regard to security issues of CPSs, unstable zeros of the ZOH models may be used for zero dynamics attack, which is related to the zeros of the systems and is hardly detected from the output measurements in principle. Therefore, we can say that it is important to improve the discretization process to make the sampled data systems minimum phase as a countermeasure against the zero dynamics attack.

Two years ago, my colleagues wrote a paper dealing with the replacement of the ZOH to a generalized hold to enforce the systems to be minimum phase. As a result, when the zeros of the systems become stable, the effect of the attacks is mitigated, even though it is still not detected from the output measurements. For more details, I refer to the paper as follows.

Enhancement of security against zero dynamics attack via generalized hold
J. Back, J. Kim, C. Lee, G. Park, and H. Shim
IEEE Conference on Decision and Control, 2017, pp. 1350-1355.
http://dx.doi.org/10.1109/CDC.2017.8263842

Zeros assignments and design guidelines for the holds

With the generalized hold functions, the sampled data systems can have arbitrarily assigned zeros and can be turned into minimum phase systems in the discrete-time domain regardless of whether the continuous-time plants have unstable zeros or not. However, the variation of the hold amplitude sometimes goes unbounded as the sampling period $T$ tends to zero, which results in too large amplitude of the sample hold to be implemented (see the example in the subsection 2 below). In this paper, we analyze the reason for this phenomenon and suggest design guidelines for the desired zeros, which lead to a reasonable variation of the holds.

1. The systems with generalized holds

If the sample hold patterns are designed as shown in the above figure, then the input-to-state relation is changed, compared to that of the ZOH model. For this reason, I denote the systems with the generalized hold and the ZOH model by $(A, \bar B, C)$ and $(A, B, C)$ , respectively, and I stress that the system $(A, \bar B, C)$ has arbitrarily assigned zeros, which is confirmed by the following equations.

Based on the above transfer functions, we first choose the desired numerator $\bar N$ , and later we calculate the input matrix $\bar B$ so that the system $(A, \bar B, C)$ is a realization of the transfer function $\bar G$ . Moreover, when $\bar B$ is determined, we solve some equations to obtain appropriate hold levels. In other words, if we choose a suitable hold function and the patterns are implemented, then the systems employing the hold function can have the exactly assigned zeros (i.e., the roots of $\bar N$ ).

So far, the zeros of the desired numerator may seem to be stabilized and assigned arbitrarily, although the sampled data system is originated from the physical plant. However, one may guess that changing the intrinsic natures of the original plant requires much cost (e.g., large amplitude of the hold functions), compared to the cost as regards preserving the properties. This is confirmed by the observation in the following example.

2. Example: zeros candidates for a reasonable hold functions

Let us denote numerators related to the intrinsic and the sampling zeros by $N^i$ and $N^s$ , respectively; that is, $$ N^i(z) = T^2(z-z^i),\\ N^s(z) = g(z-z^s), ~\lim_{T\to0}g=0.5,\\ $$ based on the above example. If we consider the ZOH equivalent model as a reference and choose the numerator candidates as a) $\bar N=\bar N^a$ (replacing the sampling zero) and b) $\bar N=\bar N^b$ (changing all the zeros), respectively, where $$ \bar N^a\left( z\right) = T^2\left(z-z^i \right) 2/3\left(z+0.5 \right),\\ \bar N^b\left( z\right) = T^2\left(z-e^{-4.1T} \right) 2/3\left(z+0.5 \right), $$ then, both systems have stable zeros. Consequently, the resulting hold functions are calculated as $$ a)~ h^a=\begin{bmatrix} 0.257 & 0.971 & 1.76 \end{bmatrix}^\top,\\ b)~ h^b=\begin{bmatrix} 990 & -1975 & 988 \end{bmatrix}^\top, $$ respectively. We stress that the latter case leads to the divergent hold function as $T\to0$ and an excessively large amplitude under fast sampling rate.

3. Numerator candidates for implementable sample holds

A lesson that the previous example gives us is that changing the intrinsic zero $z=z^i$ requires an excessively large hold function, even though the location of the zeros are close to each other; that is, $$ z^i=0.961 \approx e^{-4.1T}=0.960. $$ On the other hand, simply replacing the sampling zeros requires less cost with respect to the hold function. So we present guidelines for desired zeros, which are stated as follows.

Design guidelines for the numerator candidates:

Composing $\bar N$ with $N^i$ and constant coefficients $\bar N^s$ produces a reasonable hold to be implemented; $$ \bar N(z)=N^i (z) \bar N^s (z). $$
Changing the intrinsic zeros hampers reasonable hold functions.

In conclusion, preserving the intrinsic zeros with additional zeros (i.e., the roots of $\bar N^s$ ) is done with appropriate holds, whereas an attempt to change the intrinsic natures of the physical plants causes an excessively large hold function for a small enough sampling time $T>0$ .

The detailed proof and the rigorous analysis are presented in the paper. Moreover, the slides used in the presentation are attached as follows.

Study on Realizable Generalized Hold Functions as a Countermeasure against Zero Dynamics Attack